@camstack/types 0.1.30 → 0.1.32

package/dist/{index-s8uJNgNs.js → index-BUBhoPUu.js}

@@ -1070,9 +1070,9 @@ const DecodedFrameSchema = zod.z.object({
   format: zod.z.enum(["jpeg", "rgb", "bgr", "yuv420", "gray"]),
   timestamp: zod.z.number()
 });
-const BrokerStatusSchema = zod.z.enum(["idle", "connecting", "streaming", "error", "stopped"]);
+const BrokerStatusSchema$1 = zod.z.enum(["idle", "connecting", "streaming", "error", "stopped"]);
 const BrokerStatsSchema = zod.z.object({
-  status: BrokerStatusSchema,
+  status: BrokerStatusSchema$1,
   inputFps: zod.z.number(),
   decodeFps: zod.z.number(),
   encodedSubscribers: zod.z.number(),
@@ -1178,22 +1178,34 @@ const PlaceholderReasonSchema = zod.z.enum([
   "disabled",
   "waking"
 ]);
+const VideoCodecTargetSchema = zod.z.enum(["H264", "H265", "auto"]);
+const AudioCodecTargetSchema = zod.z.enum(["AAC", "Opus", "PCMU", "none"]);
+const MaxResolutionSchema = zod.z.object({
+  width: zod.z.number().int().positive(),
+  height: zod.z.number().int().positive()
+});
+const GetStreamWithCodecInputSchema = zod.z.object({
+  deviceId: zod.z.number().int().nonnegative(),
+  videoCodec: VideoCodecTargetSchema,
+  audioCodec: AudioCodecTargetSchema.optional(),
+  maxResolution: MaxResolutionSchema.optional(),
+  tag: zod.z.string().optional()
+});
+const RtpSourceSchema = zod.z.object({
+  url: zod.z.string(),
+  videoCodec: zod.z.enum(["H264", "H265"]),
+  audioCodec: zod.z.string(),
+  resolution: MaxResolutionSchema,
+  transcoded: zod.z.boolean(),
+  encoder: zod.z.string(),
+  pipelineKey: zod.z.string()
+});
 const streamBrokerCapability = {
   name: "stream-broker",
   scope: "system",
   mode: "singleton",
   exposesDeviceSettings: true,
   methods: {
-    // ── Cam stream lifecycle (publish / retract) ─────────────────────
-    /**
-     * Register a physical camera stream as an input option. Idempotent
-     * for (deviceId, camStreamId) — re-publishing updates metadata
-     * without disturbing profile assignments. The provider calls this
-     * in `onInitialize` for each stream it offers. Third-party addons
-     * may also publish (e.g. an RTMP discovery layer) — camstack has
-     * no notion of "owner" beyond the (deviceId, camStreamId) key.
-     */
-    /* — see STREAM_BROKER_CAP_EVENTS below for cap-event category strings — */
     publishCameraStream: method(
       zod.z.object({
         deviceId: zod.z.number().int().nonnegative(),
@@ -1204,28 +1216,8 @@ const streamBrokerCapability = {
         resolution: CamStreamResolutionSchema.optional(),
         fps: zod.z.number().positive().optional(),
         label: zod.z.string().optional(),
-        /**
-         * Device-level features that the broker / manager / snapshot
-         * orchestrator consult to derive per-stream policy (e.g.
-         * `BatteryOperated` → relax stall watchdog, default pre-buffer
-         * to off, raise snapshot rate-limit). Single source of truth —
-         * publishers no longer set per-stream flags like `allowStall`.
-         */
         deviceFeatures: zod.z.array(zod.z.string()).optional(),
-        /**
-         * Whether this stream participates in the broker's automatic
-         * profile assignment. Defaults `true`. Publishers set `false` for
-         * streams that should be SELECTABLE but not auto-picked — e.g.
-         * Reolink publishes native Baichuan as eligible and RTSP/RTMP
-         * mirrors as ineligible (still assignable manually via
-         * `assignProfile`).
-         */
         autoEligible: zod.z.boolean().optional(),
-        /**
-         * Transport-specific opaque metadata stashed alongside the stream
-         * record. `pull-rfc4571` publishers put the SDP here so the broker
-         * reader can route packets without an in-band DESCRIBE phase.
-         */
         metadata: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
       }),
       zod.z.object({ success: zod.z.literal(true) }),
@@ -1239,12 +1231,6 @@ const streamBrokerCapability = {
       zod.z.object({ success: zod.z.literal(true) }),
       { kind: "mutation", auth: "admin" }
     ),
-    // ── Profile assignment ───────────────────────────────────────────
-    /**
-     * Assign a cam stream to a profile slot. Tears down any existing
-     * broker for that slot and rebuilds against the new source. Persists
-     * the choice — survives reboots.
-     */
     assignProfile: method(
       zod.z.object({
         deviceId: zod.z.number().int().nonnegative(),
@@ -1262,12 +1248,6 @@ const streamBrokerCapability = {
       zod.z.object({ success: zod.z.literal(true) }),
       { kind: "mutation", auth: "admin" }
     ),
-    // ── System-wide views ────────────────────────────────────────────
-    /**
-     * Full dump of every published cam stream across every device.
-     * For dashboards and cross-device tooling; per-device reads go
-     * through the `camera-streams` cap on the device proxy.
-     */
     listAllCameraStreams: method(
       zod.z.void(),
       zod.z.array(CameraStreamSchema).readonly()
@@ -1276,7 +1256,6 @@ const streamBrokerCapability = {
       zod.z.void(),
       zod.z.array(ProfileSlotSchema).readonly()
     ),
-    // ── Broker runtime (stats + client inventory) ────────────────────
     getBrokerStats: method(
       zod.z.object({ brokerId: zod.z.string() }),
       BrokerStatsSchema
@@ -1294,7 +1273,6 @@ const streamBrokerCapability = {
       zod.z.object({ killed: zod.z.boolean() }),
       { kind: "mutation", auth: "admin" }
     ),
-    /** Rebuild the broker for a profile slot in place (re-dial source). */
     restartProfile: method(
       zod.z.object({
         deviceId: zod.z.number().int().nonnegative(),
@@ -1303,24 +1281,28 @@ const streamBrokerCapability = {
       zod.z.object({ success: zod.z.boolean() }),
       { kind: "mutation", auth: "admin" }
     ),
-    // ── Stream URLs ──────────────────────────────────────────────────
     getStreamUrl: method(
       zod.z.object({ streamId: zod.z.string(), format: StreamFormatSchema }),
       zod.z.object({ url: zod.z.string() })
     ),
-    // ── In-process broker access ─────────────────────────────────────
     /**
-     * Return the live IStreamBroker instance for a given brokerId. Same
-     * LOCAL-ONLY contract as before: callers (pipeline-runner) must be
-     * co-located. BrokerId is `${deviceId}/${camStreamId}` — profile
-     * lookup goes through `assignments` if a caller starts from a
-     * profile.
+     * Shared codec-targeted stream API — see Task #184.
+     * Resolution order: source-select → HW transcode → libx264/libx265.
      */
+    getStreamWithCodec: method(
+      GetStreamWithCodecInputSchema,
+      RtpSourceSchema,
+      { kind: "mutation", auth: "admin" }
+    ),
+    releaseStreamWithCodec: method(
+      zod.z.object({ pipelineKey: zod.z.string() }),
+      zod.z.object({ released: zod.z.boolean(), refcount: zod.z.number().int().nonnegative() }),
+      { kind: "mutation", auth: "admin" }
+    ),
     getBroker: method(
       zod.z.object({ brokerId: zod.z.string() }),
       zod.z.custom()
     ),
-    // ── Pre-buffer ───────────────────────────────────────────────────
     setPreBufferDuration: method(
       zod.z.object({ brokerId: zod.z.string(), seconds: zod.z.number().min(0).max(30) }),
       zod.z.void(),
@@ -1330,7 +1312,6 @@ const streamBrokerCapability = {
       zod.z.object({ brokerId: zod.z.string() }),
       zod.z.object({ configuredSec: zod.z.number(), bufferedMs: zod.z.number(), packetCount: zod.z.number() })
     ),
-    // ── RTSP restream ────────────────────────────────────────────────
     getRtspPort: method(zod.z.void(), zod.z.number()),
     getAllRtspEntries: method(
       zod.z.object({ hostname: zod.z.string().optional() }),
@@ -1356,37 +1337,15 @@ const streamBrokerCapability = {
     )
   },
   events: {
-    /**
-     * Emitted when a profile starts consuming a push-kind cam stream.
-     * Push-kind providers (e.g. Reolink Baichuan native streams)
-     * subscribe and begin emitting packets only on demand — battery
-     * cams stay asleep until someone actually watches.
-     */
     onCamStreamDemand: event(zod.z.object({
       deviceId: zod.z.number().int().nonnegative(),
       camStreamId: zod.z.string(),
       profile: CamProfileSchema
     })),
-    /**
-     * Emitted when the last profile consuming a push-kind cam stream
-     * releases it. Providers tear down upstream connections on this
-     * signal.
-     */
     onCamStreamIdle: event(zod.z.object({
       deviceId: zod.z.number().int().nonnegative(),
       camStreamId: zod.z.string()
     })),
-    /**
-     * Emitted by a broker that failed to dial a managed-loopback
-     * source (today: `pull-rfc4571`). The publisher's transport (e.g.
-     * the Reolink lib's RFC 4571 TCP server) idle-tears-down after
-     * ~15s with no clients and may rebind to a different port on
-     * recreate, leaving the URL the broker has cached stale. The owning
-     * camera provider re-runs its publish pipeline on receipt — that
-     * call self-heals the loopback server (`ensureRfc4571Server`) and
-     * `publishCameraStream` propagates the fresh URL back into the
-     * broker's source resolver.
-     */
     onRequestStreamSourceRefresh: event(zod.z.object({
       deviceId: zod.z.number().int().nonnegative(),
       camStreamId: zod.z.string(),
@@ -3545,7 +3504,7 @@ const SettingsRecordSchema = zod.z.object({
 });
 const CollectionColumnSchema = zod.z.object({
   name: zod.z.string(),
-  type: zod.z.enum(["TEXT", "INTEGER", "REAL", "JSON"]),
+  type: zod.z.enum(["TEXT", "INTEGER", "REAL", "JSON", "BOOLEAN"]),
   primaryKey: zod.z.boolean().optional(),
   notNull: zod.z.boolean().optional(),
   unique: zod.z.boolean().optional()
@@ -3660,14 +3619,293 @@ const logDestinationCapability = {
     )
   }
 };
+const StaticDirOutputSchema = zod.z.object({ staticDir: zod.z.string() });
+const VersionOutputSchema = zod.z.object({ version: zod.z.string() });
 const adminUiCapability = {
   name: "admin-ui",
   scope: "system",
   mode: "singleton",
   internal: true,
   methods: {
-    getStaticDir: method(zod.z.void(), zod.z.string()),
-    getVersion: method(zod.z.void(), zod.z.string())
+    getStaticDir: method(zod.z.void(), StaticDirOutputSchema),
+    getVersion: method(zod.z.void(), VersionOutputSchema)
+  }
+};
+const SsoBridgeClaimsSchema = zod.z.object({
+  userId: zod.z.string(),
+  username: zod.z.string(),
+  isAdmin: zod.z.boolean(),
+  provider: zod.z.string(),
+  email: zod.z.string().optional(),
+  displayName: zod.z.string().optional(),
+  /**
+   * Public HTTPS URL of the hub that issued this token. Used by
+   * cloud-mode OAuth proxies (Alexa Smart Home Lambda, future Google
+   * Home Lambda) to route a request back to the originating hub
+   * without holding routing state of their own. The Lambda decodes the
+   * JWT WITHOUT verifying the signature — the hub re-verifies on every
+   * inbound call so trust still rests with the signing hub.
+   */
+  hubUrl: zod.z.string().optional()
+});
+const ssoBridgeCapability = {
+  name: "sso-bridge",
+  scope: "system",
+  mode: "singleton",
+  internal: true,
+  methods: {
+    signBridgeToken: method(
+      zod.z.object({
+        claims: SsoBridgeClaimsSchema,
+        ttlSec: zod.z.number().int().positive().optional()
+      }),
+      zod.z.object({ token: zod.z.string() })
+    ),
+    verifyBridgeToken: method(
+      zod.z.object({ token: zod.z.string() }),
+      SsoBridgeClaimsSchema.nullable()
+    )
+  }
+};
+const PasskeySummarySchema = zod.z.object({
+  credentialId: zod.z.string(),
+  label: zod.z.string(),
+  createdAt: zod.z.number(),
+  lastUsedAt: zod.z.number().nullable(),
+  transports: zod.z.array(zod.z.string()).default([])
+});
+const userPasskeysCapability = {
+  name: "user-passkeys",
+  scope: "system",
+  mode: "collection",
+  internal: true,
+  methods: {
+    beginRegistration: method(
+      zod.z.object({ userId: zod.z.string(), username: zod.z.string() }),
+      // PublicKeyCredentialCreationOptionsJSON — opaque JSON shape from
+      // @simplewebauthn. The browser passes it straight to credentials.create().
+      zod.z.object({ optionsJSON: zod.z.record(zod.z.string(), zod.z.unknown()) }),
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    finishRegistration: method(
+      zod.z.object({
+        userId: zod.z.string(),
+        /** RegistrationResponseJSON from the browser. */
+        response: zod.z.record(zod.z.string(), zod.z.unknown()),
+        /** Operator-visible label (e.g. "MacBook Touch ID"). */
+        label: zod.z.string()
+      }),
+      zod.z.object({ success: zod.z.literal(true), credentialId: zod.z.string() }),
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    beginAuthentication: method(
+      // userId optional — when absent, the addon emits a "passkey discovery"
+      // (`allowCredentials: []`) so the browser shows every available
+      // credential. When present, only the user's credentials are allowed.
+      zod.z.object({ userId: zod.z.string().optional() }),
+      zod.z.object({ optionsJSON: zod.z.record(zod.z.string(), zod.z.unknown()) }),
+      { kind: "mutation", access: "view" }
+    ),
+    finishAuthentication: method(
+      zod.z.object({
+        /** Required — the user the assertion belongs to (verified). */
+        userId: zod.z.string(),
+        /** AuthenticationResponseJSON from the browser. */
+        response: zod.z.record(zod.z.string(), zod.z.unknown())
+      }),
+      zod.z.object({ verified: zod.z.boolean() }),
+      { kind: "mutation", access: "view" }
+    ),
+    listPasskeys: method(
+      zod.z.object({ userId: zod.z.string() }),
+      zod.z.array(PasskeySummarySchema),
+      { auth: "admin" }
+    ),
+    removePasskey: method(
+      zod.z.object({ userId: zod.z.string(), credentialId: zod.z.string() }),
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "delete" }
+    )
+  }
+};
+const EmailAddressSchema = zod.z.email();
+const SendEmailInputSchema = zod.z.object({
+  to: zod.z.union([EmailAddressSchema, zod.z.array(EmailAddressSchema).min(1)]),
+  cc: zod.z.array(EmailAddressSchema).optional(),
+  bcc: zod.z.array(EmailAddressSchema).optional(),
+  /** RFC 5322 `From` field. Most relays will reject if the domain
+   *  isn't authorised — the addon is responsible for substituting a
+   *  sane default when omitted. */
+  from: zod.z.string().optional(),
+  /** Optional `Reply-To` override. */
+  replyTo: zod.z.string().optional(),
+  subject: zod.z.string(),
+  /** Plain-text body. Required even when `html` is present (fallback
+   *  for clients that strip HTML — including most spam filters). */
+  text: zod.z.string(),
+  /** Optional HTML body. Renders alongside `text` as multi-part. */
+  html: zod.z.string().optional()
+});
+const SendEmailResultSchema = zod.z.object({
+  messageId: zod.z.string(),
+  accepted: zod.z.array(EmailAddressSchema).default([]),
+  rejected: zod.z.array(EmailAddressSchema).default([])
+});
+const SmtpStatusSchema = zod.z.object({
+  /** True iff the addon has successfully verified the relay. */
+  ready: zod.z.boolean(),
+  /** Operator-visible host string (no credentials). */
+  host: zod.z.string(),
+  /** Last error message reported by the relay, when not ready. */
+  error: zod.z.string().optional(),
+  /** Last successful verify timestamp (unix ms). */
+  lastVerifiedAt: zod.z.number().optional()
+});
+const smtpProviderCapability = {
+  name: "smtp-provider",
+  scope: "system",
+  mode: "collection",
+  internal: true,
+  providerKind: "email",
+  methods: {
+    sendEmail: method(
+      SendEmailInputSchema,
+      SendEmailResultSchema,
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    /** Round-trip ping against the SMTP relay (EHLO + AUTH if configured).
+     *  Used by the operator's "Test connection" button. */
+    verify: method(
+      zod.z.void(),
+      SmtpStatusSchema,
+      { kind: "mutation", auth: "admin", access: "view" }
+    ),
+    getStatus: method(
+      zod.z.void(),
+      SmtpStatusSchema,
+      { auth: "admin" }
+    )
+  }
+};
+const BrokerKindSchema = zod.z.enum(["external", "embedded"]);
+const BrokerStatusSchema = zod.z.enum([
+  "connected",
+  "disconnected",
+  "auth-failed",
+  "unreachable",
+  "tls-error"
+]);
+const BrokerInfoSchema = zod.z.object({
+  id: zod.z.string(),
+  name: zod.z.string(),
+  url: zod.z.string(),
+  kind: BrokerKindSchema,
+  status: BrokerStatusSchema,
+  latencyMs: zod.z.number().nullable(),
+  error: zod.z.string().optional(),
+  /** Embedded brokers only: number of MQTT clients currently connected. */
+  connectedClients: zod.z.number().int().nonnegative().optional(),
+  /** Epoch ms of the last live probe (external) or aedes snapshot (embedded). */
+  lastCheckedAt: zod.z.number().optional()
+});
+const BrokerConnectionDetailsSchema = zod.z.object({
+  url: zod.z.string(),
+  username: zod.z.string().optional(),
+  password: zod.z.string().optional(),
+  /**
+   * Suggested prefix for `clientId`. Each consumer should suffix this
+   * with its own discriminator (addon id, instance id) so reconnects
+   * don't kick each other off (MQTT spec: clientId must be unique per
+   * broker).
+   */
+  clientIdPrefix: zod.z.string().optional()
+});
+const AddBrokerInputSchema = zod.z.object({
+  name: zod.z.string().min(1),
+  url: zod.z.string().regex(/^(mqtt|mqtts|ws|wss):\/\//, "URL must start with mqtt(s):// or ws(s)://"),
+  username: zod.z.string().optional(),
+  password: zod.z.string().optional(),
+  clientIdPrefix: zod.z.string().optional()
+});
+const AddBrokerResultSchema = zod.z.object({
+  id: zod.z.string()
+});
+const IdInputSchema = zod.z.object({ id: zod.z.string() });
+const TestResultSchema = zod.z.discriminatedUnion("ok", [
+  zod.z.object({ ok: zod.z.literal(true), latencyMs: zod.z.number() }),
+  zod.z.object({ ok: zod.z.literal(false), error: zod.z.string() })
+]);
+const StartEmbeddedInputSchema = zod.z.object({
+  port: zod.z.number().int().min(1).max(65535).default(1883),
+  /** Allow anonymous connect (no username/password). Default: false. */
+  allowAnonymous: zod.z.boolean().default(false),
+  /** Optional shared username/password for clients. */
+  username: zod.z.string().optional(),
+  password: zod.z.string().optional()
+});
+const StartEmbeddedResultSchema = zod.z.object({
+  id: zod.z.string(),
+  url: zod.z.string()
+});
+const StatusSchema = zod.z.object({
+  brokerCount: zod.z.number(),
+  embeddedRunning: zod.z.boolean()
+});
+const mqttBrokerCapability = {
+  name: "mqtt-broker",
+  scope: "system",
+  mode: "collection",
+  providerKind: "broker",
+  status: { schema: StatusSchema, kind: "poll" },
+  methods: {
+    listBrokers: method(zod.z.void(), zod.z.array(BrokerInfoSchema)),
+    getBrokerConfig: method(IdInputSchema, BrokerConnectionDetailsSchema),
+    addBroker: method(AddBrokerInputSchema, AddBrokerResultSchema, { kind: "mutation" }),
+    removeBroker: method(IdInputSchema, zod.z.void(), { kind: "mutation" }),
+    testConnection: method(IdInputSchema, TestResultSchema, { kind: "mutation" }),
+    startEmbeddedBroker: method(StartEmbeddedInputSchema, StartEmbeddedResultSchema, { kind: "mutation" }),
+    stopEmbeddedBroker: method(IdInputSchema, zod.z.void(), { kind: "mutation" }),
+    getStatus: method(zod.z.void(), StatusSchema)
+  }
+};
+const LinkStateSchema = zod.z.enum(["unlinked", "linked", "error"]);
+const DeviceExportStatusSchema = zod.z.object({
+  linkState: LinkStateSchema,
+  exposedDeviceCount: zod.z.number(),
+  error: zod.z.string().optional()
+});
+const DeviceKindSchema = zod.z.string();
+const ExposedDeviceSchema = zod.z.object({
+  deviceId: zod.z.string(),
+  exposedAs: zod.z.string().optional(),
+  capabilities: zod.z.array(zod.z.string()).optional()
+});
+const ExposeInputSchema = zod.z.object({
+  deviceId: zod.z.string(),
+  capabilities: zod.z.array(zod.z.string()).optional()
+});
+const UnexposeInputSchema = zod.z.object({ deviceId: zod.z.string() });
+const deviceExportCapability = {
+  name: "device-export",
+  scope: "system",
+  mode: "collection",
+  providerKind: "device-export",
+  status: { schema: DeviceExportStatusSchema, kind: "poll" },
+  /**
+   * Each export provider contributes its own per-device "Export" panel
+   * (enabled toggle, preferred stream, addon-specific knobs like the
+   * HA-MQTT discovery prefix). The three framework methods
+   * `getDeviceSettingsContribution` / `getDeviceLiveContribution` /
+   * `applyDeviceSettingsPatch` are auto-injected on the provider
+   * interface and routed to the device-details aggregator.
+   */
+  exposesDeviceSettings: true,
+  methods: {
+    getStatus: method(zod.z.void(), DeviceExportStatusSchema),
+    listSupportedDeviceKinds: method(zod.z.void(), zod.z.array(DeviceKindSchema)),
+    listExposedDevices: method(zod.z.void(), zod.z.array(ExposedDeviceSchema)),
+    exposeDevice: method(ExposeInputSchema, zod.z.void(), { kind: "mutation" }),
+    unexposeDevice: method(UnexposeInputSchema, zod.z.void(), { kind: "mutation" })
   }
 };
 const AddonPageDeclarationSchema$1 = zod.z.object({
@@ -3783,7 +4021,35 @@ const addonWidgetsCapability = {
 };
 const AddonHttpRouteSchema = zod.z.object({
   method: zod.z.enum(["GET", "POST", "PUT", "DELETE", "PATCH"]),
-  path: zod.z.string()
+  path: zod.z.string(),
+  access: zod.z.enum(["public", "authenticated", "admin"]).optional(),
+  description: zod.z.string().optional()
+});
+const InvokeRequestSchema = zod.z.object({
+  method: zod.z.string(),
+  path: zod.z.string(),
+  params: zod.z.record(zod.z.string(), zod.z.string()),
+  query: zod.z.record(zod.z.string(), zod.z.string()),
+  body: zod.z.unknown(),
+  headers: zod.z.record(zod.z.string(), zod.z.string()),
+  user: zod.z.object({
+    id: zod.z.string(),
+    username: zod.z.string(),
+    isAdmin: zod.z.boolean()
+  }).optional(),
+  scopedToken: zod.z.unknown().optional()
+});
+const InvokeReplyEnvelopeSchema = zod.z.object({
+  status: zod.z.number().int(),
+  headers: zod.z.record(zod.z.string(), zod.z.string()),
+  /** When set, the hub MUST `reply.redirect(redirectUrl)` instead of
+   *  sending `body`. Status defaults to 302 when this is set unless
+   *  the handler called `reply.code(...)` explicitly. */
+  redirectUrl: zod.z.string().nullable(),
+  /** JSON-serializable body. `undefined` is treated as "no body". */
+  body: zod.z.unknown().optional(),
+  /** Set when the handler called `reply.type(mime)`. */
+  contentType: zod.z.string().optional()
 });
 const addonRoutesCapability = {
   name: "addon-routes",
@@ -3791,7 +4057,16 @@ const addonRoutesCapability = {
   mode: "collection",
   internal: true,
   methods: {
-    getRoutes: method(zod.z.void(), zod.z.array(AddonHttpRouteSchema))
+    getRoutes: method(zod.z.void(), zod.z.array(AddonHttpRouteSchema)),
+    /**
+     * Cross-process dispatch entry point. Forked addons implement this
+     * (via `buildAddonRouteProvider`) so the hub's Fastify catch-all
+     * can route through Moleculer when the handler lives in a worker.
+     *
+     * Local addons can implement it for free with the same helper;
+     * the hub bypasses the wire on co-located addons.
+     */
+    invoke: method(InvokeRequestSchema, InvokeReplyEnvelopeSchema, { kind: "mutation" })
   }
 };
 const HWACCEL_OPTIONS = [
@@ -4032,6 +4307,29 @@ const webrtcSessionCapability = {
       zod.z.object({ sessionId: zod.z.string(), sdpOffer: zod.z.string() }),
       { kind: "mutation" }
     ),
+    /**
+     * Accept a CLIENT-generated SDP offer and return the server's
+     * SDP answer. Mirrors the WHEP / Alexa
+     * `Alexa.RTCSessionController.InitiateSessionWithOffer` direction
+     * (client offers, server answers) — the dual of `createSession`,
+     * which has the server offer first.
+     *
+     * `target` defaults to the device's adaptive selection when
+     * omitted; an optional `sessionId` lets the client provide its
+     * own correlation id (Alexa supplies one in the directive
+     * payload). The returned `sessionId` is whatever the server uses
+     * to track the session and accepts via `closeSession`.
+     */
+    handleOffer: method(
+      zod.z.object({
+        deviceId: zod.z.number().int().nonnegative(),
+        target: WebrtcStreamTargetSchema.optional(),
+        sdpOffer: zod.z.string(),
+        sessionId: zod.z.string().optional()
+      }),
+      zod.z.object({ sessionId: zod.z.string(), sdpAnswer: zod.z.string() }),
+      { kind: "mutation" }
+    ),
     handleAnswer: method(
       zod.z.object({
         deviceId: zod.z.number().int().nonnegative(),
@@ -4671,12 +4969,12 @@ const audioCodecCapability = {
 };
 const EmbeddingResultSchema = zod.z.object({
   embedding: zod.z.array(zod.z.number()),
-  dimensions: zod.z.number()
+  inferenceMs: zod.z.number()
 });
 const EmbeddingInfoSchema = zod.z.object({
   modelId: zod.z.string(),
-  dimensions: zod.z.number(),
-  inputSize: zod.z.number()
+  embeddingDim: zod.z.number(),
+  ready: zod.z.boolean()
 });
 const embeddingEncoderCapability = {
   name: "embedding-encoder",
@@ -5327,7 +5625,14 @@ const AuthResultSchema = zod.z.object({
   username: zod.z.string(),
   email: zod.z.string().optional(),
   displayName: zod.z.string().optional(),
-  roles: zod.z.array(zod.z.string()).optional()
+  /**
+   * Whether the authenticating user is an admin. The auth-provider
+   * surface returns this so the server's login flow can mint a JWT
+   * with the correct bypass flag. Non-admin users authenticated via
+   * an external IdP still need their scopes assigned by an admin via
+   * `setUserScopes` — the SSO flow doesn't carry permissions.
+   */
+  isAdmin: zod.z.boolean().default(false)
 });
 const authProviderCapability = {
   name: "auth-provider",
@@ -5348,6 +5653,14 @@ const authProviderCapability = {
 const AuthProviderInfoSchema = zod.z.object({
   /** Stable id matching the addon id (used for `getLoginUrl({addonId,…})`). */
   addonId: zod.z.string(),
+  /**
+   * Per-instance id when one addon registers multiple "logical"
+   * providers (e.g. OIDC with Google + Microsoft + custom). The login
+   * URL becomes `/addon/${addonId}/${instanceId}/start` — handler reads
+   * `:instanceId` from the route. Empty/unset means the addon is a
+   * single-instance provider; the URL is `/addon/${addonId}/start`.
+   */
+  instanceId: zod.z.string().optional(),
   /** Display label shown on the login button + admin row. */
   displayName: zod.z.string(),
   /** Optional iconography hint (lucide-react icon name OR emoji). */
@@ -5358,6 +5671,8 @@ const AuthProviderInfoSchema = zod.z.object({
   /** When true, the provider exposes a credential-form login flow
    *  (`validateCredentials` accepts username + password). */
   hasCredentialFlow: zod.z.boolean(),
+  /** Provider kind, drives admin-UI hint dispatch (oidc / saml / totp / …). */
+  kind: zod.z.string().optional(),
   /** Operator-facing status string (e.g. "Connected to https://login.acme.com"). */
   status: zod.z.string().optional(),
   /** When false, the provider is registered but disabled by config; the
@@ -5394,16 +5709,36 @@ const NetworkAccessStatusSchema = zod.z.object({
   endpoint: NetworkEndpointSchema.nullable(),
   error: zod.z.string().optional()
 });
+const NetworkEndpointEntrySchema = NetworkEndpointSchema.extend({
+  /**
+   * Stable id within the provider — typically `<mode>-<sourcePort>` so
+   * the orchestrator can dedupe across `listEndpoints` polls.
+   */
+  id: zod.z.string(),
+  /** Operator-facing label (mirrors `MeshEndpoint.label`). */
+  label: zod.z.string(),
+  /** Optional provider-specific mode tag, used for icon/colour in admin UI. */
+  mode: zod.z.string().optional(),
+  /** Originating local port the ingress fronts (informational). */
+  sourcePort: zod.z.number().optional()
+});
 const networkAccessCapability = {
   name: "network-access",
   scope: "system",
   mode: "collection",
   internal: true,
+  providerKind: "ingress",
   methods: {
     start: method(zod.z.void(), NetworkEndpointSchema, { kind: "mutation" }),
     stop: method(zod.z.void(), zod.z.void(), { kind: "mutation" }),
     getEndpoint: method(zod.z.void(), NetworkEndpointSchema.nullable()),
-    getStatus: method(zod.z.void(), NetworkAccessStatusSchema)
+    getStatus: method(zod.z.void(), NetworkAccessStatusSchema),
+    /**
+     * Enumerate every active ingress entry. Default implementation (when
+     * the provider omits this method) is derived from `getEndpoint()` —
+     * see the remote-access orchestrator for the fallback path.
+     */
+    listEndpoints: method(zod.z.void(), zod.z.array(NetworkEndpointEntrySchema).readonly())
   }
 };
 const RemoteAccessEndpointSchema = zod.z.object({
@@ -5607,20 +5942,59 @@ const notificationOutputCapability = {
     )
   }
 };
+const NotificationRuleConditionsSchema = zod.z.object({
+  deviceIds: zod.z.array(zod.z.number()).readonly().optional(),
+  classNames: zod.z.array(zod.z.string()).readonly().optional(),
+  zoneIds: zod.z.array(zod.z.string()).readonly().optional(),
+  minConfidence: zod.z.number().optional(),
+  source: zod.z.enum(["pipeline", "onboard", "any"]).optional(),
+  schedule: zod.z.object({
+    days: zod.z.array(zod.z.number()).readonly(),
+    startHour: zod.z.number(),
+    endHour: zod.z.number()
+  }).optional(),
+  cooldownSeconds: zod.z.number().optional(),
+  minDwellSeconds: zod.z.number().optional()
+});
+const NotificationRuleTemplateSchema = zod.z.object({
+  title: zod.z.string(),
+  body: zod.z.string(),
+  imageMode: zod.z.enum(["crop", "annotated", "full", "none"])
+});
 const NotificationRuleSchema = zod.z.object({
   id: zod.z.string(),
   name: zod.z.string(),
   enabled: zod.z.boolean(),
-  conditions: zod.z.record(zod.z.string(), zod.z.unknown()),
-  actions: zod.z.array(zod.z.record(zod.z.string(), zod.z.unknown()))
+  eventTypes: zod.z.array(zod.z.string()).readonly(),
+  conditions: NotificationRuleConditionsSchema,
+  outputs: zod.z.array(zod.z.string()).readonly(),
+  template: NotificationRuleTemplateSchema.optional(),
+  priority: zod.z.enum(["low", "normal", "high", "critical"])
+});
+const NotificationTestResultSchema = zod.z.object({
+  ruleId: zod.z.string(),
+  eventId: zod.z.string(),
+  timestamp: zod.z.number(),
+  wouldFire: zod.z.boolean(),
+  reason: zod.z.string().optional()
 });
 const NotificationHistoryEntrySchema = zod.z.object({
   id: zod.z.string(),
   ruleId: zod.z.string(),
+  ruleName: zod.z.string(),
+  eventId: zod.z.string(),
   timestamp: zod.z.number(),
-  deviceId: zod.z.number().optional(),
+  outputs: zod.z.array(zod.z.string()).readonly(),
   success: zod.z.boolean(),
-  error: zod.z.string().optional()
+  error: zod.z.string().optional(),
+  deviceId: zod.z.number().optional()
+});
+const NotificationHistoryFilterSchema = zod.z.object({
+  ruleId: zod.z.string().optional(),
+  deviceId: zod.z.number().optional(),
+  from: zod.z.number().optional(),
+  to: zod.z.number().optional(),
+  limit: zod.z.number().optional()
 });
 const advancedNotifierCapability = {
   name: "advanced-notifier",
@@ -5628,17 +6002,28 @@ const advancedNotifierCapability = {
   mode: "singleton",
   internal: true,
   methods: {
-    getRules: method(zod.z.void(), zod.z.array(NotificationRuleSchema).readonly()),
-    upsertRule: method(NotificationRuleSchema, zod.z.void(), { kind: "mutation" }),
-    deleteRule: method(zod.z.object({ ruleId: zod.z.string() }), zod.z.void(), { kind: "mutation" }),
+    getRules: method(
+      zod.z.void(),
+      zod.z.object({ rules: zod.z.array(NotificationRuleSchema).readonly() })
+    ),
+    upsertRule: method(
+      zod.z.object({ rule: NotificationRuleSchema }),
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation" }
+    ),
+    deleteRule: method(
+      zod.z.object({ ruleId: zod.z.string() }),
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation" }
+    ),
     testRule: method(
       zod.z.object({ ruleId: zod.z.string(), lookbackMinutes: zod.z.number() }),
-      zod.z.array(zod.z.record(zod.z.string(), zod.z.unknown())),
+      zod.z.object({ results: zod.z.array(NotificationTestResultSchema).readonly() }),
       { kind: "mutation" }
     ),
     getHistory: method(
-      zod.z.object({ ruleId: zod.z.string().optional(), limit: zod.z.number().optional() }),
-      zod.z.array(NotificationHistoryEntrySchema)
+      zod.z.object({ filter: NotificationHistoryFilterSchema.optional() }),
+      zod.z.object({ entries: zod.z.array(NotificationHistoryEntrySchema).readonly() })
     )
   }
 };
@@ -6660,6 +7045,47 @@ const intercomCapability = {
       zod.z.object({ deviceId: zod.z.number(), sessionId: zod.z.string() }),
       zod.z.void(),
       { kind: "mutation", auth: "admin" }
+    ),
+    /**
+     * Open a raw-PCM talk session (no WebRTC SDP plumbing). Used by
+     * non-WebRTC consumers (HomeKit export, Alexa raw audio, test
+     * harnesses) that already have decoded PCM frames and just need a
+     * direct path onto the camera's talk channel. Mutually exclusive
+     * with `startSession` (an active WebRTC session must be stopped
+     * before a raw-PCM session can be opened on the same device, and
+     * vice versa).
+     */
+    startTalkSession: method(
+      zod.z.object({ deviceId: zod.z.number() }),
+      zod.z.object({ sessionId: zod.z.string() }),
+      { kind: "mutation", auth: "admin" }
+    ),
+    /**
+     * Push a chunk of PCM s16le mono onto the active raw-PCM talk
+     * session. Frames are encoded to the firmware's expected codec
+     * (Reolink: IMA ADPCM @ camera sample rate; Hikvision: G.711 @
+     * 8 kHz) inside the provider — callers must resample upstream to
+     * the rate the camera negotiated (typical: 16 kHz Reolink,
+     * 8 kHz Hikvision). PCM is shipped base64-encoded so the payload
+     * survives JSON serialization across tRPC.
+     */
+    pushTalkPcm: method(
+      zod.z.object({
+        deviceId: zod.z.number(),
+        /** PCM frames as little-endian s16, mono. Base64-encoded so
+         *  the payload survives tRPC JSON serialization. */
+        pcmBase64: zod.z.string(),
+        /** Sequence number for ordering / dropping out-of-order frames. */
+        sequenceNumber: zod.z.number().int()
+      }),
+      zod.z.object({ accepted: zod.z.boolean() }),
+      { kind: "mutation", auth: "admin" }
+    ),
+    /** Close the raw-PCM talk session. Idempotent. */
+    endTalkSession: method(
+      zod.z.object({ deviceId: zod.z.number() }),
+      zod.z.void(),
+      { kind: "mutation", auth: "admin" }
     )
   },
   events: {
@@ -6735,6 +7161,33 @@ const HwAccelBackendInputSchema = zod.z.enum([
 const HwAccelResolutionSchema = zod.z.object({
   preferred: zod.z.array(zod.z.string()).readonly()
 });
+const HardwareEncoderIdSchema = zod.z.enum([
+  "h264_videotoolbox",
+  "hevc_videotoolbox",
+  "h264_vaapi",
+  "hevc_vaapi",
+  "h264_nvenc",
+  "hevc_nvenc",
+  "h264_qsv",
+  "hevc_qsv",
+  "h264_amf",
+  "hevc_amf",
+  "libx264",
+  "libx265"
+]);
+const HardwareEncoderProbeSchema = zod.z.object({
+  encoder: HardwareEncoderIdSchema,
+  codec: zod.z.enum(["H264", "H265"]),
+  family: zod.z.enum(["videotoolbox", "vaapi", "nvenc", "qsv", "amf", "software"]),
+  available: zod.z.boolean(),
+  reason: zod.z.string().optional()
+});
+const HardwareEncodersSchema = zod.z.object({
+  encoders: zod.z.array(HardwareEncoderProbeSchema).readonly(),
+  defaultH264: HardwareEncoderIdSchema,
+  defaultH265: HardwareEncoderIdSchema,
+  probedAt: zod.z.number()
+});
 const HardwarePlatformSchema = zod.z.enum(["darwin", "linux", "win32"]);
 const HardwareArchSchema = zod.z.enum(["arm64", "x64"]);
 const GpuInfoSchema = zod.z.object({
@@ -6788,41 +7241,24 @@ const platformProbeCapability = {
   scope: "system",
   mode: "singleton",
   methods: {
-    /** Return cached hardware + scored backends for this node. */
-    getCapabilities: method(
-      zod.z.void(),
-      PlatformCapabilitiesSchema
-    ),
-    /** Convenience getter — hardware only. */
-    getHardware: method(
-      zod.z.void(),
-      HardwareInfoSchema
-    ),
-    /**
-     * Resolve the best (model, runtime, backend, format) for a given list
-     * of requirements, using this node's scored backends as the candidate
-     * pool. Always returns a config — falls back to CPU when no preferred
-     * backend matches.
-     */
+    getCapabilities: method(zod.z.void(), PlatformCapabilitiesSchema),
+    getHardware: method(zod.z.void(), HardwareInfoSchema),
     resolveInferenceConfig: method(
-      zod.z.object({
-        requirements: zod.z.array(ModelRequirementSchema).readonly()
-      }),
+      zod.z.object({ requirements: zod.z.array(ModelRequirementSchema).readonly() }),
       ResolvedInferenceConfigSchema
     ),
-    /**
-     * Resolve the ordered HW acceleration backend list for this node.
-     * Pass `prefer` to hint a specific backend; pass `null` or omit
-     * for auto-detection. Replaces the legacy `$hwaccel.resolve`
-     * Moleculer action — cap routing handles per-node dispatch via
-     * `nodeId`.
-     */
     resolveHwAccel: method(
-      zod.z.object({
-        prefer: HwAccelBackendInputSchema,
-        nodeId: zod.z.string().optional()
-      }),
+      zod.z.object({ prefer: HwAccelBackendInputSchema, nodeId: zod.z.string().optional() }),
       HwAccelResolutionSchema
+    ),
+    /**
+     * Hardware-encoder probe — see Task #185. Cached after first call.
+     */
+    getHardwareEncoders: method(zod.z.void(), HardwareEncodersSchema),
+    refreshHardwareEncoders: method(
+      zod.z.void(),
+      HardwareEncodersSchema,
+      { kind: "mutation", auth: "admin" }
     )
   }
 };
@@ -7059,25 +7495,11 @@ const MeshStatusSchema = zod.z.object({
   /** Last error from the daemon, when not joined. */
   error: zod.z.string().optional()
 });
-const PublicIngressConfigSchema = zod.z.object({
-  /** Whether the provider should expose CamStack via its public
-   *  ingress (Tailscale Funnel, etc.). */
-  enabled: zod.z.boolean(),
-  /** Local port to forward. Auto-detected from the hub HTTP port
-   *  when omitted. */
-  port: zod.z.number().int().min(1).max(65535).optional()
-});
-const MeshIngressConfigSchema = zod.z.object({
-  /** Whether the provider should expose CamStack inside the mesh
-   *  via HTTPS (Tailscale Serve, etc.) instead of just raw IP. */
-  enabled: zod.z.boolean(),
-  /** Local port to forward. Auto-detected when omitted. */
-  port: zod.z.number().int().min(1).max(65535).optional()
-});
 const meshNetworkCapability = {
   name: "mesh-network",
   scope: "system",
   mode: "collection",
+  providerKind: "mesh",
   methods: {
     /** Return the current join state + endpoints + peer count. Cheap
      *  poll-target — admin UI hits this every few seconds. */
@@ -7099,6 +7521,29 @@ const meshNetworkCapability = {
       zod.z.object({ joined: zod.z.literal(true) }),
       { kind: "mutation" }
     ),
+    /**
+     * Start an interactive browser-redirect login flow.
+     *
+     * The provider spawns its daemon's join command without a pre-auth
+     * key, captures the verification URL the daemon prints, and returns
+     * it. The admin UI opens the URL in a new tab; the user completes
+     * authentication in the provider's web console and the background
+     * process self-terminates. The caller then polls `getStatus()` until
+     * `joined: true`.
+     *
+     * Mirrors the `tailscale up` (no `--auth-key`) flow.
+     */
+    startLogin: method(
+      zod.z.object({
+        /** Optional hostname override the host should advertise once joined. */
+        hostname: zod.z.string().optional()
+      }),
+      zod.z.object({
+        /** Authentication URL the operator should open in a browser. */
+        loginUrl: zod.z.string()
+      }),
+      { kind: "mutation" }
+    ),
     /** Leave the mesh. After this the meshIp/magicDnsHostname/etc.
      *  vanish until the next `join`. */
     leave: method(
@@ -7111,21 +7556,32 @@ const meshNetworkCapability = {
       peers: zod.z.array(MeshPeerSchema).readonly()
     })),
     /**
-     * Toggle the public ingress (e.g. Tailscale Funnel) that maps a
-     * local port to the open internet via the provider's edge. Idempotent.
-     */
-    setPublicIngress: method(
-      PublicIngressConfigSchema,
-      zod.z.object({ success: zod.z.literal(true) }),
-      { kind: "mutation" }
-    ),
-    /**
-     * Toggle the in-mesh HTTPS ingress (e.g. Tailscale Serve) so peers
-     * inside the mesh hit a valid TLS endpoint instead of the raw IP.
+     * Probe the mesh daemon / API for a sanity check WITHOUT joining.
+     * Operator-facing "test connection" button: validates the auth key
+     * + reaches the control plane and reports back what would happen
+     * on join.
+     *
+     * Tailscale: dry-runs `tailscale up --auth-key=… --reset` against
+     * an idempotency probe; for an already-joined node it just returns
+     * the current status.
      */
-    setMeshIngress: method(
-      MeshIngressConfigSchema,
-      zod.z.object({ success: zod.z.literal(true) }),
+    testConnection: method(
+      zod.z.object({
+        /** Optional auth key — when provided, probes the key validity
+         *  against the provider's API. Omit when already joined to
+         *  just ping the daemon. */
+        authKey: zod.z.string().optional()
+      }),
+      zod.z.object({
+        ok: zod.z.boolean(),
+        /** Provider-side identifier resolved by the probe (tailnet
+         *  name for Tailscale, network id for ZeroTier, etc.). */
+        tenant: zod.z.string().optional(),
+        /** Daemon binary version, when reachable. */
+        daemonVersion: zod.z.string().optional(),
+        /** Human-readable error when `ok: false`. */
+        error: zod.z.string().optional()
+      }),
       { kind: "mutation" }
     )
   }
@@ -7184,26 +7640,54 @@ const meshOrchestratorCapability = {
     )
   }
 };
-const UserRoleSchema = zod.z.enum(["admin", "viewer", "agent", "scoped"]);
+const MethodAccessSchema = zod.z.enum(["view", "create", "delete"]);
 const AllowedProviderSchema = zod.z.union([zod.z.literal("*"), zod.z.array(zod.z.string())]);
 const AllowedDevicesSchema = zod.z.record(zod.z.string(), zod.z.union([zod.z.literal("*"), zod.z.array(zod.z.string())]));
-const MethodAccessSchema = zod.z.enum(["view", "create", "delete"]);
-const TokenScopeSchema = zod.z.object({
-  type: zod.z.enum(["addon", "capability"]),
-  target: zod.z.string(),
-  access: zod.z.array(MethodAccessSchema).min(1)
-});
+const CapScopeSchema = zod.z.enum(["device", "system"]);
+const TokenScopeSchema = zod.z.discriminatedUnion("type", [
+  zod.z.object({
+    type: zod.z.literal("category"),
+    target: CapScopeSchema,
+    access: zod.z.array(MethodAccessSchema).min(1)
+  }),
+  zod.z.object({
+    type: zod.z.literal("capability"),
+    target: zod.z.string(),
+    access: zod.z.array(MethodAccessSchema).min(1)
+  }),
+  zod.z.object({
+    type: zod.z.literal("addon"),
+    target: zod.z.string(),
+    access: zod.z.array(MethodAccessSchema).min(1)
+  }),
+  zod.z.object({
+    type: zod.z.literal("device"),
+    /**
+     * One or more deviceIds (serialised as strings for wire-format
+     * consistency with the rest of the union). Matcher accepts if
+     * `input.deviceId` ∈ `targets`. Array shape avoids the row-explosion
+     * of one scope-per-device when granting access to a set of cameras.
+     */
+    targets: zod.z.array(zod.z.string()).min(1),
+    access: zod.z.array(MethodAccessSchema).min(1)
+  })
+]);
 const UserRecordSchema = zod.z.object({
   id: zod.z.string(),
   username: zod.z.string(),
   passwordHash: zod.z.string(),
-  role: UserRoleSchema,
+  /**
+   * Admin bypass. When true, the middleware skips the scope-access
+   * check entirely. There is no other axis of privilege; the legacy
+   * role enum collapsed onto this boolean in v2.
+   */
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: AllowedProviderSchema,
   allowedDevices: AllowedDevicesSchema,
   /**
-   * Scopes granted to this user. Admins bypass; their `scopes` is ignored.
-   * Non-admins (`viewer`, `agent`, `scoped`) without scopes are locked out
-   * of every protected call.
+   * Scopes granted to this user. Admins bypass; their `scopes` is
+   * ignored. Non-admins without scopes are locked out of every
+   * protected call.
    */
   scopes: zod.z.array(TokenScopeSchema).default([]),
   createdAt: zod.z.number(),
@@ -7212,7 +7696,7 @@ const UserRecordSchema = zod.z.object({
 const ApiKeyRecordSchema = zod.z.object({
   id: zod.z.string(),
   label: zod.z.string(),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: AllowedProviderSchema,
   allowedDevices: AllowedDevicesSchema,
   tokenHash: zod.z.string(),
@@ -7236,7 +7720,7 @@ const ScopedTokenSchema = zod.z.object({
 const UserSummarySchema = zod.z.object({
   id: zod.z.string(),
   username: zod.z.string(),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])),
   scopes: zod.z.array(TokenScopeSchema).default([]),
@@ -7246,14 +7730,14 @@ const UserSummarySchema = zod.z.object({
 const CreateUserInputSchema = zod.z.object({
   username: zod.z.string(),
   password: zod.z.string().min(6),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]).optional(),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])).optional(),
   scopes: zod.z.array(TokenScopeSchema).optional()
 });
 const UpdateUserInputSchema = zod.z.object({
   id: zod.z.string(),
-  role: UserRoleSchema.optional(),
+  isAdmin: zod.z.boolean().optional(),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]).optional(),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])).optional(),
   scopes: zod.z.array(TokenScopeSchema).optional()
@@ -7261,7 +7745,7 @@ const UpdateUserInputSchema = zod.z.object({
 const ApiKeySummarySchema = zod.z.object({
   id: zod.z.string(),
   label: zod.z.string(),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]).optional(),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])).optional(),
   tokenPrefix: zod.z.string(),
@@ -7270,7 +7754,7 @@ const ApiKeySummarySchema = zod.z.object({
 });
 const CreateApiKeyInputSchema = zod.z.object({
   label: zod.z.string(),
-  role: UserRoleSchema,
+  isAdmin: zod.z.boolean().default(false),
   allowedProviders: zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")]).optional(),
   allowedDevices: zod.z.record(zod.z.string(), zod.z.union([zod.z.array(zod.z.string()), zod.z.literal("*")])).optional()
 });
@@ -7284,16 +7768,11 @@ const ScopedTokenSummarySchema = zod.z.object({
   name: zod.z.string(),
   tokenPrefix: zod.z.string(),
   scopes: zod.z.array(TokenScopeSchema),
-  // Mirror the storage schema: `.nullish()` accepts the SQLite-native
-  // `null` for absent timestamps as well as in-memory `undefined`.
   expiresAt: zod.z.number().nullish(),
   lastUsedAt: zod.z.number().nullish(),
   createdAt: zod.z.number()
 });
 const CreateScopedTokenInputSchema = zod.z.object({
-  // The owner the token is issued on behalf of. `adminProcedure` gates
-  // this call so an admin can mint tokens for any user; the CLI passes
-  // its own logged-in `user.id` here.
   userId: zod.z.string(),
   name: zod.z.string(),
   scopes: zod.z.array(TokenScopeSchema),
@@ -7303,45 +7782,85 @@ const CreateScopedTokenResultSchema = zod.z.object({
   token: zod.z.string(),
   record: ScopedTokenSummarySchema
 });
+const TotpSetupResultSchema = zod.z.object({
+  secret: zod.z.string(),
+  otpauthUrl: zod.z.string()
+});
+const TotpStatusSchema = zod.z.object({
+  /** True iff `confirmedAt != null` — a pending half-enrollment is reported as `enabled: false`. */
+  enabled: zod.z.boolean(),
+  /** Null when no row exists OR the row is still pending confirmation. */
+  confirmedAt: zod.z.number().nullable()
+});
 const userManagementCapability = {
   name: "user-management",
   scope: "system",
   mode: "singleton",
   methods: {
-    // ── Users ──────────────────────────────────────────────────────
     listUsers: method(zod.z.void(), zod.z.array(UserSummarySchema), { auth: "admin" }),
-    createUser: method(CreateUserInputSchema, UserSummarySchema, { kind: "mutation", auth: "admin" }),
-    updateUser: method(UpdateUserInputSchema, zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin" }),
-    deleteUser: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin" }),
+    createUser: method(CreateUserInputSchema, UserSummarySchema, { kind: "mutation", auth: "admin", access: "create" }),
+    updateUser: method(UpdateUserInputSchema, zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin", access: "create" }),
+    deleteUser: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin", access: "delete" }),
     resetPassword: method(
       zod.z.object({ id: zod.z.string(), newPassword: zod.z.string().min(6) }),
       zod.z.object({ success: zod.z.literal(true) }),
-      { kind: "mutation", auth: "admin" }
+      { kind: "mutation", auth: "admin", access: "create" }
     ),
-    /**
-     * Replace the scope set on a user. Subset check: the caller's scopes
-     * must include every requested scope+access (admin bypasses).
-     */
     setUserScopes: method(
       zod.z.object({ userId: zod.z.string(), scopes: zod.z.array(TokenScopeSchema) }),
       zod.z.object({ success: zod.z.literal(true) }),
-      { kind: "mutation", auth: "admin" }
+      { kind: "mutation", auth: "admin", access: "create" }
     ),
     validateCredentials: method(
       zod.z.object({ username: zod.z.string(), password: zod.z.string() }),
       UserSummarySchema.extend({ passwordHash: zod.z.string() }).nullable(),
-      { kind: "mutation" }
+      { kind: "mutation", access: "view" }
     ),
-    // ── API Keys ──────────────────────────────────────────────────
     listApiKeys: method(zod.z.void(), zod.z.array(ApiKeySummarySchema), { auth: "admin" }),
-    createApiKey: method(CreateApiKeyInputSchema, CreateApiKeyResultSchema, { kind: "mutation", auth: "admin" }),
-    revokeApiKey: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin" }),
-    validateApiKey: method(zod.z.object({ token: zod.z.string() }), ApiKeySummarySchema.nullable(), { kind: "mutation" }),
-    // ── Scoped Tokens ─────────────────────────────────────────────
-    createScopedToken: method(CreateScopedTokenInputSchema, CreateScopedTokenResultSchema, { kind: "mutation", auth: "admin" }),
-    revokeScopedToken: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin" }),
-    validateScopedToken: method(zod.z.object({ token: zod.z.string() }), ScopedTokenSummarySchema.nullable()),
-    listScopedTokens: method(zod.z.object({ userId: zod.z.string() }), zod.z.array(ScopedTokenSummarySchema), { auth: "admin" })
+    createApiKey: method(CreateApiKeyInputSchema, CreateApiKeyResultSchema, { kind: "mutation", auth: "admin", access: "create" }),
+    revokeApiKey: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin", access: "delete" }),
+    validateApiKey: method(zod.z.object({ token: zod.z.string() }), ApiKeySummarySchema.nullable(), { kind: "mutation", access: "view" }),
+    createScopedToken: method(CreateScopedTokenInputSchema, CreateScopedTokenResultSchema, { kind: "mutation", auth: "admin", access: "create" }),
+    revokeScopedToken: method(zod.z.object({ id: zod.z.string() }), zod.z.object({ success: zod.z.literal(true) }), { kind: "mutation", auth: "admin", access: "delete" }),
+    validateScopedToken: method(zod.z.object({ token: zod.z.string() }), ScopedTokenSummarySchema.nullable(), { access: "view" }),
+    listScopedTokens: method(zod.z.object({ userId: zod.z.string() }), zod.z.array(ScopedTokenSummarySchema), { auth: "admin" }),
+    // ── TOTP / 2FA ─────────────────────────────────────────────────
+    //
+    // Setup → Confirm → (Verify on login) → Disable.
+    //
+    // Admin-only for now: operator enrolls TOTP on a user's behalf by
+    // pairing their authenticator with the returned QR. Self-service
+    // enrollment is a follow-up (needs the cap framework to expose the
+    // caller's identity to the provider so the provider can enforce
+    // self-or-admin).
+    setupTotp: method(
+      zod.z.object({ userId: zod.z.string() }),
+      TotpSetupResultSchema,
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    confirmTotp: method(
+      zod.z.object({ userId: zod.z.string(), code: zod.z.string() }),
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "create" }
+    ),
+    disableTotp: method(
+      zod.z.object({ userId: zod.z.string() }),
+      zod.z.object({ success: zod.z.literal(true) }),
+      { kind: "mutation", auth: "admin", access: "delete" }
+    ),
+    getTotpStatus: method(
+      zod.z.object({ userId: zod.z.string() }),
+      TotpStatusSchema,
+      { auth: "admin" }
+    ),
+    // Public (no `auth`) — used by the login flow's second-step
+    // challenge endpoint. The userId comes from the password-validation
+    // step (signed bridge token), so this method is not a free oracle.
+    verifyTotp: method(
+      zod.z.object({ userId: zod.z.string(), code: zod.z.string() }),
+      zod.z.object({ valid: zod.z.boolean() }),
+      { kind: "mutation", access: "view" }
+    )
   }
 };
 const FeatureManifestSchema = zod.z.object({
@@ -7969,6 +8488,7 @@ exports.AUDIO_MACRO_LABELS = AUDIO_MACRO_LABELS;
 exports.AbortUploadInputSchema = AbortUploadInputSchema;
 exports.AccessoriesStatusSchema = AccessoriesStatusSchema;
 exports.AccessoryKind = AccessoryKind;
+exports.AddBrokerInputSchema = AddBrokerInputSchema;
 exports.AddonAutoUpdateSchema = AddonAutoUpdateSchema;
 exports.AddonListItemSchema = AddonListItemSchema;
 exports.AddonPageDeclarationSchema = AddonPageDeclarationSchema;
@@ -8014,10 +8534,12 @@ exports.BoundingBoxSchema = BoundingBoxSchema;
 exports.BrightnessStatusSchema = BrightnessStatusSchema;
 exports.BrokerAudioClientSchema = BrokerAudioClientSchema;
 exports.BrokerClientsSchema = BrokerClientsSchema;
+exports.BrokerConnectionDetailsSchema = BrokerConnectionDetailsSchema;
 exports.BrokerDecodedClientSchema = BrokerDecodedClientSchema;
+exports.BrokerInfoSchema = BrokerInfoSchema;
 exports.BrokerRtspClientSchema = BrokerRtspClientSchema;
 exports.BrokerStatsSchema = BrokerStatsSchema;
-exports.BrokerStatusSchema = BrokerStatusSchema;
+exports.BrokerStatusSchema = BrokerStatusSchema$1;
 exports.CAM_PROFILE_ORDER = CAM_PROFILE_ORDER;
 exports.CamProfileSchema = CamProfileSchema;
 exports.CamStreamKindSchema = CamStreamKindSchema;
@@ -8027,6 +8549,7 @@ exports.CameraCredentialsStatusSchema = CameraCredentialsStatusSchema;
 exports.CameraMetricsSchema = CameraMetricsSchema;
 exports.CameraMetricsWithDeviceIdSchema = CameraMetricsWithDeviceIdSchema;
 exports.CameraStreamSchema = CameraStreamSchema;
+exports.CapScopeSchema = CapScopeSchema;
 exports.CapabilityBindingsSchema = CapabilityBindingsSchema;
 exports.ChargingStatus = ChargingStatus;
 exports.ClientNetworkStatsSchema = ClientNetworkStatsSchema;
@@ -8056,6 +8579,7 @@ exports.DecoderStatsSchema = DecoderStatsSchema;
 exports.DeleteIntegrationResultSchema = DeleteIntegrationResultSchema;
 exports.DetectorOutputSchema = DetectorOutputSchema;
 exports.DeviceDiscoveryStatusSchema = DeviceDiscoveryStatusSchema;
+exports.DeviceExportStatusSchema = DeviceExportStatusSchema;
 exports.DeviceFeature = DeviceFeature;
 exports.DeviceInfoSchema = DeviceInfoSchema;
 exports.DeviceNetworkStatsSchema = DeviceNetworkStatsSchema;
@@ -8074,11 +8598,14 @@ exports.EndDownloadInputSchema = EndDownloadInputSchema;
 exports.EnrichedWidgetMetadataSchema = EnrichedWidgetMetadataSchema;
 exports.EventItemSchema = EventItemSchema;
 exports.EventKindSchema = EventKindSchema;
+exports.ExposeInputSchema = ExposeInputSchema;
+exports.ExposedDeviceSchema = ExposedDeviceSchema;
 exports.ExposedResourceSchema = ExposedResourceSchema;
 exports.FeatureManifestSchema = FeatureManifestSchema;
 exports.FeatureProbeStatusSchema = FeatureProbeStatusSchema;
 exports.FinalizeUploadInputSchema = FinalizeUploadInputSchema;
 exports.FrameInputSchema = FrameInputSchema;
+exports.GetStreamWithCodecInputSchema = GetStreamWithCodecInputSchema;
 exports.GlobalMetricsSchema = GlobalMetricsSchema;
 exports.HWACCEL_OPTIONS = HWACCEL_OPTIONS;
 exports.HealthStatusSchema = HealthStatusSchema;
@@ -8125,6 +8652,7 @@ exports.PIPELINE_FLOW_CAPABILITY_NAMES = PIPELINE_FLOW_CAPABILITY_NAMES;
 exports.PIPELINE_OWNER_CAPABILITY_NAMES = PIPELINE_OWNER_CAPABILITY_NAMES;
 exports.PackageUpdateSchema = PackageUpdateSchema;
 exports.PackageVersionInfoSchema = PackageVersionInfoSchema;
+exports.PasskeySummarySchema = PasskeySummarySchema;
 exports.PcmSampleFormatSchema = PcmSampleFormatSchema;
 exports.PerScopeBreakdownSchema = PerScopeBreakdownSchema;
 exports.PipelineAssignmentSchema = PipelineAssignmentSchema;
@@ -8151,6 +8679,7 @@ exports.RegisteredStreamSchema = RegisteredStreamSchema;
 exports.RemoteAccessEndpointSchema = RemoteAccessEndpointSchema;
 exports.RemoteAccessProviderInfoSchema = RemoteAccessProviderInfoSchema;
 exports.ReportMotionInputSchema = ReportMotionInputSchema;
+exports.RtpSourceSchema = RtpSourceSchema;
 exports.RtspRestreamEntrySchema = RtspRestreamEntrySchema;
 exports.RunnerCameraConfigSchema = RunnerCameraConfigSchema;
 exports.RunnerCameraDeviceUIFields = RunnerCameraDeviceUIFields;
@@ -8161,12 +8690,18 @@ exports.ScopedTokenSchema = ScopedTokenSchema;
 exports.ScopedTokenSummarySchema = ScopedTokenSummarySchema;
 exports.SearchResultSchema = SearchResultSchema;
 exports.SegmentSchema = SegmentSchema;
+exports.SendEmailInputSchema = SendEmailInputSchema;
+exports.SendEmailResultSchema = SendEmailResultSchema;
 exports.SettingsPatchSchema = SettingsPatchSchema;
 exports.SettingsRecordSchema = SettingsRecordSchema;
 exports.SettingsSchemaWithValuesSchema = SettingsSchemaWithValuesSchema;
 exports.SettingsUpdateResultSchema = SettingsUpdateResultSchema;
+exports.SmtpStatusSchema = SmtpStatusSchema;
 exports.SnapshotImageSchema = SnapshotImageSchema;
 exports.SpatialDetectionSchema = SpatialDetectionSchema;
+exports.SsoBridgeClaimsSchema = SsoBridgeClaimsSchema;
+exports.StartEmbeddedInputSchema = StartEmbeddedInputSchema;
+exports.StatusSchema = StatusSchema;
 exports.StorageLocationRefSchema = StorageLocationRefSchema;
 exports.StorageLocationSchema = StorageLocationSchema;
 exports.StorageLocationTypeSchema = StorageLocationTypeSchema;
@@ -8189,10 +8724,10 @@ exports.TrackStateSchema = TrackStateSchema;
 exports.TrackedDetectionSchema = TrackedDetectionSchema;
 exports.TurnProviderInfoSchema = TurnProviderInfoSchema;
 exports.TurnServerSchema = TurnServerSchema;
+exports.UnexposeInputSchema = UnexposeInputSchema;
 exports.UpdateIntegrationInputSchema = UpdateIntegrationInputSchema;
 exports.UpdateUserInputSchema = UpdateUserInputSchema;
 exports.UserRecordSchema = UserRecordSchema;
-exports.UserRoleSchema = UserRoleSchema;
 exports.UserSummarySchema = UserSummarySchema;
 exports.WELL_KNOWN_TABS = WELL_KNOWN_TABS;
 exports.WELL_KNOWN_TAB_MAP = WELL_KNOWN_TAB_MAP;
@@ -8236,6 +8771,7 @@ exports.cameraStreamsCapability = cameraStreamsCapability;
 exports.decoderCapability = decoderCapability;
 exports.detectionPipelineCapability = detectionPipelineCapability;
 exports.deviceDiscoveryCapability = deviceDiscoveryCapability;
+exports.deviceExportCapability = deviceExportCapability;
 exports.deviceManagerCapability = deviceManagerCapability;
 exports.deviceMatchesProfile = deviceMatchesProfile;
 exports.deviceOpsCapability = deviceOpsCapability;
@@ -8263,6 +8799,7 @@ exports.metricsProviderCapability = metricsProviderCapability;
 exports.motionCapability = motionCapability;
 exports.motionDetectionCapability = motionDetectionCapability;
 exports.motionTriggerCapability = motionTriggerCapability;
+exports.mqttBrokerCapability = mqttBrokerCapability;
 exports.nativeObjectDetectionCapability = nativeObjectDetectionCapability;
 exports.networkAccessCapability = networkAccessCapability;
 exports.networkQualityCapability = networkQualityCapability;
@@ -8283,8 +8820,10 @@ exports.remoteAccessCapability = remoteAccessCapability;
 exports.resolveDeviceProfile = resolveDeviceProfile;
 exports.restreamerCapability = restreamerCapability;
 exports.settingsStoreCapability = settingsStoreCapability;
+exports.smtpProviderCapability = smtpProviderCapability;
 exports.snapshotCapability = snapshotCapability;
 exports.snapshotProviderCapability = snapshotProviderCapability;
+exports.ssoBridgeCapability = ssoBridgeCapability;
 exports.storageCapability = storageCapability;
 exports.storageProviderCapability = storageProviderCapability;
 exports.streamBrokerCapability = streamBrokerCapability;
@@ -8295,10 +8834,11 @@ exports.toastCapability = toastCapability;
 exports.turnOrchestratorCapability = turnOrchestratorCapability;
 exports.turnProviderCapability = turnProviderCapability;
 exports.userManagementCapability = userManagementCapability;
+exports.userPasskeysCapability = userPasskeysCapability;
 exports.webrtcCapability = webrtcCapability;
 exports.webrtcClientHintsSchema = webrtcClientHintsSchema;
 exports.webrtcSessionCapability = webrtcSessionCapability;
 exports.zoneAnalyticsCapability = zoneAnalyticsCapability;
 exports.zoneRulesCapability = zoneRulesCapability;
 exports.zonesCapability = zonesCapability;
-//# sourceMappingURL=index-s8uJNgNs.js.map
+//# sourceMappingURL=index-BUBhoPUu.js.map