@camstack/addon-admin-ui 0.1.36 → 0.1.38

package/dist/server/addon.js

@@ -5069,6 +5069,7 @@ const WELL_KNOWN_TABS = [
   { id: "osd", label: "OSD", icon: "type", order: 18 },
   { id: "stream-broker", label: "Stream Broker", icon: "radio", order: 20 },
   { id: "streaming", label: "Streaming", icon: "video", order: 35 },
+  { id: "ptz", label: "PTZ", icon: "move", order: 40 },
   { id: "pipeline", label: "Detection Pipeline", icon: "cpu", order: 39 },
   { id: "zones", label: "Detection", icon: "shapes", order: 38 },
   { id: "live-stats", label: "Live Stats", icon: "activity", order: 39 },
@@ -5136,6 +5137,9 @@ function hydrateField(field, values) {
     return { ...field, value: items };
   }
   const rawValue = storedValue !== void 0 ? storedValue : defaultValue !== void 0 ? defaultValue : null;
+  if (field.type === "password") {
+    return { ...field, value: "" };
+  }
   const value = field.type === "textarea" && field.isJson && rawValue !== null && typeof rawValue === "object" ? JSON.stringify(rawValue, null, 2) : rawValue;
   const hydrated = { ...field, value };
   return hydrated;
@@ -5222,7 +5226,19 @@ const DecoderSessionConfigSchema = object({
    * on every line so `grep tag=broker:5/high` filters one camera
    * profile cleanly.
    */
-  tag: string().optional()
+  tag: string().optional(),
+  /**
+   * Where the session delivers decoded frames (Phase 5 / D9):
+   *
+   * - `'callback'` (default) — the legacy pixel path: decoded frames are
+   *   buffered as `DecodedFrame`s and drained via `pullFrames`.
+   * - `'shm'` — the shared-memory frame plane: decoded frames are written
+   *   into an OS shared-memory ring and drained as zero-pixel
+   *   `FrameHandle`s via `pullHandles`. A session is one mode or the
+   *   other — `pullFrames` returns nothing for an `'shm'` session and
+   *   `pullHandles` returns nothing for a `'callback'` session.
+   */
+  frameSink: _enum(["callback", "shm"]).default("callback")
 });
 const YAMNET_TO_MACRO = {
   mapping: {
@@ -5952,6 +5968,53 @@ const DecodedFrameSchema = object({
   format: _enum(["jpeg", "rgb", "bgr", "yuv420", "gray"]),
   timestamp: number()
 });
+const FrameHandleSchema = object({
+  shmId: string(),
+  slot: number().int().nonnegative(),
+  seq: number().int().nonnegative(),
+  width: number().int().positive(),
+  height: number().int().positive(),
+  format: _enum(["jpeg", "rgb", "bgr", "yuv420", "gray"]),
+  pts: number(),
+  byteLength: number().int().nonnegative(),
+  nodeId: string(),
+  slotCount: number().int().positive()
+});
+const FrameHandleFormatSchema = _enum(["rgb", "bgr", "yuv420", "gray"]);
+const SubscribeFramesInputSchema = object({
+  brokerId: string(),
+  format: FrameHandleFormatSchema,
+  /**
+   * Optional reader-side cadence hint in frames per second. The broker does
+   * NOT throttle — latest-wins ring reads drop frames implicitly for a slow
+   * consumer. The value is echoed back in `SubscribeFramesResult.maxFps` so
+   * the consumer can pace its own `pullFrameHandles` polling.
+   */
+  maxFps: number().positive().optional(),
+  /** Short caller-identity tag (`motion`, `detection`, …) for diagnostics. */
+  tag: string().optional()
+});
+const SubscribeFramesResultSchema = object({
+  /** Opaque id the consumer passes to `pullFrameHandles` / `unsubscribeFrames`. */
+  subscriptionId: string(),
+  /** Reader-side cadence hint (frames/s) — echoes `SubscribeFramesInput.maxFps`. */
+  maxFps: number().nonnegative()
+});
+const DecodedAudioChunkSchema = object({
+  data: _instanceof(Uint8Array),
+  sampleRate: number().int().positive(),
+  channels: number().int().positive(),
+  timestamp: number()
+});
+const SubscribeAudioChunksInputSchema = object({
+  brokerId: string(),
+  /** Short caller-identity tag (`audio-analyzer`, …) for `listClients`. */
+  tag: string().optional()
+});
+const SubscribeAudioChunksResultSchema = object({
+  /** Opaque id passed to `pullAudioChunks` / `unsubscribeAudioChunks`. */
+  subscriptionId: string()
+});
 const BrokerStatusSchema$1 = _enum(["idle", "connecting", "streaming", "error", "stopped"]);
 const BrokerStatsSchema = object({
   status: BrokerStatusSchema$1,
@@ -6173,9 +6236,76 @@ const RtpSourceSchema = object({
       object({ released: boolean(), refcount: number().int().nonnegative() }),
       { kind: "mutation", auth: "admin" }
     ),
-    getBroker: method(
-      object({ brokerId: string() }),
-      custom()
+    /**
+     * ── Decoded audio-chunk plane (Phase 5 / D9) ──────────────────────
+     *
+     * The serialisable replacement for the live-object `IStreamBroker.
+     * onDecodedAudioChunk` callback path. Unlike the video frame plane,
+     * audio chunks are tiny (a ~500ms PCM window is a few KB) so they ship
+     * their bytes INLINE over tRPC — no shared-memory ring. A consumer:
+     *
+     *   1. `subscribeAudioChunks({ brokerId, tag })` — the broker registers
+     *      a per-subscription bounded FIFO queue and returns a
+     *      `subscriptionId`.
+     *   2. polls `pullAudioChunks({ subscriptionId, maxCount })` — drains
+     *      `DecodedAudioChunk[]` in arrival order (FIFO, no latest-wins
+     *      drop: an audio gap is audible / breaks an analysis window). The
+     *      queue is generously sized; it only drops its oldest chunk if a
+     *      truly stalled consumer lets it overflow.
+     *   3. `unsubscribeAudioChunks({ subscriptionId })` on teardown.
+     */
+    subscribeAudioChunks: method(
+      SubscribeAudioChunksInputSchema,
+      SubscribeAudioChunksResultSchema,
+      { kind: "mutation" }
+    ),
+    pullAudioChunks: method(
+      object({
+        subscriptionId: string(),
+        maxCount: number().int().positive().default(8)
+      }),
+      array(DecodedAudioChunkSchema).readonly()
+    ),
+    unsubscribeAudioChunks: method(
+      object({ subscriptionId: string() }),
+      object({ released: boolean() }),
+      { kind: "mutation" }
+    ),
+    /**
+     * ── Shared-memory frame plane (Phase 5 / D9) ──────────────────────
+     *
+     * The handle-based replacement for the live-object `IStreamBroker.
+     * onDecodedFrame` callback path. A consumer:
+     *
+     *   1. `subscribeFrames({ brokerId, format })` — the broker spins up
+     *      (or reuses) a `frameSink: 'shm'` decoder session producing that
+     *      `format` and returns a `subscriptionId`.
+     *   2. polls `pullFrameHandles({ subscriptionId, maxCount })` — drains
+     *      zero-pixel `FrameHandle[]`; each handle is fed to a
+     *      `FrameRingReader` that opens the named shm segment and reads the
+     *      pixels back zero-copy.
+     *   3. `unsubscribeFrames({ subscriptionId })` on teardown.
+     *
+     * The broker keeps one shm ring per `(brokerId, format)` actually
+     * requested — no broker-side `sharp` conversion. fps throttling is
+     * implicit (latest-wins ring reads drop frames for a slow consumer).
+     */
+    subscribeFrames: method(
+      SubscribeFramesInputSchema,
+      SubscribeFramesResultSchema,
+      { kind: "mutation" }
+    ),
+    pullFrameHandles: method(
+      object({
+        subscriptionId: string(),
+        maxCount: number().int().positive().default(4)
+      }),
+      array(FrameHandleSchema).readonly()
+    ),
+    unsubscribeFrames: method(
+      object({ subscriptionId: string() }),
+      object({ released: boolean() }),
+      { kind: "mutation" }
     ),
     setPreBufferDuration: method(
       object({ brokerId: string(), seconds: number().min(0).max(30) }),
@@ -7253,6 +7383,34 @@ MotionTriggerStatusSchema.extend({
     }) }
   }
 });
+object({
+  enabled: boolean(),
+  sensitivity: number(),
+  /** Row-major active-cell grid. Length = gridWidth*gridHeight (see getOptions). */
+  cells: array(boolean()),
+  lastFetchedAt: number()
+});
+const MotionZoneOptionsSchema = object({
+  gridWidth: number(),
+  gridHeight: number(),
+  sensitivity: object({ min: number(), max: number(), step: number() })
+});
+const MotionZonePatchSchema = object({
+  enabled: boolean().optional(),
+  sensitivity: number().optional(),
+  cells: array(boolean()).optional()
+});
+({
+  deviceTypes: [DeviceType.Camera],
+  methods: {
+    getOptions: method(object({ deviceId: number() }), MotionZoneOptionsSchema),
+    setZone: method(
+      object({ deviceId: number(), patch: MotionZonePatchSchema }),
+      _void(),
+      { kind: "mutation", auth: "admin" }
+    )
+  }
+});
 const AutotrackTargetTypeSchema = string().describe("Vendor target string (people/vehicle/pet); empty = camera default");
 const PtzAutotrackSettingsSchema = object({
   targetType: AutotrackTargetTypeSchema,
@@ -7341,6 +7499,100 @@ PtzAutotrackStatusSchema.extend({
     }) }
   }
 });
+const StreamProfileSchema = _enum(["main", "sub", "ext"]);
+const StreamProfileConfigSchema = object({
+  width: number(),
+  height: number(),
+  codec: _enum(["h264", "h265"]),
+  framerate: number(),
+  bitrate: number(),
+  // kbps
+  bitrateMode: _enum(["vbr", "cbr"]).optional(),
+  encoderProfile: _enum(["high", "main", "baseline"]).optional(),
+  gop: number().optional(),
+  audio: boolean().optional()
+});
+object({
+  /** Per-profile current config. A profile absent = the camera doesn't have it. */
+  main: StreamProfileConfigSchema.optional(),
+  sub: StreamProfileConfigSchema.optional(),
+  ext: StreamProfileConfigSchema.optional(),
+  lastFetchedAt: number()
+});
+const StreamProfileOptionsSchema = object({
+  resolutions: array(object({ width: number(), height: number() })),
+  codecs: array(_enum(["h264", "h265"])),
+  framerates: array(number()),
+  /** Allowed bitrate values (kbps). Empty if the camera takes a free range. */
+  bitrates: array(number()),
+  /** Optional [min,max] kbps when the camera accepts a continuous range. */
+  bitrateRange: tuple([number(), number()]).optional(),
+  supportsBitrateMode: boolean(),
+  supportsEncoderProfile: boolean(),
+  supportsGop: boolean(),
+  /** Allowed GOP / keyframe-interval range, in seconds — drives the
+   *  I-frame-interval selector. Absent when the camera advertises GOP
+   *  support but no concrete range (callers then fall back to a free
+   *  numeric input). `{ min, max, step }` per the getOptions convention. */
+  gop: object({ min: number(), max: number(), step: number() }).optional()
+});
+const StreamParamsOptionsSchema = object({
+  main: StreamProfileOptionsSchema.optional(),
+  sub: StreamProfileOptionsSchema.optional(),
+  ext: StreamProfileOptionsSchema.optional()
+});
+const StreamProfilePatchSchema = object({
+  width: number().optional(),
+  height: number().optional(),
+  codec: _enum(["h264", "h265"]).optional(),
+  framerate: number().optional(),
+  bitrate: number().optional(),
+  bitrateMode: _enum(["vbr", "cbr"]).optional(),
+  encoderProfile: _enum(["high", "main", "baseline"]).optional(),
+  gop: number().optional(),
+  audio: boolean().optional()
+});
+({
+  deviceTypes: [DeviceType.Camera],
+  methods: {
+    getOptions: method(
+      object({ deviceId: number() }),
+      StreamParamsOptionsSchema
+    ),
+    setProfile: method(
+      object({
+        deviceId: number(),
+        profile: StreamProfileSchema,
+        patch: StreamProfilePatchSchema
+      }),
+      _void(),
+      { kind: "mutation", auth: "admin" }
+    ),
+    /**
+     * Build the `ConfigUISchema` (admin-ui `ConfigFormBuilder` input
+     * shape) for this camera's stream-encoder settings — one section per
+     * profile (main / sub / ext) with the resolution / codec / framerate
+     * / bitrate / bitrate-mode / encoder-profile / GOP controls the
+     * firmware actually exposes.
+     *
+     * Driven by `getOptions` (camera-probed availability) + `getStatus`
+     * (current per-profile config); each field's `default` is seeded
+     * from the live config so the form renders the camera state in one
+     * pass. Returns `null` when the camera exposes no configurable
+     * stream property — the renderer then shows the unsupported message.
+     *
+     * Output is `z.unknown().nullable()` — the same convention every
+     * other `ConfigUISchema`-returning cap method uses (`device-ops`,
+     * `device-manager`); `ConfigUISchema` is a TS-only type with no
+     * companion Zod schema, and a concrete object would collapse
+     * unrelated AppRouter branches to `unknown` during codegen.
+     */
+    getConfigSchema: method(
+      object({ deviceId: number() }),
+      unknown().nullable()
+    )
+  }
+});
 object({
   on: boolean(),
   /** Ms epoch of the last state change. Useful for UI "X minutes ago". */
@@ -8282,6 +8534,83 @@ const adminUiCapability = {
     getVersion: method(_void(), VersionOutputSchema)
   }
 };
+const MethodAccessSchema = _enum(["view", "create", "delete"]);
+const AllowedProviderSchema = union([literal("*"), array(string())]);
+const AllowedDevicesSchema = record(string(), union([literal("*"), array(string())]));
+const CapScopeSchema = _enum(["device", "system"]);
+const TokenScopeSchema = discriminatedUnion("type", [
+  object({
+    type: literal("category"),
+    target: CapScopeSchema,
+    access: array(MethodAccessSchema).min(1)
+  }),
+  object({
+    type: literal("capability"),
+    target: string(),
+    access: array(MethodAccessSchema).min(1)
+  }),
+  object({
+    type: literal("addon"),
+    target: string(),
+    access: array(MethodAccessSchema).min(1)
+  }),
+  object({
+    type: literal("device"),
+    /**
+     * One or more deviceIds (serialised as strings for wire-format
+     * consistency with the rest of the union). Matcher accepts if
+     * `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
+     * of one scope-per-device when granting access to a set of cameras.
+     */
+    targets: array(string()).min(1),
+    access: array(MethodAccessSchema).min(1)
+  })
+]);
+object({
+  id: string(),
+  username: string(),
+  passwordHash: string(),
+  /**
+   * Admin bypass. When true, the middleware skips the scope-access
+   * check entirely. There is no other axis of privilege; the legacy
+   * role enum collapsed onto this boolean in v2.
+   */
+  isAdmin: boolean().default(false),
+  allowedProviders: AllowedProviderSchema,
+  allowedDevices: AllowedDevicesSchema,
+  /**
+   * Scopes granted to this user. Admins bypass; their `scopes` is
+   * ignored. Non-admins without scopes are locked out of every
+   * protected call.
+   */
+  scopes: array(TokenScopeSchema).default([]),
+  createdAt: number(),
+  updatedAt: number()
+});
+object({
+  id: string(),
+  label: string(),
+  isAdmin: boolean().default(false),
+  allowedProviders: AllowedProviderSchema,
+  allowedDevices: AllowedDevicesSchema,
+  tokenHash: string(),
+  tokenPrefix: string(),
+  createdAt: number(),
+  lastUsedAt: number().optional()
+});
+object({
+  id: string(),
+  userId: string(),
+  name: string(),
+  tokenHash: string(),
+  tokenPrefix: string(),
+  scopes: array(TokenScopeSchema),
+  // SQLite/JSON storage round-trips undefined → null. Use `nullish` so the
+  // schema accepts both `null` (read from disk) and `undefined` (in-memory).
+  expiresAt: number().nullish(),
+  lastUsedAt: number().nullish(),
+  createdAt: number()
+});
 const SsoBridgeClaimsSchema = object({
   userId: string(),
   username: string(),
@@ -8297,7 +8626,18 @@ const SsoBridgeClaimsSchema = object({
    * JWT WITHOUT verifying the signature — the hub re-verifies on every
    * inbound call so trust still rests with the signing hub.
    */
-  hubUrl: string().optional()
+  hubUrl: string().optional(),
+  /** Permission scopes baked into the token. Set by the OAuth
+   *  account-linking grant; absent on ordinary SSO-login tokens. */
+  scopes: array(TokenScopeSchema).optional(),
+  /** OAuth authorization-code binding — set only on `oauth-code` tokens. */
+  redirectUri: string().optional(),
+  integrationId: string().optional(),
+  /** JWT ID — unique per issued code; consumed-set enforces single-use. */
+  jti: string().optional(),
+  /** OAuth session registry id — set on `oauth-access`/`oauth-refresh`
+   *  tokens so the verify path can check the session is not revoked. */
+  sessionId: string().optional()
 });
 ({
   methods: {
@@ -8314,6 +8654,23 @@ const SsoBridgeClaimsSchema = object({
     )
   }
 });
+const OauthIntegrationDescriptorSchema = object({
+  /** Stable id used as the `integration=` query param, e.g. 'export-alexa'. */
+  integrationId: string(),
+  /** Human label rendered on the consent page. */
+  displayName: string(),
+  /** Scopes baked into every token issued for this integration. */
+  requestedScopes: array(TokenScopeSchema),
+  /** Allowed redirect_uri prefixes. /api/oauth2/authorize rejects any
+   *  redirect_uri that does not start with one of these. Required —
+   *  an empty list means the integration can never complete linking. */
+  allowedRedirectPrefixes: array(string()).min(1)
+});
+({
+  methods: {
+    getDescriptor: method(_void(), OauthIntegrationDescriptorSchema)
+  }
+});
 const PasskeySummarySchema = object({
   credentialId: string(),
   label: string(),
@@ -8594,21 +8951,30 @@ const AddonPageDeclarationSchema = object({
 });
 const WidgetHostEnum = _enum(["device-tab", "dashboard", "integration-detail"]);
 const WidgetSizeEnum = _enum(["xs", "sm", "md", "lg", "xl"]);
+const WidgetRemoteSchema = object({
+  remoteName: string(),
+  exposedModule: string(),
+  componentKey: string().optional()
+});
 const WidgetMetadataSchema = object({
-  /** Stable id within the addon — kebab-case. */
-  stableId: string(),
+  // ── UiContribution core (kind:'remote') ──────────────────────────
+  /** Primary host tab — `'dashboard'`, `'device-tab'`, or a device-detail tab id. */
+  tab: string(),
+  /** Optional sub-tab within `tab`. */
+  subTab: string().optional(),
   /** Operator-facing label. */
   label: string(),
+  /** Ordering within `(tab, subTab)`, ascending. */
+  order: number().optional(),
+  /** Always `'remote'` — a widget is a Module Federation remote. */
+  kind: literal("remote"),
+  /** MF remote descriptor. */
+  remote: WidgetRemoteSchema,
+  // ── Widget-only metadata ─────────────────────────────────────────
+  /** Stable id within the addon — kebab-case. Equals `remote.componentKey`. */
+  stableId: string(),
   description: string().optional(),
   icon: string().optional(),
-  /**
-   * Module Federation remote name — must match the `name` field on the
-   * widget addon's `federation()` plugin config. Used by the host's
-   * `<WidgetRegistryProvider>` to call `loadRemote('<remoteName>/widgets')`.
-   * Conventionally `addon_<addonid>_widgets` (snake_case; MF names
-   * cannot contain hyphens).
-   */
-  remoteName: string(),
   /**
    * Bundle filename inside the addon's `dist/` dir served at
    * `/api/addon-widgets/<addonId>/<bundle>`. With Module Federation
@@ -8617,9 +8983,9 @@ const WidgetMetadataSchema = object({
    * cache-buster URL without a separate filesystem stat.
    */
   bundle: string(),
-  /** Where the widget makes sense to render. */
+  /** Every host the widget supports. The picker filters on this set. */
   hosts: array(WidgetHostEnum).readonly(),
-  /** Required props the host must supply. Validated at <WidgetSlot> mount. */
+  /** Required props the host must supply. Validated at `<WidgetSlot>` mount. */
   requires: object({
     deviceContext: boolean().default(false),
     integrationContext: boolean().default(false)
@@ -8690,6 +9056,16 @@ const InvokeReplyEnvelopeSchema = object({
     invoke: method(InvokeRequestSchema, InvokeReplyEnvelopeSchema, { kind: "mutation" })
   }
 });
+const ShmRingStatsSchema = object({
+  sessionId: string(),
+  slotCount: number().int(),
+  slotByteLength: number().int(),
+  segmentBytes: number().int(),
+  budgetMb: number().int(),
+  framesWritten: number().int(),
+  getFrameHits: number().int(),
+  getFrameMisses: number().int()
+});
 ({
   methods: {
     // ── Discovery ─────────────────────────────────────────────────
@@ -8717,10 +9093,27 @@ const InvokeReplyEnvelopeSchema = object({
       url: string()
     }), _void()),
     // ── Output — polling-based frame retrieval ────────────────────
+    // `pullFrames` drains the pixel `DecodedFrame[]` of a `frameSink:
+    // 'callback'` session. `pullHandles` (Phase 5 / D9) drains the
+    // zero-pixel `FrameHandle[]` of a `frameSink: 'shm'` session — the
+    // broker hands each handle to a `FrameRingReader` that opens the
+    // named segment and reads the pixels back zero-copy. A session is
+    // one mode or the other; the unmatched method returns an empty
+    // array.
     pullFrames: method(object({
       sessionId: string(),
       maxCount: number().default(1)
     }), array(DecodedFrameSchema)),
+    pullHandles: method(object({
+      sessionId: string(),
+      maxCount: number().default(1)
+    }), array(FrameHandleSchema)),
+    // ── Frame fetch (Phase 5 / D9 downstream access) ──────────────
+    // Read the pixels a FrameHandle refers to from this node's shm ring.
+    // Returns null when the slot was already recycled (latest-wins).
+    getFrame: method(object({ handle: FrameHandleSchema }), DecodedFrameSchema.nullable()),
+    // shm ring usage stats for a session.
+    getShmStats: method(object({ sessionId: string() }), ShmRingStatsSchema.nullable()),
     // ── Control ───────────────────────────────────────────────────
     updateConfig: method(object({
       sessionId: string(),
@@ -9888,8 +10281,8 @@ const DevicePersistConfigPayloadSchema = object({
     /**
      * Return the addon ids that declared a wrapper provider for `capName`.
      * Backs the device-bindings UI's wrapper-picker dropdown. Entries are
-     * sourced from `CapabilityRegistry.wrapperProviders`, populated at
-     * `ProviderRegistration.kind === 'wrapper'` time.
+     * sourced from `CapabilityRegistry.wrapperProviders`, populated when
+     * the cap definition declares `kind: 'wrapper'`.
      */
     listWrappersForCap: method(
       object({ capName: string() }),
@@ -10979,6 +11372,18 @@ const PtzMoveCommandSchema = object({
   zoom: number().optional(),
   speed: number().optional()
 });
+PtzPositionSchema.extend({ autofocus: boolean() });
+const PtzOptionsSchema = object({
+  hasPan: boolean(),
+  hasTilt: boolean(),
+  hasZoom: boolean(),
+  supportsPresets: boolean(),
+  /** Max number of named presets the camera supports, when known. */
+  maxPresets: number().optional(),
+  /** Whether the camera exposes a controllable autofocus toggle
+   *  (boolean `hasX` per the getOptions availability convention). */
+  hasAutofocus: boolean()
+});
 ({
   deviceTypes: [DeviceType.Camera],
   methods: {
@@ -11006,6 +11411,20 @@ const PtzMoveCommandSchema = object({
       _void(),
       { kind: "mutation" }
     ),
+    savePreset: method(
+      object({ deviceId: number(), presetId: string(), name: string() }),
+      _void(),
+      { kind: "mutation", auth: "admin" }
+    ),
+    deletePreset: method(
+      object({ deviceId: number(), presetId: string() }),
+      _void(),
+      { kind: "mutation", auth: "admin" }
+    ),
+    getOptions: method(
+      object({ deviceId: number() }),
+      PtzOptionsSchema
+    ),
     goHome: method(
       object({ deviceId: number() }),
       _void(),
@@ -11020,6 +11439,13 @@ const PtzMoveCommandSchema = object({
     getPosition: method(
       object({ deviceId: number() }),
       PtzPositionSchema
+    ),
+    /** Toggle the camera's autofocus. Only meaningful when
+     *  `getOptions().hasAutofocus` is true. */
+    setAutofocus: method(
+      object({ deviceId: number(), enabled: boolean() }),
+      _void(),
+      { kind: "mutation" }
     )
   }
 });
@@ -11955,83 +12381,6 @@ const MeshStatusSchema = object({
     // tabs driven by this cap.
   }
 });
-const MethodAccessSchema = _enum(["view", "create", "delete"]);
-const AllowedProviderSchema = union([literal("*"), array(string())]);
-const AllowedDevicesSchema = record(string(), union([literal("*"), array(string())]));
-const CapScopeSchema = _enum(["device", "system"]);
-const TokenScopeSchema = discriminatedUnion("type", [
-  object({
-    type: literal("category"),
-    target: CapScopeSchema,
-    access: array(MethodAccessSchema).min(1)
-  }),
-  object({
-    type: literal("capability"),
-    target: string(),
-    access: array(MethodAccessSchema).min(1)
-  }),
-  object({
-    type: literal("addon"),
-    target: string(),
-    access: array(MethodAccessSchema).min(1)
-  }),
-  object({
-    type: literal("device"),
-    /**
-     * One or more deviceIds (serialised as strings for wire-format
-     * consistency with the rest of the union). Matcher accepts if
-     * `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
-     * of one scope-per-device when granting access to a set of cameras.
-     */
-    targets: array(string()).min(1),
-    access: array(MethodAccessSchema).min(1)
-  })
-]);
-object({
-  id: string(),
-  username: string(),
-  passwordHash: string(),
-  /**
-   * Admin bypass. When true, the middleware skips the scope-access
-   * check entirely. There is no other axis of privilege; the legacy
-   * role enum collapsed onto this boolean in v2.
-   */
-  isAdmin: boolean().default(false),
-  allowedProviders: AllowedProviderSchema,
-  allowedDevices: AllowedDevicesSchema,
-  /**
-   * Scopes granted to this user. Admins bypass; their `scopes` is
-   * ignored. Non-admins without scopes are locked out of every
-   * protected call.
-   */
-  scopes: array(TokenScopeSchema).default([]),
-  createdAt: number(),
-  updatedAt: number()
-});
-object({
-  id: string(),
-  label: string(),
-  isAdmin: boolean().default(false),
-  allowedProviders: AllowedProviderSchema,
-  allowedDevices: AllowedDevicesSchema,
-  tokenHash: string(),
-  tokenPrefix: string(),
-  createdAt: number(),
-  lastUsedAt: number().optional()
-});
-object({
-  id: string(),
-  userId: string(),
-  name: string(),
-  tokenHash: string(),
-  tokenPrefix: string(),
-  scopes: array(TokenScopeSchema),
-  // SQLite/JSON storage round-trips undefined → null. Use `nullish` so the
-  // schema accepts both `null` (read from disk) and `undefined` (in-memory).
-  expiresAt: number().nullish(),
-  lastUsedAt: number().nullish(),
-  createdAt: number()
-});
 const UserSummarySchema = object({
   id: string(),
   username: string(),
@@ -12104,6 +12453,16 @@ const CreateScopedTokenResultSchema = object({
   token: string(),
   record: ScopedTokenSummarySchema
 });
+const OauthSessionSummarySchema = object({
+  id: string(),
+  userId: string(),
+  username: string(),
+  integrationId: string(),
+  scopes: array(TokenScopeSchema),
+  createdAt: number(),
+  lastUsedAt: number(),
+  revokedAt: number().nullable()
+});
 const TotpSetupResultSchema = object({
   secret: string(),
   otpauthUrl: string()
@@ -12179,6 +12538,66 @@ const TotpStatusSchema = object({
       object({ userId: string(), code: string() }),
       object({ valid: boolean() }),
       { kind: "mutation", access: "view" }
+    ),
+    // ── OAuth account-linking grant ────────────────────────────────
+    //
+    // Core's /oauth2/* endpoints delegate here. Tokens are sso-bridge
+    // JWTs (kinds oauth-code / oauth-access / oauth-refresh) and ALWAYS
+    // carry isAdmin:false — the operator login proves hub control; the
+    // issued token is minimal (device scope only).
+    oauthIssueCode: method(
+      object({
+        integrationId: string(),
+        userId: string(),
+        username: string(),
+        scopes: array(TokenScopeSchema),
+        redirectUri: string(),
+        hubUrl: string()
+      }),
+      object({ code: string() }),
+      { kind: "mutation", access: "create" }
+    ),
+    oauthExchangeCode: method(
+      object({ code: string(), redirectUri: string() }),
+      object({
+        accessToken: string(),
+        refreshToken: string(),
+        expiresIn: number()
+      }).nullable(),
+      { kind: "mutation", access: "view" }
+    ),
+    oauthRefresh: method(
+      object({ refreshToken: string() }),
+      object({
+        accessToken: string(),
+        refreshToken: string(),
+        expiresIn: number()
+      }).nullable(),
+      { kind: "mutation", access: "view" }
+    ),
+    oauthVerifyAccessToken: method(
+      object({ token: string() }),
+      object({
+        userId: string(),
+        username: string(),
+        scopes: array(TokenScopeSchema)
+      }).nullable(),
+      { access: "view" }
+    ),
+    // ── OAuth linked-session management (Phase D) ──────────────────
+    //
+    // The admin UI lists active account-linking sessions and revokes
+    // them; revocation makes the linked integration's tokens fail
+    // verification immediately.
+    listOauthSessions: method(
+      _void(),
+      array(OauthSessionSummarySchema),
+      { auth: "admin" }
+    ),
+    revokeOauthSession: method(
+      object({ id: string() }),
+      object({ success: boolean() }),
+      { kind: "mutation", auth: "admin", access: "delete" }
     )
   }
 });
@@ -12395,6 +12814,19 @@ const RenameNodeResultSchema = object({
       record(string(), ClusterAddonStatusEntrySchema),
       { auth: "admin" }
     ),
+    getCapUsageGraph: method(
+      object({
+        windowSeconds: number().int().positive().max(300).default(60)
+      }),
+      array(object({
+        callerAddonId: string(),
+        providerAddonId: string(),
+        capName: string(),
+        callsPerMin: number(),
+        lastCallAtMs: number()
+      })).readonly(),
+      { auth: "admin" }
+    ),
     /**
      * Direct per-node addon listing — calls `$agent.status` on the target
      * node (or returns the hub registry for `nodeId === 'hub'`) and surfaces