npm - @camstack/core - Versions diffs - 0.1.38 → 0.1.40 - Mend

@camstack/core 0.1.38 → 0.1.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/dist/index.js CHANGED Viewed

@@ -37,7 +37,7 @@ let node_vm = require("node:vm");
 node_vm = require_chunk.__toESM(node_vm);
 let node_os = require("node:os");
 node_os = require_chunk.__toESM(node_os);
-//#region ../types/dist/index-CWhQOnm9.mjs
+//#region ../types/dist/index-CgPd35k5.mjs
 var MODEL_FORMATS = [
 	"onnx",
 	"coreml",
@@ -112,6 +112,12 @@ Object.fromEntries([
 		icon: "video",
 		order: 35
 	},
+	{
+		id: "ptz",
+		label: "PTZ",
+		icon: "move",
+		order: 40
+	},
 	{
 		id: "pipeline",
 		label: "Detection Pipeline",
@@ -238,7 +244,19 @@ var DecoderSessionConfigSchema = zod.z.object({
 	* on every line so `grep tag=broker:5/high` filters one camera
 	* profile cleanly.
 	*/
-	tag: zod.z.string().optional()
+	tag: zod.z.string().optional(),
+	/**
+	* Where the session delivers decoded frames (Phase 5 / D9):
+	*
+	* - `'callback'` (default) — the legacy pixel path: decoded frames are
+	*   buffered as `DecodedFrame`s and drained via `pullFrames`.
+	* - `'shm'` — the shared-memory frame plane: decoded frames are written
+	*   into an OS shared-memory ring and drained as zero-pixel
+	*   `FrameHandle`s via `pullHandles`. A session is one mode or the
+	*   other — `pullFrames` returns nothing for an `'shm'` session and
+	*   `pullHandles` returns nothing for a `'callback'` session.
+	*/
+	frameSink: zod.z.enum(["callback", "shm"]).default("callback")
 });
 function errMsg$2(err) {
 	if (err instanceof Error) return err.message;
@@ -898,6 +916,63 @@ var DecodedFrameSchema = zod.z.object({
 	]),
 	timestamp: zod.z.number()
 });
+var FrameHandleSchema = zod.z.object({
+	shmId: zod.z.string(),
+	slot: zod.z.number().int().nonnegative(),
+	seq: zod.z.number().int().nonnegative(),
+	width: zod.z.number().int().positive(),
+	height: zod.z.number().int().positive(),
+	format: zod.z.enum([
+		"jpeg",
+		"rgb",
+		"bgr",
+		"yuv420",
+		"gray"
+	]),
+	pts: zod.z.number(),
+	byteLength: zod.z.number().int().nonnegative(),
+	nodeId: zod.z.string(),
+	slotCount: zod.z.number().int().positive()
+});
+var FrameHandleFormatSchema = zod.z.enum([
+	"rgb",
+	"bgr",
+	"yuv420",
+	"gray"
+]);
+var SubscribeFramesInputSchema = zod.z.object({
+	brokerId: zod.z.string(),
+	format: FrameHandleFormatSchema,
+	/**
+	* Optional reader-side cadence hint in frames per second. The broker does
+	* NOT throttle — latest-wins ring reads drop frames implicitly for a slow
+	* consumer. The value is echoed back in `SubscribeFramesResult.maxFps` so
+	* the consumer can pace its own `pullFrameHandles` polling.
+	*/
+	maxFps: zod.z.number().positive().optional(),
+	/** Short caller-identity tag (`motion`, `detection`, …) for diagnostics. */
+	tag: zod.z.string().optional()
+});
+var SubscribeFramesResultSchema = zod.z.object({
+	/** Opaque id the consumer passes to `pullFrameHandles` / `unsubscribeFrames`. */
+	subscriptionId: zod.z.string(),
+	/** Reader-side cadence hint (frames/s) — echoes `SubscribeFramesInput.maxFps`. */
+	maxFps: zod.z.number().nonnegative()
+});
+var DecodedAudioChunkSchema = zod.z.object({
+	data: zod.z.instanceof(Uint8Array),
+	sampleRate: zod.z.number().int().positive(),
+	channels: zod.z.number().int().positive(),
+	timestamp: zod.z.number()
+});
+var SubscribeAudioChunksInputSchema = zod.z.object({
+	brokerId: zod.z.string(),
+	/** Short caller-identity tag (`audio-analyzer`, …) for `listClients`. */
+	tag: zod.z.string().optional()
+});
+var SubscribeAudioChunksResultSchema = zod.z.object({
+/** Opaque id passed to `pullAudioChunks` / `unsubscribeAudioChunks`. */
+subscriptionId: zod.z.string() });
 var BrokerStatusSchema$1 = zod.z.enum([
 	"idle",
 	"connecting",
@@ -1100,7 +1175,13 @@ method(zod.z.object({
 }), {
 	kind: "mutation",
 	auth: "admin"
-}), method(zod.z.object({ brokerId: zod.z.string() }), zod.z.custom()), method(zod.z.object({
+}), method(SubscribeAudioChunksInputSchema, SubscribeAudioChunksResultSchema, { kind: "mutation" }), method(zod.z.object({
+	subscriptionId: zod.z.string(),
+	maxCount: zod.z.number().int().positive().default(8)
+}), zod.z.array(DecodedAudioChunkSchema).readonly()), method(zod.z.object({ subscriptionId: zod.z.string() }), zod.z.object({ released: zod.z.boolean() }), { kind: "mutation" }), method(SubscribeFramesInputSchema, SubscribeFramesResultSchema, { kind: "mutation" }), method(zod.z.object({
+	subscriptionId: zod.z.string(),
+	maxCount: zod.z.number().int().positive().default(4)
+}), zod.z.array(FrameHandleSchema).readonly()), method(zod.z.object({ subscriptionId: zod.z.string() }), zod.z.object({ released: zod.z.boolean() }), { kind: "mutation" }), method(zod.z.object({
 	brokerId: zod.z.string(),
 	seconds: zod.z.number().min(0).max(30)
 }), zod.z.void(), {
@@ -1793,6 +1874,34 @@ DeviceType.Light, DeviceType.Siren, DeviceType.Switch, method(zod.z.object({
 	enabled: zod.z.boolean(),
 	lastChangedAt: zod.z.number()
 });
+zod.z.object({
+	enabled: zod.z.boolean(),
+	sensitivity: zod.z.number(),
+	/** Row-major active-cell grid. Length = gridWidth*gridHeight (see getOptions). */
+	cells: zod.z.array(zod.z.boolean()),
+	lastFetchedAt: zod.z.number()
+});
+var MotionZoneOptionsSchema = zod.z.object({
+	gridWidth: zod.z.number(),
+	gridHeight: zod.z.number(),
+	sensitivity: zod.z.object({
+		min: zod.z.number(),
+		max: zod.z.number(),
+		step: zod.z.number()
+	})
+});
+var MotionZonePatchSchema = zod.z.object({
+	enabled: zod.z.boolean().optional(),
+	sensitivity: zod.z.number().optional(),
+	cells: zod.z.array(zod.z.boolean()).optional()
+});
+DeviceType.Camera, method(zod.z.object({ deviceId: zod.z.number() }), MotionZoneOptionsSchema), method(zod.z.object({
+	deviceId: zod.z.number(),
+	patch: MotionZonePatchSchema
+}), zod.z.void(), {
+	kind: "mutation",
+	auth: "admin"
+});
 var AutotrackTargetTypeSchema = zod.z.string().describe("Vendor target string (people/vehicle/pet); empty = camera default");
 var PtzAutotrackSettingsSchema = zod.z.object({
 	targetType: AutotrackTargetTypeSchema,
@@ -1835,6 +1944,85 @@ DeviceType.Camera, method(zod.z.object({ deviceId: zod.z.number() }), PtzAutotra
 	deviceId: zod.z.number(),
 	status: PtzAutotrackStatusSchema
 });
+var StreamProfileSchema = zod.z.enum([
+	"main",
+	"sub",
+	"ext"
+]);
+var StreamProfileConfigSchema = zod.z.object({
+	width: zod.z.number(),
+	height: zod.z.number(),
+	codec: zod.z.enum(["h264", "h265"]),
+	framerate: zod.z.number(),
+	bitrate: zod.z.number(),
+	bitrateMode: zod.z.enum(["vbr", "cbr"]).optional(),
+	encoderProfile: zod.z.enum([
+		"high",
+		"main",
+		"baseline"
+	]).optional(),
+	gop: zod.z.number().optional(),
+	audio: zod.z.boolean().optional()
+});
+zod.z.object({
+	/** Per-profile current config. A profile absent = the camera doesn't have it. */
+	main: StreamProfileConfigSchema.optional(),
+	sub: StreamProfileConfigSchema.optional(),
+	ext: StreamProfileConfigSchema.optional(),
+	lastFetchedAt: zod.z.number()
+});
+var StreamProfileOptionsSchema = zod.z.object({
+	resolutions: zod.z.array(zod.z.object({
+		width: zod.z.number(),
+		height: zod.z.number()
+	})),
+	codecs: zod.z.array(zod.z.enum(["h264", "h265"])),
+	framerates: zod.z.array(zod.z.number()),
+	/** Allowed bitrate values (kbps). Empty if the camera takes a free range. */
+	bitrates: zod.z.array(zod.z.number()),
+	/** Optional [min,max] kbps when the camera accepts a continuous range. */
+	bitrateRange: zod.z.tuple([zod.z.number(), zod.z.number()]).optional(),
+	supportsBitrateMode: zod.z.boolean(),
+	supportsEncoderProfile: zod.z.boolean(),
+	supportsGop: zod.z.boolean(),
+	/** Allowed GOP / keyframe-interval range, in seconds — drives the
+	*  I-frame-interval selector. Absent when the camera advertises GOP
+	*  support but no concrete range (callers then fall back to a free
+	*  numeric input). `{ min, max, step }` per the getOptions convention. */
+	gop: zod.z.object({
+		min: zod.z.number(),
+		max: zod.z.number(),
+		step: zod.z.number()
+	}).optional()
+});
+var StreamParamsOptionsSchema = zod.z.object({
+	main: StreamProfileOptionsSchema.optional(),
+	sub: StreamProfileOptionsSchema.optional(),
+	ext: StreamProfileOptionsSchema.optional()
+});
+var StreamProfilePatchSchema = zod.z.object({
+	width: zod.z.number().optional(),
+	height: zod.z.number().optional(),
+	codec: zod.z.enum(["h264", "h265"]).optional(),
+	framerate: zod.z.number().optional(),
+	bitrate: zod.z.number().optional(),
+	bitrateMode: zod.z.enum(["vbr", "cbr"]).optional(),
+	encoderProfile: zod.z.enum([
+		"high",
+		"main",
+		"baseline"
+	]).optional(),
+	gop: zod.z.number().optional(),
+	audio: zod.z.boolean().optional()
+});
+DeviceType.Camera, method(zod.z.object({ deviceId: zod.z.number() }), StreamParamsOptionsSchema), method(zod.z.object({
+	deviceId: zod.z.number(),
+	profile: StreamProfileSchema,
+	patch: StreamProfilePatchSchema
+}), zod.z.void(), {
+	kind: "mutation",
+	auth: "admin"
+}), method(zod.z.object({ deviceId: zod.z.number() }), zod.z.unknown().nullable());
 zod.z.object({
 	on: zod.z.boolean(),
 	/** Ms epoch of the last state change. Useful for UI "X minutes ago". */
@@ -2474,6 +2662,85 @@ method(LogEntrySchema, zod.z.void(), { kind: "mutation" }), method(zod.z.object(
 var StaticDirOutputSchema = zod.z.object({ staticDir: zod.z.string() });
 var VersionOutputSchema = zod.z.object({ version: zod.z.string() });
 method(zod.z.void(), StaticDirOutputSchema), method(zod.z.void(), VersionOutputSchema);
+var MethodAccessSchema = zod.z.enum([
+	"view",
+	"create",
+	"delete"
+]);
+var AllowedProviderSchema = zod.z.union([zod.z.literal("*"), zod.z.array(zod.z.string())]);
+var AllowedDevicesSchema = zod.z.record(zod.z.string(), zod.z.union([zod.z.literal("*"), zod.z.array(zod.z.string())]));
+var CapScopeSchema = zod.z.enum(["device", "system"]);
+var TokenScopeSchema = zod.z.discriminatedUnion("type", [
+	zod.z.object({
+		type: zod.z.literal("category"),
+		target: CapScopeSchema,
+		access: zod.z.array(MethodAccessSchema).min(1)
+	}),
+	zod.z.object({
+		type: zod.z.literal("capability"),
+		target: zod.z.string(),
+		access: zod.z.array(MethodAccessSchema).min(1)
+	}),
+	zod.z.object({
+		type: zod.z.literal("addon"),
+		target: zod.z.string(),
+		access: zod.z.array(MethodAccessSchema).min(1)
+	}),
+	zod.z.object({
+		type: zod.z.literal("device"),
+		/**
+		* One or more deviceIds (serialised as strings for wire-format
+		* consistency with the rest of the union). Matcher accepts if
+		* `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
+		* of one scope-per-device when granting access to a set of cameras.
+		*/
+		targets: zod.z.array(zod.z.string()).min(1),
+		access: zod.z.array(MethodAccessSchema).min(1)
+	})
+]);
+zod.z.object({
+	id: zod.z.string(),
+	username: zod.z.string(),
+	passwordHash: zod.z.string(),
+	/**
+	* Admin bypass. When true, the middleware skips the scope-access
+	* check entirely. There is no other axis of privilege; the legacy
+	* role enum collapsed onto this boolean in v2.
+	*/
+	isAdmin: zod.z.boolean().default(false),
+	allowedProviders: AllowedProviderSchema,
+	allowedDevices: AllowedDevicesSchema,
+	/**
+	* Scopes granted to this user. Admins bypass; their `scopes` is
+	* ignored. Non-admins without scopes are locked out of every
+	* protected call.
+	*/
+	scopes: zod.z.array(TokenScopeSchema).default([]),
+	createdAt: zod.z.number(),
+	updatedAt: zod.z.number()
+});
+zod.z.object({
+	id: zod.z.string(),
+	label: zod.z.string(),
+	isAdmin: zod.z.boolean().default(false),
+	allowedProviders: AllowedProviderSchema,
+	allowedDevices: AllowedDevicesSchema,
+	tokenHash: zod.z.string(),
+	tokenPrefix: zod.z.string(),
+	createdAt: zod.z.number(),
+	lastUsedAt: zod.z.number().optional()
+});
+zod.z.object({
+	id: zod.z.string(),
+	userId: zod.z.string(),
+	name: zod.z.string(),
+	tokenHash: zod.z.string(),
+	tokenPrefix: zod.z.string(),
+	scopes: zod.z.array(TokenScopeSchema),
+	expiresAt: zod.z.number().nullish(),
+	lastUsedAt: zod.z.number().nullish(),
+	createdAt: zod.z.number()
+});
 var SsoBridgeClaimsSchema = zod.z.object({
 	userId: zod.z.string(),
 	username: zod.z.string(),
@@ -2489,12 +2756,36 @@ var SsoBridgeClaimsSchema = zod.z.object({
 	* JWT WITHOUT verifying the signature — the hub re-verifies on every
 	* inbound call so trust still rests with the signing hub.
 	*/
-	hubUrl: zod.z.string().optional()
+	hubUrl: zod.z.string().optional(),
+	/** Permission scopes baked into the token. Set by the OAuth
+	*  account-linking grant; absent on ordinary SSO-login tokens. */
+	scopes: zod.z.array(TokenScopeSchema).optional(),
+	/** OAuth authorization-code binding — set only on `oauth-code` tokens. */
+	redirectUri: zod.z.string().optional(),
+	integrationId: zod.z.string().optional(),
+	/** JWT ID — unique per issued code; consumed-set enforces single-use. */
+	jti: zod.z.string().optional(),
+	/** OAuth session registry id — set on `oauth-access`/`oauth-refresh`
+	*  tokens so the verify path can check the session is not revoked. */
+	sessionId: zod.z.string().optional()
 });
 method(zod.z.object({
 	claims: SsoBridgeClaimsSchema,
 	ttlSec: zod.z.number().int().positive().optional()
 }), zod.z.object({ token: zod.z.string() })), method(zod.z.object({ token: zod.z.string() }), SsoBridgeClaimsSchema.nullable());
+var OauthIntegrationDescriptorSchema = zod.z.object({
+	/** Stable id used as the `integration=` query param, e.g. 'export-alexa'. */
+	integrationId: zod.z.string(),
+	/** Human label rendered on the consent page. */
+	displayName: zod.z.string(),
+	/** Scopes baked into every token issued for this integration. */
+	requestedScopes: zod.z.array(TokenScopeSchema),
+	/** Allowed redirect_uri prefixes. /api/oauth2/authorize rejects any
+	*  redirect_uri that does not start with one of these. Required —
+	*  an empty list means the integration can never complete linking. */
+	allowedRedirectPrefixes: zod.z.array(zod.z.string()).min(1)
+});
+method(zod.z.void(), OauthIntegrationDescriptorSchema);
 var PasskeySummarySchema = zod.z.object({
 	credentialId: zod.z.string(),
 	label: zod.z.string(),
@@ -2740,22 +3031,29 @@ var WidgetSizeEnum = zod.z.enum([
 	"lg",
 	"xl"
 ]);
+var WidgetRemoteSchema = zod.z.object({
+	remoteName: zod.z.string(),
+	exposedModule: zod.z.string(),
+	componentKey: zod.z.string().optional()
+});
 var WidgetMetadataSchema = zod.z.object({
-	/** Stable id within the addon — kebab-case. */
-	stableId: zod.z.string(),
+	/** Primary host tab — `'dashboard'`, `'device-tab'`, or a device-detail tab id. */
+	tab: zod.z.string(),
+	/** Optional sub-tab within `tab`. */
+	subTab: zod.z.string().optional(),
 	/** Operator-facing label. */
 	label: zod.z.string(),
+	/** Ordering within `(tab, subTab)`, ascending. */
+	order: zod.z.number().optional(),
+	/** Always `'remote'` — a widget is a Module Federation remote. */
+	kind: zod.z.literal("remote"),
+	/** MF remote descriptor. */
+	remote: WidgetRemoteSchema,
+	/** Stable id within the addon — kebab-case. Equals `remote.componentKey`. */
+	stableId: zod.z.string(),
 	description: zod.z.string().optional(),
 	icon: zod.z.string().optional(),
 	/**
-	* Module Federation remote name — must match the `name` field on the
-	* widget addon's `federation()` plugin config. Used by the host's
-	* `<WidgetRegistryProvider>` to call `loadRemote('<remoteName>/widgets')`.
-	* Conventionally `addon_<addonid>_widgets` (snake_case; MF names
-	* cannot contain hyphens).
-	*/
-	remoteName: zod.z.string(),
-	/**
 	* Bundle filename inside the addon's `dist/` dir served at
 	* `/api/addon-widgets/<addonId>/<bundle>`. With Module Federation
 	* this is always `'remoteEntry.js'` — the value is kept on the
@@ -2763,9 +3061,9 @@ var WidgetMetadataSchema = zod.z.object({
 	* cache-buster URL without a separate filesystem stat.
 	*/
 	bundle: zod.z.string(),
-	/** Where the widget makes sense to render. */
+	/** Every host the widget supports. The picker filters on this set. */
 	hosts: zod.z.array(WidgetHostEnum).readonly(),
-	/** Required props the host must supply. Validated at <WidgetSlot> mount. */
+	/** Required props the host must supply. Validated at `<WidgetSlot>` mount. */
 	requires: zod.z.object({
 		deviceContext: zod.z.boolean().default(false),
 		integrationContext: zod.z.boolean().default(false)
@@ -2829,6 +3127,16 @@ var InvokeReplyEnvelopeSchema = zod.z.object({
 	contentType: zod.z.string().optional()
 });
 method(zod.z.void(), zod.z.array(AddonHttpRouteSchema)), method(InvokeRequestSchema, InvokeReplyEnvelopeSchema, { kind: "mutation" });
+var ShmRingStatsSchema = zod.z.object({
+	sessionId: zod.z.string(),
+	slotCount: zod.z.number().int(),
+	slotByteLength: zod.z.number().int(),
+	segmentBytes: zod.z.number().int(),
+	budgetMb: zod.z.number().int(),
+	framesWritten: zod.z.number().int(),
+	getFrameHits: zod.z.number().int(),
+	getFrameMisses: zod.z.number().int()
+});
 method(zod.z.object({ codec: zod.z.string() }), zod.z.boolean()), method(zod.z.void(), zod.z.object({
 	id: zod.z.string(),
 	name: zod.z.string(),
@@ -2847,6 +3155,9 @@ method(zod.z.object({ codec: zod.z.string() }), zod.z.boolean()), method(zod.z.v
 	sessionId: zod.z.string(),
 	maxCount: zod.z.number().default(1)
 }), zod.z.array(DecodedFrameSchema)), method(zod.z.object({
+	sessionId: zod.z.string(),
+	maxCount: zod.z.number().default(1)
+}), zod.z.array(FrameHandleSchema)), method(zod.z.object({ handle: FrameHandleSchema }), DecodedFrameSchema.nullable()), method(zod.z.object({ sessionId: zod.z.string() }), ShmRingStatsSchema.nullable()), method(zod.z.object({
 	sessionId: zod.z.string(),
 	config: DecoderSessionConfigSchema.partial()
 }), zod.z.void()), method(zod.z.object({ sessionId: zod.z.string() }), DecoderStatsSchema), method(zod.z.void(), zod.z.array(zod.z.object({
@@ -4225,10 +4536,38 @@ var PtzMoveCommandSchema = zod.z.object({
 	zoom: zod.z.number().optional(),
 	speed: zod.z.number().optional()
 });
+PtzPositionSchema.extend({ autofocus: zod.z.boolean() });
+var PtzOptionsSchema = zod.z.object({
+	hasPan: zod.z.boolean(),
+	hasTilt: zod.z.boolean(),
+	hasZoom: zod.z.boolean(),
+	supportsPresets: zod.z.boolean(),
+	/** Max number of named presets the camera supports, when known. */
+	maxPresets: zod.z.number().optional(),
+	/** Whether the camera exposes a controllable autofocus toggle
+	*  (boolean `hasX` per the getOptions availability convention). */
+	hasAutofocus: zod.z.boolean()
+});
 DeviceType.Camera, method(PtzMoveCommandSchema.extend({ deviceId: zod.z.number() }), zod.z.void(), { kind: "mutation" }), method(PtzMoveCommandSchema.extend({ deviceId: zod.z.number() }), zod.z.void(), { kind: "mutation" }), method(zod.z.object({ deviceId: zod.z.number() }), zod.z.void(), { kind: "mutation" }), method(zod.z.object({ deviceId: zod.z.number() }), zod.z.array(PtzPresetSchema)), method(zod.z.object({
 	deviceId: zod.z.number(),
 	presetId: zod.z.string()
-}), zod.z.void(), { kind: "mutation" }), method(zod.z.object({ deviceId: zod.z.number() }), zod.z.void(), { kind: "mutation" }), method(zod.z.object({ deviceId: zod.z.number() }), PtzPositionSchema);
+}), zod.z.void(), { kind: "mutation" }), method(zod.z.object({
+	deviceId: zod.z.number(),
+	presetId: zod.z.string(),
+	name: zod.z.string()
+}), zod.z.void(), {
+	kind: "mutation",
+	auth: "admin"
+}), method(zod.z.object({
+	deviceId: zod.z.number(),
+	presetId: zod.z.string()
+}), zod.z.void(), {
+	kind: "mutation",
+	auth: "admin"
+}), method(zod.z.object({ deviceId: zod.z.number() }), PtzOptionsSchema), method(zod.z.object({ deviceId: zod.z.number() }), zod.z.void(), { kind: "mutation" }), method(zod.z.object({ deviceId: zod.z.number() }), PtzPositionSchema), method(zod.z.object({
+	deviceId: zod.z.number(),
+	enabled: zod.z.boolean()
+}), zod.z.void(), { kind: "mutation" });
 var EventItemSchema = zod.z.object({
 	id: zod.z.string(),
 	type: zod.z.string(),
@@ -4871,85 +5210,6 @@ authKey: zod.z.string().optional() }), zod.z.object({
 	/** Human-readable error when `ok: false`. */
 	error: zod.z.string().optional()
 }), { kind: "mutation" });
-var MethodAccessSchema = zod.z.enum([
-	"view",
-	"create",
-	"delete"
-]);
-var AllowedProviderSchema = zod.z.union([zod.z.literal("*"), zod.z.array(zod.z.string())]);
-var AllowedDevicesSchema = zod.z.record(zod.z.string(), zod.z.union([zod.z.literal("*"), zod.z.array(zod.z.string())]));
-var CapScopeSchema = zod.z.enum(["device", "system"]);
-var TokenScopeSchema = zod.z.discriminatedUnion("type", [
-	zod.z.object({
-		type: zod.z.literal("category"),
-		target: CapScopeSchema,
-		access: zod.z.array(MethodAccessSchema).min(1)
-	}),
-	zod.z.object({
-		type: zod.z.literal("capability"),
-		target: zod.z.string(),
-		access: zod.z.array(MethodAccessSchema).min(1)
-	}),
-	zod.z.object({
-		type: zod.z.literal("addon"),
-		target: zod.z.string(),
-		access: zod.z.array(MethodAccessSchema).min(1)
-	}),
-	zod.z.object({
-		type: zod.z.literal("device"),
-		/**
-		* One or more deviceIds (serialised as strings for wire-format
-		* consistency with the rest of the union). Matcher accepts if
-		* `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
-		* of one scope-per-device when granting access to a set of cameras.
-		*/
-		targets: zod.z.array(zod.z.string()).min(1),
-		access: zod.z.array(MethodAccessSchema).min(1)
-	})
-]);
-zod.z.object({
-	id: zod.z.string(),
-	username: zod.z.string(),
-	passwordHash: zod.z.string(),
-	/**
-	* Admin bypass. When true, the middleware skips the scope-access
-	* check entirely. There is no other axis of privilege; the legacy
-	* role enum collapsed onto this boolean in v2.
-	*/
-	isAdmin: zod.z.boolean().default(false),
-	allowedProviders: AllowedProviderSchema,
-	allowedDevices: AllowedDevicesSchema,
-	/**
-	* Scopes granted to this user. Admins bypass; their `scopes` is
-	* ignored. Non-admins without scopes are locked out of every
-	* protected call.
-	*/
-	scopes: zod.z.array(TokenScopeSchema).default([]),
-	createdAt: zod.z.number(),
-	updatedAt: zod.z.number()
-});
-zod.z.object({
-	id: zod.z.string(),
-	label: zod.z.string(),
-	isAdmin: zod.z.boolean().default(false),
-	allowedProviders: AllowedProviderSchema,
-	allowedDevices: AllowedDevicesSchema,
-	tokenHash: zod.z.string(),
-	tokenPrefix: zod.z.string(),
-	createdAt: zod.z.number(),
-	lastUsedAt: zod.z.number().optional()
-});
-zod.z.object({
-	id: zod.z.string(),
-	userId: zod.z.string(),
-	name: zod.z.string(),
-	tokenHash: zod.z.string(),
-	tokenPrefix: zod.z.string(),
-	scopes: zod.z.array(TokenScopeSchema),
-	expiresAt: zod.z.number().nullish(),
-	lastUsedAt: zod.z.number().nullish(),
-	createdAt: zod.z.number()
-});
 var UserSummarySchema = zod.z.object({
 	id: zod.z.string(),
 	username: zod.z.string(),
@@ -5022,6 +5282,16 @@ var CreateScopedTokenResultSchema = zod.z.object({
 	token: zod.z.string(),
 	record: ScopedTokenSummarySchema
 });
+var OauthSessionSummarySchema = zod.z.object({
+	id: zod.z.string(),
+	userId: zod.z.string(),
+	username: zod.z.string(),
+	integrationId: zod.z.string(),
+	scopes: zod.z.array(TokenScopeSchema),
+	createdAt: zod.z.number(),
+	lastUsedAt: zod.z.number(),
+	revokedAt: zod.z.number().nullable()
+});
 var TotpSetupResultSchema = zod.z.object({
 	secret: zod.z.string(),
 	otpauthUrl: zod.z.string()
@@ -5104,6 +5374,41 @@ method(zod.z.void(), zod.z.array(UserSummarySchema), { auth: "admin" }), method(
 }), zod.z.object({ valid: zod.z.boolean() }), {
 	kind: "mutation",
 	access: "view"
+}), method(zod.z.object({
+	integrationId: zod.z.string(),
+	userId: zod.z.string(),
+	username: zod.z.string(),
+	scopes: zod.z.array(TokenScopeSchema),
+	redirectUri: zod.z.string(),
+	hubUrl: zod.z.string()
+}), zod.z.object({ code: zod.z.string() }), {
+	kind: "mutation",
+	access: "create"
+}), method(zod.z.object({
+	code: zod.z.string(),
+	redirectUri: zod.z.string()
+}), zod.z.object({
+	accessToken: zod.z.string(),
+	refreshToken: zod.z.string(),
+	expiresIn: zod.z.number()
+}).nullable(), {
+	kind: "mutation",
+	access: "view"
+}), method(zod.z.object({ refreshToken: zod.z.string() }), zod.z.object({
+	accessToken: zod.z.string(),
+	refreshToken: zod.z.string(),
+	expiresIn: zod.z.number()
+}).nullable(), {
+	kind: "mutation",
+	access: "view"
+}), method(zod.z.object({ token: zod.z.string() }), zod.z.object({
+	userId: zod.z.string(),
+	username: zod.z.string(),
+	scopes: zod.z.array(TokenScopeSchema)
+}).nullable(), { access: "view" }), method(zod.z.void(), zod.z.array(OauthSessionSummarySchema), { auth: "admin" }), method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.boolean() }), {
+	kind: "mutation",
+	auth: "admin",
+	access: "delete"
 });
 var FeatureManifestSchema = zod.z.object({
 	streaming: zod.z.boolean(),
@@ -5272,7 +5577,13 @@ method(zod.z.void(), zod.z.array(TopologyNodeSchema).readonly(), { auth: "admin"
 }), RenameNodeResultSchema, {
 	kind: "mutation",
 	auth: "admin"
-}), method(zod.z.void(), zod.z.record(zod.z.string(), ClusterAddonStatusEntrySchema), { auth: "admin" }), method(zod.z.object({ nodeId: zod.z.string() }), zod.z.array(NodeAddonEntrySchema).readonly(), { auth: "admin" }), method(zod.z.object({
+}), method(zod.z.void(), zod.z.record(zod.z.string(), ClusterAddonStatusEntrySchema), { auth: "admin" }), method(zod.z.object({ windowSeconds: zod.z.number().int().positive().max(300).default(60) }), zod.z.array(zod.z.object({
+	callerAddonId: zod.z.string(),
+	providerAddonId: zod.z.string(),
+	capName: zod.z.string(),
+	callsPerMin: zod.z.number(),
+	lastCallAtMs: zod.z.number()
+})).readonly(), { auth: "admin" }), method(zod.z.object({ nodeId: zod.z.string() }), zod.z.array(NodeAddonEntrySchema).readonly(), { auth: "admin" }), method(zod.z.object({
 	nodeId: zod.z.string(),
 	level: zod.z.string()
 }), SuccessSchema, {
@@ -7510,6 +7821,16 @@ var StorageManager = class {
 	}
 };
 //#endregion
+//#region src/auth/scope-matcher.ts
+/**
+* True if the scope set grants `access` on device-scoped capabilities.
+* A `category:device` grant covers every device cap (the broad grant).
+* Mirrors the OR-semantics of the existing token scope matcher.
+*/
+function scopesAllowDeviceCap(scopes, access) {
+	return scopes.some((s) => s.type === "category" && s.target === "device" && s.access.includes(access));
+}
+//#endregion
 //#region src/notification/notification-service.ts
 /**
 * Central notification service that routes notifications to configured outputs.
@@ -8335,5 +8656,6 @@ exports.installPythonPackages = installPythonPackages;
 exports.installPythonRequirements = installPythonRequirements;
 exports.isModelDownloaded = isModelDownloaded;
 exports.loadTlsCert = loadTlsCert;
+exports.scopesAllowDeviceCap = scopesAllowDeviceCap;
 //# sourceMappingURL=index.js.map