@ax-hub/sdk 0.0.1

package/dist/index.d.ts

@@ -0,0 +1,2193 @@
+interface FieldError {
+    name: string;
+    code: string;
+    message?: string;
+}
+interface RetryInfo {
+    afterMs: number;
+}
+interface AxHubErrorInit {
+    message: string;
+    code: string;
+    category: string;
+    httpStatus: number;
+    retryable: boolean;
+    requestId: string;
+    resource?: string;
+    fields?: FieldError[];
+    retry?: RetryInfo;
+    docUrl?: string;
+    cause?: unknown;
+}
+declare class AxHubError extends Error {
+    readonly code: string;
+    readonly category: string;
+    readonly httpStatus: number;
+    readonly retryable: boolean;
+    readonly requestId: string;
+    readonly resource?: string;
+    readonly fields?: FieldError[];
+    readonly retry?: RetryInfo;
+    readonly docUrl?: string;
+    constructor(init: AxHubErrorInit);
+    toJSON(): Record<string, unknown>;
+    toString(): string;
+}
+declare function formatErrorMessage(err: AxHubError): string;
+declare class ValidationError extends AxHubError {
+}
+declare class UnauthenticatedError extends AxHubError {
+}
+declare class PermissionDeniedError extends AxHubError {
+}
+declare class NotFoundError extends AxHubError {
+}
+declare class ConflictError extends AxHubError {
+}
+declare class PreconditionFailedError extends AxHubError {
+}
+declare class RateLimitedError extends AxHubError {
+}
+declare class InternalServerError extends AxHubError {
+}
+declare class UnavailableError extends AxHubError {
+}
+declare class SlugTakenError extends ConflictError {
+}
+declare class AlreadyMemberError extends ConflictError {
+}
+declare class AlreadyDeletedError extends ConflictError {
+}
+declare class TokenMissingError extends UnauthenticatedError {
+}
+declare class TokenExpiredError extends UnauthenticatedError {
+}
+declare class TokenInvalidError extends UnauthenticatedError {
+}
+declare class NotAdminError extends PermissionDeniedError {
+}
+declare class ForbiddenError extends PermissionDeniedError {
+}
+declare class PermanentlyDeletedError extends NotFoundError {
+}
+declare class InvitationExpiredError extends NotFoundError {
+}
+declare class AlreadyRevokedError extends ConflictError {
+}
+declare class AlreadySettledError extends ConflictError {
+}
+declare class AlreadyActiveError extends ConflictError {
+}
+declare class AlreadyInactiveError extends ConflictError {
+}
+declare class AlreadyAccessedError extends ConflictError {
+}
+declare class NotDeletedError extends ConflictError {
+}
+declare class LastAdminError extends ConflictError {
+}
+declare class PendingExistsError extends ConflictError {
+}
+declare class InvalidStateTransitionError extends ConflictError {
+}
+declare class SchemaNameTakenError extends ConflictError {
+}
+declare class DomainTakenError extends ConflictError {
+}
+declare class DuplicateError extends ConflictError {
+}
+declare class InvalidValueError extends ValidationError {
+}
+declare class RequiredError extends ValidationError {
+}
+declare class EmptyError extends ValidationError {
+}
+declare class BadRequestError extends ValidationError {
+}
+declare class NotMemberError extends PermissionDeniedError {
+}
+declare class NotAllowedError extends PermissionDeniedError {
+}
+declare class AppUnavailableError extends UnavailableError {
+}
+declare class NetworkError extends AxHubError {
+}
+declare class TimeoutError extends AxHubError {
+}
+declare class DecodeError extends AxHubError {
+}
+declare class AbortError extends AxHubError {
+}
+declare class InvalidPathError extends AxHubError {
+}
+declare class StreamConsumedError extends AxHubError {
+}
+declare class TenantSlugRequiredError extends AxHubError {
+}
+declare class PoolStaleError extends UnauthenticatedError {
+}
+declare class WebhookVerificationError extends ValidationError {
+}
+interface OAuthErrorInit {
+    code: string;
+    description?: string;
+    uri?: string;
+    httpStatus: number;
+    retryable: boolean;
+    requestId: string;
+}
+declare class OAuthError extends AxHubError {
+    readonly description?: string;
+    readonly uri?: string;
+    constructor(init: OAuthErrorInit);
+}
+declare class InvalidGrantError extends OAuthError {
+}
+declare class AccessDeniedError extends OAuthError {
+}
+declare class AuthorizationPendingError extends OAuthError {
+}
+declare class SlowDownError extends OAuthError {
+}
+declare class ExpiredTokenError extends OAuthError {
+}
+declare class DeviceFlowDeniedError extends AccessDeniedError {
+}
+declare class DeviceFlowTimeoutError extends ExpiredTokenError {
+}
+
+declare function isOAuthPath(path: string): boolean;
+interface DispatchContext {
+    path: string;
+    status: number;
+    body: unknown;
+    fallbackRequestId: string;
+}
+declare function dispatch(ctx: DispatchContext): AxHubError;
+
+declare const brand: unique symbol;
+type Branded<T, B extends string> = T & {
+    readonly [brand]: B;
+};
+type AppId = Branded<string, 'AppId'>;
+type AppID = AppId;
+type DeploymentId = Branded<string, 'DeploymentId'>;
+type DeploymentID = DeploymentId;
+type TenantId = Branded<string, 'TenantId'>;
+type TenantID = TenantId;
+type TenantSlug = Branded<string, 'TenantSlug'>;
+type AppSlug = Branded<string, 'AppSlug'>;
+type PatId = Branded<string, 'PatId'>;
+type PATID = PatId;
+type UserId = Branded<string, 'UserId'>;
+type UserID = UserId;
+type RequestId = Branded<string, 'RequestId'>;
+type ResourceID = Branded<string, 'ResourceID'>;
+type ConnectorID = Branded<string, 'ConnectorID'>;
+type SubjectID = Branded<string, 'SubjectID'>;
+type GrantID = Branded<string, 'GrantID'>;
+type TagID = Branded<string, 'TagID'>;
+type AuditEventID = Branded<string, 'AuditEventID'>;
+type TableID = Branded<string, 'TableID'>;
+declare function asAppId(s: string): AppId;
+declare function asDeploymentId(s: string): DeploymentId;
+declare function asTenantId(s: string): TenantId;
+declare function asTenantSlug(s: string): TenantSlug;
+declare function asAppSlug(s: string): AppSlug;
+declare function asPatId(s: string): PatId;
+declare function asUserId(s: string): UserId;
+declare function asRequestId(s: string): RequestId;
+/**
+ * Runtime-validating branded ID factories. SDK methods still accept plain
+ * strings; these factories are for callers who want validation plus
+ * compile-time brand separation in their own code.
+ */
+declare const id: {
+    tenant(value: string): TenantID;
+    tenantSlug(value: string): TenantSlug;
+    app(value: string): AppID;
+    appSlug(value: string): AppSlug;
+    user(value: string): UserID;
+    deployment(value: string): DeploymentID;
+    pat(value: string): PATID;
+    resource(value: string): ResourceID;
+    connector(value: string): ConnectorID;
+    subject(value: string): SubjectID;
+    grant(value: string): GrantID;
+    tag(value: string): TagID;
+    auditEvent(value: string): AuditEventID;
+    table(value: string): TableID;
+};
+
+interface Logger {
+    debug(obj: object, msg?: string): void;
+    info(obj: object, msg?: string): void;
+    warn(obj: object, msg?: string): void;
+    error(obj: object, msg?: string): void;
+}
+
+declare function parseRetryAfter(header: string | null | undefined): number;
+type RateLimitStrategy = 'sleep' | 'throw';
+
+interface RetryPolicy {
+    maxAttempts: number;
+    baseMs: number;
+    capMs: number;
+    jitter: () => number;
+}
+
+type FetchLike = typeof fetch;
+type TokenType = 'pat' | 'jwt';
+type AuthRing = 'admin' | 'data' | 'public';
+interface AuthProvider {
+    headersFor(ring: AuthRing): Record<string, string>;
+    onUnauthorized(): Promise<boolean>;
+}
+interface HttpClientOptions {
+    baseUrl: string;
+    auth: AuthProvider;
+    fetch?: FetchLike;
+    logger?: Logger;
+    debug?: boolean;
+    timeoutMs?: number;
+    idempotencyKey?: {
+        autoGenerate?: boolean;
+        generator?: () => string;
+    };
+    retryPolicy?: RetryPolicy;
+    rateLimitStrategy?: RateLimitStrategy;
+}
+interface RequestInit2 {
+    ring: AuthRing;
+    query?: Record<string, string | number | boolean | undefined>;
+    body?: unknown;
+    parseBody?: boolean;
+    signal?: AbortSignal;
+    idempotent?: boolean;
+    rawResponse?: boolean;
+    headers?: Record<string, string>;
+    timeoutMs?: number;
+    idempotencyKey?: string | false;
+}
+declare class HttpClient {
+    readonly baseUrl: string;
+    readonly auth: AuthProvider;
+    readonly fetch: FetchLike;
+    readonly logger: Logger;
+    readonly debug: boolean;
+    readonly timeoutMs: number;
+    readonly idempotencyKey: Required<NonNullable<HttpClientOptions['idempotencyKey']>>;
+    readonly retryPolicy: RetryPolicy;
+    readonly rateLimitStrategy: RateLimitStrategy;
+    constructor(opts: HttpClientOptions);
+    request<T>(method: string, path: string, init: RequestInit2): Promise<T>;
+    private requestOnce;
+    private parseSuccess;
+    private safeParseJson;
+    private buildUrl;
+    private buildHeaders;
+    private resolveIdempotencyKey;
+    private withStableIdempotencyKey;
+    private logRequest;
+}
+
+interface ParsedFrame {
+    id?: string;
+    event?: string;
+    data: string;
+}
+type StreamItem<T> = {
+    type: 'item';
+    value: T;
+    id: string | undefined;
+} | {
+    type: 'gap';
+    sinceId: string | undefined;
+    missingCount?: number;
+} | {
+    type: 'decode-skip';
+    frame: ParsedFrame;
+    error: AxHubError;
+};
+interface SSEStream<T> extends AsyncIterable<StreamItem<T>> {
+    dispose(): void;
+}
+
+interface PaginatedList<T> {
+    items: T[];
+    nextCursor: string | null;
+    total: number;
+}
+interface ListOptions {
+    pageSize?: number;
+    cursor?: string;
+}
+interface ListAllOptions extends ListOptions {
+    signal?: AbortSignal;
+}
+type ListAllItem<T> = {
+    type: 'item';
+    value: T;
+} | {
+    type: 'drift';
+    addedSince: number;
+};
+
+interface RequestOptions {
+    signal?: AbortSignal;
+    timeoutMs?: number;
+    idempotencyKey?: string | false;
+}
+interface PageRequestOptions extends ListOptions, RequestOptions {
+}
+
+interface GatewayEngine {
+    name: 'postgres' | 'mysql' | string;
+    capabilities: string[];
+}
+interface GatewayConnector {
+    id: string;
+    engine: string;
+    name: string;
+    [key: string]: unknown;
+}
+interface GatewayResource {
+    id: string;
+    connectorId: string;
+    name: string;
+    [key: string]: unknown;
+}
+interface GatewayQueryInput {
+    resourceId?: string;
+    connectorId?: string;
+    path?: string;
+    sql: string;
+    params?: unknown[];
+    rowLimit?: number;
+}
+interface GatewayQueryResult<Row = Record<string, unknown>> {
+    rows: Row[];
+    rowCount: number;
+    auditEventId?: string;
+}
+declare class GatewayClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    scoped(tenantSlug: string): TenantGatewayClient;
+}
+declare class TenantGatewayClient {
+    readonly engines: GatewayEnginesClient;
+    readonly connectors: GatewayConnectorsClient;
+    readonly resources: GatewayResourcesClient;
+    readonly query: GatewayQueryClient;
+    constructor(http: HttpClient, tenantSlug: string);
+}
+declare class GatewayEnginesClient {
+    private readonly http;
+    private readonly base;
+    constructor(http: HttpClient, base: string);
+    list(opts?: RequestOptions): Promise<GatewayEngine[]>;
+}
+declare class GatewayCrud<T extends {
+    id: string;
+}> {
+    protected readonly http: HttpClient;
+    protected readonly base: string;
+    constructor(http: HttpClient, base: string);
+    list(opts?: PageRequestOptions): Promise<PaginatedList<T>>;
+    get(id: string, opts?: RequestOptions): Promise<T>;
+    create(input: Record<string, unknown>, opts?: RequestOptions): Promise<T>;
+    update(id: string, patch: Record<string, unknown>, opts?: RequestOptions): Promise<T>;
+    delete(id: string, opts?: RequestOptions): Promise<void>;
+}
+declare class GatewayConnectorsClient extends GatewayCrud<GatewayConnector> {
+}
+declare class GatewayResourcesClient extends GatewayCrud<GatewayResource> {
+}
+declare class GatewayQueryClient {
+    private readonly http;
+    private readonly base;
+    constructor(http: HttpClient, base: string);
+    run<Row extends Record<string, unknown> = Record<string, unknown>>(input: GatewayQueryInput, opts?: RequestOptions): Promise<GatewayQueryResult<Row>>;
+    stream<Row extends Record<string, unknown> = Record<string, unknown>>(input: GatewayQueryInput, opts?: RequestOptions): SSEStream<Row>;
+}
+
+interface AuditEvent {
+    id: string;
+    type?: string;
+    actorId?: string;
+    hash?: string;
+    prevHash?: string;
+    createdAt?: string;
+    [key: string]: unknown;
+}
+interface EmitAuditEventInput {
+    type: string;
+    actorId?: string;
+    resource?: string;
+    payload?: unknown;
+}
+interface IntegrityCheckResult {
+    ok: boolean;
+    checked: number;
+    brokenAt?: string;
+}
+interface AnonymizeInput {
+    subjectId?: string;
+    actorId?: string;
+    anonymizedId?: string;
+    reason?: string;
+}
+declare class AuditClient {
+    private readonly http;
+    readonly events: AuditEventsClient;
+    readonly server: AuditServerClient;
+    constructor(http: HttpClient);
+    scoped(tenantSlug: string): TenantAuditClient;
+    integrityCheck(tenantSlug: string, opts?: RequestOptions): Promise<IntegrityCheckResult>;
+    anonymize(tenantSlug: string, input: AnonymizeInput, opts?: RequestOptions): Promise<AuditEvent | void>;
+}
+declare class TenantAuditClient {
+    private readonly http;
+    private readonly tenantSlug;
+    readonly events: AuditEventsForTenantClient;
+    readonly server: AuditServerForTenantClient;
+    constructor(http: HttpClient, tenantSlug: string);
+    integrityCheck(opts?: RequestOptions): Promise<IntegrityCheckResult>;
+    anonymize(input: AnonymizeInput, opts?: RequestOptions): Promise<AuditEvent | void>;
+}
+declare class AuditEventsClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    forTenant(tenantSlug: string): AuditEventsForTenantClient;
+}
+declare class AuditEventsForTenantClient {
+    private readonly http;
+    private readonly tenantSlug;
+    constructor(http: HttpClient, tenantSlug: string);
+    list(opts?: PageRequestOptions & {
+        type?: string;
+    }): Promise<PaginatedList<AuditEvent>>;
+    get(eventId: string, opts?: RequestOptions): Promise<AuditEvent>;
+}
+declare class AuditServerClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    forTenant(tenantSlug: string): AuditServerForTenantClient;
+}
+declare class AuditServerForTenantClient {
+    private readonly http;
+    private readonly tenantSlug;
+    constructor(http: HttpClient, tenantSlug: string);
+    emit(input: EmitAuditEventInput, opts?: RequestOptions): Promise<AuditEvent>;
+}
+
+interface AuthzTag {
+    id: string;
+    name: string;
+    parentId?: string;
+    [key: string]: unknown;
+}
+interface AuthzSubject {
+    id: string;
+    type: string;
+    externalId?: string;
+    [key: string]: unknown;
+}
+interface AuthzGrant {
+    id: string;
+    subjectId: string;
+    resource: string;
+    action: string;
+    effect: 'allow' | 'deny';
+    [key: string]: unknown;
+}
+interface DecideInput {
+    subjectId: string;
+    resource: string;
+    action: string;
+    context?: Record<string, unknown>;
+}
+interface DecideResult {
+    allowed: boolean;
+    reason?: string;
+    matchedGrantId?: string;
+}
+declare class AuthzClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    scoped(tenantSlug: string): TenantAuthzClient;
+}
+declare class TenantAuthzClient {
+    readonly tags: Crud<AuthzTag>;
+    readonly subjects: Crud<AuthzSubject>;
+    readonly grants: Crud<AuthzGrant>;
+    readonly evaluator: AuthzEvaluatorClient;
+    constructor(http: HttpClient, tenantSlug: string);
+}
+declare class Crud<T extends {
+    id: string;
+}> {
+    private readonly http;
+    private readonly base;
+    constructor(http: HttpClient, base: string);
+    list(opts?: PageRequestOptions): Promise<PaginatedList<T>>;
+    get(id: string, opts?: RequestOptions): Promise<T>;
+    create(input: Record<string, unknown>, opts?: RequestOptions): Promise<T>;
+    update(id: string, patch: Record<string, unknown>, opts?: RequestOptions): Promise<T>;
+    delete(id: string, opts?: RequestOptions): Promise<void>;
+}
+declare class AuthzEvaluatorClient {
+    private readonly http;
+    private readonly base;
+    private readonly ttlMs;
+    private readonly cache;
+    constructor(http: HttpClient, base: string, ttlMs?: number);
+    decide(input: DecideInput, opts?: RequestOptions): Promise<DecideResult>;
+    decideMany(inputs: DecideInput[], opts?: RequestOptions): Promise<DecideResult[]>;
+}
+
+interface Tenant {
+    id: string;
+    slug: string;
+    name: string;
+    plan?: string;
+    createdAt?: string;
+    updatedAt?: string;
+    [key: string]: unknown;
+}
+interface CreateTenantInput {
+    slug: string;
+    name: string;
+    plan?: string;
+}
+interface UpdateTenantInput {
+    name?: string;
+    plan?: string;
+}
+interface TenantMember {
+    id: string;
+    userId: string;
+    role: string;
+    status?: string;
+    [key: string]: unknown;
+}
+interface TenantInvitation {
+    id: string;
+    email: string;
+    role: string;
+    status: string;
+    reason?: string;
+    [key: string]: unknown;
+}
+interface InviteTenantMemberInput {
+    email: string;
+    role: string;
+    reason?: string;
+}
+interface BulkInviteResult {
+    accepted: TenantInvitation[];
+    rejected: Array<{
+        email: string;
+        reason: string;
+    }>;
+}
+interface EmailDomain {
+    domain: string;
+    verified?: boolean;
+    [key: string]: unknown;
+}
+interface TenantIconUploadResult {
+    uploadUrl: string;
+    getUrl: string;
+    expiresAt?: string;
+}
+declare class TenantsClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    scoped(tenantIdOrSlug: string): TenantScopedTenantsClient;
+    create(input: CreateTenantInput, opts?: RequestOptions): Promise<Tenant>;
+    list(opts?: PageRequestOptions): Promise<PaginatedList<Tenant>>;
+    get(tenantIdOrSlug: string, opts?: RequestOptions): Promise<Tenant>;
+    update(tenantIdOrSlug: string, patch: UpdateTenantInput, opts?: RequestOptions): Promise<Tenant>;
+    delete(tenantIdOrSlug: string, opts?: RequestOptions): Promise<void>;
+    signIconUploadURL(tenantIdOrSlug: string, input: {
+        contentType: string;
+    }, opts?: RequestOptions): Promise<TenantIconUploadResult>;
+    get members(): TenantMembersClient;
+    get invitations(): TenantInvitationsClient;
+    get emailDomains(): TenantEmailDomainsClient;
+}
+declare class TenantScopedTenantsClient {
+    readonly members: TenantMembersForTenantClient;
+    readonly invitations: TenantInvitationsForTenantClient;
+    readonly emailDomains: TenantEmailDomainsForTenantClient;
+    constructor(http: HttpClient, tenantIdOrSlug: string);
+}
+declare class TenantMembersClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    forTenant(tenantIdOrSlug: string): TenantMembersForTenantClient;
+}
+declare class TenantMembersForTenantClient {
+    private readonly http;
+    private readonly tenant;
+    constructor(http: HttpClient, tenant: string);
+    list(opts?: PageRequestOptions): Promise<PaginatedList<TenantMember>>;
+    update(membershipId: string, patch: {
+        role?: string;
+    }, opts?: RequestOptions): Promise<TenantMember>;
+    deactivate(membershipId: string, opts?: RequestOptions): Promise<TenantMember>;
+    reactivate(membershipId: string, opts?: RequestOptions): Promise<TenantMember>;
+}
+declare class TenantInvitationsClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    forTenant(tenantIdOrSlug: string): TenantInvitationsForTenantClient;
+}
+declare class TenantInvitationsForTenantClient {
+    private readonly http;
+    private readonly tenant;
+    constructor(http: HttpClient, tenant: string);
+    list(opts?: PageRequestOptions): Promise<PaginatedList<TenantInvitation>>;
+    create(input: InviteTenantMemberInput, opts?: RequestOptions): Promise<TenantInvitation>;
+    bulkCreate(inputs: InviteTenantMemberInput[], opts?: RequestOptions): Promise<BulkInviteResult>;
+    delete(invitationId: string, opts?: RequestOptions): Promise<void>;
+}
+declare class TenantEmailDomainsClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    forTenant(tenantIdOrSlug: string): TenantEmailDomainsForTenantClient;
+}
+declare class TenantEmailDomainsForTenantClient {
+    private readonly http;
+    private readonly tenant;
+    constructor(http: HttpClient, tenant: string);
+    list(opts?: RequestOptions): Promise<EmailDomain[]>;
+    create(input: {
+        domain: string;
+    }, opts?: RequestOptions): Promise<EmailDomain>;
+    delete(domain: string, opts?: RequestOptions): Promise<void>;
+}
+
+interface EnvVar {
+    key: string;
+    value: string;
+    createdAt: string;
+    updatedAt: string;
+}
+declare class AppsEnvVarsMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * List all env vars for an app.
+     *
+     * @example happy
+     *   const vars = await sdk.apps.listEnvVars('app_abc')
+     *   for (const v of vars) console.log(v.key, '=', v.value)
+     */
+    listEnvVars(appId: string): Promise<EnvVar[]>;
+    /**
+     * Create or overwrite an env var. Key must match `^[A-Z_][A-Z0-9_]*$` —
+     * validation happens client-side before any network round-trip.
+     *
+     * @example happy
+     *   await sdk.apps.setEnvVar('app_abc', 'DATABASE_URL', 'postgres://...')
+     *
+     * @example failure
+     *   try { await sdk.apps.setEnvVar('app_abc', 'database url', 'x') }
+     *   catch (e) { if (e instanceof ValidationError) /* fix key *\/ }
+     */
+    setEnvVar(appId: string, key: string, value: string): Promise<void>;
+    /**
+     * Fetch a single env var by key.
+     *
+     * @example happy
+     *   const v = await sdk.apps.getEnvVar('app_abc', 'DATABASE_URL')
+     *
+     * @example failure
+     *   try { await sdk.apps.getEnvVar('app_abc', 'NOT_SET') }
+     *   catch (e) { if (e instanceof NotFoundError) /* not set *\/ }
+     */
+    getEnvVar(appId: string, key: string): Promise<EnvVar>;
+    /**
+     * Remove an env var. Idempotent: deleting a missing key returns 404 which
+     * the SDK throws as `NotFoundError`. Callers that want fire-and-forget
+     * delete should ignore that specific class.
+     *
+     * @example happy
+     *   await sdk.apps.deleteEnvVar('app_abc', 'OLD_KEY')
+     */
+    deleteEnvVar(appId: string, key: string): Promise<void>;
+}
+
+interface AppResponse {
+    id: string;
+    tenantId: string;
+    ownerId: string;
+    slug: string;
+    name: string;
+    description?: string;
+    iconUrl?: string;
+    schemaName: string;
+    status: 'active' | 'deleted' | 'permanently_deleted';
+    visibility: 'private' | 'tenant' | 'public';
+    publicationStatus: 'draft' | 'pending_review' | 'approved';
+    likeCount: number;
+    subscriberCount: number;
+    createdAt: string;
+    updatedAt: string;
+    deletedAt: string | null;
+}
+interface CreateAppInput {
+    slug: string;
+    name: string;
+    description?: string;
+    iconUrl?: string;
+    visibility?: 'private' | 'tenant' | 'public';
+}
+interface UpdateAppInput {
+    name?: string;
+    description?: string;
+    iconUrl?: string;
+    visibility?: 'private' | 'tenant' | 'public';
+}
+declare class AppsCrudMixin {
+    private readonly http;
+    private readonly defaultTenantSlug?;
+    private readonly defaultTenantId?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined, defaultTenantId?: string | undefined);
+    private withTenantQuery;
+    /**
+     * Create a new app in the caller's tenant.
+     *
+     * @example happy
+     *   const app = await sdk.apps.create({ slug: 'my-app', name: 'My App' })
+     *
+     * @example failure
+     *   try { await sdk.apps.create({ slug: 'taken', name: 'X' }) }
+     *   catch (e) {
+     *     if (e instanceof SlugTakenError) // pick a different slug
+     *   }
+     */
+    create(input: CreateAppInput): Promise<AppResponse>;
+    /**
+     * List apps in the caller's tenant, paginated.
+     *
+     * @example happy
+     *   const page = await sdk.apps.list({ pageSize: 50 })
+     *   console.log(page.total, page.items.length)
+     *
+     * @example failure
+     *   // permission denied (not a tenant member):
+     *   try { await sdk.apps.list() }
+     *   catch (e) { if (e instanceof PermissionDeniedError) /* request grant *\/ }
+     */
+    list(opts?: ListOptions): Promise<PaginatedList<AppResponse>>;
+    /**
+     * Iterate every app across all pages. Yields each item; emits a
+     * `{type:'drift', addedSince:N}` item if backend's total grows mid-scan.
+     *
+     * @example happy
+     *   for await (const it of sdk.apps.listAll({ pageSize: 100 })) {
+     *     if (it.type === 'item') process(it.value)
+     *     else if (it.type === 'drift') console.warn(`${it.addedSince} added during scan`)
+     *   }
+     */
+    listAll(opts?: ListAllOptions): AsyncGenerator<ListAllItem<AppResponse>>;
+    /**
+     * Fetch a single app by ID.
+     *
+     * @example happy
+     *   const app = await sdk.apps.get('app_abc')
+     *
+     * @example failure
+     *   try { await sdk.apps.get('app_does_not_exist') }
+     *   catch (e) {
+     *     if (e instanceof NotFoundError) /* abort or pick different app *\/
+     *     if (e instanceof PermanentlyDeletedError) /* 410 — irrecoverable *\/
+     *   }
+     */
+    get(appId: string): Promise<AppResponse>;
+    /**
+     * Partial-update an app.
+     *
+     * @example happy
+     *   const app = await sdk.apps.update('app_abc', { name: 'Renamed' })
+     *
+     * @example failure
+     *   try { await sdk.apps.update('app_x', { visibility: 'public' }) }
+     *   catch (e) {
+     *     if (e instanceof ConflictError) /* requires publication approval *\/
+     *     if (e instanceof PermissionDeniedError) /* not owner / admin *\/
+     *   }
+     */
+    update(appId: string, patch: UpdateAppInput): Promise<AppResponse>;
+    /**
+     * Soft-delete an app. Calling delete twice is safe — second call returns
+     * `AlreadyDeletedError` (409). The app row stays in DB for the retention
+     * window and can be hard-purged by platform admin separately.
+     *
+     * @example happy
+     *   await sdk.apps.delete('app_abc')  // first call OK
+     *
+     * @example failure
+     *   try { await sdk.apps.delete('app_abc') }
+     *   catch (e) { if (e instanceof AlreadyDeletedError) /* already deleted *\/ }
+     */
+    delete(appId: string): Promise<void>;
+    /**
+     * Hard-delete (purge) an app. Requires the app to be soft-deleted first —
+     * calling on an active app returns `NotDeletedError` (409). Irreversible:
+     * physical schema + rows are dropped server-side.
+     *
+     * @example happy
+     *   await sdk.apps.delete('app_abc')      // soft-delete first
+     *   await sdk.apps.permanent('app_abc')   // then hard-purge
+     *
+     * @example failure
+     *   try { await sdk.apps.permanent('app_active') }
+     *   catch (e) { if (e instanceof NotDeletedError) /* must soft-delete first *\/ }
+     */
+    permanent(appId: string): Promise<void>;
+    /**
+     * Get a presigned PUT URL for uploading the app icon. The caller must
+     * `PUT` the binary directly to `uploadUrl` with the matching `Content-Type`
+     * header; `getUrl` is the public/CDN URL where the icon will be served after
+     * upload completes.
+     *
+     * Unsupported MIME types are rejected with 400.
+     *
+     * @example happy
+     *   const { uploadUrl, getUrl } = await sdk.apps.signIconUploadURL('app_abc', { contentType: 'image/png' })
+     *   await fetch(uploadUrl, { method: 'PUT', body: imageBlob, headers: { 'Content-Type': 'image/png' } })
+     *   await sdk.apps.update('app_abc', { iconUrl: getUrl })
+     */
+    signIconUploadURL(appId: string, input: SignIconUploadInput): Promise<SignIconUploadResult>;
+    /**
+     * Get a presigned PUT URL for the dark-mode app icon. Same semantics as
+     * `signIconUploadURL` but writes to the `icon_dark_url` field.
+     *
+     * @example happy
+     *   const { uploadUrl } = await sdk.apps.signIconDarkUploadURL('app_abc', { contentType: 'image/svg+xml' })
+     */
+    signIconDarkUploadURL(appId: string, input: SignIconUploadInput): Promise<SignIconUploadResult>;
+    private signIconImpl;
+    /**
+     * List apps the caller has been granted access to (not necessarily owned).
+     * Useful for "apps in my dashboard" type views.
+     *
+     * Backend route is `/api/v1/users/me/apps` — surfaced here under `sdk.apps`
+     * to avoid a `sdk.users.*` namespace just for this one method (eng review #3).
+     *
+     * @example happy
+     *   const mine = await sdk.apps.listMine()
+     *   for (const a of mine) console.log(a.slug, a.publicationStatus)
+     */
+    listMine(): Promise<AppResponse[]>;
+}
+interface SignIconUploadInput {
+    /** MIME type of the asset, e.g. `image/png`. Backend rejects unsupported types. */
+    contentType: string;
+}
+interface SignIconUploadResult {
+    /** Presigned PUT URL the caller uploads the binary to. Expires shortly. */
+    uploadUrl: string;
+    /** Public/CDN URL the icon will be served from once upload completes. */
+    getUrl: string;
+    /** ISO timestamp when the presigned URL expires. */
+    expiresAt?: string;
+}
+
+interface AppAccess {
+    id: string;
+    appId: string;
+    userId: string;
+    grantedAt: string;
+}
+declare class AppsAccessMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Self-grant access to an app. Caller must have authenticated identity and
+     * the app must be reachable (own tenant, or `public` visibility).
+     *
+     * Backend convention: owner always has implicit access — calling this on a
+     * self-owned app returns `AlreadyAccessedError` (409). Second-time grants
+     * also return `AlreadyAccessedError`. Private apps for non-members return
+     * `AccessDeniedError` (403).
+     *
+     * @example happy
+     *   const grant = await sdk.apps.access.grant('app_abc')
+     *   console.log(grant.grantedAt)
+     *
+     * @example failure
+     *   try { await sdk.apps.access.grant('app_abc') }
+     *   catch (e) {
+     *     if (e instanceof AlreadyAccessedError) /* already have access *\/
+     *     if (e instanceof AccessDeniedError) /* private app, no membership *\/
+     *   }
+     */
+    grant(appId: string): Promise<AppAccess>;
+    /**
+     * Revoke own access to an app. Backend route is `DELETE /apps/{id}/access/me`
+     * (the `/me` suffix mirrors the self-revoke convention).
+     *
+     * Idempotent at the SDK level only insofar as the backend treats a missing
+     * grant as 404 — callers wanting fire-and-forget should ignore `NotFoundError`.
+     *
+     * @example happy
+     *   await sdk.apps.access.revoke('app_abc')
+     *
+     * @example failure
+     *   try { await sdk.apps.access.revoke('app_abc') }
+     *   catch (e) { if (e instanceof NotFoundError) /* no grant to revoke *\/ }
+     */
+    revoke(appId: string): Promise<void>;
+    /**
+     * Fetch caller's own access record for the app. Returns `null` if the caller
+     * has no grant (backend returns 404 — SDK normalizes to null for ergonomics).
+     *
+     * @example happy
+     *   const grant = await sdk.apps.access.me('app_abc')
+     *   if (grant) console.log('have access since', grant.grantedAt)
+     *   else console.log('no access')
+     */
+    me(appId: string): Promise<AppAccess | null>;
+}
+
+interface AppCategory {
+    id: string;
+    tenantId?: string;
+    slug: string;
+    name: string;
+    description?: string;
+    [key: string]: unknown;
+}
+interface CreateCategoryInput {
+    slug: string;
+    name: string;
+    description?: string;
+}
+declare class AppsCategoriesMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    list(tenantIdOrSlug: string, opts?: PageRequestOptions): Promise<PaginatedList<AppCategory>>;
+    create(tenantIdOrSlug: string, input: CreateCategoryInput, opts?: RequestOptions): Promise<AppCategory>;
+    get(tenantIdOrSlug: string, categoryId: string, opts?: RequestOptions): Promise<AppCategory>;
+    update(tenantIdOrSlug: string, categoryId: string, patch: Partial<CreateCategoryInput>, opts?: RequestOptions): Promise<AppCategory>;
+    delete(tenantIdOrSlug: string, categoryId: string, opts?: RequestOptions): Promise<void>;
+}
+
+interface Comment {
+    id: string;
+    appId: string;
+    authorId: string;
+    body: string;
+    createdAt: string;
+    updatedAt: string;
+    deletedAt: string | null;
+}
+interface AddCommentInput {
+    body: string;
+}
+declare class AppsCommentsMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Add a comment to an app. Body length is validated client-side (1-500 chars).
+     *
+     * @example happy
+     *   const c = await sdk.apps.comments.add('app_abc', { body: 'looks great!' })
+     *
+     * @example failure
+     *   try { await sdk.apps.comments.add('app_x', { body: '' }) }
+     *   catch (e) { if (e instanceof ValidationError) /* fix body length *\/ }
+     */
+    add(appId: string, input: AddCommentInput): Promise<Comment>;
+    /**
+     * List comments on an app, newest first.
+     *
+     * @example happy
+     *   const page = await sdk.apps.comments.list('app_abc', { pageSize: 50 })
+     */
+    list(appId: string, opts?: ListOptions): Promise<PaginatedList<Comment>>;
+    /**
+     * Iterate every comment across pages. Emits a `{type:'drift'}` event when
+     * the backend's total grows mid-scan (new comment added during iteration).
+     *
+     * @example happy
+     *   for await (const it of sdk.apps.comments.listAll('app_abc', { pageSize: 100 })) {
+     *     if (it.type === 'item') process(it.value)
+     *     else if (it.type === 'drift') console.warn(`${it.addedSince} new comments during scan`)
+     *   }
+     */
+    listAll(appId: string, opts?: ListAllOptions): AsyncGenerator<ListAllItem<Comment>>;
+    /**
+     * Delete a comment by ID. Author can delete own; platform/app admins can
+     * delete any. Backend route is global (`/comments/{id}`) — appId is implicit
+     * from the comment row.
+     *
+     * @example happy
+     *   await sdk.apps.comments.delete('cmt_abc')
+     *
+     * @example failure
+     *   try { await sdk.apps.comments.delete('cmt_other_user') }
+     *   catch (e) {
+     *     if (e instanceof PermissionDeniedError) /* not author / not admin *\/
+     *     if (e instanceof AlreadyDeletedError) /* already deleted *\/
+     *   }
+     */
+    delete(commentId: string): Promise<void>;
+}
+
+interface DiscoverAppsOptions extends PageRequestOptions {
+    q?: string;
+    category?: string;
+    sort?: 'newest' | 'likes' | 'subscribers' | 'name';
+    visibility?: 'private' | 'tenant' | 'public';
+}
+declare class AppsDiscoverMixin {
+    private readonly http;
+    private readonly defaultTenantSlug?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined);
+    search(opts?: DiscoverAppsOptions): Promise<PaginatedList<AppResponse>>;
+}
+
+interface GitConnection {
+    connected: true;
+    id: string;
+    appId: string;
+    repoFullName: string;
+    branch: string;
+    installationId: string;
+    connectedAt: string;
+}
+interface GitConnectionSetup {
+    connected: false;
+    installUrl: string;
+}
+type GitConnectionStatus = GitConnection | GitConnectionSetup;
+interface ConnectGitInput {
+    repoFullName: string;
+    branch: string;
+    installationId: string;
+}
+interface UpdateGitConnectionInput {
+    branch: string;
+}
+interface GithubInstallStart {
+    redirectUrl: string;
+}
+interface InstallStartInput {
+    redirectUri?: string;
+}
+declare class AppsGitMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Fetch the current GitHub repository connection for an app.
+     */
+    get(appId: string): Promise<GitConnectionStatus>;
+    /**
+     * Connect a GitHub repository to an app. Requires a prior GitHub App
+     * installation (see `installStart`). The `repoFullName` follows GitHub's
+     * `owner/repo` convention; `branch` must exist on the remote.
+     *
+     * @example happy
+     *   const conn = await sdk.apps.git.connect('app_abc', {
+     *     repoFullName: 'my-org/my-repo',
+     *     branch: 'main',
+     *     installationId: '12345',
+     *   })
+     *
+     * @example failure
+     *   try { await sdk.apps.git.connect('app_x', { repoFullName: 'invalid', branch: '', installationId: '' }) }
+     *   catch (e) { if (e instanceof ValidationError) /* fix repo / branch *\/ }
+     */
+    connect(appId: string, input: ConnectGitInput): Promise<GitConnection>;
+    /**
+     * Update the auto-deploy branch for an existing GitHub connection.
+     */
+    update(appId: string, input: UpdateGitConnectionInput): Promise<GitConnection>;
+    /**
+     * Disconnect the app's GitHub repository link.
+     */
+    disconnect(appId: string): Promise<void>;
+    /**
+     * Start the GitHub App installation OAuth flow. Returns a redirect URL the
+     * caller (typically a CLI / web flow) must open in a browser. After the user
+     * approves, GitHub posts back to AX Hub with the installation ID, which can
+     * then be used in `connect`.
+     *
+     * @example happy
+     *   const { redirectUrl } = await sdk.apps.git.installStart('app_abc', {
+     *     redirectUri: 'http://localhost:3000/gh/callback',
+     *   })
+     *   open(redirectUrl)
+     */
+    installStart(appId: string, input?: InstallStartInput): Promise<GithubInstallStart>;
+}
+
+interface LikeResult {
+    inserted: boolean;
+}
+interface UnlikeResult {
+    deleted: boolean;
+}
+interface LikeStatus {
+    liked: boolean;
+}
+declare class AppsLikesMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Like an app. Idempotent — second call returns `{ inserted: false }`. The
+     * app's denormalized `likeCount` is updated server-side only when
+     * `inserted = true`.
+     *
+     * @example happy
+     *   const { inserted } = await sdk.apps.likes.like('app_abc')
+     *   if (inserted) console.log('first time like')
+     */
+    like(appId: string): Promise<LikeResult>;
+    /**
+     * Unlike an app. Idempotent — second call returns `{ deleted: false }`.
+     *
+     * @example happy
+     *   const { deleted } = await sdk.apps.likes.unlike('app_abc')
+     */
+    unlike(appId: string): Promise<UnlikeResult>;
+    /**
+     * Check if caller has liked the app.
+     *
+     * @example happy
+     *   const { liked } = await sdk.apps.likes.me('app_abc')
+     */
+    me(appId: string): Promise<LikeStatus>;
+}
+
+interface OAuthClient {
+    id: string;
+    appId: string;
+    name: string;
+    clientId: string;
+    redirectUris: string[];
+    scopes: string[];
+    createdAt: string;
+}
+/**
+ * Returned ONLY by `create`. The `clientSecret` is the raw secret — backend
+ * stores a hash and never returns it again on subsequent `list`/`get`. PAT
+ * pattern: store this immediately on the agent side; losing it requires
+ * creating a new client.
+ */
+interface OAuthClientWithSecret extends OAuthClient {
+    /** Raw secret. Surfaced exactly once; backend persists only the hash. */
+    clientSecret: string;
+}
+interface CreateOAuthClientInput {
+    name: string;
+    redirectUris: string[];
+    scopes: string[];
+    type?: 'public' | 'confidential';
+    tokenEndpointAuthMethod?: 'client_secret_basic' | 'client_secret_post' | 'none';
+    allowedGrantTypes?: string[];
+}
+declare class AppsOAuthClientsMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Create an OAuth client for an app. The `clientSecret` field in the response
+     * is the **raw secret** — surfaced exactly once. Store it immediately; backend
+     * keeps only a hash. Lose it and the client must be deleted + recreated.
+     *
+     * Empty `scopes` is rejected client-side (400 `empty_scopes` server-side).
+     *
+     * @example happy
+     *   const c = await sdk.apps.oauthClients.create('app_abc', {
+     *     name: 'web-app',
+     *     redirectUris: ['https://myapp.com/cb'],
+     *     scopes: ['read', 'write'],
+     *   })
+     *   storeSecret(c.clientSecret) // ONLY chance to capture it
+     *
+     * @example failure
+     *   try { await sdk.apps.oauthClients.create('app_x', { name: '', redirectUris: [], scopes: [] }) }
+     *   catch (e) { if (e instanceof ValidationError) /* fix inputs *\/ }
+     */
+    create(appId: string, input: CreateOAuthClientInput): Promise<OAuthClientWithSecret>;
+    /**
+     * Delete an OAuth client by ID. Backend route is global (`/oauth-clients/{id}`).
+     * After this, any tokens issued via this client become unusable.
+     *
+     * @example happy
+     *   await sdk.apps.oauthClients.delete('oac_abc')
+     */
+    delete(clientId: string): Promise<void>;
+}
+
+type PublicationRequestStatus = 'pending' | 'approved' | 'rejected';
+interface PublicationRequest {
+    id: string;
+    appId: string;
+    requesterId: string;
+    reason?: string;
+    status: PublicationRequestStatus;
+    reviewerId?: string;
+    reviewerComment?: string;
+    createdAt: string;
+    updatedAt: string;
+    settledAt?: string | null;
+}
+interface SubmitPublicationInput {
+    reason?: string;
+}
+interface UnpublishInput {
+    comment?: string;
+}
+declare class AppsPublicationMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Submit an app for public release review. Owner-only. The app must be in
+     * `draft` or previously-rejected state; second submit while pending returns
+     * `PendingExistsError` (409).
+     *
+     * @example happy
+     *   const pr = await sdk.apps.publication.submit('app_abc', { reason: 'Ready for v1' })
+     *   console.log(pr.status) // 'pending'
+     *
+     * @example failure
+     *   try { await sdk.apps.publication.submit('app_abc') }
+     *   catch (e) { if (e instanceof PendingExistsError) /* already pending review *\/ }
+     */
+    submit(appId: string, input?: SubmitPublicationInput): Promise<PublicationRequest>;
+    /**
+     * List publication-request history for an app, newest first.
+     *
+     * @example happy
+     *   const page = await sdk.apps.publication.list('app_abc', { pageSize: 20 })
+     *   for (const pr of page.items) console.log(pr.status, pr.reviewerComment)
+     */
+    list(appId: string, opts?: ListOptions): Promise<PaginatedList<PublicationRequest>>;
+    /**
+     * Take a published app off the public catalog. Owner / admin only. App must
+     * be in `approved` + `public` state; otherwise `InvalidStateTransitionError`.
+     *
+     * @example happy
+     *   const app = await sdk.apps.publication.unpublish('app_abc', { comment: 'Maintenance' })
+     *   console.log(app.publicationStatus, app.visibility) // 'draft', 'tenant'
+     *
+     * @example failure
+     *   try { await sdk.apps.publication.unpublish('app_x') }
+     *   catch (e) { if (e instanceof InvalidStateTransitionError) /* not currently public *\/ }
+     */
+    unpublish(appId: string, input?: UnpublishInput): Promise<AppResponse>;
+}
+
+type ColumnType = 'text' | 'int' | 'bigint' | 'float' | 'numeric' | 'bool' | 'timestamp' | 'timestamptz' | 'json' | 'jsonb' | 'uuid';
+interface TableColumn {
+    name: string;
+    type: ColumnType;
+    nullable?: boolean;
+    default?: string | number | boolean | null;
+}
+interface AppTable {
+    appId: string;
+    schemaName: string;
+    tableName: string;
+    ownerColumn: string;
+    columns: TableColumn[];
+    createdAt: string;
+    updatedAt: string;
+}
+interface TableIndex {
+    name: string;
+    columns: string[];
+    unique?: boolean;
+}
+interface TableConstraint {
+    name: string;
+    type: string;
+    columns?: string[];
+}
+interface TableSchema extends AppTable {
+    indexes: TableIndex[];
+    constraints: TableConstraint[];
+    rowCount?: number;
+    sizeBytes?: number;
+}
+type GrantPrincipalType = 'user' | 'tenant' | 'app';
+type GrantScope = 'read' | 'write' | 'delete' | 'admin';
+interface TableGrant {
+    id: string;
+    appId: string;
+    tableName: string;
+    principalType: GrantPrincipalType;
+    principalId: string;
+    scopes: GrantScope[];
+    createdAt: string;
+}
+interface CreateTableInput {
+    name: string;
+    ownerColumn: string;
+    columns: TableColumn[];
+}
+interface AddColumnInput {
+    name: string;
+    type: ColumnType;
+    nullable?: boolean;
+    default?: string | number | boolean | null;
+}
+interface AddGrantInput {
+    principalType: GrantPrincipalType;
+    principalId: string;
+    scopes: GrantScope[];
+}
+declare class AppsTablesMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * List all tables in an app's schema.
+     *
+     * @example happy
+     *   const tables = await sdk.apps.tables.list('app_abc')
+     *   for (const t of tables) console.log(t.tableName, t.columns.length)
+     */
+    list(appId: string): Promise<AppTable[]>;
+    /**
+     * Create a new table. Name must match `^[a-z][a-z0-9_]{0,62}$` — validation
+     * happens client-side before any network round-trip. ownerColumn must be
+     * present in `columns`.
+     *
+     * @example happy
+     *   const t = await sdk.apps.tables.create('app_abc', {
+     *     name: 'tasks',
+     *     ownerColumn: 'user_id',
+     *     columns: [
+     *       { name: 'user_id', type: 'uuid', nullable: false },
+     *       { name: 'title', type: 'text', nullable: false },
+     *       { name: 'done', type: 'bool', default: false },
+     *     ],
+     *   })
+     *
+     * @example failure
+     *   try { await sdk.apps.tables.create('app_x', { name: 'tasks', ownerColumn: 'u', columns: [] }) }
+     *   catch (e) { if (e instanceof SchemaNameTakenError) /* table name taken *\/ }
+     */
+    create(appId: string, input: CreateTableInput): Promise<AppTable>;
+    /**
+     * Drop a table. Irreversible — backend permanently removes the physical
+     * table on success.
+     *
+     * @example happy
+     *   await sdk.apps.tables.delete('app_abc', 'tasks_old')
+     */
+    delete(appId: string, tableName: string): Promise<void>;
+    /**
+     * Add a column to an existing table. Column name must be unique within the
+     * table; duplicate names return 400 `duplicate`.
+     *
+     * @example happy
+     *   await sdk.apps.tables.addColumn('app_abc', 'tasks', { name: 'priority', type: 'int', default: 0 })
+     */
+    addColumn(appId: string, tableName: string, input: AddColumnInput): Promise<TableColumn>;
+    /**
+     * Drop a column. Cannot drop the `ownerColumn` — backend returns 409
+     * `cannot_drop_owner_column`.
+     *
+     * @example happy
+     *   await sdk.apps.tables.dropColumn('app_abc', 'tasks', 'priority')
+     */
+    dropColumn(appId: string, tableName: string, columnName: string): Promise<void>;
+    /**
+     * List grants on a table.
+     *
+     * @example happy
+     *   const grants = await sdk.apps.tables.listGrants('app_abc', 'tasks')
+     */
+    listGrants(appId: string, tableName: string): Promise<TableGrant[]>;
+    /**
+     * Grant access on a table to a principal (user/tenant/app). Cross-tenant
+     * grants are rejected with 403 (a tenant can only grant to its own members).
+     *
+     * @example happy
+     *   const g = await sdk.apps.tables.addGrant('app_abc', 'tasks', {
+     *     principalType: 'user',
+     *     principalId: 'usr_xyz',
+     *     scopes: ['read', 'write'],
+     *   })
+     *
+     * @example failure
+     *   try { await sdk.withTenant('other').apps.tables.addGrant('app_abc', 'tasks', {...}) }
+     *   catch (e) { if (e instanceof PermissionDeniedError) /* cross-tenant *\/ }
+     */
+    addGrant(appId: string, tableName: string, input: AddGrantInput): Promise<TableGrant>;
+    /**
+     * Revoke a table grant by ID.
+     *
+     * @example happy
+     *   await sdk.apps.tables.revokeGrant('app_abc', 'tasks', 'gnt_abc')
+     *
+     * @example failure
+     *   try { await sdk.apps.tables.revokeGrant('app_abc', 'tasks', 'gnt_abc') }
+     *   catch (e) { if (e instanceof AlreadyRevokedError) /* already gone *\/ }
+     */
+    revokeGrant(appId: string, tableName: string, grantId: string): Promise<void>;
+    /**
+     * Inspect physical schema details for a dynamic table: columns, indexes,
+     * constraints, and optional storage stats.
+     *
+     * @example happy
+     *   const schema = await sdk.apps.tables.inspect('app_abc', 'orders')
+     *   console.log(schema.indexes.map((i) => i.name))
+     */
+    inspect(appId: string, tableName: string): Promise<TableSchema>;
+}
+
+interface AppTemplate {
+    id: string;
+    slug: string;
+    name: string;
+    description?: string;
+    [key: string]: unknown;
+}
+declare class AppsTemplatesMixin {
+    private readonly http;
+    private readonly defaultTenantSlug?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined);
+    list(opts?: PageRequestOptions): Promise<PaginatedList<AppTemplate>>;
+}
+
+declare class AppsClient {
+    private readonly crud;
+    private readonly envVars;
+    readonly publication: AppsPublicationMixin;
+    readonly access: AppsAccessMixin;
+    readonly categories: AppsCategoriesMixin;
+    readonly discover: AppsDiscoverMixin;
+    readonly likes: AppsLikesMixin;
+    readonly comments: AppsCommentsMixin;
+    readonly oauthClients: AppsOAuthClientsMixin;
+    readonly git: AppsGitMixin;
+    readonly tables: AppsTablesMixin;
+    readonly templates: AppsTemplatesMixin;
+    constructor(http: HttpClient, defaultTenantSlug?: string, defaultTenantId?: string);
+    create: (...args: Parameters<AppsCrudMixin["create"]>) => Promise<AppResponse>;
+    list: (...args: Parameters<AppsCrudMixin["list"]>) => Promise<PaginatedList<AppResponse>>;
+    listAll: (...args: Parameters<AppsCrudMixin["listAll"]>) => AsyncGenerator<ListAllItem<AppResponse>, any, any>;
+    get: (...args: Parameters<AppsCrudMixin["get"]>) => Promise<AppResponse>;
+    update: (...args: Parameters<AppsCrudMixin["update"]>) => Promise<AppResponse>;
+    delete: (...args: Parameters<AppsCrudMixin["delete"]>) => Promise<void>;
+    permanent: (...args: Parameters<AppsCrudMixin["permanent"]>) => Promise<void>;
+    signIconUploadURL: (...args: Parameters<AppsCrudMixin["signIconUploadURL"]>) => Promise<SignIconUploadResult>;
+    signIconDarkUploadURL: (...args: Parameters<AppsCrudMixin["signIconDarkUploadURL"]>) => Promise<SignIconUploadResult>;
+    /**
+     * List apps the caller has been granted access to (not necessarily owned).
+     * Wraps `GET /users/me/apps`. Distinct from {@link list} which returns all
+     * apps in the resolved tenant; `listMine` is per-user scoped via the auth
+     * principal in the token.
+     *
+     * @example happy
+     *   const accessible = await sdk.apps.listMine()
+     *   for (const a of accessible) console.log(a.slug)
+     */
+    listMine: (...args: Parameters<AppsCrudMixin["listMine"]>) => Promise<AppResponse[]>;
+    listEnvVars: (...args: Parameters<AppsEnvVarsMixin["listEnvVars"]>) => Promise<EnvVar[]>;
+    setEnvVar: (...args: Parameters<AppsEnvVarsMixin["setEnvVar"]>) => Promise<void>;
+    getEnvVar: (...args: Parameters<AppsEnvVarsMixin["getEnvVar"]>) => Promise<EnvVar>;
+    deleteEnvVar: (...args: Parameters<AppsEnvVarsMixin["deleteEnvVar"]>) => Promise<void>;
+}
+
+type ColumnPrimitive = 'uuid' | 'string' | 'number' | 'integer' | 'boolean' | 'timestamp' | 'json';
+type EnumColumn<V extends readonly string[]> = {
+    type: 'enum';
+    values: V;
+};
+type ColumnDef = ColumnPrimitive | EnumColumn<readonly string[]>;
+type SchemaShape = Record<string, ColumnDef>;
+interface DataColumn<Name extends string = string, Def extends ColumnDef = ColumnDef> {
+    table: string;
+    name: Name;
+    def: Def;
+}
+interface DataTableSchema<Row extends Record<string, unknown> = Record<string, unknown>> {
+    table: string;
+    columns: SchemaShape;
+    cols: {
+        [K in keyof Row & string]: DataColumn<K>;
+    };
+}
+type ColumnValue<D extends ColumnDef> = D extends {
+    type: 'enum';
+    values: readonly (infer V)[];
+} ? V : D extends 'number' | 'integer' ? number : D extends 'boolean' ? boolean : unknown;
+type RowFromSchema<S extends SchemaShape> = {
+    [K in keyof S & string]: ColumnValue<S[K]>;
+};
+declare function defineSchema<const S extends SchemaShape>(input: {
+    table: string;
+    columns: S;
+}): DataTableSchema<RowFromSchema<S>>;
+
+type QueryExpr = {
+    op: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'like';
+    column: string;
+    value: unknown;
+} | {
+    op: 'in';
+    column: string;
+    values: unknown[];
+} | {
+    op: 'and' | 'or';
+    clauses: QueryExpr[];
+} | {
+    op: 'not';
+    clause: QueryExpr;
+} | {
+    op: 'raw';
+    sql: string;
+    params?: unknown[];
+};
+declare function escapeLike(value: string): string;
+declare function raw(sql: string, params?: unknown[]): QueryExpr;
+declare function and(...clauses: QueryExpr[]): QueryExpr;
+declare function or(...clauses: QueryExpr[]): QueryExpr;
+declare function not(clause: QueryExpr): QueryExpr;
+declare function where<T>(column: DataColumn<string> | string): {
+    eq: (value: T) => QueryExpr;
+    ne: (value: T) => QueryExpr;
+    gt: (value: T) => QueryExpr;
+    gte: (value: T) => QueryExpr;
+    lt: (value: T) => QueryExpr;
+    lte: (value: T) => QueryExpr;
+    in: (values: T[]) => QueryExpr;
+    like: {
+        contains: (value: string) => QueryExpr;
+        startsWith: (value: string) => QueryExpr;
+        endsWith: (value: string) => QueryExpr;
+        raw: (value: string) => QueryExpr;
+    };
+};
+
+interface DataListOptions extends ListOptions, RequestOptions {
+    where?: QueryExpr;
+    orderBy?: string;
+}
+interface DataCountOptions extends RequestOptions {
+    where?: QueryExpr;
+}
+interface DataBulkResult<Row = unknown> {
+    items: Row[];
+    count: number;
+}
+declare class DataClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    table<Row extends Record<string, unknown> = Record<string, unknown>>(tenantSlug: string, appSlug: string, table: string | DataTableSchema<Row>): DataTableClient<Row>;
+    scoped(tenantSlug: string): TenantDataFactory;
+}
+declare class TenantDataFactory {
+    private readonly data;
+    private readonly tenantSlug;
+    constructor(data: DataClient, tenantSlug: string);
+    app(appSlug: string): AppDataFactory;
+}
+declare class AppDataFactory {
+    private readonly data;
+    private readonly tenantSlug;
+    private readonly appSlug;
+    constructor(data: DataClient, tenantSlug: string, appSlug: string);
+    table<Row extends Record<string, unknown> = Record<string, unknown>>(table: string | DataTableSchema<Row>): DataTableClient<Row>;
+}
+declare class DataTableClient<Row extends Record<string, unknown> = Record<string, unknown>> {
+    private readonly http;
+    private readonly tenantSlug;
+    private readonly appSlug;
+    private readonly tableName;
+    constructor(http: HttpClient, tenantSlug: string, appSlug: string, tableName: string);
+    private path;
+    list(opts?: DataListOptions): Promise<PaginatedList<Row>>;
+    listAll(opts?: DataListOptions): AsyncGenerator<ListAllItem<Row>>;
+    count(opts?: DataCountOptions): Promise<number>;
+    get(id: string, opts?: RequestOptions): Promise<Row>;
+    insert(row: Partial<Row>, opts?: RequestOptions): Promise<Row>;
+    insertMany(rows: Array<Partial<Row>>, opts?: RequestOptions): Promise<DataBulkResult<Row>>;
+    update(id: string, patch: Partial<Row>, opts?: RequestOptions): Promise<Row>;
+    delete(id: string, opts?: RequestOptions): Promise<void>;
+}
+
+declare class TenantScopedClient {
+    readonly slug: string;
+    private readonly root;
+    readonly apps: TenantScopedAppsClient;
+    constructor(slug: string, scopedRoot: AxHubClient, root: AxHubClient);
+    get tenants(): TenantScopedTenantsClient;
+    get authz(): TenantAuthzClient;
+    get audit(): TenantAuditClient;
+    get gateway(): TenantGatewayClient;
+    app(appSlug: string): AppScopedClient;
+}
+declare class TenantScopedAppsClient {
+    private readonly tenantSlug;
+    private readonly http;
+    constructor(tenantSlug: string, http: HttpClient);
+    create(input: CreateAppInput, opts?: RequestOptions): Promise<AppResponse>;
+    list(opts?: PageRequestOptions): Promise<PaginatedList<AppResponse>>;
+    listAll(opts?: PageRequestOptions): AsyncGenerator<ListAllItem<AppResponse>>;
+    get(appId: string, opts?: RequestOptions): Promise<AppResponse>;
+    update(appId: string, patch: UpdateAppInput, opts?: RequestOptions): Promise<AppResponse>;
+    delete(appId: string, opts?: RequestOptions): Promise<void>;
+}
+declare class AppScopedClient {
+    readonly tenantSlug: string;
+    readonly appSlug: string;
+    private readonly root;
+    readonly data: AppScopedDataClient;
+    readonly tables: AppScopedTablesClient;
+    constructor(tenantSlug: string, appSlug: string, root: AxHubClient);
+}
+declare class AppScopedDataClient {
+    private readonly tenantSlug;
+    private readonly appSlug;
+    private readonly rootData;
+    constructor(tenantSlug: string, appSlug: string, rootData: DataClient);
+    table<Row extends Record<string, unknown> = Record<string, unknown>>(table: string | DataTableSchema<Row>): DataTableClient<Row>;
+}
+declare class AppScopedTablesClient {
+    private readonly tenantSlug;
+    private readonly appSlug;
+    private readonly http;
+    constructor(tenantSlug: string, appSlug: string, http: HttpClient);
+    create(input: unknown, opts?: RequestOptions): Promise<unknown>;
+    inspect(tableName: string, opts?: RequestOptions): Promise<unknown>;
+}
+
+type DeploymentStatus = 'queued' | 'building' | 'deploying' | 'succeeded' | 'failed' | 'cancelled' | 'rolled_back';
+interface DeploymentResponse {
+    id: string;
+    appId: string;
+    status: DeploymentStatus;
+    triggerSource: string;
+    startedAt: string | null;
+    completedAt: string | null;
+    url: string | null;
+    errorMessage: string | null;
+    createdAt: string;
+    updatedAt: string;
+}
+interface CreateDeploymentInput {
+    ref?: string;
+}
+interface BuildLogEvent {
+    ts: string;
+    line: string;
+}
+interface PodLogEvent {
+    ts: string;
+    line: string;
+}
+interface PodEventEvent {
+    type: 'Normal' | 'Warning';
+    reason: string;
+    message: string;
+    ts: string;
+}
+declare class DeploymentsClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Trigger a new deployment. Returns immediately with the deployment row
+     * in `queued` or `building` state; use `streamBuildLogs` or polling
+     * `get()` to observe progression.
+     *
+     * @example happy
+     *   const dep = await sdk.deployments.create('app_abc', { ref: 'main' })
+     *
+     * @example failure
+     *   try { await sdk.deployments.create('app_abc') }
+     *   catch (e) {
+     *     if (e instanceof ConflictError) /* in-progress deploy exists *\/
+     *     if (e instanceof PreconditionFailedError) /* git connection missing *\/
+     *   }
+     */
+    create(appId: string, input?: CreateDeploymentInput): Promise<DeploymentResponse>;
+    /**
+     * List deployments for an app, newest first.
+     *
+     * @example happy
+     *   const page = await sdk.deployments.list('app_abc', { pageSize: 20 })
+     */
+    list(appId: string, opts?: ListOptions): Promise<PaginatedList<DeploymentResponse>>;
+    listAll(appId: string, opts?: ListAllOptions): AsyncGenerator<ListAllItem<DeploymentResponse>>;
+    /**
+     * Fetch a single deployment. Use to poll terminal status without streaming.
+     *
+     * @example happy
+     *   const dep = await sdk.deployments.get('app_abc', 'dep_123')
+     *   if (dep.status === 'succeeded') console.log(dep.url)
+     */
+    get(appId: string, did: string): Promise<DeploymentResponse>;
+    /**
+     * Cancel an in-progress deployment. Best-effort — if the deployment has
+     * already transitioned to a terminal state when the request arrives, the
+     * route returns 204 on acceptance. Idempotent.
+     *
+     * @example happy
+     *   await sdk.deployments.cancel('app_abc', 'dep_123')
+     */
+    cancel(appId: string, did: string): Promise<void>;
+    /**
+     * Rollback to a prior succeeded deployment's image. Creates a new
+     * deployment rollback action; original deployment is unaffected. Backend
+     * returns 204 when the request is accepted.
+     *
+     * @example happy
+     *   await sdk.deployments.rollback('app_abc', 'dep_old_succeeded')
+     *
+     * @example failure
+     *   try { await sdk.deployments.rollback('app_abc', 'dep_never_succeeded') }
+     *   catch (e) {
+     *     if (e instanceof PreconditionFailedError) /* no image to rollback to *\/
+     *   }
+     */
+    rollback(appId: string, did: string): Promise<void>;
+    /**
+     * Stream Cloud Build log lines for a deployment via SSE. Returns an
+     * AsyncIterable that yields `{type:'item', value}`, `{type:'gap'}` (on
+     * reconnect when ring buffer rolled), or `{type:'decode-skip'}` (single
+     * malformed frame). Iterator completes when the deployment reaches a
+     * terminal state.
+     *
+     * @example happy
+     *   const ctrl = new AbortController()
+     *   for await (const ev of sdk.deployments.streamBuildLogs(appId, did, { signal: ctrl.signal })) {
+     *     if (ev.type === 'item') process.stdout.write(ev.value.line + '\n')
+     *   }
+     *
+     * @example failure
+     *   try {
+     *     for await (const _ of sdk.deployments.streamBuildLogs(appId, did)) {}
+     *   } catch (e) {
+     *     if (e instanceof StreamConsumedError) /* iterating twice — forbidden *\/
+     *   }
+     */
+    streamBuildLogs(appId: string, did: string, opts?: {
+        signal?: AbortSignal;
+    }): SSEStream<BuildLogEvent>;
+    /**
+     * Stream runtime pod stdout/stderr after deploy succeeds. Same iterator
+     * semantics as `streamBuildLogs`. Ring buffer cap = 200 most recent lines.
+     *
+     * @example happy
+     *   for await (const ev of sdk.deployments.streamPodLogs(appId, did)) {
+     *     if (ev.type === 'item') console.log(ev.value.line)
+     *   }
+     */
+    streamPodLogs(appId: string, did: string, opts?: {
+        signal?: AbortSignal;
+    }): SSEStream<PodLogEvent>;
+    /**
+     * Stream Kubernetes pod events (Normal / Warning — CrashLoopBackOff,
+     * OOMKilled, ImagePullBackOff, ...). Use for self-heal signal detection.
+     *
+     * @example happy
+     *   for await (const ev of sdk.deployments.streamPodEvents(appId, did)) {
+     *     if (ev.type === 'item' && ev.value.type === 'Warning') {
+     *       console.warn(ev.value.reason, ev.value.message)
+     *     }
+     *   }
+     */
+    streamPodEvents(appId: string, did: string, opts?: {
+        signal?: AbortSignal;
+    }): SSEStream<PodEventEvent>;
+}
+
+interface IssuePersonalAccessTokenInput {
+    name: string;
+    expiresInDays?: number;
+}
+interface IssuePersonalAccessTokenResult {
+    patId: string;
+    name: string;
+    rawToken: string;
+    createdAt: string;
+    expiresAt: string | null;
+}
+interface PATSummary {
+    id: string;
+    name: string;
+    createdAt: string;
+    expiresAt: string | null;
+    lastUsedAt: string | null;
+}
+interface MeResponse {
+    userId: string;
+    email: string;
+    name?: string;
+    platformAdmin?: boolean;
+    tenants?: Array<{
+        tenantId: string;
+        tenantSlug: string;
+        role: string;
+        isActive: boolean;
+        iconUrl?: string;
+    }>;
+    [key: string]: unknown;
+}
+interface OAuthTokenResponse {
+    accessToken: string;
+    tokenType: string;
+    expiresIn?: number;
+    refreshToken?: string;
+    scope?: string;
+    raw: Record<string, unknown>;
+}
+interface DeviceAuthorizationResponse {
+    deviceCode: string;
+    userCode: string;
+    verificationUri: string;
+    verificationUriComplete?: string;
+    expiresIn: number;
+    interval: number;
+    raw: Record<string, unknown>;
+}
+interface IdentityProvider {
+    id: string;
+    tenantId?: string;
+    provider: string;
+    type: 'oidc' | 'oauth2' | 'saml' | string;
+    enabled?: boolean;
+    [key: string]: unknown;
+}
+interface SystemOAuthClient {
+    id: string;
+    clientId?: string;
+    tenantId?: string;
+    name?: string;
+    redirectUris?: string[];
+    scopes?: string[];
+    [key: string]: unknown;
+}
+declare class IdentityClient {
+    private readonly http;
+    readonly pat: IdentityPATClient;
+    readonly meClient: IdentityMeClient;
+    readonly oauth: IdentityOAuthClient;
+    readonly oidc: IdentityOIDCClient;
+    readonly deviceCode: IdentityDeviceCodeClient;
+    readonly idp: IdentityProviderClient;
+    readonly systemOAuthClients: IdentitySystemOAuthClientsClient;
+    constructor(http: HttpClient, defaultTenantSlug?: string);
+    /** @deprecated Use sdk.identity.pat.issue(). Kept until 1.0 RC migration. */
+    issuePersonalAccessToken(input: IssuePersonalAccessTokenInput, opts?: RequestOptions): Promise<IssuePersonalAccessTokenResult>;
+    /** @deprecated Use sdk.identity.pat.list(). Kept until 1.0 RC migration. */
+    listPersonalAccessTokens(opts?: RequestOptions): Promise<PATSummary[]>;
+    /** @deprecated Use sdk.identity.pat.revoke(). Kept until 1.0 RC migration. */
+    revokePersonalAccessToken(patId: string, opts?: RequestOptions): Promise<void>;
+    me(opts?: RequestOptions): Promise<MeResponse>;
+}
+declare class IdentityPATClient {
+    private readonly http;
+    private readonly defaultTenantSlug?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined);
+    private tenantQuery;
+    issue(input: IssuePersonalAccessTokenInput, opts?: RequestOptions): Promise<IssuePersonalAccessTokenResult>;
+    list(opts?: RequestOptions): Promise<PATSummary[]>;
+    revoke(patId: string, opts?: RequestOptions): Promise<void>;
+}
+declare class IdentityMeClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    get(opts?: RequestOptions): Promise<MeResponse>;
+}
+declare class IdentityOAuthClient {
+    private readonly http;
+    private readonly defaultTenantSlug?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined);
+    private tenantQuery;
+    authorizeUrl(input: {
+        clientId: string;
+        redirectUri: string;
+        scope?: string;
+        state?: string;
+        codeChallenge?: string;
+        codeChallengeMethod?: string;
+    }): string;
+    exchangeCode(input: {
+        code: string;
+        clientId: string;
+        redirectUri: string;
+        codeVerifier: string;
+        clientSecret?: string;
+    }, opts?: RequestOptions): Promise<OAuthTokenResponse>;
+    refreshTokens(input: {
+        refreshToken: string;
+        clientId?: string;
+        clientSecret?: string;
+    }, opts?: RequestOptions): Promise<OAuthTokenResponse>;
+    revoke(input: {
+        token: string;
+        tokenTypeHint?: string;
+        clientId?: string;
+    }, opts?: RequestOptions): Promise<void>;
+    userinfo(opts?: RequestOptions): Promise<Record<string, unknown>>;
+    getClient(clientId: string, opts?: RequestOptions): Promise<SystemOAuthClient>;
+    revokeOwnGrant(clientId: string, opts?: RequestOptions): Promise<void>;
+}
+declare class IdentityOIDCClient {
+    private readonly http;
+    private readonly defaultTenantSlug?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined);
+    private tenantQuery;
+    discovery(opts?: RequestOptions): Promise<Record<string, unknown>>;
+    jwks(opts?: RequestOptions): Promise<Record<string, unknown>>;
+    providers(opts?: RequestOptions): Promise<IdentityProvider[]>;
+    startURL(providerId: string, input?: {
+        redirectTo?: string;
+        state?: string;
+    }, opts?: RequestOptions): Promise<string>;
+    exchangeCallback(input: {
+        code: string;
+        state?: string;
+        provider?: string;
+    }, opts?: RequestOptions): Promise<OAuthTokenResponse>;
+}
+declare class IdentityDeviceCodeClient {
+    private readonly http;
+    private readonly defaultTenantSlug?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined);
+    private tenantQuery;
+    request(input: {
+        clientId: string;
+        scope?: string;
+    }, opts?: RequestOptions): Promise<DeviceAuthorizationResponse>;
+    poll(input: {
+        deviceCode: string;
+        clientId: string;
+        intervalMs?: number;
+        signal?: AbortSignal;
+    }, opts?: RequestOptions): Promise<OAuthTokenResponse>;
+}
+declare class IdentityProviderClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    list(tenantId: string, opts?: RequestOptions): Promise<IdentityProvider[]>;
+    create(tenantId: string, input: Record<string, unknown>, opts?: RequestOptions): Promise<IdentityProvider>;
+    enable(tenantId: string, providerId: string, opts?: RequestOptions): Promise<IdentityProvider>;
+    disable(tenantId: string, providerId: string, opts?: RequestOptions): Promise<IdentityProvider>;
+}
+declare class IdentitySystemOAuthClientsClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    get(clientId: string, opts?: RequestOptions): Promise<SystemOAuthClient>;
+    create(input: Record<string, unknown>, opts?: RequestOptions): Promise<SystemOAuthClient>;
+    delete(clientId: string, opts?: RequestOptions): Promise<void>;
+}
+
+interface SettlePublicationInput {
+    comment?: string;
+}
+declare class PublicationRequestsClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Fetch a single publication request by ID. Visible to the requester
+     * (owner) and reviewers/admins.
+     *
+     * @example happy
+     *   const pr = await sdk.publicationRequests.get('pr_abc')
+     *
+     * @example failure
+     *   try { await sdk.publicationRequests.get('pr_missing') }
+     *   catch (e) { if (e instanceof NotFoundError) /* abort *\/ }
+     */
+    get(prId: string): Promise<PublicationRequest>;
+    /**
+     * Approve a publication request. Requires the `publication_reviewer` role;
+     * non-reviewers get `PermissionDeniedError`. Approving an already-settled
+     * request returns `AlreadySettledError` (409).
+     *
+     * Side effects (server-side): the app's `publicationStatus = 'approved'`,
+     * `visibility = 'public'`, and an `AppPublished` event is emitted.
+     *
+     * @example happy
+     *   const pr = await sdk.publicationRequests.approve('pr_abc', { comment: 'LGTM' })
+     *   console.log(pr.status) // 'approved'
+     *
+     * @example failure
+     *   try { await sdk.publicationRequests.approve('pr_settled') }
+     *   catch (e) {
+     *     if (e instanceof AlreadySettledError) /* already approved/rejected *\/
+     *     if (e instanceof PermissionDeniedError) /* not a reviewer *\/
+     *   }
+     */
+    approve(prId: string, input?: SettlePublicationInput): Promise<PublicationRequest>;
+    /**
+     * Reject a publication request. Same role + idempotency rules as `approve`.
+     * App state unchanged; requester can resubmit after addressing the comment.
+     *
+     * @example happy
+     *   const pr = await sdk.publicationRequests.reject('pr_abc', { comment: 'Add screenshots' })
+     *   console.log(pr.status) // 'rejected'
+     */
+    reject(prId: string, input?: SettlePublicationInput): Promise<PublicationRequest>;
+    private settle;
+    /**
+     * List all pending publication requests across the tenant. Platform admin
+     * only — non-admins get `PermissionDeniedError`.
+     *
+     * @example happy
+     *   const page = await sdk.publicationRequests.listPending({ pageSize: 20 })
+     *   for (const pr of page.items) console.log(pr.appId, pr.requesterId, pr.reason)
+     *
+     * @example failure
+     *   try { await sdk.publicationRequests.listPending() }
+     *   catch (e) { if (e instanceof NotAdminError) /* not platform admin *\/ }
+     */
+    listPending(opts?: ListOptions): Promise<PaginatedList<PublicationRequest>>;
+}
+
+/**
+ * Default production base URL for AX Hub. Override via `baseUrl` for staging,
+ * local dev, or self-hosted environments. Also overridable via env var
+ * `AX_HUB_BASE_URL` (caller wires this if desired).
+ */
+declare const DEFAULT_BASE_URL = "https://axhub-api.jocodingax.ai";
+interface AxHubClientOptions {
+    /**
+     * Backend root URL. Defaults to {@link DEFAULT_BASE_URL}. Override for
+     * staging / self-hosted / local dev.
+     */
+    baseUrl?: string;
+    token?: string;
+    tokenType?: TokenType;
+    /**
+     * JWT refresh callback. Called when an admin-ring request returns 401.
+     * Should return the new JWT, or throw to surface the 401 to the caller.
+     */
+    onRefresh?: () => Promise<string>;
+    defaultTenantSlug?: string;
+    defaultTenantId?: string;
+    logger?: Logger;
+    debug?: boolean;
+    fetch?: FetchLike;
+    timeoutMs?: number;
+    idempotencyKey?: {
+        autoGenerate?: boolean;
+        generator?: () => string;
+    };
+    retryPolicy?: RetryPolicy;
+    rateLimitStrategy?: RateLimitStrategy;
+}
+interface AxHubInternalOptions {
+    __sharedHttp: HttpClient;
+    defaultTenantSlug: string;
+    defaultTenantId?: string;
+    logger: Logger;
+}
+declare class AxHubClient {
+    readonly http: HttpClient;
+    readonly defaultTenantSlug?: string;
+    readonly defaultTenantId?: string;
+    readonly logger: Logger;
+    private _apps?;
+    private _audit?;
+    private _authz?;
+    private _data?;
+    private _deployments?;
+    private _gateway?;
+    private _identity?;
+    private _publicationRequests?;
+    private _tenants?;
+    constructor(opts: AxHubClientOptions | AxHubInternalOptions);
+    resolveTenantSlug(perCall?: string): string;
+    get apps(): AppsClient;
+    get audit(): AuditClient;
+    get authz(): AuthzClient;
+    get data(): DataClient;
+    get deployments(): DeploymentsClient;
+    get gateway(): GatewayClient;
+    get identity(): IdentityClient;
+    get tenants(): TenantsClient;
+    /**
+     * Admin namespace for publication-request review workflow. Separated from
+     * `sdk.apps.publication` (which is owner-scoped: submit/list/unpublish own
+     * app) because approve/reject/listPending act on requests cross-app and
+     * require reviewer/platform-admin roles.
+     *
+     * @example happy
+     *   const pr = await sdk.publicationRequests.approve('pr_abc', { comment: 'LGTM' })
+     */
+    get publicationRequests(): PublicationRequestsClient;
+    /**
+     * Returns a new AxHubClient scoped to the given tenant. The new client
+     * shares the same underlying HttpClient (and therefore auth + retry state)
+     * but reports `defaultTenantSlug = tenantSlug` for path templating.
+     *
+     * Resource clients (`apps`, `deployments`, `identity`) on the scoped
+     * client are independent instances — they do NOT alias the parent's. This
+     * matters when a caller passes `sdk.apps` and `sdk.withTenant('x').apps`
+     * around: they are distinct references, lazy-initialized on first access.
+     *
+     * @example happy
+     *   const other = sdk.withTenant('analytics')
+     *   await other.apps.create({ slug: 'dashboard', name: 'Dashboard' })
+     *
+     * @example failure
+     *   // The scoped client inherits auth — if the token is not a member of
+     *   // the target tenant, the first call surfaces PermissionDeniedError.
+     */
+    withTenant(tenantSlug: string): AxHubClient;
+    /**
+     * Recommended tenant-scoped surface. Path-tenant routes receive the slug
+     * automatically, while root-only routes (OAuth token, JWKS, /me) remain on
+     * the root client.
+     *
+     * @example happy
+     *   const acme = sdk.tenant('acme')
+     *   await acme.apps.create({ slug: 'crm', name: 'CRM' })
+     *   await acme.app('crm').data.table('orders').list()
+     */
+    tenant(tenantSlug: string): TenantScopedClient;
+}
+
+interface StaticTokenAuthOptions {
+    token: string;
+    tokenType: TokenType;
+    onRefresh?: () => Promise<string>;
+}
+declare class StaticTokenAuth implements AuthProvider {
+    private token;
+    readonly tokenType: TokenType;
+    private readonly onRefresh?;
+    private refreshing;
+    constructor(opts: StaticTokenAuthOptions);
+    currentToken(): string;
+    headersFor(ring: AuthRing): Record<string, string>;
+    onUnauthorized(): Promise<boolean>;
+}
+declare class NoAuth implements AuthProvider {
+    headersFor(_ring: AuthRing): Record<string, string>;
+    onUnauthorized(): Promise<boolean>;
+}
+
+type WebhookVerifyReason = 'signature_mismatch' | 'timestamp_skew' | 'malformed_signature' | 'missing_secret' | 'replay';
+interface VerifyWebhookInput {
+    rawBody: Buffer | Uint8Array | string;
+    signature: string;
+    secret: string;
+    tolerance?: number;
+    timestamp?: string;
+    replayCache?: Set<string>;
+    now?: () => number;
+}
+interface VerifyWebhookResult {
+    ok: boolean;
+    reason?: WebhookVerifyReason;
+}
+declare function signWebhook(rawBody: Buffer | Uint8Array | string, secret: string, timestamp?: string): string;
+declare function verifyWebhook(input: VerifyWebhookInput): VerifyWebhookResult;
+
+export { AbortError, AccessDeniedError, type AddColumnInput, type AddCommentInput, type AddGrantInput, AlreadyAccessedError, AlreadyActiveError, AlreadyDeletedError, AlreadyInactiveError, AlreadyMemberError, AlreadyRevokedError, AlreadySettledError, type AnonymizeInput, type AppAccess, type AppCategory, type AppID, type AppId, type AppResponse, AppScopedClient, AppScopedDataClient, type AppSlug, type AppTable, type AppTemplate, AppUnavailableError, AppsClient, AuditClient, type AuditEvent, type AuditEventID, type AuthProvider, type AuthRing, AuthorizationPendingError, AuthzClient, type AuthzGrant, type AuthzSubject, type AuthzTag, AxHubClient, type AxHubClientOptions, AxHubError, type AxHubErrorInit, BadRequestError, type Branded, type BuildLogEvent, type BulkInviteResult, type ColumnType, type Comment, ConflictError, type ConnectGitInput, type ConnectorID, type CreateAppInput, type CreateCategoryInput, type CreateDeploymentInput, type CreateOAuthClientInput, type CreateTableInput, type CreateTenantInput, DEFAULT_BASE_URL, type DataBulkResult, DataClient, type DataCountOptions, type DataListOptions, DataTableClient, type DataTableSchema, type DecideInput, type DecideResult, DecodeError, type DeploymentID, type DeploymentId, type DeploymentResponse, type DeploymentStatus, DeploymentsClient, type DeviceAuthorizationResponse, DeviceFlowDeniedError, DeviceFlowTimeoutError, type DiscoverAppsOptions, type DispatchContext, DomainTakenError, DuplicateError, type EmailDomain, type EmitAuditEventInput, EmptyError, type EnvVar, ExpiredTokenError, type FetchLike, type FieldError, ForbiddenError, GatewayClient, type GatewayConnector, type GatewayEngine, type GatewayQueryInput, type GatewayQueryResult, type GatewayResource, type GitConnection, type GitConnectionSetup, type GitConnectionStatus, type GithubInstallStart, type GrantID, type GrantPrincipalType, type GrantScope, IdentityClient, IdentityDeviceCodeClient, IdentityMeClient, IdentityOAuthClient, IdentityOIDCClient, IdentityPATClient, type IdentityProvider, IdentityProviderClient, IdentitySystemOAuthClientsClient, type InstallStartInput, type IntegrityCheckResult, InternalServerError, InvalidGrantError, InvalidPathError, InvalidStateTransitionError, InvalidValueError, InvitationExpiredError, type InviteTenantMemberInput, type IssuePersonalAccessTokenInput, type IssuePersonalAccessTokenResult, LastAdminError, type LikeResult, type LikeStatus, type ListAllItem, type ListAllOptions, type ListOptions, type Logger, type MeResponse, NetworkError, NoAuth, NotAdminError, NotAllowedError, NotDeletedError, NotFoundError, NotMemberError, type OAuthClient, type OAuthClientWithSecret, OAuthError, type OAuthErrorInit, type OAuthTokenResponse, type PATID, type PATSummary, type PaginatedList, type ParsedFrame, type PatId, PendingExistsError, PermanentlyDeletedError, PermissionDeniedError, type PodEventEvent, type PodLogEvent, PoolStaleError, PreconditionFailedError, type PublicationRequest, type PublicationRequestStatus, PublicationRequestsClient, type QueryExpr, type RateLimitStrategy, RateLimitedError, type RequestId, RequiredError, type ResourceID, type RetryInfo, type SSEStream, SchemaNameTakenError, type SettlePublicationInput, type SignIconUploadInput, type SignIconUploadResult, SlowDownError, SlugTakenError, StaticTokenAuth, StreamConsumedError, type StreamItem, type SubjectID, type SubmitPublicationInput, type SystemOAuthClient, type TableColumn, type TableConstraint, type TableGrant, type TableID, type TableIndex, type TableSchema, type TagID, type Tenant, type TenantID, type TenantId, type TenantInvitation, type TenantMember, TenantScopedAppsClient, TenantScopedClient, type TenantSlug, TenantSlugRequiredError, TenantsClient, TimeoutError, TokenExpiredError, TokenInvalidError, TokenMissingError, type TokenType, UnauthenticatedError, UnavailableError, type UnlikeResult, type UnpublishInput, type UpdateAppInput, type UpdateGitConnectionInput, type UpdateTenantInput, type UserID, type UserId, ValidationError, type VerifyWebhookInput, type VerifyWebhookResult, WebhookVerificationError, type WebhookVerifyReason, and, asAppId, asAppSlug, asDeploymentId, asPatId, asRequestId, asTenantId, asTenantSlug, asUserId, defineSchema, dispatch, escapeLike, formatErrorMessage, id, isOAuthPath, not, or, parseRetryAfter, raw, signWebhook, verifyWebhook, where };