@fusebase/fusebase-gate-sdk 2.2.18 → 2.2.20-sdk.1

package/dist/apis/IsolatedStoresApi.d.ts

@@ -5,7 +5,7 @@
  * Domain: isolated-stores
  */
 import type { Client } from "../runtime/transport";
-import type { AdoptIsolatedStoreSqlMigrationBaselineRequestContract, AdoptIsolatedStoreSqlMigrationBaselineResponseContract, ApplyIsolatedStoreSqlMigrationsRequestContract, ApplyIsolatedStoreSqlMigrationsResponseContract, AttachIsolatedStoreSourceScopeRequestContract, AttachIsolatedStoreSourceScopeResponseContract, CreateIsolatedStoreCheckpointRequestContract, CreateIsolatedStoreCheckpointResponseContract, CreateIsolatedStoreRequestContract, CreateIsolatedStoreResponseContract, DeleteIsolatedStoreResponseContract, DeleteIsolatedStoreStageResponseContract, GetIsolatedStoreSqlMigrationStatusRequestContract, GetOrCreateIsolatedStoreRequestContract, GetOrCreateIsolatedStoreResponseContract, InitIsolatedStoreStageRequestContract, InitIsolatedStoreStageResponseContract, IsolatedStoreIdInPathRequired, IsolatedStoreListResponseContract, IsolatedStoreResponseContract, IsolatedStoreRevisionIdInPathRequired, IsolatedStoreRevisionListResponseContract, IsolatedStoreSqlBatchInsertRequestContract, IsolatedStoreSqlBatchInsertResponseContract, IsolatedStoreSqlCountRequestContract, IsolatedStoreSqlCountResponseContract, IsolatedStoreSqlDeleteRequestContract, IsolatedStoreSqlDeleteResponseContract, IsolatedStoreSqlDescribeTableResponseContract, IsolatedStoreSqlExecuteRequestContract, IsolatedStoreSqlExecuteResponseContract, IsolatedStoreSqlImportRequestContract, IsolatedStoreSqlImportResponseContract, IsolatedStoreSqlInsertRequestContract, IsolatedStoreSqlInsertResponseContract, IsolatedStoreSqlListTablesResponseContract, IsolatedStoreSqlMigrationStatusContract, IsolatedStoreSqlQueryRequestContract, IsolatedStoreSqlQueryResponseContract, IsolatedStoreSqlSchemaNameInQueryOptional, IsolatedStoreSqlSelectRequestContract, IsolatedStoreSqlSelectResponseContract, IsolatedStoreSqlStatsResponseContract, IsolatedStoreSqlTableNameInPathRequired, IsolatedStoreSqlUpdateRequestContract, IsolatedStoreSqlUpdateResponseContract, IsolatedStoreStageInPathRequired, IsolatedStoreStageListResponseContract, ListIsolatedStoresAliasLikeInQueryOptional, ListIsolatedStoresClientIdInQueryOptional, orgIdInPathRequired, RepairIsolatedStoreSqlMigrationJournalChecksumsRequestContract, RepairIsolatedStoreSqlMigrationJournalChecksumsResponseContract, RestoreIsolatedStoreRevisionResponseContract } from "../types";
+import type { AdoptIsolatedStoreSqlMigrationBaselineRequestContract, AdoptIsolatedStoreSqlMigrationBaselineResponseContract, ApplyIsolatedStoreSqlMigrationsRequestContract, ApplyIsolatedStoreSqlMigrationsResponseContract, AttachIsolatedStoreSourceScopeRequestContract, AttachIsolatedStoreSourceScopeResponseContract, CreateIsolatedStoreCheckpointRequestContract, CreateIsolatedStoreCheckpointResponseContract, CreateIsolatedStoreRequestContract, CreateIsolatedStoreResponseContract, DeleteIsolatedStoreResponseContract, DeleteIsolatedStoreStageResponseContract, GetIsolatedStoreSqlMigrationStatusRequestContract, GetOrCreateIsolatedStoreRequestContract, GetOrCreateIsolatedStoreResponseContract, InitIsolatedStoreStageRequestContract, InitIsolatedStoreStageResponseContract, IsolatedStoreIdInPathRequired, IsolatedStoreListResponseContract, IsolatedStoreResponseContract, IsolatedStoreRevisionIdInPathRequired, IsolatedStoreRevisionListResponseContract, IsolatedStoreSqlBatchInsertRequestContract, IsolatedStoreSqlBatchInsertResponseContract, IsolatedStoreSqlCountRequestContract, IsolatedStoreSqlCountResponseContract, IsolatedStoreSqlDeleteRequestContract, IsolatedStoreSqlDeleteResponseContract, IsolatedStoreSqlDescribeTableResponseContract, IsolatedStoreSqlExecuteRequestContract, IsolatedStoreSqlExecuteResponseContract, IsolatedStoreSqlImportRequestContract, IsolatedStoreSqlImportResponseContract, IsolatedStoreSqlInsertRequestContract, IsolatedStoreSqlInsertResponseContract, IsolatedStoreSqlListTablesResponseContract, IsolatedStoreSqlMigrationStatusContract, IsolatedStoreSqlQueryRequestContract, IsolatedStoreSqlQueryResponseContract, IsolatedStoreSqlRlsStatusResponseContract, IsolatedStoreSqlSchemaNameInQueryOptional, IsolatedStoreSqlSelectRequestContract, IsolatedStoreSqlSelectResponseContract, IsolatedStoreSqlStatsResponseContract, IsolatedStoreSqlTableNameInPathRequired, IsolatedStoreSqlUpdateRequestContract, IsolatedStoreSqlUpdateResponseContract, IsolatedStoreStageInPathRequired, IsolatedStoreStageListResponseContract, ListIsolatedStoresAliasLikeInQueryOptional, ListIsolatedStoresClientIdInQueryOptional, orgIdInPathRequired, RepairIsolatedStoreSqlMigrationJournalChecksumsRequestContract, RepairIsolatedStoreSqlMigrationJournalChecksumsResponseContract, RestoreIsolatedStoreRevisionResponseContract } from "../types";
 export declare class IsolatedStoresApi {
     private client;
     constructor(client: Client);
@@ -199,6 +199,21 @@ export declare class IsolatedStoresApi {
         headers?: Record<string, string>;
         body: GetIsolatedStoreSqlMigrationStatusRequestContract;
     }): Promise<IsolatedStoreSqlMigrationStatusContract>;
+    /**
+     * Get SQL RLS status
+     * Returns read-only PostgreSQL row-level security introspection for the selected isolated store stage: table RLS flags, FORCE RLS flags, policies, columns, indexes, and table-level warnings. This is intended for Studio/support visibility; policy changes must still flow through app migrations.
+     */
+    getIsolatedStoreSqlRlsStatus(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+            storeId: IsolatedStoreIdInPathRequired;
+            stage: IsolatedStoreStageInPathRequired;
+        };
+        query?: {
+            schemaName?: IsolatedStoreSqlSchemaNameInQueryOptional;
+        };
+        headers?: Record<string, string>;
+    }): Promise<IsolatedStoreSqlRlsStatusResponseContract>;
     /**
      * Get SQL stats
      * Returns table-level stats for the selected isolated postgres stage, including tables, columns, row counts, and relation-size hints.

package/dist/apis/IsolatedStoresApi.js

@@ -232,6 +232,21 @@ class IsolatedStoresApi {
             expectedContentType: "application/json",
         });
     }
+    /**
+     * Get SQL RLS status
+     * Returns read-only PostgreSQL row-level security introspection for the selected isolated store stage: table RLS flags, FORCE RLS flags, policies, columns, indexes, and table-level warnings. This is intended for Studio/support visibility; policy changes must still flow through app migrations.
+     */
+    async getIsolatedStoreSqlRlsStatus(params) {
+        return this.client.request({
+            method: "GET",
+            path: "/:orgId/isolated-stores/:storeId/stages/:stage/sql/rls/status",
+            pathParams: params.path,
+            query: params.query,
+            headers: params.headers,
+            opId: "getIsolatedStoreSqlRlsStatus",
+            expectedContentType: "application/json",
+        });
+    }
     /**
      * Get SQL stats
      * Returns table-level stats for the selected isolated postgres stage, including tables, columns, row counts, and relation-size hints.

package/dist/apis/PortalsApi.d.ts

@@ -5,10 +5,32 @@
  * Domain: portals
  */
 import type { Client } from "../runtime/transport";
-import type { orgIdInPathRequired, OrgPortalListResponseContract } from "../types";
+import type { CreatePortalRequestContract, CreatePortalResponseContract, globalIdInPathRequired, orgIdInPathRequired, OrgPortalListResponseContract, PortalDetailContract } from "../types";
 export declare class PortalsApi {
     private client;
     constructor(client: Client);
+    /**
+     * Create a new portal
+     * Creates a new portal under the given org and workspace. Returns portal details and one-time admin credentials for the portal customizer. Requires org.write and org access.
+     */
+    createPortal(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+        };
+        headers?: Record<string, string>;
+        body: CreatePortalRequestContract;
+    }): Promise<CreatePortalResponseContract>;
+    /**
+     * Get portal details
+     * Returns detailed information for a single portal by ID. Requires org.read access.
+     */
+    getPortal(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+            globalId: globalIdInPathRequired;
+        };
+        headers?: Record<string, string>;
+    }): Promise<PortalDetailContract>;
     /**
      * List organization portals
      * Returns portals visible for the caller in the organization. Requires org.read and org access.

package/dist/apis/PortalsApi.js

@@ -11,6 +11,35 @@ class PortalsApi {
     constructor(client) {
         this.client = client;
     }
+    /**
+     * Create a new portal
+     * Creates a new portal under the given org and workspace. Returns portal details and one-time admin credentials for the portal customizer. Requires org.write and org access.
+     */
+    async createPortal(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/:orgId/portals",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "createPortal",
+            expectedContentType: "application/json",
+        });
+    }
+    /**
+     * Get portal details
+     * Returns detailed information for a single portal by ID. Requires org.read access.
+     */
+    async getPortal(params) {
+        return this.client.request({
+            method: "GET",
+            path: "/:orgId/portals/:globalId",
+            pathParams: params.path,
+            headers: params.headers,
+            opId: "getPortal",
+            expectedContentType: "application/json",
+        });
+    }
     /**
      * List organization portals
      * Returns portals visible for the caller in the organization. Requires org.read and org access.

package/dist/types/index.d.ts

@@ -17,6 +17,7 @@ export type { MeAuthContract, MeOrgGroupContract, MeResponseContract, MeScopeCon
 export * from "./note/note";
 export * from "./org-group/org-group";
 export type { OrgInviteContract, OrgMagicLinkContract, OrgPortalContract, OrgPortalListResponseContract, OrgUserAddRequestContract, OrgUserAddResponseContract, OrgUserContract, OrgUserListResponseContract, OrgWorkspaceContract, OrgWorkspaceInviteContract, OrgWorkspaceListResponseContract, OrgWorkspaceMemberContract } from "./org-user/org-user";
+export type { CreatePortalRequestContract, CreatePortalResponseContract, PortalDetailContract, globalIdInPathRequired } from "./portals/portals";
 export * from "./shared/common";
 export * from "./shared/enums";
 export type { GetHealth200ResponseContract } from "./shared/health";

package/dist/types/isolated-store/isolated-store.d.ts

@@ -107,6 +107,76 @@ export interface IsolatedStoreSqlStatsResponseContract {
     totalBytes?: number | null;
     tables: IsolatedStoreSqlTableStatsContract[];
 }
+export type IsolatedStoreSqlRlsWarningCodeContract = "rls_not_enabled" | "rls_not_forced" | "rls_enabled_without_policies";
+export interface IsolatedStoreSqlRlsWarningContract {
+    code: IsolatedStoreSqlRlsWarningCodeContract;
+    message: string;
+}
+export interface IsolatedStoreSqlRlsPolicyContract {
+    policyName: string;
+    command: string;
+    roles: string[];
+    usingExpression?: string | null;
+    withCheckExpression?: string | null;
+}
+export interface IsolatedStoreSqlRlsIndexContract {
+    indexName: string;
+    isUnique: boolean;
+    columnNames: string[];
+    indexDefinition: string;
+}
+export interface IsolatedStoreSqlRlsTableStatusContract {
+    schemaName: string;
+    tableName: string;
+    tableType: string;
+    rlsEnabled: boolean;
+    rlsForced: boolean;
+    columns: IsolatedStoreSqlColumnContract[];
+    indexes: IsolatedStoreSqlRlsIndexContract[];
+    policies: IsolatedStoreSqlRlsPolicyContract[];
+    warnings: IsolatedStoreSqlRlsWarningContract[];
+}
+export interface IsolatedStoreSqlRlsStatusResponseContract {
+    databaseName: string;
+    schemaName: string;
+    tableCount: number;
+    rlsEnabledCount: number;
+    rlsForcedCount: number;
+    tables: IsolatedStoreSqlRlsTableStatusContract[];
+}
+export type IsolatedStoreSqlRlsTableClassificationContract = "tenant" | "user" | "owner_collaborator" | "scoped" | "none" | "technical";
+export interface IsolatedStoreSqlRlsScopeManifestContract {
+    name: string;
+    column: string;
+    setting?: string | null;
+}
+export interface IsolatedStoreSqlRlsTableManifestContract {
+    classification: IsolatedStoreSqlRlsTableClassificationContract;
+    schemaName?: string | null;
+    orgColumn?: string | null;
+    userColumn?: string | null;
+    ownerColumn?: string | null;
+    collaboratorTable?: string | null;
+    scopes?: IsolatedStoreSqlRlsScopeManifestContract[] | null;
+    reason?: string | null;
+}
+export interface IsolatedStoreSqlRlsManifestContract {
+    tables: Record<string, IsolatedStoreSqlRlsTableManifestContract>;
+}
+export type IsolatedStoreSqlRlsValidationWarningCodeContract = "rls_manifest_table_missing" | "rls_manifest_column_missing" | "rls_manifest_index_missing" | "rls_manifest_policy_missing" | "rls_manifest_rls_not_enabled" | "rls_manifest_rls_not_forced" | "rls_manifest_exemption_reason_missing" | "rls_manifest_collaborator_table_missing";
+export interface IsolatedStoreSqlRlsValidationWarningContract {
+    code: IsolatedStoreSqlRlsValidationWarningCodeContract;
+    message: string;
+    tableName: string;
+    schemaName?: string | null;
+    columnName?: string | null;
+}
+export interface IsolatedStoreSqlRlsValidationResultContract {
+    mode: "warn";
+    tableCount: number;
+    warningCount: number;
+    warnings: IsolatedStoreSqlRlsValidationWarningContract[];
+}
 export interface IsolatedStoreSqlMigrationBundleEntryContract {
     version: number;
     name: string;
@@ -173,10 +243,12 @@ export interface IsolatedStoreSqlMigrationStatusContract {
     structuredIssues: IsolatedStoreSqlMigrationIssueContract[];
     appliedMigrations: IsolatedStoreSqlAppliedMigrationContract[];
     pendingMigrations: IsolatedStoreSqlMigrationBundleEntryContract[];
+    rlsValidation?: IsolatedStoreSqlRlsValidationResultContract | null;
 }
 export interface GetIsolatedStoreSqlMigrationStatusRequestContract {
     schemaName?: IsolatedStoreSqlSchemaNameInQueryOptional;
     bundle: IsolatedStoreSqlMigrationBundleContract;
+    rlsManifest?: IsolatedStoreSqlRlsManifestContract | null;
     /** Same optimistic-lock semantics as `applyIsolatedStoreSqlMigrations`; HTTP 409 when the journal tail disagrees. */
     expectedLastAppliedVersion?: number | null;
     expectedLastAppliedChecksum?: string | null;
@@ -189,6 +261,8 @@ export interface ApplyIsolatedStoreSqlMigrationsRequestContract {
      * expected-head validation) but does not execute SQL or write the journal.
      */
     dryRun?: boolean | null;
+    /** Optional warn-only RLS manifest validation for current/post-apply database state. */
+    rlsManifest?: IsolatedStoreSqlRlsManifestContract | null;
     /**
      * Optimistic lock: last applied migration version on the server must match.
      * Omit to skip. Use `null` to require an empty journal (no rows applied).
@@ -211,6 +285,7 @@ export interface ApplyIsolatedStoreSqlMigrationsResponseContract {
 export interface AdoptIsolatedStoreSqlMigrationBaselineRequestContract {
     schemaName?: IsolatedStoreSqlSchemaNameInQueryOptional;
     bundle: IsolatedStoreSqlMigrationBundleContract;
+    rlsManifest?: IsolatedStoreSqlRlsManifestContract | null;
     /** Validate eligibility and return the projected post-adoption status without writing the journal. */
     dryRun?: boolean | null;
 }
@@ -255,6 +330,7 @@ export interface IsolatedStoreSqlDescribeTableResponseContract {
 export interface IsolatedStoreSqlQueryRequestContract {
     sql: string;
     params?: unknown[] | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
 export interface IsolatedStoreSqlQueryResultContract {
     command: string;
@@ -268,7 +344,10 @@ export interface IsolatedStoreSqlQueryResponseContract {
 export interface IsolatedStoreSqlExecuteRequestContract {
     sql: string;
     params?: unknown[] | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
+export type IsolatedStoreSqlRlsContextValueContract = string | number | boolean | null;
+export type IsolatedStoreSqlRlsContextContract = Record<string, IsolatedStoreSqlRlsContextValueContract>;
 export interface IsolatedStoreSqlExecuteResponseContract {
     result: IsolatedStoreSqlQueryResultContract;
 }
@@ -287,6 +366,7 @@ export interface IsolatedStoreSqlCountRequestContract {
     schemaName?: IsolatedStoreSqlSchemaNameInQueryOptional;
     tableName: string;
     filters?: IsolatedStoreSqlFilterContract[] | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
 export interface IsolatedStoreSqlCountResponseContract {
     count: number;
@@ -299,6 +379,7 @@ export interface IsolatedStoreSqlSelectRequestContract {
     sort?: IsolatedStoreSqlSortContract[] | null;
     limit?: number | null;
     offset?: number | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
 export interface IsolatedStoreSqlSelectResponseContract {
     columns: string[];
@@ -314,6 +395,7 @@ export interface IsolatedStoreSqlInsertRequestContract {
     tableName: string;
     values: Record<string, unknown>;
     returning?: string[] | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
 export interface IsolatedStoreSqlInsertResponseContract {
     rowCount: number;
@@ -324,6 +406,7 @@ export interface IsolatedStoreSqlBatchInsertRequestContract {
     tableName: string;
     rows: Record<string, unknown>[];
     returning?: string[] | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
 export interface IsolatedStoreSqlBatchInsertResponseContract {
     rowCount: number;
@@ -338,6 +421,7 @@ export interface IsolatedStoreSqlImportRequestContract {
     columns?: string[] | null;
     hasHeader?: boolean | null;
     nullString?: string | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
 export interface IsolatedStoreSqlImportResponseContract {
     imported: true;
@@ -352,6 +436,7 @@ export interface IsolatedStoreSqlUpdateRequestContract {
     filters?: IsolatedStoreSqlFilterContract[] | null;
     allowAll?: boolean | null;
     returning?: string[] | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
 export interface IsolatedStoreSqlUpdateResponseContract {
     rowCount: number;
@@ -362,6 +447,7 @@ export interface IsolatedStoreSqlDeleteRequestContract {
     tableName: string;
     filters?: IsolatedStoreSqlFilterContract[] | null;
     allowAll?: boolean | null;
+    rlsContext?: IsolatedStoreSqlRlsContextContract | null;
 }
 export interface IsolatedStoreSqlDeleteResponseContract {
     rowCount: number;
@@ -487,6 +573,29 @@ export declare const IsolatedStoreScopeTypeContract: {
     readonly ParentRow: "parent_row";
     readonly ParentTable: "parent_table";
 };
+export declare const IsolatedStoreSqlRlsWarningCodeContract: {
+    readonly RlsNotEnabled: "rls_not_enabled";
+    readonly RlsNotForced: "rls_not_forced";
+    readonly RlsEnabledWithoutPolicies: "rls_enabled_without_policies";
+};
+export declare const IsolatedStoreSqlRlsTableClassificationContract: {
+    readonly Tenant: "tenant";
+    readonly User: "user";
+    readonly OwnerCollaborator: "owner_collaborator";
+    readonly Scoped: "scoped";
+    readonly None: "none";
+    readonly Technical: "technical";
+};
+export declare const IsolatedStoreSqlRlsValidationWarningCodeContract: {
+    readonly RlsManifestTableMissing: "rls_manifest_table_missing";
+    readonly RlsManifestColumnMissing: "rls_manifest_column_missing";
+    readonly RlsManifestIndexMissing: "rls_manifest_index_missing";
+    readonly RlsManifestPolicyMissing: "rls_manifest_policy_missing";
+    readonly RlsManifestRlsNotEnabled: "rls_manifest_rls_not_enabled";
+    readonly RlsManifestRlsNotForced: "rls_manifest_rls_not_forced";
+    readonly RlsManifestExemptionReasonMissing: "rls_manifest_exemption_reason_missing";
+    readonly RlsManifestCollaboratorTableMissing: "rls_manifest_collaborator_table_missing";
+};
 export declare const IsolatedStoreSqlMigrationIssueCodeContract: {
     readonly IsolatedSqlJournalLongerThanBundle: "isolated_sql_journal_longer_than_bundle";
     readonly IsolatedSqlVersionMismatch: "isolated_sql_version_mismatch";

package/dist/types/isolated-store/isolated-store.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.IsolatedStoreSqlImportFormatContract = exports.IsolatedStoreSqlSortDirectionContract = exports.IsolatedStoreSqlFilterOperatorContract = exports.IsolatedStoreSqlMigrationIssueFieldContract = exports.IsolatedStoreSqlMigrationIssueCodeContract = exports.IsolatedStoreScopeTypeContract = exports.IsolatedStoreRevisionKindContract = exports.IsolatedStoreStageStatusContract = exports.IsolatedStoreStatusContract = exports.IsolatedStoreEngineContract = exports.IsolatedStoreTypeContract = void 0;
+exports.IsolatedStoreSqlImportFormatContract = exports.IsolatedStoreSqlSortDirectionContract = exports.IsolatedStoreSqlFilterOperatorContract = exports.IsolatedStoreSqlMigrationIssueFieldContract = exports.IsolatedStoreSqlMigrationIssueCodeContract = exports.IsolatedStoreSqlRlsValidationWarningCodeContract = exports.IsolatedStoreSqlRlsTableClassificationContract = exports.IsolatedStoreSqlRlsWarningCodeContract = exports.IsolatedStoreScopeTypeContract = exports.IsolatedStoreRevisionKindContract = exports.IsolatedStoreStageStatusContract = exports.IsolatedStoreStatusContract = exports.IsolatedStoreEngineContract = exports.IsolatedStoreTypeContract = void 0;
 exports.IsolatedStoreTypeContract = {
     Sql: "sql"
 };
@@ -32,6 +32,29 @@ exports.IsolatedStoreScopeTypeContract = {
     ParentRow: "parent_row",
     ParentTable: "parent_table"
 };
+exports.IsolatedStoreSqlRlsWarningCodeContract = {
+    RlsNotEnabled: "rls_not_enabled",
+    RlsNotForced: "rls_not_forced",
+    RlsEnabledWithoutPolicies: "rls_enabled_without_policies"
+};
+exports.IsolatedStoreSqlRlsTableClassificationContract = {
+    Tenant: "tenant",
+    User: "user",
+    OwnerCollaborator: "owner_collaborator",
+    Scoped: "scoped",
+    None: "none",
+    Technical: "technical"
+};
+exports.IsolatedStoreSqlRlsValidationWarningCodeContract = {
+    RlsManifestTableMissing: "rls_manifest_table_missing",
+    RlsManifestColumnMissing: "rls_manifest_column_missing",
+    RlsManifestIndexMissing: "rls_manifest_index_missing",
+    RlsManifestPolicyMissing: "rls_manifest_policy_missing",
+    RlsManifestRlsNotEnabled: "rls_manifest_rls_not_enabled",
+    RlsManifestRlsNotForced: "rls_manifest_rls_not_forced",
+    RlsManifestExemptionReasonMissing: "rls_manifest_exemption_reason_missing",
+    RlsManifestCollaboratorTableMissing: "rls_manifest_collaborator_table_missing"
+};
 exports.IsolatedStoreSqlMigrationIssueCodeContract = {
     IsolatedSqlJournalLongerThanBundle: "isolated_sql_journal_longer_than_bundle",
     IsolatedSqlVersionMismatch: "isolated_sql_version_mismatch",

package/dist/types/portals/portals.d.ts

@@ -0,0 +1,26 @@
+export type globalIdInPathRequired = string;
+export type PortalThemeKey = "light_purple" | "soft_light" | "quite_green" | "space_gray" | "carbon" | "oxford" | "ultramarine" | "milky_blue" | "shades_of_green" | "savvy_red" | "light_orange" | "light_blue" | "lemon_drop";
+export interface CreatePortalRequestContract {
+    workspaceId: string;
+    domain: string;
+    name?: string;
+    /** Color theme key for the portal. When provided, applied via updateThemeSettings changeEvent. */
+    theme?: PortalThemeKey;
+}
+export interface CreatePortalResponseContract {
+    portal: PortalDetailContract;
+}
+export interface PortalDetailContract {
+    id: string;
+    orgId: string;
+    workspaceId: string;
+    domain: string;
+    status: string;
+    createdAt: number;
+    updatedAt: number;
+    lastPublishedAt?: number;
+    version: number;
+    cnameType?: string;
+    cnameValue?: string;
+    cnameStatus?: string;
+}

package/dist/types/portals/portals.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fusebase/fusebase-gate-sdk",
-  "version": "2.2.18",
+  "version": "2.2.20-sdk.1",
   "description": "TypeScript SDK for Fusebase Gate APIs - Generated from contract introspection",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

package/release-notes/2.2.20-sdk.1.md

@@ -0,0 +1,9 @@
+# Release Notes 2.2.20-sdk.1
+
+- Current ref: `HEAD`
+- Previous tag: `v2.2.20-sdk.1`
+- Generated at: 2026-05-28T11:36:01.681Z
+
+## Included Drafts
+
+- None

package/release-notes/latest.md

@@ -1,8 +1,8 @@
-# Release Notes 2.2.18
+# Release Notes 2.2.20-sdk.1
 
 - Current ref: `HEAD`
-- Previous tag: `v2.2.18`
-- Generated at: 2026-05-27T10:22:43.939Z
+- Previous tag: `v2.2.20-sdk.1`
+- Generated at: 2026-05-28T11:36:01.681Z
 
 ## Included Drafts
 

package/release-notes/2.2.15-sdk.7.md

@@ -1,122 +0,0 @@
-# Release Notes 2.2.15-sdk.7
-
-- Current ref: `HEAD`
-- Previous tag: `v2.2.15-sdk.5`
-- Generated at: 2026-05-22T11:41:28.271Z
-
-## Included Drafts
-
-- `docs/release-notes/2026-05-06-app-magic-links.md` - 2026-05-06-app-magic-links
-- `docs/release-notes/2026-05-20-app-magic-links-product-app-naming.md` - 2026-05-20-app-magic-links-product-app-naming
-- `docs/release-notes/2026-05-21-fusebase-auth-app-flows.md` - 2026-05-21-fusebase-auth-app-flows
-- `docs/release-notes/2026-05-22-magic-link-access-principals-skills.md` - 2026-05-22 — Magic-link accessPrincipals and session-exchange skill guidance
-
-## Summary
-
-### 2026-05-06-app-magic-links
-
-Surface AI App **Magic Link** flows through Gate. Three new ops let app owners and runtime apps issue, request, and activate magic links against `nimbus-ai`'s storage layer. Ships with a new `appMagicLinks` MCP prompt group and the regenerated `app-magic-links.md` skill reference under `generated/claude_skills/fusebase-gate/references/`.
-
-### 2026-05-20-app-magic-links-product-app-naming
-
-Update the `appMagicLinks` MCP prompt (and the regenerated `app-magic-links.md` skill reference) so it accounts for the `app → product` / `feature → app` rename. The magic-link **wire contract still uses the pre-rename field names** (`appId`, `appFeatureId`, `featureToken`), which no longer match the CLI (`fusebase.json`, `fusebase app list`). The stale skill caused agents to pass an App id where Gate expects a Product id, failing with `App not found`. No API, SDK, or permission changes — skill/prompt content only.
-
-### 2026-05-22 — Magic-link accessPrincipals and session-exchange skill guidance
-
-Expand MCP prompt / skill guidance so agents and app builders do not confuse **org membership** with **App `accessPrincipals`** (silent `requestAppMagicLink` no-ops) and document the **post-activation** pattern: exchange `featureToken` + `sessionToken` on the app backend with `EverHelper-Session-ID` before relying on platform cookies.
-
-
-## API / SDK Changes
-
-### 2026-05-06-app-magic-links
-
-- New ops in `src/api/contracts/ops/app-magic-links/app-magic-links.ts`:
-  - `createAppMagicLink` — `POST /:orgId/apps/:appId/magic-links`. Owner/admin invite flow. Requires the new permission `app_magic_link.write` and org access.
-  - `requestAppMagicLink` — `POST /apps/by-host/:host/magic-links/request`. Visitor self-service flow (no auth). Always returns `{ ok: true }` so it cannot be used to enumerate emails or access state. Apply per-IP rate limiting upstream.
-  - `activateAppMagicLink` — `POST /apps/magic-links/:globalId/activate`. Visitor activation (no auth). Returns `{ id, sessionToken, featureToken, dashboardToken, redirectPath, expiresAt, appFeatureId }`. Surfaces `403` with `reason=expired|revoked` and `404` for unknown/deleted links.
-- New permission `app_magic_link.write` registered in `GatePermission` and granted to owner/manager/member/guest roles via the existing `GATE_ALL_PERMISSIONS` set.
-- New controller `AppMagicLinksController` (`src/controllers/app-magic-links/app-magic-links.ts`) and nimbus-ai client wrapper `src/clients/app-magic-link-client.ts`. The wrapper forwards the caller's userId via the standard `Authorization: Internal <userId>:gate` + `X-Secret` header pair on the create endpoint, and only `X-Secret` on the visitor endpoints.
-- Bumped `@internal/nimbus-ai` peer to `^1.58.0` to pick up the new `apiCreateAppMagicLink`, `apiRequestAppMagicLink`, and `apiActivateAppMagicLink` methods. The 1.58.0 client is published by the nimbus-ai NIM-40935 MR (`internal/nimbus-ai!65`); CI on this MR will be red until that MR lands and the registry has 1.58.0.
-
-### 2026-05-20-app-magic-links-product-app-naming
-
-- None. The HTTP contracts, SDK, OpenAPI spec, and permissions are unchanged.
-
-
-## Consumer Impact
-
-### 2026-05-06-app-magic-links
-
-- New SDK domain `AppMagicLinksApi` with three methods (`createAppMagicLink`, `requestAppMagicLink`, `activateAppMagicLink`) materialized in `generated/sdk-client/src/apis/AppMagicLinksApi.ts`.
-- New SDK type module `generated/sdk-client/src/types/app-magic-link/`.
-- Apps that want to ship a one-click client onboarding flow can now invite-by-email (with optional `addToAccessPrincipals=true` to provision a brand-new user) and surface a `/link?id=…&redirect=…` route in their SPA scaffold (see follow-up subtask NIM-41013 for the apps-cli template).
-- The `request` endpoint never mutates `accessPrincipals` and never provisions users, by design — visitors can self-service only when they already have access.
-- New MCP prompt group `appMagicLinks` (registered in `src/mcp/prompts/index.ts`) covers when to use each flow, deep-link `redirectPath` rules, and expired/revoked link handling. The op contracts declare `promptGroups: ["authz", "sdk", "appMagicLinks"]` (authed) and `["sdk", "appMagicLinks"]` (visitor), so prompt-aware MCP clients receive the guidance automatically.
-- New skill reference file `generated/claude_skills/fusebase-gate/references/app-magic-links.md` (marker `mcp-app-magic-links-loaded`). `npm run mcp:skills:copy-to-apps-cli:local` propagates it into `apps-cli/project-template/.claude/skills/fusebase-gate/references/` for fresh `fusebase init` output.
-
-### 2026-05-20-app-magic-links-product-app-naming
-
-- `src/mcp/prompts/app-magic-links.ts` — bumped `version` `1.0.0` → `1.1.0`. New "Terminology: `product` / `app` vs the Gate wire contract" section maps the renamed concepts onto the unchanged wire fields:
-  - `createAppMagicLink`'s `appId` **path segment** is the **Product id** (`productId` in `fusebase.json`), not an App id.
-  - `appFeatureId` in the activation response and the scope of `featureToken` is an **App** id (`apps[].id` / `fusebase app list`).
-  - The wire field names stay at their pre-rename spelling for backward compatibility; only the human-facing concepts were renamed.
-- The Invite-flow, Identity/Scoping, Activation, and Working-Rules sections now use `Product` / `App` consistently ("every App of the Product", "App-scoped by host", etc.) and call out the `App not found` failure mode explicitly.
-- The Activation section now folds in the SPA `fetch`-vs-SDK note and the `fbsdashboardtoken` cookie detail, so the next `mcp:skills:copy-to-apps-cli` no longer reverts the apps-cli-side hand edits — the generated skill is the single source of truth again.
-- Regenerated `generated/claude_skills/fusebase-gate/references/app-magic-links.md` (frontmatter `version: 1.1.0`). `apps-cli` receives the same file under `project-template/.claude/skills/fusebase-gate/references/`.
-
-
-## Verification
-
-### 2026-05-06-app-magic-links
-
-- `npm run lint`
-- `npm test` (190 tests pass; new tests in `tests/unit/app-magic-links-contracts.test.ts` and `tests/unit/app-magic-links-controller.test.ts`)
-- `npm run build`
-- `FEATURE_FLAGS=isolated_sql_stores,isolated_nosql_stores npm run build:sdk` — SDK regenerated, `dist/apis/AppMagicLinksApi.{js,d.ts}` and `dist/types/app-magic-link/` produced; OpenAPI spec updated.
-- `npm run mcp:skills:generate` — `app-magic-links.md` written under `generated/claude_skills/fusebase-gate/references/`; `SKILL.md` TOC updated.
-- `npm run mcp:skills:validate` — passes (1 skill).
-- `npm run mcp:skills:copy-to-apps-cli:local` — generated skill copied into the local apps-cli checkout (commit owned by NIM-41013).
-
-### 2026-05-20-app-magic-links-product-app-naming
-
-- `npm run build` — clean.
-- `npm run lint` — 0 errors (5 pre-existing `dist/` warnings).
-- `npm test` — 216 pass / 1 skipped, including the new `mcp-prompts.test.ts` case `maps the product/app rename onto the magic-link wire contract`.
-- `npm run mcp:skills:generate` — only `app-magic-links.md` rewritten.
-- `npm run mcp:skills:validate` — passes (1 skill).
-
-### 2026-05-22 — Magic-link accessPrincipals and session-exchange skill guidance
-
-- `npm test -- --runInBand tests/unit/mcp-prompts.test.ts`
-- `npm run mcp:skills:generate`
-- `npm run mcp:skills:validate`
-- `npm run mcp:skills:copy-to-apps-cli:local` (optional; propagates to `apps-cli/project-template`)
-
-
-## Follow-ups
-
-### 2026-05-06-app-magic-links
-
-- **CI dependency:** the dependency bump to `@internal/nimbus-ai@^1.58.0` requires `internal/nimbus-ai!65` (NIM-40935) to merge and publish 1.58.0 to the GitLab npm registry. After it merges, this branch should be rebased and `npm install` re-run to refresh the lock file with the upstream-published integrity hash.
-- **NIM-41013:** receive the generated skill in `apps-cli` and ship the `/link` route example in `feature-templates/spa/`. The skill file is already in the local apps-cli working tree from `mcp:skills:copy-to-apps-cli:local`; NIM-41013 owns the apps-cli commit.
-
-### 2026-05-20-app-magic-links-product-app-naming
-
-- Optional: align the magic-link wire field names (`appId` → `productId`, `appFeatureId` → `appId`) and the `nimbus-ai` `app_magic_links` columns with the new terminology. That is a contract/SDK change deferred as a separate product decision (see story-spec `NIM-40935/README.md` Open Questions); this change only makes the skill describe the current contract correctly.
-
-
-## Changes
-
-### 2026-05-22 — Magic-link accessPrincipals and session-exchange skill guidance
-
-- `src/mcp/prompts/fusebase-auth.ts` — `1.0.0` → `1.1.0`: `accessPrincipals` vs org membership, Memberspace `--access` checklist, magic-link → app session exchange.
-- `src/mcp/prompts/app-magic-links.ts` — `1.1.0` → `1.2.0`: self-service diagnostics, principals table, activation/session exchange section; clarify `sessionToken` vs `featureToken`.
-- `src/mcp/prompts/users.ts` — `1.0.0` → `1.1.0`: `addOrgUser` does not grant app principals / magic-link dispatch.
-- Regenerated `generated/claude_skills/fusebase-gate/references/{fusebase-auth,app-magic-links,users}.md`.
-
-
-## Consumer impact
-
-### 2026-05-22 — Magic-link accessPrincipals and session-exchange skill guidance
-
-Documentation / agent guidance only — no API or permission changes.

package/release-notes/2.2.18.md

@@ -1,9 +0,0 @@
-# Release Notes 2.2.18
-
-- Current ref: `HEAD`
-- Previous tag: `v2.2.18`
-- Generated at: 2026-05-27T10:22:43.939Z
-
-## Included Drafts
-
-- None