npm - @ax-hub/sdk - Versions diffs - 0.2.0 → 1.0.0 - Mend

@ax-hub/sdk 0.2.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -124,6 +124,15 @@ declare class StreamConsumedError extends AxHubError {
 }
 declare class TenantSlugRequiredError extends AxHubError {
 }
+/**
+ * SDK-self error: tenant-scoped app routes
+ * (`POST`/`GET /api/v1/tenants/{tenantID}/apps`) require a tenant **UUID** in
+ * the path. Thrown before any request when the SDK holds only a slug (or no
+ * tenant context). Mirrors {@link TenantSlugRequiredError}; constructed inline
+ * at call sites (crud.ts / scoped.ts), like TenantSlugRequiredError in client.ts.
+ */
+declare class TenantIdRequiredError extends AxHubError {
+}
 declare class ConfigurationError extends AxHubError {
 }
 declare class PoolStaleError extends UnauthenticatedError {
@@ -169,15 +178,24 @@ declare class DeviceFlowDeniedError extends AccessDeniedError {
 }
 declare class DeviceFlowTimeoutError extends ExpiredTokenError {
 }
-declare function isOAuthPath(path: string): boolean;
-interface DispatchContext {
-    path: string;
-    status: number;
-    body: unknown;
-    fallbackRequestId: string;
+declare class InvalidTargetError extends OAuthError {
+}
+declare class InvalidClientError extends OAuthError {
+}
+declare class InvalidRequestError extends OAuthError {
+}
+declare class InvalidScopeError extends OAuthError {
+}
+declare class InvalidTokenError extends OAuthError {
+}
+declare class UnauthorizedClientError extends OAuthError {
+}
+declare class UnsupportedGrantTypeError extends OAuthError {
+}
+declare class OAuthServerError extends OAuthError {
+}
+declare class TemporarilyUnavailableError extends OAuthError {
 }
-declare function dispatch(ctx: DispatchContext): AxHubError;
 declare const brand: unique symbol;
 type Branded<T, B extends string> = T & {
@@ -305,6 +323,26 @@ declare class HttpClient {
     private logRequest;
 }
+interface StaticTokenAuthOptions {
+    token: string;
+    tokenType: TokenType;
+    onRefresh?: () => Promise<string>;
+}
+declare class StaticTokenAuth implements AuthProvider {
+    private token;
+    readonly tokenType: TokenType;
+    private readonly onRefresh?;
+    private refreshing;
+    constructor(opts: StaticTokenAuthOptions);
+    currentToken(): string;
+    headersFor(ring: AuthRing): Record<string, string>;
+    onUnauthorized(): Promise<boolean>;
+}
+declare class NoAuth implements AuthProvider {
+    headersFor(_ring: AuthRing): Record<string, string>;
+    onUnauthorized(): Promise<boolean>;
+}
 interface PaginatedList<T> {
     items: T[];
     nextCursor: string | null;
@@ -378,282 +416,59 @@ declare function decodeCursor(token: string): KeysetCursor;
 declare function orderByFingerprint(orderBy?: DataOrderBy): string;
 declare function cursorFromRow(row: Record<string, unknown> | undefined, opts?: CursorBuildOptions): string | null;
-interface RequestOptions {
+interface ParsedFrame {
+    id?: string;
+    event?: string;
+    data: string;
+}
+type StreamItem<T> = {
+    type: 'item';
+    value: T;
+    id: string | undefined;
+} | {
+    type: 'gap';
+    sinceId: string | undefined;
+    missingCount?: number;
+} | {
+    type: 'decode-skip';
+    frame: ParsedFrame;
+    error: AxHubError;
+};
+interface SSEStreamOptions<T> {
+    url: string;
+    http: HttpClient;
+    ring: AuthRing;
     signal?: AbortSignal;
-    timeoutMs?: number;
-    idempotencyKey?: string | false;
+    maxReconnects?: number;
+    parseEvent: (frame: ParsedFrame) => T;
 }
-interface PageRequestOptions extends ListOptions, RequestOptions {
+interface SSEStream<T> extends AsyncIterable<StreamItem<T>> {
+    dispose(): void;
 }
-interface AuditEvent {
-    id: string;
-    type?: string;
-    actorId?: string;
-    hash?: string;
-    prevHash?: string;
-    createdAt?: string;
-    [key: string]: unknown;
-}
-interface EmitAuditEventInput {
-    type: string;
-    actorId?: string;
-    resource?: string;
-    payload?: unknown;
+type WebhookVerifyReason = 'signature_mismatch' | 'timestamp_skew' | 'malformed_signature' | 'missing_secret' | 'replay';
+interface VerifyWebhookInput {
+    rawBody: Buffer | Uint8Array | string;
+    signature: string;
+    secret: string;
+    tolerance?: number;
+    timestamp?: string;
+    replayCache?: Set<string>;
+    now?: () => number;
 }
-interface IntegrityCheckResult {
+interface VerifyWebhookResult {
     ok: boolean;
-    checked: number;
-    firstBadSeq?: number;
-    reason?: string;
-}
-interface AnonymizeInput {
-    subjectId?: string;
-    actorId?: string;
-    anonymizedId?: string;
-    reason?: string;
-}
-declare class AuditClient {
-    private readonly http;
-    readonly events: AuditEventsClient;
-    readonly server: AuditServerClient;
-    constructor(http: HttpClient);
-    scoped(tenantSlug: string): TenantAuditClient;
-    integrityCheck(tenantSlug: string, opts?: RequestOptions): Promise<IntegrityCheckResult>;
-    anonymize(tenantSlug: string, input: AnonymizeInput, opts?: RequestOptions): Promise<AuditEvent | void>;
-}
-declare class TenantAuditClient {
-    private readonly http;
-    private readonly tenantSlug;
-    readonly events: AuditEventsForTenantClient;
-    readonly server: AuditServerForTenantClient;
-    constructor(http: HttpClient, tenantSlug: string);
-    integrityCheck(opts?: RequestOptions): Promise<IntegrityCheckResult>;
-    anonymize(input: AnonymizeInput, opts?: RequestOptions): Promise<AuditEvent | void>;
-}
-declare class AuditEventsClient {
-    private readonly http;
-    constructor(http: HttpClient);
-    forTenant(tenantSlug: string): AuditEventsForTenantClient;
-}
-declare class AuditEventsForTenantClient {
-    private readonly http;
-    private readonly tenantSlug;
-    constructor(http: HttpClient, tenantSlug: string);
-    list(opts?: PageRequestOptions & {
-        type?: string;
-    }): Promise<PaginatedList<AuditEvent>>;
-    get(eventId: string, opts?: RequestOptions): Promise<AuditEvent>;
-}
-declare class AuditServerClient {
-    private readonly http;
-    constructor(http: HttpClient);
-    forTenant(tenantSlug: string): AuditServerForTenantClient;
-}
-declare class AuditServerForTenantClient {
-    private readonly http;
-    private readonly tenantSlug;
-    constructor(http: HttpClient, tenantSlug: string);
-    /**
-     * Emit a server-side audit event.
-     *
-     * @remarks The backend route `POST /audit-events/server` is not yet
-     * implemented (currently 404). Retained ahead of backend support — see
-     * ADR-0040. Do not rely on this in production until the route ships.
-     */
-    emit(input: EmitAuditEventInput, opts?: RequestOptions): Promise<AuditEvent>;
-}
-interface AuthzTag {
-    id: string;
-    name: string;
-    parentId?: string;
-    [key: string]: unknown;
-}
-interface AuthzSubject {
-    id: string;
-    type: string;
-    externalId?: string;
-    [key: string]: unknown;
-}
-interface AuthzGrant {
-    id: string;
-    subjectId: string;
-    resource: string;
-    action: string;
-    effect: 'allow' | 'deny';
-    [key: string]: unknown;
-}
-interface DecideInput {
-    subjectId: string;
-    resource: string;
-    action: string;
-    context?: Record<string, unknown>;
-}
-interface DecideResult {
-    allowed: boolean;
-    reason?: string;
-    matchedGrantId?: string;
-}
-declare class AuthzClient {
-    private readonly http;
-    constructor(http: HttpClient);
-    scoped(tenantSlug: string): TenantAuthzClient;
-}
-declare class TenantAuthzClient {
-    /** @adminOnly Tag governance. `list()` requires tenant_admin (v0.1, SPEC 307) — member callers get ForbiddenError (no auto-retry; permission, not transient). Members browse the data catalog via `gateway.catalog`. */
-    readonly tags: Crud<AuthzTag>;
-    /** @adminOnly Subject governance. `list()` requires tenant_admin (v0.1) — member callers get ForbiddenError. */
-    readonly subjects: Crud<AuthzSubject>;
-    /** @adminOnly Grant governance. `list()` requires tenant_admin (v0.1) — member callers get ForbiddenError. */
-    readonly grants: Crud<AuthzGrant>;
-    readonly evaluator: AuthzEvaluatorClient;
-    constructor(http: HttpClient, tenantSlug: string);
-}
-declare class Crud<T extends {
-    id: string;
-}> {
-    private readonly http;
-    private readonly base;
-    constructor(http: HttpClient, base: string);
-    list(opts?: RequestOptions): Promise<T[]>;
-    get(id: string, opts?: RequestOptions): Promise<T>;
-    create(input: Record<string, unknown>, opts?: RequestOptions): Promise<T>;
-    update(id: string, patch: Record<string, unknown>, opts?: RequestOptions): Promise<T>;
-    delete(id: string, opts?: RequestOptions): Promise<void>;
-}
-declare class AuthzEvaluatorClient {
-    private readonly http;
-    private readonly base;
-    private readonly ttlMs;
-    private readonly cache;
-    constructor(http: HttpClient, base: string, ttlMs?: number);
-    decide(input: DecideInput, opts?: RequestOptions): Promise<DecideResult>;
-    decideMany(inputs: DecideInput[], opts?: RequestOptions): Promise<DecideResult[]>;
+    reason?: WebhookVerifyReason;
 }
+declare function signWebhook(rawBody: Buffer | Uint8Array | string, secret: string, timestamp?: string): string;
+declare function verifyWebhook(input: VerifyWebhookInput): VerifyWebhookResult;
-interface Tenant {
-    id: string;
-    slug: string;
-    name: string;
-    plan?: string;
-    createdAt?: string;
-    updatedAt?: string;
-    [key: string]: unknown;
-}
-interface CreateTenantInput {
-    slug: string;
-    name: string;
-    plan?: string;
-}
-interface UpdateTenantInput {
-    name?: string;
-    plan?: string;
-}
-interface TenantMember {
-    id: string;
-    userId: string;
-    role: string;
-    status?: string;
-    [key: string]: unknown;
-}
-interface TenantInvitation {
-    id: string;
-    email: string;
-    role: string;
-    status: string;
-    reason?: string;
-    [key: string]: unknown;
-}
-interface InviteTenantMemberInput {
-    email: string;
-    role: string;
-    reason?: string;
-}
-interface BulkInviteResult {
-    accepted: TenantInvitation[];
-    rejected: Array<{
-        email: string;
-        reason: string;
-        message?: string;
-    }>;
-}
-interface EmailDomain {
-    domain: string;
-    verified?: boolean;
-    [key: string]: unknown;
-}
-interface TenantIconUploadResult {
-    uploadUrl: string;
-    getUrl: string;
-    expiresAt?: string;
-}
-declare class TenantsClient {
-    private readonly http;
-    constructor(http: HttpClient);
-    scoped(tenantIdOrSlug: string): TenantScopedTenantsClient;
-    create(input: CreateTenantInput, opts?: RequestOptions): Promise<Tenant>;
-    list(opts?: PageRequestOptions): Promise<PaginatedList<Tenant>>;
-    get(tenantIdOrSlug: string, opts?: RequestOptions): Promise<Tenant>;
-    update(tenantIdOrSlug: string, patch: UpdateTenantInput, opts?: RequestOptions): Promise<Tenant>;
-    delete(tenantIdOrSlug: string, opts?: RequestOptions): Promise<void>;
-    signIconUploadURL(tenantIdOrSlug: string, input: {
-        contentType: string;
-    }, opts?: RequestOptions): Promise<TenantIconUploadResult>;
-    get members(): TenantMembersClient;
-    get invitations(): TenantInvitationsClient;
-    get emailDomains(): TenantEmailDomainsClient;
-}
-declare class TenantScopedTenantsClient {
-    readonly members: TenantMembersForTenantClient;
-    readonly invitations: TenantInvitationsForTenantClient;
-    readonly emailDomains: TenantEmailDomainsForTenantClient;
-    constructor(http: HttpClient, tenantIdOrSlug: string);
-}
-declare class TenantMembersClient {
-    private readonly http;
-    constructor(http: HttpClient);
-    forTenant(tenantIdOrSlug: string): TenantMembersForTenantClient;
-}
-declare class TenantMembersForTenantClient {
-    private readonly http;
-    private readonly tenant;
-    constructor(http: HttpClient, tenant: string);
-    list(opts?: PageRequestOptions): Promise<PaginatedList<TenantMember>>;
-    update(membershipId: string, patch: {
-        role?: string;
-    }, opts?: RequestOptions): Promise<void>;
-    deactivate(membershipId: string, opts?: RequestOptions): Promise<void>;
-    reactivate(membershipId: string, opts?: RequestOptions): Promise<void>;
-}
-declare class TenantInvitationsClient {
-    private readonly http;
-    constructor(http: HttpClient);
-    forTenant(tenantIdOrSlug: string): TenantInvitationsForTenantClient;
-}
-declare class TenantInvitationsForTenantClient {
-    private readonly http;
-    private readonly tenant;
-    constructor(http: HttpClient, tenant: string);
-    list(opts?: PageRequestOptions): Promise<PaginatedList<TenantInvitation>>;
-    create(input: InviteTenantMemberInput, opts?: RequestOptions): Promise<TenantInvitation>;
-    bulkCreate(inputs: InviteTenantMemberInput[], opts?: RequestOptions): Promise<BulkInviteResult>;
-    delete(invitationId: string, opts?: RequestOptions): Promise<void>;
-}
-declare class TenantEmailDomainsClient {
-    private readonly http;
-    constructor(http: HttpClient);
-    forTenant(tenantIdOrSlug: string): TenantEmailDomainsForTenantClient;
+interface RequestOptions {
+    signal?: AbortSignal;
+    timeoutMs?: number;
+    idempotencyKey?: string | false;
 }
-declare class TenantEmailDomainsForTenantClient {
-    private readonly http;
-    private readonly tenant;
-    constructor(http: HttpClient, tenant: string);
-    list(opts?: RequestOptions): Promise<EmailDomain[]>;
-    create(input: {
-        domain: string;
-    }, opts?: RequestOptions): Promise<EmailDomain>;
-    delete(domain: string, opts?: RequestOptions): Promise<void>;
+interface PageRequestOptions extends ListOptions, RequestOptions {
 }
 interface EnvVar {
@@ -675,16 +490,18 @@ declare class AppsEnvVarsMixin {
     listEnvVars(appId: string): Promise<EnvVar[]>;
     /**
      * Create or overwrite an env var. Key must match `^[A-Z_][A-Z0-9_]*$` —
-     * validation happens client-side before any network round-trip.
+     * validation happens client-side before any network round-trip. `stage`
+     * scopes the value to a deploy stage (wire: `stage`); omit for the default.
      *
      * @example happy
      *   await sdk.apps.setEnvVar('app_abc', 'DATABASE_URL', 'postgres://...')
+     *   await sdk.apps.setEnvVar('app_abc', 'API_KEY', 'k', 'production')
      *
      * @example failure
      *   try { await sdk.apps.setEnvVar('app_abc', 'database url', 'x') }
      *   catch (e) { if (e instanceof ValidationError) /* fix key *\/ }
      */
-    setEnvVar(appId: string, key: string, value: string): Promise<void>;
+    setEnvVar(appId: string, key: string, value: string, stage?: string): Promise<void>;
     /**
      * Fetch a single env var by key.
      *
@@ -707,6 +524,121 @@ declare class AppsEnvVarsMixin {
     deleteEnvVar(appId: string, key: string): Promise<void>;
 }
+interface FieldAvailability {
+    available: boolean;
+    /** Set when `available` is false: `invalid` | `reserved` | `taken`. */
+    reason?: string;
+}
+interface AppAvailability {
+    slug?: FieldAvailability;
+    subdomain?: FieldAvailability;
+}
+interface CheckAvailabilityInput {
+    slug?: string;
+    subdomain?: string;
+}
+interface IconPreCreateInput {
+    /** MIME type of the asset, e.g. `image/png`. */
+    contentType: string;
+    /** Slug of the app-to-be; becomes the object key suffix. Must match the slug used at create. */
+    slug: string;
+    /** Icon variant. Defaults to `light`. */
+    variant?: 'light' | 'dark';
+}
+interface IconPreCreateResult {
+    /** Presigned PUT URL the caller uploads the binary to. Single-use, ~5 min. */
+    uploadUrl: string;
+    /** Public GET URL to set as `iconUrl`/`iconDarkUrl` on the subsequent create. */
+    getUrl: string;
+    expiresAt?: string;
+}
+declare class AppsAvailabilityMixin {
+    private readonly http;
+    private readonly defaultTenantId?;
+    constructor(http: HttpClient, defaultTenantId?: string | undefined);
+    private requireTenantId;
+    /**
+     * Check whether an app `slug` and/or `subdomain` is available before
+     * creating (member-gated). Tenant-scoped: requires `defaultTenantId`. Each
+     * returned field is present only when its input was supplied.
+     *
+     * @example happy
+     *   const a = await sdk.apps.checkAvailability({ slug: 'my-app', subdomain: 'my' })
+     *   if (a.slug?.available && a.subdomain?.available) /* safe to create *\/
+     *
+     * @example failure
+     *   try { await sdk.apps.checkAvailability({ slug: 'x' }) }
+     *   catch (e) { if (e instanceof TenantIdRequiredError) /* set defaultTenantId *\/ }
+     */
+    checkAvailability(input: CheckAvailabilityInput): Promise<AppAvailability>;
+    /**
+     * Get a presigned PUT URL for an app icon BEFORE the app is created
+     * (member-gated). Tenant-scoped: requires `defaultTenantId`. Use the
+     * returned `getUrl` as `iconUrl` (or `iconDarkUrl` for `variant: 'dark'`)
+     * when calling `apps.create`. Distinct from `apps.signIconUploadURL`, which
+     * targets an existing app.
+     *
+     * @example happy
+     *   const { uploadUrl, getUrl } = await sdk.apps.iconPreCreateUrl({ contentType: 'image/png', slug: 'my-app' })
+     *   await fetch(uploadUrl, { method: 'PUT', body: imageBlob, headers: { 'Content-Type': 'image/png' } })
+     *   await sdk.apps.create({ slug: 'my-app', name: 'My App', iconUrl: getUrl })
+     *
+     * @example failure
+     *   try { await sdk.apps.iconPreCreateUrl({ contentType: 'application/zip', slug: 'my-app' }) }
+     *   catch (e) { if (e instanceof NotAllowedError) /* unsupported MIME *\/ }
+     */
+    iconPreCreateUrl(input: IconPreCreateInput): Promise<IconPreCreateResult>;
+}
+/**
+ * Resolves a tenant slug to its UUID for the apps control-ring
+ * (`/api/v1/tenants/{UUID}/apps`). A UUID passes through unchanged (no network
+ * call); a slug is mapped to its UUID via the caller's own memberships
+ * (`GET /api/v1/me` → `tenants[]`).
+ *
+ * The slug→UUID map is cached per resolver instance. One resolver is owned by
+ * the root {@link AxHubClient} and shared with `withTenant`-derived clients via
+ * the internal options, so a client tree fires `/me` at most once per distinct
+ * slug regardless of how many `sdk.apps` / `sdk.tenant(slug).apps` calls run.
+ */
+declare class TenantResolver {
+    private readonly me;
+    private readonly cache;
+    constructor(http: HttpClient);
+    /**
+     * Returns the tenant UUID for `slugOrUuid`. A UUID is returned as-is (fast
+     * path, no `/me`). A slug is looked up in the caller's memberships, caching
+     * the result. Throws {@link TenantIdRequiredError} if the slug is not among
+     * the caller's tenants (the `/me` call itself succeeded — the slug is simply
+     * not a membership — so this is an SDK-self "couldn't resolve a tenant UUID"
+     * error, not a backend 404).
+     */
+    resolveTenantId(slugOrUuid: string, opts?: RequestOptions): Promise<string>;
+}
+type AppStatus = 'draft' | 'deployed' | 'archived' | 'active' | 'deleted' | 'permanently_deleted' | (string & {});
+type AppVisibility = 'private' | 'tenant' | 'public' | 'invite_only' | (string & {});
+type AppPublicationStatus = 'draft' | 'pending_review' | 'approved' | (string & {});
+type AppReviewStatus = 'not_submitted' | 'pending' | 'approved' | 'rejected' | (string & {});
+interface AppResponseCategory {
+    id: string;
+    tenantId?: string;
+    slug: string;
+    name: string;
+    description?: string;
+    color?: string;
+    iconUrl?: string;
+    displayOrder?: number;
+    appsCount?: number;
+    discoverableAppsCount?: number;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface AppResponseOwner {
+    id: string;
+    name?: string;
+    avatarUrl?: string;
+}
 interface AppResponse {
     id: string;
     tenantId: string;
@@ -715,35 +647,113 @@ interface AppResponse {
     name: string;
     description?: string;
     iconUrl?: string;
+    iconDarkUrl?: string;
     schemaName: string;
-    status: 'active' | 'deleted' | 'permanently_deleted';
-    visibility: 'private' | 'tenant' | 'public';
-    publicationStatus: 'draft' | 'pending_review' | 'approved';
+    status: AppStatus;
+    visibility: AppVisibility;
+    publicationStatus: AppPublicationStatus;
+    reviewStatus?: AppReviewStatus;
+    authMode?: string;
+    dataScopes?: string[];
+    deployMethod?: string;
+    resourceTier?: string;
+    subdomain?: string;
+    accessUrl?: string | null;
+    lastDeploymentStatus?: string | null;
+    operatingStatus?: string;
+    suspendedAt?: string | null;
+    resumedAt?: string | null;
+    categoryId?: string;
+    category?: AppResponseCategory;
+    owner?: AppResponseOwner;
     likeCount: number;
     subscriberCount: number;
+    callsCount?: number;
+    sharedTablesCount?: number;
     createdAt: string;
     updatedAt: string;
     deletedAt: string | null;
 }
+type AppSort = '-created_at' | '-like_count' | '-subscriber_count' | 'name';
+/**
+ * Filter/sort/page params for the tenant-scoped apps list
+ * (`GET /api/v1/tenants/{tenantID}/apps`). The `*In` fields accept an array and
+ * serialize to the comma-separated string the backend expects. Filtering is
+ * only honored on the tenant-scoped path. A tenant UUID (directly configured
+ * or resolved from the default tenant slug) is required; callers who want the
+ * self/workspace feed should use `sdk.apps.listMine()`.
+ */
+interface ListAppsOptions extends ListOptions {
+    /** Free-text search. Wire: `q`. */
+    q?: string;
+    /** Wire: `category_id`. */
+    categoryId?: string;
+    /** Wire: `status`. */
+    status?: string;
+    /** CSV on the wire. Wire: `status_in`. */
+    statusIn?: string[];
+    /** Wire: `review_status`. */
+    reviewStatus?: string;
+    /** CSV on the wire. Wire: `review_status_in`. */
+    reviewStatusIn?: string[];
+    /** Wire: `operating_status`. */
+    operatingStatus?: string;
+    /** CSV on the wire. Wire: `operating_status_in`. */
+    operatingStatusIn?: string[];
+    /** Wire: `sort`. */
+    sort?: AppSort;
+    /** 1-based page number. Wire: `page`. */
+    page?: number;
+    /** Page size for offset pagination. Wire: `per_page`. */
+    perPage?: number;
+}
 interface CreateAppInput {
     slug: string;
     name: string;
     description?: string;
     iconUrl?: string;
+    /** Dark-mode icon. Wire: `icon_dark_url`. */
+    iconDarkUrl?: string;
     visibility?: 'private' | 'tenant' | 'public';
+    /** Wire: `auth_mode`. */
+    authMode?: string;
+    /** Wire: `data_scopes`. */
+    dataScopes?: string[];
+    /** Wire: `deploy_method`. */
+    deployMethod?: string;
+    /** Wire: `resource_tier`. */
+    resourceTier?: string;
+    /** Wire: `subdomain`. */
+    subdomain?: string;
 }
 interface UpdateAppInput {
     name?: string;
     description?: string;
     iconUrl?: string;
+    /** Dark-mode icon. Wire: `icon_dark_url`. */
+    iconDarkUrl?: string;
     visibility?: 'private' | 'tenant' | 'public';
+    /** Wire: `auth_mode`. */
+    authMode?: string;
+    /** Wire: `data_scopes`. */
+    dataScopes?: string[];
+    /** Wire: `deploy_method`. */
+    deployMethod?: string;
+    /** Wire: `resource_tier`. */
+    resourceTier?: string;
+    /** Wire: `subdomain`. */
+    subdomain?: string;
+    /** Clear the app's subdomain. Wire: `clear_subdomain`. */
+    clearSubdomain?: boolean;
 }
 declare class AppsCrudMixin {
     private readonly http;
     private readonly defaultTenantSlug?;
     private readonly defaultTenantId?;
-    constructor(http: HttpClient, defaultTenantSlug?: string | undefined, defaultTenantId?: string | undefined);
-    private withTenantQuery;
+    private readonly tenantResolver?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined, defaultTenantId?: string | undefined, tenantResolver?: TenantResolver | undefined);
+    private resolveTenantId;
     /**
      * Create a new app in the caller's tenant.
      *
@@ -769,7 +779,7 @@ declare class AppsCrudMixin {
      *   try { await sdk.apps.list() }
      *   catch (e) { if (e instanceof PermissionDeniedError) /* request grant *\/ }
      */
-    list(opts?: ListOptions): Promise<PaginatedList<AppResponse>>;
+    list(opts?: ListAppsOptions): Promise<PaginatedList<AppResponse>>;
     /**
      * Iterate every app across all pages. Yields each item; emits a
      * `{type:'drift', addedSince:N}` item if backend's total grows mid-scan.
@@ -952,19 +962,11 @@ interface AppCategory {
     description?: string;
     [key: string]: unknown;
 }
-interface CreateCategoryInput {
-    slug: string;
-    name: string;
-    description?: string;
-}
 declare class AppsCategoriesMixin {
     private readonly http;
     constructor(http: HttpClient);
     list(tenantIdOrSlug: string, opts?: PageRequestOptions): Promise<PaginatedList<AppCategory>>;
-    create(tenantIdOrSlug: string, input: CreateCategoryInput, opts?: RequestOptions): Promise<AppCategory>;
     get(tenantIdOrSlug: string, categoryId: string, opts?: RequestOptions): Promise<AppCategory>;
-    update(tenantIdOrSlug: string, categoryId: string, patch: Partial<CreateCategoryInput>, opts?: RequestOptions): Promise<AppCategory>;
-    delete(tenantIdOrSlug: string, categoryId: string, opts?: RequestOptions): Promise<void>;
 }
 interface Comment {
@@ -1035,11 +1037,50 @@ interface DiscoverAppsOptions extends PageRequestOptions {
     sort?: 'newest' | 'likes' | 'subscribers' | 'name';
     visibility?: 'private' | 'tenant' | 'public';
 }
+interface DiscoverFeedOptions {
+    q?: string;
+    category?: string;
+    sort?: string;
+    /** Only apps created within the last N days. */
+    createdWithinDays?: number;
+    /** 1-based page number. */
+    page?: number;
+    /** Apps per page. */
+    perPage?: number;
+}
 declare class AppsDiscoverMixin {
     private readonly http;
     private readonly defaultTenantSlug?;
-    constructor(http: HttpClient, defaultTenantSlug?: string | undefined);
+    private readonly defaultTenantId?;
+    constructor(http: HttpClient, defaultTenantSlug?: string | undefined, defaultTenantId?: string | undefined);
     search(opts?: DiscoverAppsOptions): Promise<PaginatedList<AppResponse>>;
+    private feedQuery;
+    /**
+     * Global curated discovery feed across all tenants the caller can see
+     * (auth-only). Offset-paginated. Distinct from {@link search} (catalog
+     * alias) — this is `GET /api/v1/apps/discover`.
+     *
+     * @example happy
+     *   const page = await sdk.apps.discoverGlobal({ sort: 'newest', perPage: 20 })
+     *   for (const a of page.items) console.log(a.slug)
+     */
+    discoverGlobal(opts?: DiscoverFeedOptions): Promise<PaginatedList<AppResponse>>;
+    /**
+     * Tenant-scoped discovery feed (member-gated). Requires a tenant UUID — set
+     * `defaultTenantId` on the client. Backend route
+     * `GET /api/v1/tenants/{tenantID}/discover/apps` parses `{tenantID}` as a
+     * UUID; without it this throws `TenantIdRequiredError` before any request.
+     *
+     * @example happy
+     *   const page = await sdk.apps.discoverTenant({ sort: 'likes' })
+     *   for (const a of page.items) console.log(a.slug)
+     *
+     * @example failure
+     *   // No defaultTenantId set:
+     *   try { await sdk.apps.discoverTenant() }
+     *   catch (e) { if (e instanceof TenantIdRequiredError) /* set defaultTenantId *\/ }
+     */
+    discoverTenant(opts?: DiscoverFeedOptions): Promise<PaginatedList<AppResponse>>;
 }
 interface GitConnection {
@@ -1117,6 +1158,85 @@ declare class AppsGitMixin {
     installStart(appId: string, input?: InstallStartInput): Promise<GithubInstallStart>;
 }
+interface AppInvitation {
+    id: string;
+    appId: string;
+    userId: string;
+    allowedScopes: string[];
+    grantedAt: string;
+    createdAt: string;
+}
+interface InviteUserInput {
+    /** UUID of the target user. Must be an active member of the same tenant. */
+    userId: string;
+}
+declare class AppsInvitationsMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Invite a tenant member to an app (owner only). `userId` must be a UUID of
+     * an active member of the same tenant; cross-tenant invites are rejected
+     * (403). Inviting an existing member returns 409.
+     *
+     * @example happy
+     *   const inv = await sdk.apps.invitations.create('app_abc', { userId: '66666666-7777-8888-9999-aaaaaaaaaaaa' })
+     *   console.log(inv.userId, inv.allowedScopes)
+     *
+     * @example failure
+     *   try { await sdk.apps.invitations.create('app_abc', { userId: 'usr_dup' }) }
+     *   catch (e) {
+     *     if (e instanceof AlreadyMemberError) /* already invited *\/
+     *     if (e instanceof PermissionDeniedError) /* cross-tenant / not owner *\/
+     *   }
+     */
+    create(appId: string, input: InviteUserInput): Promise<AppInvitation>;
+    /**
+     * Revoke an app invitation by user UUID (owner only). Idempotent at the
+     * transport level — backend returns 204 on success.
+     *
+     * @example happy
+     *   await sdk.apps.invitations.delete('app_abc', '66666666-7777-8888-9999-aaaaaaaaaaaa')
+     *
+     * @example failure
+     *   try { await sdk.apps.invitations.delete('app_abc', 'usr_missing') }
+     *   catch (e) { if (e instanceof NotFoundError) /* no such invitation *\/ }
+     */
+    delete(appId: string, userId: string): Promise<void>;
+}
+declare class AppsLifecycleMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Suspend an app (owner only). The app's dataapi stops serving traffic until
+     * resumed. Suspending an already-suspended app returns 409
+     * (`already_suspended`).
+     *
+     * @example happy
+     *   const app = await sdk.apps.suspend('app_abc')
+     *   console.log(app.status)
+     *
+     * @example failure
+     *   try { await sdk.apps.suspend('app_abc') }
+     *   catch (e) { if (e instanceof ConflictError) /* already suspended *\/ }
+     */
+    suspend(appId: string): Promise<AppResponse>;
+    /**
+     * Resume a suspended app (owner only). Resuming an app that is not suspended
+     * returns 409 (`not_suspended`); an app that cannot be reactivated returns
+     * 409 (`cannot_reactivate`).
+     *
+     * @example happy
+     *   const app = await sdk.apps.resume('app_abc')
+     *   console.log(app.status)
+     *
+     * @example failure
+     *   try { await sdk.apps.resume('app_abc') }
+     *   catch (e) { if (e instanceof ConflictError) /* not suspended / cannot reactivate *\/ }
+     */
+    resume(appId: string): Promise<AppResponse>;
+}
 interface LikeResult {
     inserted: boolean;
 }
@@ -1126,33 +1246,87 @@ interface UnlikeResult {
 interface LikeStatus {
     liked: boolean;
 }
-declare class AppsLikesMixin {
+declare class AppsLikesMixin {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Like an app. Idempotent — second call returns `{ inserted: false }`. The
+     * app's denormalized `likeCount` is updated server-side only when
+     * `inserted = true`.
+     *
+     * @example happy
+     *   const { inserted } = await sdk.apps.likes.like('app_abc')
+     *   if (inserted) console.log('first time like')
+     */
+    like(appId: string): Promise<LikeResult>;
+    /**
+     * Unlike an app. Idempotent — second call returns `{ deleted: false }`.
+     *
+     * @example happy
+     *   const { deleted } = await sdk.apps.likes.unlike('app_abc')
+     */
+    unlike(appId: string): Promise<UnlikeResult>;
+    /**
+     * Check if caller has liked the app.
+     *
+     * @example happy
+     *   const { liked } = await sdk.apps.likes.me('app_abc')
+     */
+    me(appId: string): Promise<LikeStatus>;
+}
+interface AppMember {
+    id: string;
+    appId: string;
+    userId: string;
+    email?: string;
+    allowedScopes: string[];
+    grantedAt: string;
+    grantedById?: string;
+}
+interface ListMembersOptions extends RequestOptions {
+    /** 1-based page number. */
+    page?: number;
+    /** Members per page. */
+    perPage?: number;
+}
+declare class AppsMembersMixin {
     private readonly http;
     constructor(http: HttpClient);
     /**
-     * Like an app. Idempotent — second call returns `{ inserted: false }`. The
-     * app's denormalized `likeCount` is updated server-side only when
-     * `inserted = true`.
+     * List members of an app (any member of the app can read). Offset-paginated.
      *
      * @example happy
-     *   const { inserted } = await sdk.apps.likes.like('app_abc')
-     *   if (inserted) console.log('first time like')
+     *   const page = await sdk.apps.members.list('app_abc', { page: 1, perPage: 50 })
+     *   for (const m of page.items) console.log(m.userId, m.email, m.allowedScopes)
+     *
+     * @example failure
+     *   try { await sdk.apps.members.list('app_abc') }
+     *   catch (e) { if (e instanceof PermissionDeniedError) /* not a member *\/ }
      */
-    like(appId: string): Promise<LikeResult>;
+    list(appId: string, opts?: ListMembersOptions): Promise<PaginatedList<AppMember>>;
+}
+declare class AppsMeMixin {
+    private readonly http;
+    constructor(http: HttpClient);
     /**
-     * Unlike an app. Idempotent — second call returns `{ deleted: false }`.
+     * List apps the caller owns. Self-scoped via the auth principal.
      *
      * @example happy
-     *   const { deleted } = await sdk.apps.likes.unlike('app_abc')
+     *   const page = await sdk.apps.me.owned()
+     *   for (const a of page.items) console.log(a.slug)
      */
-    unlike(appId: string): Promise<UnlikeResult>;
+    owned(opts?: RequestOptions): Promise<PaginatedList<AppResponse>>;
     /**
-     * Check if caller has liked the app.
+     * List apps shared with (received by) the caller. Self-scoped via the auth
+     * principal.
      *
      * @example happy
-     *   const { liked } = await sdk.apps.likes.me('app_abc')
+     *   const page = await sdk.apps.me.received()
+     *   for (const a of page.items) console.log(a.slug)
      */
-    me(appId: string): Promise<LikeStatus>;
+    received(opts?: RequestOptions): Promise<PaginatedList<AppResponse>>;
 }
 interface OAuthClient {
@@ -1181,6 +1355,11 @@ interface CreateOAuthClientInput {
     type?: 'public' | 'confidential';
     tokenEndpointAuthMethod?: 'client_secret_basic' | 'client_secret_post' | 'none';
     allowedGrantTypes?: string[];
+    /**
+     * RFC 8707 audience whitelist. Tokens issued to this client may only target
+     * `resource` values in this list. Maps to wire `allowed_resources`.
+     */
+    allowedResources?: string[];
 }
 declare class AppsOAuthClientsMixin {
     private readonly http;
@@ -1321,6 +1500,8 @@ interface CreateTableInput {
     name: string;
     ownerColumn: string;
     columns: TableColumn[];
+    /** Optional human-readable table description. Wire: `description`. */
+    description?: string;
 }
 interface AddColumnInput {
     name: string;
@@ -1333,6 +1514,39 @@ interface AddGrantInput {
     principalId: string;
     scopes: GrantScope[];
 }
+interface TableAvailability {
+    available: boolean;
+    /** `ok` | `invalid_format` | `taken`. */
+    reason: string;
+}
+interface ColumnTypeOption {
+    /** API value to send (e.g. `text`). */
+    value: string;
+    /** Display label. */
+    label: string;
+}
+interface TableRowColumn {
+    name: string;
+    type: string;
+    nullable: boolean;
+}
+interface TableRowsMeta {
+    page: number;
+    perPage: number;
+    total: number;
+    totalPages: number;
+}
+interface TableRowsPage {
+    columns: TableRowColumn[];
+    rows: Array<Record<string, unknown>>;
+    meta: TableRowsMeta;
+}
+interface BrowseRowsOptions extends RequestOptions {
+    /** 1-based page number. */
+    page?: number;
+    /** Rows per page. */
+    perPage?: number;
+}
 declare class AppsTablesMixin {
     private readonly http;
     constructor(http: HttpClient);
@@ -1432,6 +1646,38 @@ declare class AppsTablesMixin {
      *   console.log(schema.indexes.map((i) => i.name))
      */
     inspect(appId: string, tableName: string): Promise<TableSchema>;
+    /**
+     * Check whether a table name is available before creating it (member-gated).
+     * Validates name format client-side first.
+     *
+     * @example happy
+     *   const a = await sdk.apps.tables.checkAvailability('app_abc', 'orders')
+     *   if (a.available) /* safe to create *\/ else console.log(a.reason)
+     */
+    checkAvailability(appId: string, tableName: string): Promise<TableAvailability>;
+    /**
+     * List the supported column types for table-builder UIs (member-gated).
+     *
+     * @example happy
+     *   const types = await sdk.apps.tables.columnTypes('app_abc')
+     *   for (const t of types) console.log(t.value, t.label)
+     */
+    columnTypes(appId: string): Promise<ColumnTypeOption[]>;
+    /**
+     * Browse rows of a dynamic table (owner-gated admin view — owner_column is
+     * ignored, all rows returned). Offset-paginated. For app-data access use the
+     * data ring (`sdk.data.table(...)`) instead.
+     *
+     * @example happy
+     *   const page = await sdk.apps.tables.browseRows('app_abc', 'orders', { page: 1, perPage: 50 })
+     *   console.log(page.meta.totalPages, page.columns.map((c) => c.name))
+     *   for (const row of page.rows) console.log(row)
+     *
+     * @example failure
+     *   try { await sdk.apps.tables.browseRows('app_abc', 'missing') }
+     *   catch (e) { if (e instanceof NotFoundError) /* no such table *\/ }
+     */
+    browseRows(appId: string, tableName: string, opts?: BrowseRowsOptions): Promise<TableRowsPage>;
 }
 interface AppTemplate {
@@ -1450,9 +1696,14 @@ declare class AppsTemplatesMixin {
 declare class AppsClient {
     private readonly crud;
+    private readonly lifecycle;
+    private readonly availability;
     private readonly envVars;
     readonly publication: AppsPublicationMixin;
     readonly access: AppsAccessMixin;
+    readonly invitations: AppsInvitationsMixin;
+    readonly members: AppsMembersMixin;
+    readonly me: AppsMeMixin;
     readonly categories: AppsCategoriesMixin;
     readonly discover: AppsDiscoverMixin;
     readonly likes: AppsLikesMixin;
@@ -1461,7 +1712,7 @@ declare class AppsClient {
     readonly git: AppsGitMixin;
     readonly tables: AppsTablesMixin;
     readonly templates: AppsTemplatesMixin;
-    constructor(http: HttpClient, defaultTenantSlug?: string, defaultTenantId?: string);
+    constructor(http: HttpClient, defaultTenantSlug?: string, defaultTenantId?: string, tenantResolver?: TenantResolver);
     create: (...args: Parameters<AppsCrudMixin["create"]>) => Promise<AppResponse>;
     list: (...args: Parameters<AppsCrudMixin["list"]>) => Promise<PaginatedList<AppResponse>>;
     listAll: (...args: Parameters<AppsCrudMixin["listAll"]>) => AsyncGenerator<ListAllItem<AppResponse>, any, any>;
@@ -1473,15 +1724,19 @@ declare class AppsClient {
     signIconDarkUploadURL: (...args: Parameters<AppsCrudMixin["signIconDarkUploadURL"]>) => Promise<SignIconUploadResult>;
     /**
      * List apps the caller has been granted access to (not necessarily owned).
-     * Wraps `GET /users/me/apps`. Distinct from {@link list} which returns all
-     * apps in the resolved tenant; `listMine` is per-user scoped via the auth
-     * principal in the token.
+     * Wraps `GET /api/v1/me/apps/workspace`. Distinct from {@link list} which
+     * returns all apps in the resolved tenant; `listMine` is per-user scoped via
+     * the auth principal in the token.
      *
      * @example happy
      *   const accessible = await sdk.apps.listMine()
      *   for (const a of accessible) console.log(a.slug)
      */
     listMine: (...args: Parameters<AppsCrudMixin["listMine"]>) => Promise<AppResponse[]>;
+    suspend: (...args: Parameters<AppsLifecycleMixin["suspend"]>) => Promise<AppResponse>;
+    resume: (...args: Parameters<AppsLifecycleMixin["resume"]>) => Promise<AppResponse>;
+    checkAvailability: (...args: Parameters<AppsAvailabilityMixin["checkAvailability"]>) => Promise<AppAvailability>;
+    iconPreCreateUrl: (...args: Parameters<AppsAvailabilityMixin["iconPreCreateUrl"]>) => Promise<IconPreCreateResult>;
     listEnvVars: (...args: Parameters<AppsEnvVarsMixin["listEnvVars"]>) => Promise<EnvVar[]>;
     setEnvVar: (...args: Parameters<AppsEnvVarsMixin["setEnvVar"]>) => Promise<void>;
     getEnvVar: (...args: Parameters<AppsEnvVarsMixin["getEnvVar"]>) => Promise<EnvVar>;
@@ -1734,17 +1989,15 @@ declare class TenantScopedClient {
     readonly slug: string;
     private readonly root;
     readonly apps: TenantScopedAppsClient;
-    constructor(slug: string, scopedRoot: AxHubClient, root: AxHubClient);
-    get tenants(): TenantScopedTenantsClient;
-    get authz(): TenantAuthzClient;
-    get audit(): TenantAuditClient;
+    constructor(slug: string, scopedRoot: AxHubClient, root: AxHubClient, tenantResolver: TenantResolver);
     get gateway(): TenantGatewayClient;
     app(appSlug: string): AppScopedClient;
 }
 declare class TenantScopedAppsClient {
     private readonly tenantSlug;
     private readonly http;
-    constructor(tenantSlug: string, http: HttpClient);
+    private readonly tenantResolver;
+    constructor(tenantSlug: string, http: HttpClient, tenantResolver: TenantResolver);
     create(input: CreateAppInput, opts?: RequestOptions): Promise<AppResponse>;
     list(opts?: PageRequestOptions): Promise<PaginatedList<AppResponse>>;
     listAll(opts?: PageRequestOptions): AsyncGenerator<ListAllItem<AppResponse>>;
@@ -1806,9 +2059,92 @@ interface CreateDeploymentInput {
     /** Force a rebuild even if this commit already has a built image (dependency / base-image refresh). */
     forceRebuild?: boolean;
 }
+interface LogLine {
+    /** RFC3339 timestamp the line was emitted. */
+    ts: string;
+    /** Container that produced the line (compose multi-service). */
+    container: string;
+    /** One stdout/stderr line (JSON string if structured). */
+    message: string;
+    /** Unique key for de-duplication. */
+    insertId: string;
+}
+interface LogsPage {
+    lines: LogLine[];
+    /** Pass back as `cursor` to continue; empty string means end. */
+    nextCursor: string;
+    hasMore: boolean;
+}
+interface FetchLogsOptions {
+    /** `forward` (newer) or `backward` (older). */
+    direction?: 'forward' | 'backward';
+    /** Opaque cursor from a prior `nextCursor`. */
+    cursor?: string;
+    /** RFC3339 lower bound. */
+    since?: string;
+    /** RFC3339 upper bound. */
+    until?: string;
+    /** Max lines per page. */
+    limit?: number;
+}
+interface StartBootstrapInput {
+    name: string;
+    slug: string;
+    subdomain: string;
+    templateId: string;
+    githubInstallationId: number;
+    githubOwner: string;
+    repoName: string;
+    repoPrivate?: boolean;
+}
+interface BootstrapAccepted {
+    /** Saga id to poll with `bootstrapStatus`. */
+    bootstrapId: string;
+    /** Polling endpoint path. */
+    statusUrl: string;
+}
+type BootstrapStage = 'app' | 'repo' | 'push' | 'connect' | 'deploy' | 'done';
+type BootstrapStatusValue = 'running' | 'done' | 'failed';
+interface BootstrapStatus {
+    id: string;
+    stage: string;
+    status: string;
+    appId?: string;
+    deploymentId?: string;
+    repoFullName?: string;
+    errorCode?: string;
+    errorMessage?: string;
+}
+interface GithubAccount {
+    login: string;
+    type: string;
+    installed: boolean;
+    installationId?: number;
+    avatarUrl?: string;
+    installUrl?: string;
+}
+interface GithubRepo {
+    id: number;
+    name: string;
+    fullName: string;
+    private: boolean;
+    defaultBranch: string;
+}
+interface GithubReposPage {
+    repositories: GithubRepo[];
+    /** Total repos before pagination. */
+    totalCount: number;
+}
+interface ListReposOptions {
+    /** 1-based page number. */
+    page?: number;
+    /** Repos per page. */
+    perPage?: number;
+}
 declare class DeploymentsClient {
     private readonly http;
-    constructor(http: HttpClient);
+    private readonly defaultTenantId?;
+    constructor(http: HttpClient, defaultTenantId?: string | undefined);
     /**
      * Trigger a new deployment. Returns immediately with the deployment row
      * in `pending` or `building` state; poll `get()` to observe progression.
@@ -1866,24 +2202,77 @@ declare class DeploymentsClient {
      *   }
      */
     rollback(appId: string, did: string): Promise<void>;
+    /**
+     * Fetch runtime logs for an app's running containers (owner-gated). Cursor
+     * paginated: pass the returned `nextCursor` back to continue. `forward`
+     * fetches newer lines (poll loop); `backward` fetches older history.
+     *
+     * @example happy
+     *   let page = await sdk.deployments.logs('app_abc', { direction: 'backward', limit: 100 })
+     *   for (const l of page.lines) console.log(l.ts, l.message)
+     *   if (page.hasMore) page = await sdk.deployments.logs('app_abc', { cursor: page.nextCursor })
+     *
+     * @example failure
+     *   try { await sdk.deployments.logs('app_abc') }
+     *   catch (e) { if (e instanceof UnavailableError) /* log backend down (503) *\/ }
+     */
+    logs(appId: string, opts?: FetchLogsOptions): Promise<LogsPage>;
+    private requireTenantId;
+    /**
+     * Start an app-bootstrap saga (member-gated): create a GitHub repo from a
+     * template, connect it, and deploy in one async flow. Returns immediately
+     * (202) with a `bootstrapId` — poll `bootstrapStatus` to observe progress.
+     * Tenant-scoped: requires `defaultTenantId`.
+     *
+     * @example happy
+     *   const { bootstrapId } = await sdk.deployments.startBootstrap({
+     *     name: 'My Todo', slug: 'my-todo', subdomain: 'todo',
+     *     templateId: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+     *     githubInstallationId: 12345678, githubOwner: 'ksro0128', repoName: 'my-todo-frontend',
+     *   })
+     *
+     * @example failure
+     *   try { await sdk.deployments.startBootstrap({ ...input }) }
+     *   catch (e) { if (e instanceof TenantIdRequiredError) /* set defaultTenantId *\/ }
+     */
+    startBootstrap(input: StartBootstrapInput): Promise<BootstrapAccepted>;
+    /**
+     * Poll the status of an app-bootstrap saga (member-gated). Tenant-scoped:
+     * requires `defaultTenantId`. `status` is `running` | `done` | `failed`;
+     * `stage` walks `app → repo → push → connect → deploy → done`.
+     *
+     * @example happy
+     *   const st = await sdk.deployments.bootstrapStatus('bs_a1b2c3d4')
+     *   if (st.status === 'done') console.log(st.appId, st.deploymentId)
+     *   else if (st.status === 'failed') console.error(st.errorCode, st.errorMessage)
+     */
+    bootstrapStatus(bootstrapId: string): Promise<BootstrapStatus>;
+    /**
+     * List GitHub accounts (user + orgs) visible to the caller and whether the
+     * axhub GitHub App is installed on each (auth-only). Use the
+     * `installationId` of an installed account to list its repos.
+     *
+     * @example happy
+     *   const accounts = await sdk.deployments.githubAccounts()
+     *   for (const a of accounts) console.log(a.login, a.installed, a.installationId)
+     *
+     * @example failure
+     *   try { await sdk.deployments.githubAccounts() }
+     *   catch (e) { if (e instanceof PreconditionFailedError) /* GitHub link required (428) *\/ }
+     */
+    githubAccounts(): Promise<GithubAccount[]>;
+    /**
+     * List repositories under a GitHub installation (auth-only). Offset
+     * paginated. Get the `installationId` from `githubAccounts`.
+     *
+     * @example happy
+     *   const page = await sdk.deployments.githubRepos(12345678, { page: 1, perPage: 30 })
+     *   console.log(page.totalCount)
+     *   for (const r of page.repositories) console.log(r.fullName, r.defaultBranch)
+     */
+    githubRepos(installationId: number, opts?: ListReposOptions): Promise<GithubReposPage>;
 }
-interface GatewayEngine {
-    name: 'postgres' | 'mysql' | string;
-    capabilities: string[];
-}
-interface GatewayConnector {
-    id: string;
-    engine: string;
-    name: string;
-    [key: string]: unknown;
-}
-interface GatewayResource {
-    id: string;
-    connectorId: string;
-    name: string;
-    [key: string]: unknown;
-}
 interface GatewayQueryInput {
     resourceId?: string;
     connectorId?: string;
@@ -2003,46 +2392,36 @@ interface InvokeResult<Row = Record<string, unknown>> {
     rowCount: number;
     matchedPolicies?: string[];
 }
+interface EngineCapability {
+    engine: string;
+    kind: string;
+    displayName: string;
+    supportedActions: string[];
+    /** Per-action allowed effects (action → effect[]). */
+    allowedEffects: Record<string, string[]>;
+}
 declare class GatewayClient {
     private readonly http;
     constructor(http: HttpClient);
     scoped(tenantSlug: string): TenantGatewayClient;
+    /**
+     * List the gateway's engine capabilities (auth-only; no tenant membership
+     * required). Each entry describes an engine + kind, its invokable actions,
+     * and the effects each action may produce. Tenant-independent.
+     *
+     * @example happy
+     *   const engines = await sdk.gateway.engines()
+     *   for (const e of engines) console.log(e.engine, e.kind, e.supportedActions)
+     */
+    engines(opts?: RequestOptions): Promise<EngineCapability[]>;
 }
 declare class TenantGatewayClient {
-    /** @adminOnly Global engine catalog. Governance read — requires tenant_admin (v0.1, SPEC 307). */
-    readonly engines: GatewayEnginesClient;
-    /** @adminOnly Connector governance (list/create/update/...). Member callers get ForbiddenError (v0.1). Members use `catalog.listConnectors()`. */
-    readonly connectors: GatewayConnectorsClient;
-    /** @adminOnly Raw resource governance. Member callers get ForbiddenError (v0.1). Members use `catalog.listResources()`. */
-    readonly resources: GatewayResourcesClient;
     /** Run a parameterized read query. Member OK. See also `catalog.invoke()`. */
     readonly query: GatewayQueryClient;
     /** Member-facing catalog: discover connectors/resources you can read + invoke. */
     readonly catalog: GatewayCatalogClient;
     constructor(http: HttpClient, tenantSlug: string);
 }
-declare class GatewayEnginesClient {
-    private readonly http;
-    private readonly base;
-    constructor(http: HttpClient, base: string);
-    list(opts?: RequestOptions): Promise<GatewayEngine[]>;
-}
-declare class GatewayCrud<T extends {
-    id: string;
-}> {
-    protected readonly http: HttpClient;
-    protected readonly base: string;
-    constructor(http: HttpClient, base: string);
-    list(opts?: RequestOptions): Promise<T[]>;
-    get(id: string, opts?: RequestOptions): Promise<T>;
-    create(input: Record<string, unknown>, opts?: RequestOptions): Promise<T>;
-    update(id: string, patch: Record<string, unknown>, opts?: RequestOptions): Promise<T>;
-    delete(id: string, opts?: RequestOptions): Promise<void>;
-}
-declare class GatewayConnectorsClient extends GatewayCrud<GatewayConnector> {
-}
-declare class GatewayResourcesClient extends GatewayCrud<GatewayResource> {
-}
 declare class GatewayQueryClient {
     private readonly http;
     private readonly base;
@@ -2065,7 +2444,6 @@ declare class GatewayQueryClient {
 }
 /**
  * Member-facing gateway catalog: connectors/resources the caller can read, plus `invoke`.
- * Distinct from the `@adminOnly` governance clients (`connectors`/`resources`/`engines`).
  */
 declare class GatewayCatalogClient {
     private readonly http;
@@ -2169,6 +2547,36 @@ interface DeviceAuthorizationResponse {
     interval: number;
     raw: Record<string, unknown>;
 }
+/**
+ * RFC 7591 Dynamic Client Registration request for an MCP client. All fields
+ * optional per the spec; the backend fills defaults. `resource`/`resources`
+ * are the RFC 8707 audiences the client may request.
+ */
+interface RegisterMcpClientInput {
+    clientName?: string;
+    clientUri?: string;
+    redirectUris?: string[];
+    grantTypes?: string[];
+    responseTypes?: string[];
+    scope?: string;
+    tokenEndpointAuthMethod?: string;
+    resource?: string;
+    resources?: string[];
+    softwareId?: string;
+    softwareVersion?: string;
+}
+/** RFC 7591 registration response. Mirrors backend `dynamicRegistrationResponse`. */
+interface RegisterMcpClientResult {
+    clientId: string;
+    clientIdIssuedAt?: number;
+    clientName?: string;
+    redirectUris?: string[];
+    grantTypes?: string[];
+    responseTypes?: string[];
+    scope?: string;
+    tokenEndpointAuthMethod?: string;
+    raw: Record<string, unknown>;
+}
 interface IdentityProvider {
     id: string;
     tenantId?: string;
@@ -2193,7 +2601,6 @@ declare class IdentityClient {
     readonly oauth: IdentityOAuthClient;
     readonly oidc: IdentityOIDCClient;
     readonly deviceCode: IdentityDeviceCodeClient;
-    readonly idp: IdentityProviderClient;
     readonly systemOAuthClients: IdentitySystemOAuthClientsClient;
     constructor(http: HttpClient, defaultTenantSlug?: string);
     /** @deprecated Use sdk.identity.pat.issue(). Kept until 1.0 RC migration. */
@@ -2223,6 +2630,10 @@ declare class IdentityOAuthClient {
     private readonly defaultTenantSlug?;
     constructor(http: HttpClient, defaultTenantSlug?: string | undefined);
     private tenantQuery;
+    /**
+     * Build the `/oauth/authorize` URL. `resource` is the RFC 8707 audience —
+     * pass the target API's identifier to bind the issued token to it.
+     */
     authorizeUrl(input: {
         clientId: string;
         redirectUri: string;
@@ -2230,6 +2641,7 @@ declare class IdentityOAuthClient {
         state?: string;
         codeChallenge?: string;
         codeChallengeMethod?: string;
+        resource?: string;
     }): string;
     exchangeCode(input: {
         code: string;
@@ -2237,11 +2649,13 @@ declare class IdentityOAuthClient {
         redirectUri: string;
         codeVerifier: string;
         clientSecret?: string;
+        resource?: string;
     }, opts?: RequestOptions): Promise<OAuthTokenResponse>;
     refreshTokens(input: {
         refreshToken: string;
         clientId?: string;
         clientSecret?: string;
+        resource?: string;
     }, opts?: RequestOptions): Promise<OAuthTokenResponse>;
     revoke(input: {
         token: string;
@@ -2249,6 +2663,25 @@ declare class IdentityOAuthClient {
         clientId?: string;
     }, opts?: RequestOptions): Promise<void>;
     userinfo(opts?: RequestOptions): Promise<Record<string, unknown>>;
+    /**
+     * RFC 7591 Dynamic Client Registration for an MCP client. This route is
+     * **unauthenticated** (`POST /oauth/register`, public ring) — no token is
+     * sent. The returned `clientId` (and any backend-issued secret in `raw`) is
+     * the registration result; persist it on the agent side.
+     *
+     * @example happy
+     *   const reg = await sdk.identity.oauth.registerMcpClient({
+     *     clientName: 'my-mcp-agent',
+     *     redirectUris: ['https://agent.example/cb'],
+     *     resource: 'https://api.example/mcp',
+     *   })
+     *   storeClientId(reg.clientId)
+     *
+     * @example failure
+     *   try { await sdk.identity.oauth.registerMcpClient({ redirectUris: ['not-a-url'] }) }
+     *   catch (e) { if (e instanceof OAuthError) /* invalid_redirect_uri / invalid_client_metadata *\/ }
+     */
+    registerMcpClient(input: RegisterMcpClientInput, opts?: RequestOptions): Promise<RegisterMcpClientResult>;
     getClient(clientId: string, opts?: RequestOptions): Promise<SystemOAuthClient>;
     revokeOwnGrant(clientId: string, opts?: RequestOptions): Promise<void>;
 }
@@ -2260,15 +2693,63 @@ declare class IdentityOIDCClient {
     discovery(opts?: RequestOptions): Promise<Record<string, unknown>>;
     jwks(opts?: RequestOptions): Promise<Record<string, unknown>>;
     providers(opts?: RequestOptions): Promise<IdentityProvider[]>;
+    /**
+     * Resolve the interactive IdP login start URL. `returnOrigin` (RFC: the SPA
+     * origin the backend bounces the browser back to after the IdP round-trip)
+     * maps to the `return_origin` query param on `GET /auth/{providerID}/start`.
+     */
     startURL(providerId: string, input?: {
         redirectTo?: string;
         state?: string;
+        returnOrigin?: string;
     }, opts?: RequestOptions): Promise<string>;
+    /**
+     * Build the Google OAuth login start URL (`GET /auth/google_oauth2/start`,
+     * legacy interactive route). Issues a 302 to Google, so this is a URL the
+     * caller navigates the browser to. `returnTo` / `returnOrigin` map to the
+     * `return_to` / `return_origin` query params the backend reads to bounce the
+     * browser back after the Google round-trip.
+     *
+     * @example happy
+     *   const url = sdk.identity.oidc.googleStartUrl({ returnTo: 'https://app.example/done' })
+     *   window.location.href = url
+     */
+    googleStartUrl(input?: {
+        returnTo?: string;
+        returnOrigin?: string;
+    }): string;
     exchangeCallback(input: {
         code: string;
         state?: string;
         provider?: string;
     }, opts?: RequestOptions): Promise<OAuthTokenResponse>;
+    /**
+     * Build the GitHub OAuth start URL. `GET /auth/github` issues a 302 redirect
+     * to GitHub, so this is a URL the caller navigates the browser to (it does
+     * not return JSON). `returnTo` is where the backend sends the browser back
+     * after the GitHub round-trip completes.
+     *
+     * @example happy
+     *   const url = sdk.identity.oidc.githubStartUrl({ returnTo: 'https://app.example/done' })
+     *   window.location.href = url
+     */
+    githubStartUrl(input?: {
+        returnTo?: string;
+    }): string;
+    /**
+     * Build the GitHub OAuth callback URL. `GET /auth/github/callback` also
+     * 302-redirects (the backend sets the session and bounces the browser to
+     * `return_to`), so this is a URL helper, not a JSON-returning request — the
+     * browser hits it directly with GitHub's `code`/`state` query params.
+     *
+     * @example happy
+     *   const url = sdk.identity.oidc.githubCallbackUrl({ code: 'gh_code', state: 'xyz' })
+     */
+    githubCallbackUrl(input: {
+        code?: string;
+        state?: string;
+        error?: string;
+    }): string;
 }
 declare class IdentityDeviceCodeClient {
     private readonly http;
@@ -2286,14 +2767,6 @@ declare class IdentityDeviceCodeClient {
         signal?: AbortSignal;
     }, opts?: RequestOptions): Promise<OAuthTokenResponse>;
 }
-declare class IdentityProviderClient {
-    private readonly http;
-    constructor(http: HttpClient);
-    list(tenantId: string, opts?: RequestOptions): Promise<IdentityProvider[]>;
-    create(tenantId: string, input: Record<string, unknown>, opts?: RequestOptions): Promise<IdentityProvider>;
-    enable(tenantId: string, providerId: string, opts?: RequestOptions): Promise<IdentityProvider>;
-    disable(tenantId: string, providerId: string, opts?: RequestOptions): Promise<IdentityProvider>;
-}
 declare class IdentitySystemOAuthClientsClient {
     private readonly http;
     constructor(http: HttpClient);
@@ -2368,6 +2841,59 @@ declare class PublicationRequestsClient {
      *   catch (e) { if (e instanceof NotAdminError) /* not platform admin *\/ }
      */
     listPending(opts?: ListOptions): Promise<PaginatedList<PublicationRequest>>;
+    /**
+     * List settled (approved/rejected) publication requests for a tenant
+     * (reviewer-gated). `tenantId` is required by the backend route — passing it
+     * empty throws `RequiredError` before any request.
+     *
+     * @example happy
+     *   const page = await sdk.publicationRequests.history('tnt_1', { pageSize: 20 })
+     *   for (const pr of page.items) console.log(pr.appId, pr.status)
+     *
+     * @example failure
+     *   try { await sdk.publicationRequests.history('') }
+     *   catch (e) { if (e instanceof RequiredError) /* tenantId required *\/ }
+     */
+    history(tenantId: string, opts?: ListOptions): Promise<PaginatedList<PublicationRequest>>;
+}
+interface Tenant {
+    id: string;
+    slug: string;
+    name: string;
+    plan?: string;
+    createdAt?: string;
+    updatedAt?: string;
+    [key: string]: unknown;
+}
+declare class TenantsClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    get(tenantIdOrSlug: string, opts?: RequestOptions): Promise<Tenant>;
+}
+interface PublicConfig {
+    /** Base domain apps are served under, e.g. `axhub.jocodingax.ai`. */
+    baseDomain: string;
+    /** Any additional fields the backend adds are passed through. */
+    [key: string]: unknown;
+}
+declare class ConfigClient {
+    private readonly http;
+    constructor(http: HttpClient);
+    /**
+     * Fetch public runtime config (tokenless). No Authorization header is sent;
+     * usable before login. Rate-limited (429) if hammered.
+     *
+     * @example happy
+     *   const cfg = await sdk.config.public()
+     *   console.log(cfg.baseDomain)
+     *
+     * @example failure
+     *   try { await sdk.config.public() }
+     *   catch (e) { if (e instanceof RateLimitedError) /* back off (429) *\/ }
+     */
+    public(opts?: RequestOptions): Promise<PublicConfig>;
 }
 interface MockClientOptions {
@@ -2418,6 +2944,7 @@ interface AxHubInternalOptions {
     logger: Logger;
     schemaCacheOptions?: SchemaCacheOptions;
     mockStore?: MockStore;
+    tenantResolver?: TenantResolver;
 }
 declare class AxHubClient {
     readonly http: HttpClient;
@@ -2426,22 +2953,25 @@ declare class AxHubClient {
     readonly logger: Logger;
     private readonly schemaCacheOptions?;
     readonly mock?: MockStore;
+    private readonly tenantResolver;
     private _apps?;
-    private _audit?;
-    private _authz?;
     private _data?;
     private _deployments?;
     private _gateway?;
     private _identity?;
     private _publicationRequests?;
     private _tenants?;
+    private _config?;
     constructor(opts: AxHubClientOptions | AxHubInternalOptions);
     resolveTenantSlug(perCall?: string): string;
     get apps(): AppsClient;
-    get audit(): AuditClient;
-    get authz(): AuthzClient;
     get data(): DataClient;
     get deployments(): DeploymentsClient;
+    /**
+     * Public, tokenless configuration (`sdk.config.public()`). No Authorization
+     * header is sent — usable before authentication.
+     */
+    get config(): ConfigClient;
     get gateway(): GatewayClient;
     get identity(): IdentityClient;
     get tenants(): TenantsClient;
@@ -2487,63 +3017,4 @@ declare class AxHubClient {
     tenant(tenantSlug: string): TenantScopedClient;
 }
-interface StaticTokenAuthOptions {
-    token: string;
-    tokenType: TokenType;
-    onRefresh?: () => Promise<string>;
-}
-declare class StaticTokenAuth implements AuthProvider {
-    private token;
-    readonly tokenType: TokenType;
-    private readonly onRefresh?;
-    private refreshing;
-    constructor(opts: StaticTokenAuthOptions);
-    currentToken(): string;
-    headersFor(ring: AuthRing): Record<string, string>;
-    onUnauthorized(): Promise<boolean>;
-}
-declare class NoAuth implements AuthProvider {
-    headersFor(_ring: AuthRing): Record<string, string>;
-    onUnauthorized(): Promise<boolean>;
-}
-interface ParsedFrame {
-    id?: string;
-    event?: string;
-    data: string;
-}
-type StreamItem<T> = {
-    type: 'item';
-    value: T;
-    id: string | undefined;
-} | {
-    type: 'gap';
-    sinceId: string | undefined;
-    missingCount?: number;
-} | {
-    type: 'decode-skip';
-    frame: ParsedFrame;
-    error: AxHubError;
-};
-interface SSEStream<T> extends AsyncIterable<StreamItem<T>> {
-    dispose(): void;
-}
-type WebhookVerifyReason = 'signature_mismatch' | 'timestamp_skew' | 'malformed_signature' | 'missing_secret' | 'replay';
-interface VerifyWebhookInput {
-    rawBody: Buffer | Uint8Array | string;
-    signature: string;
-    secret: string;
-    tolerance?: number;
-    timestamp?: string;
-    replayCache?: Set<string>;
-    now?: () => number;
-}
-interface VerifyWebhookResult {
-    ok: boolean;
-    reason?: WebhookVerifyReason;
-}
-declare function signWebhook(rawBody: Buffer | Uint8Array | string, secret: string, timestamp?: string): string;
-declare function verifyWebhook(input: VerifyWebhookInput): VerifyWebhookResult;
-export { AbortError, AccessDeniedError, type AddColumnInput, type AddCommentInput, type AddGrantInput, AlreadyAccessedError, AlreadyActiveError, AlreadyDeletedError, AlreadyInactiveError, AlreadyMemberError, AlreadyRevokedError, AlreadySettledError, type AnonymizeInput, type AppAccess, type AppCategory, type AppID, type AppId, type AppResponse, AppScopedClient, AppScopedDataClient, type AppSlug, type AppTable, type AppTemplate, AppUnavailableError, AppsClient, AuditClient, type AuditEvent, type AuditEventID, type AuthProvider, type AuthRing, AuthorizationPendingError, AuthzClient, type AuthzGrant, type AuthzSubject, type AuthzTag, AxHubClient, type AxHubClientOptions, AxHubError, type AxHubErrorInit, BadRequestError, type Branded, type BulkInviteResult, type CatalogAncestor, type CatalogConnector, type CatalogKind, type CatalogKindAction, type CatalogPermissionsReadDetail, type CatalogPermissionsReadList, type CatalogResourceDetail, type CatalogResourceFilter, type CatalogResourceView, type CatalogTag, type ColumnType, type Comment, ConfigurationError, ConflictError, type ConnectGitInput, type ConnectorID, type CreateAppInput, type CreateCategoryInput, type CreateDeploymentInput, type CreateOAuthClientInput, type CreateTableInput, type CreateTenantInput, type CursorDirection, DEFAULT_BASE_URL, type DataBulkResult, DataClient, type DataCountOptions, type DataGetOptions, type DataListOptions, type DataOrderBy, DataTableClient, type DataTableSchema, type DecideInput, type DecideResult, DecodeError, type DeploymentFailureReason, type DeploymentID, type DeploymentId, type DeploymentResponse, type DeploymentStatus, DeploymentsClient, type DeviceAuthorizationResponse, DeviceFlowDeniedError, DeviceFlowTimeoutError, type DiscoverAppsOptions, type DiscoverOptions, type DispatchContext, DomainTakenError, DuplicateError, type EmailDomain, type EmitAuditEventInput, EmptyError, type EnvVar, ExpiredTokenError, type FetchLike, type FieldError, ForbiddenError, GatewayCatalogClient, GatewayClient, type GatewayConnector, type GatewayEngine, type GatewayQueryColumn, type GatewayQueryInput, type GatewayQueryResult, type GatewayResource, type GitConnection, type GitConnectionSetup, type GitConnectionStatus, type GithubInstallStart, type GrantID, type GrantPrincipalType, type GrantScope, IdentityClient, IdentityDeviceCodeClient, IdentityMeClient, IdentityOAuthClient, IdentityOIDCClient, IdentityPATClient, type IdentityProvider, IdentityProviderClient, IdentitySystemOAuthClientsClient, type InferRow, type InstallStartInput, type IntegrityCheckResult, InternalServerError, IntrospectFailedError, InvalidCursorError, InvalidGrantError, InvalidPathError, InvalidStateTransitionError, InvalidValueError, InvitationExpiredError, type InviteTenantMemberInput, type InvokeInput, type InvokeResult, type IssuePersonalAccessTokenInput, type IssuePersonalAccessTokenResult, type KeysetCursor, LastAdminError, LegacyCursorError, type LikeResult, type LikeStatus, type ListAllItem, type ListAllOptions, type ListOptions, type Logger, type MeResponse, type MockClientOptions, type MockFixtures, MockInProductionError, type MockRow, type MockSchemas, MockStore, NetworkError, NoAuth, NotAdminError, NotAllowedError, NotDeletedError, NotFoundError, NotMemberError, type OAuthClient, type OAuthClientWithSecret, OAuthError, type OAuthErrorInit, type OAuthTokenResponse, type OrderByField, type PATID, type PATSummary, type PaginatedList, type ParsedFrame, type PatId, PendingExistsError, PermanentlyDeletedError, PermissionDeniedError, PoolStaleError, PreconditionFailedError, type PublicationRequest, type PublicationRequestStatus, PublicationRequestsClient, type QueryExpr, type RateLimitStrategy, RateLimitedError, type RequestId, RequiredError, type ResourceID, type RetryInfo, type SSEStream, ScanLimitExceededError, SchemaCache, type SchemaCacheOptions, SchemaNameTakenError, type SchemaShapeFromRow, type SelectColumns, type SettlePublicationInput, type SignIconUploadInput, type SignIconUploadResult, SlowDownError, SlugTakenError, StaticTokenAuth, StreamConsumedError, type StreamItem, type SubjectID, type SubmitPublicationInput, type SystemOAuthClient, type TableColumn, type TableConstraint, type TableGrant, type TableID, type TableIndex, TableNotFoundError, type TableSchema, type TagID, type Tenant, TenantGatewayClient, type TenantID, type TenantId, type TenantInvitation, type TenantMember, TenantScopedAppsClient, TenantScopedClient, type TenantSlug, TenantSlugRequiredError, TenantsClient, TimeoutError, TokenExpiredError, TokenInvalidError, TokenMissingError, type TokenType, UnauthenticatedError, UnavailableError, type UnlikeResult, type UnpublishInput, type UpdateAppInput, type UpdateGitConnectionInput, type UpdateTenantInput, type UserID, type UserId, ValidationError, type VerifyWebhookInput, type VerifyWebhookResult, WebhookVerificationError, type WebhookVerifyReason, and, asAppId, asAppSlug, asDeploymentId, asPatId, asRequestId, asTenantId, asTenantSlug, asUserId, assertMockModeAllowed, createMockStore, cursorFromRow, decodeCursor, defineSchema, dispatch, encodeCursor, escapeLike, formatErrorMessage, getAccessibleColumns, getMaskHint, id, isAllowed, isOAuthPath, isPolicyDeny, isSqlFormatError, not, or, orderByFingerprint, parseRetryAfter, raw, schemaCacheKey, signWebhook, tableFromPath, verifyWebhook, where };
+export { AbortError, AccessDeniedError, type AddColumnInput, type AddCommentInput, type AddGrantInput, AlreadyAccessedError, AlreadyActiveError, AlreadyDeletedError, AlreadyInactiveError, AlreadyMemberError, AlreadyRevokedError, AlreadySettledError, type AppAccess, type AppAvailability, type AppCategory, type AppID, type AppId, type AppInvitation, type AppMember, type AppPublicationStatus, type AppResponse, type AppResponseCategory, type AppResponseOwner, type AppReviewStatus, AppScopedClient, AppScopedDataClient, type AppSlug, type AppSort, type AppStatus, type AppTable, type AppTemplate, AppUnavailableError, type AppVisibility, AppsClient, type AuditEventID, type AuthProvider, type AuthRing, AuthorizationPendingError, AxHubClient, type AxHubClientOptions, AxHubError, type AxHubErrorInit, BadRequestError, type BootstrapAccepted, type BootstrapStage, type BootstrapStatus, type BootstrapStatusValue, type Branded, type BrowseRowsOptions, type CatalogAncestor, type CatalogConnector, type CatalogKind, type CatalogKindAction, type CatalogPermissionsReadDetail, type CatalogPermissionsReadList, type CatalogResourceDetail, type CatalogResourceFilter, type CatalogResourceView, type CatalogTag, type CheckAvailabilityInput, type ColumnType, type ColumnTypeOption, type Comment, ConfigClient, ConfigurationError, ConflictError, type ConnectGitInput, type ConnectorID, type CreateAppInput, type CreateDeploymentInput, type CreateOAuthClientInput, type CreateTableInput, type CursorBuildOptions, type CursorDirection, DEFAULT_BASE_URL, type DataBulkResult, DataClient, type DataCountOptions, type DataGetOptions, type DataListOptions, type DataOrderBy, DataTableClient, type DataTableSchema, DecodeError, type DeploymentFailureReason, type DeploymentID, type DeploymentId, type DeploymentResponse, type DeploymentStatus, DeploymentsClient, type DeviceAuthorizationResponse, DeviceFlowDeniedError, DeviceFlowTimeoutError, type DiscoverAppsOptions, type DiscoverFeedOptions, type DiscoverOptions, DomainTakenError, DuplicateError, EmptyError, type EngineCapability, type EnvVar, ExpiredTokenError, type FetchLike, type FetchLogsOptions, type FieldAvailability, type FieldError, ForbiddenError, GatewayCatalogClient, GatewayClient, type GatewayQueryColumn, type GatewayQueryInput, type GatewayQueryResult, type GitConnection, type GitConnectionSetup, type GitConnectionStatus, type GithubAccount, type GithubInstallStart, type GithubRepo, type GithubReposPage, type GrantID, type GrantPrincipalType, type GrantScope, type IconPreCreateInput, type IconPreCreateResult, IdentityClient, IdentityDeviceCodeClient, IdentityMeClient, IdentityOAuthClient, IdentityOIDCClient, IdentityPATClient, type IdentityProvider, IdentitySystemOAuthClientsClient, type InferRow, type InstallStartInput, InternalServerError, IntrospectFailedError, InvalidClientError, InvalidCursorError, InvalidGrantError, InvalidPathError, InvalidRequestError, InvalidScopeError, InvalidStateTransitionError, InvalidTargetError, InvalidTokenError, InvalidValueError, InvitationExpiredError, type InviteUserInput, type InvokeInput, type InvokeResult, type IssuePersonalAccessTokenInput, type IssuePersonalAccessTokenResult, type KeysetCursor, LastAdminError, LegacyCursorError, type LikeResult, type LikeStatus, type ListAllItem, type ListAllOptions, type ListAppsOptions, type ListMembersOptions, type ListOptions, type ListReposOptions, type LogLine, type Logger, type LogsPage, type MeResponse, type MockClientOptions, type MockFixtures, MockInProductionError, type MockRow, type MockSchemas, MockStore, NetworkError, NoAuth, NotAdminError, NotAllowedError, NotDeletedError, NotFoundError, NotMemberError, type OAuthClient, type OAuthClientWithSecret, OAuthError, type OAuthErrorInit, OAuthServerError, type OAuthTokenResponse, type OrderByField, type OrderDirection, type PATID, type PATSummary, type PageRequestOptions, type PaginatedList, type ParsedFrame, type PatId, PendingExistsError, PermanentlyDeletedError, PermissionDeniedError, PoolStaleError, PreconditionFailedError, type PublicConfig, type PublicationRequest, type PublicationRequestStatus, PublicationRequestsClient, type QueryExpr, type RateLimitStrategy, RateLimitedError, type RegisterMcpClientInput, type RegisterMcpClientResult, type RequestId, type RequestOptions, RequiredError, type ResourceID, type RetryInfo, type SSEStream, type SSEStreamOptions, ScanLimitExceededError, SchemaCache, type SchemaCacheOptions, SchemaNameTakenError, type SchemaShapeFromRow, type SelectColumns, type SettlePublicationInput, type SignIconUploadInput, type SignIconUploadResult, SlowDownError, SlugTakenError, type StartBootstrapInput, StaticTokenAuth, type StaticTokenAuthOptions, StreamConsumedError, type StreamItem, type SubjectID, type SubmitPublicationInput, type SystemOAuthClient, type TableAvailability, type TableColumn, type TableConstraint, type TableGrant, type TableID, type TableIndex, TableNotFoundError, type TableRowColumn, type TableRowsMeta, type TableRowsPage, type TableSchema, type TagID, TemporarilyUnavailableError, type Tenant, TenantGatewayClient, type TenantID, type TenantId, TenantIdRequiredError, TenantScopedAppsClient, TenantScopedClient, type TenantSlug, TenantSlugRequiredError, TenantsClient, TimeoutError, TokenExpiredError, TokenInvalidError, TokenMissingError, type TokenType, UnauthenticatedError, UnauthorizedClientError, UnavailableError, type UnlikeResult, type UnpublishInput, UnsupportedGrantTypeError, type UpdateAppInput, type UpdateGitConnectionInput, type UserID, type UserId, ValidationError, type VerifyWebhookInput, type VerifyWebhookResult, WebhookVerificationError, type WebhookVerifyReason, and, asAppId, asAppSlug, asDeploymentId, asPatId, asRequestId, asTenantId, asTenantSlug, asUserId, assertMockModeAllowed, createMockStore, cursorFromRow, decodeCursor, defineSchema, encodeCursor, escapeLike, formatErrorMessage, getAccessibleColumns, getMaskHint, id, isAllowed, isPolicyDeny, isSqlFormatError, not, or, orderByFingerprint, parseRetryAfter, raw, schemaCacheKey, signWebhook, tableFromPath, verifyWebhook, where };