@camstack/addon-pipeline-orchestrator 0.1.13 → 0.1.15

package/dist/index.js

@@ -5136,6 +5136,9 @@ function hydrateField(field, values) {
     return { ...field, value: items };
   }
   const rawValue = storedValue !== void 0 ? storedValue : defaultValue !== void 0 ? defaultValue : null;
+  if (field.type === "password") {
+    return { ...field, value: "" };
+  }
   const value = field.type === "textarea" && field.isJson && rawValue !== null && typeof rawValue === "object" ? JSON.stringify(rawValue, null, 2) : rawValue;
   const hydrated = { ...field, value };
   return hydrated;
@@ -7345,6 +7348,34 @@ MotionTriggerStatusSchema.extend({
     }) }
   }
 });
+object({
+  enabled: boolean(),
+  sensitivity: number(),
+  /** Row-major active-cell grid. Length = gridWidth*gridHeight (see getOptions). */
+  cells: array(boolean()),
+  lastFetchedAt: number()
+});
+const MotionZoneOptionsSchema = object({
+  gridWidth: number(),
+  gridHeight: number(),
+  sensitivity: object({ min: number(), max: number(), step: number() })
+});
+const MotionZonePatchSchema = object({
+  enabled: boolean().optional(),
+  sensitivity: number().optional(),
+  cells: array(boolean()).optional()
+});
+({
+  deviceTypes: [DeviceType.Camera],
+  methods: {
+    getOptions: method(object({ deviceId: number() }), MotionZoneOptionsSchema),
+    setZone: method(
+      object({ deviceId: number(), patch: MotionZonePatchSchema }),
+      _void(),
+      { kind: "mutation", auth: "admin" }
+    )
+  }
+});
 const AutotrackTargetTypeSchema = string().describe("Vendor target string (people/vehicle/pet); empty = camera default");
 const PtzAutotrackSettingsSchema = object({
   targetType: AutotrackTargetTypeSchema,
@@ -7433,6 +7464,72 @@ PtzAutotrackStatusSchema.extend({
     }) }
   }
 });
+const StreamProfileSchema = _enum(["main", "sub", "ext"]);
+const StreamProfileConfigSchema = object({
+  width: number(),
+  height: number(),
+  codec: _enum(["h264", "h265"]),
+  framerate: number(),
+  bitrate: number(),
+  // kbps
+  bitrateMode: _enum(["vbr", "cbr"]).optional(),
+  encoderProfile: _enum(["high", "main", "baseline"]).optional(),
+  gop: number().optional(),
+  audio: boolean().optional()
+});
+object({
+  /** Per-profile current config. A profile absent = the camera doesn't have it. */
+  main: StreamProfileConfigSchema.optional(),
+  sub: StreamProfileConfigSchema.optional(),
+  ext: StreamProfileConfigSchema.optional(),
+  lastFetchedAt: number()
+});
+const StreamProfileOptionsSchema = object({
+  resolutions: array(object({ width: number(), height: number() })),
+  codecs: array(_enum(["h264", "h265"])),
+  framerates: array(number()),
+  /** Allowed bitrate values (kbps). Empty if the camera takes a free range. */
+  bitrates: array(number()),
+  /** Optional [min,max] kbps when the camera accepts a continuous range. */
+  bitrateRange: tuple([number(), number()]).optional(),
+  supportsBitrateMode: boolean(),
+  supportsEncoderProfile: boolean(),
+  supportsGop: boolean()
+});
+const StreamParamsOptionsSchema = object({
+  main: StreamProfileOptionsSchema.optional(),
+  sub: StreamProfileOptionsSchema.optional(),
+  ext: StreamProfileOptionsSchema.optional()
+});
+const StreamProfilePatchSchema = object({
+  width: number().optional(),
+  height: number().optional(),
+  codec: _enum(["h264", "h265"]).optional(),
+  framerate: number().optional(),
+  bitrate: number().optional(),
+  bitrateMode: _enum(["vbr", "cbr"]).optional(),
+  encoderProfile: _enum(["high", "main", "baseline"]).optional(),
+  gop: number().optional(),
+  audio: boolean().optional()
+});
+({
+  deviceTypes: [DeviceType.Camera],
+  methods: {
+    getOptions: method(
+      object({ deviceId: number() }),
+      StreamParamsOptionsSchema
+    ),
+    setProfile: method(
+      object({
+        deviceId: number(),
+        profile: StreamProfileSchema,
+        patch: StreamProfilePatchSchema
+      }),
+      _void(),
+      { kind: "mutation", auth: "admin" }
+    )
+  }
+});
 object({
   on: boolean(),
   /** Ms epoch of the last state change. Useful for UI "X minutes ago". */
@@ -8373,6 +8470,83 @@ const VersionOutputSchema = object({ version: string() });
     getVersion: method(_void(), VersionOutputSchema)
   }
 });
+const MethodAccessSchema = _enum(["view", "create", "delete"]);
+const AllowedProviderSchema = union([literal("*"), array(string())]);
+const AllowedDevicesSchema = record(string(), union([literal("*"), array(string())]));
+const CapScopeSchema = _enum(["device", "system"]);
+const TokenScopeSchema = discriminatedUnion("type", [
+  object({
+    type: literal("category"),
+    target: CapScopeSchema,
+    access: array(MethodAccessSchema).min(1)
+  }),
+  object({
+    type: literal("capability"),
+    target: string(),
+    access: array(MethodAccessSchema).min(1)
+  }),
+  object({
+    type: literal("addon"),
+    target: string(),
+    access: array(MethodAccessSchema).min(1)
+  }),
+  object({
+    type: literal("device"),
+    /**
+     * One or more deviceIds (serialised as strings for wire-format
+     * consistency with the rest of the union). Matcher accepts if
+     * `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
+     * of one scope-per-device when granting access to a set of cameras.
+     */
+    targets: array(string()).min(1),
+    access: array(MethodAccessSchema).min(1)
+  })
+]);
+object({
+  id: string(),
+  username: string(),
+  passwordHash: string(),
+  /**
+   * Admin bypass. When true, the middleware skips the scope-access
+   * check entirely. There is no other axis of privilege; the legacy
+   * role enum collapsed onto this boolean in v2.
+   */
+  isAdmin: boolean().default(false),
+  allowedProviders: AllowedProviderSchema,
+  allowedDevices: AllowedDevicesSchema,
+  /**
+   * Scopes granted to this user. Admins bypass; their `scopes` is
+   * ignored. Non-admins without scopes are locked out of every
+   * protected call.
+   */
+  scopes: array(TokenScopeSchema).default([]),
+  createdAt: number(),
+  updatedAt: number()
+});
+object({
+  id: string(),
+  label: string(),
+  isAdmin: boolean().default(false),
+  allowedProviders: AllowedProviderSchema,
+  allowedDevices: AllowedDevicesSchema,
+  tokenHash: string(),
+  tokenPrefix: string(),
+  createdAt: number(),
+  lastUsedAt: number().optional()
+});
+object({
+  id: string(),
+  userId: string(),
+  name: string(),
+  tokenHash: string(),
+  tokenPrefix: string(),
+  scopes: array(TokenScopeSchema),
+  // SQLite/JSON storage round-trips undefined → null. Use `nullish` so the
+  // schema accepts both `null` (read from disk) and `undefined` (in-memory).
+  expiresAt: number().nullish(),
+  lastUsedAt: number().nullish(),
+  createdAt: number()
+});
 const SsoBridgeClaimsSchema = object({
   userId: string(),
   username: string(),
@@ -8388,7 +8562,18 @@ const SsoBridgeClaimsSchema = object({
    * JWT WITHOUT verifying the signature — the hub re-verifies on every
    * inbound call so trust still rests with the signing hub.
    */
-  hubUrl: string().optional()
+  hubUrl: string().optional(),
+  /** Permission scopes baked into the token. Set by the OAuth
+   *  account-linking grant; absent on ordinary SSO-login tokens. */
+  scopes: array(TokenScopeSchema).optional(),
+  /** OAuth authorization-code binding — set only on `oauth-code` tokens. */
+  redirectUri: string().optional(),
+  integrationId: string().optional(),
+  /** JWT ID — unique per issued code; consumed-set enforces single-use. */
+  jti: string().optional(),
+  /** OAuth session registry id — set on `oauth-access`/`oauth-refresh`
+   *  tokens so the verify path can check the session is not revoked. */
+  sessionId: string().optional()
 });
 ({
   methods: {
@@ -8405,6 +8590,23 @@ const SsoBridgeClaimsSchema = object({
     )
   }
 });
+const OauthIntegrationDescriptorSchema = object({
+  /** Stable id used as the `integration=` query param, e.g. 'export-alexa'. */
+  integrationId: string(),
+  /** Human label rendered on the consent page. */
+  displayName: string(),
+  /** Scopes baked into every token issued for this integration. */
+  requestedScopes: array(TokenScopeSchema),
+  /** Allowed redirect_uri prefixes. /oauth2/authorize rejects any
+   *  redirect_uri that does not start with one of these. Required —
+   *  an empty list means the integration can never complete linking. */
+  allowedRedirectPrefixes: array(string()).min(1)
+});
+({
+  methods: {
+    getDescriptor: method(_void(), OauthIntegrationDescriptorSchema)
+  }
+});
 const PasskeySummarySchema = object({
   credentialId: string(),
   label: string(),
@@ -10294,51 +10496,6 @@ const AuthResultSchema = object({
     validateToken: method(object({ token: string() }), AuthResultSchema.nullable())
   }
 });
-const AuthProviderInfoSchema = object({
-  /** Stable id matching the addon id (used for `getLoginUrl({addonId,…})`). */
-  addonId: string(),
-  /**
-   * Per-instance id when one addon registers multiple "logical"
-   * providers (e.g. OIDC with Google + Microsoft + custom). The login
-   * URL becomes `/addon/${addonId}/${instanceId}/start` — handler reads
-   * `:instanceId` from the route. Empty/unset means the addon is a
-   * single-instance provider; the URL is `/addon/${addonId}/start`.
-   */
-  instanceId: string().optional(),
-  /** Display label shown on the login button + admin row. */
-  displayName: string(),
-  /** Optional iconography hint (lucide-react icon name OR emoji). */
-  icon: string().optional(),
-  /** When true, the provider exposes a redirect-based login flow
-   *  (`getLoginUrl` returns a URL the browser navigates to). */
-  hasRedirectFlow: boolean(),
-  /** When true, the provider exposes a credential-form login flow
-   *  (`validateCredentials` accepts username + password). */
-  hasCredentialFlow: boolean(),
-  /** Provider kind, drives admin-UI hint dispatch (oidc / saml / totp / …). */
-  kind: string().optional(),
-  /** Operator-facing status string (e.g. "Connected to https://login.acme.com"). */
-  status: string().optional(),
-  /** When false, the provider is registered but disabled by config; the
-   *  UI surfaces it as inactive without enumerating it for login. */
-  enabled: boolean()
-});
-({
-  methods: {
-    /** All registered auth providers, both enabled and disabled. */
-    listProviders: method(_void(), array(AuthProviderInfoSchema).readonly()),
-    /**
-     * Toggle a provider's enabled flag. Disabled providers stay
-     * registered but aren't surfaced on the login page. The orchestrator
-     * persists the state in `addon-settings` so it survives restarts.
-     */
-    setProviderEnabled: method(
-      object({ addonId: string(), enabled: boolean() }),
-      object({ success: literal(true) }),
-      { kind: "mutation", auth: "admin" }
-    )
-  }
-});
 const NetworkEndpointSchema = object({
   url: string(),
   hostname: string(),
@@ -10370,55 +10527,13 @@ const NetworkEndpointEntrySchema = NetworkEndpointSchema.extend({
     getEndpoint: method(_void(), NetworkEndpointSchema.nullable()),
     getStatus: method(_void(), NetworkAccessStatusSchema),
     /**
-     * Enumerate every active ingress entry. Default implementation (when
-     * the provider omits this method) is derived from `getEndpoint()` —
-     * see the remote-access orchestrator for the fallback path.
+     * Enumerate every active ingress entry. Providers that expose only a
+     * single endpoint may omit this method; callers fall back to
+     * `getEndpoint()` in that case.
      */
     listEndpoints: method(_void(), array(NetworkEndpointEntrySchema).readonly())
   }
 });
-const RemoteAccessEndpointSchema = object({
-  url: string(),
-  hostname: string(),
-  port: number(),
-  protocol: _enum(["http", "https"])
-});
-const RemoteAccessProviderInfoSchema = object({
-  /** Stable id matching the addon id. */
-  addonId: string(),
-  /** Display label shown on the admin row — sourced from the addon manifest. */
-  displayName: string(),
-  /** When false, the provider is registered but disabled. */
-  enabled: boolean(),
-  /** True when the underlying tunnel/connection is up. */
-  connected: boolean(),
-  /** Public-facing endpoint, when connected. Null otherwise. */
-  endpoint: RemoteAccessEndpointSchema.nullable(),
-  /** Last error message (when connected=false), if available. */
-  error: string().optional()
-});
-({
-  methods: {
-    /** All registered remote-access providers + their live status. */
-    listProviders: method(_void(), array(RemoteAccessProviderInfoSchema).readonly()),
-    /**
-     * Start a specific provider's tunnel. Per-provider config still
-     * lives on the addon's settings panel; this is just the on/off
-     * trigger so the admin UI can manage the lifecycle from one place.
-     */
-    startProvider: method(
-      object({ addonId: string() }),
-      RemoteAccessEndpointSchema,
-      { kind: "mutation", auth: "admin" }
-    ),
-    /** Stop a specific provider's tunnel (idempotent on already-stopped). */
-    stopProvider: method(
-      object({ addonId: string() }),
-      object({ success: literal(true) }),
-      { kind: "mutation", auth: "admin" }
-    )
-  }
-});
 const TurnServerSchema = object({
   /** Single URL or list of URLs (e.g. "turn:turn.example.com:3478?transport=udp"). */
   urls: union([string(), array(string())]),
@@ -10438,45 +10553,6 @@ const TurnServerSchema = object({
     )
   }
 });
-const TurnProviderInfoSchema = object({
-  /** Stable id matching the addon id. */
-  addonId: string(),
-  /** Display label shown on the admin row — sourced from the addon manifest. */
-  displayName: string(),
-  /** When false, the provider is registered but disabled. */
-  enabled: boolean(),
-  /** Number of servers this provider is currently exposing. */
-  serverCount: number(),
-  /**
-   * Flat list of every TURN/STUN URL this provider currently exposes.
-   * One row per URL (multi-URL ICE server entries are flattened). The
-   * admin UI shows this in a compact per-provider list so operators
-   * can verify what's actually being negotiated without having to dig
-   * into the combined `getAllServers` output.
-   */
-  urls: array(string()).readonly(),
-  /** Last fetch error (when serverCount=0 due to API failure), if any. */
-  error: string().optional()
-});
-({
-  methods: {
-    /** All registered TURN providers + per-provider stats. */
-    listProviders: method(_void(), array(TurnProviderInfoSchema).readonly()),
-    /**
-     * Combined list of TURN/STUN servers from all ENABLED providers.
-     * Consumed by the WebRTC layer at session-creation time —
-     * implementations may fetch fresh short-lived credentials each
-     * call (e.g. Cloudflare API), so consumers SHOULD call per-session.
-     */
-    getAllServers: method(_void(), array(TurnServerSchema).readonly()),
-    /** Toggle a provider's enabled flag. */
-    setProviderEnabled: method(
-      object({ addonId: string(), enabled: boolean() }),
-      object({ success: literal(true) }),
-      { kind: "mutation", auth: "admin" }
-    )
-  }
-});
 const SnapshotImageSchema = object({
   base64: string(),
   contentType: string()
@@ -11204,6 +11280,14 @@ const PtzMoveCommandSchema = object({
   zoom: number().optional(),
   speed: number().optional()
 });
+const PtzOptionsSchema = object({
+  hasPan: boolean(),
+  hasTilt: boolean(),
+  hasZoom: boolean(),
+  supportsPresets: boolean(),
+  /** Max number of named presets the camera supports, when known. */
+  maxPresets: number().optional()
+});
 ({
   deviceTypes: [DeviceType.Camera],
   methods: {
@@ -11231,6 +11315,20 @@ const PtzMoveCommandSchema = object({
       _void(),
       { kind: "mutation" }
     ),
+    savePreset: method(
+      object({ deviceId: number(), presetId: string(), name: string() }),
+      _void(),
+      { kind: "mutation", auth: "admin" }
+    ),
+    deletePreset: method(
+      object({ deviceId: number(), presetId: string() }),
+      _void(),
+      { kind: "mutation", auth: "admin" }
+    ),
+    getOptions: method(
+      object({ deviceId: number() }),
+      PtzOptionsSchema
+    ),
     goHome: method(
       object({ deviceId: number() }),
       _void(),
@@ -11944,7 +12042,7 @@ const AllowedAddressesSchema = object({
     )
   }
 });
-const MeshEndpointSchema$1 = object({
+const MeshEndpointSchema = object({
   /** Stable identifier within the provider (e.g. `mesh-ipv4`, `magicdns`, `funnel`). */
   id: string(),
   /** Operator-facing label (e.g. "Mesh IPv4", "MagicDNS"). */
@@ -12017,7 +12115,7 @@ const MeshStatusSchema = object({
   /** Number of peers visible to this host (excluding self). */
   peerCount: number(),
   /** Every endpoint this provider exposes for the current host. */
-  endpoints: array(MeshEndpointSchema$1).readonly(),
+  endpoints: array(MeshEndpointSchema).readonly(),
   /** Last error from the daemon, when not joined. */
   error: string().optional(),
   // ── Account / tenant identity (generic across providers) ────────
@@ -12180,182 +12278,6 @@ const MeshStatusSchema = object({
     // tabs driven by this cap.
   }
 });
-const MeshEndpointSchema = object({
-  id: string(),
-  label: string(),
-  scope: _enum(["mesh", "public"]),
-  url: string(),
-  hostname: string(),
-  port: number(),
-  protocol: _enum(["http", "https"])
-});
-const MeshProviderInfoSchema = object({
-  /** Stable id matching the addon id. */
-  addonId: string(),
-  /** Display label shown on the admin row — sourced from the addon manifest. */
-  displayName: string(),
-  /** True when the host is joined to this provider's mesh. */
-  joined: boolean(),
-  /** Local mesh IP (empty when not joined). */
-  meshIp: string(),
-  /** MagicDNS / mesh hostname (empty when not configured). */
-  magicDnsHostname: string(),
-  /** Peer count (excluding self). */
-  peerCount: number(),
-  /** Active endpoints (mesh IP + MagicDNS + optional public Funnel). */
-  endpoints: array(MeshEndpointSchema).readonly(),
-  /** Last error reported by the provider. */
-  error: string().optional(),
-  // ── Generic identity fields mirrored from MeshStatus ─────────────
-  /** Tenant / tailnet / network display name. Empty pre-join. */
-  tenantName: string(),
-  /** Mesh DNS suffix (e.g. tailXXXX.ts.net). Empty when not configured. */
-  magicDnsSuffix: string(),
-  /** Authenticated user / account login. Null for token-only providers. */
-  userLogin: string().nullable(),
-  /** Provider control-plane URL. */
-  controlPlaneUrl: string(),
-  /** Machine-key expiry (epoch ms). Null when keys don't rotate. */
-  keyExpiry: number().nullable()
-});
-({
-  methods: {
-    /** All registered mesh-network providers + live status. */
-    listProviders: method(_void(), array(MeshProviderInfoSchema).readonly()),
-    /**
-     * Join the mesh of a specific provider. Per-provider config still
-     * lives on its settings panel; the orchestrator forwards.
-     */
-    joinProvider: method(
-      object({
-        addonId: string(),
-        authKey: string().min(8),
-        hostname: string().optional()
-      }),
-      object({ joined: literal(true) }),
-      { kind: "mutation" }
-    ),
-    leaveProvider: method(
-      object({ addonId: string() }),
-      object({ success: literal(true) }),
-      { kind: "mutation" }
-    ),
-    /**
-     * Browser-redirect login flow. Forwards to the named provider's
-     * `mesh-network.startLogin` and returns the URL the daemon
-     * prints. UI opens it in a new tab, then polls `listProviders`
-     * for `joined: true`.
-     */
-    startLoginProvider: method(
-      object({
-        addonId: string(),
-        hostname: string().optional()
-      }),
-      object({ loginUrl: string() }),
-      { kind: "mutation" }
-    ),
-    /**
-     * Sign out of the provider's account entirely (`mesh-network.logout`).
-     * Distinct from `leaveProvider` which only takes the host off-mesh;
-     * `logoutProvider` wipes credentials so the next start requires a
-     * fresh login.
-     */
-    logoutProvider: method(
-      object({ addonId: string() }),
-      object({ loggedOut: literal(true) }),
-      { kind: "mutation" }
-    ),
-    /**
-     * Per-provider peer list. Forwards to `mesh-network.listPeers` on
-     * the addressed provider. Separate from `listProviders` because
-     * peer payloads can be large on a heavily-populated tailnet —
-     * fetch only when the operator opens the Peers tab.
-     */
-    listProviderPeers: method(
-      object({ addonId: string() }),
-      object({
-        peers: array(MeshPeerSchema).readonly()
-      })
-    )
-  }
-});
-const MethodAccessSchema = _enum(["view", "create", "delete"]);
-const AllowedProviderSchema = union([literal("*"), array(string())]);
-const AllowedDevicesSchema = record(string(), union([literal("*"), array(string())]));
-const CapScopeSchema = _enum(["device", "system"]);
-const TokenScopeSchema = discriminatedUnion("type", [
-  object({
-    type: literal("category"),
-    target: CapScopeSchema,
-    access: array(MethodAccessSchema).min(1)
-  }),
-  object({
-    type: literal("capability"),
-    target: string(),
-    access: array(MethodAccessSchema).min(1)
-  }),
-  object({
-    type: literal("addon"),
-    target: string(),
-    access: array(MethodAccessSchema).min(1)
-  }),
-  object({
-    type: literal("device"),
-    /**
-     * One or more deviceIds (serialised as strings for wire-format
-     * consistency with the rest of the union). Matcher accepts if
-     * `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
-     * of one scope-per-device when granting access to a set of cameras.
-     */
-    targets: array(string()).min(1),
-    access: array(MethodAccessSchema).min(1)
-  })
-]);
-object({
-  id: string(),
-  username: string(),
-  passwordHash: string(),
-  /**
-   * Admin bypass. When true, the middleware skips the scope-access
-   * check entirely. There is no other axis of privilege; the legacy
-   * role enum collapsed onto this boolean in v2.
-   */
-  isAdmin: boolean().default(false),
-  allowedProviders: AllowedProviderSchema,
-  allowedDevices: AllowedDevicesSchema,
-  /**
-   * Scopes granted to this user. Admins bypass; their `scopes` is
-   * ignored. Non-admins without scopes are locked out of every
-   * protected call.
-   */
-  scopes: array(TokenScopeSchema).default([]),
-  createdAt: number(),
-  updatedAt: number()
-});
-object({
-  id: string(),
-  label: string(),
-  isAdmin: boolean().default(false),
-  allowedProviders: AllowedProviderSchema,
-  allowedDevices: AllowedDevicesSchema,
-  tokenHash: string(),
-  tokenPrefix: string(),
-  createdAt: number(),
-  lastUsedAt: number().optional()
-});
-object({
-  id: string(),
-  userId: string(),
-  name: string(),
-  tokenHash: string(),
-  tokenPrefix: string(),
-  scopes: array(TokenScopeSchema),
-  // SQLite/JSON storage round-trips undefined → null. Use `nullish` so the
-  // schema accepts both `null` (read from disk) and `undefined` (in-memory).
-  expiresAt: number().nullish(),
-  lastUsedAt: number().nullish(),
-  createdAt: number()
-});
 const UserSummarySchema = object({
   id: string(),
   username: string(),
@@ -12428,6 +12350,16 @@ const CreateScopedTokenResultSchema = object({
   token: string(),
   record: ScopedTokenSummarySchema
 });
+const OauthSessionSummarySchema = object({
+  id: string(),
+  userId: string(),
+  username: string(),
+  integrationId: string(),
+  scopes: array(TokenScopeSchema),
+  createdAt: number(),
+  lastUsedAt: number(),
+  revokedAt: number().nullable()
+});
 const TotpSetupResultSchema = object({
   secret: string(),
   otpauthUrl: string()
@@ -12503,6 +12435,66 @@ const TotpStatusSchema = object({
       object({ userId: string(), code: string() }),
       object({ valid: boolean() }),
       { kind: "mutation", access: "view" }
+    ),
+    // ── OAuth account-linking grant ────────────────────────────────
+    //
+    // Core's /oauth2/* endpoints delegate here. Tokens are sso-bridge
+    // JWTs (kinds oauth-code / oauth-access / oauth-refresh) and ALWAYS
+    // carry isAdmin:false — the operator login proves hub control; the
+    // issued token is minimal (device scope only).
+    oauthIssueCode: method(
+      object({
+        integrationId: string(),
+        userId: string(),
+        username: string(),
+        scopes: array(TokenScopeSchema),
+        redirectUri: string(),
+        hubUrl: string()
+      }),
+      object({ code: string() }),
+      { kind: "mutation", access: "create" }
+    ),
+    oauthExchangeCode: method(
+      object({ code: string(), redirectUri: string() }),
+      object({
+        accessToken: string(),
+        refreshToken: string(),
+        expiresIn: number()
+      }).nullable(),
+      { kind: "mutation", access: "view" }
+    ),
+    oauthRefresh: method(
+      object({ refreshToken: string() }),
+      object({
+        accessToken: string(),
+        refreshToken: string(),
+        expiresIn: number()
+      }).nullable(),
+      { kind: "mutation", access: "view" }
+    ),
+    oauthVerifyAccessToken: method(
+      object({ token: string() }),
+      object({
+        userId: string(),
+        username: string(),
+        scopes: array(TokenScopeSchema)
+      }).nullable(),
+      { access: "view" }
+    ),
+    // ── OAuth linked-session management (Phase D) ──────────────────
+    //
+    // The admin UI lists active account-linking sessions and revokes
+    // them; revocation makes the linked integration's tokens fail
+    // verification immediately.
+    listOauthSessions: method(
+      _void(),
+      array(OauthSessionSummarySchema),
+      { auth: "admin" }
+    ),
+    revokeOauthSession: method(
+      object({ id: string() }),
+      object({ success: boolean() }),
+      { kind: "mutation", auth: "admin", access: "delete" }
     )
   }
 });
@@ -13148,6 +13140,29 @@ const CustomActionInputSchema = object({
         isActive: boolean()
       })).readonly()
     ),
+    /**
+     * Toggle a single collection-cap provider on/off. Generic write-side
+     * counterpart of `listCapabilityProviders` — drives the per-provider
+     * Enable/Disable affordance in admin pages (TURN servers, etc.)
+     * without needing a bespoke orchestrator cap.
+     *
+     * Reaches the hub's `CapabilityRegistry` directly:
+     * `enableCollectionProvider` / `disableCollectionProvider` flip the
+     * registry-level `disabledProviders` set. `getCollectionEntries`
+     * already filters disabled providers out, so a disabled provider
+     * drops out of every collection aggregate immediately. Only valid
+     * for `mode: 'collection'` caps — the registry no-ops + warns for
+     * singletons.
+     */
+    setCapabilityProviderEnabled: method(
+      object({
+        capName: string().min(1),
+        addonId: string().min(1),
+        enabled: boolean()
+      }),
+      object({ success: literal(true) }),
+      { kind: "mutation", auth: "admin" }
+    ),
     /**
      * Live-update one of the framework packages marked
      * `camstack.system: true` (`@camstack/types|kernel|core|sdk|ui-library`).
@@ -14982,6 +14997,24 @@ class PipelineOrchestratorAddon extends BaseAddon {
           allowedSizes: ["lg", "xl"],
           defaultColumns: 12,
           defaultRows: 4
+        },
+        {
+          // On-camera motion-detection grid editor. The `motion-zones`
+          // cap is owned by the camera provider addons; the widget only
+          // talks to it over tRPC, so hosting the React surface here
+          // (one bundle) avoids duplicating it per provider.
+          stableId: "motion-zones-editor",
+          label: "Motion Zones",
+          description: "On-camera motion-detection grid editor (live-frame overlay).",
+          icon: "grid-3x3",
+          remoteName: "addon_pipeline_orchestrator_widgets",
+          bundle: "remoteEntry.js",
+          hosts: ["device-tab"],
+          requires: { deviceContext: true, integrationContext: false },
+          defaultSize: "lg",
+          allowedSizes: ["md", "lg"],
+          defaultColumns: 12,
+          defaultRows: 1
         }
       ]
     };
@@ -17153,8 +17186,28 @@ class PipelineOrchestratorAddon extends BaseAddon {
         }
       ]
     };
+    const motionZonesSection = {
+      id: "motion-zones",
+      title: "Motion Zones",
+      tab: "motion",
+      location: "settings",
+      columns: 1,
+      order: 0,
+      fields: [
+        {
+          // Widget fields manage their own state via DeviceProxy —
+          // `ConfigWidgetField` carries no `value` (unlike the legacy
+          // `zone-editor` field type which still does).
+          type: "widget",
+          key: "motion-zones",
+          label: "Motion Zones",
+          widgetId: "pipeline-orchestrator/motion-zones-editor",
+          span: 1
+        }
+      ]
+    };
     return {
-      sections: [...baseSections, zonesSection]
+      sections: [...baseSections, zonesSection, motionZonesSection]
     };
   }
   // `getCameraPipelineWithFallback` was a thin wrapper over