@centrali-io/centrali-sdk 5.5.1 → 6.0.0

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 import { AxiosRequestConfig, Method } from 'axios';
+
 /**
  * Error thrown by the Centrali SDK when an HTTP request fails.
  * Wraps the underlying HTTP error to avoid leaking transport details.
@@ -18,7 +19,7 @@ import { AxiosRequestConfig, Method } from 'axios';
  * }
  * ```
  */
-export declare class CentraliError extends Error {
+declare class CentraliError extends Error {
     /** HTTP status code (e.g. 400, 401, 404, 500). Undefined for network errors. */
     readonly status: number | undefined;
     /** HTTP status text (e.g. "Bad Request"). Undefined for network errors. */
@@ -49,37 +50,414 @@ export declare class CentraliError extends Error {
  * }
  * ```
  */
-export declare function isCentraliError(err: unknown): err is CentraliError;
+declare function isCentraliError(err: unknown): err is CentraliError;
+
+/**
+ * Generate the API URL from the base URL by adding the 'api.' subdomain.
+ * E.g., https://centrali.io -> https://api.centrali.io
+ */
+declare function getApiUrl(baseUrl: string): string;
+/**
+ * Generate the auth server URL from the base URL.
+ * E.g., https://centrali.io -> https://auth.centrali.io
+ */
+declare function getAuthUrl(baseUrl: string): string;
+/**
+ * Generate the realtime service URL from the base URL.
+ * E.g., https://centrali.io -> https://api.centrali.io/realtime
+ */
+declare function getRealtimeUrl(baseUrl: string): string;
+
+/**
+ * Generate Records API URL PATH.
+ */
+declare function getRecordApiPath(workspaceId: string, recordSlug: string, id?: string): string;
+/**
+ * Generate File Upload API URL PATH.
+ * @param workspaceId
+ */
+declare function getFileUploadApiPath(workspaceId: string): string;
+/**
+ * Generate canonical Files query API URL PATH (CEN-1218 / Phase 3).
+ * Backs `POST /files/query`, `/files/query/test`, and the
+ * `GET /files` URL adapter. Lives on the storage service alongside
+ * the upload + render endpoints.
+ */
+declare function getFilesCanonicalApiPath(workspaceId: string, suffix?: 'query' | 'query/test'): string;
+/**
+ * Generate Function Triggers base API URL PATH.
+ */
+declare function getFunctionTriggersApiPath(workspaceId: string, triggerId?: string): string;
+/**
+ * Generate Function Trigger execute API URL PATH.
+ */
+declare function getFunctionTriggerExecuteApiPath(workspaceId: string, triggerId: string): string;
+/**
+ * Generate Function Trigger pause API URL PATH.
+ */
+declare function getFunctionTriggerPauseApiPath(workspaceId: string, triggerId: string): string;
+/**
+ * Generate Function Trigger resume API URL PATH.
+ */
+declare function getFunctionTriggerResumeApiPath(workspaceId: string, triggerId: string): string;
+/**
+ * Generate Endpoint trigger invocation API URL PATH.
+ */
+declare function getEndpointApiPath(workspaceId: string, path: string): string;
+/**
+ * Generate Saved Queries base API URL PATH for workspace-level operations.
+ *
+ * Phase 4 (CEN-1198) of the query foundation moved the canonical mount from
+ * `/smart-queries` to `/saved-queries`. The data service dual-mounts both for
+ * the deprecation window; this helper emits the canonical path.
+ */
+declare function getSmartQueriesApiPath(workspaceId: string): string;
+/**
+ * Generate Saved Queries API URL PATH for structure-level operations.
+ */
+declare function getSmartQueriesStructureApiPath(workspaceId: string, structureSlug: string, queryId?: string): string;
+/**
+ * Generate Saved Query by name API URL PATH.
+ */
+declare function getSmartQueryByNameApiPath(workspaceId: string, structureSlug: string, name: string): string;
+/**
+ * Generate Saved Query execute API URL PATH.
+ */
+declare function getSmartQueryExecuteApiPath(workspaceId: string, structureSlug: string, queryId: string): string;
+/**
+ * Phase 4 canonical saved-query path helpers (no `slug` segment). These hit
+ * the canonical write/execute endpoints that accept canonical `query` bodies
+ * and `variables` typed declarations.
+ */
+declare function getSavedQueryCanonicalCollectionPath(workspaceId: string): string;
+declare function getSavedQueryCanonicalByIdPath(workspaceId: string, queryId: string): string;
+declare function getSavedQueryCanonicalExecutePath(workspaceId: string, queryId: string): string;
+declare function getSavedQueryCanonicalTestPath(workspaceId: string): string;
+/**
+ * Generate Search API URL PATH.
+ */
+declare function getSearchApiPath(workspaceId: string): string;
+/**
+ * Generate Anomaly Insights base API URL PATH.
+ */
+declare function getAnomalyInsightsApiPath(workspaceId: string, insightId?: string): string;
+/**
+ * Generate Anomaly Insights summary API URL PATH.
+ */
+declare function getAnomalyInsightsSummaryApiPath(workspaceId: string): string;
+/**
+ * Generate Anomaly Insights acknowledge API URL PATH.
+ */
+declare function getAnomalyInsightAcknowledgeApiPath(workspaceId: string, insightId: string): string;
+/**
+ * Generate Anomaly Insights dismiss API URL PATH.
+ */
+declare function getAnomalyInsightDismissApiPath(workspaceId: string, insightId: string): string;
+/**
+ * Generate Anomaly Insights bulk acknowledge API URL PATH.
+ */
+declare function getAnomalyInsightsBulkAcknowledgeApiPath(workspaceId: string): string;
+/**
+ * Generate Anomaly analysis trigger API URL PATH.
+ */
+declare function getAnomalyAnalysisTriggerApiPath(workspaceId: string): string;
+/**
+ * Generate structure-scoped anomaly insights API URL PATH.
+ */
+declare function getStructureInsightsApiPath(workspaceId: string, structureSlug: string): string;
+/**
+ * Generate Structures base API URL PATH.
+ */
+declare function getStructuresApiPath(workspaceId: string, structureId?: string): string;
+/**
+ * Generate Structure by slug API URL PATH.
+ */
+declare function getStructureBySlugApiPath(workspaceId: string, recordSlug: string): string;
+/**
+ * Generate Structure validate API URL PATH.
+ */
+declare function getStructureValidateApiPath(workspaceId: string): string;
+/**
+ * Generate collection-scoped anomaly insights API URL PATH.
+ */
+declare function getCollectionInsightsApiPath(workspaceId: string, collectionSlug: string): string;
+/**
+ * Generate Collections base API URL PATH.
+ */
+declare function getCollectionsApiPath(workspaceId: string, collectionId?: string): string;
+/**
+ * Generate Collection by slug API URL PATH.
+ */
+declare function getCollectionBySlugApiPath(workspaceId: string, recordSlug: string): string;
+/**
+ * Generate Collection validate API URL PATH.
+ */
+declare function getCollectionValidateApiPath(workspaceId: string): string;
+/**
+ * Generate Compute Functions base API URL PATH.
+ */
+declare function getComputeFunctionsApiPath(workspaceId: string, functionId?: string): string;
+/**
+ * Generate Compute Function test execution API URL PATH.
+ */
+declare function getComputeFunctionTestApiPath(workspaceId: string): string;
+/**
+ * Generate Function Runs base API URL PATH.
+ */
+declare function getFunctionRunsApiPath(workspaceId: string, runId?: string): string;
+/**
+ * Generate Function Runs by trigger API URL PATH.
+ */
+declare function getFunctionRunsByTriggerApiPath(workspaceId: string, triggerId: string): string;
+/**
+ * Generate Function Runs by function API URL PATH.
+ */
+declare function getFunctionRunsByFunctionApiPath(workspaceId: string, functionId: string): string;
+/**
+ * Generate Compute Job Status API URL PATH.
+ */
+declare function getComputeJobStatusApiPath(workspaceId: string, jobId: string): string;
+/**
+ * Generate Saved Query test execution API URL PATH.
+ */
+declare function getSmartQueryTestApiPath(workspaceId: string, structureSlug: string): string;
+/**
+ * Generate Validation suggestions base API URL PATH.
+ */
+declare function getValidationSuggestionsApiPath(workspaceId: string, suggestionId?: string): string;
+/**
+ * Generate Validation suggestion accept API URL PATH.
+ */
+declare function getValidationSuggestionAcceptApiPath(workspaceId: string, suggestionId: string): string;
+/**
+ * Generate Validation suggestion reject API URL PATH.
+ */
+declare function getValidationSuggestionRejectApiPath(workspaceId: string, suggestionId: string): string;
+/**
+ * Generate Validation bulk accept API URL PATH.
+ */
+declare function getValidationBulkAcceptApiPath(workspaceId: string): string;
+/**
+ * Generate Validation bulk reject API URL PATH.
+ */
+declare function getValidationBulkRejectApiPath(workspaceId: string): string;
+/**
+ * Generate Validation summary API URL PATH.
+ */
+declare function getValidationSummaryApiPath(workspaceId: string): string;
+/**
+ * Generate Validation record suggestions API URL PATH.
+ */
+declare function getValidationRecordSuggestionsApiPath(workspaceId: string, recordId: string): string;
+/**
+ * Generate Validation structure pending count API URL PATH.
+ */
+declare function getValidationPendingCountApiPath(workspaceId: string, structureSlug: string): string;
+/**
+ * Generate Validation batch scan API URL PATH (AI Service).
+ * Note: This routes to the AI service, not the Data service.
+ */
+declare function getValidationScanApiPath(workspaceId: string, batchId?: string): string;
+/**
+ * Generate Orchestrations API URL PATH.
+ * Routes to the orchestration service.
+ */
+declare function getOrchestrationsApiPath(workspaceId: string, orchestrationId?: string): string;
+/**
+ * Generate Orchestration Runs API URL PATH.
+ */
+declare function getOrchestrationRunsApiPath(workspaceId: string, orchestrationId: string, runId?: string): string;
+/**
+ * Generate Orchestration Run Steps API URL PATH.
+ */
+declare function getOrchestrationRunStepsApiPath(workspaceId: string, orchestrationId: string, runId: string): string;
+/**
+ * Generate canonical Orchestration Runs query API URL PATH (CEN-1217).
+ * Backs `POST /orchestration-runs/query`, `/query/test`, and the
+ * `GET /orchestration-runs` URL adapter.
+ */
+declare function getOrchestrationRunsCanonicalApiPath(workspaceId: string, suffix?: 'query' | 'query/test'): string;
+/**
+ * Generate Allowed Domains API URL PATH.
+ */
+declare function getAllowedDomainsApiPath(workspaceId: string, domainId?: string): string;
+/**
+ * Generate Webhook Subscriptions API URL PATH.
+ */
+declare function getWebhookSubscriptionsApiPath(workspaceId: string, subscriptionId?: string): string;
+/**
+ * Generate rotate-secret API URL PATH for a webhook subscription.
+ */
+declare function getWebhookSubscriptionRotateSecretApiPath(workspaceId: string, subscriptionId: string): string;
+/**
+ * Generate deliveries API URL PATH scoped to a webhook subscription.
+ */
+declare function getWebhookSubscriptionDeliveriesApiPath(workspaceId: string, subscriptionId: string, deliveryId?: string): string;
+/**
+ * Generate retry API URL PATH for a webhook delivery.
+ * Retry is workspace-scoped (not nested under a subscription) — only the delivery ID is needed.
+ */
+declare function getWebhookDeliveryRetryApiPath(workspaceId: string, deliveryId: string): string;
+/**
+ * Generate cancel API URL PATH for a webhook delivery retry.
+ * Cancel is workspace-scoped — only the delivery ID is needed.
+ */
+declare function getWebhookDeliveryCancelApiPath(workspaceId: string, deliveryId: string): string;
+
+/**
+ * Retrieve an access token using the Client Credentials flow.
+ */
+declare function fetchClientToken(clientId: string, clientSecret: string, baseUrl: string): Promise<string>;
+
+/**
+ * Options for initializing the Centrali SDK client.
+ */
+interface CentraliSDKOptions {
+    /** Base URL of Centrali (e.g. https://centrali.io). The SDK automatically uses api.centrali.io for API calls. */
+    baseUrl: string;
+    workspaceId: string;
+    /** Publishable key for frontend access. Sent as x-api-key header. No token refresh needed. */
+    publishableKey?: string;
+    /** Optional initial bearer token for authentication */
+    token?: string;
+    /** Optional callback to dynamically fetch a fresh token before each request (e.g., for Clerk, Auth0) */
+    getToken?: () => Promise<string>;
+    /** Optional OAuth2 client credentials */
+    clientId?: string;
+    clientSecret?: string;
+    /** Optional custom axios config */
+    axiosConfig?: AxiosRequestConfig;
+}
+/**
+ * Generic API response wrapper.
+ */
+interface ApiResponse<T> {
+    data: T;
+    meta?: Record<string, any>;
+    error?: any;
+    id?: string;
+    createdAt?: string;
+    updatedAt?: string;
+}
+/**
+ * Paginated API response wrapper.
+ */
+interface PaginatedResponse<T> {
+    /** Data items */
+    data: T[];
+    /** Pagination metadata */
+    meta: {
+        /** Total number of items */
+        total: number;
+        /** Current page number */
+        page: number;
+        /** Items per page */
+        pageSize: number;
+    };
+}
+
+/**
+ * Resource category for authorization.
+ * - 'workspace': Workspace-level resources (e.g., settings, members)
+ * - 'structure': Structure-level resources (e.g., specific records)
+ * - 'custom': Custom resources defined by the user for AuthZ-as-a-Service
+ */
+type ResourceCategory = 'workspace' | 'structure' | 'custom';
+/**
+ * Options for authorization check.
+ * Use this when authorizing access using an external IdP token (BYOT).
+ */
+interface CheckAuthorizationOptions {
+    /**
+     * The JWT token from your external identity provider (e.g., Clerk, Auth0, Okta).
+     * The token will be validated against the configured external auth provider.
+     */
+    token: string;
+    /**
+     * The resource being accessed.
+     * Can be a Centrali system resource (e.g., 'records', 'files') or a custom
+     * resource you've defined for AuthZ-as-a-Service (e.g., 'orders', 'invoices').
+     */
+    resource: string;
+    /**
+     * The action being performed on the resource.
+     * Common actions: 'create', 'read', 'update', 'delete', 'admin'
+     * You can also define custom actions (e.g., 'approve', 'publish').
+     */
+    action: string;
+    /**
+     * Resource category for authorization evaluation.
+     * - 'workspace': Workspace-level resources
+     * - 'structure': Structure-level resources
+     * - 'custom': Custom resources for AuthZ-as-a-Service
+     * @default 'custom'
+     */
+    resourceCategory?: ResourceCategory;
+    /**
+     * Optional context data for policy evaluation.
+     * This data becomes available as `request_metadata` in policies.
+     *
+     * @example
+     * // Policy can reference: request_metadata.orderId, request_metadata.amount
+     * context: {
+     *   orderId: 'order-123',
+     *   amount: 50000,
+     *   department: 'sales'
+     * }
+     */
+    context?: Record<string, unknown>;
+}
+/**
+ * Result of an authorization check.
+ */
+interface AuthorizationResult {
+    /**
+     * Whether the action is allowed.
+     */
+    allowed: boolean;
+    /**
+     * The decision from the policy evaluator.
+     * - 'allow': Access granted
+     * - 'deny': Access denied
+     * - 'not_applicable': No matching policy found
+     */
+    decision: 'allow' | 'deny' | 'not_applicable';
+    /**
+     * Human-readable message explaining the decision.
+     */
+    message?: string;
+}
+
 /**
  * Record event types emitted by the realtime service.
  */
-export type RecordEventType = 'record_created' | 'record_updated' | 'record_deleted' | 'records_bulk_created';
+type RecordEventType = 'record_created' | 'record_updated' | 'record_deleted' | 'records_bulk_created';
 /**
  * Validation event types emitted by the realtime service.
  */
-export type ValidationEventType = 'validation_suggestion_created' | 'validation_batch_completed';
+type ValidationEventType = 'validation_suggestion_created' | 'validation_batch_completed';
 /**
  * Anomaly event types emitted by the realtime service.
  */
-export type AnomalyEventType = 'anomaly_insight_created' | 'anomaly_detection_completed';
+type AnomalyEventType = 'anomaly_insight_created' | 'anomaly_detection_completed';
 /**
  * Compute function event types emitted by the realtime service.
  */
-export type ComputeEventType = 'function_run_completed' | 'function_run_failed';
+type ComputeEventType = 'function_run_completed' | 'function_run_failed';
 /**
  * Orchestration run event types emitted by the realtime service.
  */
-export type OrchestrationEventType = 'orchestration_run_started' | 'orchestration_run_completed' | 'orchestration_run_failed';
+type OrchestrationEventType = 'orchestration_run_started' | 'orchestration_run_completed' | 'orchestration_run_failed';
 /**
  * All event types emitted by the realtime service.
  * Matches: services/backend/realtime/internal/redis/message.go
  */
-export type RealtimeEventType = RecordEventType | ValidationEventType | AnomalyEventType | ComputeEventType | OrchestrationEventType;
+type RealtimeEventType = RecordEventType | ValidationEventType | AnomalyEventType | ComputeEventType | OrchestrationEventType;
 /**
  * Record event payload from the realtime service.
  * Matches: services/backend/realtime/internal/redis/message.go RecordEvent
  */
-export interface RealtimeRecordEvent {
+interface RealtimeRecordEvent {
     /** Event type */
     event: RecordEventType;
     /** Workspace slug where the event occurred */
@@ -102,7 +480,7 @@ export interface RealtimeRecordEvent {
 /**
  * Validation suggestion data nested in the event.
  */
-export interface ValidationSuggestionData {
+interface ValidationSuggestionData {
     /** Structure slug */
     structureSlug: string;
     /** Field with the issue */
@@ -124,7 +502,7 @@ export interface ValidationSuggestionData {
  * Validation suggestion created event payload.
  * Matches the format published by process_validation_events.ts
  */
-export interface RealtimeValidationSuggestionEvent {
+interface RealtimeValidationSuggestionEvent {
     /** Event type */
     event: 'validation_suggestion_created';
     /** Workspace slug */
@@ -141,7 +519,7 @@ export interface RealtimeValidationSuggestionEvent {
 /**
  * Validation batch data nested in the event.
  */
-export interface ValidationBatchData {
+interface ValidationBatchData {
     /** Structure slug that was scanned */
     structureSlug: string;
     /** Batch ID */
@@ -165,7 +543,7 @@ export interface ValidationBatchData {
  * Validation batch completed event payload.
  * Matches the format published by process_validation_events.ts
  */
-export interface RealtimeValidationBatchEvent {
+interface RealtimeValidationBatchEvent {
     /** Event type */
     event: 'validation_batch_completed';
     /** Workspace slug */
@@ -182,7 +560,7 @@ export interface RealtimeValidationBatchEvent {
 /**
  * Anomaly insight data nested in the event.
  */
-export interface AnomalyInsightData {
+interface AnomalyInsightData {
     /** Structure ID */
     structureId: string;
     /** Structure slug */
@@ -210,7 +588,7 @@ export interface AnomalyInsightData {
  * Anomaly insight created event payload.
  * Matches the format published by process_anomaly_events.ts
  */
-export interface RealtimeAnomalyInsightEvent {
+interface RealtimeAnomalyInsightEvent {
     /** Event type */
     event: 'anomaly_insight_created';
     /** Workspace slug */
@@ -227,7 +605,7 @@ export interface RealtimeAnomalyInsightEvent {
 /**
  * Anomaly detection batch data nested in the event.
  */
-export interface AnomalyDetectionData {
+interface AnomalyDetectionData {
     /** Structure ID */
     structureId: string;
     /** Structure slug */
@@ -255,7 +633,7 @@ export interface AnomalyDetectionData {
  * Anomaly detection completed event payload.
  * Matches the format published by process_anomaly_events.ts
  */
-export interface RealtimeAnomalyDetectionEvent {
+interface RealtimeAnomalyDetectionEvent {
     /** Event type */
     event: 'anomaly_detection_completed';
     /** Workspace slug */
@@ -272,7 +650,7 @@ export interface RealtimeAnomalyDetectionEvent {
 /**
  * Function run error details.
  */
-export interface FunctionRunError {
+interface FunctionRunError {
     /** Error message */
     message: string;
     /** Error code */
@@ -283,7 +661,7 @@ export interface FunctionRunError {
 /**
  * Memory usage metrics from function execution.
  */
-export interface FunctionMemoryUsage {
+interface FunctionMemoryUsage {
     /** Heap memory used in bytes */
     heapUsed: number;
     /** Resident set size in bytes */
@@ -293,7 +671,7 @@ export interface FunctionMemoryUsage {
  * Compute function run event payload.
  * Matches the format published by handle_function_run_events.ts
  */
-export interface RealtimeFunctionRunEvent {
+interface RealtimeFunctionRunEvent {
     /** Event type */
     event: ComputeEventType;
     /** Workspace slug */
@@ -326,7 +704,7 @@ export interface RealtimeFunctionRunEvent {
 /**
  * Orchestration failure reason details.
  */
-export interface OrchestrationFailureReason {
+interface OrchestrationFailureReason {
     /** Error code (e.g., "STEP_EXECUTION_FAILED") */
     code: string;
     /** Human-readable error message */
@@ -338,7 +716,7 @@ export interface OrchestrationFailureReason {
  * Orchestration run event payload from the realtime service.
  * Matches: services/backend/realtime/internal/redis/message.go OrchestrationRunEvent
  */
-export interface RealtimeOrchestrationRunEvent {
+interface RealtimeOrchestrationRunEvent {
     /** Event type */
     event: OrchestrationEventType;
     /** Workspace slug */
@@ -363,7 +741,7 @@ export interface RealtimeOrchestrationRunEvent {
 /**
  * Close event payload from the realtime service.
  */
-export interface RealtimeCloseEvent {
+interface RealtimeCloseEvent {
     /** Reason for the close */
     reason: string;
     /** Whether the client should attempt to reconnect */
@@ -372,11 +750,11 @@ export interface RealtimeCloseEvent {
 /**
  * Union type of all realtime events.
  */
-export type RealtimeEvent = RealtimeRecordEvent | RealtimeValidationSuggestionEvent | RealtimeValidationBatchEvent | RealtimeAnomalyInsightEvent | RealtimeAnomalyDetectionEvent | RealtimeFunctionRunEvent | RealtimeOrchestrationRunEvent;
+type RealtimeEvent = RealtimeRecordEvent | RealtimeValidationSuggestionEvent | RealtimeValidationBatchEvent | RealtimeAnomalyInsightEvent | RealtimeAnomalyDetectionEvent | RealtimeFunctionRunEvent | RealtimeOrchestrationRunEvent;
 /**
  * Error object for realtime connection errors.
  */
-export interface RealtimeError {
+interface RealtimeError {
     /** Error code from the server */
     code: 'MISSING_TOKEN' | 'TOKEN_EXPIRED' | 'WORKSPACE_MISMATCH' | 'INVALID_TOKEN' | 'FORBIDDEN' | 'AUTH_ERROR' | 'RATE_LIMIT_EXCEEDED' | 'CONNECTION_ERROR' | 'PARSE_ERROR';
     /** Human-readable error message */
@@ -387,7 +765,7 @@ export interface RealtimeError {
 /**
  * Options for subscribing to realtime events.
  */
-export interface RealtimeSubscribeOptions {
+interface RealtimeSubscribeOptions {
     /** Structure recordSlugs to filter events (e.g., ["order", "customer"]). Empty = all structures */
     structures?: string[];
     /** Collection recordSlugs to filter events (e.g., ["order", "customer"]). Empty = all collections */
@@ -418,225 +796,272 @@ export interface RealtimeSubscribeOptions {
 /**
  * Realtime subscription handle returned by subscribe().
  */
-export interface RealtimeSubscription {
+interface RealtimeSubscription {
     /** Unsubscribe and close the connection */
     unsubscribe: () => void;
     /** Whether the connection is currently open */
     readonly connected: boolean;
 }
+
+type QueryDefinition = {
+    /**
+     * Logical resource being queried.
+     *
+     * - For records: the collection (a.k.a. structure) slug — e.g. `"orders"`,
+     *   `"customers"`. The records executor treats this as the collection slug.
+     * - For other queryable resources: the resource type identifier — e.g.
+     *   `"audit-log"`, `"function-runs"`, `"files"`, `"webhook-deliveries"`.
+     *
+     * Named `resource` (not `collection`) because "collection" is overloaded in
+     * Centrali — it's the renamed records-bucket entity, so `collection: "audit-log"`
+     * would read as a category error. `resource` is REST-canonical and reads
+     * truthfully across every executor.
+     */
+    resource: string;
+    where?: WhereExpression;
+    text?: TextSearchClause;
+    sort?: SortClause[];
+    page?: PageClause;
+    select?: SelectClause;
+    include?: IncludeClause[];
+    joins?: JoinClause[];
+};
+type SavedQueryDefinition = {
+    name: string;
+    description?: string;
+    query: QueryDefinition;
+    variables?: Record<string, QueryVariableDefinition>;
+};
+type WhereExpression = FieldConditionMap | {
+    and: WhereExpression[];
+} | {
+    or: WhereExpression[];
+} | {
+    not: WhereExpression;
+};
+type FieldConditionMap = {
+    [field: string]: FieldCondition;
+};
 /**
- * Internal configuration for realtime connections.
- */
-interface RealtimeConfig {
-    /** Maximum reconnection attempts (default: 10) */
-    maxReconnectAttempts: number;
-    /** Initial reconnect delay in ms (default: 1000) */
-    initialReconnectDelayMs: number;
-    /** Maximum reconnect delay in ms (default: 30000) */
-    maxReconnectDelayMs: number;
-}
-/**
- * Options for initializing the Centrali SDK client.
- */
-export interface CentraliSDKOptions {
-    /** Base URL of Centrali (e.g. https://centrali.io). The SDK automatically uses api.centrali.io for API calls. */
-    baseUrl: string;
-    workspaceId: string;
-    /** Publishable key for frontend access. Sent as x-api-key header. No token refresh needed. */
-    publishableKey?: string;
-    /** Optional initial bearer token for authentication */
-    token?: string;
-    /** Optional callback to dynamically fetch a fresh token before each request (e.g., for Clerk, Auth0) */
-    getToken?: () => Promise<string>;
-    /** Optional OAuth2 client credentials */
-    clientId?: string;
-    clientSecret?: string;
-    /** Optional custom axios config */
-    axiosConfig?: AxiosRequestConfig;
-}
+ * Exactly-one helper: for a record of operator → value-type, produces a union
+ * where each variant has exactly one of the keys present and all the others
+ * forbidden via `?: never`. This enforces the contract's "exactly one operator
+ * per FieldCondition" rule at the type level — `{ eq: 1, ne: 2 }` fails to
+ * type-check.
+ */
+type ExactlyOneOperator<T> = {
+    [K in keyof T]: {
+        [P in K]: T[P];
+    } & {
+        [P in Exclude<keyof T, K>]?: never;
+    };
+}[keyof T];
+type FieldOperatorMap = {
+    eq: ScalarValue;
+    ne: ScalarValue;
+    gt: number | string;
+    gte: number | string;
+    lt: number | string;
+    lte: number | string;
+    in: ScalarValue[];
+    nin: ScalarValue[];
+    contains: string;
+    startsWith: string;
+    endsWith: string;
+    hasAny: ScalarValue[];
+    hasAll: ScalarValue[];
+    exists: boolean;
+};
+type FieldCondition = ExactlyOneOperator<FieldOperatorMap>;
+type ScalarValue = string | number | boolean | null;
+type CanonicalOperator = 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'nin' | 'contains' | 'startsWith' | 'endsWith' | 'hasAny' | 'hasAll' | 'exists';
+declare const CANONICAL_OPERATORS: readonly CanonicalOperator[];
+/** Argument shape an operator expects in a `FieldCondition`. */
+type OperatorValueShape = 
+/** Single scalar input (string/number/boolean/null). */
+'scalar'
+/** Array of scalars — UI typically renders a chip / comma input. */
+ | 'array'
+/** Boolean toggle — `exists`. */
+ | 'boolean';
+/**
+ * Logical type families an operator applies to. The visual builder narrows
+ * the dropdown to the operators valid for the selected field's type.
+ *
+ * `any` means the operator is type-agnostic (`eq`, `ne`, `exists`).
+ */
+type OperatorTypeApplicability = 'string' | 'number' | 'boolean' | 'datetime' | 'array' | 'any';
+type OperatorMeta = {
+    /** Canonical bare operator name. */
+    operator: CanonicalOperator;
+    /** Human-readable label for dropdowns. */
+    label: string;
+    /** Short, symbol-style label suitable for compact number/datetime UIs. */
+    shortLabel?: string;
+    /** Argument shape — drives the value input affordance. */
+    valueShape: OperatorValueShape;
+    /** Field types this operator applies to. */
+    applicableTypes: OperatorTypeApplicability[];
+};
+declare const OPERATOR_METADATA: Readonly<Record<CanonicalOperator, OperatorMeta>>;
 /**
- * Generic API response wrapper.
+ * Operators applicable to a given field-type. Used by builder UIs to narrow
+ * the dropdown when the user selects a field; falls back to `any`-applicable
+ * operators when the type is unknown.
  */
-export interface ApiResponse<T> {
-    data: T;
-    meta?: Record<string, any>;
-    error?: any;
-    id?: string;
-    createdAt?: string;
-    updatedAt?: string;
-}
+declare function operatorsForFieldType(type: OperatorTypeApplicability | string): readonly OperatorMeta[];
+type TextSearchClause = {
+    query: string;
+    fields?: string[];
+    typoTolerance?: boolean;
+};
+type SortClause = {
+    field: string;
+    direction: 'asc' | 'desc';
+};
 /**
- * Resource category for authorization.
- * - 'workspace': Workspace-level resources (e.g., settings, members)
- * - 'structure': Structure-level resources (e.g., specific records)
- * - 'custom': Custom resources defined by the user for AuthZ-as-a-Service
+ * Two pagination modes. Per contract §6 they are mutually exclusive — `cursor`
+ * is forbidden in offset mode and `offset` is forbidden in cursor mode so a
+ * caller cannot construct an ambiguous request.
  */
-export type ResourceCategory = 'workspace' | 'structure' | 'custom';
+type PageClause = {
+    limit: number;
+    offset?: number;
+    cursor?: never;
+} | {
+    limit: number;
+    cursor?: string;
+    offset?: never;
+};
 /**
- * Options for authorization check.
- * Use this when authorizing access using an external IdP token (BYOT).
+ * Records Phase 1 page defaults (contract §6).
+ * Same default and cap for GET adapter and POST query body.
  */
-export interface CheckAuthorizationOptions {
-    /**
-     * The JWT token from your external identity provider (e.g., Clerk, Auth0, Okta).
-     * The token will be validated against the configured external auth provider.
-     */
-    token: string;
-    /**
-     * The resource being accessed.
-     * Can be a Centrali system resource (e.g., 'records', 'files') or a custom
-     * resource you've defined for AuthZ-as-a-Service (e.g., 'orders', 'invoices').
-     */
-    resource: string;
-    /**
-     * The action being performed on the resource.
-     * Common actions: 'create', 'read', 'update', 'delete', 'admin'
-     * You can also define custom actions (e.g., 'approve', 'publish').
-     */
-    action: string;
-    /**
-     * Resource category for authorization evaluation.
-     * - 'workspace': Workspace-level resources
-     * - 'structure': Structure-level resources
-     * - 'custom': Custom resources for AuthZ-as-a-Service
-     * @default 'custom'
-     */
-    resourceCategory?: ResourceCategory;
-    /**
-     * Optional context data for policy evaluation.
-     * This data becomes available as `request_metadata` in policies.
-     *
-     * @example
-     * // Policy can reference: request_metadata.orderId, request_metadata.amount
-     * context: {
-     *   orderId: 'order-123',
-     *   amount: 50000,
-     *   department: 'sales'
-     * }
-     */
-    context?: Record<string, unknown>;
-}
+declare const RECORDS_PAGE_DEFAULT_LIMIT = 50;
+declare const RECORDS_PAGE_MAX_LIMIT = 500;
+type SelectClause = {
+    fields: string[];
+};
 /**
- * Result of an authorization check.
- */
-export interface AuthorizationResult {
+ * Recursive direct-relationship expansion. The executor walks each clause
+ * against reference-typed properties on the parent structure and substitutes
+ * the related row(s) inline under the relation name. Nested `include`
+ * children traverse the next hop on the just-fetched rows. Cycle detection
+ * and depth limits live in the executor (CEN-1192).
+ *
+ * `where` and `select` (CEN-1219) operate on the **target** structure's
+ * namespace — fields are resolved against the included relation's own
+ * properties (e.g. `data.active` on the related `customer`, not the parent's
+ * `data.customer.data.active`). The executor narrows the batched fetch with
+ * `where` and trims the attached row to `select.fields` post-fetch. Nested
+ * `include` children inherit nothing from this clause's `select` — they are
+ * always fetched in full and can carry their own `select`.
+ */
+type IncludeClause = {
+    relation: string;
+    where?: WhereExpression;
+    select?: SelectClause;
+    include?: IncludeClause[];
+};
+type JoinType = 'inner' | 'left' | 'right' | 'full';
+type JoinClause = {
+    /** Resource (collection slug) of the joined records table. */
+    foreignSlug: string;
     /**
-     * Whether the action is allowed.
+     * Field on the primary or any prior join's alias. Bare names refer to the
+     * primary structure; dotted names (`<alias>.<field>`) reference a prior
+     * join's logical alias.
      */
-    allowed: boolean;
+    localField: string;
+    /** Field on the joined table. */
+    foreignField: string;
+    /** SQL join type. Required — no implicit default. */
+    joinType: JoinType;
     /**
-     * The decision from the policy evaluator.
-     * - 'allow': Access granted
-     * - 'deny': Access denied
-     * - 'not_applicable': No matching policy found
+     * Optional projection on the joined row. Defaults to all readable fields
+     * (subject to field-level auth).
      */
-    decision: 'allow' | 'deny' | 'not_applicable';
+    select?: string[];
     /**
-     * Human-readable message explaining the decision.
+     * Logical alias used to namespace the joined row in the response under
+     * `_joined[alias]`, and for `localField` references in subsequent joins.
+     * Defaults to `foreignSlug`. Required when joining the same `foreignSlug`
+     * more than once in the same query.
      */
-    message?: string;
-}
-/**
- * Trigger execution types supported by Centrali.
- */
-export type TriggerExecutionType = 'on-demand' | 'event-driven' | 'scheduled' | 'http-trigger';
+    alias?: string;
+};
 /**
- * Function trigger definition.
+ * Maximum number of `joins[]` entries allowed in a single QueryDefinition.
+ * Cap is conservative until we have telemetry on real-world chain lengths;
+ * raise if customers hit it for legitimate reporting use cases.
  */
-export interface FunctionTrigger {
-    id: string;
-    name: string;
+declare const JOINS_MAX_LENGTH = 4;
+type VariableType = 'string' | 'number' | 'boolean' | 'datetime' | 'id' | {
+    array: VariableType;
+} | {
+    reference: string;
+};
+type QueryVariableDefinition = {
+    type: VariableType;
+    required?: boolean;
+    default?: ScalarValue;
     description?: string;
-    workspaceSlug: string;
-    functionId: string;
-    executionType: TriggerExecutionType;
-    triggerMetadata: Record<string, any>;
-    schedulerJobId?: string;
-    enabled: boolean;
-    createdBy: string;
-    updatedBy: string;
-    createdAt?: string;
-    updatedAt?: string;
-}
-/**
- * Options for invoking an on-demand trigger.
- */
-export interface InvokeTriggerOptions {
-    /** Custom payload/parameters to pass to the trigger execution */
-    payload?: Record<string, any>;
-}
-/**
- * Options for invoking a synchronous compute endpoint.
- */
-export interface InvokeEndpointOptions {
-    /** HTTP method (default: 'POST'). Must be in the trigger's allowedMethods. */
-    method?: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH';
-    /** Request body payload (sent as JSON). Ignored for GET/DELETE. */
-    payload?: Record<string, any>;
-    /** Additional request headers (e.g., X-API-Key for apiKey auth). */
-    headers?: Record<string, string>;
-    /** Query string parameters. */
-    query?: Record<string, string>;
-}
-/**
- * Response from a synchronous compute endpoint invocation.
- */
-export interface EndpointResponse<T = any> {
-    /** HTTP status code from the compute function */
-    status: number;
-    /** Response body from the compute function */
-    data: T;
-    /** Response headers */
-    headers: Record<string, string>;
-}
+};
+type QueryExecutionMode = 'filter' | 'search' | 'hybrid';
+type QueryResultMeta = {
+    total?: number;
+    limit: number;
+    offset?: number;
+    cursor?: string;
+    nextCursor?: string;
+    hasMore?: boolean;
+    processingTimeMs?: number;
+    mode?: QueryExecutionMode;
+};
+type QueryResult<T> = {
+    data: T[];
+    meta: QueryResultMeta;
+};
+type QueryErrorCode = 'unsupported_clause' | 'unsupported_operator' | 'unsupported_legacy_operator' | 'unreadable_field' | 'invalid_query' | 'legacy_write_unsupported' | 'unknown_variable' | 'variable_type_mismatch' | 'missing_required_variable' | 'extra_variable' | 'joins_length_exceeded' | 'unsupported_combination' | 'duplicate_join_alias';
+type QueryError = {
+    code: QueryErrorCode;
+    message: string;
+    /** Dotted path inside the QueryDefinition where the error was detected, e.g. "where.data.status.eq". */
+    path?: string;
+    /** For `unsupported_clause` / `unsupported_operator`, the offending name. */
+    clause?: string;
+};
+type ValidationResult<T> = {
+    ok: true;
+    value: T;
+} | {
+    ok: false;
+    errors: QueryError[];
+};
+
 /**
  * Options for deleting a record.
  */
-export interface DeleteRecordOptions {
+interface DeleteRecordOptions {
     /** Perform a hard delete (permanent). Default: false (soft delete) */
     hard?: boolean;
 }
 /**
  * Options for setting TTL (Time-To-Live) on a record.
  */
-export interface RecordTtlOptions {
+interface RecordTtlOptions {
     /** TTL in seconds. Record expires after this duration. */
     ttlSeconds?: number;
     /** Explicit expiration timestamp (ISO 8601 string). */
     expiresAt?: string;
-    /** Set to true to remove TTL and make record permanent. Only valid on update. */
-    clearTtl?: boolean;
-}
-/**
- * An allowed domain entry for compute function external calls.
- */
-export interface AllowedDomain {
-    id: string;
-    domain: string;
-    createdAt: string;
-    createdBy: string;
-}
-/**
- * Response from listing allowed domains.
- */
-export interface AllowedDomainsListResponse {
-    data: AllowedDomain[];
-    meta: {
-        total: number;
-    };
-}
-/**
- * Options for adding an allowed domain.
- */
-export interface AddAllowedDomainOptions {
-    /** The domain to allow (e.g., 'api.example.com'). No protocol prefix. */
-    domain: string;
+    /** Set to true to remove TTL and make record permanent. Only valid on update. */
+    clearTtl?: boolean;
 }
 /**
  * Options for expanding reference fields when fetching records.
  * Expanded data is placed in the `_expanded` object within the record's data.
  */
-export interface ExpandOptions {
+interface ExpandOptions {
     /**
      * Comma-separated list of reference fields to expand.
      * Supports nested expansion using dot notation (up to 3 levels deep).
@@ -656,10 +1081,9 @@ export interface ExpandOptions {
 /**
  * Options for retrieving a single record.
  */
-export interface GetRecordOptions extends ExpandOptions {
+interface GetRecordOptions extends ExpandOptions {
 }
-export * from './query-types';
-import type { QueryDefinition, QueryResult, WhereExpression, SortClause, PageClause, SelectClause } from './query-types';
+
 /**
  * Filter operators for querying records via the legacy GET adapter.
  *
@@ -680,7 +1104,7 @@ import type { QueryDefinition, QueryResult, WhereExpression, SortClause, PageCla
  * { 'data.status[in]': 'pending,processing' }  // comma-separated for 'in'
  * { 'data.email[contains]': '@gmail.com' }
  */
-export interface FilterOperators {
+interface FilterOperators {
     /** Equal to (default if just a value is provided) */
     eq?: string | number | boolean;
     /** Not equal to */
@@ -711,7 +1135,7 @@ export interface FilterOperators {
 /**
  * Filter value can be a direct value or an object with operators.
  */
-export type FilterValue = string | number | boolean | null | FilterOperators;
+type FilterValue = string | number | boolean | null | FilterOperators;
 /**
  * Date range filter for restricting results to a time window.
  *
@@ -722,7 +1146,7 @@ export type FilterValue = string | number | boolean | null | FilterOperators;
  * // Records updated in a specific range
  * { field: 'updatedAt', from: '2024-01-01T00:00:00Z', to: '2024-03-31T23:59:59Z' }
  */
-export interface DateWindowOption {
+interface DateWindowOption {
     /** The date field to filter on (e.g., 'createdAt', 'updatedAt', or a custom date field) */
     field: string;
     /** ISO 8601 date string — lower bound (inclusive, gte) */
@@ -768,7 +1192,7 @@ export interface DateWindowOption {
  * // Date window
  * { dateWindow: { field: 'createdAt', from: '2024-01-01T00:00:00Z' }, sort: '-createdAt' }
  */
-export interface QueryRecordOptions extends ExpandOptions {
+interface QueryRecordOptions extends ExpandOptions {
     /**
      * Structured filter object. Wrap your field filters here as an alternative to top-level keys.
      * Uses the same syntax as compute function `api.queryRecords`.
@@ -823,39 +1247,164 @@ export interface QueryRecordOptions extends ExpandOptions {
  * Response from invoking a trigger.
  * Currently the API returns the queued job ID as a string.
  */
-export type TriggerInvokeResponse = string;
+type TriggerInvokeResponse = string;
+/**
+ * Record event name constants — use these when constructing `events` on a
+ * webhook subscription instead of hand-typing strings.
+ *
+ * @example
+ * ```ts
+ * await centrali.webhookSubscriptions.create({
+ *   name: 'Order created',
+ *   url: 'https://my-app.example.com/webhooks/centrali',
+ *   events: [RecordEvents.CREATED, RecordEvents.UPDATED],
+ * });
+ * ```
+ */
+declare const RecordEvents: {
+    readonly CREATED: "record_created";
+    readonly UPDATED: "record_updated";
+    readonly DELETED: "record_deleted";
+    readonly BULK_CREATED: "records_bulk_created";
+};
+
+/**
+ * Trigger execution types supported by Centrali.
+ */
+type TriggerExecutionType = 'on-demand' | 'event-driven' | 'scheduled' | 'http-trigger';
+/**
+ * Function trigger definition.
+ */
+interface FunctionTrigger {
+    id: string;
+    name: string;
+    description?: string;
+    workspaceSlug: string;
+    functionId: string;
+    executionType: TriggerExecutionType;
+    triggerMetadata: Record<string, any>;
+    schedulerJobId?: string;
+    enabled: boolean;
+    createdBy: string;
+    updatedBy: string;
+    createdAt?: string;
+    updatedAt?: string;
+}
+/**
+ * Options for invoking an on-demand trigger.
+ */
+interface InvokeTriggerOptions {
+    /** Custom payload/parameters to pass to the trigger execution */
+    payload?: Record<string, any>;
+}
+/**
+ * Options for invoking a synchronous compute endpoint.
+ */
+interface InvokeEndpointOptions {
+    /** HTTP method (default: 'POST'). Must be in the trigger's allowedMethods. */
+    method?: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH';
+    /** Request body payload (sent as JSON). Ignored for GET/DELETE. */
+    payload?: Record<string, any>;
+    /** Additional request headers (e.g., X-API-Key for apiKey auth). */
+    headers?: Record<string, string>;
+    /** Query string parameters. */
+    query?: Record<string, string>;
+}
+/**
+ * Response from a synchronous compute endpoint invocation.
+ */
+interface EndpointResponse<T = any> {
+    /** HTTP status code from the compute function */
+    status: number;
+    /** Response body from the compute function */
+    data: T;
+    /** Response headers */
+    headers: Record<string, string>;
+}
+/**
+ * Input for creating a new function trigger.
+ */
+interface CreateTriggerInput {
+    name: string;
+    functionId: string;
+    executionType: TriggerExecutionType;
+    description?: string;
+    triggerMetadata?: Record<string, any>;
+    enabled?: boolean;
+}
+/**
+ * Input for updating an existing function trigger.
+ */
+interface UpdateTriggerInput {
+    name?: string;
+    description?: string;
+    enabled?: boolean;
+    triggerMetadata?: Record<string, any>;
+}
+/**
+ * Options for listing all triggers (not filtered by type).
+ */
+interface ListAllTriggersOptions {
+    page?: number;
+    limit?: number;
+    functionId?: string;
+    executionType?: TriggerExecutionType;
+    includeHealth?: boolean;
+}
+/**
+ * Health status of a trigger.
+ */
+type TriggerHealthStatus = 'healthy' | 'warning' | 'error' | 'dead' | 'never_run' | 'paused';
+/**
+ * Health metrics for a trigger.
+ */
+interface TriggerHealthMetrics {
+    lastRunAt: string | null;
+    successCount: number;
+    failureCount: number;
+    avgExecutionTimeMs: number;
+    totalRuns: number;
+}
+/**
+ * Trigger with health metrics included.
+ */
+interface TriggerWithHealth extends FunctionTrigger {
+    health: TriggerHealthMetrics;
+    healthStatus: TriggerHealthStatus;
+}
+
 /**
  * Orchestration trigger types.
  */
-export type OrchestrationTriggerType = 'event-driven' | 'scheduled' | 'on-demand' | 'http-trigger';
+type OrchestrationTriggerType = 'event-driven' | 'scheduled' | 'on-demand' | 'http-trigger';
 /**
  * Schedule types for scheduled orchestrations.
  */
-export type OrchestrationScheduleType = 'interval' | 'cron' | 'once';
+type OrchestrationScheduleType = 'interval' | 'cron' | 'once';
 /**
  * Orchestration lifecycle status.
  */
-export type OrchestrationStatus = 'draft' | 'active' | 'paused';
+type OrchestrationStatus = 'draft' | 'active' | 'paused';
 /**
  * Orchestration run status.
  */
-export type OrchestrationRunStatus = 'pending' | 'running' | 'waiting' | 'completed' | 'failed';
+type OrchestrationRunStatus = 'pending' | 'running' | 'waiting' | 'completed' | 'failed';
 /**
  * Orchestration step types.
  */
-export type OrchestrationStepType = 'compute' | 'decision' | 'delay';
+type OrchestrationStepType = 'compute' | 'decision' | 'delay';
 /**
  * Run step status.
  */
-export type OrchestrationStepStatus = 'pending' | 'running' | 'waiting' | 'succeeded' | 'failed';
+type OrchestrationStepStatus = 'pending' | 'running' | 'waiting' | 'succeeded' | 'failed';
 /**
  * Condition operators for decision steps.
  */
-export type ConditionOperator = 'eq' | 'neq' | 'gt' | 'gte' | 'lt' | 'lte' | 'exists' | 'notExists' | 'in' | 'notIn';
+type ConditionOperator = 'eq' | 'neq' | 'gt' | 'gte' | 'lt' | 'lte' | 'exists' | 'notExists' | 'in' | 'notIn';
 /**
  * Orchestration trigger configuration.
  */
-export interface OrchestrationTrigger {
+interface OrchestrationTrigger {
     /** Trigger type */
     type: OrchestrationTriggerType;
     /** Event type for event-driven triggers */
@@ -900,7 +1449,7 @@ export interface OrchestrationTrigger {
 /**
  * Retry configuration for compute steps.
  */
-export interface OrchestrationRetryConfig {
+interface OrchestrationRetryConfig {
     /** Maximum retry attempts */
     maxAttempts: number;
     /** Backoff delay in milliseconds */
@@ -909,21 +1458,21 @@ export interface OrchestrationRetryConfig {
 /**
  * On success configuration for compute steps.
  */
-export interface OrchestrationOnSuccess {
+interface OrchestrationOnSuccess {
     /** Next step ID to execute on success */
     nextStepId?: string;
 }
 /**
  * On failure configuration for compute steps.
  */
-export interface OrchestrationOnFailure {
+interface OrchestrationOnFailure {
     /** Action to take on failure: 'fail' or 'end' */
     action: 'fail' | 'end';
 }
 /**
  * Condition in a decision case.
  */
-export interface OrchestrationCondition {
+interface OrchestrationCondition {
     /** Path to evaluate (e.g., 'input.data.status', 'steps.validate.output.isValid') */
     path: string;
     /** Comparison operator */
@@ -936,7 +1485,7 @@ export interface OrchestrationCondition {
 /**
  * Decision case in a decision step.
  */
-export interface OrchestrationDecisionCase {
+interface OrchestrationDecisionCase {
     /** Conditions to evaluate (AND logic) */
     conditions: OrchestrationCondition[];
     /** Next step ID if conditions match */
@@ -946,7 +1495,7 @@ export interface OrchestrationDecisionCase {
  * Encrypted parameter for a compute step. To encrypt a new value, set encrypt=true and value=plaintext.
  * Stored values have encrypted=true and value is masked in API responses.
  */
-export interface StepEncryptedParam {
+interface StepEncryptedParam {
     /** The parameter value (plaintext on create, masked as "********" on read) */
     value: string;
     /** True when the value is encrypted at rest */
@@ -959,7 +1508,7 @@ export interface StepEncryptedParam {
 /**
  * Orchestration step definition.
  */
-export interface OrchestrationStep {
+interface OrchestrationStep {
     /** Unique step identifier */
     id: string;
     /** Human-readable step name */
@@ -990,7 +1539,7 @@ export interface OrchestrationStep {
 /**
  * Orchestration definition.
  */
-export interface Orchestration {
+interface Orchestration {
     /** Unique identifier */
     id: string;
     /** Workspace slug */
@@ -1021,7 +1570,7 @@ export interface Orchestration {
 /**
  * Input for creating an orchestration.
  */
-export interface CreateOrchestrationInput {
+interface CreateOrchestrationInput {
     /** URL-friendly slug (unique within workspace) */
     slug: string;
     /** Human-readable name */
@@ -1036,7 +1585,7 @@ export interface CreateOrchestrationInput {
 /**
  * Input for updating an orchestration.
  */
-export interface UpdateOrchestrationInput {
+interface UpdateOrchestrationInput {
     /** Updated name */
     name?: string;
     /** Updated description */
@@ -1051,7 +1600,7 @@ export interface UpdateOrchestrationInput {
 /**
  * Trigger metadata for a run.
  */
-export interface OrchestrationTriggerMetadata {
+interface OrchestrationTriggerMetadata {
     /** Event type (for event-driven triggers) */
     eventType?: string;
     /** Schedule ID (for scheduled triggers) */
@@ -1064,7 +1613,7 @@ export interface OrchestrationTriggerMetadata {
 /**
  * Orchestration run instance.
  */
-export interface OrchestrationRun {
+interface OrchestrationRun {
     /** Unique run identifier */
     id: string;
     /** Parent orchestration ID */
@@ -1105,7 +1654,7 @@ export interface OrchestrationRun {
 /**
  * Decision result from a decision step.
  */
-export interface OrchestrationDecisionResult {
+interface OrchestrationDecisionResult {
     /** Number of cases evaluated */
     evaluatedCases: number;
     /** Index of matched case (null if default) */
@@ -1118,7 +1667,7 @@ export interface OrchestrationDecisionResult {
 /**
  * Evaluation result for a single decision case.
  */
-export interface OrchestrationCaseEvaluation {
+interface OrchestrationCaseEvaluation {
     /** Case index */
     caseIndex: number;
     /** Next step ID for this case */
@@ -1131,7 +1680,7 @@ export interface OrchestrationCaseEvaluation {
 /**
  * Evaluation result for a single condition.
  */
-export interface OrchestrationConditionEvaluation {
+interface OrchestrationConditionEvaluation {
     /** Path that was evaluated */
     path: string;
     /** Operator used */
@@ -1152,7 +1701,7 @@ export interface OrchestrationConditionEvaluation {
 /**
  * Delay configuration result from a delay step.
  */
-export interface OrchestrationDelayConfig {
+interface OrchestrationDelayConfig {
     /** Delay duration in milliseconds */
     delayMs: number;
     /** ISO timestamp when step will resume */
@@ -1163,7 +1712,7 @@ export interface OrchestrationDelayConfig {
 /**
  * Error information from a failed step.
  */
-export interface OrchestrationStepError {
+interface OrchestrationStepError {
     /** Error message */
     message: string;
     /** Error code */
@@ -1174,7 +1723,7 @@ export interface OrchestrationStepError {
 /**
  * Run step execution record.
  */
-export interface OrchestrationRunStep {
+interface OrchestrationRunStep {
     /** Unique step execution identifier */
     id: string;
     /** Parent run ID */
@@ -1211,7 +1760,7 @@ export interface OrchestrationRunStep {
 /**
  * Options for triggering an orchestration run.
  */
-export interface TriggerOrchestrationRunOptions {
+interface TriggerOrchestrationRunOptions {
     /** Input data for the run */
     input?: Record<string, unknown>;
     /** Correlation ID for tracing */
@@ -1220,7 +1769,7 @@ export interface TriggerOrchestrationRunOptions {
 /**
  * Options for listing orchestrations.
  */
-export interface ListOrchestrationsOptions {
+interface ListOrchestrationsOptions {
     /** Number of items per page (default: 20, max: 100) */
     limit?: number;
     /** Number of items to skip */
@@ -1231,7 +1780,7 @@ export interface ListOrchestrationsOptions {
 /**
  * Options for listing orchestration runs.
  */
-export interface ListOrchestrationRunsOptions {
+interface ListOrchestrationRunsOptions {
     /** Number of items per page (default: 20, max: 100) */
     limit?: number;
     /** Number of items to skip */
@@ -1239,26 +1788,11 @@ export interface ListOrchestrationRunsOptions {
     /** Filter by run status */
     status?: OrchestrationRunStatus;
 }
-/**
- * Paginated response wrapper.
- */
-export interface PaginatedResponse<T> {
-    /** Data items */
-    data: T[];
-    /** Pagination metadata */
-    meta: {
-        /** Total number of items */
-        total: number;
-        /** Current page number */
-        page: number;
-        /** Items per page */
-        pageSize: number;
-    };
-}
+
 /**
  * Smart query definition stored in the database.
  */
-export interface SmartQuery {
+interface SmartQuery {
     /** Unique identifier (UUID) */
     id: string;
     /** Workspace slug where the query belongs */
@@ -1273,6 +1807,14 @@ export interface SmartQuery {
     queryDefinition: SmartQueryDefinition;
     /** Status (active, archived) */
     status: string;
+    /**
+     * Typed parameter declarations for `${var}` placeholders in the query
+     * body. Present on Phase 4 saved queries; `null`/absent on rows that have
+     * not yet been migrated, in which case execute falls back to legacy
+     * untyped string substitution. Re-exported from `@centrali/query` so the
+     * SDK and server share one shape.
+     */
+    variables?: Record<string, QueryVariableDefinition> | null;
     /** User ID who created the query */
     createdBy: string;
     /** User ID who last updated the query */
@@ -1286,7 +1828,7 @@ export interface SmartQuery {
  * Query definition format for smart queries.
  * Supports filtering, selection, joins, sorting, and pagination.
  */
-export interface SmartQueryDefinition {
+interface SmartQueryDefinition {
     /** Fields to select from the structure */
     select?: string[];
     /** Filter conditions */
@@ -1304,7 +1846,7 @@ export interface SmartQueryDefinition {
  * Where clause for smart query filtering.
  * Supports comparison operators and logical operators.
  */
-export interface SmartQueryWhereClause {
+interface SmartQueryWhereClause {
     /** Field-level conditions */
     [field: string]: SmartQueryFieldCondition | SmartQueryWhereClause[] | undefined;
     /** Logical AND of multiple conditions */
@@ -1315,7 +1857,7 @@ export interface SmartQueryWhereClause {
 /**
  * Field-level condition operators for smart query filtering.
  */
-export interface SmartQueryFieldCondition {
+interface SmartQueryFieldCondition {
     /** Equality */
     $eq?: any;
     /** Not equal */
@@ -1348,7 +1890,7 @@ export interface SmartQueryFieldCondition {
 /**
  * Join definition for smart queries.
  */
-export interface SmartQueryJoin {
+interface SmartQueryJoin {
     /** Target structure slug to join */
     foreignSlug: string;
     /** Field in the main structure */
@@ -1361,7 +1903,7 @@ export interface SmartQueryJoin {
 /**
  * Sort specification for smart queries.
  */
-export interface SmartQuerySort {
+interface SmartQuerySort {
     /** Field to sort by */
     field: string;
     /** Sort direction */
@@ -1370,7 +1912,7 @@ export interface SmartQuerySort {
 /**
  * Options for listing smart queries.
  */
-export interface ListSmartQueryOptions {
+interface ListSmartQueryOptions {
     /** Page number (default: 1) */
     page?: number;
     /** Results per page (default: 20) */
@@ -1383,28 +1925,61 @@ export interface ListSmartQueryOptions {
     sortDirection?: 'asc' | 'desc';
 }
 /**
- * Options for executing a smart query.
+ * A scalar value bindable to a saved-query parameter slot, including `Date`
+ * for `datetime` declarations. `Date` works because axios JSON-serializes it
+ * to an ISO-8601 string before the request leaves the client — the server
+ * never sees a `Date` object and does not perform type coercion.
+ */
+type SavedQueryScalarBinding = ScalarValue | Date;
+/**
+ * Runtime values bound to a saved query's typed parameters at execution time.
+ *
+ * Each key matches a declaration in the saved query's `variables` map.
+ * Scalars cover `string`/`number`/`boolean`/`datetime`/`id`/`reference`;
+ * arrays — including `array<datetime>` — cover `{ array: ... }` declarations
+ * (the shared contract is recursive, so `Date[]` and `string[]` etc. are all
+ * valid bindings).
+ *
+ * Phase 4 typed substitution validates each value against its declared type
+ * by JS `typeof` (no coercion — `"123"` is rejected for `number`). `Date` is
+ * serialized to ISO-8601 over the wire and then accepted as a `datetime`
+ * string. Pre-Phase-4 (untyped) saved queries stringify every value before
+ * substitution; the SDK does not narrow that path.
+ */
+type ExecuteSavedQueryValues = Record<string, SavedQueryScalarBinding | SavedQueryScalarBinding[]>;
+/**
+ * Options for executing a saved query.
  */
-export interface ExecuteSmartQueryOptions {
+interface ExecuteSmartQueryOptions {
     /**
-     * Variables to substitute in the query.
-     * Use mustache-style {{variableName}} syntax in query conditions,
-     * then provide values here at execution time.
+     * Values bound to the saved query's `${var}` placeholders. Use canonical
+     * `${variableName}` syntax in the persisted query body, then pass values
+     * here at execution time.
+     *
+     * On Phase 4 typed saved queries (rows that declare `variables`), the
+     * server validates these against the typed declarations by JS `typeof`
+     * (no coercion). On legacy untyped rows, every value is stringified
+     * before substitution.
      *
      * @example
      * ```ts
-     * // Query definition with variable: { where: { userId: { $eq: "{{currentUserId}}" } } }
-     * const results = await client.smartQueries.execute('orders', 'query-id', {
+     * // Query definition with parameter: { where: { userId: { eq: "${currentUserId}" } } }
+     * const results = await client.savedQueries.execute('orders', 'query-id', {
      *   variables: { currentUserId: 'user_123' }
      * });
+     *
+     * // Typed datetime + array binding (Phase 4)
+     * await client.savedQueries.execute('orders', 'query-id', {
+     *   variables: { since: new Date('2026-01-01'), statuses: ['open', 'paid'] },
+     * });
      * ```
      */
-    variables?: Record<string, string>;
+    variables?: ExecuteSavedQueryValues;
 }
 /**
  * Result from executing a smart query with metadata.
  */
-export interface SmartQueryExecuteResult<T = any> {
+interface SmartQueryExecuteResult<T = any> {
     /** Query results */
     result: T[];
     /** Metadata about the execution */
@@ -1413,18 +1988,91 @@ export interface SmartQueryExecuteResult<T = any> {
         variablesUsed?: string[];
     };
 }
+/**
+ * Input for creating a new saved query.
+ *
+ * Phase 4 callers should set `query` (canonical `QueryDefinition` — eq/gte/lte
+ * operators, `${var}` placeholders) and optionally `variables` to declare the
+ * parameter types. Pre-Phase-4 callers may still set `queryDefinition` (legacy
+ * `$eq`/`$gte` shape) — the SDK routes those to the legacy slug-based create
+ * endpoint, which does not accept typed variable declarations.
+ */
+interface CreateSmartQueryInput {
+    name: string;
+    description?: string;
+    /** Canonical query body (Phase 4). Required for typed `variables`. */
+    query?: QueryDefinition;
+    /**
+     * @deprecated Use `query` (canonical `QueryDefinition`). The legacy
+     *   `SmartQueryDefinition` shape continues to work via the legacy
+     *   slug-based endpoint but cannot carry typed `variables` declarations.
+     */
+    queryDefinition?: SmartQueryDefinition;
+    /**
+     * Optional typed parameter declarations. When present, every `${var}`
+     * placeholder in `query` must be declared, and execute-time values are
+     * validated against these types by JS `typeof` (no server-side coercion).
+     * Requires `query` (canonical).
+     */
+    variables?: Record<string, QueryVariableDefinition> | null;
+}
+/**
+ * Input for updating an existing saved query.
+ */
+interface UpdateSmartQueryInput {
+    name?: string;
+    description?: string;
+    /** Canonical query body (Phase 4). Routes through the canonical PUT. */
+    query?: QueryDefinition;
+    /**
+     * @deprecated Use `query` (canonical). The legacy shape routes through
+     *   the legacy slug-based PUT.
+     */
+    queryDefinition?: SmartQueryDefinition;
+    /**
+     * Replace the typed parameter declarations. Pass `null` to clear them
+     * (the query reverts to the legacy untyped path); omit the field
+     * entirely to leave the existing declarations untouched. Only honored on
+     * the canonical PUT path (i.e. when paired with `query`).
+     */
+    variables?: Record<string, QueryVariableDefinition> | null;
+}
+/**
+ * Input for test-executing a saved query definition without saving.
+ *
+ * Set `query` for canonical authoring; `queryDefinition` stays as a legacy
+ * fallback. When `variableDeclarations` is provided, the canonical test path
+ * validates `variables` against those declarations the same way an executed
+ * saved query would.
+ */
+interface TestSmartQueryInput {
+    /** Canonical query body (Phase 4). */
+    query?: QueryDefinition;
+    /**
+     * @deprecated Use `query` (canonical).
+     */
+    queryDefinition?: SmartQueryDefinition;
+    variables?: ExecuteSavedQueryValues;
+    /**
+     * Typed parameter declarations the author is editing in the same draft.
+     * When provided, the test path validates `variables` against these
+     * declarations the same way an executed saved query would.
+     */
+    variableDeclarations?: Record<string, QueryVariableDefinition>;
+}
+
 /**
  * Property type identifiers for structure properties.
  */
-export type PropertyType = 'string' | 'number' | 'boolean' | 'datetime' | 'array' | 'object' | 'reference';
+type PropertyType = 'string' | 'number' | 'boolean' | 'datetime' | 'array' | 'object' | 'reference';
 /**
  * Schema discovery mode for a structure.
  */
-export type SchemaDiscoveryMode = 'strict' | 'schemaless' | 'auto-evolving';
+type SchemaDiscoveryMode = 'strict' | 'schemaless' | 'auto-evolving';
 /**
  * Base property definition shared by all property types.
  */
-export interface BasePropertyDefinition {
+interface BasePropertyDefinition {
     id?: string;
     name: string;
     type: PropertyType;
@@ -1439,7 +2087,7 @@ export interface BasePropertyDefinition {
 /**
  * String property definition.
  */
-export interface StringPropertyDefinition extends BasePropertyDefinition {
+interface StringPropertyDefinition extends BasePropertyDefinition {
     type: 'string';
     minLength?: number;
     maxLength?: number;
@@ -1451,7 +2099,7 @@ export interface StringPropertyDefinition extends BasePropertyDefinition {
 /**
  * Number property definition.
  */
-export interface NumberPropertyDefinition extends BasePropertyDefinition {
+interface NumberPropertyDefinition extends BasePropertyDefinition {
     type: 'number';
     minimum?: number;
     maximum?: number;
@@ -1468,13 +2116,13 @@ export interface NumberPropertyDefinition extends BasePropertyDefinition {
 /**
  * Boolean property definition.
  */
-export interface BooleanPropertyDefinition extends BasePropertyDefinition {
+interface BooleanPropertyDefinition extends BasePropertyDefinition {
     type: 'boolean';
 }
 /**
  * DateTime property definition.
  */
-export interface DateTimePropertyDefinition extends BasePropertyDefinition {
+interface DateTimePropertyDefinition extends BasePropertyDefinition {
     type: 'datetime';
     earliestDate?: string;
     latestDate?: string;
@@ -1486,7 +2134,7 @@ export interface DateTimePropertyDefinition extends BasePropertyDefinition {
 /**
  * Array property definition.
  */
-export interface ArrayPropertyDefinition extends BasePropertyDefinition {
+interface ArrayPropertyDefinition extends BasePropertyDefinition {
     type: 'array';
     items: {
         type: string;
@@ -1500,7 +2148,7 @@ export interface ArrayPropertyDefinition extends BasePropertyDefinition {
 /**
  * Object property definition.
  */
-export interface ObjectPropertyDefinition extends BasePropertyDefinition {
+interface ObjectPropertyDefinition extends BasePropertyDefinition {
     type: 'object';
     properties?: PropertyDefinition[];
     requiredProperties?: string[];
@@ -1509,7 +2157,7 @@ export interface ObjectPropertyDefinition extends BasePropertyDefinition {
 /**
  * Reference property definition for foreign key-like relationships.
  */
-export interface ReferencePropertyDefinition extends BasePropertyDefinition {
+interface ReferencePropertyDefinition extends BasePropertyDefinition {
     type: 'reference';
     target: string;
     targetField?: string;
@@ -1520,11 +2168,11 @@ export interface ReferencePropertyDefinition extends BasePropertyDefinition {
 /**
  * Union of all property definition types.
  */
-export type PropertyDefinition = StringPropertyDefinition | NumberPropertyDefinition | BooleanPropertyDefinition | DateTimePropertyDefinition | ArrayPropertyDefinition | ObjectPropertyDefinition | ReferencePropertyDefinition;
+type PropertyDefinition = StringPropertyDefinition | NumberPropertyDefinition | BooleanPropertyDefinition | DateTimePropertyDefinition | ArrayPropertyDefinition | ObjectPropertyDefinition | ReferencePropertyDefinition;
 /**
  * Full structure definition.
  */
-export interface Structure {
+interface Structure {
     id: string;
     name: string;
     workspaceSlug: string;
@@ -1554,7 +2202,7 @@ export interface Structure {
 /**
  * Input for creating a new structure.
  */
-export interface CreateStructureInput {
+interface CreateStructureInput {
     name: string;
     recordSlug: string;
     description?: string;
@@ -1566,7 +2214,7 @@ export interface CreateStructureInput {
 /**
  * Input for updating an existing structure.
  */
-export interface UpdateStructureInput {
+interface UpdateStructureInput {
     name?: string;
     description?: string;
     properties?: PropertyDefinition[];
@@ -1578,26 +2226,27 @@ export interface UpdateStructureInput {
 /**
  * Options for listing structures.
  */
-export interface ListStructuresOptions {
+interface ListStructuresOptions {
     page?: number;
     limit?: number;
 }
 /**
  * Options for listing collections (alias for ListStructuresOptions).
  */
-export type ListCollectionsOptions = ListStructuresOptions;
+type ListCollectionsOptions = ListStructuresOptions;
 /**
  * Input for validating a structure definition.
  */
-export interface ValidateStructureInput {
+interface ValidateStructureInput {
     name?: string;
     slug?: string;
     properties?: PropertyDefinition[];
 }
+
 /**
  * Compute function definition.
  */
-export interface ComputeFunction {
+interface ComputeFunction {
     id: string;
     name: string;
     code: string;
@@ -1612,7 +2261,7 @@ export interface ComputeFunction {
 /**
  * Input for creating a new compute function.
  */
-export interface CreateComputeFunctionInput {
+interface CreateComputeFunctionInput {
     name: string;
     code: string;
     description?: string;
@@ -1621,7 +2270,7 @@ export interface CreateComputeFunctionInput {
 /**
  * Input for updating an existing compute function.
  */
-export interface UpdateComputeFunctionInput {
+interface UpdateComputeFunctionInput {
     name?: string;
     description?: string;
     code?: string;
@@ -1630,7 +2279,7 @@ export interface UpdateComputeFunctionInput {
 /**
  * Options for listing compute functions.
  */
-export interface ListComputeFunctionsOptions {
+interface ListComputeFunctionsOptions {
     page?: number;
     limit?: number;
     search?: string;
@@ -1639,7 +2288,7 @@ export interface ListComputeFunctionsOptions {
 /**
  * Input for test-executing a compute function without saving.
  */
-export interface TestComputeFunctionInput {
+interface TestComputeFunctionInput {
     code: string;
     params?: Record<string, any>;
     timeoutMs?: number;
@@ -1647,7 +2296,7 @@ export interface TestComputeFunctionInput {
 /**
  * Result from test-executing a compute function.
  */
-export interface TestComputeFunctionResult {
+interface TestComputeFunctionResult {
     success: boolean;
     output?: any;
     duration_ms?: number;
@@ -1657,15 +2306,15 @@ export interface TestComputeFunctionResult {
 /**
  * Execution source for a function run.
  */
-export type FunctionRunExecutionSource = 'trigger' | 'rerun' | 'manual' | 'scheduled' | 'http-trigger' | 'orchestration' | 'endpoint';
+type FunctionRunExecutionSource = 'trigger' | 'rerun' | 'manual' | 'scheduled' | 'http-trigger' | 'orchestration' | 'endpoint';
 /**
  * Status of a function run.
  */
-export type FunctionRunStatus = 'pending' | 'running' | 'completed' | 'failure' | 'timeout';
+type FunctionRunStatus = 'pending' | 'running' | 'completed' | 'failure' | 'timeout';
 /**
  * A function run record representing a single execution of a compute function.
  */
-export interface FunctionRun {
+interface FunctionRun {
     id: string;
     createdBy: string;
     functionId: string;
@@ -1701,7 +2350,7 @@ export interface FunctionRun {
 /**
  * Options for listing function runs by trigger or function.
  */
-export interface ListFunctionRunsOptions {
+interface ListFunctionRunsOptions {
     page?: number;
     limit?: number;
     status?: FunctionRunStatus;
@@ -1709,95 +2358,22 @@ export interface ListFunctionRunsOptions {
 /**
  * Status of a compute job in the execution pipeline.
  */
-export type ComputeJobStatus = 'queued' | 'running' | 'completed' | 'failed';
+type ComputeJobStatus = 'queued' | 'running' | 'completed' | 'failed';
 /**
  * A compute job status response from the job status endpoint.
  * Represents the state of an async compute execution.
  */
-export interface ComputeJobStatusResponse {
+interface ComputeJobStatusResponse {
     jobId: string;
     status: ComputeJobStatus;
     returnValue?: any;
     failedReason?: string | null;
 }
-/**
- * Input for creating a new function trigger.
- */
-export interface CreateTriggerInput {
-    name: string;
-    functionId: string;
-    executionType: TriggerExecutionType;
-    description?: string;
-    triggerMetadata?: Record<string, any>;
-    enabled?: boolean;
-}
-/**
- * Input for updating an existing function trigger.
- */
-export interface UpdateTriggerInput {
-    name?: string;
-    description?: string;
-    enabled?: boolean;
-    triggerMetadata?: Record<string, any>;
-}
-/**
- * Options for listing all triggers (not filtered by type).
- */
-export interface ListAllTriggersOptions {
-    page?: number;
-    limit?: number;
-    functionId?: string;
-    executionType?: TriggerExecutionType;
-    includeHealth?: boolean;
-}
-/**
- * Health status of a trigger.
- */
-export type TriggerHealthStatus = 'healthy' | 'warning' | 'error' | 'dead' | 'never_run' | 'paused';
-/**
- * Health metrics for a trigger.
- */
-export interface TriggerHealthMetrics {
-    lastRunAt: string | null;
-    successCount: number;
-    failureCount: number;
-    avgExecutionTimeMs: number;
-    totalRuns: number;
-}
-/**
- * Trigger with health metrics included.
- */
-export interface TriggerWithHealth extends FunctionTrigger {
-    health: TriggerHealthMetrics;
-    healthStatus: TriggerHealthStatus;
-}
-/**
- * Input for creating a new smart query.
- */
-export interface CreateSmartQueryInput {
-    name: string;
-    description?: string;
-    queryDefinition: SmartQueryDefinition;
-}
-/**
- * Input for updating an existing smart query.
- */
-export interface UpdateSmartQueryInput {
-    name?: string;
-    description?: string;
-    queryDefinition?: SmartQueryDefinition;
-}
-/**
- * Input for test-executing a smart query definition without saving.
- */
-export interface TestSmartQueryInput {
-    queryDefinition: SmartQueryDefinition;
-    variables?: Record<string, string>;
-}
+
 /**
  * Options for searching records.
  */
-export interface SearchOptions {
+interface SearchOptions {
     /** Filter by structure slug(s). Can be a single slug or array of slugs */
     structures?: string | string[];
     /** Filter by collection slug(s). Can be a single slug or array of slugs */
@@ -1808,7 +2384,7 @@ export interface SearchOptions {
 /**
  * A single search result hit.
  */
-export interface SearchHit {
+interface SearchHit {
     /** The record ID */
     id: string;
     /** The record slug (structure type) */
@@ -1821,7 +2397,7 @@ export interface SearchHit {
 /**
  * Response from a search query.
  */
-export interface SearchResponse {
+interface SearchResponse {
     /** Array of matching records */
     hits: SearchHit[];
     /** Estimated total number of matching records */
@@ -1831,22 +2407,23 @@ export interface SearchResponse {
     /** The original search query */
     query: string;
 }
+
 /**
  * Anomaly insight types.
  */
-export type InsightType = 'time_series_anomaly' | 'statistical_outlier' | 'pattern_deviation' | 'volume_spike' | 'missing_data' | 'orphaned_reference' | 'reference_integrity';
+type InsightType = 'time_series_anomaly' | 'statistical_outlier' | 'pattern_deviation' | 'volume_spike' | 'missing_data' | 'orphaned_reference' | 'reference_integrity';
 /**
  * Anomaly insight severity levels.
  */
-export type InsightSeverity = 'info' | 'warning' | 'critical';
+type InsightSeverity = 'info' | 'warning' | 'critical';
 /**
  * Anomaly insight status.
  */
-export type InsightStatus = 'active' | 'acknowledged' | 'dismissed';
+type InsightStatus = 'active' | 'acknowledged' | 'dismissed';
 /**
  * Anomaly insight record.
  */
-export interface AnomalyInsight {
+interface AnomalyInsight {
     /** Unique identifier */
     id: string;
     /** Workspace slug */
@@ -1887,7 +2464,7 @@ export interface AnomalyInsight {
 /**
  * Options for listing anomaly insights.
  */
-export interface ListInsightsOptions {
+interface ListInsightsOptions {
     /** Filter by severity */
     severity?: InsightSeverity;
     /** Filter by status */
@@ -1904,7 +2481,7 @@ export interface ListInsightsOptions {
 /**
  * Result of triggering anomaly analysis.
  */
-export interface AnomalyAnalysisResult {
+interface AnomalyAnalysisResult {
     /** Whether the analysis was triggered */
     success: boolean;
     /** Status message */
@@ -1915,7 +2492,7 @@ export interface AnomalyAnalysisResult {
 /**
  * Summary of anomaly insights.
  */
-export interface InsightsSummary {
+interface InsightsSummary {
     /** Total insights */
     total: number;
     /** Active insights */
@@ -1933,6 +2510,7 @@ export interface InsightsSummary {
     /** Breakdown by type */
     byType: Record<string, number>;
 }
+
 /**
  * Validation issue types.
  * - 'type': Schema type mismatch (e.g., string where array expected) - rule-based
@@ -1941,15 +2519,15 @@ export interface InsightsSummary {
  * - 'duplicate': Duplicate record detection - rule-based
  * - 'semantic': Logical/semantic issues - AI-based
  */
-export type ValidationIssueType = 'type' | 'format' | 'typo' | 'duplicate' | 'semantic';
+type ValidationIssueType = 'type' | 'format' | 'typo' | 'duplicate' | 'semantic';
 /**
  * Validation suggestion status.
  */
-export type ValidationSuggestionStatus = 'pending' | 'accepted' | 'rejected' | 'auto-applied';
+type ValidationSuggestionStatus = 'pending' | 'accepted' | 'rejected' | 'auto-applied';
 /**
  * A validation suggestion from the AI validation system.
  */
-export interface ValidationSuggestion {
+interface ValidationSuggestion {
     /** Unique identifier */
     id: string;
     /** Workspace slug */
@@ -1988,7 +2566,7 @@ export interface ValidationSuggestion {
 /**
  * Options for listing validation suggestions.
  */
-export interface ListValidationSuggestionsOptions {
+interface ListValidationSuggestionsOptions {
     /** Filter by structure slug (recordSlug) */
     structureSlug?: string;
     /** Filter by record ID */
@@ -2009,11 +2587,11 @@ export interface ListValidationSuggestionsOptions {
 /**
  * Batch scan status.
  */
-export type BatchScanStatus = 'queued' | 'pending' | 'processing' | 'completed' | 'failed';
+type BatchScanStatus = 'queued' | 'pending' | 'processing' | 'completed' | 'failed';
 /**
  * Result from triggering a batch validation scan.
  */
-export interface BatchScanResult {
+interface BatchScanResult {
     /** Unique batch identifier */
     batchId: string;
     /** Current status */
@@ -2034,14 +2612,14 @@ export interface BatchScanResult {
 /**
  * Options for triggering a batch scan.
  */
-export interface TriggerScanOptions {
+interface TriggerScanOptions {
     /** Validation types to run (defaults to structure config) */
     validationTypes?: ValidationIssueType[];
 }
 /**
  * Options for waiting for a scan to complete.
  */
-export interface WaitForScanOptions {
+interface WaitForScanOptions {
     /** Poll interval in milliseconds (default: 5000) */
     pollInterval?: number;
     /** Timeout in milliseconds (default: 300000 = 5 minutes) */
@@ -2050,7 +2628,7 @@ export interface WaitForScanOptions {
 /**
  * Summary of validation suggestions.
  */
-export interface ValidationSummary {
+interface ValidationSummary {
     /** Total suggestions */
     total: number;
     /** Pending suggestions */
@@ -2067,7 +2645,7 @@ export interface ValidationSummary {
 /**
  * Result from accepting a suggestion.
  */
-export interface AcceptSuggestionResult {
+interface AcceptSuggestionResult {
     /** The updated suggestion */
     suggestion: ValidationSuggestion;
     /** Whether the record was updated */
@@ -2078,38 +2656,20 @@ export interface AcceptSuggestionResult {
 /**
  * Result from bulk operations.
  */
-export interface BulkOperationResult {
+interface BulkOperationResult {
     /** Number of successful operations */
-    count: number;
-    /** Errors for failed operations */
-    errors?: Array<{
-        id: string;
-        error: string;
-    }>;
-    /** Status message */
-    message: string;
-}
-/**
- * Record event name constants — use these when constructing `events` on a
- * webhook subscription instead of hand-typing strings.
- *
- * @example
- * ```ts
- * await centrali.webhookSubscriptions.create({
- *   name: 'Order created',
- *   url: 'https://my-app.example.com/webhooks/centrali',
- *   events: [RecordEvents.CREATED, RecordEvents.UPDATED],
- * });
- * ```
- */
-export declare const RecordEvents: {
-    readonly CREATED: "record_created";
-    readonly UPDATED: "record_updated";
-    readonly DELETED: "record_deleted";
-    readonly BULK_CREATED: "records_bulk_created";
-};
-export type WebhookDeliveryStatus = 'success' | 'failed' | 'retrying';
-export interface WebhookSubscription {
+    count: number;
+    /** Errors for failed operations */
+    errors?: Array<{
+        id: string;
+        error: string;
+    }>;
+    /** Status message */
+    message: string;
+}
+
+type WebhookDeliveryStatus = 'success' | 'failed' | 'retrying';
+interface WebhookSubscription {
     id: string;
     name: string;
     url: string;
@@ -2133,7 +2693,7 @@ export interface WebhookSubscription {
  * Full webhook delivery record including request payload and response body.
  * Returned by `deliveries.get()`.
  */
-export interface WebhookDelivery {
+interface WebhookDelivery {
     id: string;
     webhookSubscriptionId: string;
     workspaceSlug: string;
@@ -2156,8 +2716,8 @@ export interface WebhookDelivery {
  * and `responseBody`. Fetch individual deliveries with `deliveries.get()` to get
  * the full payload and response body.
  */
-export type WebhookDeliverySummary = Omit<WebhookDelivery, 'requestPayload' | 'responseBody'>;
-export interface CreateWebhookSubscriptionInput {
+type WebhookDeliverySummary = Omit<WebhookDelivery, 'requestPayload' | 'responseBody'>;
+interface CreateWebhookSubscriptionInput {
     name: string;
     url: string;
     events: RecordEventType[];
@@ -2165,7 +2725,7 @@ export interface CreateWebhookSubscriptionInput {
     recordSlugs?: string[];
     active?: boolean;
 }
-export interface UpdateWebhookSubscriptionInput {
+interface UpdateWebhookSubscriptionInput {
     name?: string;
     url?: string;
     events?: RecordEventType[];
@@ -2177,7 +2737,7 @@ export interface UpdateWebhookSubscriptionInput {
     recordSlugs?: string[];
     active?: boolean;
 }
-export interface ListWebhookDeliveriesOptions {
+interface ListWebhookDeliveriesOptions {
     status?: WebhookDeliveryStatus;
     /** ISO 8601 datetime or Date — include deliveries created at or after this time. */
     since?: string | Date;
@@ -2192,36 +2752,59 @@ export interface ListWebhookDeliveriesOptions {
  * `ApiResponse` itself — so `result.data` is the array and `result.meta` is
  * this object.
  */
-export interface WebhookDeliveriesListMeta {
+interface WebhookDeliveriesListMeta {
     total: number;
     limit: number;
     offset: number;
 }
-export interface WebhookReplayResponse {
+interface WebhookReplayResponse {
     deliveryId: string;
     replayedFrom: string | null;
     status: WebhookDeliveryStatus;
 }
-export interface WebhookCancelResponse {
+interface WebhookCancelResponse {
     deliveryId: string;
     status: WebhookDeliveryStatus;
     lastError: string | null;
 }
+
 /**
- * Generate the API URL from the base URL by adding the 'api.' subdomain.
- * E.g., https://centrali.io -> https://api.centrali.io
+ * An allowed domain entry for compute function external calls.
  */
-export declare function getApiUrl(baseUrl: string): string;
+interface AllowedDomain {
+    id: string;
+    domain: string;
+    createdAt: string;
+    createdBy: string;
+}
 /**
- * Generate the auth server URL from the base URL.
- * E.g., https://centrali.io -> https://auth.centrali.io
+ * Response from listing allowed domains.
  */
-export declare function getAuthUrl(baseUrl: string): string;
+interface AllowedDomainsListResponse {
+    data: AllowedDomain[];
+    meta: {
+        total: number;
+    };
+}
 /**
- * Generate the realtime service URL from the base URL.
- * E.g., https://centrali.io -> https://api.centrali.io/realtime
+ * Options for adding an allowed domain.
+ */
+interface AddAllowedDomainOptions {
+    /** The domain to allow (e.g., 'api.example.com'). No protocol prefix. */
+    domain: string;
+}
+
+/**
+ * Internal configuration for realtime connections.
  */
-export declare function getRealtimeUrl(baseUrl: string): string;
+interface RealtimeConfig {
+    /** Maximum reconnection attempts (default: 10) */
+    maxReconnectAttempts: number;
+    /** Initial reconnect delay in ms (default: 1000) */
+    initialReconnectDelayMs: number;
+    /** Maximum reconnect delay in ms (default: 30000) */
+    maxReconnectDelayMs: number;
+}
 /**
  * RealtimeManager handles SSE connections to the Centrali Realtime Service.
  * Provides automatic reconnection with exponential backoff.
@@ -2238,7 +2821,7 @@ export declare function getRealtimeUrl(baseUrl: string): string;
  * // Later: sub.unsubscribe();
  * ```
  */
-export declare class RealtimeManager {
+declare class RealtimeManager {
     private baseUrl;
     private workspaceSlug;
     private getToken;
@@ -2258,251 +2841,8 @@ export declare class RealtimeManager {
      */
     subscribe(options: RealtimeSubscribeOptions): RealtimeSubscription;
 }
-/**
- * Retrieve an access token using the Client Credentials flow.
- */
-export declare function fetchClientToken(clientId: string, clientSecret: string, baseUrl: string): Promise<string>;
-/**
- * Generate Records API URL PATH.
- */
-export declare function getRecordApiPath(workspaceId: string, recordSlug: string, id?: string): string;
-/**
- * Generate File Upload API URL PATH.
- * @param workspaceId
- */
-export declare function getFileUploadApiPath(workspaceId: string): string;
-/**
- * Generate Function Triggers base API URL PATH.
- */
-export declare function getFunctionTriggersApiPath(workspaceId: string, triggerId?: string): string;
-/**
- * Generate Function Trigger execute API URL PATH.
- */
-export declare function getFunctionTriggerExecuteApiPath(workspaceId: string, triggerId: string): string;
-/**
- * Generate Function Trigger pause API URL PATH.
- */
-export declare function getFunctionTriggerPauseApiPath(workspaceId: string, triggerId: string): string;
-/**
- * Generate Function Trigger resume API URL PATH.
- */
-export declare function getFunctionTriggerResumeApiPath(workspaceId: string, triggerId: string): string;
-/**
- * Generate Endpoint trigger invocation API URL PATH.
- */
-export declare function getEndpointApiPath(workspaceId: string, path: string): string;
-/**
- * Generate Saved Queries base API URL PATH for workspace-level operations.
- *
- * Phase 4 (CEN-1198) of the query foundation moved the canonical mount from
- * `/smart-queries` to `/saved-queries`. The data service dual-mounts both for
- * the deprecation window; this helper emits the canonical path.
- */
-export declare function getSmartQueriesApiPath(workspaceId: string): string;
-/**
- * Generate Saved Queries API URL PATH for structure-level operations.
- */
-export declare function getSmartQueriesStructureApiPath(workspaceId: string, structureSlug: string, queryId?: string): string;
-/**
- * Generate Saved Query by name API URL PATH.
- */
-export declare function getSmartQueryByNameApiPath(workspaceId: string, structureSlug: string, name: string): string;
-/**
- * Generate Saved Query execute API URL PATH.
- */
-export declare function getSmartQueryExecuteApiPath(workspaceId: string, structureSlug: string, queryId: string): string;
-/**
- * Generate Search API URL PATH.
- */
-export declare function getSearchApiPath(workspaceId: string): string;
-/**
- * Generate Anomaly Insights base API URL PATH.
- */
-export declare function getAnomalyInsightsApiPath(workspaceId: string, insightId?: string): string;
-/**
- * Generate Anomaly Insights summary API URL PATH.
- */
-export declare function getAnomalyInsightsSummaryApiPath(workspaceId: string): string;
-/**
- * Generate Anomaly Insights acknowledge API URL PATH.
- */
-export declare function getAnomalyInsightAcknowledgeApiPath(workspaceId: string, insightId: string): string;
-/**
- * Generate Anomaly Insights dismiss API URL PATH.
- */
-export declare function getAnomalyInsightDismissApiPath(workspaceId: string, insightId: string): string;
-/**
- * Generate Anomaly Insights bulk acknowledge API URL PATH.
- */
-export declare function getAnomalyInsightsBulkAcknowledgeApiPath(workspaceId: string): string;
-/**
- * Generate Anomaly analysis trigger API URL PATH.
- */
-export declare function getAnomalyAnalysisTriggerApiPath(workspaceId: string): string;
-/**
- * Generate structure-scoped anomaly insights API URL PATH.
- */
-export declare function getStructureInsightsApiPath(workspaceId: string, structureSlug: string): string;
-/**
- * Generate Structures base API URL PATH.
- */
-export declare function getStructuresApiPath(workspaceId: string, structureId?: string): string;
-/**
- * Generate Structure by slug API URL PATH.
- */
-export declare function getStructureBySlugApiPath(workspaceId: string, recordSlug: string): string;
-/**
- * Generate Structure validate API URL PATH.
- */
-export declare function getStructureValidateApiPath(workspaceId: string): string;
-/**
- * Generate collection-scoped anomaly insights API URL PATH.
- */
-export declare function getCollectionInsightsApiPath(workspaceId: string, collectionSlug: string): string;
-/**
- * Generate Collections base API URL PATH.
- */
-export declare function getCollectionsApiPath(workspaceId: string, collectionId?: string): string;
-/**
- * Generate Collection by slug API URL PATH.
- */
-export declare function getCollectionBySlugApiPath(workspaceId: string, recordSlug: string): string;
-/**
- * Generate Collection validate API URL PATH.
- */
-export declare function getCollectionValidateApiPath(workspaceId: string): string;
-/**
- * Generate Compute Functions base API URL PATH.
- */
-export declare function getComputeFunctionsApiPath(workspaceId: string, functionId?: string): string;
-/**
- * Generate Compute Function test execution API URL PATH.
- */
-export declare function getComputeFunctionTestApiPath(workspaceId: string): string;
-/**
- * Generate Function Runs base API URL PATH.
- */
-export declare function getFunctionRunsApiPath(workspaceId: string, runId?: string): string;
-/**
- * Generate Function Runs by trigger API URL PATH.
- */
-export declare function getFunctionRunsByTriggerApiPath(workspaceId: string, triggerId: string): string;
-/**
- * Generate Function Runs by function API URL PATH.
- */
-export declare function getFunctionRunsByFunctionApiPath(workspaceId: string, functionId: string): string;
-/**
- * Generate Compute Job Status API URL PATH.
- */
-export declare function getComputeJobStatusApiPath(workspaceId: string, jobId: string): string;
-/**
- * Generate Saved Query test execution API URL PATH.
- */
-export declare function getSmartQueryTestApiPath(workspaceId: string, structureSlug: string): string;
-/**
- * Generate Validation suggestions base API URL PATH.
- */
-export declare function getValidationSuggestionsApiPath(workspaceId: string, suggestionId?: string): string;
-/**
- * Generate Validation suggestion accept API URL PATH.
- */
-export declare function getValidationSuggestionAcceptApiPath(workspaceId: string, suggestionId: string): string;
-/**
- * Generate Validation suggestion reject API URL PATH.
- */
-export declare function getValidationSuggestionRejectApiPath(workspaceId: string, suggestionId: string): string;
-/**
- * Generate Validation bulk accept API URL PATH.
- */
-export declare function getValidationBulkAcceptApiPath(workspaceId: string): string;
-/**
- * Generate Validation bulk reject API URL PATH.
- */
-export declare function getValidationBulkRejectApiPath(workspaceId: string): string;
-/**
- * Generate Validation summary API URL PATH.
- */
-export declare function getValidationSummaryApiPath(workspaceId: string): string;
-/**
- * Generate Validation record suggestions API URL PATH.
- */
-export declare function getValidationRecordSuggestionsApiPath(workspaceId: string, recordId: string): string;
-/**
- * Generate Validation structure pending count API URL PATH.
- */
-export declare function getValidationPendingCountApiPath(workspaceId: string, structureSlug: string): string;
-/**
- * Generate Validation batch scan API URL PATH (AI Service).
- * Note: This routes to the AI service, not the Data service.
- */
-export declare function getValidationScanApiPath(workspaceId: string, batchId?: string): string;
-/**
- * Generate Orchestrations API URL PATH.
- * Routes to the orchestration service.
- */
-export declare function getOrchestrationsApiPath(workspaceId: string, orchestrationId?: string): string;
-/**
- * Generate Orchestration Runs API URL PATH.
- */
-export declare function getOrchestrationRunsApiPath(workspaceId: string, orchestrationId: string, runId?: string): string;
-/**
- * Generate Orchestration Run Steps API URL PATH.
- */
-export declare function getOrchestrationRunStepsApiPath(workspaceId: string, orchestrationId: string, runId: string): string;
-/**
- * Generate Allowed Domains API URL PATH.
- */
-export declare function getAllowedDomainsApiPath(workspaceId: string, domainId?: string): string;
-/**
- * Generate Webhook Subscriptions API URL PATH.
- */
-export declare function getWebhookSubscriptionsApiPath(workspaceId: string, subscriptionId?: string): string;
-/**
- * Generate rotate-secret API URL PATH for a webhook subscription.
- */
-export declare function getWebhookSubscriptionRotateSecretApiPath(workspaceId: string, subscriptionId: string): string;
-/**
- * Generate deliveries API URL PATH scoped to a webhook subscription.
- */
-export declare function getWebhookSubscriptionDeliveriesApiPath(workspaceId: string, subscriptionId: string, deliveryId?: string): string;
-/**
- * Generate retry API URL PATH for a webhook delivery.
- * Retry is workspace-scoped (not nested under a subscription) — only the delivery ID is needed.
- */
-export declare function getWebhookDeliveryRetryApiPath(workspaceId: string, deliveryId: string): string;
-/**
- * Generate cancel API URL PATH for a webhook delivery retry.
- * Cancel is workspace-scoped — only the delivery ID is needed.
- */
-export declare function getWebhookDeliveryCancelApiPath(workspaceId: string, deliveryId: string): string;
-/**
- * OrchestrationsManager provides methods for managing orchestrations and triggering runs.
- * Access via `client.orchestrations`.
- *
- * Orchestrations are multi-step workflows that chain compute functions together
- * with conditional logic, delays, and decision branches.
- *
- * Usage:
- * ```ts
- * // List all orchestrations
- * const orchestrations = await client.orchestrations.list();
- *
- * // Get an orchestration by ID
- * const orch = await client.orchestrations.get('orch-id');
- *
- * // Trigger an on-demand orchestration
- * const run = await client.orchestrations.trigger('orch-id', {
- *   input: { orderId: '12345' }
- * });
- *
- * // Get run status
- * const runStatus = await client.orchestrations.getRun('orch-id', run.data.id);
- *
- * // List runs for an orchestration
- * const runs = await client.orchestrations.listRuns('orch-id');
- * ```
- */
-export declare class OrchestrationsManager {
+
+declare class OrchestrationsManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -2730,6 +3070,7 @@ export declare class OrchestrationsManager {
      */
     pause(orchestrationId: string): Promise<ApiResponse<Orchestration>>;
 }
+
 /**
  * TriggersManager provides methods for working with on-demand function triggers.
  * Access via `client.triggers`.
@@ -2754,7 +3095,7 @@ export declare class OrchestrationsManager {
  * const triggers = await client.triggers.list();
  * ```
  */
-export declare class TriggersManager {
+declare class TriggersManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -2982,6 +3323,7 @@ export declare class TriggersManager {
      */
     invokeEndpoint<T = any>(endpointPath: string, options?: InvokeEndpointOptions): Promise<ApiResponse<T>>;
 }
+
 /**
  * RecordsManager exposes the canonical query surface for records.
  *
@@ -3027,7 +3369,7 @@ export declare class TriggersManager {
  * const matches = await client.records.search<Order>('orders', 'urgent shipping');
  * ```
  */
-export declare class RecordsManager {
+declare class RecordsManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -3090,6 +3432,93 @@ export declare class RecordsManager {
         select?: SelectClause;
     }): Promise<QueryResult<T>>;
 }
+
+/**
+ * AuditLogManager exposes the canonical query surface for the audit log.
+ *
+ * Phase 3 of the query foundation (CEN-1214 epic). Workspace-service backed,
+ * not data-service — the audit log is a workspace concern. The shape mirrors
+ * `RecordsManager` so a caller writing audit-log queries uses the same
+ * vocabulary they already know from records.
+ *
+ * - {@link AuditLogManager.query | query} — full POST `/audit/query`. Use for
+ *   nested boolean trees, `select` projection, paging.
+ * - {@link AuditLogManager.test | test} — authoring dry-run against
+ *   `/audit/query/test`. Validates and plans without executing.
+ *
+ * Access via `client.auditLog`.
+ *
+ * @example
+ * ```ts
+ * // Per-resource history (canonical equivalent of legacy GET /audit/.../history).
+ * const history = await client.auditLog.query({
+ *   resource: 'audit-log',
+ *   where: {
+ *     and: [
+ *       { resourceType: { eq: 'structure' } },
+ *       { resourceId: { eq: 'r-123' } },
+ *     ],
+ *   },
+ *   sort: [{ field: 'createdAt', direction: 'desc' }],
+ *   page: { limit: 50 },
+ * });
+ *
+ * // Workspace-wide activity feed in a date range, projecting only the columns
+ * // the table needs (drops the heavy `changes` JSONB).
+ * const activity = await client.auditLog.query({
+ *   resource: 'audit-log',
+ *   where: {
+ *     and: [
+ *       { createdAt: { gte: '2026-04-01' } },
+ *       { createdAt: { lt: '2026-05-01' } },
+ *     ],
+ *   },
+ *   sort: [{ field: 'createdAt', direction: 'desc' }],
+ *   page: { limit: 100 },
+ *   select: { fields: ['type', 'resourceType', 'resourceId', 'actorId', 'summary', 'createdAt'] },
+ * });
+ * ```
+ */
+declare class AuditLogManager {
+    private requestFn;
+    private workspaceId;
+    constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
+    /**
+     * Run a canonical query against `POST /workspace/<ws>/api/v1/audit/query`.
+     *
+     * The body **is** a `QueryDefinition`. `resource` is forced to `"audit-log"`
+     * — the workspace executor rejects anything else. Returns the canonical
+     * `{ data, meta }` envelope.
+     *
+     * The `where` clause that pins both `resourceType.eq` and `resourceId.eq`
+     * uses `audit_logs:retrieve` server-side; everything else uses
+     * `audit_logs:list`. Retrieve-only roles can still query their own
+     * resource's history this way.
+     */
+    query<T = any>(definition: Omit<QueryDefinition, 'resource'> & {
+        resource?: string;
+    }): Promise<QueryResult<T>>;
+    /**
+     * Authoring-time dry-run against `POST /audit/query/test`.
+     *
+     * Same input shape as {@link AuditLogManager.query | query}. Returns a
+     * plan summary on success or structured `QueryError`s on failure, without
+     * executing the query. Use from query builders to surface precise errors
+     * before saving / running.
+     */
+    test(definition: Omit<QueryDefinition, 'resource'> & {
+        resource?: string;
+    }): Promise<{
+        ok: true;
+        plan: {
+            executor: string;
+            resource: string;
+            mode: string;
+            hasUnreadableField: boolean;
+        };
+    }>;
+}
+
 /**
  * SmartQueriesManager — reusable, parameterized saved queries. Access via
  * `client.savedQueries` (canonical) or `client.smartQueries` (deprecated alias).
@@ -3112,7 +3541,7 @@ export declare class RecordsManager {
  * const query = await client.savedQueries.getByName('employee', 'Active Employees');
  * ```
  */
-export declare class SmartQueriesManager {
+declare class SmartQueriesManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -3182,75 +3611,120 @@ export declare class SmartQueriesManager {
      */
     getByName(structureSlug: string, name: string): Promise<ApiResponse<SmartQuery>>;
     /**
-     * Execute a smart query and return results.
+     * Execute a saved query and return results.
      *
-     * Note: Pagination (limit/skip) is defined in the query definition itself,
-     * not at execution time.
+     * Pagination (`limit` / `offset`) is defined inside the persisted
+     * `queryDefinition`, not at execution time.
      *
-     * @param structureSlug - The structure's record slug
-     * @param queryId - The smart query UUID
+     * Variables in the query body use canonical `${var}` placeholders. Phase 4
+     * saved queries declare types for each placeholder via `variables` (see
+     * `get()`); the server validates each value against the declared type by
+     * JS `typeof` (no coercion — `"123"` is rejected for `number`). Legacy
+     * untyped rows accept the same `variables` map but stringify each value
+     * before substitution.
+     *
+     * @param structureSlug - The collection's record slug
+     * @param queryId - The saved query UUID
      * @param options - Optional execution options including variables
      * @returns Query results
      *
      * @example
      * ```ts
      * // Simple execution without variables
-     * const results = await client.smartQueries.execute('employee', 'query-uuid');
+     * const results = await client.savedQueries.execute('employee', 'query-uuid');
      * console.log('Found:', results.data.length, 'records');
      *
      * // Execution with variables
-     * // Query definition: { where: { status: { $eq: "{{statusFilter}}" } } }
-     * const filtered = await client.smartQueries.execute('orders', 'query-id', {
+     * // Query definition: { where: { status: { eq: "${statusFilter}" } } }
+     * const filtered = await client.savedQueries.execute('orders', 'query-id', {
      *   variables: { statusFilter: 'active' }
      * });
      *
      * // Accessing joined data (nested under _joined)
      * // Query with join: { join: { foreignSlug: "products", ... } }
-     * const items = await client.smartQueries.execute('order-items', 'items-with-products');
+     * const items = await client.savedQueries.execute('order-items', 'items-with-products');
      * items.data.forEach(item => {
      *   console.log('Item:', item.name);
      *   console.log('Product:', item._joined?.products?.title);
      * });
      * ```
      */
-    execute<T = any>(structureSlug: string, queryId: string, options?: ExecuteSmartQueryOptions): Promise<ApiResponse<T[]>>;
+    execute<T = any>(_structureSlug: string, queryId: string, options?: ExecuteSmartQueryOptions): Promise<ApiResponse<T[]>>;
     /**
-     * Create a new smart query for a structure.
+     * Type-safe variant of {@link execute}. The caller passes a generic
+     * `TVars` type that describes the saved query's parameter shape, and the
+     * compiler enforces that every required key is provided with the right
+     * scalar type.
      *
-     * @param structureSlug - The structure's record slug
-     * @param input - The smart query definition
-     * @returns The created smart query
+     * Use this when the saved query declares typed `variables` (Phase 4) and
+     * the caller has — or can derive — a TypeScript type for the parameter
+     * map. For untyped callers, prefer {@link execute}.
+     *
+     * @example
+     * ```ts
+     * type MonthlyRevenueVars = { month: Date; region: string };
+     *
+     * const rows = await client.savedQueries.executeTyped<MonthlyRevenueVars>(
+     *   'orders',
+     *   'monthly-revenue',
+     *   { month: new Date('2026-04-01'), region: 'us-east' },
+     * );
+     *
+     * // Compile error — missing required key:
+     * // await client.savedQueries.executeTyped<MonthlyRevenueVars>('orders', 'monthly-revenue', { region: 'us-east' });
+     * ```
+     */
+    executeTyped<TVars extends object, TRow = any>(structureSlug: string, queryId: string, values: TVars): Promise<ApiResponse<TRow[]>>;
+    /**
+     * Create a new saved query.
+     *
+     * Routing: when `input.query` (canonical `QueryDefinition`) is provided
+     * the SDK calls the canonical `POST /saved-queries` endpoint, which
+     * accepts typed `variables` declarations and `${var}` placeholders. When
+     * only legacy `input.queryDefinition` is provided the SDK falls back to
+     * the slug-based legacy endpoint.
+     *
+     * @param structureSlug - The collection's record slug. Required for the
+     *   legacy path; on the canonical path the resource is read from
+     *   `query.resource` and this slug is currently ignored on the wire.
+     * @param input - Canonical (`query`) or legacy (`queryDefinition`) body.
+     * @returns The created saved query.
      *
      * @example
      * ```ts
-     * const query = await client.smartQueries.create('orders', {
+     * // Canonical (Phase 4) — typed parameters + canonical operators
+     * const query = await client.savedQueries.create('orders', {
      *   name: 'Active Orders',
      *   description: 'All orders with active status',
-     *   queryDefinition: {
-     *     where: { status: { $eq: 'active' } },
+     *   query: {
+     *     resource: 'orders',
+     *     where: { 'data.status': { eq: '${statusFilter}' } },
      *     sort: [{ field: 'createdAt', direction: 'desc' }],
-     *     limit: 100
-     *   }
+     *     page: { limit: 100 },
+     *   },
+     *   variables: {
+     *     statusFilter: { type: 'string', required: true },
+     *   },
      * });
      * ```
      */
     create(structureSlug: string, input: CreateSmartQueryInput): Promise<ApiResponse<SmartQuery>>;
     /**
-     * Update an existing smart query.
+     * Update an existing saved query.
      *
-     * @param structureSlug - The structure's record slug
-     * @param queryId - The smart query UUID
-     * @param input - The fields to update
-     * @returns The updated smart query
+     * Routing: when `input.query` is provided the SDK calls canonical
+     * `PUT /saved-queries/:id`; otherwise it falls back to the legacy
+     * slug-based PUT.
      *
      * @example
      * ```ts
-     * const updated = await client.smartQueries.update('orders', 'query-uuid', {
+     * const updated = await client.savedQueries.update('orders', 'query-uuid', {
      *   name: 'Active Orders v2',
-     *   queryDefinition: {
-     *     where: { status: { $in: ['active', 'processing'] } },
-     *     limit: 200
-     *   }
+     *   query: {
+     *     resource: 'orders',
+     *     where: { 'data.status': { in: ['active', 'processing'] } },
+     *     page: { limit: 200 },
+     *   },
      * });
      * ```
      */
@@ -3268,27 +3742,33 @@ export declare class SmartQueriesManager {
      */
     delete(structureSlug: string, queryId: string): Promise<ApiResponse<void>>;
     /**
-     * Test execute a query definition without saving it.
-     * Useful for validating query syntax and previewing results before creating.
+     * Test-execute a query definition without saving it. Useful for
+     * validating syntax, previewing results, and dry-running a draft's
+     * typed `variableDeclarations` against runtime `variables`.
      *
-     * @param structureSlug - The structure's record slug
-     * @param input - The query definition to test and optional variables
-     * @returns Test execution results
+     * Routing: when `input.query` (canonical) is provided the SDK calls
+     * `POST /saved-queries/test`; otherwise it falls back to the legacy
+     * slug-based test endpoint.
      *
      * @example
      * ```ts
-     * const result = await client.smartQueries.test('orders', {
-     *   queryDefinition: {
-     *     where: { amount: { $gte: 100 } },
-     *     select: ['id', 'amount', 'status'],
-     *     limit: 5
-     *   }
+     * // Canonical (Phase 4) — typed variable declarations dry-run
+     * const result = await client.savedQueries.test('orders', {
+     *   query: {
+     *     resource: 'orders',
+     *     where: { 'data.amount': { gte: '${minTotal}' } },
+     *     page: { limit: 5 },
+     *   },
+     *   variableDeclarations: {
+     *     minTotal: { type: 'number', required: true },
+     *   },
+     *   variables: { minTotal: 100 },
      * });
-     * console.log('Preview results:', result.data);
      * ```
      */
     test<T = any>(structureSlug: string, input: TestSmartQueryInput): Promise<ApiResponse<T[]>>;
 }
+
 /**
  * AnomalyInsightsManager provides methods for querying and managing AI-generated anomaly insights.
  * Access via `client.anomalyInsights`.
@@ -3311,7 +3791,7 @@ export declare class SmartQueriesManager {
  * await client.anomalyInsights.dismiss('insight-id');
  * ```
  */
-export declare class AnomalyInsightsManager {
+declare class AnomalyInsightsManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -3438,6 +3918,7 @@ export declare class AnomalyInsightsManager {
      */
     triggerAnalysis(structureSlug: string): Promise<ApiResponse<AnomalyAnalysisResult>>;
 }
+
 /**
  * ValidationManager provides methods for AI-powered data quality validation.
  * Access via `client.validation`.
@@ -3468,7 +3949,7 @@ export declare class AnomalyInsightsManager {
  * await client.validation.bulkAccept(highConfidence.map(s => s.id));
  * ```
  */
-export declare class ValidationManager {
+declare class ValidationManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -3619,6 +4100,7 @@ export declare class ValidationManager {
         pendingCount: number;
     }>>;
 }
+
 /**
  * AllowedDomainsManager provides methods for managing allowed domains for compute function external calls.
  * Access via `client.allowedDomains`.
@@ -3635,7 +4117,7 @@ export declare class ValidationManager {
  * await client.allowedDomains.remove('domain-id');
  * ```
  */
-export declare class AllowedDomainsManager {
+declare class AllowedDomainsManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -3677,6 +4159,7 @@ export declare class AllowedDomainsManager {
      */
     remove(domainId: string): Promise<ApiResponse<void>>;
 }
+
 /**
  * StructuresManager provides methods for managing data structures (schemas).
  * Structures define the shape of records including properties, validation rules,
@@ -3702,7 +4185,7 @@ export declare class AllowedDomainsManager {
  * const validation = await client.structures.validate({ slug: 'orders' });
  * ```
  */
-export declare class StructuresManager {
+declare class StructuresManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -3816,6 +4299,7 @@ export declare class StructuresManager {
      */
     validate(input: ValidateStructureInput): Promise<ApiResponse<any>>;
 }
+
 /**
  * CollectionsManager provides methods for managing data collections (schemas).
  * Collections define the shape of records including properties, validation rules,
@@ -3841,7 +4325,7 @@ export declare class StructuresManager {
  * const validation = await client.collections.validate({ recordSlug: 'orders' });
  * ```
  */
-export declare class CollectionsManager {
+declare class CollectionsManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -3955,6 +4439,7 @@ export declare class CollectionsManager {
      */
     validate(input: ValidateStructureInput): Promise<ApiResponse<any>>;
 }
+
 /**
  * ComputeFunctionsManager provides methods for managing compute functions.
  * Compute functions are JavaScript code blocks that can be executed on triggers,
@@ -3979,7 +4464,7 @@ export declare class CollectionsManager {
  * });
  * ```
  */
-export declare class ComputeFunctionsManager {
+declare class ComputeFunctionsManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -4072,15 +4557,25 @@ export declare class ComputeFunctionsManager {
      */
     testExecute(input: TestComputeFunctionInput): Promise<ApiResponse<TestComputeFunctionResult>>;
 }
+
 /**
  * Manager for querying function execution runs.
  *
  * Provides read access to function run history — useful for checking
  * whether jobs completed, inspecting outputs, and monitoring trigger activity.
  *
- * Access via `client.runs`.
+ * - {@link FunctionRunsManager.query | query} — canonical `POST /function-runs/query`
+ *   (CEN-1216). Use for nested boolean trees, `select` projection, paging.
+ * - {@link FunctionRunsManager.test | test} — authoring dry-run against
+ *   `/function-runs/query/test`. Validates and plans without executing.
+ * - {@link FunctionRunsManager.listByTrigger | listByTrigger} /
+ *   {@link FunctionRunsManager.listByFunction | listByFunction} — legacy GET
+ *   surfaces, retained for back-compat. Prefer `query()` for new code.
+ *
+ * Access via `client.functionRuns` (canonical, CEN-1227). The legacy
+ * `client.runs` accessor remains as a deprecated alias.
  */
-export declare class FunctionRunsManager {
+declare class FunctionRunsManager {
     private requestFn;
     private workspaceId;
     constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
@@ -4092,7 +4587,7 @@ export declare class FunctionRunsManager {
      *
      * @example
      * ```ts
-     * const run = await client.runs.get('run-uuid');
+     * const run = await client.functionRuns.get('run-uuid');
      * console.log('Status:', run.data.status);
      * console.log('Duration:', run.data.endedAt ? Date.parse(run.data.endedAt) - Date.parse(run.data.startedAt) : 'still running');
      * ```
@@ -4108,10 +4603,10 @@ export declare class FunctionRunsManager {
      * @example
      * ```ts
      * // List recent runs for a trigger
-     * const runs = await client.runs.listByTrigger('trigger-uuid');
+     * const runs = await client.functionRuns.listByTrigger('trigger-uuid');
      *
      * // Filter to only failed runs
-     * const failed = await client.runs.listByTrigger('trigger-uuid', {
+     * const failed = await client.functionRuns.listByTrigger('trigger-uuid', {
      *   status: 'failure'
      * });
      * ```
@@ -4127,10 +4622,10 @@ export declare class FunctionRunsManager {
      * @example
      * ```ts
      * // List recent runs for a function
-     * const runs = await client.runs.listByFunction('function-uuid');
+     * const runs = await client.functionRuns.listByFunction('function-uuid');
      *
      * // Only completed runs, page 2
-     * const completed = await client.runs.listByFunction('function-uuid', {
+     * const completed = await client.functionRuns.listByFunction('function-uuid', {
      *   status: 'completed',
      *   page: 2
      * });
@@ -4155,7 +4650,7 @@ export declare class FunctionRunsManager {
      * let job;
      * do {
      *   await new Promise(r => setTimeout(r, 1000));
-     *   job = await client.runs.getJobStatus(jobId);
+     *   job = await client.functionRuns.getJobStatus(jobId);
      * } while (job.data.status === 'queued' || job.data.status === 'running');
      *
      * if (job.data.status === 'completed') {
@@ -4166,7 +4661,338 @@ export declare class FunctionRunsManager {
      * ```
      */
     getJobStatus(jobId: string): Promise<ApiResponse<ComputeJobStatusResponse>>;
+    /**
+     * Run a canonical query against `POST /workspace/<ws>/api/v1/function-runs/query`.
+     *
+     * Phase 3 of the query foundation (CEN-1216). The body **is** a
+     * `QueryDefinition`. `resource` is forced to `"function-runs"` — the
+     * data-service executor rejects anything else. Returns the canonical
+     * `{ data, meta }` envelope.
+     *
+     * Queryable fields are the fixed-schema columns: `id`, `functionId`,
+     * `triggerId`, `status`, `startedAt`, `endedAt`, `executionSource`,
+     * `errorCode`, `errorMessage`, etc. The `runData` and `executionContext`
+     * JSONB columns are intentionally not queryable — fetch a specific run
+     * via `client.functionRuns.get(runId)` if you need its payload.
+     *
+     * The `where` clause that pins `functionId.eq` or `triggerId.eq` (in a
+     * pure AND-of-scalar-eq shape) uses `function_runs:retrieve` server-side;
+     * everything else uses `function_runs:list`. Retrieve-only roles can
+     * still query a specific function or trigger's run history this way.
+     *
+     * @example
+     * ```ts
+     * // Recent failures for a function
+     * const failures = await client.functionRuns.query({
+     *   resource: 'function-runs',
+     *   where: {
+     *     and: [
+     *       { functionId: { eq: 'fn-123' } },
+     *       { status: { eq: 'failure' } },
+     *     ],
+     *   },
+     *   sort: [{ field: 'startedAt', direction: 'desc' }],
+     *   page: { limit: 50 },
+     * });
+     *
+     * // Workspace-wide run activity in a date window with field projection
+     * const activity = await client.functionRuns.query({
+     *   resource: 'function-runs',
+     *   where: {
+     *     and: [
+     *       { startedAt: { gte: '2026-04-01' } },
+     *       { startedAt: { lt: '2026-05-01' } },
+     *     ],
+     *   },
+     *   sort: [{ field: 'startedAt', direction: 'desc' }],
+     *   page: { limit: 100 },
+     *   select: { fields: ['id', 'functionId', 'status', 'startedAt', 'endedAt', 'errorCode'] },
+     * });
+     * ```
+     */
+    query<T = FunctionRun>(definition: Omit<QueryDefinition, 'resource'> & {
+        resource?: string;
+    }): Promise<QueryResult<T>>;
+    /**
+     * Authoring-time dry-run against `POST /function-runs/query/test`.
+     *
+     * Same input shape as {@link FunctionRunsManager.query | query}. Returns
+     * a plan summary on success or structured `QueryError`s on failure,
+     * without executing the query. Use from query builders to surface precise
+     * errors before saving / running.
+     */
+    test(definition: Omit<QueryDefinition, 'resource'> & {
+        resource?: string;
+    }): Promise<{
+        ok: true;
+        plan: {
+            executor: string;
+            resource: string;
+            mode: string;
+            hasUnreadableField: boolean;
+        };
+    }>;
+}
+
+/**
+ * OrchestrationRunsManager — canonical query surface for orchestration runs
+ * (CEN-1217 / Phase 3 of the query foundation).
+ *
+ * Available methods:
+ * - {@link OrchestrationRunsManager.query | query} — canonical
+ *   `POST /orchestration-runs/query`. Use for nested boolean trees, `select`
+ *   projection, paging.
+ * - {@link OrchestrationRunsManager.test | test} — authoring dry-run against
+ *   `/orchestration-runs/query/test`. Validates and plans without executing.
+ *
+ * Per-orchestration trigger / list / get-by-id helpers stay on
+ * `client.orchestrations.{trigger, listRuns, getRun, getRunSteps}` — those
+ * back the legacy nested `/orchestrations/{id}/runs` routes (which now emit a
+ * Deprecation header pointing here for the list shape).
+ *
+ * Access via `client.orchestrationRuns`.
+ */
+declare class OrchestrationRunsManager {
+    private requestFn;
+    private workspaceId;
+    constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
+    /**
+     * Run a canonical query against `POST /workspace/<ws>/api/v1/orchestration-runs/query`.
+     *
+     * The body **is** a `QueryDefinition`. `resource` is forced to
+     * `"orchestration-runs"` — the orchestration-service executor rejects
+     * anything else. Returns the canonical `{ data, meta }` envelope.
+     *
+     * Queryable fields are the fixed-schema columns: `id`, `orchestrationId`,
+     * `orchestrationVersion`, `status`, `currentStepId`, `correlationId`,
+     * `triggerType`, `hasErrors`, `delayStepCount`, `loopIterationCount`,
+     * `failureReason`, `startedAt`, `completedAt`, `ttlExpiresAt`. The JSONB
+     * columns (`input`, `context`, `stepOutputs`, `triggerMetadata`,
+     * `activeLoop`) are intentionally not queryable —
+     * fetch a specific run via
+     * `client.orchestrations.getRun(orchestrationId, runId, true)` if you need
+     * its payload and step history.
+     *
+     * The `where` clause that pins `orchestrationId.eq` or `id.eq` (in a pure
+     * AND-of-scalar-eq shape) uses `orchestrations:retrieve` server-side;
+     * everything else uses `orchestrations:list`. Retrieve-only roles can
+     * still query a specific orchestration's run history this way.
+     *
+     * @example
+     * ```ts
+     * // Recent failed runs for a specific orchestration
+     * const failures = await client.orchestrationRuns.query({
+     *   resource: 'orchestration-runs',
+     *   where: {
+     *     and: [
+     *       { orchestrationId: { eq: 'orch-123' } },
+     *       { status: { eq: 'failed' } },
+     *     ],
+     *   },
+     *   sort: [{ field: 'startedAt', direction: 'desc' }],
+     *   page: { limit: 50 },
+     * });
+     *
+     * // Workspace-wide run activity in a date window with field projection
+     * const activity = await client.orchestrationRuns.query({
+     *   resource: 'orchestration-runs',
+     *   where: {
+     *     and: [
+     *       { startedAt: { gte: '2026-04-01' } },
+     *       { startedAt: { lt: '2026-05-01' } },
+     *     ],
+     *   },
+     *   sort: [{ field: 'startedAt', direction: 'desc' }],
+     *   page: { limit: 100 },
+     *   select: { fields: ['id', 'orchestrationId', 'status', 'startedAt', 'completedAt', 'hasErrors'] },
+     * });
+     * ```
+     */
+    query<T = OrchestrationRun>(definition: Omit<QueryDefinition, 'resource'> & {
+        resource?: string;
+    }): Promise<QueryResult<T>>;
+    /**
+     * Authoring-time dry-run against `POST /orchestration-runs/query/test`.
+     *
+     * Same input shape as {@link OrchestrationRunsManager.query | query}.
+     * Returns a plan summary on success or structured `QueryError`s on
+     * failure, without executing the query. Use from query builders to
+     * surface precise errors before saving / running.
+     */
+    test(definition: Omit<QueryDefinition, 'resource'> & {
+        resource?: string;
+    }): Promise<{
+        ok: true;
+        plan: {
+            executor: string;
+            resource: string;
+            mode: string;
+            hasUnreadableField: boolean;
+        };
+    }>;
+}
+
+/**
+ * Canonical shape returned by `client.files.query()`. Mirrors the
+ * `filesquery` executor's canonical projection in the storage service —
+ * camelCase keys, snake_case never leaks. The truly internal blob-routing
+ * attributes (`storageAddress`, `uniqueName`) are intentionally not on
+ * the canonical surface. `renderId` IS exposed so callers can pass it to
+ * {@link CentraliCli.getFileRenderUrl} / {@link CentraliCli.getFileDownloadUrl}
+ * after discovering files via query.
+ *
+ * Optional fields are absent when unset on the row OR when not requested
+ * via `select.fields`.
+ */
+interface FileMetadata {
+    /** UUID. Always present. */
+    id: string;
+    /** Original filename. */
+    name?: string;
+    /** Absolute storage path (e.g. `/root/shared/logo.png`). */
+    path?: string;
+    /** Parent folder display path. */
+    location?: string;
+    /** Workspace slug — pinned by the executor. */
+    workspaceSlug?: string;
+    /**
+     * Render token. Pass to {@link CentraliCli.getFileRenderUrl} to display
+     * a file inline (e.g. images), or {@link CentraliCli.getFileDownloadUrl}
+     * for an attachment-style download link.
+     */
+    renderId?: string;
+    /** MIME type (e.g. `image/png`). */
+    contentType?: string;
+    /** High-level file kind (image, video, document, …). */
+    fileType?: string;
+    /** Byte size. */
+    size?: number;
+    /** Parent folder UUID; null/absent for files at the root. */
+    folderId?: string | null;
+    /** User ID of the uploader. */
+    createdBy?: string;
+    /** ISO timestamp. */
+    createdAt?: string;
+    /** ISO timestamp. */
+    updatedAt?: string;
+    /** Whether the file is publicly accessible without auth. */
+    isPublic?: boolean;
+    /** Structure slug when this file is attached to a record (otherwise null). */
+    recordSlug?: string | null;
+    /** Authorization context: `general`, `record`, `avatar`, `support`, … */
+    fileContext?: string;
+    /** Soft-delete timestamp (null when active). */
+    deletedAt?: string | null;
+    /** Tags array; supports `hasAny` / `hasAll` operators in queries. */
+    tags?: string[];
+    /** Media duration in seconds (audio/video only). */
+    duration?: number | null;
+    /** Pixel width (image/video). */
+    width?: number | null;
+    /** Pixel height (image/video). */
+    height?: number | null;
+    /** Primary codec (e.g. `opus`, `h264`). */
+    codec?: string | null;
+    /** Bitrate in bits per second. */
+    bitrate?: number | null;
+}
+/**
+ * FilesManager exposes the canonical files query surface (CEN-1218,
+ * Phase 3 of the Query Foundation). Mirrors `client.orchestrationRuns`
+ * and `client.functionRuns`: a thin wrapper over
+ * `POST /files/query` and `/query/test`.
+ *
+ * Existing helpers (`client.uploadFile`, `client.getFileRenderUrl`,
+ * `client.createFolder`, …) stay where they are — those are workflow
+ * helpers, not query primitives.
+ *
+ * Access via `client.files`.
+ */
+declare class FilesManager {
+    private requestFn;
+    private workspaceId;
+    constructor(workspaceId: string, requestFn: <T>(method: Method, path: string, data?: any, queryParams?: Record<string, any>) => Promise<ApiResponse<T>>);
+    /**
+     * Run a canonical query against `POST /storage/ws/<ws>/api/v1/files/query`.
+     *
+     * The body **is** a `QueryDefinition`. `resource` is forced to
+     * `"files"` — the storage executor rejects anything else. Returns the
+     * canonical `{ data, meta }` envelope.
+     *
+     * Queryable fields (canonical camelCase): `id`, `name`, `path`,
+     * `location`, `renderId`, `contentType`, `fileType`, `size`,
+     * `folderId`, `createdBy`, `createdAt`, `updatedAt`, `isPublic`,
+     * `recordSlug`, `fileContext`, `deletedAt`, `tags`, `duration`,
+     * `width`, `height`, `codec`, `bitrate`. Internal blob-routing
+     * columns (`storageAddress`, `uniqueName`) are intentionally not
+     * exposed.
+     *
+     * `tags` is a varchar array column — `hasAny` (overlap) and `hasAll`
+     * (contains) work; range operators don't.
+     *
+     * Authorization: a `where` that pins `id.eq` (in a flat AND-of-scalar-eq
+     * shape) routes through file-context-aware ABAC server-side, including
+     * record-backed files (`records:retrieve`) and path-keyed user / avatar
+     * / support policies. Non-scoped queries use `files:list`.
+     *
+     * @example
+     * ```ts
+     * // Recent images uploaded in the last 7 days
+     * const recent = await client.files.query({
+     *   resource: 'files',
+     *   where: {
+     *     and: [
+     *       { fileType: { eq: 'image' } },
+     *       { createdAt: { gte: '2026-04-24T00:00:00Z' } },
+     *     ],
+     *   },
+     *   sort: [{ field: 'createdAt', direction: 'desc' }],
+     *   page: { limit: 50 },
+     * });
+     *
+     * // Files in a folder, narrowed projection for a list UI
+     * const items = await client.files.query({
+     *   resource: 'files',
+     *   where: { folderId: { eq: 'folder-uuid' } },
+     *   select: { fields: ['name', 'contentType', 'size', 'createdAt'] },
+     *   page: { limit: 100 },
+     * });
+     *
+     * // Files tagged "draft" or "review"
+     * const drafts = await client.files.query({
+     *   resource: 'files',
+     *   where: { tags: { hasAny: ['draft', 'review'] } },
+     * });
+     * ```
+     */
+    query<T = FileMetadata>(definition: Omit<QueryDefinition, 'resource'> & {
+        resource?: string;
+    }): Promise<QueryResult<T>>;
+    /**
+     * Authoring-time dry-run against `POST /files/query/test`.
+     *
+     * Same input shape as {@link FilesManager.query | query}. Returns a
+     * plan summary on success or structured `QueryError`s on failure,
+     * without executing the query. Use from query builders to surface
+     * precise errors before saving / running.
+     *
+     * The `/query/test` response is `{ ok, plan }` (NOT a `{ data }`
+     * envelope), so we return `resp.data` to unwrap the request layer's
+     * coercion — same convention as `client.orchestrationRuns.test`.
+     */
+    test(definition: Omit<QueryDefinition, 'resource'> & {
+        resource?: string;
+    }): Promise<{
+        ok: true;
+        plan: {
+            executor: string;
+            resource: string;
+            mode: string;
+            hasUnreadableField: boolean;
+        };
+    }>;
 }
+
 /**
  * WebhookSubscriptionsManager provides methods for managing outbound webhook
  * subscriptions and inspecting delivery history. Access via
@@ -4200,7 +5026,7 @@ export declare class FunctionRunsManager {
  * await centrali.webhookSubscriptions.deliveries.retry(deliveryId);
  * ```
  */
-export declare class WebhookSubscriptionsManager {
+declare class WebhookSubscriptionsManager {
     private requestFn;
     private workspaceId;
     /**
@@ -4279,16 +5105,116 @@ export declare class WebhookSubscriptionsManager {
      */
     rotateSecret(subscriptionId: string): Promise<ApiResponse<WebhookSubscription>>;
 }
+
+/** Mirror of `@centrali/query`'s `ValidateOptions`. */
+type QueryValidateOptions = {
+    rejectReservedClauses?: boolean;
+    reservedClauses?: readonly (keyof QueryDefinition)[];
+};
+/** Mirror of `@centrali/query`'s `LegacyTranslateWarning`. */
+type LegacyTranslateWarning = {
+    kind: 'regex_translated' | 'operator_renamed' | 'variable_syntax_canonicalized' | 'operator_dropped';
+    path: string;
+    from: string;
+    to?: string;
+};
+/** Mirror of `@centrali/query`'s `LegacyTranslateResult`. */
+type LegacyTranslateResult = {
+    query: QueryDefinition;
+    warnings: LegacyTranslateWarning[];
+};
+/** Mirror of `@centrali/query`'s `LegacyTranslateOptions`. */
+type LegacyTranslateOptions = {
+    resource?: string;
+    dataProperties?: ReadonlySet<string>;
+};
+/** Mirror of `@centrali/query`'s `ParsedUrlQuery`. */
+type ParsedUrlQuery = {
+    query: QueryDefinition;
+    searchTerm?: string;
+};
+/** Mirror of `@centrali/query`'s `UrlParserOptions`. */
+type UrlParserOptions = {
+    resource: string;
+    filterableFields?: readonly string[];
+    defaultLimit?: number;
+    maxLimit?: number;
+};
+/** Mirror of `@centrali/query`'s `QueryHttpErrorCode`. */
+type QueryHttpErrorCode = 'UNSUPPORTED_CLAUSE' | 'UNSUPPORTED_OPERATOR' | 'UNSUPPORTED_LEGACY_OPERATOR' | 'UNREADABLE_FIELD' | 'INVALID_QUERY' | 'LEGACY_WRITE_UNSUPPORTED' | 'UNKNOWN_VARIABLE' | 'VARIABLE_TYPE_MISMATCH' | 'MISSING_REQUIRED_VARIABLE' | 'EXTRA_VARIABLE' | 'JOINS_LENGTH_EXCEEDED' | 'UNSUPPORTED_COMBINATION' | 'DUPLICATE_JOIN_ALIAS';
+/** Mirror of `@centrali/query`'s `QueryHttpError`. */
+type QueryHttpError = {
+    status: number;
+    code: QueryHttpErrorCode;
+    message: string;
+    errors: QueryError[];
+};
 /**
- * Main Centrali SDK client.
+ * QueryManager exposes the canonical query primitives bundled into the SDK.
+ *
+ * The same source that runs server-side (`@centrali/query`) is bundled into
+ * the SDK artifact, so callers can validate a `QueryDefinition` locally and
+ * skip a roundtrip when the body is malformed. Output is byte-for-byte
+ * identical to the server's validator.
+ *
+ * Access via `client.query`.
+ *
+ * @example
+ * ```ts
+ * const result = client.query.validate({
+ *   resource: 'orders',
+ *   where: { 'data.status': { eq: 'open' } },
+ *   page: { limit: 50 },
+ * });
+ * if (!result.ok) {
+ *   for (const err of result.errors) console.log(err.code, err.path, err.message);
+ * }
+ *
+ * // Migrate a legacy saved-query body to canonical
+ * const t = client.query.translateLegacy({ collection: 'orders', limit: 25 });
+ * if (t.ok) console.log(t.value.query, t.value.warnings);
+ * ```
  */
-export declare class CentraliSDK {
+declare class QueryManager {
+    /**
+     * Validate a canonical `QueryDefinition` locally. Returns the same
+     * `ValidationResult` shape the server returns — `ok: true` plus the
+     * narrowed value, or `ok: false` plus the error list.
+     */
+    validate(definition: unknown, options?: QueryValidateOptions): ValidationResult<QueryDefinition>;
+    /**
+     * Translate a legacy query body (`{ collection, $eq, ... }`) into a
+     * canonical `QueryDefinition`. Useful for migration tooling and for
+     * smart-query authors carrying older bodies forward.
+     *
+     * Returns translation warnings alongside the canonical query so callers
+     * can surface "this used to be a regex / dropped operator" notes.
+     */
+    translateLegacy(legacyBody: unknown, options?: LegacyTranslateOptions): ValidationResult<LegacyTranslateResult>;
+    /**
+     * Parse a URL-style flat query (`?status=paid&sort=-createdAt&limit=10`)
+     * into a canonical `QueryDefinition` slice. Mirrors the server-side
+     * GET-adapter so SDK consumers can pre-build canonical bodies from
+     * search-page URL state without a roundtrip.
+     */
+    parseUrl(params: Record<string, unknown>, options: UrlParserOptions): ValidationResult<ParsedUrlQuery>;
+    /**
+     * Aggregate one or more `QueryError`s into the same `{ status, code,
+     * message, errors }` shape the server emits. Use to convert a
+     * validation failure into a thrown `CentraliError` matching the wire
+     * format.
+     */
+    errorsToHttp(errors: QueryError[]): QueryHttpError;
+}
+
+declare class CentraliSDK {
     private axios;
     private token;
     private options;
     private _realtime;
     private _triggers;
     private _records;
+    private _auditLog;
     private _smartQueries;
     private _queryRecordsLegacyWarned;
     private _anomalyInsights;
@@ -4299,7 +5225,10 @@ export declare class CentraliSDK {
     private _collections;
     private _functions;
     private _runs;
+    private _orchestrationRuns;
+    private _files;
     private _webhookSubscriptions;
+    private _query;
     private isRefreshingToken;
     private tokenRefreshPromise;
     constructor(options: CentraliSDKOptions);
@@ -4386,6 +5315,45 @@ export declare class CentraliSDK {
      * ```
      */
     get records(): RecordsManager;
+    /**
+     * Query namespace — canonical query primitives bundled into the SDK
+     * (CEN-1202). Validate, translate-from-legacy, and parse URL-style
+     * queries locally without a server roundtrip. Same source as the
+     * server-side validator, so behavior matches byte-for-byte.
+     *
+     * @example
+     * ```ts
+     * const r = client.query.validate({ resource: 'orders', page: { limit: 50 } });
+     * if (!r.ok) console.error(r.errors);
+     * ```
+     */
+    get query(): QueryManager;
+    /**
+     * Audit Log namespace — canonical query surface for the workspace audit
+     * log (CEN-1215, Phase 3 of the query foundation).
+     *
+     * Routes through `POST /workspace/<ws>/api/v1/audit/query` on the
+     * workspace service. Same `QueryDefinition` vocabulary as
+     * {@link CentraliSDK.records | records} so callers learn one shape and
+     * reuse it.
+     *
+     * @example
+     * ```ts
+     * // Per-resource history
+     * const history = await client.auditLog.query({
+     *   resource: 'audit-log',
+     *   where: {
+     *     and: [
+     *       { resourceType: { eq: 'structure' } },
+     *       { resourceId: { eq: 'r-123' } },
+     *     ],
+     *   },
+     *   sort: [{ field: 'createdAt', direction: 'desc' }],
+     *   page: { limit: 50 },
+     * });
+     * ```
+     */
+    get auditLog(): AuditLogManager;
     /**
      * Saved Queries namespace — list, execute, create, update, and delete
      * saved (formerly "smart") queries. Routes through the canonical
@@ -4417,6 +5385,7 @@ export declare class CentraliSDK {
      * removed in a future major SDK release.
      */
     get smartQueries(): SmartQueriesManager;
+    private _smartQueriesAlias?;
     /**
      * Anomaly Insights namespace for querying and managing AI-generated insights.
      *
@@ -4582,23 +5551,93 @@ export declare class CentraliSDK {
      */
     get functions(): ComputeFunctionsManager;
     /**
-     * Runs namespace for querying execution history.
+     * Function Runs namespace — query function execution history. Canonical
+     * accessor (CEN-1227); pairs with `client.orchestrationRuns` for
+     * orchestration runs (CEN-1217).
      *
      * Usage:
      * ```ts
      * // Get a specific run
-     * const run = await client.runs.get('run-id');
+     * const run = await client.functionRuns.get('run-id');
      *
      * // List runs for a trigger
-     * const runs = await client.runs.listByTrigger('trigger-id');
+     * const runs = await client.functionRuns.listByTrigger('trigger-id');
      *
      * // List failed runs for a compute definition
-     * const failed = await client.runs.listByFunction('fn-id', {
+     * const failed = await client.functionRuns.listByFunction('fn-id', {
      *   status: 'failure'
      * });
+     *
+     * // Canonical query surface
+     * const failures = await client.functionRuns.query({
+     *   where: { and: [{ status: { eq: 'failure' } }] },
+     *   limit: 50
+     * });
+     * ```
+     */
+    get functionRuns(): FunctionRunsManager;
+    /**
+     * Orchestration Runs namespace — canonical query surface for orchestration
+     * run history (CEN-1217 / Phase 3).
+     *
+     * Per-orchestration trigger / list / get-by-id helpers stay on
+     * `client.orchestrations.{trigger, listRuns, getRun, getRunSteps}`. Use
+     * this namespace when you want the canonical `QueryDefinition` shape
+     * (nested boolean trees, `select`, paging) or workspace-wide queries.
+     *
+     * Usage:
+     * ```ts
+     * // Recent failed runs across the workspace
+     * const failures = await client.orchestrationRuns.query({
+     *   resource: 'orchestration-runs',
+     *   where: { and: [{ status: { eq: 'failed' } }] },
+     *   sort: [{ field: 'startedAt', direction: 'desc' }],
+     *   page: { limit: 50 },
+     * });
+     *
+     * // Authoring dry-run from a query builder UI
+     * const plan = await client.orchestrationRuns.test({
+     *   resource: 'orchestration-runs',
+     *   where: { and: [{ orchestrationId: { eq: 'orch-123' } }] },
+     * });
+     * ```
+     */
+    get orchestrationRuns(): OrchestrationRunsManager;
+    /**
+     * Files namespace — canonical query surface for files (CEN-1218 /
+     * Phase 3). Pairs with the existing top-level helpers
+     * (`client.uploadFile`, `client.getFileRenderUrl`,
+     * `client.createFolder`, …) — those stay where they are. Use this
+     * namespace when you want the canonical `QueryDefinition` shape
+     * (nested boolean trees, projection, paging, range/array operators
+     * on `tags`).
+     *
+     * Usage:
+     * ```ts
+     * // Recent images
+     * const images = await client.files.query({
+     *   resource: 'files',
+     *   where: { fileType: { eq: 'image' } },
+     *   sort: [{ field: 'createdAt', direction: 'desc' }],
+     *   page: { limit: 50 },
+     * });
+     *
+     * // Authoring dry-run
+     * const plan = await client.files.test({
+     *   resource: 'files',
+     *   where: { folderId: { eq: 'folder-uuid' } },
+     * });
      * ```
      */
+    get files(): FilesManager;
+    /**
+     * @deprecated Use `client.functionRuns` instead. Renamed in CEN-1227 ahead
+     * of `client.orchestrationRuns` (CEN-1217), at which point `client.runs`
+     * would be ambiguous (function runs vs. orchestration runs). This getter
+     * is a deprecated alias and will be removed in a future major SDK release.
+     */
     get runs(): FunctionRunsManager;
+    private _runsAlias?;
     /**
      * Webhook subscriptions namespace for outbound webhooks — create, update,
      * rotate signing secrets, inspect delivery history, and replay/cancel
@@ -4635,6 +5674,16 @@ export declare class CentraliSDK {
      * Fetch Service Account token using Client Credentials flow.
      */
     fetchServiceAccountToken(): Promise<string>;
+    /**
+     * Build a manager-shaped request callback that tags every outbound call
+     * with `X-Centrali-Deprecated-Method`. Used by `@deprecated` SDK aliases
+     * (`client.smartQueries`, `client.structures`, `client.runs`) so the
+     * existing per-route deprecation counter on the data/workspace services
+     * (CEN-1196) can attribute hits back to which SDK surface the caller used,
+     * even when the underlying HTTP route is canonical and doesn't fire its
+     * own deprecation telemetry.
+     */
+    private requestWithDeprecationHeader;
     /**
      * Perform an HTTP request.
      */
@@ -5000,125 +6049,5 @@ export declare class CentraliSDK {
      */
     checkAuthorization(options: CheckAuthorizationOptions): Promise<ApiResponse<AuthorizationResult>>;
 }
-/**
- * Usage Example:
- *
- * ```ts
- * import { CentraliSDK, CentraliSDKOptions } from 'centrali-sdk';
- *
- * const options: CentraliSDKOptions = {
- *   baseUrl: 'https://centrali.io',
- *   workspaceId: 'my-workspace',
- *   clientId: process.env.CLIENT_ID,
- *   clientSecret: process.env.CLIENT_SECRET,
- * };
- * const client = new CentraliSDK(options);
- *
- * // Automatic client credentials flow on first request
- * const record = await client.createRecord('Customer', { email: 'jane@example.com' });
- *
- * // Or set a user token:
- * client.setToken('<JWT_TOKEN>');
- * await client.queryRecords('Product', { pageSize: 10 });
- *
- * // Subscribe to realtime events (Initial Sync Pattern):
- * // 1. First fetch initial data (filters at TOP LEVEL, not nested)
- * const orders = await client.queryRecords('Order', { 'data.status': 'pending' });
- * setOrders(orders.data);
- *
- * // 2. Then subscribe to realtime updates
- * const subscription = client.realtime.subscribe({
- *   structures: ['Order'],
- *   events: ['record_created', 'record_updated', 'record_deleted'],
- *   onEvent: (event) => {
- *     // 3. Apply updates to UI
- *     console.log('Event:', event.event, event.recordSlug, event.recordId);
- *   },
- *   onError: (error) => console.error('Realtime error:', error),
- *   onConnected: () => console.log('Connected'),
- *   onDisconnected: (reason) => console.log('Disconnected:', reason),
- * });
- *
- * // Cleanup when done
- * subscription.unsubscribe();
- *
- * // Invoke an on-demand trigger:
- * const job = await client.triggers.invoke('trigger-id');
- * console.log('Job queued:', job.data);
- *
- * // Invoke trigger with custom payload:
- * const job2 = await client.triggers.invoke('trigger-id', {
- *   payload: { orderId: '12345', action: 'process' }
- * });
- *
- * // Get trigger details:
- * const trigger = await client.triggers.get('trigger-id');
- * console.log('Trigger:', trigger.data.name, trigger.data.executionType);
- *
- * // List all triggers:
- * const triggers = await client.triggers.list();
- * triggers.data.forEach(t => console.log(t.name));
- *
- * // ---- Smart Queries ----
- *
- * // List all smart queries in the workspace:
- * const allQueries = await client.smartQueries.listAll();
- *
- * // List smart queries for a specific structure:
- * const employeeQueries = await client.smartQueries.list('employee');
- * employeeQueries.data.forEach(q => console.log(q.name));
- *
- * // Get a smart query by name:
- * const activeQuery = await client.smartQueries.getByName('employee', 'Active Employees');
- * console.log('Query ID:', activeQuery.data.id);
- *
- * // Execute a smart query:
- * const results = await client.smartQueries.execute('employee', activeQuery.data.id);
- * console.log('Found:', results.data.length, 'employees');
- *
- * // ---- Search ----
- *
- * // Basic full-text search:
- * const searchResults = await client.search('customer email');
- * console.log('Found:', searchResults.data.totalHits, 'results');
- * searchResults.data.hits.forEach(hit => console.log(hit.id, hit.structureSlug));
- *
- * // Search with structure filter:
- * const userResults = await client.search('john', { structures: 'users' });
- *
- * // Search multiple structures with limit:
- * const multiResults = await client.search('active', {
- *   structures: ['users', 'orders'],
- *   limit: 50
- * });
- *
- * // ---- Authorization (BYOT - Bring Your Own Token) ----
- *
- * // Simple authorization check with external IdP token:
- * const authResult = await client.checkAuthorization({
- *   token: clerkJWT, // Token from Clerk, Auth0, Okta, etc.
- *   resource: 'orders',
- *   action: 'read'
- * });
- *
- * if (authResult.data.allowed) {
- *   console.log('Access granted');
- * } else {
- *   console.log('Access denied:', authResult.data.message);
- * }
- *
- * // Authorization with context for policy evaluation:
- * const approveResult = await client.checkAuthorization({
- *   token: clerkJWT,
- *   resource: 'orders',
- *   action: 'approve',
- *   context: {
- *     orderId: 'order-123',
- *     orderAmount: 50000,
- *     department: 'sales'
- *   }
- * });
- * // Policy can reference: ext_role, ext_department (from JWT claims)
- * // and request_metadata.orderId, request_metadata.orderAmount (from context)
- *```
- */
+
+export { type AcceptSuggestionResult, type AddAllowedDomainOptions, type AllowedDomain, type AllowedDomainsListResponse, AllowedDomainsManager, type AnomalyAnalysisResult, type AnomalyDetectionData, type AnomalyEventType, type AnomalyInsight, type AnomalyInsightData, AnomalyInsightsManager, type ApiResponse, type ArrayPropertyDefinition, AuditLogManager, type AuthorizationResult, type BasePropertyDefinition, type BatchScanResult, type BatchScanStatus, type BooleanPropertyDefinition, type BulkOperationResult, CANONICAL_OPERATORS, type CanonicalOperator, CentraliError, CentraliSDK, type CentraliSDKOptions, type CheckAuthorizationOptions, CollectionsManager, type ComputeEventType, type ComputeFunction, ComputeFunctionsManager, type ComputeJobStatus, type ComputeJobStatusResponse, type ConditionOperator, type CreateComputeFunctionInput, type CreateOrchestrationInput, type CreateSmartQueryInput, type CreateStructureInput, type CreateTriggerInput, type CreateWebhookSubscriptionInput, type DateTimePropertyDefinition, type DateWindowOption, type DeleteRecordOptions, type EndpointResponse, type ExecuteSavedQueryValues, type ExecuteSmartQueryOptions, type ExpandOptions, type FieldCondition, type FieldConditionMap, type FileMetadata, FilesManager, type FilterOperators, type FilterValue, type FunctionMemoryUsage, type FunctionRun, type FunctionRunError, type FunctionRunExecutionSource, type FunctionRunStatus, FunctionRunsManager, type FunctionTrigger, type GetRecordOptions, type IncludeClause, type InsightSeverity, type InsightStatus, type InsightType, type InsightsSummary, type InvokeEndpointOptions, type InvokeTriggerOptions, JOINS_MAX_LENGTH, type JoinClause, type JoinType, type LegacyTranslateOptions, type LegacyTranslateResult, type LegacyTranslateWarning, type ListAllTriggersOptions, type ListCollectionsOptions, type ListComputeFunctionsOptions, type ListFunctionRunsOptions, type ListInsightsOptions, type ListOrchestrationRunsOptions, type ListOrchestrationsOptions, type ListSmartQueryOptions, type ListStructuresOptions, type ListValidationSuggestionsOptions, type ListWebhookDeliveriesOptions, type NumberPropertyDefinition, OPERATOR_METADATA, type ObjectPropertyDefinition, type OperatorMeta, type OperatorTypeApplicability, type OperatorValueShape, type Orchestration, type OrchestrationCaseEvaluation, type OrchestrationCondition, type OrchestrationConditionEvaluation, type OrchestrationDecisionCase, type OrchestrationDecisionResult, type OrchestrationDelayConfig, type OrchestrationEventType, type OrchestrationFailureReason, type OrchestrationOnFailure, type OrchestrationOnSuccess, type OrchestrationRetryConfig, type OrchestrationRun, type OrchestrationRunStatus, type OrchestrationRunStep, OrchestrationRunsManager, type OrchestrationScheduleType, type OrchestrationStatus, type OrchestrationStep, type OrchestrationStepError, type OrchestrationStepStatus, type OrchestrationStepType, type OrchestrationTrigger, type OrchestrationTriggerMetadata, type OrchestrationTriggerType, OrchestrationsManager, type PageClause, type PaginatedResponse, type ParsedUrlQuery, type PropertyDefinition, type PropertyType, type QueryDefinition, type QueryError, type QueryErrorCode, type QueryExecutionMode, type QueryHttpError, type QueryHttpErrorCode, QueryManager, type QueryRecordOptions, type QueryResult, type QueryResultMeta, type QueryValidateOptions, type QueryVariableDefinition, RECORDS_PAGE_DEFAULT_LIMIT, RECORDS_PAGE_MAX_LIMIT, type RealtimeAnomalyDetectionEvent, type RealtimeAnomalyInsightEvent, type RealtimeCloseEvent, type RealtimeError, type RealtimeEvent, type RealtimeEventType, type RealtimeFunctionRunEvent, RealtimeManager, type RealtimeOrchestrationRunEvent, type RealtimeRecordEvent, type RealtimeSubscribeOptions, type RealtimeSubscription, type RealtimeValidationBatchEvent, type RealtimeValidationSuggestionEvent, type RecordEventType, RecordEvents, type RecordTtlOptions, RecordsManager, type ReferencePropertyDefinition, type ResourceCategory, type SavedQueryDefinition, type SavedQueryScalarBinding, type ScalarValue, type SchemaDiscoveryMode, type SearchHit, type SearchOptions, type SearchResponse, type SelectClause, SmartQueriesManager, type SmartQuery, type SmartQueryDefinition, type SmartQueryExecuteResult, type SmartQueryFieldCondition, type SmartQueryJoin, type SmartQuerySort, type SmartQueryWhereClause, type SortClause, type StepEncryptedParam, type StringPropertyDefinition, type Structure, StructuresManager, type TestComputeFunctionInput, type TestComputeFunctionResult, type TestSmartQueryInput, type TextSearchClause, type TriggerExecutionType, type TriggerHealthMetrics, type TriggerHealthStatus, type TriggerInvokeResponse, type TriggerOrchestrationRunOptions, type TriggerScanOptions, type TriggerWithHealth, TriggersManager, type UpdateComputeFunctionInput, type UpdateOrchestrationInput, type UpdateSmartQueryInput, type UpdateStructureInput, type UpdateTriggerInput, type UpdateWebhookSubscriptionInput, type UrlParserOptions, type ValidateStructureInput, type ValidationBatchData, type ValidationEventType, type ValidationIssueType, ValidationManager, type ValidationResult, type ValidationSuggestion, type ValidationSuggestionData, type ValidationSuggestionStatus, type ValidationSummary, type VariableType, type WaitForScanOptions, type WebhookCancelResponse, type WebhookDeliveriesListMeta, type WebhookDelivery, type WebhookDeliveryStatus, type WebhookDeliverySummary, type WebhookReplayResponse, type WebhookSubscription, WebhookSubscriptionsManager, type WhereExpression, fetchClientToken, getAllowedDomainsApiPath, getAnomalyAnalysisTriggerApiPath, getAnomalyInsightAcknowledgeApiPath, getAnomalyInsightDismissApiPath, getAnomalyInsightsApiPath, getAnomalyInsightsBulkAcknowledgeApiPath, getAnomalyInsightsSummaryApiPath, getApiUrl, getAuthUrl, getCollectionBySlugApiPath, getCollectionInsightsApiPath, getCollectionValidateApiPath, getCollectionsApiPath, getComputeFunctionTestApiPath, getComputeFunctionsApiPath, getComputeJobStatusApiPath, getEndpointApiPath, getFileUploadApiPath, getFilesCanonicalApiPath, getFunctionRunsApiPath, getFunctionRunsByFunctionApiPath, getFunctionRunsByTriggerApiPath, getFunctionTriggerExecuteApiPath, getFunctionTriggerPauseApiPath, getFunctionTriggerResumeApiPath, getFunctionTriggersApiPath, getOrchestrationRunStepsApiPath, getOrchestrationRunsApiPath, getOrchestrationRunsCanonicalApiPath, getOrchestrationsApiPath, getRealtimeUrl, getRecordApiPath, getSavedQueryCanonicalByIdPath, getSavedQueryCanonicalCollectionPath, getSavedQueryCanonicalExecutePath, getSavedQueryCanonicalTestPath, getSearchApiPath, getSmartQueriesApiPath, getSmartQueriesStructureApiPath, getSmartQueryByNameApiPath, getSmartQueryExecuteApiPath, getSmartQueryTestApiPath, getStructureBySlugApiPath, getStructureInsightsApiPath, getStructureValidateApiPath, getStructuresApiPath, getValidationBulkAcceptApiPath, getValidationBulkRejectApiPath, getValidationPendingCountApiPath, getValidationRecordSuggestionsApiPath, getValidationScanApiPath, getValidationSuggestionAcceptApiPath, getValidationSuggestionRejectApiPath, getValidationSuggestionsApiPath, getValidationSummaryApiPath, getWebhookDeliveryCancelApiPath, getWebhookDeliveryRetryApiPath, getWebhookSubscriptionDeliveriesApiPath, getWebhookSubscriptionRotateSecretApiPath, getWebhookSubscriptionsApiPath, isCentraliError, operatorsForFieldType };