@fusebase/fusebase-gate-sdk 2.2.21-sdk.1 → 2.2.21-sdk.11

package/dist/apis/IsolatedStoresApi.d.ts

@@ -73,6 +73,19 @@ export declare class IsolatedStoresApi {
         headers?: Record<string, string>;
         body: IsolatedStoreSqlCountRequestContract;
     }): Promise<IsolatedStoreSqlCountResponseContract>;
+    /**
+     * Count rows with RLS bypass
+     * Counts rows in a postgres table through the explicit audited RLS-bypass read path. Intended for Studio/admin data explorer views only; normal runtime reads must use countIsolatedStoreSqlRows.
+     */
+    countIsolatedStoreSqlRowsRlsBypass(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+            storeId: IsolatedStoreIdInPathRequired;
+            stage: IsolatedStoreStageInPathRequired;
+        };
+        headers?: Record<string, string>;
+        body: IsolatedStoreSqlCountRequestContract;
+    }): Promise<IsolatedStoreSqlCountResponseContract>;
     /**
      * Create isolated store
      * Registers a low-level store and binds it to the organization scope plus an isolated source scope such as app.
@@ -379,6 +392,19 @@ export declare class IsolatedStoresApi {
         headers?: Record<string, string>;
         body: IsolatedStoreSqlSelectRequestContract;
     }): Promise<IsolatedStoreSqlSelectResponseContract>;
+    /**
+     * Select rows with RLS bypass
+     * Reads rows through the explicit audited RLS-bypass read path. Intended for Studio/admin data explorer views only; normal runtime reads must use selectIsolatedStoreSqlRows.
+     */
+    selectIsolatedStoreSqlRowsRlsBypass(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+            storeId: IsolatedStoreIdInPathRequired;
+            stage: IsolatedStoreStageInPathRequired;
+        };
+        headers?: Record<string, string>;
+        body: IsolatedStoreSqlSelectRequestContract;
+    }): Promise<IsolatedStoreSqlSelectResponseContract>;
     /**
      * Update rows
      * Updates rows in a postgres table using structured filters. Filterless updates are blocked unless allowAll=true is explicitly set.

package/dist/apis/IsolatedStoresApi.js

@@ -86,6 +86,21 @@ class IsolatedStoresApi {
             expectedContentType: "application/json",
         });
     }
+    /**
+     * Count rows with RLS bypass
+     * Counts rows in a postgres table through the explicit audited RLS-bypass read path. Intended for Studio/admin data explorer views only; normal runtime reads must use countIsolatedStoreSqlRows.
+     */
+    async countIsolatedStoreSqlRowsRlsBypass(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/:orgId/isolated-stores/:storeId/stages/:stage/sql/rows/count/rls-bypass",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "countIsolatedStoreSqlRowsRlsBypass",
+            expectedContentType: "application/json",
+        });
+    }
     /**
      * Create isolated store
      * Registers a low-level store and binds it to the organization scope plus an isolated source scope such as app.
@@ -438,6 +453,21 @@ class IsolatedStoresApi {
             expectedContentType: "application/json",
         });
     }
+    /**
+     * Select rows with RLS bypass
+     * Reads rows through the explicit audited RLS-bypass read path. Intended for Studio/admin data explorer views only; normal runtime reads must use selectIsolatedStoreSqlRows.
+     */
+    async selectIsolatedStoreSqlRowsRlsBypass(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/:orgId/isolated-stores/:storeId/stages/:stage/sql/rows/select/rls-bypass",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "selectIsolatedStoreSqlRowsRlsBypass",
+            expectedContentType: "application/json",
+        });
+    }
     /**
      * Update rows
      * Updates rows in a postgres table using structured filters. Filterless updates are blocked unless allowAll=true is explicitly set.

package/dist/apis/PortalsApi.d.ts

@@ -5,7 +5,7 @@
  * Domain: portals
  */
 import type { Client } from "../runtime/transport";
-import type { CreatePortalRequestContract, CreatePortalResponseContract, DuplicatePortalRequestContract, globalIdInPathRequired, orgIdInPathRequired, OrgPortalListResponseContract, PortalDetailContract } from "../types";
+import type { CreatePortalRequestContract, CreatePortalResponseContract, DuplicatePortalRequestContract, globalIdInPathRequired, InviteToPortalRequestContract, InviteToPortalResponseContract, orgIdInPathRequired, OrgPortalListResponseContract, PortalDetailContract } from "../types";
 export declare class PortalsApi {
     private client;
     constructor(client: Client);
@@ -34,7 +34,7 @@ export declare class PortalsApi {
     }): Promise<CreatePortalResponseContract>;
     /**
      * Get portal details
-     * Returns detailed information for a single portal by ID. Requires org.read access.
+     * Returns detailed information for a single portal by ID. Requires portals.read access.
      */
     getPortal(params: {
         path: {
@@ -43,9 +43,21 @@ export declare class PortalsApi {
         };
         headers?: Record<string, string>;
     }): Promise<PortalDetailContract>;
+    /**
+     * Invite a user to a portal
+     * Invites a user (client, member, or manager) to a portal via a magic link. For orgRole='client' (default): isFullAccess controls access to private pages (default true). For orgRole='member' or 'manager': always full access, isFullAccess is ignored. Returns a magic link for direct portal access without email confirmation. Invarian — before calling this operation for a client invite (orgRole='client' or unspecified): ALWAYS ask the user 'Full access (all pages) or Shared only (public pages)?' and wait for their answer before proceeding. Do NOT silently assume a default.
+     */
+    inviteToPortal(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+            portalId: globalIdInPathRequired;
+        };
+        headers?: Record<string, string>;
+        body: InviteToPortalRequestContract;
+    }): Promise<InviteToPortalResponseContract>;
     /**
      * List organization portals
-     * Returns portals visible for the caller in the organization. Requires org.read and org access.
+     * Returns portals visible for the caller in the organization. Requires portals.read and org access.
      */
     listPortals(params: {
         path: {

package/dist/apis/PortalsApi.js

@@ -43,7 +43,7 @@ class PortalsApi {
     }
     /**
      * Get portal details
-     * Returns detailed information for a single portal by ID. Requires org.read access.
+     * Returns detailed information for a single portal by ID. Requires portals.read access.
      */
     async getPortal(params) {
         return this.client.request({
@@ -55,9 +55,24 @@ class PortalsApi {
             expectedContentType: "application/json",
         });
     }
+    /**
+     * Invite a user to a portal
+     * Invites a user (client, member, or manager) to a portal via a magic link. For orgRole='client' (default): isFullAccess controls access to private pages (default true). For orgRole='member' or 'manager': always full access, isFullAccess is ignored. Returns a magic link for direct portal access without email confirmation. Invarian — before calling this operation for a client invite (orgRole='client' or unspecified): ALWAYS ask the user 'Full access (all pages) or Shared only (public pages)?' and wait for their answer before proceeding. Do NOT silently assume a default.
+     */
+    async inviteToPortal(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/:orgId/portals/:portalId/invite",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "inviteToPortal",
+            expectedContentType: "application/json",
+        });
+    }
     /**
      * List organization portals
-     * Returns portals visible for the caller in the organization. Requires org.read and org access.
+     * Returns portals visible for the caller in the organization. Requires portals.read and org access.
      */
     async listPortals(params) {
         return this.client.request({

package/dist/apis/WorkspacesApi.d.ts

@@ -5,10 +5,21 @@
  * Domain: workspaces
  */
 import type { Client } from "../runtime/transport";
-import type { orgIdInPathRequired, OrgWorkspaceListResponseContract } from "../types";
+import type { CreateWorkspaceRequestContract, orgIdInPathRequired, OrgWorkspaceContract, OrgWorkspaceListResponseContract } from "../types";
 export declare class WorkspacesApi {
     private client;
     constructor(client: Client);
+    /**
+     * Create a new workspace
+     * Creates a new workspace in the organization. Returns the created workspace details. Requires org.write and org access.
+     */
+    createWorkspace(params: {
+        path: {
+            orgId: orgIdInPathRequired;
+        };
+        headers?: Record<string, string>;
+        body: CreateWorkspaceRequestContract;
+    }): Promise<OrgWorkspaceContract>;
     /**
      * List organization workspaces
      * Returns workspaces visible for the caller in the organization and marks the default workspace. Requires org.read and org access.

package/dist/apis/WorkspacesApi.js

@@ -11,6 +11,21 @@ class WorkspacesApi {
     constructor(client) {
         this.client = client;
     }
+    /**
+     * Create a new workspace
+     * Creates a new workspace in the organization. Returns the created workspace details. Requires org.write and org access.
+     */
+    async createWorkspace(params) {
+        return this.client.request({
+            method: "POST",
+            path: "/:orgId/workspaces",
+            pathParams: params.path,
+            headers: params.headers,
+            body: params.body,
+            opId: "createWorkspace",
+            expectedContentType: "application/json",
+        });
+    }
     /**
      * List organization workspaces
      * Returns workspaces visible for the caller in the organization and marks the default workspace. Requires org.read and org access.

package/dist/types/app-api/app-api.d.ts

@@ -11,6 +11,8 @@ export interface AppApiOperationContract {
     description?: string | null;
     visibility?: string | null;
     executionMode?: string | null;
+    allowedCallers?: string[];
+    requiredPermissions?: string[];
     tags: string[];
     manifestVersion?: string | null;
     publishedAt?: string | null;

package/dist/types/index.d.ts

@@ -16,8 +16,8 @@ export * from "./mcp-manager/mcp-manager";
 export type { MeAuthContract, MeOrgGroupContract, MeResponseContract, MeScopeContract, MeUserContract } from "./me/me";
 export * from "./note/note";
 export * from "./org-group/org-group";
-export type { OrgInviteContract, OrgMagicLinkContract, OrgPortalContract, OrgPortalListResponseContract, OrgUserAddRequestContract, OrgUserAddResponseContract, OrgUserContract, OrgUserListResponseContract, OrgWorkspaceContract, OrgWorkspaceInviteContract, OrgWorkspaceListResponseContract, OrgWorkspaceMemberContract } from "./org-user/org-user";
-export type { CreatePortalRequestContract, CreatePortalResponseContract, DuplicatePortalRequestContract, PortalDetailContract, globalIdInPathRequired } from "./portals/portals";
+export type { CreateWorkspaceRequestContract, OrgInviteContract, OrgMagicLinkContract, OrgPortalContract, OrgPortalListResponseContract, OrgUserAddRequestContract, OrgUserAddResponseContract, OrgUserContract, OrgUserListResponseContract, OrgWorkspaceContract, OrgWorkspaceInviteContract, OrgWorkspaceListResponseContract, OrgWorkspaceMemberContract } from "./org-user/org-user";
+export type { CreatePortalRequestContract, CreatePortalResponseContract, DuplicatePortalRequestContract, InviteToPortalRequestContract, InviteToPortalResponseContract, PortalDetailContract, globalIdInPathRequired } from "./portals/portals";
 export * from "./shared/common";
 export * from "./shared/enums";
 export type { GetHealth200ResponseContract } from "./shared/health";

package/dist/types/org-user/org-user.d.ts

@@ -69,6 +69,10 @@ export interface OrgWorkspaceContract {
 export interface OrgWorkspaceListResponseContract {
     workspaces: OrgWorkspaceContract[];
 }
+export interface CreateWorkspaceRequestContract {
+    /** Display name for the new workspace. Required. */
+    title: string;
+}
 export interface OrgPortalContract {
     id: string;
     orgId: string;

package/dist/types/portals/portals.d.ts

@@ -29,3 +29,29 @@ export interface PortalDetailContract {
     cnameValue?: string;
     cnameStatus?: string;
 }
+export interface InviteToPortalRequestContract {
+    email: string;
+    fullName?: string;
+    /**
+     * Org role for the invitee (default: "client").
+     * Supported: "client", "member", "manager".
+     */
+    orgRole?: "client" | "member" | "manager";
+    /** Workspace role (default: "editor"). */
+    workspaceRole?: "reader" | "editor";
+    /**
+     * Only relevant when orgRole="client".
+     * true  = Full access (sees all pages including private) — default.
+     * false = Shared only (public/shared pages only).
+     * For orgRole "member" and "manager" this is always true and the field is ignored.
+     */
+    isFullAccess?: boolean;
+}
+export interface InviteToPortalResponseContract {
+    /** Magic link for direct portal access (no email confirmation needed). */
+    magicLink: string;
+    /** Portal URL. */
+    url: string;
+    /** User ID in the system. */
+    userId: number;
+}

package/dist/types/shared/enums.d.ts

@@ -1,6 +1,6 @@
 export type OrgRoleContract = "owner" | "manager" | "member" | "client" | "guest" | "visitor";
 export type PermissionContract = string & {
-    __pattern: "^[^.]+\\.(?:[^.]+\\.)?(read|write|delete|execute)$";
+    __pattern: "^[^.]+\\.(?:[^.]+\\.)?(read|write|delete|execute|create|manage)$";
 };
 export type RootEntityContract = "custom" | "portal" | "workspace" | "org" | "user" | "client" | "form" | "form-response" | "tracker" | "tracker-result" | "meeting";
 export type ScopeTypeContract = "org" | "workspace" | "portal" | "user" | "client" | "block" | "tracker" | "parent_row" | "parent_table";

package/dist/types/shared/enums.js

@@ -37,7 +37,7 @@ exports.ScopeTypeContract = {
 exports.ScopeTypeOrgContract = {
     Org: "org"
 };
-const PERMISSION_RE = /^[^.]+\.(?:[^.]+\.)?(read|write|delete|execute)$/;
+const PERMISSION_RE = /^[^.]+\.(?:[^.]+\.)?(read|write|delete|execute|create|manage)$/;
 function asPermission(value) {
     if (!PERMISSION_RE.test(value)) {
         throw new Error(`Invalid permission: ${value}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fusebase/fusebase-gate-sdk",
-  "version": "2.2.21-sdk.1",
+  "version": "2.2.21-sdk.11",
   "description": "TypeScript SDK for Fusebase Gate APIs - Generated from contract introspection",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

package/release-notes/2.2.21-sdk.11.md

@@ -0,0 +1,9 @@
+# Release Notes 2.2.21-sdk.11
+
+- Current ref: `HEAD`
+- Previous tag: `v2.2.21-sdk.11`
+- Generated at: 2026-06-05T03:08:53.595Z
+
+## Included Drafts
+
+- None

package/release-notes/latest.md

@@ -1,8 +1,8 @@
-# Release Notes 2.2.21-sdk.1
+# Release Notes 2.2.21-sdk.11
 
 - Current ref: `HEAD`
-- Previous tag: `v2.2.21-sdk.1`
-- Generated at: 2026-05-29T13:36:35.810Z
+- Previous tag: `v2.2.21-sdk.11`
+- Generated at: 2026-06-05T03:08:53.595Z
 
 ## Included Drafts
 

package/release-notes/2.2.21-sdk.1.md

@@ -1,9 +0,0 @@
-# Release Notes 2.2.21-sdk.1
-
-- Current ref: `HEAD`
-- Previous tag: `v2.2.21-sdk.1`
-- Generated at: 2026-05-29T13:36:35.810Z
-
-## Included Drafts
-
-- None