npm - @ax-hub/admin-sdk - Versions diffs - 1.0.2 → 2.1.0 - Mend

@ax-hub/admin-sdk 1.0.2 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -34,6 +34,20 @@ const admin = new AdminClient({
 })
 ```
+## Agent operating notes
+Use `@ax-hub/admin-sdk` only when the token is authorized for governance routes. Ordinary member/PAT workflows for creating apps, dynamic tables, rows, and deployments belong in [`@ax-hub/sdk`](../sdk/README.md). If an agent sees `403 permission_denied` or `not_admin`, treat it as an authorization result, not an SDK bug.
+The app/data SDKs were live-verified against production tenant `test` on 2026-06-08. That QA created and deleted apps, env vars, tables, columns, grants, and rows. For app/data cleanup semantics, table grant revocation is proven by `revokedAt`, while row/table delete is proven by follow-up `404` or `410`. Admin-specific tenant governance calls still require a real admin token and should be run only against disposable tenant fixtures.
+Safety checklist for admin agents:
+1. Confirm the token is intended for admin/governance work.
+2. Use timestamp-suffixed fixture slugs, domains, tags, and subjects.
+3. Delete only fixtures created by the current run.
+4. Branch on typed `AxHubError` category/code, not localized `message` text.
+5. Never print admin tokens or raw OAuth/client secrets.
 ## Resource Catalog
 | Namespace | Methods |

package/dist/index.cjs CHANGED Viewed

@@ -1,2 +1,2 @@
-'use strict';var ulid=require('ulid'),crypto=require('crypto');var d=class extends Error{code;category;httpStatus;retryable;requestId;resource;fields;retry;docUrl;constructor(e){super(e.message,e.cause?{cause:e.cause}:void 0),this.name=this.constructor.name,this.code=e.code,this.category=e.category,this.httpStatus=e.httpStatus,this.retryable=e.retryable,this.requestId=e.requestId,e.resource!==void 0&&(this.resource=e.resource),e.fields!==void 0&&(this.fields=e.fields),e.retry!==void 0&&(this.retry=e.retry),e.docUrl!==void 0&&(this.docUrl=e.docUrl);}toJSON(){return {name:this.name,message:this.message,code:this.code,category:this.category,httpStatus:this.httpStatus,retryable:this.retryable,requestId:this.requestId,resource:this.resource,fields:this.fields,retry:this.retry,docUrl:this.docUrl}}toString(){return Rt(this)}};function Rt(t){let e=[`${t.name}[${t.code}]`];return t.requestId&&e.push(`req=${t.requestId}`),e.push(`problem=${t.message}`),t.fields?.length&&e.push(`cause=${t.fields.map(r=>`${r.name}:${r.code}`).join(",")}`),t.retry?.afterMs!==void 0?e.push(`fix=retry_after_${t.retry.afterMs}ms`):t.retryable?e.push("fix=retry_with_backoff"):e.push("fix=inspect_input_or_permissions"),t.docUrl&&e.push(`docs=${t.docUrl}`),e.join(" ")}var p=class extends d{},x=class extends d{},v=class extends d{},h=class extends d{},u=class extends d{},$=class extends d{},R=class extends d{},E=class extends d{},_=class extends d{},M=class extends u{},F=class extends u{},H=class extends u{},j=class extends x{},z=class extends x{},K=class extends x{},N=class extends v{},G=class extends v{},W=class extends h{},V=class extends h{},Y=class extends u{},J=class extends u{},X=class extends u{},Q=class extends u{},Z=class extends u{},ee=class extends u{},te=class extends u{},re=class extends u{},ne=class extends u{},se=class extends u{},ie=class extends u{},oe=class extends u{},ae=class extends p{},de=class extends p{},ue=class extends p{},ce=class extends p{},le=class extends v{},pe=class extends v{},ge=class extends _{},ye=class extends d{},me=class extends d{},I=class extends d{},T=class extends d{},st=class extends d{},$e=class extends d{},it=class extends d{},ot=class extends d{},Me=class extends d{},fe=class extends x{},at=class extends p{},dt=class extends h{},ut=class extends E{},S=class extends p{},k=class extends p{},he=class extends Me{},ct=class extends E{},c=class extends d{description;uri;constructor(e){super({message:e.description??e.code,code:e.code,category:"oauth",httpStatus:e.httpStatus,retryable:e.retryable,requestId:e.requestId}),e.description!==void 0&&(this.description=e.description),e.uri!==void 0&&(this.uri=e.uri);}},be=class extends c{},w=class extends c{},xe=class extends c{},ve=class extends c{},C=class extends c{},lt=class extends w{},pt=class extends C{},Te=class extends c{},Ie=class extends c{},Ae=class extends c{},Re=class extends c{},Ee=class extends c{},_e=class extends c{},Se=class extends c{},ke=class extends c{},we=class extends c{};var Et={slug_taken:M,already_member:F,already_deleted:H,already_revoked:Y,already_settled:J,already_active:X,already_inactive:Q,already_accessed:Z,not_deleted:ee,last_admin:te,pending_exists:re,invalid_state_transition:ne,schema_name_taken:se,domain_taken:ie,duplicate:oe,token_missing:j,token_expired:z,token_invalid:K,pool_stale:fe,not_admin:N,forbidden:G,not_member:le,not_allowed:pe,permanently_deleted:W,invitation_expired:V,invalid_value:ae,required:de,empty:ue,bad_request:ce,app_unavailable:ge},_t={validation:p,unauthenticated:x,permission_denied:v,not_found:h,conflict:u,precondition_failed:$,rate_limited:R,internal:E,unavailable:_},St={invalid_grant:be,access_denied:w,authorization_pending:xe,slow_down:ve,expired_token:C,invalid_target:Te,invalid_client:Ie,invalid_request:Ae,invalid_scope:Re,invalid_token:Ee,unauthorized_client:_e,unsupported_grant_type:Se,server_error:ke,temporarily_unavailable:we},kt={authorization_pending:true,slow_down:true,access_denied:false,invalid_grant:false,expired_token:false,server_error:true,temporarily_unavailable:true};function Gt(t){if(typeof t!="object"||t===null)return  false;let e=t.error;if(typeof e!="object"||e===null)return  false;let r=e;return typeof r.code=="string"&&typeof r.category=="string"&&typeof r.retryable=="boolean"}function Wt(t){return typeof t!="object"||t===null?false:typeof t.error=="string"}function wt(t){return t.startsWith("/oauth/")||t.startsWith("/auth/")}function gt(t){return wt(t.path)&&Wt(t.body)?Yt(t):Gt(t.body)?Vt(t):new I({message:"Unexpected error response shape",code:"decode_failed",category:"decode",httpStatus:t.status,retryable:false,requestId:t.fallbackRequestId})}function Vt(t){let r=t.body.error,n=r.retry?{afterMs:r.retry.after_ms}:void 0,s={message:r.message,code:r.code,category:r.category,httpStatus:t.status,retryable:r.retryable,requestId:r.request_id||t.fallbackRequestId,resource:r.resource,fields:r.fields,retry:n,docUrl:r.doc_url},a=Et[r.code];if(a)return new a(s);let l=_t[r.category]??d;return new l(s)}function Yt(t){let e=t.body,r=St[e.error]??c,n=kt[e.error]??false;return new r({code:e.error,description:e.error_description,uri:e.error_uri,httpStatus:t.status,retryable:n,requestId:t.fallbackRequestId})}function Jt(t){return t}function Xt(t){return t}function Qt(t){return t}function Zt(t){return t}function er(t){return t}function tr(t){return t}function rr(t){return t}function nr(t){return t}var sr=/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,Ct=/^[a-z][a-z0-9-]{0,62}$/;function Fe(t,e,r){return new p({message:t,code:r,category:"validation",httpStatus:0,retryable:false,requestId:"",fields:[{name:e,code:r}]})}function m(t,e){if(t.trim()==="")throw Fe(`${e} must be non-empty`,e,"empty");if(!sr.test(t))throw Fe(`${e} must be a UUID`,e,"invalid_uuid")}function Ot(t,e){if(t.trim()==="")throw Fe(`${e} must be non-empty`,e,"empty");if(!Ct.test(t))throw Fe(`${e} must match ${Ct.source}`,e,"invalid_slug")}var ir={tenant(t){return m(t,"tenantId"),t},tenantSlug(t){return Ot(t,"tenantSlug"),t},app(t){return m(t,"appId"),t},appSlug(t){return Ot(t,"appSlug"),t},user(t){return m(t,"userId"),t},deployment(t){return m(t,"deploymentId"),t},pat(t){return m(t,"patId"),t},resource(t){return m(t,"resourceId"),t},connector(t){return m(t,"connectorId"),t},subject(t){return m(t,"subjectId"),t},grant(t){return m(t,"grantId"),t},tag(t){return m(t,"tagId"),t},auditEvent(t){return m(t,"auditEventId"),t},table(t){return m(t,"tableId"),t}};var Ce=class{token;tokenType;onRefresh;refreshing=null;constructor(e){this.token=e.token,this.tokenType=e.tokenType,this.onRefresh=e.onRefresh;}currentToken(){return this.token}headersFor(e){return e==="public"?{}:this.tokenType==="pat"?{"X-Api-Key":this.token}:{Authorization:`Bearer ${this.token}`}}async onUnauthorized(){return this.tokenType!=="jwt"||!this.onRefresh?false:this.refreshing?this.refreshing:(this.refreshing=(async()=>{try{let e=await this.onRefresh();return this.token=e,!0}catch{return  false}finally{this.refreshing=null;}})(),this.refreshing)}},Oe=class{headersFor(e){return {}}async onUnauthorized(){return  false}};var He={debug(){},info(){},warn(){},error(){}};function yt(t){if(!t)return 6e4;let e=t.trim();if(e==="")return 6e4;let r=Number(e);if(Number.isFinite(r))return r>=0?Math.floor(r*1e3):6e4;let n=Date.parse(e);return Number.isNaN(n)?6e4:Math.max(0,n-Date.now())}var or=new Set(["authorization","x-api-key","cookie","set-cookie","proxy-authorization"]),ar="***REDACTED***";function qt(t){let e={},r=(n,s)=>{e[n]=or.has(n.toLowerCase())?ar:s;};if(typeof Headers<"u"&&t instanceof Headers)t.forEach((n,s)=>r(s,n));else for(let[n,s]of Object.entries(t))r(n,s);return e}var ft={maxAttempts:3,baseMs:200,capMs:5e3,jitter:Math.random};function dr(t){return t instanceof d?t.retryable:t instanceof TypeError}async function Pt(t,e=ft,r){let n;for(let s=0;s<e.maxAttempts;s++){if(r?.aborted)throw mt("aborted before attempt",r.reason);try{return await t(s)}catch(a){if(n=a,!dr(a)||s===e.maxAttempts-1)throw a;let l=Math.min(e.capMs,e.baseMs*2**s)*e.jitter();await ht(l,r);}}throw n}function ht(t,e){return new Promise((r,n)=>{if(e?.aborted){n(mt("aborted before sleep",e.reason));return}let s=setTimeout(()=>{e?.removeEventListener("abort",a),r();},t),a=()=>{clearTimeout(s),n(mt("aborted during sleep",e?.reason));};e?.addEventListener("abort",a,{once:true});})}function mt(t,e){return new T({message:t,code:"aborted",category:"abort",httpStatus:0,retryable:false,requestId:"",cause:e})}var ur=new Set(["GET","HEAD","OPTIONS"]),je=class{baseUrl;auth;fetch;logger;debug;timeoutMs;idempotencyKey;retryPolicy;rateLimitStrategy;constructor(e){this.baseUrl=e.baseUrl.replace(/\/$/,""),this.auth=e.auth,this.fetch=e.fetch??globalThis.fetch,this.logger=e.logger??He,this.debug=e.debug??false,this.timeoutMs=e.timeoutMs??3e4,this.idempotencyKey={autoGenerate:e.idempotencyKey?.autoGenerate??true,generator:e.idempotencyKey?.generator??ulid.ulid},this.retryPolicy=e.retryPolicy??ft,this.rateLimitStrategy=e.rateLimitStrategy??"sleep";}async request(e,r,n){let s=ur.has(e.toUpperCase()),a=this.withStableIdempotencyKey(n);return s||n.idempotent?Pt(()=>this.requestOnce(e,r,a),this.retryPolicy,a.signal):this.requestOnce(e,r,a)}async requestOnce(e,r,n){let s=this.buildUrl(r,n.query),a=ulid.ulid(),l=this.buildHeaders(a,n),b=n.body!==void 0?JSON.stringify(n.body):void 0;b!==void 0&&(l["Content-Type"]="application/json");let g=new AbortController,It=()=>g.abort(n.signal?.reason);n.signal?.addEventListener("abort",It,{once:true});let At=n.timeoutMs??this.timeoutMs,Kt=setTimeout(()=>g.abort(new Error("timeout")),At),f;try{this.logRequest(e,s,l,a),f=await this.fetch(s,{method:e,headers:l,body:b,signal:g.signal});}catch(A){throw n.signal?.aborted?new T({message:"Request aborted",code:"aborted",category:"abort",httpStatus:0,retryable:false,requestId:a,cause:A}):g.signal.aborted?new me({message:`Request timed out after ${At}ms`,code:"timeout",category:"timeout",httpStatus:0,retryable:true,requestId:a,cause:A}):new ye({message:"Network error",code:"network",category:"network",httpStatus:0,retryable:true,requestId:a,cause:A})}finally{clearTimeout(Kt),n.signal?.removeEventListener("abort",It);}if(n.rawResponse&&f.ok)return {response:f,requestId:a};if(f.ok)return this.parseSuccess(f,n,a);let nt=await this.safeParseJson(f);if(f.status===401&&n.ring==="admin"&&await this.auth.onUnauthorized())return this.requestOnce(e,r,n);if(f.status===429){let A=yt(f.headers.get("Retry-After")),Nt=new R({message:cr(nt)??"Rate limited",code:lr(nt)??"rate_limited",category:"rate_limited",httpStatus:429,retryable:true,requestId:a,retry:{afterMs:A}});if(this.rateLimitStrategy==="sleep")return await ht(A,n.signal),this.requestOnce(e,r,n);throw Nt}throw gt({path:r,status:f.status,body:nt,fallbackRequestId:a})}async parseSuccess(e,r,n){if(e.status===204||r.parseBody===false)return;let s=await e.text();if(s!=="")try{return JSON.parse(s)}catch(a){throw new I({message:"Backend returned non-JSON success body",code:"decode_failed",category:"decode",httpStatus:e.status,retryable:false,requestId:n,cause:a})}}async safeParseJson(e){try{let r=await e.text();return r===""?void 0:JSON.parse(r)}catch{return}}buildUrl(e,r){let n=e.startsWith("/")?e:`/${e}`,s=this.baseUrl+n;if(!r)return s;let a=new URLSearchParams;for(let[b,g]of Object.entries(r))g!==void 0&&a.set(b,String(g));let l=a.toString();return l?`${s}?${l}`:s}buildHeaders(e,r){let n=this.resolveIdempotencyKey(r);return {"X-Request-Id":e,Accept:"application/json",...r.ring!=="public"?this.auth.headersFor(r.ring):{},...n?{"Idempotency-Key":n}:{},...r.headers??{}}}resolveIdempotencyKey(e){if(e.idempotencyKey!==false){if(typeof e.idempotencyKey=="string"){if(e.idempotencyKey.trim()==="")throw new d({message:"idempotencyKey must be non-empty",code:"invalid_idempotency_key",category:"validation",httpStatus:0,retryable:false,requestId:""});return e.idempotencyKey}if(!(!e.idempotent||!this.idempotencyKey.autoGenerate))return this.idempotencyKey.generator()}}withStableIdempotencyKey(e){return e.idempotencyKey!==void 0||!e.idempotent||!this.idempotencyKey.autoGenerate?e:{...e,idempotencyKey:this.idempotencyKey.generator()}}logRequest(e,r,n,s){this.debug&&this.logger.debug({method:e,url:r,headers:qt(n),requestId:s},"http.request");}};function cr(t){if(typeof t!="object"||t===null)return;let e=t.error;if(typeof e=="object"&&e!==null){let r=e.message;if(typeof r=="string")return r}if(typeof e=="string")return e}function lr(t){if(typeof t!="object"||t===null)return;let e=t.error;if(typeof e=="object"&&e!==null){let r=e.code;if(typeof r=="string")return r}}var Lt=4096,Ut=false;function Bt(t){return `v2:${Buffer.from(JSON.stringify(t),"utf8").toString("base64url")}`}function pr(t){if(t.length>Lt)throw new S({message:`Cursor token exceeds maximum size (${Lt} chars)`,code:"invalid_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/invalid-cursor"});if(t.startsWith("v1:"))throw new k({message:"Legacy v1: cursor token is not compatible with keyset pagination; restart pagination without cursor",code:"legacy_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/legacy-cursor"});if(!t.startsWith("v2:"))throw new k({message:"Cursor token is missing the v2: keyset prefix; restart pagination without cursor",code:"legacy_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/legacy-cursor"});try{let e=JSON.parse(Buffer.from(t.slice(3),"base64url").toString("utf8"));if(!fr(e))throw new Error("invalid cursor shape");return e}catch(e){throw new S({message:"Malformed keyset cursor token",code:"invalid_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",cause:e,docUrl:"https://docs.axhub.dev/errors/validation/invalid-cursor"})}}function gr(t,e){let r=typeof t=="string"?t.split(",").map(n=>{let s=n.trim();return s.startsWith("-")?{field:s.slice(1),dir:"desc"}:s.startsWith("+")?{field:s.slice(1),dir:"asc"}:{field:s,dir:"asc"}}).filter(n=>n.field.length>0):[...t??[]].map(n=>({field:n.field,dir:n.dir??"asc"}));return r.length>0&&!r.some(n=>n.field==="id")&&(e?.warnOnTiebreaker&&!Ut&&(Ut=true,console.warn("AX Hub SDK: orderBy is not unique; appending id ASC as keyset cursor tiebreaker")),r.push({field:"id",dir:"asc"})),r}function yr(t){return JSON.stringify($t(t))}function mr(t,e){if(!t)return null;let r=$t(e?.orderBy,{warnOnTiebreaker:true}),n={};for(let b of r){let g=t[b.field];(g===null||typeof g=="string"||typeof g=="number"||typeof g=="boolean")&&(n[b.field]=g);}let s=t.id,a={values:n,direction:e?.direction??"forward",orderBy:r,orderByFingerprint:JSON.stringify(r)};(typeof s=="string"||typeof s=="number")&&(a.tiebreaker={field:"id",value:s});let l=e?.page;return typeof l=="number"&&Number.isInteger(l)&&l>0&&(a.page=l),e?.contextFingerprint&&(a.contextFingerprint=e.contextFingerprint),Bt(a)}function $t(t,e){let r=gr(t,e);return r.length>0?r:[{field:"id",dir:"asc"}]}function fr(t){return typeof t=="object"&&t!==null&&typeof t.values=="object"&&(t.direction==="forward"||t.direction==="backward")&&Array.isArray(t.orderBy)&&typeof t.orderByFingerprint=="string"}function bt(t){return Buffer.isBuffer(t)?t:Buffer.from(t)}function br(t){let e=t.startsWith("sha256=")?t.slice(7):t;return /^[0-9a-f]{64}$/i.test(e)?Buffer.from(e,"hex"):null}function xr(t,e,r){let n=r?Buffer.concat([Buffer.from(`${r}.`),bt(t)]):bt(t);return `sha256=${crypto.createHmac("sha256",e).update(n).digest("hex")}`}function vr(t){if(!t.secret)return {ok:false,reason:"missing_secret"};let e=br(t.signature);if(!e)return {ok:false,reason:"malformed_signature"};let r=Math.floor((t.now?.()??Date.now())/1e3),n=bt(t.rawBody);if(t.timestamp!==void 0){let a=Number(t.timestamp);if(!Number.isFinite(a))return {ok:false,reason:"timestamp_skew"};let l=t.tolerance??300;if(Math.abs(r-a)>l)return {ok:false,reason:"timestamp_skew"};let b=`${t.timestamp}:${t.signature}`;if(t.replayCache?.has(b))return {ok:false,reason:"replay"};n=Buffer.concat([Buffer.from(`${t.timestamp}.`),n]);}let s=crypto.createHmac("sha256",t.secret).update(n).digest();return e.byteLength!==s.byteLength?{ok:false,reason:"signature_mismatch"}:crypto.timingSafeEqual(e,s)?(t.timestamp!==void 0&&t.replayCache?.add(`${t.timestamp}:${t.signature}`),{ok:true}):{ok:false,reason:"signature_mismatch"}}function o(t,e){return {...t,signal:e?.signal,timeoutMs:e?.timeoutMs,idempotencyKey:e?.idempotencyKey}}function O(t){let e={};return t?.pageSize!==void 0&&(e.limit=t.pageSize),t?.cursor!==void 0&&(e.cursor=t.cursor),e}function q(t,e){return {items:t.items.map(e),nextCursor:t.next_cursor,total:t.total}}function y(t){let e={};for(let[r,n]of Object.entries(t))n!==void 0&&(e[r]=n);return e}function i(t){return encodeURIComponent(t)}function ze(t){return {...t,id:String(t.id),slug:String(t.slug),name:String(t.name),createdAt:t.created_at??t.createdAt,updatedAt:t.updated_at??t.updatedAt}}function Tr(t){return {id:String(t.id),role:String(t.role),...t,userId:t.user_id??t.userId}}function xt(t){return {id:String(t.id),email:String(t.email),role:String(t.role),status:String(t.status),...t}}function Ft(t){return {...t,domain:String(t.domain??t.email_domain),verified:t.verified}}var P=class{constructor(e,r){this.http=e;this.mockStore=r;}http;mockStore;scoped(e){return new Ke(this.http,e)}async create(e,r){if(this.mockStore)return this.mockStore.createTenant(e);let n=await this.http.request("POST","/api/v1/tenants",o({ring:"admin",body:y(e),idempotent:false},r));return ze(n)}async get(e,r){if(this.mockStore)return this.mockStore.getTenant(e);let n=await this.http.request("GET",`/api/v1/tenants/${i(e)}`,o({ring:"admin"},r));return ze(n)}async list(e){if(this.mockStore)return this.mockStore.listTenants();let r=await this.http.request("GET","/api/v1/tenants",o({ring:"admin",query:O(e)},e));return q(r,ze)}async update(e,r,n){if(this.mockStore)return this.mockStore.updateTenant(e,r);let s=await this.http.request("PATCH",`/api/v1/tenants/${i(e)}`,o({ring:"admin",body:y(r),idempotent:false},n));return ze(s)}async delete(e,r){if(this.mockStore)return this.mockStore.deleteTenant(e);await this.http.request("DELETE",`/api/v1/tenants/${i(e)}`,o({ring:"admin",idempotent:true},r));}async signIconUploadURL(e,r,n){let s=await this.http.request("POST",`/api/v1/tenants/${i(e)}/icon/upload-url`,o({ring:"admin",body:{content_type:r.contentType},idempotent:false},n));return {uploadUrl:s.upload_url??s.put_url??"",getUrl:s.get_url??s.public_url??"",expiresAt:s.expires_at}}get members(){return new Ne(this.http)}get invitations(){return new Ge(this.http)}get emailDomains(){return new We(this.http)}},Ke=class{members;invitations;emailDomains;constructor(e,r){this.members=new qe(e,r),this.invitations=new Pe(e,r),this.emailDomains=new De(e,r);}},Ne=class{constructor(e){this.http=e;}http;forTenant(e){return new qe(this.http,e)}},qe=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/members`,o({ring:"admin",query:O(e)},e));return q(r,Tr)}async update(e,r,n){await this.http.request("PATCH",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}`,o({ring:"admin",body:y(r),idempotent:false},n));}async deactivate(e,r){await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}/deactivate`,o({ring:"admin",body:{},idempotent:false},r));}async reactivate(e,r){await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}/reactivate`,o({ring:"admin",body:{},idempotent:false},r));}},Ge=class{constructor(e){this.http=e;}http;forTenant(e){return new Pe(this.http,e)}},Pe=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/invitations`,o({ring:"admin",query:O(e)},e));return q(r,xt)}async create(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/invitations`,o({ring:"admin",body:y(e),idempotent:false},r));return xt(n)}async bulkCreate(e,r){if(e.length>200)throw new p({message:"bulk invitations are capped at 200",code:"too_many_items",category:"validation",httpStatus:0,retryable:false,requestId:"",fields:[{name:"invitations",code:"max_200"}]});let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/invitations/bulk`,o({ring:"admin",body:{items:e},idempotent:false},r));return {accepted:(n.succeeded??[]).map(xt),rejected:(n.failed??[]).map(s=>({email:s.email,reason:s.reason,message:s.message}))}}async delete(e,r){await this.http.request("DELETE",`/api/v1/tenants/${i(this.tenant)}/invitations/${i(e)}`,o({ring:"admin",idempotent:true},r));}},We=class{constructor(e){this.http=e;}http;forTenant(e){return new De(this.http,e)}},De=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){return (await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/email-domains`,o({ring:"admin"},e))).items.map(Ft)}async create(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/email-domains`,o({ring:"admin",body:{email_domain:e.domain},idempotent:false},r));return Ft(n)}async delete(e,r){await this.http.request("DELETE",`/api/v1/tenants/${i(this.tenant)}/email-domains/${i(e)}`,o({ring:"admin",idempotent:true},r));}};var D=class{constructor(e){this.http=e;}http;scoped(e){return new Ve(this.http,e)}},Ve=class{tags;subjects;grants;constructor(e,r){let n=`/api/v1/tenants/${i(r)}`;this.tags=new Ye(e,`${n}/tags`),this.subjects=new Je(e,`${n}/subjects`),this.grants=new Xe(e,`${n}/grants`);}},Ye=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}create(e,r){return this.http.request("POST",this.base,o({ring:"admin",body:y(e),idempotent:false},r))}update(e,r,n){return this.http.request("PATCH",`${this.base}/${i(e)}`,o({ring:"admin",body:y(r),idempotent:false},n))}delete(e,r){return this.http.request("DELETE",`${this.base}/${i(e)}`,o({ring:"admin",idempotent:true},r))}},Je=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}create(e,r){return this.http.request("POST",this.base,o({ring:"admin",body:y(e),idempotent:false},r))}update(e,r,n){return this.http.request("PATCH",`${this.base}/${i(e)}`,o({ring:"admin",body:y(r),idempotent:false},n))}delete(e,r){return this.http.request("DELETE",`${this.base}/${i(e)}`,o({ring:"admin",idempotent:true},r))}},Xe=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}};function Le(t){return {id:String(t.id),...t,actorId:t.actor_id??t.actorId,prevHash:t.prev_hash??t.prevHash,createdAt:t.created_at??t.createdAt}}function Ir(t){let e={ok:!!t.ok,checked:Number(t.checked??0)};return t.first_bad_seq!==void 0&&t.first_bad_seq!==null&&(e.firstBadSeq=Number(t.first_bad_seq)),t.reason!==void 0&&(e.reason=t.reason),e}var L=class{constructor(e){this.http=e;this.events=new Ze(e),this.server=new et(e);}http;events;server;scoped(e){return new Qe(this.http,e)}integrityCheck(e,r){return this.scoped(e).integrityCheck(r)}anonymize(e,r,n){return this.scoped(e).anonymize(r,n)}},Qe=class{constructor(e,r){this.http=e;this.tenantSlug=r;this.events=new Ue(e,r),this.server=new Be(e,r);}http;tenantSlug;events;server;async integrityCheck(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/integrity-check`,o({ring:"admin"},e));return Ir(r)}async anonymize(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/anonymize`,o({ring:"admin",body:{tenant_id:this.tenantSlug,actor_id:e.actorId??e.subjectId,anonymized_id:e.anonymizedId},idempotent:false},r));return n===void 0?void 0:Le(n)}},Ze=class{constructor(e){this.http=e;}http;forTenant(e){return new Ue(this.http,e)}},Ue=class{constructor(e,r){this.http=e;this.tenantSlug=r;}http;tenantSlug;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events`,o({ring:"admin",query:{...O(e),...e?.type?{type:e.type}:{}}},e));return Array.isArray(r)?{items:r.map(Le),nextCursor:null,total:r.length}:q({items:r.items??[],next_cursor:r.next_cursor??null,total:r.total??r.items?.length??0},Le)}async get(e,r){let n=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/${i(e)}`,o({ring:"admin"},r));return Le(n)}},et=class{constructor(e){this.http=e;}http;forTenant(e){return new Be(this.http,e)}},Be=class{constructor(e,r){this.http=e;this.tenantSlug=r;}http;tenantSlug;async emit(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/server`,o({ring:"admin",body:{type:e.type,actor_id:e.actorId,resource:e.resource,payload:e.payload},idempotent:false},r));return Le(n)}};var U=class{constructor(e){this.http=e;}http;list(e,r){return this.http.request("GET",`/api/v1/tenants/${i(e)}/identity-providers`,o({ring:"admin"},r))}create(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers`,o({ring:"admin",body:r,idempotent:false},n))}enable(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers/${i(r)}/enable`,o({ring:"admin",body:{},idempotent:false},n))}disable(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers/${i(r)}/disable`,o({ring:"admin",body:{},idempotent:false},n))}};var B=class{constructor(e){this.http=e;}http;create(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/categories`,o({ring:"admin",body:y(r),idempotent:false},n))}update(e,r,n,s){return this.http.request("PATCH",`/api/v1/tenants/${i(e)}/categories/${i(r)}`,o({ring:"admin",body:y(n),idempotent:false},s))}delete(e,r,n){return this.http.request("DELETE",`/api/v1/tenants/${i(e)}/categories/${i(r)}`,o({ring:"admin",idempotent:true},n))}};var Ar=new Set(["1","true","yes","on"]);function Rr(t){return t?.trim().toLowerCase()==="production"}function Er(t){return t===void 0?false:Ar.has(t.trim().toLowerCase())}function Ht(){if(Rr(process.env.NODE_ENV)){if(Er(process.env.AX_HUB_ALLOW_MOCK_IN_PROD)){console.warn("[@ax-hub/admin-sdk] WARNING: mock mode active in production (AX_HUB_ALLOW_MOCK_IN_PROD opt-in).");return}throw new he({message:"Mock mode active in production without explicit opt-in",code:"mock_in_production",category:"configuration",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/mock-in-production"})}}function vt(t){return new h({message:`Mock tenant not found: ${t}`,code:"tenant_not_found",category:"not_found",httpStatus:404,retryable:false,requestId:"",resource:`tenants/${t}`})}var tt=class{tenants=new Map;nextId=1;constructor(e){for(let r of e?.tenants??[]){let n=String(r.id);this.tenants.set(n,{...r,id:n});}}createTenant(e){let r=`tenant_${this.nextId++}`,n=new Date().toISOString(),s={id:r,slug:e.slug,name:e.name,...e.plan!==void 0?{plan:e.plan}:{},createdAt:n,updatedAt:n};return this.tenants.set(r,s),{...s}}getTenant(e){let r=this.tenants.get(e);if(!r)throw vt(e);return {...r}}listTenants(){let e=[...this.tenants.values()].map(r=>({...r}));return {items:e,nextCursor:null,total:e.length}}updateTenant(e,r){let n=this.tenants.get(e);if(!n)throw vt(e);let s={...n,...r,id:e,updatedAt:new Date().toISOString()};return this.tenants.set(e,s),{...s}}deleteTenant(e){if(!this.tenants.has(e))throw vt(e);this.tenants.delete(e);}};function jt(t){if(t.mode==="mock")return Ht(),new tt(t.fixtures)}var zt="https://api.axhub.ai";function _r(t){return typeof t=="object"&&t!==null&&"__sharedHttp"in t}var Tt=class{http;logger;mock;r;n;s;i;o;constructor(e){if(_r(e)){this.http=e.__sharedHttp,this.logger=e.logger;return}if(e.token!==void 0&&e.tokenType===void 0)throw new TypeError('AdminClient requires tokenType when token is set ("pat" | "jwt")');let r=e.token!==void 0&&e.tokenType!==void 0?new Ce({token:e.token,tokenType:e.tokenType,onRefresh:e.onRefresh}):new Oe;this.http=new je({baseUrl:e.baseUrl??zt,auth:r,fetch:e.fetch,logger:e.logger,debug:e.debug,timeoutMs:e.timeoutMs,idempotencyKey:e.idempotencyKey,retryPolicy:e.retryPolicy,rateLimitStrategy:e.rateLimitStrategy}),this.logger=e.logger??He,this.mock=jt(e);}get tenants(){return this.r||(this.r=new P(this.http,this.mock)),this.r}get authz(){return this.n||(this.n=new D(this.http)),this.n}get audit(){return this.s||(this.s=new L(this.http)),this.s}get identityProviders(){return this.i||(this.i=new U(this.http)),this.i}get categories(){return this.o||(this.o=new B(this.http)),this.o}tenant(e){return new rt(e,this.http)}},rt=class{constructor(e,r){this.tenant=e;this.http=r;}tenant;http;get tenants(){return new P(this.http).scoped(this.tenant)}get authz(){return new D(this.http).scoped(this.tenant)}get audit(){return new L(this.http).scoped(this.tenant)}get identityProviders(){return new U(this.http)}get categories(){return new B(this.http)}};
-exports.AbortError=T;exports.AccessDeniedError=w;exports.AdminClient=Tt;exports.AlreadyAccessedError=Z;exports.AlreadyActiveError=X;exports.AlreadyDeletedError=H;exports.AlreadyInactiveError=Q;exports.AlreadyMemberError=F;exports.AlreadyRevokedError=Y;exports.AlreadySettledError=J;exports.AppUnavailableError=ge;exports.AuditClient=L;exports.AuditEventsClient=Ze;exports.AuditEventsForTenantClient=Ue;exports.AuditServerClient=et;exports.AuditServerForTenantClient=Be;exports.AuthorizationPendingError=xe;exports.AuthzClient=D;exports.AuthzGrantsClient=Xe;exports.AuthzSubjectsClient=Je;exports.AuthzTagsClient=Ye;exports.AxHubError=d;exports.BadRequestError=ce;exports.CategoriesAdminClient=B;exports.ConfigurationError=Me;exports.ConflictError=u;exports.DEFAULT_BASE_URL=zt;exports.DecodeError=I;exports.DeviceFlowDeniedError=lt;exports.DeviceFlowTimeoutError=pt;exports.DomainTakenError=ie;exports.DuplicateError=oe;exports.EmptyError=ue;exports.ExpiredTokenError=C;exports.ForbiddenError=G;exports.IdentityProviderClient=U;exports.InternalServerError=E;exports.IntrospectFailedError=ut;exports.InvalidClientError=Ie;exports.InvalidCursorError=S;exports.InvalidGrantError=be;exports.InvalidPathError=st;exports.InvalidRequestError=Ae;exports.InvalidScopeError=Re;exports.InvalidStateTransitionError=ne;exports.InvalidTargetError=Te;exports.InvalidTokenError=Ee;exports.InvalidValueError=ae;exports.InvitationExpiredError=V;exports.LastAdminError=te;exports.LegacyCursorError=k;exports.MockInProductionError=he;exports.NetworkError=ye;exports.NoAuth=Oe;exports.NotAdminError=N;exports.NotAllowedError=pe;exports.NotDeletedError=ee;exports.NotFoundError=h;exports.NotMemberError=le;exports.OAuthError=c;exports.OAuthServerError=ke;exports.PendingExistsError=re;exports.PermanentlyDeletedError=W;exports.PermissionDeniedError=v;exports.PoolStaleError=fe;exports.PreconditionFailedError=$;exports.RateLimitedError=R;exports.RequiredError=de;exports.ScanLimitExceededError=ct;exports.SchemaNameTakenError=se;exports.SlowDownError=ve;exports.SlugTakenError=M;exports.StaticTokenAuth=Ce;exports.StreamConsumedError=$e;exports.TableNotFoundError=dt;exports.TemporarilyUnavailableError=we;exports.TenantAuditClient=Qe;exports.TenantAuthzClient=Ve;exports.TenantEmailDomainsClient=We;exports.TenantEmailDomainsForTenantClient=De;exports.TenantIdRequiredError=ot;exports.TenantInvitationsClient=Ge;exports.TenantInvitationsForTenantClient=Pe;exports.TenantMembersClient=Ne;exports.TenantMembersForTenantClient=qe;exports.TenantScopedAdminClient=rt;exports.TenantScopedTenantsAdminClient=Ke;exports.TenantSlugRequiredError=it;exports.TenantsAdminClient=P;exports.TimeoutError=me;exports.TokenExpiredError=z;exports.TokenInvalidError=K;exports.TokenMissingError=j;exports.UnauthenticatedError=x;exports.UnauthorizedClientError=_e;exports.UnavailableError=_;exports.UnsupportedGrantTypeError=Se;exports.ValidationError=p;exports.WebhookVerificationError=at;exports.asAppId=Jt;exports.asAppSlug=er;exports.asDeploymentId=Xt;exports.asPatId=tr;exports.asRequestId=nr;exports.asTenantId=Qt;exports.asTenantSlug=Zt;exports.asUserId=rr;exports.cursorFromRow=mr;exports.decodeCursor=pr;exports.encodeCursor=Bt;exports.formatErrorMessage=Rt;exports.id=ir;exports.orderByFingerprint=yr;exports.parseRetryAfter=yt;exports.signWebhook=xr;exports.verifyWebhook=vr;
+'use strict';var ulid=require('ulid'),crypto=require('crypto');var d=class extends Error{code;category;httpStatus;retryable;requestId;resource;fields;retry;docUrl;constructor(e){super(e.message,e.cause?{cause:e.cause}:void 0),this.name=this.constructor.name,this.code=e.code,this.category=e.category,this.httpStatus=e.httpStatus,this.retryable=e.retryable,this.requestId=e.requestId,e.resource!==void 0&&(this.resource=e.resource),e.fields!==void 0&&(this.fields=e.fields),e.retry!==void 0&&(this.retry=e.retry),e.docUrl!==void 0&&(this.docUrl=e.docUrl);}toJSON(){return {name:this.name,message:this.message,code:this.code,category:this.category,httpStatus:this.httpStatus,retryable:this.retryable,requestId:this.requestId,resource:this.resource,fields:this.fields,retry:this.retry,docUrl:this.docUrl}}toString(){return _t(this)}};function _t(t){let e=[`${t.name}[${t.code}]`];return t.requestId&&e.push(`req=${t.requestId}`),e.push(`problem=${t.message}`),t.fields?.length&&e.push(`cause=${t.fields.map(r=>`${r.name}:${r.code}`).join(",")}`),t.retry?.afterMs!==void 0?e.push(`fix=retry_after_${t.retry.afterMs}ms`):t.retryable?e.push("fix=retry_with_backoff"):e.push("fix=inspect_input_or_permissions"),t.docUrl&&e.push(`docs=${t.docUrl}`),e.join(" ")}var l=class extends d{},x=class extends d{},v=class extends d{},h=class extends d{},u=class extends d{},$=class extends d{},A=class extends d{},R=class extends d{},E=class extends d{},M=class extends u{},F=class extends u{},H=class extends u{},j=class extends x{},z=class extends x{},K=class extends x{},N=class extends v{},G=class extends v{},W=class extends h{},V=class extends h{},Me=class extends h{},Y=class extends u{},J=class extends u{},X=class extends u{},Q=class extends u{},Z=class extends u{},ee=class extends u{},te=class extends u{},re=class extends u{},ne=class extends u{},se=class extends u{},ie=class extends u{},oe=class extends u{},ae=class extends l{},Fe=class extends l{},de=class extends l{},ue=class extends l{},ce=class extends l{},le=class extends v{},pe=class extends v{},ge=class extends E{},ye=class extends d{},me=class extends d{},_=class extends d{},T=class extends d{},at=class extends d{},He=class extends d{},dt=class extends d{},ut=class extends d{},je=class extends d{},fe=class extends x{},ct=class extends l{},lt=class extends h{},pt=class extends R{},S=class extends l{},k=class extends l{},he=class extends je{},gt=class extends R{},c=class extends d{description;uri;constructor(e){super({message:e.description??e.code,code:e.code,category:"oauth",httpStatus:e.httpStatus,retryable:e.retryable,requestId:e.requestId}),e.description!==void 0&&(this.description=e.description),e.uri!==void 0&&(this.uri=e.uri);}},be=class extends c{},w=class extends c{},xe=class extends c{},ve=class extends c{},C=class extends c{},yt=class extends w{},mt=class extends C{},Te=class extends c{},Ie=class extends c{},Ae=class extends c{},Re=class extends c{},Ee=class extends c{},_e=class extends c{},Se=class extends c{},ke=class extends c{},we=class extends c{};var St={slug_taken:M,already_member:F,already_deleted:H,already_revoked:Y,already_settled:J,already_active:X,already_inactive:Q,already_accessed:Z,not_deleted:ee,last_admin:te,pending_exists:re,invalid_state_transition:ne,schema_name_taken:se,domain_taken:ie,duplicate:oe,token_missing:j,token_expired:z,token_invalid:K,pool_stale:fe,not_admin:N,forbidden:G,not_member:le,not_allowed:pe,permanently_deleted:W,invitation_expired:V,link_invalid:Me,invalid_value:ae,invalid_expiry:Fe,required:de,empty:ue,bad_request:ce,app_unavailable:ge},kt={validation:l,unauthenticated:x,permission_denied:v,not_found:h,conflict:u,precondition_failed:$,rate_limited:A,internal:R,unavailable:E},wt={invalid_grant:be,access_denied:w,authorization_pending:xe,slow_down:ve,expired_token:C,invalid_target:Te,invalid_client:Ie,invalid_request:Ae,invalid_scope:Re,invalid_token:Ee,unauthorized_client:_e,unsupported_grant_type:Se,server_error:ke,temporarily_unavailable:we},Ct={authorization_pending:true,slow_down:true,access_denied:false,invalid_grant:false,expired_token:false,server_error:true,temporarily_unavailable:true};function Vt(t){if(typeof t!="object"||t===null)return  false;let e=t.error;if(typeof e!="object"||e===null)return  false;let r=e;return typeof r.code=="string"&&typeof r.category=="string"&&typeof r.retryable=="boolean"}function Yt(t){return typeof t!="object"||t===null?false:typeof t.error=="string"}function Ot(t){return t.startsWith("/oauth/")||t.startsWith("/auth/")}function ft(t){return Ot(t.path)&&Yt(t.body)?Xt(t):Vt(t.body)?Jt(t):new _({message:"Unexpected error response shape",code:"decode_failed",category:"decode",httpStatus:t.status,retryable:false,requestId:t.fallbackRequestId})}function Jt(t){let r=t.body.error,n=r.retry?{afterMs:r.retry.after_ms}:void 0,s={message:r.message,code:r.code,category:r.category,httpStatus:t.status,retryable:r.retryable,requestId:r.request_id||t.fallbackRequestId,resource:r.resource,fields:r.fields,retry:n,docUrl:r.doc_url},a=St[r.code];if(a)return new a(s);let p=kt[r.category]??d;return new p(s)}function Xt(t){let e=t.body,r=wt[e.error]??c,n=Ct[e.error]??false;return new r({code:e.error,description:e.error_description,uri:e.error_uri,httpStatus:t.status,retryable:n,requestId:t.fallbackRequestId})}function Qt(t){return t}function Zt(t){return t}function er(t){return t}function tr(t){return t}function rr(t){return t}function nr(t){return t}function sr(t){return t}function ir(t){return t}var or=/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,qt=/^[a-z][a-z0-9-]{0,62}$/;function ze(t,e,r){return new l({message:t,code:r,category:"validation",httpStatus:0,retryable:false,requestId:"",fields:[{name:e,code:r}]})}function f(t,e){if(t.trim()==="")throw ze(`${e} must be non-empty`,e,"empty");if(!or.test(t))throw ze(`${e} must be a UUID`,e,"invalid_uuid")}function Pt(t,e){if(t.trim()==="")throw ze(`${e} must be non-empty`,e,"empty");if(!qt.test(t))throw ze(`${e} must match ${qt.source}`,e,"invalid_slug")}var ar={tenant(t){return f(t,"tenantId"),t},tenantSlug(t){return Pt(t,"tenantSlug"),t},app(t){return f(t,"appId"),t},appSlug(t){return Pt(t,"appSlug"),t},user(t){return f(t,"userId"),t},deployment(t){return f(t,"deploymentId"),t},pat(t){return f(t,"patId"),t},resource(t){return f(t,"resourceId"),t},connector(t){return f(t,"connectorId"),t},subject(t){return f(t,"subjectId"),t},grant(t){return f(t,"grantId"),t},tag(t){return f(t,"tagId"),t},auditEvent(t){return f(t,"auditEventId"),t},table(t){return f(t,"tableId"),t}};var Ce=class{token;tokenType;onRefresh;refreshing=null;constructor(e){this.token=e.token,this.tokenType=e.tokenType,this.onRefresh=e.onRefresh;}currentToken(){return this.token}headersFor(e){return e==="public"?{}:this.tokenType==="pat"?{"X-Api-Key":this.token}:{Authorization:`Bearer ${this.token}`}}async onUnauthorized(){return this.tokenType!=="jwt"||!this.onRefresh?false:this.refreshing?this.refreshing:(this.refreshing=(async()=>{try{let e=await this.onRefresh();return this.token=e,!0}catch{return  false}finally{this.refreshing=null;}})(),this.refreshing)}},Oe=class{headersFor(e){return {}}async onUnauthorized(){return  false}};var Ke={debug(){},info(){},warn(){},error(){}};function ht(t){if(!t)return 6e4;let e=t.trim();if(e==="")return 6e4;let r=Number(e);if(Number.isFinite(r))return r>=0?Math.floor(r*1e3):6e4;let n=Date.parse(e);return Number.isNaN(n)?6e4:Math.max(0,n-Date.now())}var dr=new Set(["authorization","x-api-key","cookie","set-cookie","proxy-authorization"]),ur="***REDACTED***";function Dt(t){let e={},r=(n,s)=>{e[n]=dr.has(n.toLowerCase())?ur:s;};if(typeof Headers<"u"&&t instanceof Headers)t.forEach((n,s)=>r(s,n));else for(let[n,s]of Object.entries(t))r(n,s);return e}var xt={maxAttempts:3,baseMs:200,capMs:5e3,jitter:Math.random};function cr(t){return t instanceof d?t.retryable:t instanceof TypeError}async function Lt(t,e=xt,r){let n;for(let s=0;s<e.maxAttempts;s++){if(r?.aborted)throw bt("aborted before attempt",r.reason);try{return await t(s)}catch(a){if(n=a,!cr(a)||s===e.maxAttempts-1)throw a;let p=Math.min(e.capMs,e.baseMs*2**s)*e.jitter();await vt(p,r);}}throw n}function vt(t,e){return new Promise((r,n)=>{if(e?.aborted){n(bt("aborted before sleep",e.reason));return}let s=setTimeout(()=>{e?.removeEventListener("abort",a),r();},t),a=()=>{clearTimeout(s),n(bt("aborted during sleep",e?.reason));};e?.addEventListener("abort",a,{once:true});})}function bt(t,e){return new T({message:t,code:"aborted",category:"abort",httpStatus:0,retryable:false,requestId:"",cause:e})}var lr=new Set(["GET","HEAD","OPTIONS"]),Ne=class{baseUrl;auth;fetch;logger;debug;timeoutMs;idempotencyKey;retryPolicy;rateLimitStrategy;constructor(e){this.baseUrl=e.baseUrl.replace(/\/$/,""),this.auth=e.auth,this.fetch=e.fetch??globalThis.fetch,this.logger=e.logger??Ke,this.debug=e.debug??false,this.timeoutMs=e.timeoutMs??3e4,this.idempotencyKey={autoGenerate:e.idempotencyKey?.autoGenerate??true,generator:e.idempotencyKey?.generator??ulid.ulid},this.retryPolicy=e.retryPolicy??xt,this.rateLimitStrategy=e.rateLimitStrategy??"sleep";}async request(e,r,n){let s=lr.has(e.toUpperCase()),a=this.withStableIdempotencyKey(n);return s||n.idempotent?Lt(()=>this.requestOnce(e,r,a),this.retryPolicy,a.signal):this.requestOnce(e,r,a)}async requestOnce(e,r,n){let s=this.buildUrl(r,n.query),a=ulid.ulid(),p=this.buildHeaders(a,n);if(n.body!==void 0&&n.form!==void 0)throw new d({message:"body and form are mutually exclusive",code:"invalid_request_body",category:"validation",httpStatus:0,retryable:false,requestId:a});let b=n.form!==void 0?this.formBody(n.form):n.body!==void 0?JSON.stringify(n.body):void 0;b!==void 0&&(p["Content-Type"]=n.form!==void 0?"application/x-www-form-urlencoded":"application/json");let g=new AbortController,$e=()=>g.abort(n.signal?.reason);n.signal?.addEventListener("abort",$e,{once:true});let Et=n.timeoutMs??this.timeoutMs,Gt=setTimeout(()=>g.abort(new Error("timeout")),Et),y;try{this.logRequest(e,s,p,a),y=await this.fetch(s,{method:e,headers:p,body:b,redirect:"manual",signal:g.signal});}catch(I){throw n.signal?.aborted?new T({message:"Request aborted",code:"aborted",category:"abort",httpStatus:0,retryable:false,requestId:a,cause:I}):g.signal.aborted?new me({message:`Request timed out after ${Et}ms`,code:"timeout",category:"timeout",httpStatus:0,retryable:true,requestId:a,cause:I}):new ye({message:"Network error",code:"network",category:"network",httpStatus:0,retryable:true,requestId:a,cause:I})}finally{clearTimeout(Gt),n.signal?.removeEventListener("abort",$e);}if(y.status>=300&&y.status<400)return {status:y.status,location:y.headers.get("Location")??y.headers.get("location")};if(n.rawResponse&&y.ok)return {response:y,requestId:a};if(y.ok)return this.parseSuccess(y,n,a);let ot=await this.safeParseJson(y);if(y.status===401&&n.ring==="admin"&&await this.auth.onUnauthorized())return this.requestOnce(e,r,n);if(y.status===429){let I=ht(y.headers.get("Retry-After")),Wt=new A({message:pr(ot)??"Rate limited",code:gr(ot)??"rate_limited",category:"rate_limited",httpStatus:429,retryable:true,requestId:a,retry:{afterMs:I}});if(this.rateLimitStrategy==="sleep")return await vt(I,n.signal),this.requestOnce(e,r,n);throw Wt}throw ft({path:r,status:y.status,body:ot,fallbackRequestId:a})}async parseSuccess(e,r,n){if(e.status===204||r.parseBody===false)return;let s=await e.text();if(s!=="")try{return JSON.parse(s)}catch{return s}}async safeParseJson(e){try{let r=await e.text();return r===""?void 0:JSON.parse(r)}catch{return}}buildUrl(e,r){let n=e.startsWith("/")?e:`/${e}`,s=this.baseUrl+n;if(!r)return s;let a=new URLSearchParams;for(let[b,g]of Object.entries(r))if(g!==void 0)if(Array.isArray(g))for(let $e of g)a.append(b,String($e));else a.set(b,String(g));let p=a.toString();return p?`${s}?${p}`:s}buildHeaders(e,r){let n=this.resolveIdempotencyKey(r);return {"X-Request-Id":e,Accept:"application/json",...r.ring!=="public"?this.auth.headersFor(r.ring):{},...n?{"Idempotency-Key":n}:{},...r.headers??{}}}resolveIdempotencyKey(e){if(e.idempotencyKey!==false){if(typeof e.idempotencyKey=="string"){if(e.idempotencyKey.trim()==="")throw new d({message:"idempotencyKey must be non-empty",code:"invalid_idempotency_key",category:"validation",httpStatus:0,retryable:false,requestId:""});return e.idempotencyKey}if(!(!e.idempotent||!this.idempotencyKey.autoGenerate))return this.idempotencyKey.generator()}}formBody(e){let r=new URLSearchParams;for(let[n,s]of Object.entries(e))s!==void 0&&r.set(n,String(s));return r.toString()}withStableIdempotencyKey(e){return e.idempotencyKey!==void 0||!e.idempotent||!this.idempotencyKey.autoGenerate?e:{...e,idempotencyKey:this.idempotencyKey.generator()}}logRequest(e,r,n,s){this.debug&&this.logger.debug({method:e,url:r,headers:Dt(n),requestId:s},"http.request");}};function pr(t){if(typeof t!="object"||t===null)return;let e=t.error;if(typeof e=="object"&&e!==null){let r=e.message;if(typeof r=="string")return r}if(typeof e=="string")return e}function gr(t){if(typeof t!="object"||t===null)return;let e=t.error;if(typeof e=="object"&&e!==null){let r=e.code;if(typeof r=="string")return r}}var Bt=4096,$t=false;function Mt(t){return `v2:${Buffer.from(JSON.stringify(t),"utf8").toString("base64url")}`}function yr(t){if(t.length>Bt)throw new S({message:`Cursor token exceeds maximum size (${Bt} chars)`,code:"invalid_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/invalid-cursor"});if(t.startsWith("v1:"))throw new k({message:"Legacy v1: cursor token is not compatible with keyset pagination; restart pagination without cursor",code:"legacy_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/legacy-cursor"});if(!t.startsWith("v2:"))throw new k({message:"Cursor token is missing the v2: keyset prefix; restart pagination without cursor",code:"legacy_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/legacy-cursor"});try{let e=JSON.parse(Buffer.from(t.slice(3),"base64url").toString("utf8"));if(!br(e))throw new Error("invalid cursor shape");return e}catch(e){throw new S({message:"Malformed keyset cursor token",code:"invalid_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",cause:e,docUrl:"https://docs.axhub.dev/errors/validation/invalid-cursor"})}}function mr(t,e){let r=typeof t=="string"?t.split(",").map(n=>{let s=n.trim();return s.startsWith("-")?{field:s.slice(1),dir:"desc"}:s.startsWith("+")?{field:s.slice(1),dir:"asc"}:{field:s,dir:"asc"}}).filter(n=>n.field.length>0):[...t??[]].map(n=>({field:n.field,dir:n.dir??"asc"}));return r.length>0&&!r.some(n=>n.field==="id")&&(e?.warnOnTiebreaker&&!$t&&($t=true,console.warn("AX Hub SDK: orderBy is not unique; appending id ASC as keyset cursor tiebreaker")),r.push({field:"id",dir:"asc"})),r}function fr(t){return JSON.stringify(Ft(t))}function hr(t,e){if(!t)return null;let r=Ft(e?.orderBy,{warnOnTiebreaker:true}),n={};for(let b of r){let g=t[b.field];(g===null||typeof g=="string"||typeof g=="number"||typeof g=="boolean")&&(n[b.field]=g);}let s=t.id,a={values:n,direction:e?.direction??"forward",orderBy:r,orderByFingerprint:JSON.stringify(r)};(typeof s=="string"||typeof s=="number")&&(a.tiebreaker={field:"id",value:s});let p=e?.page;return typeof p=="number"&&Number.isInteger(p)&&p>0&&(a.page=p),e?.contextFingerprint&&(a.contextFingerprint=e.contextFingerprint),Mt(a)}function Ft(t,e){let r=mr(t,e);return r.length>0?r:[{field:"id",dir:"asc"}]}function br(t){return typeof t=="object"&&t!==null&&typeof t.values=="object"&&(t.direction==="forward"||t.direction==="backward")&&Array.isArray(t.orderBy)&&typeof t.orderByFingerprint=="string"}function Tt(t){return Buffer.isBuffer(t)?t:Buffer.from(t)}function vr(t){let e=t.startsWith("sha256=")?t.slice(7):t;return /^[0-9a-f]{64}$/i.test(e)?Buffer.from(e,"hex"):null}function Tr(t,e,r){let n=r?Buffer.concat([Buffer.from(`${r}.`),Tt(t)]):Tt(t);return `sha256=${crypto.createHmac("sha256",e).update(n).digest("hex")}`}function Ir(t){if(!t.secret)return {ok:false,reason:"missing_secret"};let e=vr(t.signature);if(!e)return {ok:false,reason:"malformed_signature"};let r=Math.floor((t.now?.()??Date.now())/1e3),n=Tt(t.rawBody);if(t.timestamp!==void 0){let a=Number(t.timestamp);if(!Number.isFinite(a))return {ok:false,reason:"timestamp_skew"};let p=t.tolerance??300;if(Math.abs(r-a)>p)return {ok:false,reason:"timestamp_skew"};let b=`${t.timestamp}:${t.signature}`;if(t.replayCache?.has(b))return {ok:false,reason:"replay"};n=Buffer.concat([Buffer.from(`${t.timestamp}.`),n]);}let s=crypto.createHmac("sha256",t.secret).update(n).digest();return e.byteLength!==s.byteLength?{ok:false,reason:"signature_mismatch"}:crypto.timingSafeEqual(e,s)?(t.timestamp!==void 0&&t.replayCache?.add(`${t.timestamp}:${t.signature}`),{ok:true}):{ok:false,reason:"signature_mismatch"}}function o(t,e){return {...t,signal:e?.signal,timeoutMs:e?.timeoutMs,idempotencyKey:e?.idempotencyKey}}function O(t){let e={};return t?.pageSize!==void 0&&(e.limit=t.pageSize),t?.cursor!==void 0&&(e.cursor=t.cursor),e}function q(t,e){return {items:t.items.map(e),nextCursor:t.next_cursor,total:t.total}}function m(t){let e={};for(let[r,n]of Object.entries(t))n!==void 0&&(e[r]=n);return e}function i(t){return encodeURIComponent(t)}function Ge(t){return {...t,id:String(t.id),slug:String(t.slug),name:String(t.name),createdAt:t.created_at??t.createdAt,updatedAt:t.updated_at??t.updatedAt}}function Ar(t){return {id:String(t.id),role:String(t.role),...t,userId:t.user_id??t.userId}}function It(t){return {id:String(t.id),email:String(t.email),role:String(t.role),status:String(t.status),...t}}function jt(t){return {...t,domain:String(t.domain??t.email_domain),verified:t.verified}}var P=class{constructor(e,r){this.http=e;this.mockStore=r;}http;mockStore;scoped(e){return new We(this.http,e)}async create(e,r){if(this.mockStore)return this.mockStore.createTenant(e);let n=await this.http.request("POST","/api/v1/tenants",o({ring:"admin",body:m(e),idempotent:false},r));return Ge(n)}async get(e,r){if(this.mockStore)return this.mockStore.getTenant(e);let n=await this.http.request("GET",`/api/v1/tenants/${i(e)}`,o({ring:"admin"},r));return Ge(n)}async list(e){if(this.mockStore)return this.mockStore.listTenants();let r=await this.http.request("GET","/api/v1/tenants",o({ring:"admin",query:O(e)},e));return q(r,Ge)}async update(e,r,n){if(this.mockStore)return this.mockStore.updateTenant(e,r);let s=await this.http.request("PATCH",`/api/v1/tenants/${i(e)}`,o({ring:"admin",body:m(r),idempotent:false},n));return Ge(s)}async delete(e,r){if(this.mockStore)return this.mockStore.deleteTenant(e);await this.http.request("DELETE",`/api/v1/tenants/${i(e)}`,o({ring:"admin",idempotent:true},r));}async signIconUploadURL(e,r,n){let s=await this.http.request("POST",`/api/v1/tenants/${i(e)}/icon/upload-url`,o({ring:"admin",body:{content_type:r.contentType},idempotent:false},n));return {uploadUrl:s.upload_url??s.put_url??"",getUrl:s.get_url??s.public_url??"",expiresAt:s.expires_at}}get members(){return new Ve(this.http)}get invitations(){return new Ye(this.http)}get emailDomains(){return new Je(this.http)}},We=class{members;invitations;emailDomains;constructor(e,r){this.members=new qe(e,r),this.invitations=new Pe(e,r),this.emailDomains=new De(e,r);}},Ve=class{constructor(e){this.http=e;}http;forTenant(e){return new qe(this.http,e)}},qe=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/members`,o({ring:"admin",query:O(e)},e));return q(r,Ar)}async update(e,r,n){await this.http.request("PATCH",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}`,o({ring:"admin",body:m(r),idempotent:false},n));}async deactivate(e,r){await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}/deactivate`,o({ring:"admin",body:{},idempotent:false},r));}async reactivate(e,r){await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}/reactivate`,o({ring:"admin",body:{},idempotent:false},r));}},Ye=class{constructor(e){this.http=e;}http;forTenant(e){return new Pe(this.http,e)}},Pe=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/invitations`,o({ring:"admin",query:O(e)},e));return q(r,It)}async create(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/invitations`,o({ring:"admin",body:m(e),idempotent:false},r));return It(n)}async bulkCreate(e,r){if(e.length>200)throw new l({message:"bulk invitations are capped at 200",code:"too_many_items",category:"validation",httpStatus:0,retryable:false,requestId:"",fields:[{name:"invitations",code:"max_200"}]});let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/invitations/bulk`,o({ring:"admin",body:{items:e},idempotent:false},r));return {accepted:(n.succeeded??[]).map(It),rejected:(n.failed??[]).map(s=>({email:s.email,reason:s.reason,message:s.message}))}}async delete(e,r){await this.http.request("DELETE",`/api/v1/tenants/${i(this.tenant)}/invitations/${i(e)}`,o({ring:"admin",idempotent:true},r));}},Je=class{constructor(e){this.http=e;}http;forTenant(e){return new De(this.http,e)}},De=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){return (await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/email-domains`,o({ring:"admin"},e))).items.map(jt)}async create(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/email-domains`,o({ring:"admin",body:{email_domain:e.domain},idempotent:false},r));return jt(n)}async delete(e,r){await this.http.request("DELETE",`/api/v1/tenants/${i(this.tenant)}/email-domains/${i(e)}`,o({ring:"admin",idempotent:true},r));}};var D=class{constructor(e){this.http=e;}http;scoped(e){return new Xe(this.http,e)}},Xe=class{tags;subjects;grants;constructor(e,r){let n=`/api/v1/tenants/${i(r)}`;this.tags=new Qe(e,`${n}/tags`),this.subjects=new Ze(e,`${n}/subjects`),this.grants=new et(e,`${n}/grants`);}},Qe=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}create(e,r){return this.http.request("POST",this.base,o({ring:"admin",body:m(e),idempotent:false},r))}update(e,r,n){return this.http.request("PATCH",`${this.base}/${i(e)}`,o({ring:"admin",body:m(r),idempotent:false},n))}delete(e,r){return this.http.request("DELETE",`${this.base}/${i(e)}`,o({ring:"admin",idempotent:true},r))}},Ze=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}create(e,r){return this.http.request("POST",this.base,o({ring:"admin",body:m(e),idempotent:false},r))}update(e,r,n){return this.http.request("PATCH",`${this.base}/${i(e)}`,o({ring:"admin",body:m(r),idempotent:false},n))}delete(e,r){return this.http.request("DELETE",`${this.base}/${i(e)}`,o({ring:"admin",idempotent:true},r))}},et=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}};function Le(t){return {id:String(t.id),...t,actorId:t.actor_id??t.actorId,prevHash:t.prev_hash??t.prevHash,createdAt:t.created_at??t.createdAt}}function Rr(t){let e={ok:!!t.ok,checked:Number(t.checked??0)};return t.first_bad_seq!==void 0&&t.first_bad_seq!==null&&(e.firstBadSeq=Number(t.first_bad_seq)),t.reason!==void 0&&(e.reason=t.reason),e}var L=class{constructor(e){this.http=e;this.events=new rt(e),this.server=new nt(e);}http;events;server;scoped(e){return new tt(this.http,e)}integrityCheck(e,r){return this.scoped(e).integrityCheck(r)}anonymize(e,r,n){return this.scoped(e).anonymize(r,n)}},tt=class{constructor(e,r){this.http=e;this.tenantSlug=r;this.events=new Ue(e,r),this.server=new Be(e,r);}http;tenantSlug;events;server;async integrityCheck(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/integrity-check`,o({ring:"admin"},e));return Rr(r)}async anonymize(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/anonymize`,o({ring:"admin",body:{tenant_id:this.tenantSlug,actor_id:e.actorId??e.subjectId,anonymized_id:e.anonymizedId},idempotent:false},r));return n===void 0?void 0:Le(n)}},rt=class{constructor(e){this.http=e;}http;forTenant(e){return new Ue(this.http,e)}},Ue=class{constructor(e,r){this.http=e;this.tenantSlug=r;}http;tenantSlug;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events`,o({ring:"admin",query:{...O(e),...e?.type?{type:e.type}:{}}},e));return Array.isArray(r)?{items:r.map(Le),nextCursor:null,total:r.length}:q({items:r.items??[],next_cursor:r.next_cursor??null,total:r.total??r.items?.length??0},Le)}async get(e,r){let n=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/${i(e)}`,o({ring:"admin"},r));return Le(n)}},nt=class{constructor(e){this.http=e;}http;forTenant(e){return new Be(this.http,e)}},Be=class{constructor(e,r){this.http=e;this.tenantSlug=r;}http;tenantSlug;async emit(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/server`,o({ring:"admin",body:{type:e.type,actor_id:e.actorId,resource:e.resource,payload:e.payload},idempotent:false},r));return Le(n)}};var U=class{constructor(e){this.http=e;}http;list(e,r){return this.http.request("GET",`/api/v1/tenants/${i(e)}/identity-providers`,o({ring:"admin"},r))}create(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers`,o({ring:"admin",body:r,idempotent:false},n))}enable(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers/${i(r)}/enable`,o({ring:"admin",body:{},idempotent:false},n))}disable(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers/${i(r)}/disable`,o({ring:"admin",body:{},idempotent:false},n))}};var B=class{constructor(e){this.http=e;}http;create(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/categories`,o({ring:"admin",body:m(r),idempotent:false},n))}update(e,r,n,s){return this.http.request("PATCH",`/api/v1/tenants/${i(e)}/categories/${i(r)}`,o({ring:"admin",body:m(n),idempotent:false},s))}delete(e,r,n){return this.http.request("DELETE",`/api/v1/tenants/${i(e)}/categories/${i(r)}`,o({ring:"admin",idempotent:true},n))}};var Er=new Set(["1","true","yes","on"]);function _r(t){return t?.trim().toLowerCase()==="production"}function Sr(t){return t===void 0?false:Er.has(t.trim().toLowerCase())}function zt(){if(_r(process.env.NODE_ENV)){if(Sr(process.env.AX_HUB_ALLOW_MOCK_IN_PROD)){console.warn("[@ax-hub/admin-sdk] WARNING: mock mode active in production (AX_HUB_ALLOW_MOCK_IN_PROD opt-in).");return}throw new he({message:"Mock mode active in production without explicit opt-in",code:"mock_in_production",category:"configuration",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/mock-in-production"})}}function At(t){return new h({message:`Mock tenant not found: ${t}`,code:"tenant_not_found",category:"not_found",httpStatus:404,retryable:false,requestId:"",resource:`tenants/${t}`})}var st=class{tenants=new Map;nextId=1;constructor(e){for(let r of e?.tenants??[]){let n=String(r.id);this.tenants.set(n,{...r,id:n});}}createTenant(e){let r=`tenant_${this.nextId++}`,n=new Date().toISOString(),s={id:r,slug:e.slug,name:e.name,...e.plan!==void 0?{plan:e.plan}:{},createdAt:n,updatedAt:n};return this.tenants.set(r,s),{...s}}getTenant(e){let r=this.tenants.get(e);if(!r)throw At(e);return {...r}}listTenants(){let e=[...this.tenants.values()].map(r=>({...r}));return {items:e,nextCursor:null,total:e.length}}updateTenant(e,r){let n=this.tenants.get(e);if(!n)throw At(e);let s={...n,...r,id:e,updatedAt:new Date().toISOString()};return this.tenants.set(e,s),{...s}}deleteTenant(e){if(!this.tenants.has(e))throw At(e);this.tenants.delete(e);}};function Kt(t){if(t.mode==="mock")return zt(),new st(t.fixtures)}var Nt="https://api.axhub.ai";function kr(t){return typeof t=="object"&&t!==null&&"__sharedHttp"in t}var Rt=class{http;logger;mock;r;n;s;i;o;constructor(e){if(kr(e)){this.http=e.__sharedHttp,this.logger=e.logger;return}if(e.token!==void 0&&e.tokenType===void 0)throw new TypeError('AdminClient requires tokenType when token is set ("pat" | "jwt")');let r=e.token!==void 0&&e.tokenType!==void 0?new Ce({token:e.token,tokenType:e.tokenType,onRefresh:e.onRefresh}):new Oe;this.http=new Ne({baseUrl:e.baseUrl??Nt,auth:r,fetch:e.fetch,logger:e.logger,debug:e.debug,timeoutMs:e.timeoutMs,idempotencyKey:e.idempotencyKey,retryPolicy:e.retryPolicy,rateLimitStrategy:e.rateLimitStrategy}),this.logger=e.logger??Ke,this.mock=Kt(e);}get tenants(){return this.r||(this.r=new P(this.http,this.mock)),this.r}get authz(){return this.n||(this.n=new D(this.http)),this.n}get audit(){return this.s||(this.s=new L(this.http)),this.s}get identityProviders(){return this.i||(this.i=new U(this.http)),this.i}get categories(){return this.o||(this.o=new B(this.http)),this.o}tenant(e){return new it(e,this.http)}},it=class{constructor(e,r){this.tenant=e;this.http=r;}tenant;http;get tenants(){return new P(this.http).scoped(this.tenant)}get authz(){return new D(this.http).scoped(this.tenant)}get audit(){return new L(this.http).scoped(this.tenant)}get identityProviders(){return new U(this.http)}get categories(){return new B(this.http)}};
+exports.AbortError=T;exports.AccessDeniedError=w;exports.AdminClient=Rt;exports.AlreadyAccessedError=Z;exports.AlreadyActiveError=X;exports.AlreadyDeletedError=H;exports.AlreadyInactiveError=Q;exports.AlreadyMemberError=F;exports.AlreadyRevokedError=Y;exports.AlreadySettledError=J;exports.AppUnavailableError=ge;exports.AuditClient=L;exports.AuditEventsClient=rt;exports.AuditEventsForTenantClient=Ue;exports.AuditServerClient=nt;exports.AuditServerForTenantClient=Be;exports.AuthorizationPendingError=xe;exports.AuthzClient=D;exports.AuthzGrantsClient=et;exports.AuthzSubjectsClient=Ze;exports.AuthzTagsClient=Qe;exports.AxHubError=d;exports.BadRequestError=ce;exports.CategoriesAdminClient=B;exports.ConfigurationError=je;exports.ConflictError=u;exports.DEFAULT_BASE_URL=Nt;exports.DecodeError=_;exports.DeviceFlowDeniedError=yt;exports.DeviceFlowTimeoutError=mt;exports.DomainTakenError=ie;exports.DuplicateError=oe;exports.EmptyError=ue;exports.ExpiredTokenError=C;exports.ForbiddenError=G;exports.IdentityProviderClient=U;exports.InternalServerError=R;exports.IntrospectFailedError=pt;exports.InvalidClientError=Ie;exports.InvalidCursorError=S;exports.InvalidGrantError=be;exports.InvalidPathError=at;exports.InvalidRequestError=Ae;exports.InvalidScopeError=Re;exports.InvalidStateTransitionError=ne;exports.InvalidTargetError=Te;exports.InvalidTokenError=Ee;exports.InvalidValueError=ae;exports.InvitationExpiredError=V;exports.LastAdminError=te;exports.LegacyCursorError=k;exports.MockInProductionError=he;exports.NetworkError=ye;exports.NoAuth=Oe;exports.NotAdminError=N;exports.NotAllowedError=pe;exports.NotDeletedError=ee;exports.NotFoundError=h;exports.NotMemberError=le;exports.OAuthError=c;exports.OAuthServerError=ke;exports.PendingExistsError=re;exports.PermanentlyDeletedError=W;exports.PermissionDeniedError=v;exports.PoolStaleError=fe;exports.PreconditionFailedError=$;exports.RateLimitedError=A;exports.RequiredError=de;exports.ScanLimitExceededError=gt;exports.SchemaNameTakenError=se;exports.SlowDownError=ve;exports.SlugTakenError=M;exports.StaticTokenAuth=Ce;exports.StreamConsumedError=He;exports.TableNotFoundError=lt;exports.TemporarilyUnavailableError=we;exports.TenantAuditClient=tt;exports.TenantAuthzClient=Xe;exports.TenantEmailDomainsClient=Je;exports.TenantEmailDomainsForTenantClient=De;exports.TenantIdRequiredError=ut;exports.TenantInvitationsClient=Ye;exports.TenantInvitationsForTenantClient=Pe;exports.TenantMembersClient=Ve;exports.TenantMembersForTenantClient=qe;exports.TenantScopedAdminClient=it;exports.TenantScopedTenantsAdminClient=We;exports.TenantSlugRequiredError=dt;exports.TenantsAdminClient=P;exports.TimeoutError=me;exports.TokenExpiredError=z;exports.TokenInvalidError=K;exports.TokenMissingError=j;exports.UnauthenticatedError=x;exports.UnauthorizedClientError=_e;exports.UnavailableError=E;exports.UnsupportedGrantTypeError=Se;exports.ValidationError=l;exports.WebhookVerificationError=ct;exports.asAppId=Qt;exports.asAppSlug=rr;exports.asDeploymentId=Zt;exports.asPatId=nr;exports.asRequestId=ir;exports.asTenantId=er;exports.asTenantSlug=tr;exports.asUserId=sr;exports.cursorFromRow=hr;exports.decodeCursor=yr;exports.encodeCursor=Mt;exports.formatErrorMessage=_t;exports.id=ar;exports.orderByFingerprint=fr;exports.parseRetryAfter=ht;exports.signWebhook=Tr;exports.verifyWebhook=Ir;

package/dist/index.d.cts CHANGED Viewed

@@ -291,8 +291,9 @@ interface HttpClientOptions {
 }
 interface RequestInit2 {
     ring: AuthRing;
-    query?: Record<string, string | number | boolean | undefined>;
+    query?: Record<string, string | number | boolean | undefined | ReadonlyArray<string | number | boolean>>;
     body?: unknown;
+    form?: Record<string, string | number | boolean | undefined>;
     parseBody?: boolean;
     signal?: AbortSignal;
     idempotent?: boolean;
@@ -319,6 +320,7 @@ declare class HttpClient {
     private buildUrl;
     private buildHeaders;
     private resolveIdempotencyKey;
+    private formBody;
     private withStableIdempotencyKey;
     private logRequest;
 }
@@ -346,15 +348,15 @@ declare class NoAuth implements AuthProvider {
 interface PaginatedList<T> {
     items: T[];
     nextCursor: string | null;
-    total: number;
+    total?: number;
     firstCursor?: string | null;
     hasNext?: boolean;
     hasPrev?: boolean;
     /**
-     * `true` when `total` reflects the full filtered result set the caller will
-     * see. `false` when SDK-side filtering (no backend `where` pushdown) means
-     * `total` is the backend's unfiltered total and the true filtered count
-     * requires walking remaining pages. Absent on plain unfiltered queries.
+     * `true` when `total` reflects the full filtered result set. `false` when
+     * the producer knows the list omits an exact total. When `total` is absent,
+     * callers should use the resource-specific `count()` method if they need an
+     * exact count.
      */
     totalIsExact?: boolean;
 }

package/dist/index.d.ts CHANGED Viewed

@@ -291,8 +291,9 @@ interface HttpClientOptions {
 }
 interface RequestInit2 {
     ring: AuthRing;
-    query?: Record<string, string | number | boolean | undefined>;
+    query?: Record<string, string | number | boolean | undefined | ReadonlyArray<string | number | boolean>>;
     body?: unknown;
+    form?: Record<string, string | number | boolean | undefined>;
     parseBody?: boolean;
     signal?: AbortSignal;
     idempotent?: boolean;
@@ -319,6 +320,7 @@ declare class HttpClient {
     private buildUrl;
     private buildHeaders;
     private resolveIdempotencyKey;
+    private formBody;
     private withStableIdempotencyKey;
     private logRequest;
 }
@@ -346,15 +348,15 @@ declare class NoAuth implements AuthProvider {
 interface PaginatedList<T> {
     items: T[];
     nextCursor: string | null;
-    total: number;
+    total?: number;
     firstCursor?: string | null;
     hasNext?: boolean;
     hasPrev?: boolean;
     /**
-     * `true` when `total` reflects the full filtered result set the caller will
-     * see. `false` when SDK-side filtering (no backend `where` pushdown) means
-     * `total` is the backend's unfiltered total and the true filtered count
-     * requires walking remaining pages. Absent on plain unfiltered queries.
+     * `true` when `total` reflects the full filtered result set. `false` when
+     * the producer knows the list omits an exact total. When `total` is absent,
+     * callers should use the resource-specific `count()` method if they need an
+     * exact count.
      */
     totalIsExact?: boolean;
 }

package/dist/index.js CHANGED Viewed

@@ -1,2 +1,2 @@
-import {ulid}from'ulid';import {createHmac,timingSafeEqual}from'crypto';var d=class extends Error{code;category;httpStatus;retryable;requestId;resource;fields;retry;docUrl;constructor(e){super(e.message,e.cause?{cause:e.cause}:void 0),this.name=this.constructor.name,this.code=e.code,this.category=e.category,this.httpStatus=e.httpStatus,this.retryable=e.retryable,this.requestId=e.requestId,e.resource!==void 0&&(this.resource=e.resource),e.fields!==void 0&&(this.fields=e.fields),e.retry!==void 0&&(this.retry=e.retry),e.docUrl!==void 0&&(this.docUrl=e.docUrl);}toJSON(){return {name:this.name,message:this.message,code:this.code,category:this.category,httpStatus:this.httpStatus,retryable:this.retryable,requestId:this.requestId,resource:this.resource,fields:this.fields,retry:this.retry,docUrl:this.docUrl}}toString(){return Rt(this)}};function Rt(t){let e=[`${t.name}[${t.code}]`];return t.requestId&&e.push(`req=${t.requestId}`),e.push(`problem=${t.message}`),t.fields?.length&&e.push(`cause=${t.fields.map(r=>`${r.name}:${r.code}`).join(",")}`),t.retry?.afterMs!==void 0?e.push(`fix=retry_after_${t.retry.afterMs}ms`):t.retryable?e.push("fix=retry_with_backoff"):e.push("fix=inspect_input_or_permissions"),t.docUrl&&e.push(`docs=${t.docUrl}`),e.join(" ")}var p=class extends d{},x=class extends d{},v=class extends d{},h=class extends d{},u=class extends d{},$=class extends d{},R=class extends d{},E=class extends d{},_=class extends d{},M=class extends u{},F=class extends u{},H=class extends u{},j=class extends x{},z=class extends x{},K=class extends x{},N=class extends v{},G=class extends v{},W=class extends h{},V=class extends h{},Y=class extends u{},J=class extends u{},X=class extends u{},Q=class extends u{},Z=class extends u{},ee=class extends u{},te=class extends u{},re=class extends u{},ne=class extends u{},se=class extends u{},ie=class extends u{},oe=class extends u{},ae=class extends p{},de=class extends p{},ue=class extends p{},ce=class extends p{},le=class extends v{},pe=class extends v{},ge=class extends _{},ye=class extends d{},me=class extends d{},I=class extends d{},T=class extends d{},st=class extends d{},$e=class extends d{},it=class extends d{},ot=class extends d{},Me=class extends d{},fe=class extends x{},at=class extends p{},dt=class extends h{},ut=class extends E{},S=class extends p{},k=class extends p{},he=class extends Me{},ct=class extends E{},c=class extends d{description;uri;constructor(e){super({message:e.description??e.code,code:e.code,category:"oauth",httpStatus:e.httpStatus,retryable:e.retryable,requestId:e.requestId}),e.description!==void 0&&(this.description=e.description),e.uri!==void 0&&(this.uri=e.uri);}},be=class extends c{},w=class extends c{},xe=class extends c{},ve=class extends c{},C=class extends c{},lt=class extends w{},pt=class extends C{},Te=class extends c{},Ie=class extends c{},Ae=class extends c{},Re=class extends c{},Ee=class extends c{},_e=class extends c{},Se=class extends c{},ke=class extends c{},we=class extends c{};var Et={slug_taken:M,already_member:F,already_deleted:H,already_revoked:Y,already_settled:J,already_active:X,already_inactive:Q,already_accessed:Z,not_deleted:ee,last_admin:te,pending_exists:re,invalid_state_transition:ne,schema_name_taken:se,domain_taken:ie,duplicate:oe,token_missing:j,token_expired:z,token_invalid:K,pool_stale:fe,not_admin:N,forbidden:G,not_member:le,not_allowed:pe,permanently_deleted:W,invitation_expired:V,invalid_value:ae,required:de,empty:ue,bad_request:ce,app_unavailable:ge},_t={validation:p,unauthenticated:x,permission_denied:v,not_found:h,conflict:u,precondition_failed:$,rate_limited:R,internal:E,unavailable:_},St={invalid_grant:be,access_denied:w,authorization_pending:xe,slow_down:ve,expired_token:C,invalid_target:Te,invalid_client:Ie,invalid_request:Ae,invalid_scope:Re,invalid_token:Ee,unauthorized_client:_e,unsupported_grant_type:Se,server_error:ke,temporarily_unavailable:we},kt={authorization_pending:true,slow_down:true,access_denied:false,invalid_grant:false,expired_token:false,server_error:true,temporarily_unavailable:true};function Gt(t){if(typeof t!="object"||t===null)return  false;let e=t.error;if(typeof e!="object"||e===null)return  false;let r=e;return typeof r.code=="string"&&typeof r.category=="string"&&typeof r.retryable=="boolean"}function Wt(t){return typeof t!="object"||t===null?false:typeof t.error=="string"}function wt(t){return t.startsWith("/oauth/")||t.startsWith("/auth/")}function gt(t){return wt(t.path)&&Wt(t.body)?Yt(t):Gt(t.body)?Vt(t):new I({message:"Unexpected error response shape",code:"decode_failed",category:"decode",httpStatus:t.status,retryable:false,requestId:t.fallbackRequestId})}function Vt(t){let r=t.body.error,n=r.retry?{afterMs:r.retry.after_ms}:void 0,s={message:r.message,code:r.code,category:r.category,httpStatus:t.status,retryable:r.retryable,requestId:r.request_id||t.fallbackRequestId,resource:r.resource,fields:r.fields,retry:n,docUrl:r.doc_url},a=Et[r.code];if(a)return new a(s);let l=_t[r.category]??d;return new l(s)}function Yt(t){let e=t.body,r=St[e.error]??c,n=kt[e.error]??false;return new r({code:e.error,description:e.error_description,uri:e.error_uri,httpStatus:t.status,retryable:n,requestId:t.fallbackRequestId})}function Jt(t){return t}function Xt(t){return t}function Qt(t){return t}function Zt(t){return t}function er(t){return t}function tr(t){return t}function rr(t){return t}function nr(t){return t}var sr=/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,Ct=/^[a-z][a-z0-9-]{0,62}$/;function Fe(t,e,r){return new p({message:t,code:r,category:"validation",httpStatus:0,retryable:false,requestId:"",fields:[{name:e,code:r}]})}function m(t,e){if(t.trim()==="")throw Fe(`${e} must be non-empty`,e,"empty");if(!sr.test(t))throw Fe(`${e} must be a UUID`,e,"invalid_uuid")}function Ot(t,e){if(t.trim()==="")throw Fe(`${e} must be non-empty`,e,"empty");if(!Ct.test(t))throw Fe(`${e} must match ${Ct.source}`,e,"invalid_slug")}var ir={tenant(t){return m(t,"tenantId"),t},tenantSlug(t){return Ot(t,"tenantSlug"),t},app(t){return m(t,"appId"),t},appSlug(t){return Ot(t,"appSlug"),t},user(t){return m(t,"userId"),t},deployment(t){return m(t,"deploymentId"),t},pat(t){return m(t,"patId"),t},resource(t){return m(t,"resourceId"),t},connector(t){return m(t,"connectorId"),t},subject(t){return m(t,"subjectId"),t},grant(t){return m(t,"grantId"),t},tag(t){return m(t,"tagId"),t},auditEvent(t){return m(t,"auditEventId"),t},table(t){return m(t,"tableId"),t}};var Ce=class{token;tokenType;onRefresh;refreshing=null;constructor(e){this.token=e.token,this.tokenType=e.tokenType,this.onRefresh=e.onRefresh;}currentToken(){return this.token}headersFor(e){return e==="public"?{}:this.tokenType==="pat"?{"X-Api-Key":this.token}:{Authorization:`Bearer ${this.token}`}}async onUnauthorized(){return this.tokenType!=="jwt"||!this.onRefresh?false:this.refreshing?this.refreshing:(this.refreshing=(async()=>{try{let e=await this.onRefresh();return this.token=e,!0}catch{return  false}finally{this.refreshing=null;}})(),this.refreshing)}},Oe=class{headersFor(e){return {}}async onUnauthorized(){return  false}};var He={debug(){},info(){},warn(){},error(){}};function yt(t){if(!t)return 6e4;let e=t.trim();if(e==="")return 6e4;let r=Number(e);if(Number.isFinite(r))return r>=0?Math.floor(r*1e3):6e4;let n=Date.parse(e);return Number.isNaN(n)?6e4:Math.max(0,n-Date.now())}var or=new Set(["authorization","x-api-key","cookie","set-cookie","proxy-authorization"]),ar="***REDACTED***";function qt(t){let e={},r=(n,s)=>{e[n]=or.has(n.toLowerCase())?ar:s;};if(typeof Headers<"u"&&t instanceof Headers)t.forEach((n,s)=>r(s,n));else for(let[n,s]of Object.entries(t))r(n,s);return e}var ft={maxAttempts:3,baseMs:200,capMs:5e3,jitter:Math.random};function dr(t){return t instanceof d?t.retryable:t instanceof TypeError}async function Pt(t,e=ft,r){let n;for(let s=0;s<e.maxAttempts;s++){if(r?.aborted)throw mt("aborted before attempt",r.reason);try{return await t(s)}catch(a){if(n=a,!dr(a)||s===e.maxAttempts-1)throw a;let l=Math.min(e.capMs,e.baseMs*2**s)*e.jitter();await ht(l,r);}}throw n}function ht(t,e){return new Promise((r,n)=>{if(e?.aborted){n(mt("aborted before sleep",e.reason));return}let s=setTimeout(()=>{e?.removeEventListener("abort",a),r();},t),a=()=>{clearTimeout(s),n(mt("aborted during sleep",e?.reason));};e?.addEventListener("abort",a,{once:true});})}function mt(t,e){return new T({message:t,code:"aborted",category:"abort",httpStatus:0,retryable:false,requestId:"",cause:e})}var ur=new Set(["GET","HEAD","OPTIONS"]),je=class{baseUrl;auth;fetch;logger;debug;timeoutMs;idempotencyKey;retryPolicy;rateLimitStrategy;constructor(e){this.baseUrl=e.baseUrl.replace(/\/$/,""),this.auth=e.auth,this.fetch=e.fetch??globalThis.fetch,this.logger=e.logger??He,this.debug=e.debug??false,this.timeoutMs=e.timeoutMs??3e4,this.idempotencyKey={autoGenerate:e.idempotencyKey?.autoGenerate??true,generator:e.idempotencyKey?.generator??ulid},this.retryPolicy=e.retryPolicy??ft,this.rateLimitStrategy=e.rateLimitStrategy??"sleep";}async request(e,r,n){let s=ur.has(e.toUpperCase()),a=this.withStableIdempotencyKey(n);return s||n.idempotent?Pt(()=>this.requestOnce(e,r,a),this.retryPolicy,a.signal):this.requestOnce(e,r,a)}async requestOnce(e,r,n){let s=this.buildUrl(r,n.query),a=ulid(),l=this.buildHeaders(a,n),b=n.body!==void 0?JSON.stringify(n.body):void 0;b!==void 0&&(l["Content-Type"]="application/json");let g=new AbortController,It=()=>g.abort(n.signal?.reason);n.signal?.addEventListener("abort",It,{once:true});let At=n.timeoutMs??this.timeoutMs,Kt=setTimeout(()=>g.abort(new Error("timeout")),At),f;try{this.logRequest(e,s,l,a),f=await this.fetch(s,{method:e,headers:l,body:b,signal:g.signal});}catch(A){throw n.signal?.aborted?new T({message:"Request aborted",code:"aborted",category:"abort",httpStatus:0,retryable:false,requestId:a,cause:A}):g.signal.aborted?new me({message:`Request timed out after ${At}ms`,code:"timeout",category:"timeout",httpStatus:0,retryable:true,requestId:a,cause:A}):new ye({message:"Network error",code:"network",category:"network",httpStatus:0,retryable:true,requestId:a,cause:A})}finally{clearTimeout(Kt),n.signal?.removeEventListener("abort",It);}if(n.rawResponse&&f.ok)return {response:f,requestId:a};if(f.ok)return this.parseSuccess(f,n,a);let nt=await this.safeParseJson(f);if(f.status===401&&n.ring==="admin"&&await this.auth.onUnauthorized())return this.requestOnce(e,r,n);if(f.status===429){let A=yt(f.headers.get("Retry-After")),Nt=new R({message:cr(nt)??"Rate limited",code:lr(nt)??"rate_limited",category:"rate_limited",httpStatus:429,retryable:true,requestId:a,retry:{afterMs:A}});if(this.rateLimitStrategy==="sleep")return await ht(A,n.signal),this.requestOnce(e,r,n);throw Nt}throw gt({path:r,status:f.status,body:nt,fallbackRequestId:a})}async parseSuccess(e,r,n){if(e.status===204||r.parseBody===false)return;let s=await e.text();if(s!=="")try{return JSON.parse(s)}catch(a){throw new I({message:"Backend returned non-JSON success body",code:"decode_failed",category:"decode",httpStatus:e.status,retryable:false,requestId:n,cause:a})}}async safeParseJson(e){try{let r=await e.text();return r===""?void 0:JSON.parse(r)}catch{return}}buildUrl(e,r){let n=e.startsWith("/")?e:`/${e}`,s=this.baseUrl+n;if(!r)return s;let a=new URLSearchParams;for(let[b,g]of Object.entries(r))g!==void 0&&a.set(b,String(g));let l=a.toString();return l?`${s}?${l}`:s}buildHeaders(e,r){let n=this.resolveIdempotencyKey(r);return {"X-Request-Id":e,Accept:"application/json",...r.ring!=="public"?this.auth.headersFor(r.ring):{},...n?{"Idempotency-Key":n}:{},...r.headers??{}}}resolveIdempotencyKey(e){if(e.idempotencyKey!==false){if(typeof e.idempotencyKey=="string"){if(e.idempotencyKey.trim()==="")throw new d({message:"idempotencyKey must be non-empty",code:"invalid_idempotency_key",category:"validation",httpStatus:0,retryable:false,requestId:""});return e.idempotencyKey}if(!(!e.idempotent||!this.idempotencyKey.autoGenerate))return this.idempotencyKey.generator()}}withStableIdempotencyKey(e){return e.idempotencyKey!==void 0||!e.idempotent||!this.idempotencyKey.autoGenerate?e:{...e,idempotencyKey:this.idempotencyKey.generator()}}logRequest(e,r,n,s){this.debug&&this.logger.debug({method:e,url:r,headers:qt(n),requestId:s},"http.request");}};function cr(t){if(typeof t!="object"||t===null)return;let e=t.error;if(typeof e=="object"&&e!==null){let r=e.message;if(typeof r=="string")return r}if(typeof e=="string")return e}function lr(t){if(typeof t!="object"||t===null)return;let e=t.error;if(typeof e=="object"&&e!==null){let r=e.code;if(typeof r=="string")return r}}var Lt=4096,Ut=false;function Bt(t){return `v2:${Buffer.from(JSON.stringify(t),"utf8").toString("base64url")}`}function pr(t){if(t.length>Lt)throw new S({message:`Cursor token exceeds maximum size (${Lt} chars)`,code:"invalid_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/invalid-cursor"});if(t.startsWith("v1:"))throw new k({message:"Legacy v1: cursor token is not compatible with keyset pagination; restart pagination without cursor",code:"legacy_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/legacy-cursor"});if(!t.startsWith("v2:"))throw new k({message:"Cursor token is missing the v2: keyset prefix; restart pagination without cursor",code:"legacy_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/legacy-cursor"});try{let e=JSON.parse(Buffer.from(t.slice(3),"base64url").toString("utf8"));if(!fr(e))throw new Error("invalid cursor shape");return e}catch(e){throw new S({message:"Malformed keyset cursor token",code:"invalid_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",cause:e,docUrl:"https://docs.axhub.dev/errors/validation/invalid-cursor"})}}function gr(t,e){let r=typeof t=="string"?t.split(",").map(n=>{let s=n.trim();return s.startsWith("-")?{field:s.slice(1),dir:"desc"}:s.startsWith("+")?{field:s.slice(1),dir:"asc"}:{field:s,dir:"asc"}}).filter(n=>n.field.length>0):[...t??[]].map(n=>({field:n.field,dir:n.dir??"asc"}));return r.length>0&&!r.some(n=>n.field==="id")&&(e?.warnOnTiebreaker&&!Ut&&(Ut=true,console.warn("AX Hub SDK: orderBy is not unique; appending id ASC as keyset cursor tiebreaker")),r.push({field:"id",dir:"asc"})),r}function yr(t){return JSON.stringify($t(t))}function mr(t,e){if(!t)return null;let r=$t(e?.orderBy,{warnOnTiebreaker:true}),n={};for(let b of r){let g=t[b.field];(g===null||typeof g=="string"||typeof g=="number"||typeof g=="boolean")&&(n[b.field]=g);}let s=t.id,a={values:n,direction:e?.direction??"forward",orderBy:r,orderByFingerprint:JSON.stringify(r)};(typeof s=="string"||typeof s=="number")&&(a.tiebreaker={field:"id",value:s});let l=e?.page;return typeof l=="number"&&Number.isInteger(l)&&l>0&&(a.page=l),e?.contextFingerprint&&(a.contextFingerprint=e.contextFingerprint),Bt(a)}function $t(t,e){let r=gr(t,e);return r.length>0?r:[{field:"id",dir:"asc"}]}function fr(t){return typeof t=="object"&&t!==null&&typeof t.values=="object"&&(t.direction==="forward"||t.direction==="backward")&&Array.isArray(t.orderBy)&&typeof t.orderByFingerprint=="string"}function bt(t){return Buffer.isBuffer(t)?t:Buffer.from(t)}function br(t){let e=t.startsWith("sha256=")?t.slice(7):t;return /^[0-9a-f]{64}$/i.test(e)?Buffer.from(e,"hex"):null}function xr(t,e,r){let n=r?Buffer.concat([Buffer.from(`${r}.`),bt(t)]):bt(t);return `sha256=${createHmac("sha256",e).update(n).digest("hex")}`}function vr(t){if(!t.secret)return {ok:false,reason:"missing_secret"};let e=br(t.signature);if(!e)return {ok:false,reason:"malformed_signature"};let r=Math.floor((t.now?.()??Date.now())/1e3),n=bt(t.rawBody);if(t.timestamp!==void 0){let a=Number(t.timestamp);if(!Number.isFinite(a))return {ok:false,reason:"timestamp_skew"};let l=t.tolerance??300;if(Math.abs(r-a)>l)return {ok:false,reason:"timestamp_skew"};let b=`${t.timestamp}:${t.signature}`;if(t.replayCache?.has(b))return {ok:false,reason:"replay"};n=Buffer.concat([Buffer.from(`${t.timestamp}.`),n]);}let s=createHmac("sha256",t.secret).update(n).digest();return e.byteLength!==s.byteLength?{ok:false,reason:"signature_mismatch"}:timingSafeEqual(e,s)?(t.timestamp!==void 0&&t.replayCache?.add(`${t.timestamp}:${t.signature}`),{ok:true}):{ok:false,reason:"signature_mismatch"}}function o(t,e){return {...t,signal:e?.signal,timeoutMs:e?.timeoutMs,idempotencyKey:e?.idempotencyKey}}function O(t){let e={};return t?.pageSize!==void 0&&(e.limit=t.pageSize),t?.cursor!==void 0&&(e.cursor=t.cursor),e}function q(t,e){return {items:t.items.map(e),nextCursor:t.next_cursor,total:t.total}}function y(t){let e={};for(let[r,n]of Object.entries(t))n!==void 0&&(e[r]=n);return e}function i(t){return encodeURIComponent(t)}function ze(t){return {...t,id:String(t.id),slug:String(t.slug),name:String(t.name),createdAt:t.created_at??t.createdAt,updatedAt:t.updated_at??t.updatedAt}}function Tr(t){return {id:String(t.id),role:String(t.role),...t,userId:t.user_id??t.userId}}function xt(t){return {id:String(t.id),email:String(t.email),role:String(t.role),status:String(t.status),...t}}function Ft(t){return {...t,domain:String(t.domain??t.email_domain),verified:t.verified}}var P=class{constructor(e,r){this.http=e;this.mockStore=r;}http;mockStore;scoped(e){return new Ke(this.http,e)}async create(e,r){if(this.mockStore)return this.mockStore.createTenant(e);let n=await this.http.request("POST","/api/v1/tenants",o({ring:"admin",body:y(e),idempotent:false},r));return ze(n)}async get(e,r){if(this.mockStore)return this.mockStore.getTenant(e);let n=await this.http.request("GET",`/api/v1/tenants/${i(e)}`,o({ring:"admin"},r));return ze(n)}async list(e){if(this.mockStore)return this.mockStore.listTenants();let r=await this.http.request("GET","/api/v1/tenants",o({ring:"admin",query:O(e)},e));return q(r,ze)}async update(e,r,n){if(this.mockStore)return this.mockStore.updateTenant(e,r);let s=await this.http.request("PATCH",`/api/v1/tenants/${i(e)}`,o({ring:"admin",body:y(r),idempotent:false},n));return ze(s)}async delete(e,r){if(this.mockStore)return this.mockStore.deleteTenant(e);await this.http.request("DELETE",`/api/v1/tenants/${i(e)}`,o({ring:"admin",idempotent:true},r));}async signIconUploadURL(e,r,n){let s=await this.http.request("POST",`/api/v1/tenants/${i(e)}/icon/upload-url`,o({ring:"admin",body:{content_type:r.contentType},idempotent:false},n));return {uploadUrl:s.upload_url??s.put_url??"",getUrl:s.get_url??s.public_url??"",expiresAt:s.expires_at}}get members(){return new Ne(this.http)}get invitations(){return new Ge(this.http)}get emailDomains(){return new We(this.http)}},Ke=class{members;invitations;emailDomains;constructor(e,r){this.members=new qe(e,r),this.invitations=new Pe(e,r),this.emailDomains=new De(e,r);}},Ne=class{constructor(e){this.http=e;}http;forTenant(e){return new qe(this.http,e)}},qe=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/members`,o({ring:"admin",query:O(e)},e));return q(r,Tr)}async update(e,r,n){await this.http.request("PATCH",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}`,o({ring:"admin",body:y(r),idempotent:false},n));}async deactivate(e,r){await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}/deactivate`,o({ring:"admin",body:{},idempotent:false},r));}async reactivate(e,r){await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}/reactivate`,o({ring:"admin",body:{},idempotent:false},r));}},Ge=class{constructor(e){this.http=e;}http;forTenant(e){return new Pe(this.http,e)}},Pe=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/invitations`,o({ring:"admin",query:O(e)},e));return q(r,xt)}async create(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/invitations`,o({ring:"admin",body:y(e),idempotent:false},r));return xt(n)}async bulkCreate(e,r){if(e.length>200)throw new p({message:"bulk invitations are capped at 200",code:"too_many_items",category:"validation",httpStatus:0,retryable:false,requestId:"",fields:[{name:"invitations",code:"max_200"}]});let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/invitations/bulk`,o({ring:"admin",body:{items:e},idempotent:false},r));return {accepted:(n.succeeded??[]).map(xt),rejected:(n.failed??[]).map(s=>({email:s.email,reason:s.reason,message:s.message}))}}async delete(e,r){await this.http.request("DELETE",`/api/v1/tenants/${i(this.tenant)}/invitations/${i(e)}`,o({ring:"admin",idempotent:true},r));}},We=class{constructor(e){this.http=e;}http;forTenant(e){return new De(this.http,e)}},De=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){return (await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/email-domains`,o({ring:"admin"},e))).items.map(Ft)}async create(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/email-domains`,o({ring:"admin",body:{email_domain:e.domain},idempotent:false},r));return Ft(n)}async delete(e,r){await this.http.request("DELETE",`/api/v1/tenants/${i(this.tenant)}/email-domains/${i(e)}`,o({ring:"admin",idempotent:true},r));}};var D=class{constructor(e){this.http=e;}http;scoped(e){return new Ve(this.http,e)}},Ve=class{tags;subjects;grants;constructor(e,r){let n=`/api/v1/tenants/${i(r)}`;this.tags=new Ye(e,`${n}/tags`),this.subjects=new Je(e,`${n}/subjects`),this.grants=new Xe(e,`${n}/grants`);}},Ye=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}create(e,r){return this.http.request("POST",this.base,o({ring:"admin",body:y(e),idempotent:false},r))}update(e,r,n){return this.http.request("PATCH",`${this.base}/${i(e)}`,o({ring:"admin",body:y(r),idempotent:false},n))}delete(e,r){return this.http.request("DELETE",`${this.base}/${i(e)}`,o({ring:"admin",idempotent:true},r))}},Je=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}create(e,r){return this.http.request("POST",this.base,o({ring:"admin",body:y(e),idempotent:false},r))}update(e,r,n){return this.http.request("PATCH",`${this.base}/${i(e)}`,o({ring:"admin",body:y(r),idempotent:false},n))}delete(e,r){return this.http.request("DELETE",`${this.base}/${i(e)}`,o({ring:"admin",idempotent:true},r))}},Xe=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}};function Le(t){return {id:String(t.id),...t,actorId:t.actor_id??t.actorId,prevHash:t.prev_hash??t.prevHash,createdAt:t.created_at??t.createdAt}}function Ir(t){let e={ok:!!t.ok,checked:Number(t.checked??0)};return t.first_bad_seq!==void 0&&t.first_bad_seq!==null&&(e.firstBadSeq=Number(t.first_bad_seq)),t.reason!==void 0&&(e.reason=t.reason),e}var L=class{constructor(e){this.http=e;this.events=new Ze(e),this.server=new et(e);}http;events;server;scoped(e){return new Qe(this.http,e)}integrityCheck(e,r){return this.scoped(e).integrityCheck(r)}anonymize(e,r,n){return this.scoped(e).anonymize(r,n)}},Qe=class{constructor(e,r){this.http=e;this.tenantSlug=r;this.events=new Ue(e,r),this.server=new Be(e,r);}http;tenantSlug;events;server;async integrityCheck(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/integrity-check`,o({ring:"admin"},e));return Ir(r)}async anonymize(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/anonymize`,o({ring:"admin",body:{tenant_id:this.tenantSlug,actor_id:e.actorId??e.subjectId,anonymized_id:e.anonymizedId},idempotent:false},r));return n===void 0?void 0:Le(n)}},Ze=class{constructor(e){this.http=e;}http;forTenant(e){return new Ue(this.http,e)}},Ue=class{constructor(e,r){this.http=e;this.tenantSlug=r;}http;tenantSlug;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events`,o({ring:"admin",query:{...O(e),...e?.type?{type:e.type}:{}}},e));return Array.isArray(r)?{items:r.map(Le),nextCursor:null,total:r.length}:q({items:r.items??[],next_cursor:r.next_cursor??null,total:r.total??r.items?.length??0},Le)}async get(e,r){let n=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/${i(e)}`,o({ring:"admin"},r));return Le(n)}},et=class{constructor(e){this.http=e;}http;forTenant(e){return new Be(this.http,e)}},Be=class{constructor(e,r){this.http=e;this.tenantSlug=r;}http;tenantSlug;async emit(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/server`,o({ring:"admin",body:{type:e.type,actor_id:e.actorId,resource:e.resource,payload:e.payload},idempotent:false},r));return Le(n)}};var U=class{constructor(e){this.http=e;}http;list(e,r){return this.http.request("GET",`/api/v1/tenants/${i(e)}/identity-providers`,o({ring:"admin"},r))}create(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers`,o({ring:"admin",body:r,idempotent:false},n))}enable(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers/${i(r)}/enable`,o({ring:"admin",body:{},idempotent:false},n))}disable(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers/${i(r)}/disable`,o({ring:"admin",body:{},idempotent:false},n))}};var B=class{constructor(e){this.http=e;}http;create(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/categories`,o({ring:"admin",body:y(r),idempotent:false},n))}update(e,r,n,s){return this.http.request("PATCH",`/api/v1/tenants/${i(e)}/categories/${i(r)}`,o({ring:"admin",body:y(n),idempotent:false},s))}delete(e,r,n){return this.http.request("DELETE",`/api/v1/tenants/${i(e)}/categories/${i(r)}`,o({ring:"admin",idempotent:true},n))}};var Ar=new Set(["1","true","yes","on"]);function Rr(t){return t?.trim().toLowerCase()==="production"}function Er(t){return t===void 0?false:Ar.has(t.trim().toLowerCase())}function Ht(){if(Rr(process.env.NODE_ENV)){if(Er(process.env.AX_HUB_ALLOW_MOCK_IN_PROD)){console.warn("[@ax-hub/admin-sdk] WARNING: mock mode active in production (AX_HUB_ALLOW_MOCK_IN_PROD opt-in).");return}throw new he({message:"Mock mode active in production without explicit opt-in",code:"mock_in_production",category:"configuration",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/mock-in-production"})}}function vt(t){return new h({message:`Mock tenant not found: ${t}`,code:"tenant_not_found",category:"not_found",httpStatus:404,retryable:false,requestId:"",resource:`tenants/${t}`})}var tt=class{tenants=new Map;nextId=1;constructor(e){for(let r of e?.tenants??[]){let n=String(r.id);this.tenants.set(n,{...r,id:n});}}createTenant(e){let r=`tenant_${this.nextId++}`,n=new Date().toISOString(),s={id:r,slug:e.slug,name:e.name,...e.plan!==void 0?{plan:e.plan}:{},createdAt:n,updatedAt:n};return this.tenants.set(r,s),{...s}}getTenant(e){let r=this.tenants.get(e);if(!r)throw vt(e);return {...r}}listTenants(){let e=[...this.tenants.values()].map(r=>({...r}));return {items:e,nextCursor:null,total:e.length}}updateTenant(e,r){let n=this.tenants.get(e);if(!n)throw vt(e);let s={...n,...r,id:e,updatedAt:new Date().toISOString()};return this.tenants.set(e,s),{...s}}deleteTenant(e){if(!this.tenants.has(e))throw vt(e);this.tenants.delete(e);}};function jt(t){if(t.mode==="mock")return Ht(),new tt(t.fixtures)}var zt="https://api.axhub.ai";function _r(t){return typeof t=="object"&&t!==null&&"__sharedHttp"in t}var Tt=class{http;logger;mock;r;n;s;i;o;constructor(e){if(_r(e)){this.http=e.__sharedHttp,this.logger=e.logger;return}if(e.token!==void 0&&e.tokenType===void 0)throw new TypeError('AdminClient requires tokenType when token is set ("pat" | "jwt")');let r=e.token!==void 0&&e.tokenType!==void 0?new Ce({token:e.token,tokenType:e.tokenType,onRefresh:e.onRefresh}):new Oe;this.http=new je({baseUrl:e.baseUrl??zt,auth:r,fetch:e.fetch,logger:e.logger,debug:e.debug,timeoutMs:e.timeoutMs,idempotencyKey:e.idempotencyKey,retryPolicy:e.retryPolicy,rateLimitStrategy:e.rateLimitStrategy}),this.logger=e.logger??He,this.mock=jt(e);}get tenants(){return this.r||(this.r=new P(this.http,this.mock)),this.r}get authz(){return this.n||(this.n=new D(this.http)),this.n}get audit(){return this.s||(this.s=new L(this.http)),this.s}get identityProviders(){return this.i||(this.i=new U(this.http)),this.i}get categories(){return this.o||(this.o=new B(this.http)),this.o}tenant(e){return new rt(e,this.http)}},rt=class{constructor(e,r){this.tenant=e;this.http=r;}tenant;http;get tenants(){return new P(this.http).scoped(this.tenant)}get authz(){return new D(this.http).scoped(this.tenant)}get audit(){return new L(this.http).scoped(this.tenant)}get identityProviders(){return new U(this.http)}get categories(){return new B(this.http)}};
-export{T as AbortError,w as AccessDeniedError,Tt as AdminClient,Z as AlreadyAccessedError,X as AlreadyActiveError,H as AlreadyDeletedError,Q as AlreadyInactiveError,F as AlreadyMemberError,Y as AlreadyRevokedError,J as AlreadySettledError,ge as AppUnavailableError,L as AuditClient,Ze as AuditEventsClient,Ue as AuditEventsForTenantClient,et as AuditServerClient,Be as AuditServerForTenantClient,xe as AuthorizationPendingError,D as AuthzClient,Xe as AuthzGrantsClient,Je as AuthzSubjectsClient,Ye as AuthzTagsClient,d as AxHubError,ce as BadRequestError,B as CategoriesAdminClient,Me as ConfigurationError,u as ConflictError,zt as DEFAULT_BASE_URL,I as DecodeError,lt as DeviceFlowDeniedError,pt as DeviceFlowTimeoutError,ie as DomainTakenError,oe as DuplicateError,ue as EmptyError,C as ExpiredTokenError,G as ForbiddenError,U as IdentityProviderClient,E as InternalServerError,ut as IntrospectFailedError,Ie as InvalidClientError,S as InvalidCursorError,be as InvalidGrantError,st as InvalidPathError,Ae as InvalidRequestError,Re as InvalidScopeError,ne as InvalidStateTransitionError,Te as InvalidTargetError,Ee as InvalidTokenError,ae as InvalidValueError,V as InvitationExpiredError,te as LastAdminError,k as LegacyCursorError,he as MockInProductionError,ye as NetworkError,Oe as NoAuth,N as NotAdminError,pe as NotAllowedError,ee as NotDeletedError,h as NotFoundError,le as NotMemberError,c as OAuthError,ke as OAuthServerError,re as PendingExistsError,W as PermanentlyDeletedError,v as PermissionDeniedError,fe as PoolStaleError,$ as PreconditionFailedError,R as RateLimitedError,de as RequiredError,ct as ScanLimitExceededError,se as SchemaNameTakenError,ve as SlowDownError,M as SlugTakenError,Ce as StaticTokenAuth,$e as StreamConsumedError,dt as TableNotFoundError,we as TemporarilyUnavailableError,Qe as TenantAuditClient,Ve as TenantAuthzClient,We as TenantEmailDomainsClient,De as TenantEmailDomainsForTenantClient,ot as TenantIdRequiredError,Ge as TenantInvitationsClient,Pe as TenantInvitationsForTenantClient,Ne as TenantMembersClient,qe as TenantMembersForTenantClient,rt as TenantScopedAdminClient,Ke as TenantScopedTenantsAdminClient,it as TenantSlugRequiredError,P as TenantsAdminClient,me as TimeoutError,z as TokenExpiredError,K as TokenInvalidError,j as TokenMissingError,x as UnauthenticatedError,_e as UnauthorizedClientError,_ as UnavailableError,Se as UnsupportedGrantTypeError,p as ValidationError,at as WebhookVerificationError,Jt as asAppId,er as asAppSlug,Xt as asDeploymentId,tr as asPatId,nr as asRequestId,Qt as asTenantId,Zt as asTenantSlug,rr as asUserId,mr as cursorFromRow,pr as decodeCursor,Bt as encodeCursor,Rt as formatErrorMessage,ir as id,yr as orderByFingerprint,yt as parseRetryAfter,xr as signWebhook,vr as verifyWebhook};
+import {ulid}from'ulid';import {createHmac,timingSafeEqual}from'crypto';var d=class extends Error{code;category;httpStatus;retryable;requestId;resource;fields;retry;docUrl;constructor(e){super(e.message,e.cause?{cause:e.cause}:void 0),this.name=this.constructor.name,this.code=e.code,this.category=e.category,this.httpStatus=e.httpStatus,this.retryable=e.retryable,this.requestId=e.requestId,e.resource!==void 0&&(this.resource=e.resource),e.fields!==void 0&&(this.fields=e.fields),e.retry!==void 0&&(this.retry=e.retry),e.docUrl!==void 0&&(this.docUrl=e.docUrl);}toJSON(){return {name:this.name,message:this.message,code:this.code,category:this.category,httpStatus:this.httpStatus,retryable:this.retryable,requestId:this.requestId,resource:this.resource,fields:this.fields,retry:this.retry,docUrl:this.docUrl}}toString(){return _t(this)}};function _t(t){let e=[`${t.name}[${t.code}]`];return t.requestId&&e.push(`req=${t.requestId}`),e.push(`problem=${t.message}`),t.fields?.length&&e.push(`cause=${t.fields.map(r=>`${r.name}:${r.code}`).join(",")}`),t.retry?.afterMs!==void 0?e.push(`fix=retry_after_${t.retry.afterMs}ms`):t.retryable?e.push("fix=retry_with_backoff"):e.push("fix=inspect_input_or_permissions"),t.docUrl&&e.push(`docs=${t.docUrl}`),e.join(" ")}var l=class extends d{},x=class extends d{},v=class extends d{},h=class extends d{},u=class extends d{},$=class extends d{},A=class extends d{},R=class extends d{},E=class extends d{},M=class extends u{},F=class extends u{},H=class extends u{},j=class extends x{},z=class extends x{},K=class extends x{},N=class extends v{},G=class extends v{},W=class extends h{},V=class extends h{},Me=class extends h{},Y=class extends u{},J=class extends u{},X=class extends u{},Q=class extends u{},Z=class extends u{},ee=class extends u{},te=class extends u{},re=class extends u{},ne=class extends u{},se=class extends u{},ie=class extends u{},oe=class extends u{},ae=class extends l{},Fe=class extends l{},de=class extends l{},ue=class extends l{},ce=class extends l{},le=class extends v{},pe=class extends v{},ge=class extends E{},ye=class extends d{},me=class extends d{},_=class extends d{},T=class extends d{},at=class extends d{},He=class extends d{},dt=class extends d{},ut=class extends d{},je=class extends d{},fe=class extends x{},ct=class extends l{},lt=class extends h{},pt=class extends R{},S=class extends l{},k=class extends l{},he=class extends je{},gt=class extends R{},c=class extends d{description;uri;constructor(e){super({message:e.description??e.code,code:e.code,category:"oauth",httpStatus:e.httpStatus,retryable:e.retryable,requestId:e.requestId}),e.description!==void 0&&(this.description=e.description),e.uri!==void 0&&(this.uri=e.uri);}},be=class extends c{},w=class extends c{},xe=class extends c{},ve=class extends c{},C=class extends c{},yt=class extends w{},mt=class extends C{},Te=class extends c{},Ie=class extends c{},Ae=class extends c{},Re=class extends c{},Ee=class extends c{},_e=class extends c{},Se=class extends c{},ke=class extends c{},we=class extends c{};var St={slug_taken:M,already_member:F,already_deleted:H,already_revoked:Y,already_settled:J,already_active:X,already_inactive:Q,already_accessed:Z,not_deleted:ee,last_admin:te,pending_exists:re,invalid_state_transition:ne,schema_name_taken:se,domain_taken:ie,duplicate:oe,token_missing:j,token_expired:z,token_invalid:K,pool_stale:fe,not_admin:N,forbidden:G,not_member:le,not_allowed:pe,permanently_deleted:W,invitation_expired:V,link_invalid:Me,invalid_value:ae,invalid_expiry:Fe,required:de,empty:ue,bad_request:ce,app_unavailable:ge},kt={validation:l,unauthenticated:x,permission_denied:v,not_found:h,conflict:u,precondition_failed:$,rate_limited:A,internal:R,unavailable:E},wt={invalid_grant:be,access_denied:w,authorization_pending:xe,slow_down:ve,expired_token:C,invalid_target:Te,invalid_client:Ie,invalid_request:Ae,invalid_scope:Re,invalid_token:Ee,unauthorized_client:_e,unsupported_grant_type:Se,server_error:ke,temporarily_unavailable:we},Ct={authorization_pending:true,slow_down:true,access_denied:false,invalid_grant:false,expired_token:false,server_error:true,temporarily_unavailable:true};function Vt(t){if(typeof t!="object"||t===null)return  false;let e=t.error;if(typeof e!="object"||e===null)return  false;let r=e;return typeof r.code=="string"&&typeof r.category=="string"&&typeof r.retryable=="boolean"}function Yt(t){return typeof t!="object"||t===null?false:typeof t.error=="string"}function Ot(t){return t.startsWith("/oauth/")||t.startsWith("/auth/")}function ft(t){return Ot(t.path)&&Yt(t.body)?Xt(t):Vt(t.body)?Jt(t):new _({message:"Unexpected error response shape",code:"decode_failed",category:"decode",httpStatus:t.status,retryable:false,requestId:t.fallbackRequestId})}function Jt(t){let r=t.body.error,n=r.retry?{afterMs:r.retry.after_ms}:void 0,s={message:r.message,code:r.code,category:r.category,httpStatus:t.status,retryable:r.retryable,requestId:r.request_id||t.fallbackRequestId,resource:r.resource,fields:r.fields,retry:n,docUrl:r.doc_url},a=St[r.code];if(a)return new a(s);let p=kt[r.category]??d;return new p(s)}function Xt(t){let e=t.body,r=wt[e.error]??c,n=Ct[e.error]??false;return new r({code:e.error,description:e.error_description,uri:e.error_uri,httpStatus:t.status,retryable:n,requestId:t.fallbackRequestId})}function Qt(t){return t}function Zt(t){return t}function er(t){return t}function tr(t){return t}function rr(t){return t}function nr(t){return t}function sr(t){return t}function ir(t){return t}var or=/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,qt=/^[a-z][a-z0-9-]{0,62}$/;function ze(t,e,r){return new l({message:t,code:r,category:"validation",httpStatus:0,retryable:false,requestId:"",fields:[{name:e,code:r}]})}function f(t,e){if(t.trim()==="")throw ze(`${e} must be non-empty`,e,"empty");if(!or.test(t))throw ze(`${e} must be a UUID`,e,"invalid_uuid")}function Pt(t,e){if(t.trim()==="")throw ze(`${e} must be non-empty`,e,"empty");if(!qt.test(t))throw ze(`${e} must match ${qt.source}`,e,"invalid_slug")}var ar={tenant(t){return f(t,"tenantId"),t},tenantSlug(t){return Pt(t,"tenantSlug"),t},app(t){return f(t,"appId"),t},appSlug(t){return Pt(t,"appSlug"),t},user(t){return f(t,"userId"),t},deployment(t){return f(t,"deploymentId"),t},pat(t){return f(t,"patId"),t},resource(t){return f(t,"resourceId"),t},connector(t){return f(t,"connectorId"),t},subject(t){return f(t,"subjectId"),t},grant(t){return f(t,"grantId"),t},tag(t){return f(t,"tagId"),t},auditEvent(t){return f(t,"auditEventId"),t},table(t){return f(t,"tableId"),t}};var Ce=class{token;tokenType;onRefresh;refreshing=null;constructor(e){this.token=e.token,this.tokenType=e.tokenType,this.onRefresh=e.onRefresh;}currentToken(){return this.token}headersFor(e){return e==="public"?{}:this.tokenType==="pat"?{"X-Api-Key":this.token}:{Authorization:`Bearer ${this.token}`}}async onUnauthorized(){return this.tokenType!=="jwt"||!this.onRefresh?false:this.refreshing?this.refreshing:(this.refreshing=(async()=>{try{let e=await this.onRefresh();return this.token=e,!0}catch{return  false}finally{this.refreshing=null;}})(),this.refreshing)}},Oe=class{headersFor(e){return {}}async onUnauthorized(){return  false}};var Ke={debug(){},info(){},warn(){},error(){}};function ht(t){if(!t)return 6e4;let e=t.trim();if(e==="")return 6e4;let r=Number(e);if(Number.isFinite(r))return r>=0?Math.floor(r*1e3):6e4;let n=Date.parse(e);return Number.isNaN(n)?6e4:Math.max(0,n-Date.now())}var dr=new Set(["authorization","x-api-key","cookie","set-cookie","proxy-authorization"]),ur="***REDACTED***";function Dt(t){let e={},r=(n,s)=>{e[n]=dr.has(n.toLowerCase())?ur:s;};if(typeof Headers<"u"&&t instanceof Headers)t.forEach((n,s)=>r(s,n));else for(let[n,s]of Object.entries(t))r(n,s);return e}var xt={maxAttempts:3,baseMs:200,capMs:5e3,jitter:Math.random};function cr(t){return t instanceof d?t.retryable:t instanceof TypeError}async function Lt(t,e=xt,r){let n;for(let s=0;s<e.maxAttempts;s++){if(r?.aborted)throw bt("aborted before attempt",r.reason);try{return await t(s)}catch(a){if(n=a,!cr(a)||s===e.maxAttempts-1)throw a;let p=Math.min(e.capMs,e.baseMs*2**s)*e.jitter();await vt(p,r);}}throw n}function vt(t,e){return new Promise((r,n)=>{if(e?.aborted){n(bt("aborted before sleep",e.reason));return}let s=setTimeout(()=>{e?.removeEventListener("abort",a),r();},t),a=()=>{clearTimeout(s),n(bt("aborted during sleep",e?.reason));};e?.addEventListener("abort",a,{once:true});})}function bt(t,e){return new T({message:t,code:"aborted",category:"abort",httpStatus:0,retryable:false,requestId:"",cause:e})}var lr=new Set(["GET","HEAD","OPTIONS"]),Ne=class{baseUrl;auth;fetch;logger;debug;timeoutMs;idempotencyKey;retryPolicy;rateLimitStrategy;constructor(e){this.baseUrl=e.baseUrl.replace(/\/$/,""),this.auth=e.auth,this.fetch=e.fetch??globalThis.fetch,this.logger=e.logger??Ke,this.debug=e.debug??false,this.timeoutMs=e.timeoutMs??3e4,this.idempotencyKey={autoGenerate:e.idempotencyKey?.autoGenerate??true,generator:e.idempotencyKey?.generator??ulid},this.retryPolicy=e.retryPolicy??xt,this.rateLimitStrategy=e.rateLimitStrategy??"sleep";}async request(e,r,n){let s=lr.has(e.toUpperCase()),a=this.withStableIdempotencyKey(n);return s||n.idempotent?Lt(()=>this.requestOnce(e,r,a),this.retryPolicy,a.signal):this.requestOnce(e,r,a)}async requestOnce(e,r,n){let s=this.buildUrl(r,n.query),a=ulid(),p=this.buildHeaders(a,n);if(n.body!==void 0&&n.form!==void 0)throw new d({message:"body and form are mutually exclusive",code:"invalid_request_body",category:"validation",httpStatus:0,retryable:false,requestId:a});let b=n.form!==void 0?this.formBody(n.form):n.body!==void 0?JSON.stringify(n.body):void 0;b!==void 0&&(p["Content-Type"]=n.form!==void 0?"application/x-www-form-urlencoded":"application/json");let g=new AbortController,$e=()=>g.abort(n.signal?.reason);n.signal?.addEventListener("abort",$e,{once:true});let Et=n.timeoutMs??this.timeoutMs,Gt=setTimeout(()=>g.abort(new Error("timeout")),Et),y;try{this.logRequest(e,s,p,a),y=await this.fetch(s,{method:e,headers:p,body:b,redirect:"manual",signal:g.signal});}catch(I){throw n.signal?.aborted?new T({message:"Request aborted",code:"aborted",category:"abort",httpStatus:0,retryable:false,requestId:a,cause:I}):g.signal.aborted?new me({message:`Request timed out after ${Et}ms`,code:"timeout",category:"timeout",httpStatus:0,retryable:true,requestId:a,cause:I}):new ye({message:"Network error",code:"network",category:"network",httpStatus:0,retryable:true,requestId:a,cause:I})}finally{clearTimeout(Gt),n.signal?.removeEventListener("abort",$e);}if(y.status>=300&&y.status<400)return {status:y.status,location:y.headers.get("Location")??y.headers.get("location")};if(n.rawResponse&&y.ok)return {response:y,requestId:a};if(y.ok)return this.parseSuccess(y,n,a);let ot=await this.safeParseJson(y);if(y.status===401&&n.ring==="admin"&&await this.auth.onUnauthorized())return this.requestOnce(e,r,n);if(y.status===429){let I=ht(y.headers.get("Retry-After")),Wt=new A({message:pr(ot)??"Rate limited",code:gr(ot)??"rate_limited",category:"rate_limited",httpStatus:429,retryable:true,requestId:a,retry:{afterMs:I}});if(this.rateLimitStrategy==="sleep")return await vt(I,n.signal),this.requestOnce(e,r,n);throw Wt}throw ft({path:r,status:y.status,body:ot,fallbackRequestId:a})}async parseSuccess(e,r,n){if(e.status===204||r.parseBody===false)return;let s=await e.text();if(s!=="")try{return JSON.parse(s)}catch{return s}}async safeParseJson(e){try{let r=await e.text();return r===""?void 0:JSON.parse(r)}catch{return}}buildUrl(e,r){let n=e.startsWith("/")?e:`/${e}`,s=this.baseUrl+n;if(!r)return s;let a=new URLSearchParams;for(let[b,g]of Object.entries(r))if(g!==void 0)if(Array.isArray(g))for(let $e of g)a.append(b,String($e));else a.set(b,String(g));let p=a.toString();return p?`${s}?${p}`:s}buildHeaders(e,r){let n=this.resolveIdempotencyKey(r);return {"X-Request-Id":e,Accept:"application/json",...r.ring!=="public"?this.auth.headersFor(r.ring):{},...n?{"Idempotency-Key":n}:{},...r.headers??{}}}resolveIdempotencyKey(e){if(e.idempotencyKey!==false){if(typeof e.idempotencyKey=="string"){if(e.idempotencyKey.trim()==="")throw new d({message:"idempotencyKey must be non-empty",code:"invalid_idempotency_key",category:"validation",httpStatus:0,retryable:false,requestId:""});return e.idempotencyKey}if(!(!e.idempotent||!this.idempotencyKey.autoGenerate))return this.idempotencyKey.generator()}}formBody(e){let r=new URLSearchParams;for(let[n,s]of Object.entries(e))s!==void 0&&r.set(n,String(s));return r.toString()}withStableIdempotencyKey(e){return e.idempotencyKey!==void 0||!e.idempotent||!this.idempotencyKey.autoGenerate?e:{...e,idempotencyKey:this.idempotencyKey.generator()}}logRequest(e,r,n,s){this.debug&&this.logger.debug({method:e,url:r,headers:Dt(n),requestId:s},"http.request");}};function pr(t){if(typeof t!="object"||t===null)return;let e=t.error;if(typeof e=="object"&&e!==null){let r=e.message;if(typeof r=="string")return r}if(typeof e=="string")return e}function gr(t){if(typeof t!="object"||t===null)return;let e=t.error;if(typeof e=="object"&&e!==null){let r=e.code;if(typeof r=="string")return r}}var Bt=4096,$t=false;function Mt(t){return `v2:${Buffer.from(JSON.stringify(t),"utf8").toString("base64url")}`}function yr(t){if(t.length>Bt)throw new S({message:`Cursor token exceeds maximum size (${Bt} chars)`,code:"invalid_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/invalid-cursor"});if(t.startsWith("v1:"))throw new k({message:"Legacy v1: cursor token is not compatible with keyset pagination; restart pagination without cursor",code:"legacy_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/legacy-cursor"});if(!t.startsWith("v2:"))throw new k({message:"Cursor token is missing the v2: keyset prefix; restart pagination without cursor",code:"legacy_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/validation/legacy-cursor"});try{let e=JSON.parse(Buffer.from(t.slice(3),"base64url").toString("utf8"));if(!br(e))throw new Error("invalid cursor shape");return e}catch(e){throw new S({message:"Malformed keyset cursor token",code:"invalid_cursor",category:"validation",httpStatus:0,retryable:false,requestId:"",cause:e,docUrl:"https://docs.axhub.dev/errors/validation/invalid-cursor"})}}function mr(t,e){let r=typeof t=="string"?t.split(",").map(n=>{let s=n.trim();return s.startsWith("-")?{field:s.slice(1),dir:"desc"}:s.startsWith("+")?{field:s.slice(1),dir:"asc"}:{field:s,dir:"asc"}}).filter(n=>n.field.length>0):[...t??[]].map(n=>({field:n.field,dir:n.dir??"asc"}));return r.length>0&&!r.some(n=>n.field==="id")&&(e?.warnOnTiebreaker&&!$t&&($t=true,console.warn("AX Hub SDK: orderBy is not unique; appending id ASC as keyset cursor tiebreaker")),r.push({field:"id",dir:"asc"})),r}function fr(t){return JSON.stringify(Ft(t))}function hr(t,e){if(!t)return null;let r=Ft(e?.orderBy,{warnOnTiebreaker:true}),n={};for(let b of r){let g=t[b.field];(g===null||typeof g=="string"||typeof g=="number"||typeof g=="boolean")&&(n[b.field]=g);}let s=t.id,a={values:n,direction:e?.direction??"forward",orderBy:r,orderByFingerprint:JSON.stringify(r)};(typeof s=="string"||typeof s=="number")&&(a.tiebreaker={field:"id",value:s});let p=e?.page;return typeof p=="number"&&Number.isInteger(p)&&p>0&&(a.page=p),e?.contextFingerprint&&(a.contextFingerprint=e.contextFingerprint),Mt(a)}function Ft(t,e){let r=mr(t,e);return r.length>0?r:[{field:"id",dir:"asc"}]}function br(t){return typeof t=="object"&&t!==null&&typeof t.values=="object"&&(t.direction==="forward"||t.direction==="backward")&&Array.isArray(t.orderBy)&&typeof t.orderByFingerprint=="string"}function Tt(t){return Buffer.isBuffer(t)?t:Buffer.from(t)}function vr(t){let e=t.startsWith("sha256=")?t.slice(7):t;return /^[0-9a-f]{64}$/i.test(e)?Buffer.from(e,"hex"):null}function Tr(t,e,r){let n=r?Buffer.concat([Buffer.from(`${r}.`),Tt(t)]):Tt(t);return `sha256=${createHmac("sha256",e).update(n).digest("hex")}`}function Ir(t){if(!t.secret)return {ok:false,reason:"missing_secret"};let e=vr(t.signature);if(!e)return {ok:false,reason:"malformed_signature"};let r=Math.floor((t.now?.()??Date.now())/1e3),n=Tt(t.rawBody);if(t.timestamp!==void 0){let a=Number(t.timestamp);if(!Number.isFinite(a))return {ok:false,reason:"timestamp_skew"};let p=t.tolerance??300;if(Math.abs(r-a)>p)return {ok:false,reason:"timestamp_skew"};let b=`${t.timestamp}:${t.signature}`;if(t.replayCache?.has(b))return {ok:false,reason:"replay"};n=Buffer.concat([Buffer.from(`${t.timestamp}.`),n]);}let s=createHmac("sha256",t.secret).update(n).digest();return e.byteLength!==s.byteLength?{ok:false,reason:"signature_mismatch"}:timingSafeEqual(e,s)?(t.timestamp!==void 0&&t.replayCache?.add(`${t.timestamp}:${t.signature}`),{ok:true}):{ok:false,reason:"signature_mismatch"}}function o(t,e){return {...t,signal:e?.signal,timeoutMs:e?.timeoutMs,idempotencyKey:e?.idempotencyKey}}function O(t){let e={};return t?.pageSize!==void 0&&(e.limit=t.pageSize),t?.cursor!==void 0&&(e.cursor=t.cursor),e}function q(t,e){return {items:t.items.map(e),nextCursor:t.next_cursor,total:t.total}}function m(t){let e={};for(let[r,n]of Object.entries(t))n!==void 0&&(e[r]=n);return e}function i(t){return encodeURIComponent(t)}function Ge(t){return {...t,id:String(t.id),slug:String(t.slug),name:String(t.name),createdAt:t.created_at??t.createdAt,updatedAt:t.updated_at??t.updatedAt}}function Ar(t){return {id:String(t.id),role:String(t.role),...t,userId:t.user_id??t.userId}}function It(t){return {id:String(t.id),email:String(t.email),role:String(t.role),status:String(t.status),...t}}function jt(t){return {...t,domain:String(t.domain??t.email_domain),verified:t.verified}}var P=class{constructor(e,r){this.http=e;this.mockStore=r;}http;mockStore;scoped(e){return new We(this.http,e)}async create(e,r){if(this.mockStore)return this.mockStore.createTenant(e);let n=await this.http.request("POST","/api/v1/tenants",o({ring:"admin",body:m(e),idempotent:false},r));return Ge(n)}async get(e,r){if(this.mockStore)return this.mockStore.getTenant(e);let n=await this.http.request("GET",`/api/v1/tenants/${i(e)}`,o({ring:"admin"},r));return Ge(n)}async list(e){if(this.mockStore)return this.mockStore.listTenants();let r=await this.http.request("GET","/api/v1/tenants",o({ring:"admin",query:O(e)},e));return q(r,Ge)}async update(e,r,n){if(this.mockStore)return this.mockStore.updateTenant(e,r);let s=await this.http.request("PATCH",`/api/v1/tenants/${i(e)}`,o({ring:"admin",body:m(r),idempotent:false},n));return Ge(s)}async delete(e,r){if(this.mockStore)return this.mockStore.deleteTenant(e);await this.http.request("DELETE",`/api/v1/tenants/${i(e)}`,o({ring:"admin",idempotent:true},r));}async signIconUploadURL(e,r,n){let s=await this.http.request("POST",`/api/v1/tenants/${i(e)}/icon/upload-url`,o({ring:"admin",body:{content_type:r.contentType},idempotent:false},n));return {uploadUrl:s.upload_url??s.put_url??"",getUrl:s.get_url??s.public_url??"",expiresAt:s.expires_at}}get members(){return new Ve(this.http)}get invitations(){return new Ye(this.http)}get emailDomains(){return new Je(this.http)}},We=class{members;invitations;emailDomains;constructor(e,r){this.members=new qe(e,r),this.invitations=new Pe(e,r),this.emailDomains=new De(e,r);}},Ve=class{constructor(e){this.http=e;}http;forTenant(e){return new qe(this.http,e)}},qe=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/members`,o({ring:"admin",query:O(e)},e));return q(r,Ar)}async update(e,r,n){await this.http.request("PATCH",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}`,o({ring:"admin",body:m(r),idempotent:false},n));}async deactivate(e,r){await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}/deactivate`,o({ring:"admin",body:{},idempotent:false},r));}async reactivate(e,r){await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/members/${i(e)}/reactivate`,o({ring:"admin",body:{},idempotent:false},r));}},Ye=class{constructor(e){this.http=e;}http;forTenant(e){return new Pe(this.http,e)}},Pe=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/invitations`,o({ring:"admin",query:O(e)},e));return q(r,It)}async create(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/invitations`,o({ring:"admin",body:m(e),idempotent:false},r));return It(n)}async bulkCreate(e,r){if(e.length>200)throw new l({message:"bulk invitations are capped at 200",code:"too_many_items",category:"validation",httpStatus:0,retryable:false,requestId:"",fields:[{name:"invitations",code:"max_200"}]});let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/invitations/bulk`,o({ring:"admin",body:{items:e},idempotent:false},r));return {accepted:(n.succeeded??[]).map(It),rejected:(n.failed??[]).map(s=>({email:s.email,reason:s.reason,message:s.message}))}}async delete(e,r){await this.http.request("DELETE",`/api/v1/tenants/${i(this.tenant)}/invitations/${i(e)}`,o({ring:"admin",idempotent:true},r));}},Je=class{constructor(e){this.http=e;}http;forTenant(e){return new De(this.http,e)}},De=class{constructor(e,r){this.http=e;this.tenant=r;}http;tenant;async list(e){return (await this.http.request("GET",`/api/v1/tenants/${i(this.tenant)}/email-domains`,o({ring:"admin"},e))).items.map(jt)}async create(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenant)}/email-domains`,o({ring:"admin",body:{email_domain:e.domain},idempotent:false},r));return jt(n)}async delete(e,r){await this.http.request("DELETE",`/api/v1/tenants/${i(this.tenant)}/email-domains/${i(e)}`,o({ring:"admin",idempotent:true},r));}};var D=class{constructor(e){this.http=e;}http;scoped(e){return new Xe(this.http,e)}},Xe=class{tags;subjects;grants;constructor(e,r){let n=`/api/v1/tenants/${i(r)}`;this.tags=new Qe(e,`${n}/tags`),this.subjects=new Ze(e,`${n}/subjects`),this.grants=new et(e,`${n}/grants`);}},Qe=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}create(e,r){return this.http.request("POST",this.base,o({ring:"admin",body:m(e),idempotent:false},r))}update(e,r,n){return this.http.request("PATCH",`${this.base}/${i(e)}`,o({ring:"admin",body:m(r),idempotent:false},n))}delete(e,r){return this.http.request("DELETE",`${this.base}/${i(e)}`,o({ring:"admin",idempotent:true},r))}},Ze=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}create(e,r){return this.http.request("POST",this.base,o({ring:"admin",body:m(e),idempotent:false},r))}update(e,r,n){return this.http.request("PATCH",`${this.base}/${i(e)}`,o({ring:"admin",body:m(r),idempotent:false},n))}delete(e,r){return this.http.request("DELETE",`${this.base}/${i(e)}`,o({ring:"admin",idempotent:true},r))}},et=class{constructor(e,r){this.http=e;this.base=r;}http;base;list(e){return this.http.request("GET",this.base,o({ring:"admin"},e))}};function Le(t){return {id:String(t.id),...t,actorId:t.actor_id??t.actorId,prevHash:t.prev_hash??t.prevHash,createdAt:t.created_at??t.createdAt}}function Rr(t){let e={ok:!!t.ok,checked:Number(t.checked??0)};return t.first_bad_seq!==void 0&&t.first_bad_seq!==null&&(e.firstBadSeq=Number(t.first_bad_seq)),t.reason!==void 0&&(e.reason=t.reason),e}var L=class{constructor(e){this.http=e;this.events=new rt(e),this.server=new nt(e);}http;events;server;scoped(e){return new tt(this.http,e)}integrityCheck(e,r){return this.scoped(e).integrityCheck(r)}anonymize(e,r,n){return this.scoped(e).anonymize(r,n)}},tt=class{constructor(e,r){this.http=e;this.tenantSlug=r;this.events=new Ue(e,r),this.server=new Be(e,r);}http;tenantSlug;events;server;async integrityCheck(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/integrity-check`,o({ring:"admin"},e));return Rr(r)}async anonymize(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/anonymize`,o({ring:"admin",body:{tenant_id:this.tenantSlug,actor_id:e.actorId??e.subjectId,anonymized_id:e.anonymizedId},idempotent:false},r));return n===void 0?void 0:Le(n)}},rt=class{constructor(e){this.http=e;}http;forTenant(e){return new Ue(this.http,e)}},Ue=class{constructor(e,r){this.http=e;this.tenantSlug=r;}http;tenantSlug;async list(e){let r=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events`,o({ring:"admin",query:{...O(e),...e?.type?{type:e.type}:{}}},e));return Array.isArray(r)?{items:r.map(Le),nextCursor:null,total:r.length}:q({items:r.items??[],next_cursor:r.next_cursor??null,total:r.total??r.items?.length??0},Le)}async get(e,r){let n=await this.http.request("GET",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/${i(e)}`,o({ring:"admin"},r));return Le(n)}},nt=class{constructor(e){this.http=e;}http;forTenant(e){return new Be(this.http,e)}},Be=class{constructor(e,r){this.http=e;this.tenantSlug=r;}http;tenantSlug;async emit(e,r){let n=await this.http.request("POST",`/api/v1/tenants/${i(this.tenantSlug)}/audit-events/server`,o({ring:"admin",body:{type:e.type,actor_id:e.actorId,resource:e.resource,payload:e.payload},idempotent:false},r));return Le(n)}};var U=class{constructor(e){this.http=e;}http;list(e,r){return this.http.request("GET",`/api/v1/tenants/${i(e)}/identity-providers`,o({ring:"admin"},r))}create(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers`,o({ring:"admin",body:r,idempotent:false},n))}enable(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers/${i(r)}/enable`,o({ring:"admin",body:{},idempotent:false},n))}disable(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/identity-providers/${i(r)}/disable`,o({ring:"admin",body:{},idempotent:false},n))}};var B=class{constructor(e){this.http=e;}http;create(e,r,n){return this.http.request("POST",`/api/v1/tenants/${i(e)}/categories`,o({ring:"admin",body:m(r),idempotent:false},n))}update(e,r,n,s){return this.http.request("PATCH",`/api/v1/tenants/${i(e)}/categories/${i(r)}`,o({ring:"admin",body:m(n),idempotent:false},s))}delete(e,r,n){return this.http.request("DELETE",`/api/v1/tenants/${i(e)}/categories/${i(r)}`,o({ring:"admin",idempotent:true},n))}};var Er=new Set(["1","true","yes","on"]);function _r(t){return t?.trim().toLowerCase()==="production"}function Sr(t){return t===void 0?false:Er.has(t.trim().toLowerCase())}function zt(){if(_r(process.env.NODE_ENV)){if(Sr(process.env.AX_HUB_ALLOW_MOCK_IN_PROD)){console.warn("[@ax-hub/admin-sdk] WARNING: mock mode active in production (AX_HUB_ALLOW_MOCK_IN_PROD opt-in).");return}throw new he({message:"Mock mode active in production without explicit opt-in",code:"mock_in_production",category:"configuration",httpStatus:0,retryable:false,requestId:"",docUrl:"https://docs.axhub.dev/errors/mock-in-production"})}}function At(t){return new h({message:`Mock tenant not found: ${t}`,code:"tenant_not_found",category:"not_found",httpStatus:404,retryable:false,requestId:"",resource:`tenants/${t}`})}var st=class{tenants=new Map;nextId=1;constructor(e){for(let r of e?.tenants??[]){let n=String(r.id);this.tenants.set(n,{...r,id:n});}}createTenant(e){let r=`tenant_${this.nextId++}`,n=new Date().toISOString(),s={id:r,slug:e.slug,name:e.name,...e.plan!==void 0?{plan:e.plan}:{},createdAt:n,updatedAt:n};return this.tenants.set(r,s),{...s}}getTenant(e){let r=this.tenants.get(e);if(!r)throw At(e);return {...r}}listTenants(){let e=[...this.tenants.values()].map(r=>({...r}));return {items:e,nextCursor:null,total:e.length}}updateTenant(e,r){let n=this.tenants.get(e);if(!n)throw At(e);let s={...n,...r,id:e,updatedAt:new Date().toISOString()};return this.tenants.set(e,s),{...s}}deleteTenant(e){if(!this.tenants.has(e))throw At(e);this.tenants.delete(e);}};function Kt(t){if(t.mode==="mock")return zt(),new st(t.fixtures)}var Nt="https://api.axhub.ai";function kr(t){return typeof t=="object"&&t!==null&&"__sharedHttp"in t}var Rt=class{http;logger;mock;r;n;s;i;o;constructor(e){if(kr(e)){this.http=e.__sharedHttp,this.logger=e.logger;return}if(e.token!==void 0&&e.tokenType===void 0)throw new TypeError('AdminClient requires tokenType when token is set ("pat" | "jwt")');let r=e.token!==void 0&&e.tokenType!==void 0?new Ce({token:e.token,tokenType:e.tokenType,onRefresh:e.onRefresh}):new Oe;this.http=new Ne({baseUrl:e.baseUrl??Nt,auth:r,fetch:e.fetch,logger:e.logger,debug:e.debug,timeoutMs:e.timeoutMs,idempotencyKey:e.idempotencyKey,retryPolicy:e.retryPolicy,rateLimitStrategy:e.rateLimitStrategy}),this.logger=e.logger??Ke,this.mock=Kt(e);}get tenants(){return this.r||(this.r=new P(this.http,this.mock)),this.r}get authz(){return this.n||(this.n=new D(this.http)),this.n}get audit(){return this.s||(this.s=new L(this.http)),this.s}get identityProviders(){return this.i||(this.i=new U(this.http)),this.i}get categories(){return this.o||(this.o=new B(this.http)),this.o}tenant(e){return new it(e,this.http)}},it=class{constructor(e,r){this.tenant=e;this.http=r;}tenant;http;get tenants(){return new P(this.http).scoped(this.tenant)}get authz(){return new D(this.http).scoped(this.tenant)}get audit(){return new L(this.http).scoped(this.tenant)}get identityProviders(){return new U(this.http)}get categories(){return new B(this.http)}};
+export{T as AbortError,w as AccessDeniedError,Rt as AdminClient,Z as AlreadyAccessedError,X as AlreadyActiveError,H as AlreadyDeletedError,Q as AlreadyInactiveError,F as AlreadyMemberError,Y as AlreadyRevokedError,J as AlreadySettledError,ge as AppUnavailableError,L as AuditClient,rt as AuditEventsClient,Ue as AuditEventsForTenantClient,nt as AuditServerClient,Be as AuditServerForTenantClient,xe as AuthorizationPendingError,D as AuthzClient,et as AuthzGrantsClient,Ze as AuthzSubjectsClient,Qe as AuthzTagsClient,d as AxHubError,ce as BadRequestError,B as CategoriesAdminClient,je as ConfigurationError,u as ConflictError,Nt as DEFAULT_BASE_URL,_ as DecodeError,yt as DeviceFlowDeniedError,mt as DeviceFlowTimeoutError,ie as DomainTakenError,oe as DuplicateError,ue as EmptyError,C as ExpiredTokenError,G as ForbiddenError,U as IdentityProviderClient,R as InternalServerError,pt as IntrospectFailedError,Ie as InvalidClientError,S as InvalidCursorError,be as InvalidGrantError,at as InvalidPathError,Ae as InvalidRequestError,Re as InvalidScopeError,ne as InvalidStateTransitionError,Te as InvalidTargetError,Ee as InvalidTokenError,ae as InvalidValueError,V as InvitationExpiredError,te as LastAdminError,k as LegacyCursorError,he as MockInProductionError,ye as NetworkError,Oe as NoAuth,N as NotAdminError,pe as NotAllowedError,ee as NotDeletedError,h as NotFoundError,le as NotMemberError,c as OAuthError,ke as OAuthServerError,re as PendingExistsError,W as PermanentlyDeletedError,v as PermissionDeniedError,fe as PoolStaleError,$ as PreconditionFailedError,A as RateLimitedError,de as RequiredError,gt as ScanLimitExceededError,se as SchemaNameTakenError,ve as SlowDownError,M as SlugTakenError,Ce as StaticTokenAuth,He as StreamConsumedError,lt as TableNotFoundError,we as TemporarilyUnavailableError,tt as TenantAuditClient,Xe as TenantAuthzClient,Je as TenantEmailDomainsClient,De as TenantEmailDomainsForTenantClient,ut as TenantIdRequiredError,Ye as TenantInvitationsClient,Pe as TenantInvitationsForTenantClient,Ve as TenantMembersClient,qe as TenantMembersForTenantClient,it as TenantScopedAdminClient,We as TenantScopedTenantsAdminClient,dt as TenantSlugRequiredError,P as TenantsAdminClient,me as TimeoutError,z as TokenExpiredError,K as TokenInvalidError,j as TokenMissingError,x as UnauthenticatedError,_e as UnauthorizedClientError,E as UnavailableError,Se as UnsupportedGrantTypeError,l as ValidationError,ct as WebhookVerificationError,Qt as asAppId,rr as asAppSlug,Zt as asDeploymentId,nr as asPatId,ir as asRequestId,er as asTenantId,tr as asTenantSlug,sr as asUserId,hr as cursorFromRow,yr as decodeCursor,Mt as encodeCursor,_t as formatErrorMessage,ar as id,fr as orderByFingerprint,ht as parseRetryAfter,Tr as signWebhook,Ir as verifyWebhook};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ax-hub/admin-sdk",
-  "version": "1.0.2",
+  "version": "2.1.0",
   "description": "Governance SDK for AX Hub (platform/tenant admin surface). Shares @ax-hub/core with @ax-hub/sdk.",
   "keywords": [
     "ax-hub",