@camstack/types 0.1.30 → 0.1.31

package/dist/{index-s8uJNgNs.js → index-BKifir_y.js}

@@ -3545,7 +3545,7 @@ const SettingsRecordSchema = zod.z.object({
 });
 const CollectionColumnSchema = zod.z.object({
   name: zod.z.string(),
-  type: zod.z.enum(["TEXT", "INTEGER", "REAL", "JSON"]),
+  type: zod.z.enum(["TEXT", "INTEGER", "REAL", "JSON", "BOOLEAN"]),
   primaryKey: zod.z.boolean().optional(),
   notNull: zod.z.boolean().optional(),
   unique: zod.z.boolean().optional()
@@ -3670,6 +3670,352 @@ const adminUiCapability = {
     getVersion: method(zod.z.void(), zod.z.string())
   }
 };
+const SsoBridgeClaimsSchema = zod.z.object({
+  userId: zod.z.string(),
+  username: zod.z.string(),
+  isAdmin: zod.z.boolean(),
+  provider: zod.z.string(),
+  email: zod.z.string().optional(),
+  displayName: zod.z.string().optional()
+});
+const ssoBridgeCapability = {
+  name: "sso-bridge",
+  scope: "system",
+  mode: "singleton",
+  internal: true,
+  methods: {
+    signBridgeToken: method(
+      zod.z.object({
+        claims: SsoBridgeClaimsSchema,
+        ttlSec: zod.z.number().int().positive().optional()
+      }),
+      zod.z.object({ token: zod.z.string() })
+    ),
+    verifyBridgeToken: method(
+      zod.z.object({ token: zod.z.string() }),
+      SsoBridgeClaimsSchema.nullable()
+    )
+  }
+};
+const PasskeySummarySchema = zod.z.object({
+  credentialId: zod.z.string(),
+  label: zod.z.string(),
+  createdAt: zod.z.number(),
+  lastUsedAt: zod.z.number().nullable(),
+  transports: zod.z.array(zod.z.string()).default([])
+});
+const userPasskeysCapability = {
+  name: "user-passkeys",
+  scope: "system",
+  mode: "collection",
+  internal: true,
+  methods: {
+    beginRegistration: method(
+      zod.z.object({ userId: zod.z.string(), username: zod.z.string() }),
+      // PublicKeyCredentialCreationOptionsJSON — opaque JSON shape from
+      // @simplewebauthn. The browser passes it straight to credentials.create().
+      zod.z.object({ optionsJSON: zod.z.record(zod.z.string(), zod.z.unknown()) }),
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    finishRegistration: method(
+      zod.z.object({
+        userId: zod.z.string(),
+        /** RegistrationResponseJSON from the browser. */
+        response: zod.z.record(zod.z.string(), zod.z.unknown()),
+        /** Operator-visible label (e.g. "MacBook Touch ID"). */
+        label: zod.z.string()
+      }),
+      zod.z.object({ success: zod.z.literal(true), credentialId: zod.z.string() }),
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    beginAuthentication: method(
+      // userId optional — when absent, the addon emits a "passkey discovery"
+      // (`allowCredentials: []`) so the browser shows every available
+      // credential. When present, only the user's credentials are allowed.
+      zod.z.object({ userId: zod.z.string().optional() }),
+      zod.z.object({ optionsJSON: zod.z.record(zod.z.string(), zod.z.unknown()) }),
+      { kind: "mutation", access: "view" }
+    ),
+    finishAuthentication: method(
+      zod.z.object({
+        /** Required — the user the assertion belongs to (verified). */
+        userId: zod.z.string(),
+        /** AuthenticationResponseJSON from the browser. */
+        response: zod.z.record(zod.z.string(), zod.z.unknown())
+      }),
+      zod.z.object({ verified: zod.z.boolean() }),
+      { kind: "mutation", access: "view" }
+    ),
+    listPasskeys: method(
+      zod.z.object({ userId: zod.z.string() }),
+      zod.z.array(PasskeySummarySchema),
+      { auth: "admin" }
+    ),
+    removePasskey: method(
+      zod.z.object({ userId: zod.z.string(), credentialId: zod.z.string() }),
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "delete" }
+    )
+  }
+};
+const EmailAddressSchema = zod.z.string().email();
+const SendEmailInputSchema = zod.z.object({
+  to: zod.z.union([EmailAddressSchema, zod.z.array(EmailAddressSchema).min(1)]),
+  cc: zod.z.array(EmailAddressSchema).optional(),
+  bcc: zod.z.array(EmailAddressSchema).optional(),
+  /** RFC 5322 `From` field. Most relays will reject if the domain
+   *  isn't authorised — the addon is responsible for substituting a
+   *  sane default when omitted. */
+  from: zod.z.string().optional(),
+  /** Optional `Reply-To` override. */
+  replyTo: zod.z.string().optional(),
+  subject: zod.z.string(),
+  /** Plain-text body. Required even when `html` is present (fallback
+   *  for clients that strip HTML — including most spam filters). */
+  text: zod.z.string(),
+  /** Optional HTML body. Renders alongside `text` as multi-part. */
+  html: zod.z.string().optional()
+});
+const SendEmailResultSchema = zod.z.object({
+  messageId: zod.z.string(),
+  accepted: zod.z.array(EmailAddressSchema).default([]),
+  rejected: zod.z.array(EmailAddressSchema).default([])
+});
+const SmtpStatusSchema = zod.z.object({
+  /** True iff the addon has successfully verified the relay. */
+  ready: zod.z.boolean(),
+  /** Operator-visible host string (no credentials). */
+  host: zod.z.string(),
+  /** Last error message reported by the relay, when not ready. */
+  error: zod.z.string().optional(),
+  /** Last successful verify timestamp (unix ms). */
+  lastVerifiedAt: zod.z.number().optional()
+});
+const smtpProviderCapability = {
+  name: "smtp-provider",
+  scope: "system",
+  mode: "collection",
+  internal: true,
+  methods: {
+    sendEmail: method(
+      SendEmailInputSchema,
+      SendEmailResultSchema,
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    /** Round-trip ping against the SMTP relay (EHLO + AUTH if configured).
+     *  Used by the operator's "Test connection" button. */
+    verify: method(
+      zod.z.void(),
+      SmtpStatusSchema,
+      { kind: "mutation", auth: "admin", access: "view" }
+    ),
+    getStatus: method(
+      zod.z.void(),
+      SmtpStatusSchema,
+      { auth: "admin" }
+    )
+  }
+};
+const QosSchema = zod.z.union([zod.z.literal(0), zod.z.literal(1), zod.z.literal(2)]);
+const PublishInputSchema = zod.z.object({
+  topic: zod.z.string(),
+  /** UTF-8 payload. Binary payloads must be base64-encoded by the caller. */
+  payload: zod.z.string(),
+  qos: QosSchema.default(0),
+  retain: zod.z.boolean().default(false)
+});
+const SubscribeInputSchema = zod.z.object({
+  /** MQTT topic filter (supports `+` single-level and `#` multi-level wildcards). */
+  topic: zod.z.string(),
+  qos: QosSchema.default(0),
+  /**
+   * Caller-supplied owner tag. Useful for debugging + the
+   * `listSubscriptions` admin view ("which consumer owns this?").
+   * When omitted, the addon synthesizes one from the caller's addon id.
+   */
+  owner: zod.z.string().optional()
+});
+const SubscribeResultSchema = zod.z.object({
+  success: zod.z.literal(true),
+  /** Server-generated subscription id. Pass to `unsubscribe` to release. */
+  subscriptionId: zod.z.string()
+});
+const UnsubscribeInputSchema = zod.z.object({
+  /** Subscription id from `subscribe`. */
+  subscriptionId: zod.z.string()
+});
+const MqttStatusSchema = zod.z.object({
+  /** True iff the addon has an active connection to the broker. */
+  connected: zod.z.boolean(),
+  /** Operator-visible host string (e.g. `mqtt://broker.example:1883`). */
+  brokerUrl: zod.z.string(),
+  /** Active subscription count (per-owner, NOT broker-side topic count). */
+  subscriptionCount: zod.z.number().int(),
+  /** Last error reported by the broker. */
+  error: zod.z.string().optional(),
+  /** Last successful connection timestamp (unix ms). */
+  connectedAt: zod.z.number().optional()
+});
+const SubscriptionInfoSchema = zod.z.object({
+  subscriptionId: zod.z.string(),
+  topic: zod.z.string(),
+  qos: QosSchema,
+  owner: zod.z.string(),
+  /** When this individual subscription was created. */
+  createdAt: zod.z.number()
+});
+const mqttProviderCapability = {
+  name: "mqtt-provider",
+  scope: "system",
+  mode: "collection",
+  internal: true,
+  methods: {
+    /** Publish a message. Lazy-opens the connection if not yet active. */
+    publish: method(
+      PublishInputSchema,
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    /**
+     * Subscribe to a topic. Returns a `subscriptionId` to pass to
+     * `unsubscribe`. The addon refcounts broker subscriptions —
+     * multiple consumers on the same topic share one upstream sub.
+     * Messages arrive on `mqtt.message` events with `subscriptionIds[]`
+     * listing which subscriptions matched.
+     */
+    subscribe: method(
+      SubscribeInputSchema,
+      SubscribeResultSchema,
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    /** Release a specific subscription. Tears down the broker sub
+     *  only when the last owner releases. Idempotent. */
+    unsubscribe: method(
+      UnsubscribeInputSchema,
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "delete" }
+    ),
+    /** List active per-owner subscriptions on this provider. */
+    listSubscriptions: method(
+      zod.z.void(),
+      zod.z.array(SubscriptionInfoSchema),
+      { auth: "admin" }
+    ),
+    getStatus: method(
+      zod.z.void(),
+      MqttStatusSchema,
+      { auth: "admin" }
+    )
+  }
+};
+const HaServiceCallSchema = zod.z.object({
+  /** HA domain (e.g. `light`, `switch`, `notify`). */
+  domain: zod.z.string(),
+  /** HA service (e.g. `turn_on`, `toggle`). */
+  service: zod.z.string(),
+  /** Service-specific data payload (e.g. `{entity_id: 'light.kitchen', brightness: 200}`). */
+  serviceData: zod.z.record(zod.z.string(), zod.z.unknown()).optional(),
+  /** Optional target spec (entity_id / device_id / area_id). */
+  target: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
+});
+const HaStateSchema = zod.z.object({
+  entity_id: zod.z.string(),
+  state: zod.z.string(),
+  attributes: zod.z.record(zod.z.string(), zod.z.unknown()).default({}),
+  last_changed: zod.z.string().optional(),
+  last_updated: zod.z.string().optional()
+});
+const HaStatusSchema = zod.z.object({
+  connected: zod.z.boolean(),
+  host: zod.z.string(),
+  /** Active per-owner subscription count. */
+  subscriptionCount: zod.z.number().int(),
+  /** Last error reported by the WebSocket. */
+  error: zod.z.string().optional(),
+  /** HA version reported during the auth handshake, when reachable. */
+  haVersion: zod.z.string().optional(),
+  connectedAt: zod.z.number().optional()
+});
+const HaSubscribeInputSchema = zod.z.object({
+  /**
+   * Specific HA event type to subscribe to (`state_changed`,
+   * `service_called`, etc.). Empty string = all events (firehose —
+   * only for debugging).
+   */
+  eventType: zod.z.string().optional(),
+  /** Caller-supplied tag for listSubscriptions debugging. */
+  owner: zod.z.string().optional()
+});
+const HaSubscribeResultSchema = zod.z.object({
+  success: zod.z.literal(true),
+  subscriptionId: zod.z.string()
+});
+const HaUnsubscribeInputSchema = zod.z.object({
+  subscriptionId: zod.z.string()
+});
+const HaSubscriptionInfoSchema = zod.z.object({
+  subscriptionId: zod.z.string(),
+  /** Empty string when subscribed to ALL events. */
+  eventType: zod.z.string(),
+  owner: zod.z.string(),
+  createdAt: zod.z.number()
+});
+const homeAssistantCapability = {
+  name: "home-assistant",
+  scope: "system",
+  mode: "collection",
+  internal: true,
+  methods: {
+    /**
+     * Subscribe to HA events. Returns a `subscriptionId` to pass to
+     * `unsubscribeEvents`. The addon refcounts upstream subscriptions
+     * so multiple consumers share one HA-side event stream.
+     * Events arrive on the kernel bus under `home-assistant.event`
+     * with `subscriptionIds[]` listing which subs matched.
+     */
+    subscribeEvents: method(
+      HaSubscribeInputSchema,
+      HaSubscribeResultSchema,
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    /** Release a specific subscription. Tears down the upstream sub
+     *  only when the last owner releases. Idempotent. */
+    unsubscribeEvents: method(
+      HaUnsubscribeInputSchema,
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "delete" }
+    ),
+    /**
+     * Call an HA service (turn light on, run a script, etc.). Returns
+     * the HA response object — usually `{context, response: ...}`.
+     */
+    callService: method(
+      HaServiceCallSchema,
+      zod.z.object({ result: zod.z.unknown() }),
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    /** Fetch all entity states. Cheap snapshot — HA returns the full
+     *  state registry on every call. */
+    getStates: method(
+      zod.z.void(),
+      zod.z.array(HaStateSchema).readonly(),
+      { auth: "admin" }
+    ),
+    /** Fetch a single entity's current state. `null` when not found. */
+    getState: method(
+      zod.z.object({ entityId: zod.z.string() }),
+      HaStateSchema.nullable(),
+      { auth: "admin" }
+    ),
+    /** List active per-owner subscriptions. */
+    listSubscriptions: method(
+      zod.z.void(),
+      zod.z.array(HaSubscriptionInfoSchema).readonly(),
+      { auth: "admin" }
+    ),
+    getStatus: method(zod.z.void(), HaStatusSchema, { auth: "admin" })
+  }
+};
 const AddonPageDeclarationSchema$1 = zod.z.object({
   id: zod.z.string(),
   label: zod.z.string(),
@@ -3783,7 +4129,35 @@ const addonWidgetsCapability = {
 };
 const AddonHttpRouteSchema = zod.z.object({
   method: zod.z.enum(["GET", "POST", "PUT", "DELETE", "PATCH"]),
-  path: zod.z.string()
+  path: zod.z.string(),
+  access: zod.z.enum(["public", "authenticated", "admin"]).optional(),
+  description: zod.z.string().optional()
+});
+const InvokeRequestSchema = zod.z.object({
+  method: zod.z.string(),
+  path: zod.z.string(),
+  params: zod.z.record(zod.z.string(), zod.z.string()),
+  query: zod.z.record(zod.z.string(), zod.z.string()),
+  body: zod.z.unknown(),
+  headers: zod.z.record(zod.z.string(), zod.z.string()),
+  user: zod.z.object({
+    id: zod.z.string(),
+    username: zod.z.string(),
+    isAdmin: zod.z.boolean()
+  }).optional(),
+  scopedToken: zod.z.unknown().optional()
+});
+const InvokeReplyEnvelopeSchema = zod.z.object({
+  status: zod.z.number().int(),
+  headers: zod.z.record(zod.z.string(), zod.z.string()),
+  /** When set, the hub MUST `reply.redirect(redirectUrl)` instead of
+   *  sending `body`. Status defaults to 302 when this is set unless
+   *  the handler called `reply.code(...)` explicitly. */
+  redirectUrl: zod.z.string().nullable(),
+  /** JSON-serializable body. `undefined` is treated as "no body". */
+  body: zod.z.unknown().optional(),
+  /** Set when the handler called `reply.type(mime)`. */
+  contentType: zod.z.string().optional()
 });
 const addonRoutesCapability = {
   name: "addon-routes",
@@ -3791,7 +4165,16 @@ const addonRoutesCapability = {
   mode: "collection",
   internal: true,
   methods: {
-    getRoutes: method(zod.z.void(), zod.z.array(AddonHttpRouteSchema))
+    getRoutes: method(zod.z.void(), zod.z.array(AddonHttpRouteSchema)),
+    /**
+     * Cross-process dispatch entry point. Forked addons implement this
+     * (via `buildAddonRouteProvider`) so the hub's Fastify catch-all
+     * can route through Moleculer when the handler lives in a worker.
+     *
+     * Local addons can implement it for free with the same helper;
+     * the hub bypasses the wire on co-located addons.
+     */
+    invoke: method(InvokeRequestSchema, InvokeReplyEnvelopeSchema, { kind: "mutation" })
   }
 };
 const HWACCEL_OPTIONS = [
@@ -5327,7 +5710,14 @@ const AuthResultSchema = zod.z.object({
   username: zod.z.string(),
   email: zod.z.string().optional(),
   displayName: zod.z.string().optional(),
-  roles: zod.z.array(zod.z.string()).optional()
+  /**
+   * Whether the authenticating user is an admin. The auth-provider
+   * surface returns this so the server's login flow can mint a JWT
+   * with the correct bypass flag. Non-admin users authenticated via
+   * an external IdP still need their scopes assigned by an admin via
+   * `setUserScopes` — the SSO flow doesn't carry permissions.
+   */
+  isAdmin: zod.z.boolean().default(false)
 });
 const authProviderCapability = {
   name: "auth-provider",
@@ -5348,6 +5738,14 @@ const authProviderCapability = {
 const AuthProviderInfoSchema = zod.z.object({
   /** Stable id matching the addon id (used for `getLoginUrl({addonId,…})`). */
   addonId: zod.z.string(),
+  /**
+   * Per-instance id when one addon registers multiple "logical"
+   * providers (e.g. OIDC with Google + Microsoft + custom). The login
+   * URL becomes `/addon/${addonId}/${instanceId}/start` — handler reads
+   * `:instanceId` from the route. Empty/unset means the addon is a
+   * single-instance provider; the URL is `/addon/${addonId}/start`.
+   */
+  instanceId: zod.z.string().optional(),
   /** Display label shown on the login button + admin row. */
   displayName: zod.z.string(),
   /** Optional iconography hint (lucide-react icon name OR emoji). */
@@ -5358,6 +5756,8 @@ const AuthProviderInfoSchema = zod.z.object({
   /** When true, the provider exposes a credential-form login flow
    *  (`validateCredentials` accepts username + password). */
   hasCredentialFlow: zod.z.boolean(),
+  /** Provider kind, drives admin-UI hint dispatch (oidc / saml / totp / …). */
+  kind: zod.z.string().optional(),
   /** Operator-facing status string (e.g. "Connected to https://login.acme.com"). */
   status: zod.z.string().optional(),
   /** When false, the provider is registered but disabled by config; the
@@ -7127,6 +7527,35 @@ const meshNetworkCapability = {
       MeshIngressConfigSchema,
       zod.z.object({ success: zod.z.literal(true) }),
       { kind: "mutation" }
+    ),
+    /**
+     * Probe the mesh daemon / API for a sanity check WITHOUT joining.
+     * Operator-facing "test connection" button: validates the auth key
+     * + reaches the control plane and reports back what would happen
+     * on join.
+     *
+     * Tailscale: dry-runs `tailscale up --auth-key=… --reset` against
+     * an idempotency probe; for an already-joined node it just returns
+     * the current status.
+     */
+    testConnection: method(
+      zod.z.object({
+        /** Optional auth key — when provided, probes the key validity
+         *  against the provider's API. Omit when already joined to
+         *  just ping the daemon. */
+        authKey: zod.z.string().optional()
+      }),
+      zod.z.object({
+        ok: zod.z.boolean(),
+        /** Provider-side identifier resolved by the probe (tailnet
+         *  name for Tailscale, network id for ZeroTier, etc.). */
+        tenant: zod.z.string().optional(),
+        /** Daemon binary version, when reachable. */
+        daemonVersion: zod.z.string().optional(),
+        /** Human-readable error when `ok: false`. */
+        error: zod.z.string().optional()
+      }),
+      { kind: "mutation" }
     )
   }
 };
@@ -7184,26 +7613,54 @@ const meshOrchestratorCapability = {
     )
   }
 };
-const UserRoleSchema = zod.z.enum(["admin", "viewer", "agent", "scoped"]);
+const MethodAccessSchema = zod.z.enum(["view", "create", "delete"]);
 const AllowedProviderSchema = zod.z.union([zod.z.literal("*"), zod.z.array(zod.z.string())]);
 const AllowedDevicesSchema = zod.z.record(zod.z.string(), zod.z.union([zod.z.literal("*"), zod.z.array(zod.z.string())]));
-const MethodAccessSchema = zod.z.enum(["view", "create", "delete"]);
-const TokenScopeSchema = zod.z.object({
-  type: zod.z.enum(["addon", "capability"]),
-  target: zod.z.string(),
-  access: zod.z.array(MethodAccessSchema).min(1)
-});
+const CapScopeSchema = zod.z.enum(["device", "system"]);
+const TokenScopeSchema = zod.z.discriminatedUnion("type", [
+  zod.z.object({
+    type: zod.z.literal("category"),
+    target: CapScopeSchema,
+    access: zod.z.array(MethodAccessSchema).min(1)
+  }),
+  zod.z.object({
+    type: zod.z.literal("capability"),
+    target: zod.z.string(),
+    access: zod.z.array(MethodAccessSchema).min(1)
+  }),
+  zod.z.object({
+    type: zod.z.literal("addon"),
+    target: zod.z.string(),
+    access: zod.z.array(MethodAccessSchema).min(1)
+  }),
+  zod.z.object({
+    type: zod.z.literal("device"),
+    /**
+     * One or more deviceIds (serialised as strings for wire-format
+     * consistency with the rest of the union). Matcher accepts if
+     * `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
+     * of one scope-per-device when granting access to a set of cameras.
+     */
+    targets: zod.z.array(zod.z.string()).min(1),
+    access: zod.z.array(MethodAccessSchema).min(1)
+  })
+]);
 const UserRecordSchema = zod.z.object({
   id: zod.z.string(),
   username: zod.z.string(),
   passwordHash: zod.z.string(),
-  role: UserRoleSchema,
+  /**
+   * Admin bypass. When true, the middleware skips the scope-access
+   * check entirely. There is no other axis of privilege; the legacy
+   * role enum collapsed onto this boolean in v2.
+   */
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: AllowedProviderSchema,
   allowedDevices: AllowedDevicesSchema,
   /**
-   * Scopes granted to this user. Admins bypass; their `scopes` is ignored.
-   * Non-admins (`viewer`, `agent`, `scoped`) without scopes are locked out
-   * of every protected call.
+   * Scopes granted to this user. Admins bypass; their `scopes` is
+   * ignored. Non-admins without scopes are locked out of every
+   * protected call.
    */
   scopes: zod.z.array(TokenScopeSchema).default([]),
   createdAt: zod.z.number(),
@@ -7212,7 +7669,7 @@ const UserRecordSchema = zod.z.object({
 const ApiKeyRecordSchema = zod.z.object({
   id: zod.z.string(),
   label: zod.z.string(),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: AllowedProviderSchema,
   allowedDevices: AllowedDevicesSchema,
   tokenHash: zod.z.string(),
@@ -7236,7 +7693,7 @@ const ScopedTokenSchema = zod.z.object({
 const UserSummarySchema = zod.z.object({
   id: zod.z.string(),
   username: zod.z.string(),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])),
   scopes: zod.z.array(TokenScopeSchema).default([]),
@@ -7246,14 +7703,14 @@ const UserSummarySchema = zod.z.object({
 const CreateUserInputSchema = zod.z.object({
   username: zod.z.string(),
   password: zod.z.string().min(6),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]).optional(),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])).optional(),
   scopes: zod.z.array(TokenScopeSchema).optional()
 });
 const UpdateUserInputSchema = zod.z.object({
   id: zod.z.string(),
-  role: UserRoleSchema.optional(),
+  isAdmin: zod.z.boolean().optional(),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]).optional(),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])).optional(),
   scopes: zod.z.array(TokenScopeSchema).optional()
@@ -7261,7 +7718,7 @@ const UpdateUserInputSchema = zod.z.object({
 const ApiKeySummarySchema = zod.z.object({
   id: zod.z.string(),
   label: zod.z.string(),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]).optional(),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])).optional(),
   tokenPrefix: zod.z.string(),
@@ -7270,7 +7727,7 @@ const ApiKeySummarySchema = zod.z.object({
 });
 const CreateApiKeyInputSchema = zod.z.object({
   label: zod.z.string(),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]).optional(),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])).optional()
 });
@@ -7284,16 +7741,11 @@ const ScopedTokenSummarySchema = zod.z.object({
   name: zod.z.string(),
   tokenPrefix: zod.z.string(),
   scopes: zod.z.array(TokenScopeSchema),
-  // Mirror the storage schema: `.nullish()` accepts the SQLite-native
-  // `null` for absent timestamps as well as in-memory `undefined`.
   expiresAt: zod.z.number().nullish(),
   lastUsedAt: zod.z.number().nullish(),
   createdAt: zod.z.number()
 });
 const CreateScopedTokenInputSchema = zod.z.object({
-  // The owner the token is issued on behalf of. `adminProcedure` gates
-  // this call so an admin can mint tokens for any user; the CLI passes
-  // its own logged-in `user.id` here.
   userId: zod.z.string(),
   name: zod.z.string(),
   scopes: zod.z.array(TokenScopeSchema),
@@ -7303,45 +7755,85 @@ const CreateScopedTokenResultSchema = zod.z.object({
   token: zod.z.string(),
   record: ScopedTokenSummarySchema
 });
+const TotpSetupResultSchema = zod.z.object({
+  secret: zod.z.string(),
+  otpauthUrl: zod.z.string()
+});
+const TotpStatusSchema = zod.z.object({
+  /** True iff `confirmedAt != null` — a pending half-enrollment is reported as `enabled: false`. */
+  enabled: zod.z.boolean(),
+  /** Null when no row exists OR the row is still pending confirmation. */
+  confirmedAt: zod.z.number().nullable()
+});
 const userManagementCapability = {
   name: "user-management",
   scope: "system",
   mode: "singleton",
   methods: {
-    // ── Users ──────────────────────────────────────────────────────
     listUsers: method(zod.z.void(), zod.z.array(UserSummarySchema), { auth: "admin" }),
-    createUser: method(CreateUserInputSchema, UserSummarySchema, { kind: "mutation", auth: "admin" }),
-    updateUser: method(UpdateUserInputSchema, zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin" }),
-    deleteUser: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin" }),
+    createUser: method(CreateUserInputSchema, UserSummarySchema, { kind: "mutation", auth: "admin", access: "create" }),
+    updateUser: method(UpdateUserInputSchema, zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin", access: "create" }),
+    deleteUser: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin", access: "delete" }),
     resetPassword: method(
       zod.z.object({ id: zod.z.string(), newPassword: zod.z.string().min(6) }),
       zod.z.object({ success: zod.z.literal(true) }),
-      { kind: "mutation", auth: "admin" }
+      { kind: "mutation", auth: "admin", access: "create" }
     ),
-    /**
-     * Replace the scope set on a user. Subset check: the caller's scopes
-     * must include every requested scope+access (admin bypasses).
-     */
     setUserScopes: method(
       zod.z.object({ userId: zod.z.string(), scopes: zod.z.array(TokenScopeSchema) }),
       zod.z.object({ success: zod.z.literal(true) }),
-      { kind: "mutation", auth: "admin" }
+      { kind: "mutation", auth: "admin", access: "create" }
     ),
     validateCredentials: method(
       zod.z.object({ username: zod.z.string(), password: zod.z.string() }),
       UserSummarySchema.extend({ passwordHash: zod.z.string() }).nullable(),
-      { kind: "mutation" }
+      { kind: "mutation", access: "view" }
     ),
-    // ── API Keys ──────────────────────────────────────────────────
     listApiKeys: method(zod.z.void(), zod.z.array(ApiKeySummarySchema), { auth: "admin" }),
-    createApiKey: method(CreateApiKeyInputSchema, CreateApiKeyResultSchema, { kind: "mutation", auth: "admin" }),
-    revokeApiKey: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin" }),
-    validateApiKey: method(zod.z.object({ token: zod.z.string() }), ApiKeySummarySchema.nullable(), { kind: "mutation" }),
-    // ── Scoped Tokens ─────────────────────────────────────────────
-    createScopedToken: method(CreateScopedTokenInputSchema, CreateScopedTokenResultSchema, { kind: "mutation", auth: "admin" }),
-    revokeScopedToken: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin" }),
-    validateScopedToken: method(zod.z.object({ token: zod.z.string() }), ScopedTokenSummarySchema.nullable()),
-    listScopedTokens: method(zod.z.object({ userId: zod.z.string() }), zod.z.array(ScopedTokenSummarySchema), { auth: "admin" })
+    createApiKey: method(CreateApiKeyInputSchema, CreateApiKeyResultSchema, { kind: "mutation", auth: "admin", access: "create" }),
+    revokeApiKey: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin", access: "delete" }),
+    validateApiKey: method(zod.z.object({ token: zod.z.string() }), ApiKeySummarySchema.nullable(), { kind: "mutation", access: "view" }),
+    createScopedToken: method(CreateScopedTokenInputSchema, CreateScopedTokenResultSchema, { kind: "mutation", auth: "admin", access: "create" }),
+    revokeScopedToken: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin", access: "delete" }),
+    validateScopedToken: method(zod.z.object({ token: zod.z.string() }), ScopedTokenSummarySchema.nullable(), { access: "view" }),
+    listScopedTokens: method(zod.z.object({ userId: zod.z.string() }), zod.z.array(ScopedTokenSummarySchema), { auth: "admin" }),
+    // ── TOTP / 2FA ─────────────────────────────────────────────────
+    //
+    // Setup → Confirm → (Verify on login) → Disable.
+    //
+    // Admin-only for now: operator enrolls TOTP on a user's behalf by
+    // pairing their authenticator with the returned QR. Self-service
+    // enrollment is a follow-up (needs the cap framework to expose the
+    // caller's identity to the provider so the provider can enforce
+    // self-or-admin).
+    setupTotp: method(
+      zod.z.object({ userId: zod.z.string() }),
+      TotpSetupResultSchema,
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    confirmTotp: method(
+      zod.z.object({ userId: zod.z.string(), code: zod.z.string() }),
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    disableTotp: method(
+      zod.z.object({ userId: zod.z.string() }),
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "delete" }
+    ),
+    getTotpStatus: method(
+      zod.z.object({ userId: zod.z.string() }),
+      TotpStatusSchema,
+      { auth: "admin" }
+    ),
+    // Public (no `auth`) — used by the login flow's second-step
+    // challenge endpoint. The userId comes from the password-validation
+    // step (signed bridge token), so this method is not a free oracle.
+    verifyTotp: method(
+      zod.z.object({ userId: zod.z.string(), code: zod.z.string() }),
+      zod.z.object({ valid: zod.z.boolean() }),
+      { kind: "mutation", access: "view" }
+    )
   }
 };
 const FeatureManifestSchema = zod.z.object({
@@ -8027,6 +8519,7 @@ exports.CameraCredentialsStatusSchema = CameraCredentialsStatusSchema;
 exports.CameraMetricsSchema = CameraMetricsSchema;
 exports.CameraMetricsWithDeviceIdSchema = CameraMetricsWithDeviceIdSchema;
 exports.CameraStreamSchema = CameraStreamSchema;
+exports.CapScopeSchema = CapScopeSchema;
 exports.CapabilityBindingsSchema = CapabilityBindingsSchema;
 exports.ChargingStatus = ChargingStatus;
 exports.ClientNetworkStatsSchema = ClientNetworkStatsSchema;
@@ -8081,6 +8574,9 @@ exports.FinalizeUploadInputSchema = FinalizeUploadInputSchema;
 exports.FrameInputSchema = FrameInputSchema;
 exports.GlobalMetricsSchema = GlobalMetricsSchema;
 exports.HWACCEL_OPTIONS = HWACCEL_OPTIONS;
+exports.HaServiceCallSchema = HaServiceCallSchema;
+exports.HaStateSchema = HaStateSchema;
+exports.HaStatusSchema = HaStatusSchema;
 exports.HealthStatusSchema = HealthStatusSchema;
 exports.HistoryPointSchema = HistoryPointSchema;
 exports.HistoryResolutionEnum = HistoryResolutionEnum;
@@ -8105,6 +8601,7 @@ exports.MotionSourcesSchema = MotionSourcesSchema;
 exports.MotionStatusSchema = MotionStatusSchema;
 exports.MotionTriggerRuntimeStateSchema = MotionTriggerRuntimeStateSchema;
 exports.MotionTriggerStatusSchema = MotionTriggerStatusSchema;
+exports.MqttStatusSchema = MqttStatusSchema;
 exports.NativeDetectionSchema = NativeDetectionSchema;
 exports.NativeObjectClassEnum = NativeObjectClassEnum;
 exports.NativeObjectDetectionStatusSchema = NativeObjectDetectionStatusSchema;
@@ -8125,6 +8622,7 @@ exports.PIPELINE_FLOW_CAPABILITY_NAMES = PIPELINE_FLOW_CAPABILITY_NAMES;
 exports.PIPELINE_OWNER_CAPABILITY_NAMES = PIPELINE_OWNER_CAPABILITY_NAMES;
 exports.PackageUpdateSchema = PackageUpdateSchema;
 exports.PackageVersionInfoSchema = PackageVersionInfoSchema;
+exports.PasskeySummarySchema = PasskeySummarySchema;
 exports.PcmSampleFormatSchema = PcmSampleFormatSchema;
 exports.PerScopeBreakdownSchema = PerScopeBreakdownSchema;
 exports.PipelineAssignmentSchema = PipelineAssignmentSchema;
@@ -8145,6 +8643,7 @@ exports.PtzAutotrackTargetOptionSchema = PtzAutotrackTargetOptionSchema;
 exports.PtzMoveCommandSchema = PtzMoveCommandSchema;
 exports.PtzPositionSchema = PtzPositionSchema;
 exports.PtzPresetSchema = PtzPresetSchema;
+exports.PublishInputSchema = PublishInputSchema;
 exports.QueryFilterSchema = QueryFilterSchema;
 exports.ReadChunkInputSchema = ReadChunkInputSchema;
 exports.RegisteredStreamSchema = RegisteredStreamSchema;
@@ -8161,12 +8660,16 @@ exports.ScopedTokenSchema = ScopedTokenSchema;
 exports.ScopedTokenSummarySchema = ScopedTokenSummarySchema;
 exports.SearchResultSchema = SearchResultSchema;
 exports.SegmentSchema = SegmentSchema;
+exports.SendEmailInputSchema = SendEmailInputSchema;
+exports.SendEmailResultSchema = SendEmailResultSchema;
 exports.SettingsPatchSchema = SettingsPatchSchema;
 exports.SettingsRecordSchema = SettingsRecordSchema;
 exports.SettingsSchemaWithValuesSchema = SettingsSchemaWithValuesSchema;
 exports.SettingsUpdateResultSchema = SettingsUpdateResultSchema;
+exports.SmtpStatusSchema = SmtpStatusSchema;
 exports.SnapshotImageSchema = SnapshotImageSchema;
 exports.SpatialDetectionSchema = SpatialDetectionSchema;
+exports.SsoBridgeClaimsSchema = SsoBridgeClaimsSchema;
 exports.StorageLocationRefSchema = StorageLocationRefSchema;
 exports.StorageLocationSchema = StorageLocationSchema;
 exports.StorageLocationTypeSchema = StorageLocationTypeSchema;
@@ -8175,6 +8678,8 @@ exports.StreamInfoSchema = StreamInfoSchema;
 exports.StreamNetworkStatsSchema = StreamNetworkStatsSchema;
 exports.StreamSourceEntrySchema = StreamSourceEntrySchema$1;
 exports.StreamSourceSchema = StreamSourceSchema;
+exports.SubscribeInputSchema = SubscribeInputSchema;
+exports.SubscriptionInfoSchema = SubscriptionInfoSchema;
 exports.SwitchStatusSchema = SwitchStatusSchema;
 exports.SystemMetricsSchema = SystemMetricsSchema;
 exports.TestConnectionResultSchema = TestConnectionResultSchema;
@@ -8192,7 +8697,6 @@ exports.TurnServerSchema = TurnServerSchema;
 exports.UpdateIntegrationInputSchema = UpdateIntegrationInputSchema;
 exports.UpdateUserInputSchema = UpdateUserInputSchema;
 exports.UserRecordSchema = UserRecordSchema;
-exports.UserRoleSchema = UserRoleSchema;
 exports.UserSummarySchema = UserSummarySchema;
 exports.WELL_KNOWN_TABS = WELL_KNOWN_TABS;
 exports.WELL_KNOWN_TAB_MAP = WELL_KNOWN_TAB_MAP;
@@ -8250,6 +8754,7 @@ exports.eventsCapability = eventsCapability;
 exports.expandCapMethods = expandCapMethods;
 exports.featureProbeCapability = featureProbeCapability;
 exports.getAudioMacroClassIds = getAudioMacroClassIds;
+exports.homeAssistantCapability = homeAssistantCapability;
 exports.hydrateSchema = hydrateSchema;
 exports.integrationsCapability = integrationsCapability;
 exports.intercomCapability = intercomCapability;
@@ -8263,6 +8768,7 @@ exports.metricsProviderCapability = metricsProviderCapability;
 exports.motionCapability = motionCapability;
 exports.motionDetectionCapability = motionDetectionCapability;
 exports.motionTriggerCapability = motionTriggerCapability;
+exports.mqttProviderCapability = mqttProviderCapability;
 exports.nativeObjectDetectionCapability = nativeObjectDetectionCapability;
 exports.networkAccessCapability = networkAccessCapability;
 exports.networkQualityCapability = networkQualityCapability;
@@ -8283,8 +8789,10 @@ exports.remoteAccessCapability = remoteAccessCapability;
 exports.resolveDeviceProfile = resolveDeviceProfile;
 exports.restreamerCapability = restreamerCapability;
 exports.settingsStoreCapability = settingsStoreCapability;
+exports.smtpProviderCapability = smtpProviderCapability;
 exports.snapshotCapability = snapshotCapability;
 exports.snapshotProviderCapability = snapshotProviderCapability;
+exports.ssoBridgeCapability = ssoBridgeCapability;
 exports.storageCapability = storageCapability;
 exports.storageProviderCapability = storageProviderCapability;
 exports.streamBrokerCapability = streamBrokerCapability;
@@ -8295,10 +8803,11 @@ exports.toastCapability = toastCapability;
 exports.turnOrchestratorCapability = turnOrchestratorCapability;
 exports.turnProviderCapability = turnProviderCapability;
 exports.userManagementCapability = userManagementCapability;
+exports.userPasskeysCapability = userPasskeysCapability;
 exports.webrtcCapability = webrtcCapability;
 exports.webrtcClientHintsSchema = webrtcClientHintsSchema;
 exports.webrtcSessionCapability = webrtcSessionCapability;
 exports.zoneAnalyticsCapability = zoneAnalyticsCapability;
 exports.zoneRulesCapability = zoneRulesCapability;
 exports.zonesCapability = zonesCapability;
-//# sourceMappingURL=index-s8uJNgNs.js.map
+//# sourceMappingURL=index-BKifir_y.js.map