@camstack/addon-tailscale-ingress 0.1.4 → 0.1.6

package/dist/tailscale-ingress.addon.js

@@ -4621,7 +4621,7 @@ function _instanceof(cls, params = {}) {
 	return inst;
 }
 //#endregion
-//#region ../types/dist/index-Ce7RZWP4.mjs
+//#region ../types/dist/index-CgPd35k5.mjs
 var MODEL_FORMATS = [
 	"onnx",
 	"coreml",
@@ -4696,6 +4696,12 @@ Object.fromEntries([
 		icon: "video",
 		order: 35
 	},
+	{
+		id: "ptz",
+		label: "PTZ",
+		icon: "move",
+		order: 40
+	},
 	{
 		id: "pipeline",
 		label: "Detection Pipeline",
@@ -4809,6 +4815,10 @@ function hydrateField(field, values) {
 		};
 	}
 	const rawValue = storedValue !== void 0 ? storedValue : defaultValue !== void 0 ? defaultValue : null;
+	if (field.type === "password") return {
+		...field,
+		value: ""
+	};
 	const value = field.type === "textarea" && field.isJson && rawValue !== null && typeof rawValue === "object" ? JSON.stringify(rawValue, null, 2) : rawValue;
 	return {
 		...field,
@@ -4887,7 +4897,19 @@ var DecoderSessionConfigSchema = object({
 	* on every line so `grep tag=broker:5/high` filters one camera
 	* profile cleanly.
 	*/
-	tag: string().optional()
+	tag: string().optional(),
+	/**
+	* Where the session delivers decoded frames (Phase 5 / D9):
+	*
+	* - `'callback'` (default) — the legacy pixel path: decoded frames are
+	*   buffered as `DecodedFrame`s and drained via `pullFrames`.
+	* - `'shm'` — the shared-memory frame plane: decoded frames are written
+	*   into an OS shared-memory ring and drained as zero-pixel
+	*   `FrameHandle`s via `pullHandles`. A session is one mode or the
+	*   other — `pullFrames` returns nothing for an `'shm'` session and
+	*   `pullHandles` returns nothing for a `'callback'` session.
+	*/
+	frameSink: _enum(["callback", "shm"]).default("callback")
 });
 var YAMNET_TO_MACRO = {
 	mapping: {
@@ -5540,6 +5562,63 @@ var DecodedFrameSchema = object({
 	]),
 	timestamp: number()
 });
+var FrameHandleSchema = object({
+	shmId: string(),
+	slot: number().int().nonnegative(),
+	seq: number().int().nonnegative(),
+	width: number().int().positive(),
+	height: number().int().positive(),
+	format: _enum([
+		"jpeg",
+		"rgb",
+		"bgr",
+		"yuv420",
+		"gray"
+	]),
+	pts: number(),
+	byteLength: number().int().nonnegative(),
+	nodeId: string(),
+	slotCount: number().int().positive()
+});
+var FrameHandleFormatSchema = _enum([
+	"rgb",
+	"bgr",
+	"yuv420",
+	"gray"
+]);
+var SubscribeFramesInputSchema = object({
+	brokerId: string(),
+	format: FrameHandleFormatSchema,
+	/**
+	* Optional reader-side cadence hint in frames per second. The broker does
+	* NOT throttle — latest-wins ring reads drop frames implicitly for a slow
+	* consumer. The value is echoed back in `SubscribeFramesResult.maxFps` so
+	* the consumer can pace its own `pullFrameHandles` polling.
+	*/
+	maxFps: number().positive().optional(),
+	/** Short caller-identity tag (`motion`, `detection`, …) for diagnostics. */
+	tag: string().optional()
+});
+var SubscribeFramesResultSchema = object({
+	/** Opaque id the consumer passes to `pullFrameHandles` / `unsubscribeFrames`. */
+	subscriptionId: string(),
+	/** Reader-side cadence hint (frames/s) — echoes `SubscribeFramesInput.maxFps`. */
+	maxFps: number().nonnegative()
+});
+var DecodedAudioChunkSchema = object({
+	data: _instanceof(Uint8Array),
+	sampleRate: number().int().positive(),
+	channels: number().int().positive(),
+	timestamp: number()
+});
+var SubscribeAudioChunksInputSchema = object({
+	brokerId: string(),
+	/** Short caller-identity tag (`audio-analyzer`, …) for `listClients`. */
+	tag: string().optional()
+});
+var SubscribeAudioChunksResultSchema = object({ 
+/** Opaque id passed to `pullAudioChunks` / `unsubscribeAudioChunks`. */
+subscriptionId: string() });
 var BrokerStatsSchema = object({
 	status: _enum([
 		"idle",
@@ -5741,7 +5820,13 @@ method(object({
 }), {
 	kind: "mutation",
 	auth: "admin"
-}), method(object({ brokerId: string() }), custom()), method(object({
+}), method(SubscribeAudioChunksInputSchema, SubscribeAudioChunksResultSchema, { kind: "mutation" }), method(object({
+	subscriptionId: string(),
+	maxCount: number().int().positive().default(8)
+}), array(DecodedAudioChunkSchema).readonly()), method(object({ subscriptionId: string() }), object({ released: boolean() }), { kind: "mutation" }), method(SubscribeFramesInputSchema, SubscribeFramesResultSchema, { kind: "mutation" }), method(object({
+	subscriptionId: string(),
+	maxCount: number().int().positive().default(4)
+}), array(FrameHandleSchema).readonly()), method(object({ subscriptionId: string() }), object({ released: boolean() }), { kind: "mutation" }), method(object({
 	brokerId: string(),
 	seconds: number().min(0).max(30)
 }), _void(), {
@@ -6433,6 +6518,34 @@ DeviceType.Light, DeviceType.Siren, DeviceType.Switch, method(object({
 	enabled: boolean(),
 	lastChangedAt: number()
 });
+object({
+	enabled: boolean(),
+	sensitivity: number(),
+	/** Row-major active-cell grid. Length = gridWidth*gridHeight (see getOptions). */
+	cells: array(boolean()),
+	lastFetchedAt: number()
+});
+var MotionZoneOptionsSchema = object({
+	gridWidth: number(),
+	gridHeight: number(),
+	sensitivity: object({
+		min: number(),
+		max: number(),
+		step: number()
+	})
+});
+var MotionZonePatchSchema = object({
+	enabled: boolean().optional(),
+	sensitivity: number().optional(),
+	cells: array(boolean()).optional()
+});
+DeviceType.Camera, method(object({ deviceId: number() }), MotionZoneOptionsSchema), method(object({
+	deviceId: number(),
+	patch: MotionZonePatchSchema
+}), _void(), {
+	kind: "mutation",
+	auth: "admin"
+});
 var PtzAutotrackSettingsSchema = object({
 	targetType: string().describe("Vendor target string (people/vehicle/pet); empty = camera default"),
 	stopDelaySeconds: number().int().min(0).max(300),
@@ -6474,6 +6587,85 @@ DeviceType.Camera, method(object({ deviceId: number() }), PtzAutotrackStatusSche
 	deviceId: number(),
 	status: PtzAutotrackStatusSchema
 });
+var StreamProfileSchema = _enum([
+	"main",
+	"sub",
+	"ext"
+]);
+var StreamProfileConfigSchema = object({
+	width: number(),
+	height: number(),
+	codec: _enum(["h264", "h265"]),
+	framerate: number(),
+	bitrate: number(),
+	bitrateMode: _enum(["vbr", "cbr"]).optional(),
+	encoderProfile: _enum([
+		"high",
+		"main",
+		"baseline"
+	]).optional(),
+	gop: number().optional(),
+	audio: boolean().optional()
+});
+object({
+	/** Per-profile current config. A profile absent = the camera doesn't have it. */
+	main: StreamProfileConfigSchema.optional(),
+	sub: StreamProfileConfigSchema.optional(),
+	ext: StreamProfileConfigSchema.optional(),
+	lastFetchedAt: number()
+});
+var StreamProfileOptionsSchema = object({
+	resolutions: array(object({
+		width: number(),
+		height: number()
+	})),
+	codecs: array(_enum(["h264", "h265"])),
+	framerates: array(number()),
+	/** Allowed bitrate values (kbps). Empty if the camera takes a free range. */
+	bitrates: array(number()),
+	/** Optional [min,max] kbps when the camera accepts a continuous range. */
+	bitrateRange: tuple([number(), number()]).optional(),
+	supportsBitrateMode: boolean(),
+	supportsEncoderProfile: boolean(),
+	supportsGop: boolean(),
+	/** Allowed GOP / keyframe-interval range, in seconds — drives the
+	*  I-frame-interval selector. Absent when the camera advertises GOP
+	*  support but no concrete range (callers then fall back to a free
+	*  numeric input). `{ min, max, step }` per the getOptions convention. */
+	gop: object({
+		min: number(),
+		max: number(),
+		step: number()
+	}).optional()
+});
+var StreamParamsOptionsSchema = object({
+	main: StreamProfileOptionsSchema.optional(),
+	sub: StreamProfileOptionsSchema.optional(),
+	ext: StreamProfileOptionsSchema.optional()
+});
+var StreamProfilePatchSchema = object({
+	width: number().optional(),
+	height: number().optional(),
+	codec: _enum(["h264", "h265"]).optional(),
+	framerate: number().optional(),
+	bitrate: number().optional(),
+	bitrateMode: _enum(["vbr", "cbr"]).optional(),
+	encoderProfile: _enum([
+		"high",
+		"main",
+		"baseline"
+	]).optional(),
+	gop: number().optional(),
+	audio: boolean().optional()
+});
+DeviceType.Camera, method(object({ deviceId: number() }), StreamParamsOptionsSchema), method(object({
+	deviceId: number(),
+	profile: StreamProfileSchema,
+	patch: StreamProfilePatchSchema
+}), _void(), {
+	kind: "mutation",
+	auth: "admin"
+}), method(object({ deviceId: number() }), unknown().nullable());
 object({
 	on: boolean(),
 	/** Ms epoch of the last state change. Useful for UI "X minutes ago". */
@@ -7113,6 +7305,85 @@ method(LogEntrySchema, _void(), { kind: "mutation" }), method(object({
 var StaticDirOutputSchema = object({ staticDir: string() });
 var VersionOutputSchema = object({ version: string() });
 method(_void(), StaticDirOutputSchema), method(_void(), VersionOutputSchema);
+var MethodAccessSchema = _enum([
+	"view",
+	"create",
+	"delete"
+]);
+var AllowedProviderSchema = union([literal("*"), array(string())]);
+var AllowedDevicesSchema = record(string(), union([literal("*"), array(string())]));
+var CapScopeSchema = _enum(["device", "system"]);
+var TokenScopeSchema = discriminatedUnion("type", [
+	object({
+		type: literal("category"),
+		target: CapScopeSchema,
+		access: array(MethodAccessSchema).min(1)
+	}),
+	object({
+		type: literal("capability"),
+		target: string(),
+		access: array(MethodAccessSchema).min(1)
+	}),
+	object({
+		type: literal("addon"),
+		target: string(),
+		access: array(MethodAccessSchema).min(1)
+	}),
+	object({
+		type: literal("device"),
+		/**
+		* One or more deviceIds (serialised as strings for wire-format
+		* consistency with the rest of the union). Matcher accepts if
+		* `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
+		* of one scope-per-device when granting access to a set of cameras.
+		*/
+		targets: array(string()).min(1),
+		access: array(MethodAccessSchema).min(1)
+	})
+]);
+object({
+	id: string(),
+	username: string(),
+	passwordHash: string(),
+	/**
+	* Admin bypass. When true, the middleware skips the scope-access
+	* check entirely. There is no other axis of privilege; the legacy
+	* role enum collapsed onto this boolean in v2.
+	*/
+	isAdmin: boolean().default(false),
+	allowedProviders: AllowedProviderSchema,
+	allowedDevices: AllowedDevicesSchema,
+	/**
+	* Scopes granted to this user. Admins bypass; their `scopes` is
+	* ignored. Non-admins without scopes are locked out of every
+	* protected call.
+	*/
+	scopes: array(TokenScopeSchema).default([]),
+	createdAt: number(),
+	updatedAt: number()
+});
+object({
+	id: string(),
+	label: string(),
+	isAdmin: boolean().default(false),
+	allowedProviders: AllowedProviderSchema,
+	allowedDevices: AllowedDevicesSchema,
+	tokenHash: string(),
+	tokenPrefix: string(),
+	createdAt: number(),
+	lastUsedAt: number().optional()
+});
+object({
+	id: string(),
+	userId: string(),
+	name: string(),
+	tokenHash: string(),
+	tokenPrefix: string(),
+	scopes: array(TokenScopeSchema),
+	expiresAt: number().nullish(),
+	lastUsedAt: number().nullish(),
+	createdAt: number()
+});
 var SsoBridgeClaimsSchema = object({
 	userId: string(),
 	username: string(),
@@ -7128,12 +7399,36 @@ var SsoBridgeClaimsSchema = object({
 	* JWT WITHOUT verifying the signature — the hub re-verifies on every
 	* inbound call so trust still rests with the signing hub.
 	*/
-	hubUrl: string().optional()
+	hubUrl: string().optional(),
+	/** Permission scopes baked into the token. Set by the OAuth
+	*  account-linking grant; absent on ordinary SSO-login tokens. */
+	scopes: array(TokenScopeSchema).optional(),
+	/** OAuth authorization-code binding — set only on `oauth-code` tokens. */
+	redirectUri: string().optional(),
+	integrationId: string().optional(),
+	/** JWT ID — unique per issued code; consumed-set enforces single-use. */
+	jti: string().optional(),
+	/** OAuth session registry id — set on `oauth-access`/`oauth-refresh`
+	*  tokens so the verify path can check the session is not revoked. */
+	sessionId: string().optional()
 });
 method(object({
 	claims: SsoBridgeClaimsSchema,
 	ttlSec: number().int().positive().optional()
 }), object({ token: string() })), method(object({ token: string() }), SsoBridgeClaimsSchema.nullable());
+var OauthIntegrationDescriptorSchema = object({
+	/** Stable id used as the `integration=` query param, e.g. 'export-alexa'. */
+	integrationId: string(),
+	/** Human label rendered on the consent page. */
+	displayName: string(),
+	/** Scopes baked into every token issued for this integration. */
+	requestedScopes: array(TokenScopeSchema),
+	/** Allowed redirect_uri prefixes. /api/oauth2/authorize rejects any
+	*  redirect_uri that does not start with one of these. Required —
+	*  an empty list means the integration can never complete linking. */
+	allowedRedirectPrefixes: array(string()).min(1)
+});
+method(_void(), OauthIntegrationDescriptorSchema);
 var PasskeySummarySchema = object({
 	credentialId: string(),
 	label: string(),
@@ -7379,22 +7674,29 @@ var WidgetSizeEnum = _enum([
 	"lg",
 	"xl"
 ]);
+var WidgetRemoteSchema = object({
+	remoteName: string(),
+	exposedModule: string(),
+	componentKey: string().optional()
+});
 var WidgetMetadataSchema = object({
-	/** Stable id within the addon — kebab-case. */
-	stableId: string(),
+	/** Primary host tab — `'dashboard'`, `'device-tab'`, or a device-detail tab id. */
+	tab: string(),
+	/** Optional sub-tab within `tab`. */
+	subTab: string().optional(),
 	/** Operator-facing label. */
 	label: string(),
+	/** Ordering within `(tab, subTab)`, ascending. */
+	order: number().optional(),
+	/** Always `'remote'` — a widget is a Module Federation remote. */
+	kind: literal("remote"),
+	/** MF remote descriptor. */
+	remote: WidgetRemoteSchema,
+	/** Stable id within the addon — kebab-case. Equals `remote.componentKey`. */
+	stableId: string(),
 	description: string().optional(),
 	icon: string().optional(),
 	/**
-	* Module Federation remote name — must match the `name` field on the
-	* widget addon's `federation()` plugin config. Used by the host's
-	* `<WidgetRegistryProvider>` to call `loadRemote('<remoteName>/widgets')`.
-	* Conventionally `addon_<addonid>_widgets` (snake_case; MF names
-	* cannot contain hyphens).
-	*/
-	remoteName: string(),
-	/**
 	* Bundle filename inside the addon's `dist/` dir served at
 	* `/api/addon-widgets/<addonId>/<bundle>`. With Module Federation
 	* this is always `'remoteEntry.js'` — the value is kept on the
@@ -7402,9 +7704,9 @@ var WidgetMetadataSchema = object({
 	* cache-buster URL without a separate filesystem stat.
 	*/
 	bundle: string(),
-	/** Where the widget makes sense to render. */
+	/** Every host the widget supports. The picker filters on this set. */
 	hosts: array(WidgetHostEnum).readonly(),
-	/** Required props the host must supply. Validated at <WidgetSlot> mount. */
+	/** Required props the host must supply. Validated at `<WidgetSlot>` mount. */
 	requires: object({
 		deviceContext: boolean().default(false),
 		integrationContext: boolean().default(false)
@@ -7468,6 +7770,16 @@ var InvokeReplyEnvelopeSchema = object({
 	contentType: string().optional()
 });
 method(_void(), array(AddonHttpRouteSchema)), method(InvokeRequestSchema, InvokeReplyEnvelopeSchema, { kind: "mutation" });
+var ShmRingStatsSchema = object({
+	sessionId: string(),
+	slotCount: number().int(),
+	slotByteLength: number().int(),
+	segmentBytes: number().int(),
+	budgetMb: number().int(),
+	framesWritten: number().int(),
+	getFrameHits: number().int(),
+	getFrameMisses: number().int()
+});
 method(object({ codec: string() }), boolean()), method(_void(), object({
 	id: string(),
 	name: string(),
@@ -7486,6 +7798,9 @@ method(object({ codec: string() }), boolean()), method(_void(), object({
 	sessionId: string(),
 	maxCount: number().default(1)
 }), array(DecodedFrameSchema)), method(object({
+	sessionId: string(),
+	maxCount: number().default(1)
+}), array(FrameHandleSchema)), method(object({ handle: FrameHandleSchema }), DecodedFrameSchema.nullable()), method(object({ sessionId: string() }), ShmRingStatsSchema.nullable()), method(object({
 	sessionId: string(),
 	config: DecoderSessionConfigSchema.partial()
 }), _void()), method(object({ sessionId: string() }), DecoderStatsSchema), method(_void(), array(object({
@@ -8230,42 +8545,6 @@ method(object({
 	username: string(),
 	password: string()
 }), AuthResultSchema.nullable(), { kind: "mutation" }), method(object({ state: string() }), string()), method(record(string(), string()), AuthResultSchema, { kind: "mutation" }), method(object({ token: string() }), AuthResultSchema.nullable());
-var AuthProviderInfoSchema = object({
-	/** Stable id matching the addon id (used for `getLoginUrl({addonId,…})`). */
-	addonId: string(),
-	/**
-	* Per-instance id when one addon registers multiple "logical"
-	* providers (e.g. OIDC with Google + Microsoft + custom). The login
-	* URL becomes `/addon/${addonId}/${instanceId}/start` — handler reads
-	* `:instanceId` from the route. Empty/unset means the addon is a
-	* single-instance provider; the URL is `/addon/${addonId}/start`.
-	*/
-	instanceId: string().optional(),
-	/** Display label shown on the login button + admin row. */
-	displayName: string(),
-	/** Optional iconography hint (lucide-react icon name OR emoji). */
-	icon: string().optional(),
-	/** When true, the provider exposes a redirect-based login flow
-	*  (`getLoginUrl` returns a URL the browser navigates to). */
-	hasRedirectFlow: boolean(),
-	/** When true, the provider exposes a credential-form login flow
-	*  (`validateCredentials` accepts username + password). */
-	hasCredentialFlow: boolean(),
-	/** Provider kind, drives admin-UI hint dispatch (oidc / saml / totp / …). */
-	kind: string().optional(),
-	/** Operator-facing status string (e.g. "Connected to https://login.acme.com"). */
-	status: string().optional(),
-	/** When false, the provider is registered but disabled by config; the
-	*  UI surfaces it as inactive without enumerating it for login. */
-	enabled: boolean()
-});
-method(_void(), array(AuthProviderInfoSchema).readonly()), method(object({
-	addonId: string(),
-	enabled: boolean()
-}), object({ success: literal(true) }), {
-	kind: "mutation",
-	auth: "admin"
-});
 var NetworkEndpointSchema = object({
 	url: string(),
 	hostname: string(),
@@ -8294,7 +8573,6 @@ var networkAccessCapability = {
 	name: "network-access",
 	scope: "system",
 	mode: "collection",
-	internal: true,
 	providerKind: "ingress",
 	methods: {
 		start: method(_void(), NetworkEndpointSchema, { kind: "mutation" }),
@@ -8302,40 +8580,13 @@ var networkAccessCapability = {
 		getEndpoint: method(_void(), NetworkEndpointSchema.nullable()),
 		getStatus: method(_void(), NetworkAccessStatusSchema),
 		/**
-		* Enumerate every active ingress entry. Default implementation (when
-		* the provider omits this method) is derived from `getEndpoint()` —
-		* see the remote-access orchestrator for the fallback path.
+		* Enumerate every active ingress entry. Providers that expose only a
+		* single endpoint may omit this method; callers fall back to
+		* `getEndpoint()` in that case.
 		*/
 		listEndpoints: method(_void(), array(NetworkEndpointEntrySchema).readonly())
 	}
 };
-var RemoteAccessEndpointSchema = object({
-	url: string(),
-	hostname: string(),
-	port: number(),
-	protocol: _enum(["http", "https"])
-});
-var RemoteAccessProviderInfoSchema = object({
-	/** Stable id matching the addon id. */
-	addonId: string(),
-	/** Display label shown on the admin row — sourced from the addon manifest. */
-	displayName: string(),
-	/** When false, the provider is registered but disabled. */
-	enabled: boolean(),
-	/** True when the underlying tunnel/connection is up. */
-	connected: boolean(),
-	/** Public-facing endpoint, when connected. Null otherwise. */
-	endpoint: RemoteAccessEndpointSchema.nullable(),
-	/** Last error message (when connected=false), if available. */
-	error: string().optional()
-});
-method(_void(), array(RemoteAccessProviderInfoSchema).readonly()), method(object({ addonId: string() }), RemoteAccessEndpointSchema, {
-	kind: "mutation",
-	auth: "admin"
-}), method(object({ addonId: string() }), object({ success: literal(true) }), {
-	kind: "mutation",
-	auth: "admin"
-});
 var TurnServerSchema = object({
 	/** Single URL or list of URLs (e.g. "turn:turn.example.com:3478?transport=udp"). */
 	urls: union([string(), array(string())]),
@@ -8343,33 +8594,6 @@ var TurnServerSchema = object({
 	credential: string().optional()
 });
 method(_void(), array(TurnServerSchema).readonly());
-var TurnProviderInfoSchema = object({
-	/** Stable id matching the addon id. */
-	addonId: string(),
-	/** Display label shown on the admin row — sourced from the addon manifest. */
-	displayName: string(),
-	/** When false, the provider is registered but disabled. */
-	enabled: boolean(),
-	/** Number of servers this provider is currently exposing. */
-	serverCount: number(),
-	/**
-	* Flat list of every TURN/STUN URL this provider currently exposes.
-	* One row per URL (multi-URL ICE server entries are flattened). The
-	* admin UI shows this in a compact per-provider list so operators
-	* can verify what's actually being negotiated without having to dig
-	* into the combined `getAllServers` output.
-	*/
-	urls: array(string()).readonly(),
-	/** Last fetch error (when serverCount=0 due to API failure), if any. */
-	error: string().optional()
-});
-method(_void(), array(TurnProviderInfoSchema).readonly()), method(_void(), array(TurnServerSchema).readonly()), method(object({
-	addonId: string(),
-	enabled: boolean()
-}), object({ success: literal(true) }), {
-	kind: "mutation",
-	auth: "admin"
-});
 var SnapshotImageSchema = object({
 	base64: string(),
 	contentType: string()
@@ -8972,10 +9196,38 @@ var PtzMoveCommandSchema = object({
 	zoom: number().optional(),
 	speed: number().optional()
 });
+PtzPositionSchema.extend({ autofocus: boolean() });
+var PtzOptionsSchema = object({
+	hasPan: boolean(),
+	hasTilt: boolean(),
+	hasZoom: boolean(),
+	supportsPresets: boolean(),
+	/** Max number of named presets the camera supports, when known. */
+	maxPresets: number().optional(),
+	/** Whether the camera exposes a controllable autofocus toggle
+	*  (boolean `hasX` per the getOptions availability convention). */
+	hasAutofocus: boolean()
+});
 DeviceType.Camera, method(PtzMoveCommandSchema.extend({ deviceId: number() }), _void(), { kind: "mutation" }), method(PtzMoveCommandSchema.extend({ deviceId: number() }), _void(), { kind: "mutation" }), method(object({ deviceId: number() }), _void(), { kind: "mutation" }), method(object({ deviceId: number() }), array(PtzPresetSchema)), method(object({
 	deviceId: number(),
 	presetId: string()
-}), _void(), { kind: "mutation" }), method(object({ deviceId: number() }), _void(), { kind: "mutation" }), method(object({ deviceId: number() }), PtzPositionSchema);
+}), _void(), { kind: "mutation" }), method(object({
+	deviceId: number(),
+	presetId: string(),
+	name: string()
+}), _void(), {
+	kind: "mutation",
+	auth: "admin"
+}), method(object({
+	deviceId: number(),
+	presetId: string()
+}), _void(), {
+	kind: "mutation",
+	auth: "admin"
+}), method(object({ deviceId: number() }), PtzOptionsSchema), method(object({ deviceId: number() }), _void(), { kind: "mutation" }), method(object({ deviceId: number() }), PtzPositionSchema), method(object({
+	deviceId: number(),
+	enabled: boolean()
+}), _void(), { kind: "mutation" });
 var EventItemSchema = object({
 	id: string(),
 	type: string(),
@@ -9463,7 +9715,7 @@ method(_void(), ListResultSchema), method(_void(), PreferredSchema), method(obje
 	*  tunnel always emits `https://` regardless. */
 	scheme: _enum(["http", "https"]).optional()
 }), GetConnectionEndpointsResultSchema), method(_void(), AllowedAddressesSchema), method(AllowedAddressesSchema, object({ success: literal(true) }), { kind: "mutation" }), method(_void(), AllowedAddressesSchema, { kind: "mutation" });
-var MeshEndpointSchema$1 = object({
+var MeshEndpointSchema = object({
 	/** Stable identifier within the provider (e.g. `mesh-ipv4`, `magicdns`, `funnel`). */
 	id: string(),
 	/** Operator-facing label (e.g. "Mesh IPv4", "MagicDNS"). */
@@ -9540,7 +9792,7 @@ var MeshStatusSchema = object({
 	/** Number of peers visible to this host (excluding self). */
 	peerCount: number(),
 	/** Every endpoint this provider exposes for the current host. */
-	endpoints: array(MeshEndpointSchema$1).readonly(),
+	endpoints: array(MeshEndpointSchema).readonly(),
 	/** Last error from the daemon, when not joined. */
 	error: string().optional(),
 	/**
@@ -9615,131 +9867,7 @@ authKey: string().optional() }), object({
 	/** Human-readable error when `ok: false`. */
 	error: string().optional()
 }), { kind: "mutation" });
-var MeshEndpointSchema = object({
-	id: string(),
-	label: string(),
-	scope: _enum(["mesh", "public"]),
-	url: string(),
-	hostname: string(),
-	port: number(),
-	protocol: _enum(["http", "https"])
-});
-var MeshProviderInfoSchema = object({
-	/** Stable id matching the addon id. */
-	addonId: string(),
-	/** Display label shown on the admin row — sourced from the addon manifest. */
-	displayName: string(),
-	/** True when the host is joined to this provider's mesh. */
-	joined: boolean(),
-	/** Local mesh IP (empty when not joined). */
-	meshIp: string(),
-	/** MagicDNS / mesh hostname (empty when not configured). */
-	magicDnsHostname: string(),
-	/** Peer count (excluding self). */
-	peerCount: number(),
-	/** Active endpoints (mesh IP + MagicDNS + optional public Funnel). */
-	endpoints: array(MeshEndpointSchema).readonly(),
-	/** Last error reported by the provider. */
-	error: string().optional(),
-	/** Tenant / tailnet / network display name. Empty pre-join. */
-	tenantName: string(),
-	/** Mesh DNS suffix (e.g. tailXXXX.ts.net). Empty when not configured. */
-	magicDnsSuffix: string(),
-	/** Authenticated user / account login. Null for token-only providers. */
-	userLogin: string().nullable(),
-	/** Provider control-plane URL. */
-	controlPlaneUrl: string(),
-	/** Machine-key expiry (epoch ms). Null when keys don't rotate. */
-	keyExpiry: number().nullable()
-});
-method(_void(), array(MeshProviderInfoSchema).readonly()), method(object({
-	addonId: string(),
-	authKey: string().min(8),
-	hostname: string().optional()
-}), object({ joined: literal(true) }), { kind: "mutation" }), method(object({ addonId: string() }), object({ success: literal(true) }), { kind: "mutation" }), method(object({
-	addonId: string(),
-	hostname: string().optional()
-}), object({ loginUrl: string() }), { kind: "mutation" }), method(object({ addonId: string() }), object({ loggedOut: literal(true) }), { kind: "mutation" }), method(object({ addonId: string() }), object({ peers: array(MeshPeerSchema).readonly() }));
-var MethodAccessSchema = _enum([
-	"view",
-	"create",
-	"delete"
-]);
-var AllowedProviderSchema = union([literal("*"), array(string())]);
-var AllowedDevicesSchema = record(string(), union([literal("*"), array(string())]));
-var CapScopeSchema = _enum(["device", "system"]);
-var TokenScopeSchema = discriminatedUnion("type", [
-	object({
-		type: literal("category"),
-		target: CapScopeSchema,
-		access: array(MethodAccessSchema).min(1)
-	}),
-	object({
-		type: literal("capability"),
-		target: string(),
-		access: array(MethodAccessSchema).min(1)
-	}),
-	object({
-		type: literal("addon"),
-		target: string(),
-		access: array(MethodAccessSchema).min(1)
-	}),
-	object({
-		type: literal("device"),
-		/**
-		* One or more deviceIds (serialised as strings for wire-format
-		* consistency with the rest of the union). Matcher accepts if
-		* `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
-		* of one scope-per-device when granting access to a set of cameras.
-		*/
-		targets: array(string()).min(1),
-		access: array(MethodAccessSchema).min(1)
-	})
-]);
-object({
-	id: string(),
-	username: string(),
-	passwordHash: string(),
-	/**
-	* Admin bypass. When true, the middleware skips the scope-access
-	* check entirely. There is no other axis of privilege; the legacy
-	* role enum collapsed onto this boolean in v2.
-	*/
-	isAdmin: boolean().default(false),
-	allowedProviders: AllowedProviderSchema,
-	allowedDevices: AllowedDevicesSchema,
-	/**
-	* Scopes granted to this user. Admins bypass; their `scopes` is
-	* ignored. Non-admins without scopes are locked out of every
-	* protected call.
-	*/
-	scopes: array(TokenScopeSchema).default([]),
-	createdAt: number(),
-	updatedAt: number()
-});
-object({
-	id: string(),
-	label: string(),
-	isAdmin: boolean().default(false),
-	allowedProviders: AllowedProviderSchema,
-	allowedDevices: AllowedDevicesSchema,
-	tokenHash: string(),
-	tokenPrefix: string(),
-	createdAt: number(),
-	lastUsedAt: number().optional()
-});
-object({
-	id: string(),
-	userId: string(),
-	name: string(),
-	tokenHash: string(),
-	tokenPrefix: string(),
-	scopes: array(TokenScopeSchema),
-	expiresAt: number().nullish(),
-	lastUsedAt: number().nullish(),
-	createdAt: number()
-});
-var UserSummarySchema = object({
+var UserSummarySchema = object({
 	id: string(),
 	username: string(),
 	isAdmin: boolean().default(false),
@@ -9811,6 +9939,16 @@ var CreateScopedTokenResultSchema = object({
 	token: string(),
 	record: ScopedTokenSummarySchema
 });
+var OauthSessionSummarySchema = object({
+	id: string(),
+	userId: string(),
+	username: string(),
+	integrationId: string(),
+	scopes: array(TokenScopeSchema),
+	createdAt: number(),
+	lastUsedAt: number(),
+	revokedAt: number().nullable()
+});
 var TotpSetupResultSchema = object({
 	secret: string(),
 	otpauthUrl: string()
@@ -9893,6 +10031,41 @@ method(_void(), array(UserSummarySchema), { auth: "admin" }), method(CreateUserI
 }), object({ valid: boolean() }), {
 	kind: "mutation",
 	access: "view"
+}), method(object({
+	integrationId: string(),
+	userId: string(),
+	username: string(),
+	scopes: array(TokenScopeSchema),
+	redirectUri: string(),
+	hubUrl: string()
+}), object({ code: string() }), {
+	kind: "mutation",
+	access: "create"
+}), method(object({
+	code: string(),
+	redirectUri: string()
+}), object({
+	accessToken: string(),
+	refreshToken: string(),
+	expiresIn: number()
+}).nullable(), {
+	kind: "mutation",
+	access: "view"
+}), method(object({ refreshToken: string() }), object({
+	accessToken: string(),
+	refreshToken: string(),
+	expiresIn: number()
+}).nullable(), {
+	kind: "mutation",
+	access: "view"
+}), method(object({ token: string() }), object({
+	userId: string(),
+	username: string(),
+	scopes: array(TokenScopeSchema)
+}).nullable(), { access: "view" }), method(_void(), array(OauthSessionSummarySchema), { auth: "admin" }), method(object({ id: string() }), object({ success: boolean() }), {
+	kind: "mutation",
+	auth: "admin",
+	access: "delete"
 });
 var FeatureManifestSchema = object({
 	streaming: boolean(),
@@ -10061,7 +10234,13 @@ method(_void(), array(TopologyNodeSchema).readonly(), { auth: "admin" }), method
 }), RenameNodeResultSchema, {
 	kind: "mutation",
 	auth: "admin"
-}), method(_void(), record(string(), ClusterAddonStatusEntrySchema), { auth: "admin" }), method(object({ nodeId: string() }), array(NodeAddonEntrySchema).readonly(), { auth: "admin" }), method(object({
+}), method(_void(), record(string(), ClusterAddonStatusEntrySchema), { auth: "admin" }), method(object({ windowSeconds: number().int().positive().max(300).default(60) }), array(object({
+	callerAddonId: string(),
+	providerAddonId: string(),
+	capName: string(),
+	callsPerMin: number(),
+	lastCallAtMs: number()
+})).readonly(), { auth: "admin" }), method(object({ nodeId: string() }), array(NodeAddonEntrySchema).readonly(), { auth: "admin" }), method(object({
 	nodeId: string(),
 	level: string()
 }), SuccessSchema, {
@@ -10349,6 +10528,13 @@ method(_void(), array(AddonListItemSchema).readonly()), method(object({
 	mode: _enum(["singleton", "collection"]),
 	isActive: boolean()
 })).readonly()), method(object({
+	capName: string().min(1),
+	addonId: string().min(1),
+	enabled: boolean()
+}), object({ success: literal(true) }), {
+	kind: "mutation",
+	auth: "admin"
+}), method(object({
 	packageName: string().min(1),
 	version: string().optional()
 }), UpdateFrameworkPackageResultSchema, {
@@ -11034,6 +11220,12 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"addons.setCapabilityProviderEnabled": {
+		capName: "addons",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
 	"addons.uninstallPackage": {
 		capName: "addons",
 		capScope: "system",
@@ -11286,18 +11478,6 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
-	"authentication.listProviders": {
-		capName: "authentication",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"authentication.setProviderEnabled": {
-		capName: "authentication",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
 	"authProvider.getLoginUrl": {
 		capName: "auth-provider",
 		capScope: "system",
@@ -11424,12 +11604,24 @@ Object.freeze({
 		addonId: null,
 		access: "delete"
 	},
+	"decoder.getFrame": {
+		capName: "decoder",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"decoder.getInfo": {
 		capName: "decoder",
 		capScope: "system",
 		addonId: null,
 		access: "view"
 	},
+	"decoder.getShmStats": {
+		capName: "decoder",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"decoder.getStats": {
 		capName: "decoder",
 		capScope: "system",
@@ -11454,6 +11646,12 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
+	"decoder.pullHandles": {
+		capName: "decoder",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"decoder.pushPacket": {
 		capName: "decoder",
 		capScope: "system",
@@ -12144,42 +12342,6 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
-	"meshOrchestrator.joinProvider": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
-	"meshOrchestrator.leaveProvider": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
-	"meshOrchestrator.listProviderPeers": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"meshOrchestrator.listProviders": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"meshOrchestrator.logoutProvider": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
-	"meshOrchestrator.startLoginProvider": {
-		capName: "mesh-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
 	"metricsProvider.collectSnapshot": {
 		capName: "metrics-provider",
 		capScope: "system",
@@ -12276,6 +12438,18 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"motionZones.getOptions": {
+		capName: "motion-zones",
+		capScope: "device",
+		addonId: null,
+		access: "view"
+	},
+	"motionZones.setZone": {
+		capName: "motion-zones",
+		capScope: "device",
+		addonId: null,
+		access: "create"
+	},
 	"mqttBroker.addBroker": {
 		capName: "mqtt-broker",
 		capScope: "system",
@@ -12390,6 +12564,12 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"nodes.getCapUsageGraph": {
+		capName: "nodes",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"nodes.getNodeAddons": {
 		capName: "nodes",
 		capScope: "system",
@@ -12456,6 +12636,12 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"oauthIntegration.getDescriptor": {
+		capName: "oauth-integration",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"osd.setOverlay": {
 		capName: "osd",
 		capScope: "device",
@@ -13014,6 +13200,18 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"ptz.deletePreset": {
+		capName: "ptz",
+		capScope: "device",
+		addonId: null,
+		access: "delete"
+	},
+	"ptz.getOptions": {
+		capName: "ptz",
+		capScope: "device",
+		addonId: null,
+		access: "view"
+	},
 	"ptz.getPosition": {
 		capName: "ptz",
 		capScope: "device",
@@ -13044,6 +13242,18 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"ptz.savePreset": {
+		capName: "ptz",
+		capScope: "device",
+		addonId: null,
+		access: "create"
+	},
+	"ptz.setAutofocus": {
+		capName: "ptz",
+		capScope: "device",
+		addonId: null,
+		access: "create"
+	},
 	"ptz.stop": {
 		capName: "ptz",
 		capScope: "device",
@@ -13206,24 +13416,6 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
-	"remoteAccess.listProviders": {
-		capName: "remote-access",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"remoteAccess.startProvider": {
-		capName: "remote-access",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
-	"remoteAccess.stopProvider": {
-		capName: "remote-access",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
 	"restreamer.getExposedResources": {
 		capName: "restreamer",
 		capScope: "system",
@@ -13584,12 +13776,6 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
-	"streamBroker.getBroker": {
-		capName: "stream-broker",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
 	"streamBroker.getBrokerStats": {
 		capName: "stream-broker",
 		capScope: "system",
@@ -13662,6 +13848,18 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"streamBroker.pullAudioChunks": {
+		capName: "stream-broker",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
+	"streamBroker.pullFrameHandles": {
+		capName: "stream-broker",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"streamBroker.regenerateRtspToken": {
 		capName: "stream-broker",
 		capScope: "system",
@@ -13698,12 +13896,36 @@ Object.freeze({
 		addonId: null,
 		access: "create"
 	},
+	"streamBroker.subscribeAudioChunks": {
+		capName: "stream-broker",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
+	"streamBroker.subscribeFrames": {
+		capName: "stream-broker",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
 	"streamBroker.unassignProfile": {
 		capName: "stream-broker",
 		capScope: "system",
 		addonId: null,
 		access: "create"
 	},
+	"streamBroker.unsubscribeAudioChunks": {
+		capName: "stream-broker",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
+	"streamBroker.unsubscribeFrames": {
+		capName: "stream-broker",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
 	"streamingEngine.getStreamUrl": {
 		capName: "streaming-engine",
 		capScope: "system",
@@ -13728,6 +13950,24 @@ Object.freeze({
 		addonId: null,
 		access: "delete"
 	},
+	"streamParams.getConfigSchema": {
+		capName: "stream-params",
+		capScope: "device",
+		addonId: null,
+		access: "view"
+	},
+	"streamParams.getOptions": {
+		capName: "stream-params",
+		capScope: "device",
+		addonId: null,
+		access: "view"
+	},
+	"streamParams.setProfile": {
+		capName: "stream-params",
+		capScope: "device",
+		addonId: null,
+		access: "create"
+	},
 	"switch.setState": {
 		capName: "switch",
 		capScope: "device",
@@ -13782,24 +14022,6 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
-	"turnOrchestrator.getAllServers": {
-		capName: "turn-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"turnOrchestrator.listProviders": {
-		capName: "turn-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "view"
-	},
-	"turnOrchestrator.setProviderEnabled": {
-		capName: "turn-orchestrator",
-		capScope: "system",
-		addonId: null,
-		access: "create"
-	},
 	"turnProvider.getTurnServers": {
 		capName: "turn-provider",
 		capScope: "system",
@@ -13854,6 +14076,12 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
+	"userManagement.listOauthSessions": {
+		capName: "user-management",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"userManagement.listScopedTokens": {
 		capName: "user-management",
 		capScope: "system",
@@ -13866,6 +14094,30 @@ Object.freeze({
 		addonId: null,
 		access: "view"
 	},
+	"userManagement.oauthExchangeCode": {
+		capName: "user-management",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
+	"userManagement.oauthIssueCode": {
+		capName: "user-management",
+		capScope: "system",
+		addonId: null,
+		access: "create"
+	},
+	"userManagement.oauthRefresh": {
+		capName: "user-management",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
+	"userManagement.oauthVerifyAccessToken": {
+		capName: "user-management",
+		capScope: "system",
+		addonId: null,
+		access: "view"
+	},
 	"userManagement.resetPassword": {
 		capName: "user-management",
 		capScope: "system",
@@ -13878,6 +14130,12 @@ Object.freeze({
 		addonId: null,
 		access: "delete"
 	},
+	"userManagement.revokeOauthSession": {
+		capName: "user-management",
+		capScope: "system",
+		addonId: null,
+		access: "delete"
+	},
 	"userManagement.revokeScopedToken": {
 		capName: "user-management",
 		capScope: "system",