@clearance/management 0.1.4 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +241 -52
- package/dist/index.mjs +1169 -10462
- package/dist/ops/deploy/compose/docker-compose.production.yml +129 -0
- package/dist/ops/deploy/upgrades/README.md +24 -0
- package/dist/ops/deploy/upgrades/steps/0.2.0/apply.sh +66 -0
- package/dist/ops/deploy/upgrades/steps/0.2.1/apply.sh +66 -0
- package/dist/ops/scripts/backup-create.sh +197 -0
- package/dist/ops/scripts/backup-restore-verify.sh +129 -0
- package/dist/ops/scripts/backup-verify.sh +121 -0
- package/dist/ops/scripts/lib/ops-common.sh +375 -0
- package/dist/ops/scripts/scim-legacy-preflight.sh +103 -0
- package/dist/ops/scripts/upgrade-apply.sh +168 -0
- package/dist/ops/scripts/upgrade-plan.sh +129 -0
- package/dist/ops/scripts/upgrade-preflight.sh +136 -0
- package/dist/ops/scripts/upgrade-rollback.sh +394 -0
- package/dist/ops/scripts/upgrade-verify.sh +98 -0
- package/dist/ops/scripts/validate-production-env.sh +232 -0
- package/package.json +7 -7
package/dist/index.d.mts
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
1
|
import { ClearanceAuthBundle } from "@clearance/auth";
|
|
2
2
|
import { createServer } from "node:http";
|
|
3
|
-
|
|
4
3
|
//#region src/types/resources.d.ts
|
|
5
4
|
type ResourceId = string;
|
|
6
5
|
interface Project {
|
|
@@ -455,7 +454,7 @@ declare function isManagementStore(value: unknown): value is ManagementStore;
|
|
|
455
454
|
//#endregion
|
|
456
455
|
//#region src/store/json-store.d.ts
|
|
457
456
|
declare const STORE_SCHEMA_VERSION = 1;
|
|
458
|
-
declare const CLEARANCE_RELEASE_VERSION = "0.1
|
|
457
|
+
declare const CLEARANCE_RELEASE_VERSION = "0.2.1";
|
|
459
458
|
declare function emptySnapshot(config?: Record<string, string>): DataStoreSnapshot;
|
|
460
459
|
/** Normalize older snapshots missing newer collections. */
|
|
461
460
|
declare function normalizeSnapshot(data: DataStoreSnapshot): DataStoreSnapshot;
|
|
@@ -591,7 +590,9 @@ declare function pgStoreId(): string;
|
|
|
591
590
|
//#endregion
|
|
592
591
|
//#region src/store/create-store.d.ts
|
|
593
592
|
type CreateStoreOptions = {
|
|
594
|
-
/** Explicit file path for JSON backend */
|
|
593
|
+
/** Explicit file path for JSON backend */
|
|
594
|
+
dataPath?: string;
|
|
595
|
+
/** Force backend; default chooses postgres when DATABASE_URL is set */
|
|
595
596
|
backend?: "json" | "postgres" | "auto";
|
|
596
597
|
databaseUrl?: string;
|
|
597
598
|
};
|
|
@@ -683,12 +684,15 @@ declare function parseCorsOrigins(): string[];
|
|
|
683
684
|
//#endregion
|
|
684
685
|
//#region src/services/credentials.d.ts
|
|
685
686
|
type CredentialKeyring = {
|
|
686
|
-
currentKeyId: string;
|
|
687
|
+
currentKeyId: string;
|
|
688
|
+
/** keyId → 32-byte key material */
|
|
687
689
|
keys: Map<string, Buffer>;
|
|
688
690
|
};
|
|
689
691
|
type EncryptedCredential = {
|
|
690
|
-
/** Versioned AEAD envelope (never the plaintext) */
|
|
691
|
-
|
|
692
|
+
/** Versioned AEAD envelope (never the plaintext) */
|
|
693
|
+
ciphertext: string;
|
|
694
|
+
keyId: string;
|
|
695
|
+
/** Short fingerprint of plaintext for comparison without disclosure */
|
|
692
696
|
fingerprint: string;
|
|
693
697
|
};
|
|
694
698
|
declare function fingerprintCredential(value: string): string;
|
|
@@ -800,7 +804,8 @@ declare function encodePageCursor(surface: PageSurface, key: PageCursorKey): str
|
|
|
800
804
|
*/
|
|
801
805
|
declare function decodePageCursor(raw: string | undefined | null, surface: PageSurface, stage: string): PageCursorKey | undefined;
|
|
802
806
|
type ResourcePage<T> = {
|
|
803
|
-
items: T[];
|
|
807
|
+
items: T[];
|
|
808
|
+
/** Opaque cursor for the next page; null when this page is the last. */
|
|
804
809
|
nextCursor: string | null;
|
|
805
810
|
};
|
|
806
811
|
/**
|
|
@@ -832,8 +837,11 @@ declare function normalizePageLimit(limit: number | undefined, spec: {
|
|
|
832
837
|
//#region src/services/idempotency.d.ts
|
|
833
838
|
declare const IDEMPOTENCY_DEFAULT_TTL_MS: number;
|
|
834
839
|
type IdempotencyRecord = {
|
|
835
|
-
/** Route+method scope, e.g. "POST /v1/users" */
|
|
836
|
-
|
|
840
|
+
/** Route+method scope, e.g. "POST /v1/users" */
|
|
841
|
+
scopeKey: string;
|
|
842
|
+
/** Client-supplied Idempotency-Key header value */
|
|
843
|
+
key: string;
|
|
844
|
+
/** sha256 of scopeKey + raw request body — detects key reuse conflicts */
|
|
837
845
|
fingerprint: string;
|
|
838
846
|
status: number;
|
|
839
847
|
contentType: string;
|
|
@@ -876,7 +884,8 @@ declare function assertOwnerInvariant(data: {
|
|
|
876
884
|
memberships: Membership[];
|
|
877
885
|
}, opts: {
|
|
878
886
|
organizationId: string;
|
|
879
|
-
membership: Membership;
|
|
887
|
+
membership: Membership;
|
|
888
|
+
/** Next role after update; omit for remove */
|
|
880
889
|
nextRole?: string;
|
|
881
890
|
stage: string;
|
|
882
891
|
}): void;
|
|
@@ -902,7 +911,8 @@ declare function addMember(store: ManagementStore, input: {
|
|
|
902
911
|
source?: MembershipSource;
|
|
903
912
|
actor?: string;
|
|
904
913
|
auditSource?: MembershipActorSource;
|
|
905
|
-
scope?: ResourceScope;
|
|
914
|
+
scope?: ResourceScope;
|
|
915
|
+
/** Force a specific membership id (runtime id preservation) */
|
|
906
916
|
id?: string;
|
|
907
917
|
}): Membership;
|
|
908
918
|
/**
|
|
@@ -976,13 +986,15 @@ declare function listEnvironments(store: ManagementStore, filter?: {
|
|
|
976
986
|
scope?: ResourceScope;
|
|
977
987
|
}): Environment[];
|
|
978
988
|
type EnvironmentLocalStatus = {
|
|
979
|
-
/** Whether this environment is the operator's active principal environment */
|
|
989
|
+
/** Whether this environment is the operator's active principal environment */
|
|
990
|
+
active: boolean;
|
|
980
991
|
storeBackend: ManagementStore["backend"];
|
|
981
992
|
storePathPresent: boolean;
|
|
982
993
|
schemaVersion: number;
|
|
983
994
|
expectedSchemaVersion: number;
|
|
984
995
|
releaseVersion: string;
|
|
985
|
-
initialized: boolean;
|
|
996
|
+
initialized: boolean;
|
|
997
|
+
/** Configuration presence flags only — never secret values */
|
|
986
998
|
config: {
|
|
987
999
|
hasClearanceSecret: boolean;
|
|
988
1000
|
hasDatabaseUrl: boolean;
|
|
@@ -1056,9 +1068,13 @@ type EnvironmentPromoteResult = {
|
|
|
1056
1068
|
* confirmed attempts (including blocked/idempotent outcomes).
|
|
1057
1069
|
*/
|
|
1058
1070
|
declare function promoteEnvironment(store: ManagementStore, input: {
|
|
1059
|
-
/** Target environment id or slug (required) */
|
|
1060
|
-
|
|
1061
|
-
|
|
1071
|
+
/** Target environment id or slug (required) */
|
|
1072
|
+
to: string;
|
|
1073
|
+
/** Source environment id or slug; defaults to operator principal environment */
|
|
1074
|
+
from?: string;
|
|
1075
|
+
/** Preview only — default when confirm is not true */
|
|
1076
|
+
dryRun?: boolean;
|
|
1077
|
+
/** Required for a confirmed attempt (CLI --yes). Never invents deploy apply. */
|
|
1062
1078
|
confirm?: boolean;
|
|
1063
1079
|
scope?: ResourceScope;
|
|
1064
1080
|
actor?: string;
|
|
@@ -1066,7 +1082,8 @@ declare function promoteEnvironment(store: ManagementStore, input: {
|
|
|
1066
1082
|
}): EnvironmentPromoteResult;
|
|
1067
1083
|
declare function createUser(store: ManagementStore, input: {
|
|
1068
1084
|
email: string;
|
|
1069
|
-
name: string;
|
|
1085
|
+
name: string;
|
|
1086
|
+
/** Optional stable id (e.g. Clearance runtime user id) */
|
|
1070
1087
|
id?: string;
|
|
1071
1088
|
projectId?: string;
|
|
1072
1089
|
environmentId?: string;
|
|
@@ -1077,7 +1094,8 @@ declare function createUser(store: ManagementStore, input: {
|
|
|
1077
1094
|
declare function listUsers(store: ManagementStore, filter?: {
|
|
1078
1095
|
environmentId?: string;
|
|
1079
1096
|
projectId?: string;
|
|
1080
|
-
status?: string;
|
|
1097
|
+
status?: string;
|
|
1098
|
+
/** When true (default for scoped callers), require full scope filter */
|
|
1081
1099
|
scope?: ResourceScope;
|
|
1082
1100
|
}): Principal[];
|
|
1083
1101
|
declare const USERS_LIST_DEFAULT_PAGE_LIMIT = 100;
|
|
@@ -1091,7 +1109,8 @@ declare const USERS_LIST_MAX_PAGE_LIMIT = 1000;
|
|
|
1091
1109
|
declare function listUsersPage(store: ManagementStore, opts?: {
|
|
1092
1110
|
scope?: ResourceScope;
|
|
1093
1111
|
status?: string;
|
|
1094
|
-
limit?: number;
|
|
1112
|
+
limit?: number;
|
|
1113
|
+
/** Opaque cursor from a previous page's nextCursor (fail-closed). */
|
|
1095
1114
|
cursor?: string;
|
|
1096
1115
|
}): {
|
|
1097
1116
|
users: Principal[];
|
|
@@ -1112,7 +1131,8 @@ declare function parseUserStatusInput(status: unknown, stage?: string): "active"
|
|
|
1112
1131
|
*/
|
|
1113
1132
|
declare function updateUser(store: ManagementStore, id: string, input: {
|
|
1114
1133
|
name?: string;
|
|
1115
|
-
email?: string;
|
|
1134
|
+
email?: string;
|
|
1135
|
+
/** Re-enable or set disabled without soft-delete. */
|
|
1116
1136
|
status?: "active" | "disabled" | string;
|
|
1117
1137
|
actor?: string;
|
|
1118
1138
|
source?: "cli" | "console" | "api" | "import" | "scim" | "system";
|
|
@@ -1160,7 +1180,8 @@ declare const ORGS_LIST_MAX_PAGE_LIMIT = 1000;
|
|
|
1160
1180
|
*/
|
|
1161
1181
|
declare function listOrganizationsPage(store: ManagementStore, opts?: {
|
|
1162
1182
|
scope?: ResourceScope;
|
|
1163
|
-
limit?: number;
|
|
1183
|
+
limit?: number;
|
|
1184
|
+
/** Opaque cursor from a previous page's nextCursor (fail-closed). */
|
|
1164
1185
|
cursor?: string;
|
|
1165
1186
|
}): {
|
|
1166
1187
|
organizations: Organization[];
|
|
@@ -1193,7 +1214,8 @@ type ArchiveOrganizationResult = {
|
|
|
1193
1214
|
* and org inspect remain fail-closed for archived orgs (recovery via audit + row).
|
|
1194
1215
|
*/
|
|
1195
1216
|
declare function archiveOrganization(store: ManagementStore, id: string, input?: {
|
|
1196
|
-
dryRun?: boolean;
|
|
1217
|
+
dryRun?: boolean;
|
|
1218
|
+
/** Required for mutation. CLI maps --yes → confirm=true. */
|
|
1197
1219
|
confirm?: boolean;
|
|
1198
1220
|
actor?: string;
|
|
1199
1221
|
source?: "cli" | "console" | "api" | "import" | "system";
|
|
@@ -1204,9 +1226,11 @@ declare const USERS_EXPORT_MAX_LIMIT = 1000;
|
|
|
1204
1226
|
declare const USERS_EXPORT_FORMATS: readonly ["json", "jsonl"];
|
|
1205
1227
|
type UsersExportFormat = (typeof USERS_EXPORT_FORMATS)[number];
|
|
1206
1228
|
type UsersExportOptions = {
|
|
1207
|
-
limit?: number;
|
|
1229
|
+
limit?: number;
|
|
1230
|
+
/** Filter by principal status (active|disabled). Deleted never exported. */
|
|
1208
1231
|
status?: "active" | "disabled" | string;
|
|
1209
|
-
format?: UsersExportFormat | string;
|
|
1232
|
+
format?: UsersExportFormat | string;
|
|
1233
|
+
/** Absolute or relative path; when set, artifact is written atomically (CLI only) */
|
|
1210
1234
|
outputPath?: string;
|
|
1211
1235
|
force?: boolean;
|
|
1212
1236
|
scope?: ResourceScope;
|
|
@@ -1269,7 +1293,8 @@ declare function listEventsPage(store: ManagementStore, filter?: {
|
|
|
1269
1293
|
limit?: number;
|
|
1270
1294
|
organizationId?: string;
|
|
1271
1295
|
action?: string;
|
|
1272
|
-
scope?: ResourceScope;
|
|
1296
|
+
scope?: ResourceScope;
|
|
1297
|
+
/** Opaque cursor from a previous page's nextCursor (fail-closed). */
|
|
1273
1298
|
cursor?: string;
|
|
1274
1299
|
}): {
|
|
1275
1300
|
events: AuditEvent[];
|
|
@@ -1293,8 +1318,11 @@ declare function overviewStats(store: ManagementStore, scope?: ResourceScope): {
|
|
|
1293
1318
|
//#endregion
|
|
1294
1319
|
//#region src/services/export-artifact.d.ts
|
|
1295
1320
|
type WriteExportArtifactCodes = {
|
|
1296
|
-
/** Audit/export stage string (e.g. events.export) */
|
|
1297
|
-
|
|
1321
|
+
/** Audit/export stage string (e.g. events.export) */
|
|
1322
|
+
stage?: string;
|
|
1323
|
+
/** Error code when destination exists and force is false */
|
|
1324
|
+
existsCode?: string;
|
|
1325
|
+
/** Error code when write fails for other reasons */
|
|
1298
1326
|
writeFailedCode?: string;
|
|
1299
1327
|
};
|
|
1300
1328
|
/**
|
|
@@ -1341,13 +1369,17 @@ type EventsExportOptions = {
|
|
|
1341
1369
|
* Archival bound (see audit.ts header): schedule exports with --before so
|
|
1342
1370
|
* events are captured before the retention cap prunes them.
|
|
1343
1371
|
*/
|
|
1344
|
-
before?: string;
|
|
1345
|
-
|
|
1346
|
-
|
|
1372
|
+
before?: string;
|
|
1373
|
+
/** json (envelope) or jsonl (one event object per line) */
|
|
1374
|
+
format?: EventsExportFormat | string;
|
|
1375
|
+
/** Absolute or relative path; when set, artifact is written atomically */
|
|
1376
|
+
outputPath?: string;
|
|
1377
|
+
/** Allow replacing an existing file at outputPath */
|
|
1347
1378
|
force?: boolean;
|
|
1348
1379
|
scope?: ResourceScope;
|
|
1349
1380
|
actor?: string;
|
|
1350
|
-
source?: AuditEvent["source"];
|
|
1381
|
+
source?: AuditEvent["source"];
|
|
1382
|
+
/** When true, skip privileged-read audit (tests / nested callers) */
|
|
1351
1383
|
skipAudit?: boolean;
|
|
1352
1384
|
};
|
|
1353
1385
|
type EventsExportEnvelope = {
|
|
@@ -1376,7 +1408,8 @@ type EventInspectResult = {
|
|
|
1376
1408
|
replayBlocker?: string;
|
|
1377
1409
|
};
|
|
1378
1410
|
type ReplayDiagnosticOptions = {
|
|
1379
|
-
/** Preview only — default safe path when confirm is not true */
|
|
1411
|
+
/** Preview only — default safe path when confirm is not true */
|
|
1412
|
+
dryRun?: boolean;
|
|
1380
1413
|
/**
|
|
1381
1414
|
* Required for mutating apply. CLI maps --yes → confirm=true.
|
|
1382
1415
|
* When confirm is not true, the service always dry-runs.
|
|
@@ -1408,7 +1441,8 @@ declare function sanitizeAuditEvent(event: AuditEvent): AuditEvent;
|
|
|
1408
1441
|
declare function selectEventsForExport(store: ManagementStore, filter: {
|
|
1409
1442
|
limit: number;
|
|
1410
1443
|
organizationId?: string;
|
|
1411
|
-
action?: string;
|
|
1444
|
+
action?: string;
|
|
1445
|
+
/** Normalized ISO bound — only events with createdAt strictly before */
|
|
1412
1446
|
before?: string;
|
|
1413
1447
|
scope: ResourceScope;
|
|
1414
1448
|
}): {
|
|
@@ -1472,7 +1506,8 @@ type SessionView = {
|
|
|
1472
1506
|
};
|
|
1473
1507
|
type SessionSource = "cli" | "console" | "api" | "system";
|
|
1474
1508
|
type RevokeSessionResult = {
|
|
1475
|
-
session: SessionView;
|
|
1509
|
+
session: SessionView;
|
|
1510
|
+
/** True when session was already revoked / absent under authorized contract */
|
|
1476
1511
|
idempotent: boolean;
|
|
1477
1512
|
};
|
|
1478
1513
|
declare function normalizeSessionLimit(limit: number | undefined): number;
|
|
@@ -1487,7 +1522,8 @@ declare function toSessionView(session: SessionRecord, projectId: string, extra?
|
|
|
1487
1522
|
* Defaults to active only. Does not audit (list is not privileged-write).
|
|
1488
1523
|
*/
|
|
1489
1524
|
declare function listSessions(store: ManagementStore, opts?: {
|
|
1490
|
-
scope?: ResourceScope;
|
|
1525
|
+
scope?: ResourceScope;
|
|
1526
|
+
/** When true, include revoked tombstones */
|
|
1491
1527
|
includeRevoked?: boolean;
|
|
1492
1528
|
limit?: number;
|
|
1493
1529
|
}): SessionView[];
|
|
@@ -1498,9 +1534,11 @@ declare function listSessions(store: ManagementStore, opts?: {
|
|
|
1498
1534
|
* Postgres runtime sessions paginate via listSessionsPageInAuth (auth-bridge).
|
|
1499
1535
|
*/
|
|
1500
1536
|
declare function listSessionsPage(store: ManagementStore, opts?: {
|
|
1501
|
-
scope?: ResourceScope;
|
|
1537
|
+
scope?: ResourceScope;
|
|
1538
|
+
/** When true, include revoked tombstones */
|
|
1502
1539
|
includeRevoked?: boolean;
|
|
1503
|
-
limit?: number;
|
|
1540
|
+
limit?: number;
|
|
1541
|
+
/** Opaque cursor from a previous page's nextCursor (fail-closed). */
|
|
1504
1542
|
cursor?: string;
|
|
1505
1543
|
}): {
|
|
1506
1544
|
sessions: SessionView[];
|
|
@@ -1683,7 +1721,8 @@ declare function executeMemberImportPlan(plan: MemberImportPlan, apply: (row: Me
|
|
|
1683
1721
|
//#endregion
|
|
1684
1722
|
//#region src/services/identity.d.ts
|
|
1685
1723
|
type RuntimeUserIdentity = {
|
|
1686
|
-
/** Canonical Clearance / runtime user id — becomes management principal id */
|
|
1724
|
+
/** Canonical Clearance / runtime user id — becomes management principal id */
|
|
1725
|
+
id: string;
|
|
1687
1726
|
email: string;
|
|
1688
1727
|
name: string;
|
|
1689
1728
|
createdAt?: string | Date;
|
|
@@ -1903,7 +1942,8 @@ declare const SCIM_LOCAL_PROTOCOL_EVIDENCE: "local protocol verification (not ex
|
|
|
1903
1942
|
* Network / auth / malformed body / non-success status all fail.
|
|
1904
1943
|
*/
|
|
1905
1944
|
declare function checkScimConnection(store: ManagementStore, id: string, opts?: {
|
|
1906
|
-
/** Override token (tests); otherwise decrypt stored envelope */
|
|
1945
|
+
/** Override token (tests); otherwise decrypt stored envelope */
|
|
1946
|
+
bearerToken?: string;
|
|
1907
1947
|
path?: string;
|
|
1908
1948
|
fetchImpl?: typeof fetch;
|
|
1909
1949
|
}): Promise<{
|
|
@@ -1956,7 +1996,8 @@ type ScimProbeOutcome = {
|
|
|
1956
1996
|
};
|
|
1957
1997
|
type ScimProbeOptions = {
|
|
1958
1998
|
endpoint: string;
|
|
1959
|
-
bearerToken?: string;
|
|
1999
|
+
bearerToken?: string;
|
|
2000
|
+
/** Relative path under endpoint (default ServiceProviderConfig) */
|
|
1960
2001
|
path?: string;
|
|
1961
2002
|
timeoutMs?: number;
|
|
1962
2003
|
fetchImpl?: typeof fetch;
|
|
@@ -2019,7 +2060,8 @@ declare function createSsoConnectionReal(store: ManagementStore, input: {
|
|
|
2019
2060
|
clientId?: string;
|
|
2020
2061
|
clientSecret?: string;
|
|
2021
2062
|
samlEntryPoint?: string;
|
|
2022
|
-
samlCertificate?: string;
|
|
2063
|
+
samlCertificate?: string;
|
|
2064
|
+
/** Load fixtures/sso/{matrix}-oidc.json — okta | entra */
|
|
2023
2065
|
matrix?: "okta" | "entra";
|
|
2024
2066
|
fixturePath?: string;
|
|
2025
2067
|
actor?: string;
|
|
@@ -2166,7 +2208,8 @@ declare function testScimConnectionReal(store: ManagementStore, id: string, opts
|
|
|
2166
2208
|
userName: string;
|
|
2167
2209
|
displayName?: string;
|
|
2168
2210
|
active?: boolean;
|
|
2169
|
-
}>;
|
|
2211
|
+
}>;
|
|
2212
|
+
/** Absolute URL override for local fixture protocol verification */
|
|
2170
2213
|
endpointOverride?: string;
|
|
2171
2214
|
bearerToken?: string;
|
|
2172
2215
|
fetchImpl?: typeof fetch;
|
|
@@ -2236,18 +2279,21 @@ declare function createSetupLink(store: ManagementStore, input: {
|
|
|
2236
2279
|
organizationId: string;
|
|
2237
2280
|
kind: SetupKind;
|
|
2238
2281
|
ttlMinutes?: number;
|
|
2239
|
-
actor?: string;
|
|
2282
|
+
actor?: string;
|
|
2283
|
+
/** Absolute console base; defaults to CLEARANCE_CONSOLE_URL */
|
|
2240
2284
|
baseUrl?: string;
|
|
2241
2285
|
}): {
|
|
2242
2286
|
url: string;
|
|
2243
|
-
expiresAt: string;
|
|
2287
|
+
expiresAt: string;
|
|
2288
|
+
/** Raw capability — return once; never persisted */
|
|
2244
2289
|
token: string;
|
|
2245
2290
|
tokenFingerprint: string;
|
|
2246
2291
|
capabilityId: string;
|
|
2247
2292
|
};
|
|
2248
2293
|
type RedeemSetupLinkInput = {
|
|
2249
2294
|
token: string;
|
|
2250
|
-
kind: SetupKind;
|
|
2295
|
+
kind: SetupKind;
|
|
2296
|
+
/** When set, must match capability */
|
|
2251
2297
|
organizationId?: string;
|
|
2252
2298
|
projectId?: string;
|
|
2253
2299
|
environmentId?: string;
|
|
@@ -2343,7 +2389,9 @@ type MigrationPreview = {
|
|
|
2343
2389
|
members: number;
|
|
2344
2390
|
};
|
|
2345
2391
|
};
|
|
2346
|
-
/**
|
|
2392
|
+
/** Parse and fully validate the one legacy fixture shape accepted by Clearance. */
|
|
2393
|
+
declare function parseLegacyFixture(input: string | unknown): LegacyExportFixture;
|
|
2394
|
+
/** Safely read a local fixture, then apply the same parser used by the API. */
|
|
2347
2395
|
declare function loadLegacyFixture(path: string): LegacyExportFixture;
|
|
2348
2396
|
/** Validate conflicts and calculate a non-mutating Clearance import preview. */
|
|
2349
2397
|
declare function previewMigration(store: ManagementStore, fixture: LegacyExportFixture): MigrationPreview;
|
|
@@ -2431,6 +2479,122 @@ declare function migrateRuntimeSchema(input: {
|
|
|
2431
2479
|
pendingFields?: undefined;
|
|
2432
2480
|
}>;
|
|
2433
2481
|
//#endregion
|
|
2482
|
+
//#region src/services/upgrade.d.ts
|
|
2483
|
+
interface UpgradeOptions {
|
|
2484
|
+
target?: string;
|
|
2485
|
+
plan?: string;
|
|
2486
|
+
dir?: string;
|
|
2487
|
+
healthUrl?: string;
|
|
2488
|
+
current?: string;
|
|
2489
|
+
dryRun?: boolean;
|
|
2490
|
+
yes?: boolean;
|
|
2491
|
+
restoreActive?: boolean;
|
|
2492
|
+
confirm?: string;
|
|
2493
|
+
backupDir?: string;
|
|
2494
|
+
}
|
|
2495
|
+
declare function planUpgrade(opts: UpgradeOptions): Promise<{
|
|
2496
|
+
schemaVersion: string;
|
|
2497
|
+
operation: string;
|
|
2498
|
+
dryRun: boolean;
|
|
2499
|
+
plan: {
|
|
2500
|
+
id: string;
|
|
2501
|
+
path: string;
|
|
2502
|
+
currentVersion: string;
|
|
2503
|
+
targetVersion: string;
|
|
2504
|
+
status: string;
|
|
2505
|
+
};
|
|
2506
|
+
} | {
|
|
2507
|
+
schemaVersion: string;
|
|
2508
|
+
operation: string;
|
|
2509
|
+
dryRun: boolean;
|
|
2510
|
+
plan: {
|
|
2511
|
+
targetVersion: string;
|
|
2512
|
+
currentVersion: string | null;
|
|
2513
|
+
directory: string;
|
|
2514
|
+
createsArtifacts: boolean;
|
|
2515
|
+
};
|
|
2516
|
+
}>;
|
|
2517
|
+
declare function applyUpgrade(opts: UpgradeOptions): Promise<{
|
|
2518
|
+
operation: string;
|
|
2519
|
+
wouldRun: string[];
|
|
2520
|
+
schemaVersion: string;
|
|
2521
|
+
dryRun: boolean;
|
|
2522
|
+
plan: {
|
|
2523
|
+
id: string;
|
|
2524
|
+
path: string;
|
|
2525
|
+
currentVersion: string;
|
|
2526
|
+
targetVersion: string;
|
|
2527
|
+
status: string;
|
|
2528
|
+
};
|
|
2529
|
+
} | {
|
|
2530
|
+
schemaVersion: string;
|
|
2531
|
+
operation: string;
|
|
2532
|
+
dryRun: boolean;
|
|
2533
|
+
plan: {
|
|
2534
|
+
id: string;
|
|
2535
|
+
targetVersion: string;
|
|
2536
|
+
status: string;
|
|
2537
|
+
backupId: string | null;
|
|
2538
|
+
rollbackReference: {} | null;
|
|
2539
|
+
};
|
|
2540
|
+
}>;
|
|
2541
|
+
declare function verifyUpgrade(opts: UpgradeOptions): Promise<{
|
|
2542
|
+
schemaVersion: string;
|
|
2543
|
+
operation: string;
|
|
2544
|
+
dryRun: boolean;
|
|
2545
|
+
plan: {
|
|
2546
|
+
id: string;
|
|
2547
|
+
targetVersion: string;
|
|
2548
|
+
status: string;
|
|
2549
|
+
updatedAt?: undefined;
|
|
2550
|
+
backupId?: undefined;
|
|
2551
|
+
};
|
|
2552
|
+
wouldRun: string[];
|
|
2553
|
+
} | {
|
|
2554
|
+
schemaVersion: string;
|
|
2555
|
+
operation: string;
|
|
2556
|
+
plan: {
|
|
2557
|
+
id: string;
|
|
2558
|
+
targetVersion: string;
|
|
2559
|
+
status: string;
|
|
2560
|
+
updatedAt: string | null;
|
|
2561
|
+
backupId: string | null;
|
|
2562
|
+
};
|
|
2563
|
+
dryRun?: undefined;
|
|
2564
|
+
wouldRun?: undefined;
|
|
2565
|
+
}>;
|
|
2566
|
+
declare function rollbackUpgrade(opts: UpgradeOptions): Promise<{
|
|
2567
|
+
schemaVersion: string;
|
|
2568
|
+
operation: string;
|
|
2569
|
+
dryRun: boolean;
|
|
2570
|
+
mode: string;
|
|
2571
|
+
activeDatabaseUntouched: boolean;
|
|
2572
|
+
wouldModifyActiveDatabase: boolean;
|
|
2573
|
+
plan: {
|
|
2574
|
+
id: string;
|
|
2575
|
+
targetVersion: string;
|
|
2576
|
+
status: string;
|
|
2577
|
+
};
|
|
2578
|
+
wouldRun: string[];
|
|
2579
|
+
rollbackReceipt?: undefined;
|
|
2580
|
+
receipt?: undefined;
|
|
2581
|
+
} | {
|
|
2582
|
+
schemaVersion: string;
|
|
2583
|
+
operation: string;
|
|
2584
|
+
dryRun: boolean;
|
|
2585
|
+
mode: string;
|
|
2586
|
+
activeDatabaseUntouched: boolean;
|
|
2587
|
+
plan: {
|
|
2588
|
+
id: string;
|
|
2589
|
+
targetVersion: string;
|
|
2590
|
+
status: string;
|
|
2591
|
+
};
|
|
2592
|
+
rollbackReceipt: string;
|
|
2593
|
+
receipt: Record<string, unknown>;
|
|
2594
|
+
wouldModifyActiveDatabase?: undefined;
|
|
2595
|
+
wouldRun?: undefined;
|
|
2596
|
+
}>;
|
|
2597
|
+
//#endregion
|
|
2434
2598
|
//#region src/services/backup.d.ts
|
|
2435
2599
|
declare function createBackup(store: ManagementStore, backupDir?: string): BackupRecord;
|
|
2436
2600
|
declare function verifyBackup(store: ManagementStore, backupId: string): BackupRecord;
|
|
@@ -2572,9 +2736,30 @@ declare function listUsersFromDb(): Promise<Principal[]>;
|
|
|
2572
2736
|
declare function createUserInAuth(input: {
|
|
2573
2737
|
email: string;
|
|
2574
2738
|
name: string;
|
|
2575
|
-
password
|
|
2739
|
+
password: string;
|
|
2740
|
+
/** When set, persists the runtime user into management with the same stable id */
|
|
2576
2741
|
managementStore?: ManagementStore;
|
|
2577
2742
|
}): Promise<Principal>;
|
|
2743
|
+
declare const PASSWORD_SETUP_TTL_SECONDS: number;
|
|
2744
|
+
type PasswordSetupGrant = {
|
|
2745
|
+
token: string;
|
|
2746
|
+
expiresAt: string;
|
|
2747
|
+
};
|
|
2748
|
+
/**
|
|
2749
|
+
* Provision a user without issuing a reusable temporary credential.
|
|
2750
|
+
*
|
|
2751
|
+
* The inaccessible random password prevents the credential account from being
|
|
2752
|
+
* used directly. The returned reset token is single-use in the auth runtime and
|
|
2753
|
+
* expires after one hour; it can only establish a caller-chosen password.
|
|
2754
|
+
*/
|
|
2755
|
+
declare function createUserWithPasswordSetupInAuth(input: {
|
|
2756
|
+
email: string;
|
|
2757
|
+
name: string;
|
|
2758
|
+
managementStore?: ManagementStore;
|
|
2759
|
+
}): Promise<{
|
|
2760
|
+
user: Principal;
|
|
2761
|
+
passwordSetup: PasswordSetupGrant;
|
|
2762
|
+
}>;
|
|
2578
2763
|
/**
|
|
2579
2764
|
* Map an already-created runtime user into management (same stable id + scope).
|
|
2580
2765
|
* Prefer this after product signup so CLI/API/console see one identity.
|
|
@@ -2612,7 +2797,8 @@ declare function ensureOperatorUser(): Promise<string>;
|
|
|
2612
2797
|
* Without `id`, generates a new id (CLI/operator path).
|
|
2613
2798
|
*/
|
|
2614
2799
|
declare function insertSsoProvider(input: {
|
|
2615
|
-
/** Deterministic runtime/management id for setup-attempt recovery */
|
|
2800
|
+
/** Deterministic runtime/management id for setup-attempt recovery */
|
|
2801
|
+
id?: string;
|
|
2616
2802
|
providerId: string;
|
|
2617
2803
|
issuer: string;
|
|
2618
2804
|
domain: string;
|
|
@@ -2639,7 +2825,8 @@ declare function deleteSsoProviderById(id: string): Promise<void>;
|
|
|
2639
2825
|
* material only (never persists plaintext). Without `id`, generates new ids.
|
|
2640
2826
|
*/
|
|
2641
2827
|
declare function insertScimProvider(input: {
|
|
2642
|
-
/** Deterministic runtime/management id for setup-attempt recovery */
|
|
2828
|
+
/** Deterministic runtime/management id for setup-attempt recovery */
|
|
2829
|
+
id?: string;
|
|
2643
2830
|
providerId: string;
|
|
2644
2831
|
organizationId?: string;
|
|
2645
2832
|
token?: string;
|
|
@@ -2679,7 +2866,8 @@ declare function listSessionsInAuth(store: ManagementStore, opts?: {
|
|
|
2679
2866
|
*/
|
|
2680
2867
|
declare function listSessionsPageInAuth(store: ManagementStore, opts?: {
|
|
2681
2868
|
scope?: ResourceScope;
|
|
2682
|
-
limit?: number;
|
|
2869
|
+
limit?: number;
|
|
2870
|
+
/** Opaque cursor from a previous page's nextCursor (fail-closed). */
|
|
2683
2871
|
cursor?: string;
|
|
2684
2872
|
}): Promise<{
|
|
2685
2873
|
sessions: SessionView[];
|
|
@@ -2805,11 +2993,12 @@ declare function updateOrganizationInAuth(store: ManagementStore, id: string, in
|
|
|
2805
2993
|
* - Already-archived + missing runtime → success, idempotent=true.
|
|
2806
2994
|
*/
|
|
2807
2995
|
declare function archiveOrganizationInAuth(store: ManagementStore, id: string, input?: {
|
|
2808
|
-
dryRun?: boolean;
|
|
2996
|
+
dryRun?: boolean;
|
|
2997
|
+
/** Required for mutation. CLI maps --yes → confirm=true. */
|
|
2809
2998
|
confirm?: boolean;
|
|
2810
2999
|
actor?: string;
|
|
2811
3000
|
source?: OrgLifecycleSource;
|
|
2812
3001
|
scope?: ResourceScope;
|
|
2813
3002
|
}): Promise<ArchiveOrganizationResult>;
|
|
2814
3003
|
//#endregion
|
|
2815
|
-
export { AUDIT_MAX_EVENTS_DEFAULT, AUDIT_MAX_EVENTS_MAX, AUDIT_MAX_EVENTS_MIN, AUDIT_PRUNED_ACTION, AdversarialFixtureFile, ApiKey, ApiKeyView, ArchiveOrganizationResult, AssignableRole, AuditEvent, AuditEventInput, BUILT_IN_ROLE_SLUGS, BackupRecord, BuiltInRoleSlug, CLEARANCE_RELEASE_VERSION, ClearanceError, type CommitSetupLinkInput, ConfigRecord, ConformanceMode, CreateStoreOptions, CreatedApiKey, CredentialKeyring, CustomRole, DataStoreSnapshot, DiagnosticTrace, DirectoryConnection, DoctorCheck, EVENTS_EXPORT_DEFAULT_LIMIT, EVENTS_EXPORT_FORMATS, EVENTS_EXPORT_MAX_LIMIT, EVENTS_LIST_DEFAULT_PAGE_LIMIT, EVENTS_LIST_MAX_PAGE_LIMIT, EVENTS_TAIL_DEFAULT_LIMIT, EVENTS_TAIL_MAX_LIMIT, EncryptedCredential, Environment, EnvironmentInspectResult, EnvironmentLocalStatus, EnvironmentPromoteBlocker, EnvironmentPromotePlanStep, EnvironmentPromoteResult, EventInspectResult, EventsExportEnvelope, EventsExportFormat, EventsExportOptions, EventsTailCursor, EventsTailFilter, FORBIDDEN_DEFAULT_SECRETS, IDEMPOTENCY_DEFAULT_TTL_MS, IdempotencyBackend, IdempotencyRecord, IdentityConnection, IdentityProtocol, JsonStore, LIVE_CONFORMANCE_MODE, LIVE_EVIDENCE_LABEL, LegacyExportFixture, LiveProbeOptions, LiveProbeResult, LocalOidcSession, MANAGEMENT_SURFACES, ManagementStore, ManagementSurface, MemberImportFormat, MemberImportPlan, MemberImportPlanRow, MemberImportResult, MemberImportRowResult, Membership, MembershipActorSource, MembershipSource, MigrationPlan, MigrationPreview, ORGS_LIST_DEFAULT_PAGE_LIMIT, ORGS_LIST_MAX_PAGE_LIMIT, Organization, PageCursorKey, PageOrder, PageSurface,
|
|
3004
|
+
export { AUDIT_MAX_EVENTS_DEFAULT, AUDIT_MAX_EVENTS_MAX, AUDIT_MAX_EVENTS_MIN, AUDIT_PRUNED_ACTION, AdversarialFixtureFile, ApiKey, ApiKeyView, ArchiveOrganizationResult, AssignableRole, AuditEvent, AuditEventInput, BUILT_IN_ROLE_SLUGS, BackupRecord, BuiltInRoleSlug, CLEARANCE_RELEASE_VERSION, ClearanceError, type CommitSetupLinkInput, ConfigRecord, ConformanceMode, CreateStoreOptions, CreatedApiKey, CredentialKeyring, CustomRole, DataStoreSnapshot, DiagnosticTrace, DirectoryConnection, DoctorCheck, EVENTS_EXPORT_DEFAULT_LIMIT, EVENTS_EXPORT_FORMATS, EVENTS_EXPORT_MAX_LIMIT, EVENTS_LIST_DEFAULT_PAGE_LIMIT, EVENTS_LIST_MAX_PAGE_LIMIT, EVENTS_TAIL_DEFAULT_LIMIT, EVENTS_TAIL_MAX_LIMIT, EncryptedCredential, Environment, EnvironmentInspectResult, EnvironmentLocalStatus, EnvironmentPromoteBlocker, EnvironmentPromotePlanStep, EnvironmentPromoteResult, EventInspectResult, EventsExportEnvelope, EventsExportFormat, EventsExportOptions, EventsTailCursor, EventsTailFilter, FORBIDDEN_DEFAULT_SECRETS, IDEMPOTENCY_DEFAULT_TTL_MS, IdempotencyBackend, IdempotencyRecord, IdentityConnection, IdentityProtocol, JsonStore, LIVE_CONFORMANCE_MODE, LIVE_EVIDENCE_LABEL, LegacyExportFixture, LiveProbeOptions, LiveProbeResult, LocalOidcSession, MANAGEMENT_SURFACES, ManagementStore, ManagementSurface, MemberImportFormat, MemberImportPlan, MemberImportPlanRow, MemberImportResult, MemberImportRowResult, Membership, MembershipActorSource, MembershipSource, MigrationPlan, MigrationPreview, ORGS_LIST_DEFAULT_PAGE_LIMIT, ORGS_LIST_MAX_PAGE_LIMIT, Organization, PASSWORD_SETUP_TTL_SECONDS, PageCursorKey, PageOrder, PageSurface, PasswordSetupGrant, PgStore, PostgresRestoreOptions, Principal, Project, REPLAYABLE_TRACE_SUBSYSTEMS, ReadinessCheck, ReadinessReport, type RedeemSetupLinkInput, type ReleaseSetupLinkInput, ReplayDiagnosticOptions, ReplayDiagnosticResult, ReplayableTraceSubsystem, type ReserveSetupLinkResult, ResourceId, ResourcePage, ResourceScope, RevokeSessionResult, RuntimeOrganizationIdentity, RuntimeSchemaPlanResult, RuntimeUserIdentity, SCIM_FIXTURE_MODE, SCIM_LOCAL_PROTOCOL_EVIDENCE, SCIM_REAL_FIXTURE_MODE, SETUP_RESERVATION_TTL_MS, SSO_FIXTURE_MODE, SSO_LOCAL_EVIDENCE_LABEL, SSO_LOCAL_PROTOCOL_MODE, SSO_MATRIX_NOT_CERTIFIED, SSO_REAL_FIXTURE_MODE, STORE_SCHEMA_VERSION, ScimActorSource, ScimMutationOpts, ScimProbeOptions, ScimProbeOutcome, ScimUserPayload, ScimUsersFixture, ScopedResource, SessionRecord, SessionSource, SessionView, SetupCapability, type SetupKind, SsoActorSource, SsoCreateInput, SsoMutationOpts, SsoOidcFixture, SsoTestFixture, SsoTestOptions, USERS_EXPORT_DEFAULT_LIMIT, USERS_EXPORT_FORMATS, USERS_EXPORT_MAX_LIMIT, USERS_LIST_DEFAULT_PAGE_LIMIT, USERS_LIST_MAX_PAGE_LIMIT, UpgradeOptions, UsersExportEnvelope, UsersExportFormat, UsersExportOptions, WRITE_ONLY_SECRET_FIELDS, WriteExportArtifactCodes, addMember, addMemberInAuth, appendAuditEvent, applyUpgrade, archiveOrganization, archiveOrganizationInAuth, assertClientScopeHeaders, assertCredentialKeyConfigured, assertIdempotencyKeyValid, assertLiveEndpoint, assertMigrationRunnable, assertOwnerInvariant, assertProductionCredentialKey, assertProductionSecret, assertResourceInScope, assertSessionPrincipalInScope, auditMaxEvents, beginEventsTail, bridgeRuntimeUserToManagement, buildAuditEvent, buildAuthorizationUrl, builtInRoleId, checkScimConnection, closeAuthBundle, commitSetupLink, configureSsoConnection, consoleRoutesFromContract, correlationId, countAuthTables, createApiKey, createBackup, createEnvironment, createIdempotencyBackend, createLocalOidcIssuerFixture, createLocalScimFixtureServer, createManagementStore, createOrgInAuth, createOrganization, createPgStore, createPostgresBackup, createProject, createRole, createScimConnection, createScimConnectionReal, createSession, createSetupLink, createSsoConnection, createSsoConnectionReal, createUser, createUserInAuth, createUserWithPasswordSetupInAuth, decodeJwtPayload, decodePageCursor, decryptCredential, defaultDataPath, deleteScimProviderById, deleteSsoProviderById, deleteUser, deleteUserInAuth, deriveSetupConnectionIds, deriveSetupReservationId, diffConfig, disableScimConnection, disableScimConnectionReal, disableSsoConnection, disableSsoConnectionReal, disableUser, disableUserInAuth, dockerDumpArgs, dockerPsqlArgs, emptyIsolatedStorePath, emptySnapshot, encodePageCursor, encryptCredential, enforceAuditRetention, ensureAuthMigrated, ensureOperatorUser, ensurePrivateBackupDirectory, executeMemberImportPlan, exportEvents, exportUsers, findActiveMembership, fingerprint, fingerprintCredential, fingerprintIdempotentRequest, fixturesRoot, generatePkcePair, generateRuntimeSchema, getAuthBundle, getCredentialKeyring, getLatestReadiness, getRuntimeSchemaStatus, idempotencyConflictError, initProject, insertScimProvider, insertSsoProvider, inspectApiKey, inspectEnvironment, inspectEvent, inspectMembership, inspectOrganization, inspectRole, inspectScimConnection, inspectScimTrace, inspectSession, inspectSessionInAuth, inspectSsoConnection, inspectUser, isBuiltInRoleSlug, isClearanceError, isCredentialEnvelope, isDevelopmentLike, isForbiddenDefaultSecret, isManagementStore, isReplayableTraceSubsystem, isSecretLikeConfigEntry, isSecretLikeConfigKey, listApiKeys, listEnvironments, listEvents, listEventsPage, listMembers, listOrganizations, listOrganizationsPage, listOrgsFromDb, listProjects, listRoles, listScimConnections, listSessions, listSessionsFromDb, listSessionsInAuth, listSessionsPage, listSessionsPageInAuth, listSetupLinks, listSsoConnections, listUsers, listUsersFromDb, listUsersPage, loadJsonFixture, loadLegacyFixture, migrateRuntimeSchema, migrationStatus, newId, normalizeAndValidateApiKeyScopes, normalizeAndValidatePermissions, normalizeEventsExportBefore, normalizeEventsExportFormat, normalizeEventsExportLimit, normalizeEventsTailLimit, normalizePageLimit, normalizeSessionLimit, normalizeSnapshot, normalizeUsersExportFormat, normalizeUsersExportLimit, normalizeUsersExportStatus, nowIso, overviewStats, paginateByCreatedAt, parseConfigJson, parseCorsOrigins, parseCredentialEnvelope, parseLegacyFixture, parseUserStatusInput, pgStoreId, planEnvironmentCreate, planMemberImport, planMigration, planProjectCreate, planRuntimeSchema, planUpgrade, pollEventsTail, postgresBackupFailure, postgresContainerSettings, previewMigration, probeOutcomeToError, probeScimEndpoint, promoteEnvironment, publicConfig, publicDirectoryConnection, publicIdentityConnection, recordEvent, redactRecord, redactValue, redeemSetupLink, releaseSetupLink, removeMember, removeMemberInAuth, replayDiagnosticTrace, replayScimTrace, requireOperatorToken, reserveSetupLink, resetAuthBundle, resolveAssignableRole, resolveCredentialKeyring, resolveIdempotencyTtlMs, resolveMembershipId, resolveOperatorScope, resolveScimConnection, resolveSsoConnection, restoreBackup, restorePostgresBackup, revokeApiKey, revokeSession, revokeSessionInAuth, revokeSetupLink, rollbackMigration, rollbackMigrationDurable, rollbackUpgrade, rotateApiKey, rotateCredential, rotateScimCredential, rotateSsoCredential, runDoctor, runMigration, runMigrationDurable, runReadinessCheck, runSsoMatrix, sanitizeAuditEvent, sanitizePrincipalForExport, sanitizeSessionView, scopeFilter, secureBackupArtifact, selectEventsForExport, selectUsersForExport, setConfig, sortEventsDeterministic, sortUsersDeterministic, syncRuntimeOrganizationToManagementDurable, syncRuntimeUserToManagement, syncRuntimeUserToManagementDurable, testScimConnection, testScimConnectionLive, testScimConnectionReal, testSsoConnection, testSsoConnectionLive, testSsoConnectionReal, toSessionView, updateMember, updateMemberInAuth, updateOrganization, updateOrganizationInAuth, updateRole, updateUser, updateUserInAuth, upgradeCheck, upgradeCheckWithDb, validateApiKeyName, validateConfig, validateCurrentConfig, validateIsolatedRestoreDatabaseName, validateRole, validateRoleName, validateRoleSlug, validateSamlProviderConfig, verifyBackup, verifyMigration, verifyMigrationDurable, verifyPostgresBackup, verifySsoOidcLocalProtocol, verifyUpgrade, writeExportArtifact };
|