@blimu/backend 1.2.0 → 1.2.1

package/dist/index.cjs

@@ -29,14 +29,14 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
-var src_exports = {};
-__export(src_exports, {
+var index_exports = {};
+__export(index_exports, {
   Blimu: () => Blimu,
   BlimuError: () => BlimuError,
   BulkResourcesService: () => BulkResourcesService,
   BulkRolesService: () => BulkRolesService,
   EntitlementsService: () => EntitlementsService,
-  FetchError: () => import_fetch10.FetchError,
+  FetchError: () => import_fetch.FetchError,
   PlansService: () => PlansService,
   ResourceMembersService: () => ResourceMembersService,
   ResourcesService: () => ResourcesService,
@@ -49,15 +49,15 @@ __export(src_exports, {
   isNotUndefined: () => isNotUndefined,
   listAll: () => listAll,
   paginate: () => paginate,
-  parseNDJSONStream: () => import_fetch12.parseNDJSONStream,
-  parseSSEStream: () => import_fetch12.parseSSEStream,
+  parseNDJSONStream: () => import_fetch3.parseNDJSONStream,
+  parseSSEStream: () => import_fetch3.parseSSEStream,
   verifyToken: () => verifyToken
 });
-module.exports = __toCommonJS(src_exports);
+module.exports = __toCommonJS(index_exports);
 
 // src/client.ts
-var import_fetch10 = require("@blimu/fetch");
-var import_fetch11 = require("@blimu/fetch");
+var import_fetch = require("@blimu/fetch");
+var import_fetch2 = require("@blimu/fetch");
 
 // src/auth-strategies.ts
 function buildAuthStrategies(cfg) {
@@ -73,12 +73,6 @@ function buildAuthStrategies(cfg) {
   return authStrategies;
 }
 
-// src/services/bulk_resources.ts
-var import_fetch = require("@blimu/fetch");
-
-// src/schema.ts
-var schema_exports = {};
-
 // src/services/bulk_resources.ts
 var BulkResourcesService = class {
   constructor(core) {
@@ -99,7 +93,6 @@ var BulkResourcesService = class {
 };
 
 // src/services/bulk_roles.ts
-var import_fetch2 = require("@blimu/fetch");
 var BulkRolesService = class {
   constructor(core) {
     this.core = core;
@@ -119,7 +112,6 @@ var BulkRolesService = class {
 };
 
 // src/services/entitlements.ts
-var import_fetch3 = require("@blimu/fetch");
 var EntitlementsService = class {
   constructor(core) {
     this.core = core;
@@ -162,8 +154,121 @@ var EntitlementsService = class {
   }
 };
 
+// src/services/oauth.ts
+var OauthService = class {
+  constructor(core) {
+    this.core = core;
+  }
+  /**
+   * GET /v1/oauth/authorize*
+   * @summary Check consent requirement*
+   * @description Checks if user consent is required for the OAuth2 app and requested scopes.*/
+  checkConsentRequired(query, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/oauth/authorize`,
+      query,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/authorize*
+   * @summary Authorize OAuth2 application*
+   * @description Handles user consent approval/denial. Validates auto_approved flag against consent requirements.*/
+  authorize(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/authorize`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/authorize*
+   * @summary Authorize or deny device code*
+   * @description Allows an authenticated user to authorize or deny a device code request. Requires valid user session.*/
+  authorizeDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/authorize`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/code*
+   * @summary Request device authorization codes*
+   * @description Initiates device authorization flow. Returns device_code (for polling) and user_code (for user entry).*/
+  requestDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/code`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * GET /v1/oauth/device/code/{user_code}*
+   * @summary Get device code information*
+   * @description Returns device code information including app name, scopes, and consent requirement status.*/
+  getDeviceCodeInfo(user_code, init) {
+    return this.core.request({
+      method: "GET",
+      path: `/v1/oauth/device/code/${encodeURIComponent(user_code)}`,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/device/token*
+   * @summary Poll for device authorization tokens*
+   * @description Client polls this endpoint to exchange device_code for tokens once user has authorized.*/
+  exchangeDeviceCode(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/device/token`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/introspect*
+   * @summary Introspect token*
+   * @description Validates a token and returns metadata. Requires client authentication.*/
+  introspect(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/introspect`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/revoke*
+   * @summary Revoke token*
+   * @description Revokes an access or refresh token. Requires client authentication.*/
+  revoke(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/revoke`,
+      body,
+      ...init ?? {}
+    });
+  }
+  /**
+   * POST /v1/oauth/token*
+   * @summary Token endpoint*
+   * @description Issues access and refresh tokens. Supports authorization_code and refresh_token (always available per OAuth2 spec).*/
+  token(body, init) {
+    return this.core.request({
+      method: "POST",
+      path: `/v1/oauth/token`,
+      body,
+      ...init ?? {}
+    });
+  }
+};
+
 // src/services/plans.ts
-var import_fetch4 = require("@blimu/fetch");
 var PlansService = class {
   constructor(core) {
     this.core = core;
@@ -205,7 +310,6 @@ var PlansService = class {
 };
 
 // src/services/resource_members.ts
-var import_fetch5 = require("@blimu/fetch");
 var ResourceMembersService = class {
   constructor(core) {
     this.core = core;
@@ -225,7 +329,6 @@ var ResourceMembersService = class {
 };
 
 // src/services/resources.ts
-var import_fetch6 = require("@blimu/fetch");
 var ResourcesService = class {
   constructor(core) {
     this.core = core;
@@ -291,7 +394,6 @@ var ResourcesService = class {
 };
 
 // src/services/roles.ts
-var import_fetch7 = require("@blimu/fetch");
 var RolesService = class {
   constructor(core) {
     this.core = core;
@@ -334,7 +436,6 @@ var RolesService = class {
 };
 
 // src/services/usage.ts
-var import_fetch8 = require("@blimu/fetch");
 var UsageService = class {
   constructor(core) {
     this.core = core;
@@ -402,7 +503,6 @@ var UsageService = class {
 };
 
 // src/services/users.ts
-var import_fetch9 = require("@blimu/fetch");
 var UsersService = class {
   constructor(core) {
     this.core = core;
@@ -483,6 +583,7 @@ var Blimu = class {
   bulkResources;
   bulkRoles;
   entitlements;
+  oauth;
   plans;
   resourceMembers;
   resources;
@@ -493,7 +594,7 @@ var Blimu = class {
     const restCfg = { ...options ?? {} };
     delete restCfg.apiKey;
     const authStrategies = buildAuthStrategies(options ?? {});
-    const core = new import_fetch10.FetchClient({
+    const core = new import_fetch.FetchClient({
       ...restCfg,
       baseURL: options?.baseURL ?? "https://api.blimu.dev",
       ...authStrategies.length > 0 ? { authStrategies } : {}
@@ -501,6 +602,7 @@ var Blimu = class {
     this.bulkResources = new BulkResourcesService(core);
     this.bulkRoles = new BulkRolesService(core);
     this.entitlements = new EntitlementsService(core);
+    this.oauth = new OauthService(core);
     this.plans = new PlansService(core);
     this.resourceMembers = new ResourceMembersService(core);
     this.resources = new ResourcesService(core);
@@ -509,13 +611,13 @@ var Blimu = class {
     this.users = new UsersService(core);
   }
 };
-var BlimuError = import_fetch10.FetchError;
+var BlimuError = import_fetch.FetchError;
 
 // src/index.ts
-__reExport(src_exports, require("@blimu/fetch"), module.exports);
+__reExport(index_exports, require("@blimu/fetch"), module.exports);
 
 // src/utils.ts
-var import_fetch12 = require("@blimu/fetch");
+var import_fetch3 = require("@blimu/fetch");
 async function* paginate(fetchPage, initialQuery = {}, pageSize = 100) {
   let offset = Number(initialQuery.offset ?? 0);
   const limit = Number(initialQuery.limit ?? pageSize);
@@ -541,19 +643,35 @@ function isNotUndefined(arr) {
   );
 }
 
+// src/schema.ts
+var schema_exports = {};
+
 // src/schema.zod.ts
 var schema_zod_exports = {};
 __export(schema_zod_exports, {
+  AuthorizeRequestSchema: () => AuthorizeRequestSchema,
   BalanceResponseSchema: () => BalanceResponseSchema,
   CheckLimitResponseSchema: () => CheckLimitResponseSchema,
+  ConsentCheckResponseSchema: () => ConsentCheckResponseSchema,
+  DeviceAuthorizeRequestSchema: () => DeviceAuthorizeRequestSchema,
+  DeviceAuthorizeResponseSchema: () => DeviceAuthorizeResponseSchema,
+  DeviceCodeInfoResponseSchema: () => DeviceCodeInfoResponseSchema,
+  DeviceCodeRequestSchema: () => DeviceCodeRequestSchema,
+  DeviceCodeResponseSchema: () => DeviceCodeResponseSchema,
+  DeviceTokenRequestSchema: () => DeviceTokenRequestSchema,
   EntitlementCheckBodySchema: () => EntitlementCheckBodySchema,
   EntitlementCheckResultSchema: () => EntitlementCheckResultSchema,
+  EntitlementTypeSchema: () => EntitlementTypeSchema,
   EntitlementsListForResourceQuerySchema: () => EntitlementsListForResourceQuerySchema,
   EntitlementsListForTenantQuerySchema: () => EntitlementsListForTenantQuerySchema,
   EntitlementsListResultSchema: () => EntitlementsListResultSchema,
+  IntrospectionRequestSchema: () => IntrospectionRequestSchema,
+  IntrospectionResponseSchema: () => IntrospectionResponseSchema,
+  OauthCheckConsentRequiredQuerySchema: () => OauthCheckConsentRequiredQuerySchema,
   PlanAssignBodySchema: () => PlanAssignBodySchema,
   PlanDeleteResponseSchema: () => PlanDeleteResponseSchema,
   PlanResponseSchema: () => PlanResponseSchema,
+  PlanTypeSchema: () => PlanTypeSchema,
   ResourceBulkCreateBodySchema: () => ResourceBulkCreateBodySchema,
   ResourceBulkResultSchema: () => ResourceBulkResultSchema,
   ResourceCreateBodySchema: () => ResourceCreateBodySchema,
@@ -561,20 +679,25 @@ __export(schema_zod_exports, {
   ResourceMemberListSchema: () => ResourceMemberListSchema,
   ResourceMembersListQuerySchema: () => ResourceMembersListQuerySchema,
   ResourceSchema: () => ResourceSchema,
+  ResourceTypeSchema: () => ResourceTypeSchema,
   ResourceUpdateBodySchema: () => ResourceUpdateBodySchema,
   ResourcesListQuerySchema: () => ResourcesListQuerySchema,
+  RevocationRequestSchema: () => RevocationRequestSchema,
   RoleBulkCreateBodySchema: () => RoleBulkCreateBodySchema,
   RoleBulkResultSchema: () => RoleBulkResultSchema,
   RoleCreateBodySchema: () => RoleCreateBodySchema,
   RoleListSchema: () => RoleListSchema,
   RoleSchema: () => RoleSchema,
   RolesListQuerySchema: () => RolesListQuerySchema,
+  TokenRequestSchema: () => TokenRequestSchema,
+  TokenResponseSchema: () => TokenResponseSchema,
   TransactionHistoryResponseSchema: () => TransactionHistoryResponseSchema,
   UsageCheckBodySchema: () => UsageCheckBodySchema,
   UsageConsumeBodySchema: () => UsageConsumeBodySchema,
   UsageCreditBodySchema: () => UsageCreditBodySchema,
   UsageGetBalanceQuerySchema: () => UsageGetBalanceQuerySchema,
   UsageGetTransactionHistoryQuerySchema: () => UsageGetTransactionHistoryQuerySchema,
+  UsageLimitTypeSchema: () => UsageLimitTypeSchema,
   UsageWalletResponseSchema: () => UsageWalletResponseSchema,
   UserCreateBodySchema: () => UserCreateBodySchema,
   UserListSchema: () => UserListSchema,
@@ -584,6 +707,32 @@ __export(schema_zod_exports, {
   UsersListQuerySchema: () => UsersListQuerySchema
 });
 var import_zod = require("zod");
+var EntitlementTypeSchema = import_zod.z.string();
+var PlanTypeSchema = import_zod.z.string();
+var ResourceTypeSchema = import_zod.z.string();
+var UsageLimitTypeSchema = import_zod.z.string();
+var AuthorizeRequestSchema = import_zod.z.object({
+  /** Action to take: allow or deny */
+  action: import_zod.z.enum(["allow", "deny"]),
+  /** True if consent was auto-approved (not required or previously granted) */
+  auto_approved: import_zod.z.boolean().optional(),
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** PKCE code challenge */
+  code_challenge: import_zod.z.string().optional(),
+  /** PKCE code challenge method */
+  code_challenge_method: import_zod.z.string().optional(),
+  /** Redirect URI */
+  redirect_uri: import_zod.z.string(),
+  /** Response type (typically "code") */
+  response_type: import_zod.z.string(),
+  /** Space-separated list of scopes */
+  scope: import_zod.z.string().optional(),
+  /** State parameter for CSRF protection */
+  state: import_zod.z.string().optional(),
+  /** True if user explicitly clicked Allow, false if auto-approved */
+  user_action: import_zod.z.boolean().optional()
+});
 var BalanceResponseSchema = import_zod.z.object({ balance: import_zod.z.number() });
 var CheckLimitResponseSchema = import_zod.z.object({
   allowed: import_zod.z.boolean(),
@@ -591,9 +740,206 @@ var CheckLimitResponseSchema = import_zod.z.object({
   remaining: import_zod.z.number().optional(),
   requested: import_zod.z.number()
 });
+var ConsentCheckResponseSchema = import_zod.z.object({
+  /** Whether user consent is required */
+  consent_required: import_zod.z.boolean(),
+  /** Whether consent was previously granted for this app and scopes */
+  previously_granted: import_zod.z.boolean()
+});
+var DeviceAuthorizeRequestSchema = import_zod.z.object({
+  /** Action to take: allow or deny */
+  action: import_zod.z.enum(["allow", "deny"]),
+  /** True if consent was auto-approved (not required or previously granted) */
+  auto_approved: import_zod.z.boolean().optional(),
+  /** True if user explicitly clicked Allow, false if auto-approved */
+  user_action: import_zod.z.boolean().optional(),
+  /** The user code displayed to the user */
+  user_code: import_zod.z.string()
+});
+var DeviceAuthorizeResponseSchema = import_zod.z.object({
+  /** Whether the authorization was successful */
+  success: import_zod.z.boolean()
+});
+var DeviceCodeInfoResponseSchema = import_zod.z.object({
+  /** The name of the OAuth2 application */
+  appName: import_zod.z.string(),
+  /** Whether the user has already granted consent for this app and scopes */
+  previouslyGranted: import_zod.z.boolean(),
+  /** Whether the app requires user consent */
+  requireConsent: import_zod.z.boolean(),
+  /** The scopes requested by the device code */
+  scopes: import_zod.z.string().array()
+});
+var DeviceCodeRequestSchema = import_zod.z.object({
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** PKCE code challenge (base64url encoded SHA256 hash) */
+  code_challenge: import_zod.z.string().optional(),
+  /** PKCE code challenge method */
+  code_challenge_method: import_zod.z.enum(["S256", "plain"]).optional(),
+  /** Space-separated list of scopes */
+  scope: import_zod.z.string().optional()
+});
+var DeviceCodeResponseSchema = import_zod.z.object({
+  /** Device verification code (for polling) */
+  device_code: import_zod.z.string(),
+  /** Device code expiration time in seconds */
+  expires_in: import_zod.z.number(),
+  /** Minimum polling interval in seconds */
+  interval: import_zod.z.number(),
+  /** User verification code (short, human-readable) */
+  user_code: import_zod.z.string(),
+  /** Verification URI for user */
+  verification_uri: import_zod.z.string(),
+  /** Complete verification URI with user code */
+  verification_uri_complete: import_zod.z.string()
+});
+var DeviceTokenRequestSchema = import_zod.z.object({
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** PKCE code verifier (if challenge was provided) */
+  code_verifier: import_zod.z.string().optional(),
+  /** Device code from authorization response */
+  device_code: import_zod.z.string(),
+  /** Grant type (must be device_code) */
+  grant_type: import_zod.z.enum([
+    "urn:ietf:params:oauth:grant-type:device_code"
+  ])
+});
+var IntrospectionRequestSchema = import_zod.z.object({
+  /** The token to introspect */
+  token: import_zod.z.string(),
+  /** Hint about token type */
+  token_type_hint: import_zod.z.enum(["access_token", "refresh_token"]).optional()
+});
+var IntrospectionResponseSchema = import_zod.z.object({
+  /** Whether the token is active */
+  active: import_zod.z.boolean(),
+  /** Client ID */
+  client_id: import_zod.z.string().optional(),
+  /** Environment ID */
+  environment_id: import_zod.z.string().optional(),
+  /** Token expiration timestamp */
+  exp: import_zod.z.number().optional(),
+  /** Token issued at timestamp */
+  iat: import_zod.z.number().optional(),
+  /** Space-separated list of scopes */
+  scope: import_zod.z.string().optional(),
+  /** Subject (user ID) */
+  sub: import_zod.z.string().optional(),
+  /** Token type */
+  token_type: import_zod.z.string().optional(),
+  /** Username or user ID */
+  username: import_zod.z.string().optional()
+});
+var PlanDeleteResponseSchema = import_zod.z.object({ success: import_zod.z.boolean() });
+var ResourceMemberListSchema = import_zod.z.object({
+  items: import_zod.z.object({
+    inherited: import_zod.z.boolean(),
+    role: import_zod.z.string(),
+    user: import_zod.z.object({
+      avatarUrl: import_zod.z.string().nullable(),
+      createdAt: import_zod.z.iso.datetime(),
+      email: import_zod.z.email(),
+      emailVerified: import_zod.z.boolean(),
+      firstName: import_zod.z.string().nullable(),
+      id: import_zod.z.string(),
+      lastLoginAt: import_zod.z.iso.datetime().nullable(),
+      lastName: import_zod.z.string().nullable(),
+      lookupKey: import_zod.z.string().nullable(),
+      updatedAt: import_zod.z.iso.datetime()
+    }),
+    userId: import_zod.z.string()
+  }).array(),
+  limit: import_zod.z.number(),
+  page: import_zod.z.number(),
+  total: import_zod.z.number()
+});
+var RevocationRequestSchema = import_zod.z.object({
+  /** The token to revoke */
+  token: import_zod.z.string(),
+  /** Hint about token type */
+  token_type_hint: import_zod.z.enum(["access_token", "refresh_token"]).optional()
+});
+var TokenRequestSchema = import_zod.z.object({
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** OAuth2 client secret (required for confidential clients) */
+  client_secret: import_zod.z.string().optional(),
+  /** Authorization code (required for authorization_code grant) */
+  code: import_zod.z.string().optional(),
+  /** PKCE code verifier (if challenge was provided) */
+  code_verifier: import_zod.z.string().optional(),
+  /** OAuth2 grant type */
+  grant_type: import_zod.z.enum(["authorization_code", "refresh_token"]),
+  /** Redirect URI (required for authorization_code grant) */
+  redirect_uri: import_zod.z.string().optional(),
+  /** Refresh token (required for refresh_token grant) */
+  refresh_token: import_zod.z.string().optional(),
+  /** Space-separated list of scopes (optional for refresh) */
+  scope: import_zod.z.string().optional()
+});
+var TokenResponseSchema = import_zod.z.object({
+  /** Access token (JWT) */
+  access_token: import_zod.z.string(),
+  /** Access token expiration time in seconds */
+  expires_in: import_zod.z.number(),
+  /** Refresh token (for obtaining new access tokens) */
+  refresh_token: import_zod.z.string(),
+  /** Space-separated list of granted scopes */
+  scope: import_zod.z.string().optional(),
+  /** Token type */
+  token_type: import_zod.z.string()
+});
+var UserSchema = import_zod.z.object({
+  avatarUrl: import_zod.z.string().nullable(),
+  createdAt: import_zod.z.iso.datetime(),
+  email: import_zod.z.email(),
+  emailVerified: import_zod.z.boolean(),
+  firstName: import_zod.z.string().nullable(),
+  id: import_zod.z.string(),
+  lastLoginAt: import_zod.z.iso.datetime().nullable(),
+  lastName: import_zod.z.string().nullable(),
+  lookupKey: import_zod.z.string().nullable(),
+  updatedAt: import_zod.z.iso.datetime()
+});
+var UserCreateBodySchema = import_zod.z.object({
+  avatarUrl: import_zod.z.url().optional(),
+  email: import_zod.z.email(),
+  firstName: import_zod.z.string().nullable().optional(),
+  lastName: import_zod.z.string().nullable().optional(),
+  lookupKey: import_zod.z.string(),
+  newUser: import_zod.z.boolean().nullable().optional(),
+  password: import_zod.z.string().nullable().optional()
+});
+var UserListSchema = import_zod.z.object({
+  items: import_zod.z.object({
+    avatarUrl: import_zod.z.string().nullable(),
+    createdAt: import_zod.z.iso.datetime(),
+    email: import_zod.z.email(),
+    emailVerified: import_zod.z.boolean(),
+    firstName: import_zod.z.string().nullable(),
+    id: import_zod.z.string(),
+    lastLoginAt: import_zod.z.iso.datetime().nullable(),
+    lastName: import_zod.z.string().nullable(),
+    lookupKey: import_zod.z.string().nullable(),
+    updatedAt: import_zod.z.iso.datetime()
+  }).array(),
+  limit: import_zod.z.number(),
+  page: import_zod.z.number(),
+  total: import_zod.z.number()
+});
+var UserUpdateBodySchema = import_zod.z.object({
+  avatarUrl: import_zod.z.url().nullable().optional(),
+  email: import_zod.z.email().optional(),
+  firstName: import_zod.z.string().nullable().optional(),
+  lastName: import_zod.z.string().nullable().optional(),
+  lookupKey: import_zod.z.string().optional(),
+  password: import_zod.z.string().optional()
+});
 var EntitlementCheckBodySchema = import_zod.z.object({
   amount: import_zod.z.number().int().optional(),
-  entitlement: import_zod.z.string(),
+  entitlement: EntitlementTypeSchema,
   resourceId: import_zod.z.string(),
   userId: import_zod.z.string()
 });
@@ -603,15 +949,15 @@ var EntitlementCheckResultSchema = import_zod.z.object({
     allowed: import_zod.z.boolean(),
     current: import_zod.z.number().optional(),
     limit: import_zod.z.number().optional(),
-    plan: import_zod.z.string().nullable().optional(),
+    plan: PlanTypeSchema.optional(),
     reason: import_zod.z.string().optional(),
     remaining: import_zod.z.number().optional(),
     scope: import_zod.z.string().optional()
   }).nullable().optional(),
   plans: import_zod.z.object({
     allowed: import_zod.z.boolean(),
-    allowedPlans: import_zod.z.string().array().optional(),
-    plan: import_zod.z.string().nullable().optional(),
+    allowedPlans: PlanTypeSchema.array().optional(),
+    plan: PlanTypeSchema.optional(),
     reason: import_zod.z.string().optional()
   }).nullable().optional(),
   roles: import_zod.z.object({
@@ -621,30 +967,29 @@ var EntitlementCheckResultSchema = import_zod.z.object({
     userRoles: import_zod.z.string().array().optional()
   }).nullable().optional()
 });
+var PlanAssignBodySchema = import_zod.z.object({ planKey: PlanTypeSchema });
 var EntitlementsListResultSchema = import_zod.z.object({
   results: import_zod.z.object({
     entitlements: import_zod.z.object({
       allowed: import_zod.z.boolean(),
       allowedByPlan: import_zod.z.boolean(),
       allowedByRole: import_zod.z.boolean(),
-      allowedPlans: import_zod.z.string().array().optional(),
+      allowedPlans: PlanTypeSchema.array().optional(),
       allowedRoles: import_zod.z.string().array(),
-      currentPlan: import_zod.z.string().optional(),
+      currentPlan: PlanTypeSchema.optional(),
       currentRole: import_zod.z.string().optional(),
-      entitlement: import_zod.z.string()
+      entitlement: EntitlementTypeSchema
     }).array(),
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string()
+    resourceType: ResourceTypeSchema
   }).array()
 });
-var PlanAssignBodySchema = import_zod.z.object({ planKey: import_zod.z.string() });
-var PlanDeleteResponseSchema = import_zod.z.object({ success: import_zod.z.boolean() });
 var PlanResponseSchema = import_zod.z.object({
   createdAt: import_zod.z.iso.datetime(),
   environmentId: import_zod.z.string(),
-  planKey: import_zod.z.string(),
+  planKey: PlanTypeSchema,
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   updatedAt: import_zod.z.iso.datetime()
 });
 var ResourceSchema = import_zod.z.object({
@@ -653,9 +998,9 @@ var ResourceSchema = import_zod.z.object({
   name: import_zod.z.string().nullable(),
   parents: import_zod.z.object({
     id: import_zod.z.string(),
-    type: import_zod.z.string()
+    type: ResourceTypeSchema
   }).array().optional(),
-  type: import_zod.z.string()
+  type: ResourceTypeSchema
 });
 var ResourceBulkCreateBodySchema = import_zod.z.object({
   resources: import_zod.z.object({
@@ -663,7 +1008,7 @@ var ResourceBulkCreateBodySchema = import_zod.z.object({
     name: import_zod.z.string().optional(),
     parents: import_zod.z.object({
       id: import_zod.z.string(),
-      type: import_zod.z.string()
+      type: ResourceTypeSchema
     }).array().optional(),
     roles: import_zod.z.object({
       role: import_zod.z.string(),
@@ -675,7 +1020,7 @@ var ResourceBulkResultSchema = import_zod.z.object({
   created: import_zod.z.object({
     environmentId: import_zod.z.string(),
     id: import_zod.z.string(),
-    type: import_zod.z.string()
+    type: ResourceTypeSchema
   }).array(),
   errors: import_zod.z.object({
     error: import_zod.z.string(),
@@ -685,7 +1030,7 @@ var ResourceBulkResultSchema = import_zod.z.object({
       name: import_zod.z.string().optional(),
       parents: import_zod.z.object({
         id: import_zod.z.string(),
-        type: import_zod.z.string()
+        type: ResourceTypeSchema
       }).array().optional(),
       roles: import_zod.z.object({
         role: import_zod.z.string(),
@@ -705,55 +1050,33 @@ var ResourceCreateBodySchema = import_zod.z.object({
   name: import_zod.z.string().optional(),
   parents: import_zod.z.object({
     id: import_zod.z.string(),
-    type: import_zod.z.string()
+    type: ResourceTypeSchema
   }).array().optional(),
   roles: import_zod.z.object({
     role: import_zod.z.string(),
     userId: import_zod.z.string()
   }).array().optional()
 });
-var ResourceMemberListSchema = import_zod.z.object({
-  items: import_zod.z.object({
-    inherited: import_zod.z.boolean(),
-    role: import_zod.z.string(),
-    user: import_zod.z.object({
-      avatarUrl: import_zod.z.string().nullable(),
-      createdAt: import_zod.z.iso.datetime(),
-      email: import_zod.z.email(),
-      emailVerified: import_zod.z.boolean(),
-      firstName: import_zod.z.string().nullable(),
-      id: import_zod.z.string(),
-      lastLoginAt: import_zod.z.iso.datetime().nullable(),
-      lastName: import_zod.z.string().nullable(),
-      lookupKey: import_zod.z.string().nullable(),
-      updatedAt: import_zod.z.iso.datetime()
-    }),
-    userId: import_zod.z.string()
-  }).array(),
-  limit: import_zod.z.number(),
-  page: import_zod.z.number(),
-  total: import_zod.z.number()
-});
 var ResourceUpdateBodySchema = import_zod.z.object({
   name: import_zod.z.string().optional(),
   /** Creates relationships with other resources. Parent resources must already exist. */
   parents: import_zod.z.object({
     id: import_zod.z.string(),
-    type: import_zod.z.string()
+    type: ResourceTypeSchema
   }).array().optional()
 });
 var RoleSchema = import_zod.z.object({
   createdAt: import_zod.z.string(),
   environmentId: import_zod.z.string(),
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   role: import_zod.z.string(),
   userId: import_zod.z.string()
 });
 var RoleBulkCreateBodySchema = import_zod.z.object({
   roles: import_zod.z.object({
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string(),
+    resourceType: ResourceTypeSchema,
     role: import_zod.z.string(),
     userId: import_zod.z.string()
   }).array()
@@ -763,7 +1086,7 @@ var RoleBulkResultSchema = import_zod.z.object({
     createdAt: import_zod.z.string(),
     environmentId: import_zod.z.string(),
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string(),
+    resourceType: ResourceTypeSchema,
     role: import_zod.z.string(),
     userId: import_zod.z.string()
   }).array(),
@@ -772,7 +1095,7 @@ var RoleBulkResultSchema = import_zod.z.object({
     index: import_zod.z.number(),
     role: import_zod.z.object({
       resourceId: import_zod.z.string(),
-      resourceType: import_zod.z.string(),
+      resourceType: ResourceTypeSchema,
       role: import_zod.z.string(),
       userId: import_zod.z.string()
     })
@@ -786,7 +1109,7 @@ var RoleBulkResultSchema = import_zod.z.object({
 });
 var RoleCreateBodySchema = import_zod.z.object({
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   role: import_zod.z.string()
 });
 var RoleListSchema = import_zod.z.object({
@@ -796,43 +1119,58 @@ var RoleListSchema = import_zod.z.object({
     createdAt: import_zod.z.string(),
     environmentId: import_zod.z.string(),
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string(),
+    resourceType: ResourceTypeSchema,
     role: import_zod.z.string(),
     userId: import_zod.z.string()
   }).array(),
   total: import_zod.z.number()
 });
+var UserResourceListSchema = import_zod.z.array(
+  import_zod.z.object({
+    inherited: import_zod.z.boolean(),
+    resource: import_zod.z.object({
+      id: import_zod.z.string(),
+      name: import_zod.z.string(),
+      parents: import_zod.z.object({
+        id: import_zod.z.string(),
+        type: ResourceTypeSchema
+      }).array(),
+      type: ResourceTypeSchema
+    }).catchall(import_zod.z.unknown()),
+    role: import_zod.z.string()
+  })
+);
 var TransactionHistoryResponseSchema = import_zod.z.object({
   items: import_zod.z.object({
     amount: import_zod.z.number().int(),
     createdAt: import_zod.z.iso.datetime(),
     environmentId: import_zod.z.string(),
     id: import_zod.z.string(),
-    limitType: import_zod.z.string(),
+    limitType: UsageLimitTypeSchema,
     resourceId: import_zod.z.string(),
-    resourceType: import_zod.z.string(),
+    resourceType: ResourceTypeSchema,
     tags: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).nullable()
   }).array()
 });
 var UsageCheckBodySchema = import_zod.z.object({
   amount: import_zod.z.number().int(),
-  limitType: import_zod.z.string(),
+  limitType: UsageLimitTypeSchema,
   period: import_zod.z.enum(["monthly", "yearly", "lifetime"]),
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string()
+  resourceType: ResourceTypeSchema
 });
 var UsageConsumeBodySchema = import_zod.z.object({
   amount: import_zod.z.number().int(),
-  limitType: import_zod.z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   tags: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional()
 });
 var UsageCreditBodySchema = import_zod.z.object({
   amount: import_zod.z.number().int(),
-  limitType: import_zod.z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   tags: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional()
 });
 var UsageWalletResponseSchema = import_zod.z.object({
@@ -840,72 +1178,11 @@ var UsageWalletResponseSchema = import_zod.z.object({
   createdAt: import_zod.z.iso.datetime(),
   environmentId: import_zod.z.string(),
   id: import_zod.z.string(),
-  limitType: import_zod.z.string(),
+  limitType: UsageLimitTypeSchema,
   resourceId: import_zod.z.string(),
-  resourceType: import_zod.z.string(),
+  resourceType: ResourceTypeSchema,
   tags: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).nullable()
 });
-var UserSchema = import_zod.z.object({
-  avatarUrl: import_zod.z.string().nullable(),
-  createdAt: import_zod.z.iso.datetime(),
-  email: import_zod.z.email(),
-  emailVerified: import_zod.z.boolean(),
-  firstName: import_zod.z.string().nullable(),
-  id: import_zod.z.string(),
-  lastLoginAt: import_zod.z.iso.datetime().nullable(),
-  lastName: import_zod.z.string().nullable(),
-  lookupKey: import_zod.z.string().nullable(),
-  updatedAt: import_zod.z.iso.datetime()
-});
-var UserCreateBodySchema = import_zod.z.object({
-  avatarUrl: import_zod.z.url().optional(),
-  email: import_zod.z.email(),
-  firstName: import_zod.z.string().nullable().optional(),
-  lastName: import_zod.z.string().nullable().optional(),
-  lookupKey: import_zod.z.string(),
-  newUser: import_zod.z.boolean().nullable().optional(),
-  password: import_zod.z.string().nullable().optional()
-});
-var UserListSchema = import_zod.z.object({
-  items: import_zod.z.object({
-    avatarUrl: import_zod.z.string().nullable(),
-    createdAt: import_zod.z.iso.datetime(),
-    email: import_zod.z.email(),
-    emailVerified: import_zod.z.boolean(),
-    firstName: import_zod.z.string().nullable(),
-    id: import_zod.z.string(),
-    lastLoginAt: import_zod.z.iso.datetime().nullable(),
-    lastName: import_zod.z.string().nullable(),
-    lookupKey: import_zod.z.string().nullable(),
-    updatedAt: import_zod.z.iso.datetime()
-  }).array(),
-  limit: import_zod.z.number(),
-  page: import_zod.z.number(),
-  total: import_zod.z.number()
-});
-var UserResourceListSchema = import_zod.z.array(
-  import_zod.z.object({
-    inherited: import_zod.z.boolean(),
-    resource: import_zod.z.object({
-      id: import_zod.z.string(),
-      name: import_zod.z.string(),
-      parents: import_zod.z.object({
-        id: import_zod.z.string(),
-        type: import_zod.z.string()
-      }).array(),
-      type: import_zod.z.string()
-    }).catchall(import_zod.z.unknown()),
-    role: import_zod.z.string()
-  })
-);
-var UserUpdateBodySchema = import_zod.z.object({
-  avatarUrl: import_zod.z.url().nullable().optional(),
-  email: import_zod.z.email().optional(),
-  firstName: import_zod.z.string().nullable().optional(),
-  lastName: import_zod.z.string().nullable().optional(),
-  lookupKey: import_zod.z.string().optional(),
-  password: import_zod.z.string().optional()
-});
 var ResourceListSchema = import_zod.z.object({
   items: ResourceSchema.array(),
   limit: import_zod.z.number(),
@@ -920,6 +1197,14 @@ var EntitlementsListForTenantQuerySchema = import_zod.z.object({
   /** The unique identifier of the user */
   userId: import_zod.z.string()
 });
+var OauthCheckConsentRequiredQuerySchema = import_zod.z.object({
+  /** OAuth2 client ID */
+  client_id: import_zod.z.string(),
+  /** Redirect URI */
+  redirect_uri: import_zod.z.string().optional(),
+  /** Space-separated list of scopes */
+  scope: import_zod.z.string().optional()
+});
 var ResourceMembersListQuerySchema = import_zod.z.object({
   /** Number of items per page (minimum: 1, maximum: 100) */
   limit: import_zod.z.number().optional(),
@@ -944,7 +1229,7 @@ var RolesListQuerySchema = import_zod.z.object({
   /** Filter roles by specific resource ID */
   resourceId: import_zod.z.string().optional(),
   /** Filter roles by resource type */
-  resourceType: import_zod.z.string().optional(),
+  resourceType: ResourceTypeSchema.optional(),
   /** Filter by role name */
   role: import_zod.z.string().optional()
 });
@@ -1001,7 +1286,7 @@ var TokenVerifier = class {
     if (!response.ok) {
       const errorText = await response.text();
       console.error(`[TokenVerifier] \u274C Failed to fetch JWKs: ${response.status} ${errorText}`);
-      throw new import_fetch10.FetchError("Failed to fetch JWKs", response.status, errorText);
+      throw new import_fetch.FetchError("Failed to fetch JWKs", response.status, errorText);
     }
     const jwkSet = await response.json();
     console.log(`[TokenVerifier] \u2705 Successfully fetched JWK Set with ${jwkSet.keys.length} keys`);