@kinotic-ai/os-api 1.0.16 → 1.2.0

package/dist/index.cjs

@@ -62,6 +62,8 @@ __export(exports_src, {
   PageableC3Type: () => PageableC3Type,
   PageC3Type: () => PageC3Type,
   OsApiPlugin: () => OsApiPlugin,
+  OrganizationService: () => OrganizationService,
+  Organization: () => Organization,
   NotIndexedDecorator: () => NotIndexedDecorator,
   NestedDecorator: () => NestedDecorator,
   NamedQueriesDefinitionService: () => NamedQueriesDefinitionService,
@@ -268,6 +270,7 @@ class TenantSelectionC3Type extends import_idl17.ArrayC3Type {
 // packages/os-api/src/api/model/Application.ts
 class Application {
   id;
+  organizationId;
   description;
   updated = null;
   constructor(id, description) {
@@ -275,9 +278,20 @@ class Application {
     this.description = description;
   }
 }
+// packages/os-api/src/api/model/Organization.ts
+class Organization {
+  id = null;
+  name = "";
+  description = null;
+  oidcConfigurationIds = null;
+  createdBy = null;
+  created = null;
+  updated = null;
+}
 // packages/os-api/src/api/model/Project.ts
 class Project {
   id = null;
+  organizationId;
   applicationId;
   name;
   description;
@@ -308,7 +322,8 @@ class EntityDefinition {
   updated;
   published;
   publishedTimestamp;
-  constructor(applicationId, projectId, name, schema, description) {
+  constructor(organizationId, applicationId, projectId, name, schema, description) {
+    this.organizationId = organizationId;
     this.applicationId = applicationId;
     this.projectId = projectId;
     this.name = name;
@@ -455,6 +470,17 @@ class ApplicationService extends import_core.CrudServiceProxy {
     return this.serviceProxy.invoke("syncIndex", []);
   }
 }
+// packages/os-api/src/api/services/IOrganizationService.ts
+var import_core2 = require("@kinotic-ai/core");
+
+class OrganizationService extends import_core2.CrudServiceProxy {
+  constructor(kinotic) {
+    super(kinotic.serviceProxy("org.kinotic.os.api.services.OrganizationService"));
+  }
+  getOidcConfigurations(organizationId) {
+    return this.serviceProxy.invoke("getOidcConfigurations", [organizationId]);
+  }
+}
 // packages/os-api/src/api/services/ILogManager.ts
 var LogLevel;
 ((LogLevel2) => {
@@ -485,9 +511,9 @@ class LoggersDescriptor {
   groups = new Map;
 }
 // packages/os-api/src/api/services/IProjectService.ts
-var import_core2 = require("@kinotic-ai/core");
+var import_core3 = require("@kinotic-ai/core");
 
-class ProjectService extends import_core2.CrudServiceProxy {
+class ProjectService extends import_core3.CrudServiceProxy {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.os.api.services.ProjectService"));
   }
@@ -499,7 +525,7 @@ class ProjectService extends import_core2.CrudServiceProxy {
   }
   async findAllForApplication(applicationId, pageable) {
     const page = await this.findAllForApplicationSinglePage(applicationId, pageable);
-    return new import_core2.FunctionalIterablePage(pageable, page, (pageable2) => this.findAllForApplicationSinglePage(applicationId, pageable2));
+    return new import_core3.FunctionalIterablePage(pageable, page, (pageable2) => this.findAllForApplicationSinglePage(applicationId, pageable2));
   }
   findAllForApplicationSinglePage(applicationId, pageable) {
     return this.serviceProxy.invoke("findAllForApplication", [applicationId, pageable]);
@@ -535,9 +561,9 @@ class LogManager {
   }
 }
 // packages/os-api/src/api/services/IEntityDefinitionService.ts
-var import_core3 = require("@kinotic-ai/core");
+var import_core4 = require("@kinotic-ai/core");
 
-class EntityDefinitionService extends import_core3.CrudServiceProxy {
+class EntityDefinitionService extends import_core4.CrudServiceProxy {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.persistence.api.services.EntityDefinitionService"));
   }
@@ -552,14 +578,14 @@ class EntityDefinitionService extends import_core3.CrudServiceProxy {
   }
   async findAllForApplication(applicationId, pageable) {
     const page = await this.findAllForApplicationSinglePage(applicationId, pageable);
-    return new import_core3.FunctionalIterablePage(pageable, page, (pageable2) => this.findAllForApplicationSinglePage(applicationId, pageable2));
+    return new import_core4.FunctionalIterablePage(pageable, page, (pageable2) => this.findAllForApplicationSinglePage(applicationId, pageable2));
   }
   findAllPublishedForApplication(applicationId, pageable) {
     return this.serviceProxy.invoke("findAllPublishedForApplication", [applicationId, pageable]);
   }
   async findAllForProject(projectId, pageable) {
     const page = await this.findAllForProjectSinglePage(projectId, pageable);
-    return new import_core3.FunctionalIterablePage(pageable, page, (pageable2) => this.findAllForProjectSinglePage(projectId, pageable2));
+    return new import_core4.FunctionalIterablePage(pageable, page, (pageable2) => this.findAllForProjectSinglePage(projectId, pageable2));
   }
   findAllForProjectSinglePage(projectId, pageable) {
     return this.serviceProxy.invoke("findAllForProject", [projectId, pageable]);
@@ -575,9 +601,9 @@ class EntityDefinitionService extends import_core3.CrudServiceProxy {
   }
 }
 // packages/os-api/src/api/services/INamedQueriesDefinitionService.ts
-var import_core4 = require("@kinotic-ai/core");
+var import_core5 = require("@kinotic-ai/core");
 
-class NamedQueriesDefinitionService extends import_core4.CrudServiceProxy {
+class NamedQueriesDefinitionService extends import_core5.CrudServiceProxy {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.persistence.api.services.NamedQueriesDefinitionService"));
   }
@@ -612,9 +638,9 @@ class DataInsightsService {
   }
 }
 // packages/os-api/src/api/services/IVmNodeService.ts
-var import_core5 = require("@kinotic-ai/core");
+var import_core6 = require("@kinotic-ai/core");
 
-class VmNodeServiceProxy extends import_core5.CrudServiceProxy {
+class VmNodeServiceProxy extends import_core6.CrudServiceProxy {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.os.api.services.VmNodeService"));
   }
@@ -626,15 +652,15 @@ class VmNodeServiceProxy extends import_core5.CrudServiceProxy {
   }
 }
 // packages/os-api/src/api/services/IWorkloadService.ts
-var import_core6 = require("@kinotic-ai/core");
+var import_core7 = require("@kinotic-ai/core");
 
-class WorkloadServiceProxy extends import_core6.CrudServiceProxy {
+class WorkloadServiceProxy extends import_core7.CrudServiceProxy {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.os.api.services.WorkloadService"));
   }
   async findAllForNode(nodeId, pageable) {
     const page = await this.findAllForNodeSinglePage(nodeId, pageable);
-    return new import_core6.FunctionalIterablePage(pageable, page, (pageable2) => this.findAllForNodeSinglePage(nodeId, pageable2));
+    return new import_core7.FunctionalIterablePage(pageable, page, (pageable2) => this.findAllForNodeSinglePage(nodeId, pageable2));
   }
   findAllForNodeSinglePage(nodeId, pageable) {
     return this.serviceProxy.invoke("findAllForNode", [nodeId, pageable]);
@@ -647,9 +673,9 @@ class WorkloadServiceProxy extends import_core6.CrudServiceProxy {
   }
 }
 // packages/os-api/src/api/services/iam/IIamUserService.ts
-var import_core7 = require("@kinotic-ai/core");
+var import_core8 = require("@kinotic-ai/core");
 
-class IamUserService extends import_core7.CrudServiceProxy {
+class IamUserService extends import_core8.CrudServiceProxy {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.os.api.services.iam.IamUserService"));
   }
@@ -668,12 +694,16 @@ class IamUserService extends import_core7.CrudServiceProxy {
   resetPassword(userId, newPassword) {
     return this.serviceProxy.invoke("resetPassword", [userId, newPassword]);
   }
+  findFirstByEmailInScopeType(email, authScopeType) {
+    return this.serviceProxy.invoke("findFirstByEmailInScopeType", [email, authScopeType]);
+  }
 }
 // packages/os-api/src/api/OsApiPlugin.ts
 var OsApiPlugin = {
   install(kinotic) {
     return {
       applications: new ApplicationService(kinotic),
+      organizations: new OrganizationService(kinotic),
       projects: new ProjectService(kinotic),
       logManager: new LogManager(kinotic),
       entityDefinitions: new EntityDefinitionService(kinotic),

package/dist/index.d.cts

@@ -138,21 +138,49 @@ declare class TenantSelectionC3Type extends ArrayC3Type {
 import { Identifiable } from "@kinotic-ai/core";
 declare class Application implements Identifiable<string> {
 	id: string;
+	/**
+	* The id of the organization that owns this application.
+	* Must be set by the caller before save — backend org enforcement rejects entities
+	* with a missing or mismatched organizationId.
+	*/
+	organizationId: string;
 	description: string;
 	updated: number | null;
 	constructor(id: string, description: string);
 }
 import { Identifiable as Identifiable2 } from "@kinotic-ai/core";
+/**
+* Represents an organization developing applications on the Kinotic OS platform.
+* Organizations provide the boundary for teams, applications, users, and shared OIDC configuration.
+*
+* The {@link id} is auto-generated from the {@link name} on save (slugified) and serves as the URL-safe identifier.
+*/
+declare class Organization implements Identifiable2<string> {
+	id: string | null;
+	name: string;
+	description: string | null;
+	oidcConfigurationIds: string[] | null;
+	createdBy: string | null;
+	created: number | null;
+	updated: number | null;
+}
+import { Identifiable as Identifiable3 } from "@kinotic-ai/core";
 declare enum ProjectType {
 	TYPESCRIPT = "TYPESCRIPT"
 }
-declare class Project implements Identifiable2<string> {
+declare class Project implements Identifiable3<string> {
 	/**
 	* The id of the project.
 	* All project ids are unique throughout the entire system.
 	*/
 	id: string | null;
 	/**
+	* The id of the organization that owns this project.
+	* Must be set by the caller before save — backend org enforcement rejects entities
+	* with a missing or mismatched organizationId.
+	*/
+	organizationId: string;
+	/**
 	* The id of the application that this project belongs to.
 	* All application ids are unique throughout the entire system.
 	*/
@@ -176,8 +204,8 @@ declare class Project implements Identifiable2<string> {
 	constructor(id: string | null, applicationId: string, name: string, description?: string);
 }
 import { ObjectC3Type as ObjectC3Type3 } from "@kinotic-ai/idl";
-import { Identifiable as Identifiable3 } from "@kinotic-ai/core";
-declare class EntityDefinition implements Identifiable3<string> {
+import { Identifiable as Identifiable4 } from "@kinotic-ai/core";
+declare class EntityDefinition implements Identifiable4<string> {
 	id: string | null;
 	/**
 	* The id of the organization that owns this entity definition.
@@ -201,14 +229,14 @@ declare class EntityDefinition implements Identifiable3<string> {
 	updated: number;
 	published: boolean;
 	publishedTimestamp: number;
-	constructor(applicationId: string, projectId: string, name: string, schema: ObjectC3Type3, description?: string | null);
+	constructor(organizationId: string, applicationId: string, projectId: string, name: string, schema: ObjectC3Type3, description?: string | null);
 }
-import { Identifiable as Identifiable4 } from "@kinotic-ai/core";
+import { Identifiable as Identifiable5 } from "@kinotic-ai/core";
 import { FunctionDefinition } from "@kinotic-ai/idl";
 /**
 * Provides Metadata that represents Named Queries for an Application
 */
-declare class NamedQueriesDefinition implements Identifiable4<string> {
+declare class NamedQueriesDefinition implements Identifiable5<string> {
 	id: string;
 	organizationId?: string | null;
 	applicationId: string;
@@ -348,7 +376,7 @@ interface InsightRequest {
 	*/
 	additionalContext?: string;
 }
-import { Identifiable as Identifiable5 } from "@kinotic-ai/core";
+import { Identifiable as Identifiable6 } from "@kinotic-ai/core";
 declare enum WorkloadStatus {
 	PENDING = "PENDING",
 	STARTING = "STARTING",
@@ -366,7 +394,7 @@ declare enum VmProviderType {
 * Represents a workload to be managed by the VM manager.
 * A workload defines the configuration for a micro VM instance.
 */
-declare class Workload implements Identifiable5<string> {
+declare class Workload implements Identifiable6<string> {
 	/**
 	* Unique identifier for this workload.
 	*/
@@ -421,7 +449,7 @@ declare class Workload implements Identifiable5<string> {
 	updated: number | null;
 	constructor(name: string, image: string);
 }
-import { Identifiable as Identifiable6 } from "@kinotic-ai/core";
+import { Identifiable as Identifiable7 } from "@kinotic-ai/core";
 declare enum VmNodeStatus {
 	ONLINE = "ONLINE",
 	OFFLINE = "OFFLINE",
@@ -431,7 +459,7 @@ declare enum VmNodeStatus {
 * Represents a node in the cluster that is running a VmManager process
 * and is capable of hosting workloads.
 */
-declare class VmNode implements Identifiable6<string> {
+declare class VmNode implements Identifiable7<string> {
 	/**
 	* Unique identifier for this node.
 	*/
@@ -485,7 +513,7 @@ declare enum AuthType {
 	LOCAL = "LOCAL",
 	OIDC = "OIDC"
 }
-import { Identifiable as Identifiable7 } from "@kinotic-ai/core";
+import { Identifiable as Identifiable8 } from "@kinotic-ai/core";
 /**
 * Represents an authenticated identity at any scope layer in the IAM system.
 * Each user is scoped to exactly one layer and is unique by email within that scope.
@@ -494,7 +522,7 @@ import { Identifiable as Identifiable7 } from "@kinotic-ai/core";
 * - For APPLICATION scopes, {@link tenantId} is required and identifies the
 *   client tenant the user belongs to within the application's data.
 */
-declare class IamUser implements Identifiable7<string> {
+declare class IamUser implements Identifiable8<string> {
 	id: string | null;
 	email: string;
 	displayName: string | null;
@@ -619,6 +647,22 @@ declare class ApplicationService extends CrudServiceProxy<Application> implement
 	createApplicationIfNotExist(id: string, description: string): Promise<Application>;
 	syncIndex(): Promise<void>;
 }
+import { IKinotic as IKinotic2 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy2, ICrudServiceProxy as ICrudServiceProxy2 } from "@kinotic-ai/core";
+interface IOrganizationService extends ICrudServiceProxy2<Organization> {
+	/**
+	* Returns the enabled OIDC configurations registered on the given organization.
+	*
+	* @param organizationId the id of the organization
+	* @return the enabled configurations, or an empty list if the organization is not
+	*         found or has no configurations attached
+	*/
+	getOidcConfigurations(organizationId: string): Promise<any[]>;
+}
+declare class OrganizationService extends CrudServiceProxy2<Organization> implements IOrganizationService {
+	constructor(kinotic: IKinotic2);
+	getOidcConfigurations(organizationId: string): Promise<any[]>;
+}
 declare enum LogLevel {
 	TRACE = "TRACE",
 	DEBUG = "DEBUG",
@@ -668,8 +712,8 @@ interface ILogManager {
 	*/
 	configureLogLevel(nodeId: string, name: string, level: LogLevel): Promise<void>;
 }
-import { CrudServiceProxy as CrudServiceProxy2, IKinotic as IKinotic2, ICrudServiceProxy as ICrudServiceProxy2, IterablePage, Pageable } from "@kinotic-ai/core";
-interface IProjectService extends ICrudServiceProxy2<Project> {
+import { CrudServiceProxy as CrudServiceProxy3, IKinotic as IKinotic3, ICrudServiceProxy as ICrudServiceProxy3, IterablePage, Pageable } from "@kinotic-ai/core";
+interface IProjectService extends ICrudServiceProxy3<Project> {
 	/**
 	* Counts all projects for the given application.
 	* @param applicationId the application to find projects for
@@ -695,24 +739,24 @@ interface IProjectService extends ICrudServiceProxy2<Project> {
 	*/
 	syncIndex(): Promise<void>;
 }
-declare class ProjectService extends CrudServiceProxy2<Project> implements IProjectService {
-	constructor(kinotic: IKinotic2);
+declare class ProjectService extends CrudServiceProxy3<Project> implements IProjectService {
+	constructor(kinotic: IKinotic3);
 	countForApplication(applicationId: string): Promise<number>;
 	createProjectIfNotExist(project: Project): Promise<Project>;
 	findAllForApplication(applicationId: string, pageable: Pageable): Promise<IterablePage<Project>>;
 	findAllForApplicationSinglePage(applicationId: string, pageable: Pageable): Promise<IterablePage<Project>>;
 	syncIndex(): Promise<void>;
 }
-import { IKinotic as IKinotic3 } from "@kinotic-ai/core";
+import { IKinotic as IKinotic4 } from "@kinotic-ai/core";
 declare class LogManager implements ILogManager {
 	private readonly serviceProxy;
-	constructor(kinotic: IKinotic3);
+	constructor(kinotic: IKinotic4);
 	loggers(nodeId: string): Promise<LoggersDescriptor>;
 	loggerLevels(nodeId: string, name: string): Promise<LoggerLevelsDescriptor>;
 	configureLogLevel(nodeId: string, name: string, level: LogLevel): Promise<void>;
 }
-import { CrudServiceProxy as CrudServiceProxy3, IKinotic as IKinotic4, ICrudServiceProxy as ICrudServiceProxy3, IterablePage as IterablePage2, Page, Pageable as Pageable2 } from "@kinotic-ai/core";
-interface IEntityDefinitionService extends ICrudServiceProxy3<EntityDefinition> {
+import { CrudServiceProxy as CrudServiceProxy4, IKinotic as IKinotic5, ICrudServiceProxy as ICrudServiceProxy4, IterablePage as IterablePage2, Page, Pageable as Pageable2 } from "@kinotic-ai/core";
+interface IEntityDefinitionService extends ICrudServiceProxy4<EntityDefinition> {
 	/**
 	* Counts all entity definitions for the given application.
 	* @param applicationId the application to find entity definitions for
@@ -765,8 +809,8 @@ interface IEntityDefinitionService extends ICrudServiceProxy3<EntityDefinition>
 	*/
 	unPublish(entityDefinitionId: string): Promise<void>;
 }
-declare class EntityDefinitionService extends CrudServiceProxy3<EntityDefinition> implements IEntityDefinitionService {
-	constructor(kinotic: IKinotic4);
+declare class EntityDefinitionService extends CrudServiceProxy4<EntityDefinition> implements IEntityDefinitionService {
+	constructor(kinotic: IKinotic5);
 	countForApplication(applicationId: string): Promise<number>;
 	countForProject(projectId: string): Promise<number>;
 	findAllForApplicationSinglePage(applicationId: string, pageable: Pageable2): Promise<Page<EntityDefinition>>;
@@ -778,20 +822,20 @@ declare class EntityDefinitionService extends CrudServiceProxy3<EntityDefinition
 	unPublish(entityDefinitionId: string): Promise<void>;
 	syncIndex(): Promise<void>;
 }
-import { IKinotic as IKinotic5 } from "@kinotic-ai/core";
-import { CrudServiceProxy as CrudServiceProxy4, ICrudServiceProxy as ICrudServiceProxy4 } from "@kinotic-ai/core";
-interface INamedQueriesDefinitionService extends ICrudServiceProxy4<NamedQueriesDefinition> {
+import { IKinotic as IKinotic6 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy5, ICrudServiceProxy as ICrudServiceProxy5 } from "@kinotic-ai/core";
+interface INamedQueriesDefinitionService extends ICrudServiceProxy5<NamedQueriesDefinition> {
 	/**
 	* This operation makes all the recent writes immediately available for search.
 	* @return a Promise that resolves when the operation is complete
 	*/
 	syncIndex(): Promise<void>;
 }
-declare class NamedQueriesDefinitionService extends CrudServiceProxy4<NamedQueriesDefinition> implements INamedQueriesDefinitionService {
-	constructor(kinotic: IKinotic5);
+declare class NamedQueriesDefinitionService extends CrudServiceProxy5<NamedQueriesDefinition> implements INamedQueriesDefinitionService {
+	constructor(kinotic: IKinotic6);
 	syncIndex(): Promise<void>;
 }
-import { IKinotic as IKinotic6 } from "@kinotic-ai/core";
+import { IKinotic as IKinotic7 } from "@kinotic-ai/core";
 /**
 * Service for executing project-specific migrations through the Persistence API.
 * This service allows external clients to apply their own migrations to projects.
@@ -823,12 +867,12 @@ interface IMigrationService {
 }
 declare class MigrationService implements IMigrationService {
 	private readonly serviceProxy;
-	constructor(kinotic: IKinotic6);
+	constructor(kinotic: IKinotic7);
 	executeMigrations(migrationRequest: MigrationRequest): Promise<MigrationResult>;
 	getLastAppliedMigrationVersion(projectId: string): Promise<number | null>;
 	isMigrationApplied(projectId: string, version: string): Promise<boolean>;
 }
-import { IKinotic as IKinotic7 } from "@kinotic-ai/core";
+import { IKinotic as IKinotic8 } from "@kinotic-ai/core";
 import { Observable } from "rxjs";
 /**
 * Provides AI-powered data analysis and visualization code generation capabilities.
@@ -847,12 +891,12 @@ interface IDataInsightsService {
 }
 declare class DataInsightsService implements IDataInsightsService {
 	private readonly serviceProxy;
-	constructor(kinotic: IKinotic7);
+	constructor(kinotic: IKinotic8);
 	processRequest(request: InsightRequest): Observable<InsightProgress>;
 }
-import { IKinotic as IKinotic8 } from "@kinotic-ai/core";
-import { CrudServiceProxy as CrudServiceProxy5, ICrudServiceProxy as ICrudServiceProxy5 } from "@kinotic-ai/core";
-interface IVmNodeService extends ICrudServiceProxy5<VmNode> {
+import { IKinotic as IKinotic9 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy6, ICrudServiceProxy as ICrudServiceProxy6 } from "@kinotic-ai/core";
+interface IVmNodeService extends ICrudServiceProxy6<VmNode> {
 	/**
 	* Finds a node with sufficient resources to host a workload with the given requirements.
 	* @param requiredCpus the number of vCPUs required
@@ -867,13 +911,13 @@ interface IVmNodeService extends ICrudServiceProxy5<VmNode> {
 	*/
 	syncIndex(): Promise<void>;
 }
-declare class VmNodeServiceProxy extends CrudServiceProxy5<VmNode> implements IVmNodeService {
-	constructor(kinotic: IKinotic8);
+declare class VmNodeServiceProxy extends CrudServiceProxy6<VmNode> implements IVmNodeService {
+	constructor(kinotic: IKinotic9);
 	findAvailableNode(requiredCpus: number, requiredMemoryMb: number, requiredDiskMb: number): Promise<VmNode | null>;
 	syncIndex(): Promise<void>;
 }
-import { CrudServiceProxy as CrudServiceProxy6, IKinotic as IKinotic9, ICrudServiceProxy as ICrudServiceProxy6, IterablePage as IterablePage3, Page as Page2, Pageable as Pageable3 } from "@kinotic-ai/core";
-interface IWorkloadService extends ICrudServiceProxy6<Workload> {
+import { CrudServiceProxy as CrudServiceProxy7, IKinotic as IKinotic10, ICrudServiceProxy as ICrudServiceProxy7, IterablePage as IterablePage3, Page as Page2, Pageable as Pageable3 } from "@kinotic-ai/core";
+interface IWorkloadService extends ICrudServiceProxy7<Workload> {
 	/**
 	* Finds all workloads deployed on the given node.
 	* @param nodeId the id of the node to find workloads for
@@ -893,49 +937,77 @@ interface IWorkloadService extends ICrudServiceProxy6<Workload> {
 	*/
 	syncIndex(): Promise<void>;
 }
-declare class WorkloadServiceProxy extends CrudServiceProxy6<Workload> implements IWorkloadService {
-	constructor(kinotic: IKinotic9);
+declare class WorkloadServiceProxy extends CrudServiceProxy7<Workload> implements IWorkloadService {
+	constructor(kinotic: IKinotic10);
 	findAllForNode(nodeId: string, pageable: Pageable3): Promise<IterablePage3<Workload>>;
 	findAllForNodeSinglePage(nodeId: string, pageable: Pageable3): Promise<Page2<Workload>>;
 	countForNode(nodeId: string): Promise<number>;
 	syncIndex(): Promise<void>;
 }
-import { CrudServiceProxy as CrudServiceProxy7, IKinotic as IKinotic10, ICrudServiceProxy as ICrudServiceProxy7, Page as Page3, Pageable as Pageable4 } from "@kinotic-ai/core";
-interface IIamUserService extends ICrudServiceProxy7<IamUser> {
+import { CrudServiceProxy as CrudServiceProxy8, IKinotic as IKinotic11, ICrudServiceProxy as ICrudServiceProxy8, Page as Page3, Pageable as Pageable4 } from "@kinotic-ai/core";
+interface IIamUserService extends ICrudServiceProxy8<IamUser> {
 	/**
 	* Finds the user with the given email within the given auth scope.
-	* @return Promise emitting the user or null if no user matches
+	* @param email the email address to look up
+	* @param authScopeType the scope type the user is registered against (e.g. {@code SYSTEM}, {@code ORGANIZATION}, {@code APPLICATION})
+	* @param authScopeId the id of the scope the user is registered against
+	* @return {@link Promise} emitting the matching user, or {@code null} if no user matches
 	*/
 	findByEmailAndScope(email: string, authScopeType: string, authScopeId: string): Promise<IamUser | null>;
 	/**
 	* Finds all users registered against the given auth scope.
+	* @param authScopeType the scope type to filter by (e.g. {@code SYSTEM}, {@code ORGANIZATION}, {@code APPLICATION})
+	* @param authScopeId the id of the scope to filter by
+	* @param pageable the paging and sort options
+	* @return {@link Promise} emitting a page of users registered against the scope
 	*/
 	findByScope(authScopeType: string, authScopeId: string, pageable: Pageable4): Promise<Page3<IamUser>>;
 	/**
 	* Creates a user and, if a password is provided, the matching credential.
-	* APPLICATION-scoped users must carry a {@code tenantId}; SYSTEM and ORGANIZATION users must not.
+	* {@code APPLICATION}-scoped users must carry a {@code tenantId}; {@code SYSTEM} and {@code ORGANIZATION} users must not.
+	* @param user the user to create
+	* @param password the password to set, or {@code null} to create the user without a credential
+	* @return {@link Promise} emitting the persisted user
 	*/
 	createUser(user: IamUser, password: string | null): Promise<IamUser>;
 	/**
 	* Verifies the current password and updates it. Used when the user knows their current password.
+	* @param userId the id of the user whose password should be changed
+	* @param currentPassword the user's current password
+	* @param newPassword the new password to set
+	* @return {@link Promise} that resolves when the password has been updated
 	*/
 	changePassword(userId: string, currentPassword: string, newPassword: string): Promise<void>;
 	/**
 	* Replaces the user's password without verifying the current one. Administrative reset.
+	* @param userId the id of the user whose password should be reset
+	* @param newPassword the new password to set
+	* @return {@link Promise} that resolves when the password has been reset
 	*/
 	resetPassword(userId: string, newPassword: string): Promise<void>;
+	/**
+	* Finds the first user with the given email across all scope ids of the given scope type.
+	* Used by the sign-up flow to enforce one user per email at organization-creation time,
+	* before the new organization's scope id exists.
+	* @param email the email address to look up
+	* @param authScopeType the scope type to search within (e.g. {@code ORGANIZATION})
+	* @return {@link Promise} emitting the first matching user, or {@code null} if no user matches
+	*/
+	findFirstByEmailInScopeType(email: string, authScopeType: string): Promise<IamUser | null>;
 }
-declare class IamUserService extends CrudServiceProxy7<IamUser> implements IIamUserService {
-	constructor(kinotic: IKinotic10);
+declare class IamUserService extends CrudServiceProxy8<IamUser> implements IIamUserService {
+	constructor(kinotic: IKinotic11);
 	findByEmailAndScope(email: string, authScopeType: string, authScopeId: string): Promise<IamUser | null>;
 	findByScope(authScopeType: string, authScopeId: string, pageable: Pageable4): Promise<Page3<IamUser>>;
 	createUser(user: IamUser, password: string | null): Promise<IamUser>;
 	changePassword(userId: string, currentPassword: string, newPassword: string): Promise<void>;
 	resetPassword(userId: string, newPassword: string): Promise<void>;
+	findFirstByEmailInScopeType(email: string, authScopeType: string): Promise<IamUser | null>;
 }
 import { KinoticPlugin } from "@kinotic-ai/core";
 interface IOsApiExtension {
 	applications: IApplicationService;
+	organizations: IOrganizationService;
 	projects: IProjectService;
 	logManager: ILogManager;
 	entityDefinitions: IEntityDefinitionService;
@@ -950,4 +1022,4 @@ declare const OsApiPlugin: KinoticPlugin<IOsApiExtension>;
 declare module "@kinotic-ai/core" {
 	interface KinoticSingleton extends IOsApiExtension {}
 }
-export { WorkloadStatus, WorkloadServiceProxy, Workload, VmProviderType, VmNodeStatus, VmNodeServiceProxy, VmNode, VersionDecorator, TimeReferenceDecorator, TextDecorator, TenantSelectionC3Type, TenantIdDecorator, SingleLoggerLevelsDescriptor, SignUpRequest, SignUpCompleteRequest, QueryOptionsC3Type, QueryDecorator, ProjectType, ProjectService, Project, ProgressType, PageableC3Type, PageC3Type, OsApiPlugin, NotIndexedDecorator, NestedDecorator, NamedQueriesDefinitionService, NamedQueriesDefinition, MigrationService, MigrationResult, MigrationRequest, MigrationDefinition, LoggersDescriptor, LoggerLevelsDescriptor, LogManager, LogLevel, KinoticProjectConfig, InsightRequest, InsightProgress, IdDecorator, IamUserService, IamUser, IWorkloadService, IVmNodeService, IProjectService, IOsApiExtension, INamedQueriesDefinitionService, IMigrationService, ILogManager, IIamUserService, IEntityDefinitionService, IDataInsightsService, IApplicationService, GroupLoggerLevelsDescriptor, FlattenedDecorator, EsIndexConfigurationDecorator, EntityDefinitionService, EntityDefinition, EntityDecorator, EntitiesPathConfig, DiscriminatorDecorator, DataInsightsService, DataInsightsComponent, AutoGeneratedIdDecorator, AuthType, ApplicationService, Application };
+export { WorkloadStatus, WorkloadServiceProxy, Workload, VmProviderType, VmNodeStatus, VmNodeServiceProxy, VmNode, VersionDecorator, TimeReferenceDecorator, TextDecorator, TenantSelectionC3Type, TenantIdDecorator, SingleLoggerLevelsDescriptor, SignUpRequest, SignUpCompleteRequest, QueryOptionsC3Type, QueryDecorator, ProjectType, ProjectService, Project, ProgressType, PageableC3Type, PageC3Type, OsApiPlugin, OrganizationService, Organization, NotIndexedDecorator, NestedDecorator, NamedQueriesDefinitionService, NamedQueriesDefinition, MigrationService, MigrationResult, MigrationRequest, MigrationDefinition, LoggersDescriptor, LoggerLevelsDescriptor, LogManager, LogLevel, KinoticProjectConfig, InsightRequest, InsightProgress, IdDecorator, IamUserService, IamUser, IWorkloadService, IVmNodeService, IProjectService, IOsApiExtension, IOrganizationService, INamedQueriesDefinitionService, IMigrationService, ILogManager, IIamUserService, IEntityDefinitionService, IDataInsightsService, IApplicationService, GroupLoggerLevelsDescriptor, FlattenedDecorator, EsIndexConfigurationDecorator, EntityDefinitionService, EntityDefinition, EntityDecorator, EntitiesPathConfig, DiscriminatorDecorator, DataInsightsService, DataInsightsComponent, AutoGeneratedIdDecorator, AuthType, ApplicationService, Application };

package/dist/index.d.ts

@@ -138,21 +138,49 @@ declare class TenantSelectionC3Type extends ArrayC3Type {
 import { Identifiable } from "@kinotic-ai/core";
 declare class Application implements Identifiable<string> {
 	id: string;
+	/**
+	* The id of the organization that owns this application.
+	* Must be set by the caller before save — backend org enforcement rejects entities
+	* with a missing or mismatched organizationId.
+	*/
+	organizationId: string;
 	description: string;
 	updated: number | null;
 	constructor(id: string, description: string);
 }
 import { Identifiable as Identifiable2 } from "@kinotic-ai/core";
+/**
+* Represents an organization developing applications on the Kinotic OS platform.
+* Organizations provide the boundary for teams, applications, users, and shared OIDC configuration.
+*
+* The {@link id} is auto-generated from the {@link name} on save (slugified) and serves as the URL-safe identifier.
+*/
+declare class Organization implements Identifiable2<string> {
+	id: string | null;
+	name: string;
+	description: string | null;
+	oidcConfigurationIds: string[] | null;
+	createdBy: string | null;
+	created: number | null;
+	updated: number | null;
+}
+import { Identifiable as Identifiable3 } from "@kinotic-ai/core";
 declare enum ProjectType {
 	TYPESCRIPT = "TYPESCRIPT"
 }
-declare class Project implements Identifiable2<string> {
+declare class Project implements Identifiable3<string> {
 	/**
 	* The id of the project.
 	* All project ids are unique throughout the entire system.
 	*/
 	id: string | null;
 	/**
+	* The id of the organization that owns this project.
+	* Must be set by the caller before save — backend org enforcement rejects entities
+	* with a missing or mismatched organizationId.
+	*/
+	organizationId: string;
+	/**
 	* The id of the application that this project belongs to.
 	* All application ids are unique throughout the entire system.
 	*/
@@ -176,8 +204,8 @@ declare class Project implements Identifiable2<string> {
 	constructor(id: string | null, applicationId: string, name: string, description?: string);
 }
 import { ObjectC3Type as ObjectC3Type3 } from "@kinotic-ai/idl";
-import { Identifiable as Identifiable3 } from "@kinotic-ai/core";
-declare class EntityDefinition implements Identifiable3<string> {
+import { Identifiable as Identifiable4 } from "@kinotic-ai/core";
+declare class EntityDefinition implements Identifiable4<string> {
 	id: string | null;
 	/**
 	* The id of the organization that owns this entity definition.
@@ -201,14 +229,14 @@ declare class EntityDefinition implements Identifiable3<string> {
 	updated: number;
 	published: boolean;
 	publishedTimestamp: number;
-	constructor(applicationId: string, projectId: string, name: string, schema: ObjectC3Type3, description?: string | null);
+	constructor(organizationId: string, applicationId: string, projectId: string, name: string, schema: ObjectC3Type3, description?: string | null);
 }
-import { Identifiable as Identifiable4 } from "@kinotic-ai/core";
+import { Identifiable as Identifiable5 } from "@kinotic-ai/core";
 import { FunctionDefinition } from "@kinotic-ai/idl";
 /**
 * Provides Metadata that represents Named Queries for an Application
 */
-declare class NamedQueriesDefinition implements Identifiable4<string> {
+declare class NamedQueriesDefinition implements Identifiable5<string> {
 	id: string;
 	organizationId?: string | null;
 	applicationId: string;
@@ -348,7 +376,7 @@ interface InsightRequest {
 	*/
 	additionalContext?: string;
 }
-import { Identifiable as Identifiable5 } from "@kinotic-ai/core";
+import { Identifiable as Identifiable6 } from "@kinotic-ai/core";
 declare enum WorkloadStatus {
 	PENDING = "PENDING",
 	STARTING = "STARTING",
@@ -366,7 +394,7 @@ declare enum VmProviderType {
 * Represents a workload to be managed by the VM manager.
 * A workload defines the configuration for a micro VM instance.
 */
-declare class Workload implements Identifiable5<string> {
+declare class Workload implements Identifiable6<string> {
 	/**
 	* Unique identifier for this workload.
 	*/
@@ -421,7 +449,7 @@ declare class Workload implements Identifiable5<string> {
 	updated: number | null;
 	constructor(name: string, image: string);
 }
-import { Identifiable as Identifiable6 } from "@kinotic-ai/core";
+import { Identifiable as Identifiable7 } from "@kinotic-ai/core";
 declare enum VmNodeStatus {
 	ONLINE = "ONLINE",
 	OFFLINE = "OFFLINE",
@@ -431,7 +459,7 @@ declare enum VmNodeStatus {
 * Represents a node in the cluster that is running a VmManager process
 * and is capable of hosting workloads.
 */
-declare class VmNode implements Identifiable6<string> {
+declare class VmNode implements Identifiable7<string> {
 	/**
 	* Unique identifier for this node.
 	*/
@@ -485,7 +513,7 @@ declare enum AuthType {
 	LOCAL = "LOCAL",
 	OIDC = "OIDC"
 }
-import { Identifiable as Identifiable7 } from "@kinotic-ai/core";
+import { Identifiable as Identifiable8 } from "@kinotic-ai/core";
 /**
 * Represents an authenticated identity at any scope layer in the IAM system.
 * Each user is scoped to exactly one layer and is unique by email within that scope.
@@ -494,7 +522,7 @@ import { Identifiable as Identifiable7 } from "@kinotic-ai/core";
 * - For APPLICATION scopes, {@link tenantId} is required and identifies the
 *   client tenant the user belongs to within the application's data.
 */
-declare class IamUser implements Identifiable7<string> {
+declare class IamUser implements Identifiable8<string> {
 	id: string | null;
 	email: string;
 	displayName: string | null;
@@ -619,6 +647,22 @@ declare class ApplicationService extends CrudServiceProxy<Application> implement
 	createApplicationIfNotExist(id: string, description: string): Promise<Application>;
 	syncIndex(): Promise<void>;
 }
+import { IKinotic as IKinotic2 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy2, ICrudServiceProxy as ICrudServiceProxy2 } from "@kinotic-ai/core";
+interface IOrganizationService extends ICrudServiceProxy2<Organization> {
+	/**
+	* Returns the enabled OIDC configurations registered on the given organization.
+	*
+	* @param organizationId the id of the organization
+	* @return the enabled configurations, or an empty list if the organization is not
+	*         found or has no configurations attached
+	*/
+	getOidcConfigurations(organizationId: string): Promise<any[]>;
+}
+declare class OrganizationService extends CrudServiceProxy2<Organization> implements IOrganizationService {
+	constructor(kinotic: IKinotic2);
+	getOidcConfigurations(organizationId: string): Promise<any[]>;
+}
 declare enum LogLevel {
 	TRACE = "TRACE",
 	DEBUG = "DEBUG",
@@ -668,8 +712,8 @@ interface ILogManager {
 	*/
 	configureLogLevel(nodeId: string, name: string, level: LogLevel): Promise<void>;
 }
-import { CrudServiceProxy as CrudServiceProxy2, IKinotic as IKinotic2, ICrudServiceProxy as ICrudServiceProxy2, IterablePage, Pageable } from "@kinotic-ai/core";
-interface IProjectService extends ICrudServiceProxy2<Project> {
+import { CrudServiceProxy as CrudServiceProxy3, IKinotic as IKinotic3, ICrudServiceProxy as ICrudServiceProxy3, IterablePage, Pageable } from "@kinotic-ai/core";
+interface IProjectService extends ICrudServiceProxy3<Project> {
 	/**
 	* Counts all projects for the given application.
 	* @param applicationId the application to find projects for
@@ -695,24 +739,24 @@ interface IProjectService extends ICrudServiceProxy2<Project> {
 	*/
 	syncIndex(): Promise<void>;
 }
-declare class ProjectService extends CrudServiceProxy2<Project> implements IProjectService {
-	constructor(kinotic: IKinotic2);
+declare class ProjectService extends CrudServiceProxy3<Project> implements IProjectService {
+	constructor(kinotic: IKinotic3);
 	countForApplication(applicationId: string): Promise<number>;
 	createProjectIfNotExist(project: Project): Promise<Project>;
 	findAllForApplication(applicationId: string, pageable: Pageable): Promise<IterablePage<Project>>;
 	findAllForApplicationSinglePage(applicationId: string, pageable: Pageable): Promise<IterablePage<Project>>;
 	syncIndex(): Promise<void>;
 }
-import { IKinotic as IKinotic3 } from "@kinotic-ai/core";
+import { IKinotic as IKinotic4 } from "@kinotic-ai/core";
 declare class LogManager implements ILogManager {
 	private readonly serviceProxy;
-	constructor(kinotic: IKinotic3);
+	constructor(kinotic: IKinotic4);
 	loggers(nodeId: string): Promise<LoggersDescriptor>;
 	loggerLevels(nodeId: string, name: string): Promise<LoggerLevelsDescriptor>;
 	configureLogLevel(nodeId: string, name: string, level: LogLevel): Promise<void>;
 }
-import { CrudServiceProxy as CrudServiceProxy3, IKinotic as IKinotic4, ICrudServiceProxy as ICrudServiceProxy3, IterablePage as IterablePage2, Page, Pageable as Pageable2 } from "@kinotic-ai/core";
-interface IEntityDefinitionService extends ICrudServiceProxy3<EntityDefinition> {
+import { CrudServiceProxy as CrudServiceProxy4, IKinotic as IKinotic5, ICrudServiceProxy as ICrudServiceProxy4, IterablePage as IterablePage2, Page, Pageable as Pageable2 } from "@kinotic-ai/core";
+interface IEntityDefinitionService extends ICrudServiceProxy4<EntityDefinition> {
 	/**
 	* Counts all entity definitions for the given application.
 	* @param applicationId the application to find entity definitions for
@@ -765,8 +809,8 @@ interface IEntityDefinitionService extends ICrudServiceProxy3<EntityDefinition>
 	*/
 	unPublish(entityDefinitionId: string): Promise<void>;
 }
-declare class EntityDefinitionService extends CrudServiceProxy3<EntityDefinition> implements IEntityDefinitionService {
-	constructor(kinotic: IKinotic4);
+declare class EntityDefinitionService extends CrudServiceProxy4<EntityDefinition> implements IEntityDefinitionService {
+	constructor(kinotic: IKinotic5);
 	countForApplication(applicationId: string): Promise<number>;
 	countForProject(projectId: string): Promise<number>;
 	findAllForApplicationSinglePage(applicationId: string, pageable: Pageable2): Promise<Page<EntityDefinition>>;
@@ -778,20 +822,20 @@ declare class EntityDefinitionService extends CrudServiceProxy3<EntityDefinition
 	unPublish(entityDefinitionId: string): Promise<void>;
 	syncIndex(): Promise<void>;
 }
-import { IKinotic as IKinotic5 } from "@kinotic-ai/core";
-import { CrudServiceProxy as CrudServiceProxy4, ICrudServiceProxy as ICrudServiceProxy4 } from "@kinotic-ai/core";
-interface INamedQueriesDefinitionService extends ICrudServiceProxy4<NamedQueriesDefinition> {
+import { IKinotic as IKinotic6 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy5, ICrudServiceProxy as ICrudServiceProxy5 } from "@kinotic-ai/core";
+interface INamedQueriesDefinitionService extends ICrudServiceProxy5<NamedQueriesDefinition> {
 	/**
 	* This operation makes all the recent writes immediately available for search.
 	* @return a Promise that resolves when the operation is complete
 	*/
 	syncIndex(): Promise<void>;
 }
-declare class NamedQueriesDefinitionService extends CrudServiceProxy4<NamedQueriesDefinition> implements INamedQueriesDefinitionService {
-	constructor(kinotic: IKinotic5);
+declare class NamedQueriesDefinitionService extends CrudServiceProxy5<NamedQueriesDefinition> implements INamedQueriesDefinitionService {
+	constructor(kinotic: IKinotic6);
 	syncIndex(): Promise<void>;
 }
-import { IKinotic as IKinotic6 } from "@kinotic-ai/core";
+import { IKinotic as IKinotic7 } from "@kinotic-ai/core";
 /**
 * Service for executing project-specific migrations through the Persistence API.
 * This service allows external clients to apply their own migrations to projects.
@@ -823,12 +867,12 @@ interface IMigrationService {
 }
 declare class MigrationService implements IMigrationService {
 	private readonly serviceProxy;
-	constructor(kinotic: IKinotic6);
+	constructor(kinotic: IKinotic7);
 	executeMigrations(migrationRequest: MigrationRequest): Promise<MigrationResult>;
 	getLastAppliedMigrationVersion(projectId: string): Promise<number | null>;
 	isMigrationApplied(projectId: string, version: string): Promise<boolean>;
 }
-import { IKinotic as IKinotic7 } from "@kinotic-ai/core";
+import { IKinotic as IKinotic8 } from "@kinotic-ai/core";
 import { Observable } from "rxjs";
 /**
 * Provides AI-powered data analysis and visualization code generation capabilities.
@@ -847,12 +891,12 @@ interface IDataInsightsService {
 }
 declare class DataInsightsService implements IDataInsightsService {
 	private readonly serviceProxy;
-	constructor(kinotic: IKinotic7);
+	constructor(kinotic: IKinotic8);
 	processRequest(request: InsightRequest): Observable<InsightProgress>;
 }
-import { IKinotic as IKinotic8 } from "@kinotic-ai/core";
-import { CrudServiceProxy as CrudServiceProxy5, ICrudServiceProxy as ICrudServiceProxy5 } from "@kinotic-ai/core";
-interface IVmNodeService extends ICrudServiceProxy5<VmNode> {
+import { IKinotic as IKinotic9 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy6, ICrudServiceProxy as ICrudServiceProxy6 } from "@kinotic-ai/core";
+interface IVmNodeService extends ICrudServiceProxy6<VmNode> {
 	/**
 	* Finds a node with sufficient resources to host a workload with the given requirements.
 	* @param requiredCpus the number of vCPUs required
@@ -867,13 +911,13 @@ interface IVmNodeService extends ICrudServiceProxy5<VmNode> {
 	*/
 	syncIndex(): Promise<void>;
 }
-declare class VmNodeServiceProxy extends CrudServiceProxy5<VmNode> implements IVmNodeService {
-	constructor(kinotic: IKinotic8);
+declare class VmNodeServiceProxy extends CrudServiceProxy6<VmNode> implements IVmNodeService {
+	constructor(kinotic: IKinotic9);
 	findAvailableNode(requiredCpus: number, requiredMemoryMb: number, requiredDiskMb: number): Promise<VmNode | null>;
 	syncIndex(): Promise<void>;
 }
-import { CrudServiceProxy as CrudServiceProxy6, IKinotic as IKinotic9, ICrudServiceProxy as ICrudServiceProxy6, IterablePage as IterablePage3, Page as Page2, Pageable as Pageable3 } from "@kinotic-ai/core";
-interface IWorkloadService extends ICrudServiceProxy6<Workload> {
+import { CrudServiceProxy as CrudServiceProxy7, IKinotic as IKinotic10, ICrudServiceProxy as ICrudServiceProxy7, IterablePage as IterablePage3, Page as Page2, Pageable as Pageable3 } from "@kinotic-ai/core";
+interface IWorkloadService extends ICrudServiceProxy7<Workload> {
 	/**
 	* Finds all workloads deployed on the given node.
 	* @param nodeId the id of the node to find workloads for
@@ -893,49 +937,77 @@ interface IWorkloadService extends ICrudServiceProxy6<Workload> {
 	*/
 	syncIndex(): Promise<void>;
 }
-declare class WorkloadServiceProxy extends CrudServiceProxy6<Workload> implements IWorkloadService {
-	constructor(kinotic: IKinotic9);
+declare class WorkloadServiceProxy extends CrudServiceProxy7<Workload> implements IWorkloadService {
+	constructor(kinotic: IKinotic10);
 	findAllForNode(nodeId: string, pageable: Pageable3): Promise<IterablePage3<Workload>>;
 	findAllForNodeSinglePage(nodeId: string, pageable: Pageable3): Promise<Page2<Workload>>;
 	countForNode(nodeId: string): Promise<number>;
 	syncIndex(): Promise<void>;
 }
-import { CrudServiceProxy as CrudServiceProxy7, IKinotic as IKinotic10, ICrudServiceProxy as ICrudServiceProxy7, Page as Page3, Pageable as Pageable4 } from "@kinotic-ai/core";
-interface IIamUserService extends ICrudServiceProxy7<IamUser> {
+import { CrudServiceProxy as CrudServiceProxy8, IKinotic as IKinotic11, ICrudServiceProxy as ICrudServiceProxy8, Page as Page3, Pageable as Pageable4 } from "@kinotic-ai/core";
+interface IIamUserService extends ICrudServiceProxy8<IamUser> {
 	/**
 	* Finds the user with the given email within the given auth scope.
-	* @return Promise emitting the user or null if no user matches
+	* @param email the email address to look up
+	* @param authScopeType the scope type the user is registered against (e.g. {@code SYSTEM}, {@code ORGANIZATION}, {@code APPLICATION})
+	* @param authScopeId the id of the scope the user is registered against
+	* @return {@link Promise} emitting the matching user, or {@code null} if no user matches
 	*/
 	findByEmailAndScope(email: string, authScopeType: string, authScopeId: string): Promise<IamUser | null>;
 	/**
 	* Finds all users registered against the given auth scope.
+	* @param authScopeType the scope type to filter by (e.g. {@code SYSTEM}, {@code ORGANIZATION}, {@code APPLICATION})
+	* @param authScopeId the id of the scope to filter by
+	* @param pageable the paging and sort options
+	* @return {@link Promise} emitting a page of users registered against the scope
 	*/
 	findByScope(authScopeType: string, authScopeId: string, pageable: Pageable4): Promise<Page3<IamUser>>;
 	/**
 	* Creates a user and, if a password is provided, the matching credential.
-	* APPLICATION-scoped users must carry a {@code tenantId}; SYSTEM and ORGANIZATION users must not.
+	* {@code APPLICATION}-scoped users must carry a {@code tenantId}; {@code SYSTEM} and {@code ORGANIZATION} users must not.
+	* @param user the user to create
+	* @param password the password to set, or {@code null} to create the user without a credential
+	* @return {@link Promise} emitting the persisted user
 	*/
 	createUser(user: IamUser, password: string | null): Promise<IamUser>;
 	/**
 	* Verifies the current password and updates it. Used when the user knows their current password.
+	* @param userId the id of the user whose password should be changed
+	* @param currentPassword the user's current password
+	* @param newPassword the new password to set
+	* @return {@link Promise} that resolves when the password has been updated
 	*/
 	changePassword(userId: string, currentPassword: string, newPassword: string): Promise<void>;
 	/**
 	* Replaces the user's password without verifying the current one. Administrative reset.
+	* @param userId the id of the user whose password should be reset
+	* @param newPassword the new password to set
+	* @return {@link Promise} that resolves when the password has been reset
 	*/
 	resetPassword(userId: string, newPassword: string): Promise<void>;
+	/**
+	* Finds the first user with the given email across all scope ids of the given scope type.
+	* Used by the sign-up flow to enforce one user per email at organization-creation time,
+	* before the new organization's scope id exists.
+	* @param email the email address to look up
+	* @param authScopeType the scope type to search within (e.g. {@code ORGANIZATION})
+	* @return {@link Promise} emitting the first matching user, or {@code null} if no user matches
+	*/
+	findFirstByEmailInScopeType(email: string, authScopeType: string): Promise<IamUser | null>;
 }
-declare class IamUserService extends CrudServiceProxy7<IamUser> implements IIamUserService {
-	constructor(kinotic: IKinotic10);
+declare class IamUserService extends CrudServiceProxy8<IamUser> implements IIamUserService {
+	constructor(kinotic: IKinotic11);
 	findByEmailAndScope(email: string, authScopeType: string, authScopeId: string): Promise<IamUser | null>;
 	findByScope(authScopeType: string, authScopeId: string, pageable: Pageable4): Promise<Page3<IamUser>>;
 	createUser(user: IamUser, password: string | null): Promise<IamUser>;
 	changePassword(userId: string, currentPassword: string, newPassword: string): Promise<void>;
 	resetPassword(userId: string, newPassword: string): Promise<void>;
+	findFirstByEmailInScopeType(email: string, authScopeType: string): Promise<IamUser | null>;
 }
 import { KinoticPlugin } from "@kinotic-ai/core";
 interface IOsApiExtension {
 	applications: IApplicationService;
+	organizations: IOrganizationService;
 	projects: IProjectService;
 	logManager: ILogManager;
 	entityDefinitions: IEntityDefinitionService;
@@ -950,4 +1022,4 @@ declare const OsApiPlugin: KinoticPlugin<IOsApiExtension>;
 declare module "@kinotic-ai/core" {
 	interface KinoticSingleton extends IOsApiExtension {}
 }
-export { WorkloadStatus, WorkloadServiceProxy, Workload, VmProviderType, VmNodeStatus, VmNodeServiceProxy, VmNode, VersionDecorator, TimeReferenceDecorator, TextDecorator, TenantSelectionC3Type, TenantIdDecorator, SingleLoggerLevelsDescriptor, SignUpRequest, SignUpCompleteRequest, QueryOptionsC3Type, QueryDecorator, ProjectType, ProjectService, Project, ProgressType, PageableC3Type, PageC3Type, OsApiPlugin, NotIndexedDecorator, NestedDecorator, NamedQueriesDefinitionService, NamedQueriesDefinition, MigrationService, MigrationResult, MigrationRequest, MigrationDefinition, LoggersDescriptor, LoggerLevelsDescriptor, LogManager, LogLevel, KinoticProjectConfig, InsightRequest, InsightProgress, IdDecorator, IamUserService, IamUser, IWorkloadService, IVmNodeService, IProjectService, IOsApiExtension, INamedQueriesDefinitionService, IMigrationService, ILogManager, IIamUserService, IEntityDefinitionService, IDataInsightsService, IApplicationService, GroupLoggerLevelsDescriptor, FlattenedDecorator, EsIndexConfigurationDecorator, EntityDefinitionService, EntityDefinition, EntityDecorator, EntitiesPathConfig, DiscriminatorDecorator, DataInsightsService, DataInsightsComponent, AutoGeneratedIdDecorator, AuthType, ApplicationService, Application };
+export { WorkloadStatus, WorkloadServiceProxy, Workload, VmProviderType, VmNodeStatus, VmNodeServiceProxy, VmNode, VersionDecorator, TimeReferenceDecorator, TextDecorator, TenantSelectionC3Type, TenantIdDecorator, SingleLoggerLevelsDescriptor, SignUpRequest, SignUpCompleteRequest, QueryOptionsC3Type, QueryDecorator, ProjectType, ProjectService, Project, ProgressType, PageableC3Type, PageC3Type, OsApiPlugin, OrganizationService, Organization, NotIndexedDecorator, NestedDecorator, NamedQueriesDefinitionService, NamedQueriesDefinition, MigrationService, MigrationResult, MigrationRequest, MigrationDefinition, LoggersDescriptor, LoggerLevelsDescriptor, LogManager, LogLevel, KinoticProjectConfig, InsightRequest, InsightProgress, IdDecorator, IamUserService, IamUser, IWorkloadService, IVmNodeService, IProjectService, IOsApiExtension, IOrganizationService, INamedQueriesDefinitionService, IMigrationService, ILogManager, IIamUserService, IEntityDefinitionService, IDataInsightsService, IApplicationService, GroupLoggerLevelsDescriptor, FlattenedDecorator, EsIndexConfigurationDecorator, EntityDefinitionService, EntityDefinition, EntityDecorator, EntitiesPathConfig, DiscriminatorDecorator, DataInsightsService, DataInsightsComponent, AutoGeneratedIdDecorator, AuthType, ApplicationService, Application };

package/dist/index.js

@@ -176,6 +176,7 @@ class TenantSelectionC3Type extends ArrayC3Type {
 // packages/os-api/src/api/model/Application.ts
 class Application {
   id;
+  organizationId;
   description;
   updated = null;
   constructor(id, description) {
@@ -183,9 +184,20 @@ class Application {
     this.description = description;
   }
 }
+// packages/os-api/src/api/model/Organization.ts
+class Organization {
+  id = null;
+  name = "";
+  description = null;
+  oidcConfigurationIds = null;
+  createdBy = null;
+  created = null;
+  updated = null;
+}
 // packages/os-api/src/api/model/Project.ts
 class Project {
   id = null;
+  organizationId;
   applicationId;
   name;
   description;
@@ -216,7 +228,8 @@ class EntityDefinition {
   updated;
   published;
   publishedTimestamp;
-  constructor(applicationId, projectId, name, schema, description) {
+  constructor(organizationId, applicationId, projectId, name, schema, description) {
+    this.organizationId = organizationId;
     this.applicationId = applicationId;
     this.projectId = projectId;
     this.name = name;
@@ -363,6 +376,17 @@ class ApplicationService extends CrudServiceProxy {
     return this.serviceProxy.invoke("syncIndex", []);
   }
 }
+// packages/os-api/src/api/services/IOrganizationService.ts
+import { CrudServiceProxy as CrudServiceProxy2 } from "@kinotic-ai/core";
+
+class OrganizationService extends CrudServiceProxy2 {
+  constructor(kinotic) {
+    super(kinotic.serviceProxy("org.kinotic.os.api.services.OrganizationService"));
+  }
+  getOidcConfigurations(organizationId) {
+    return this.serviceProxy.invoke("getOidcConfigurations", [organizationId]);
+  }
+}
 // packages/os-api/src/api/services/ILogManager.ts
 var LogLevel;
 ((LogLevel2) => {
@@ -393,9 +417,9 @@ class LoggersDescriptor {
   groups = new Map;
 }
 // packages/os-api/src/api/services/IProjectService.ts
-import { CrudServiceProxy as CrudServiceProxy2, FunctionalIterablePage } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy3, FunctionalIterablePage } from "@kinotic-ai/core";
 
-class ProjectService extends CrudServiceProxy2 {
+class ProjectService extends CrudServiceProxy3 {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.os.api.services.ProjectService"));
   }
@@ -443,9 +467,9 @@ class LogManager {
   }
 }
 // packages/os-api/src/api/services/IEntityDefinitionService.ts
-import { CrudServiceProxy as CrudServiceProxy3, FunctionalIterablePage as FunctionalIterablePage2 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy4, FunctionalIterablePage as FunctionalIterablePage2 } from "@kinotic-ai/core";
 
-class EntityDefinitionService extends CrudServiceProxy3 {
+class EntityDefinitionService extends CrudServiceProxy4 {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.persistence.api.services.EntityDefinitionService"));
   }
@@ -483,9 +507,9 @@ class EntityDefinitionService extends CrudServiceProxy3 {
   }
 }
 // packages/os-api/src/api/services/INamedQueriesDefinitionService.ts
-import { CrudServiceProxy as CrudServiceProxy4 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy5 } from "@kinotic-ai/core";
 
-class NamedQueriesDefinitionService extends CrudServiceProxy4 {
+class NamedQueriesDefinitionService extends CrudServiceProxy5 {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.persistence.api.services.NamedQueriesDefinitionService"));
   }
@@ -520,9 +544,9 @@ class DataInsightsService {
   }
 }
 // packages/os-api/src/api/services/IVmNodeService.ts
-import { CrudServiceProxy as CrudServiceProxy5 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy6 } from "@kinotic-ai/core";
 
-class VmNodeServiceProxy extends CrudServiceProxy5 {
+class VmNodeServiceProxy extends CrudServiceProxy6 {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.os.api.services.VmNodeService"));
   }
@@ -534,9 +558,9 @@ class VmNodeServiceProxy extends CrudServiceProxy5 {
   }
 }
 // packages/os-api/src/api/services/IWorkloadService.ts
-import { CrudServiceProxy as CrudServiceProxy6, FunctionalIterablePage as FunctionalIterablePage3 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy7, FunctionalIterablePage as FunctionalIterablePage3 } from "@kinotic-ai/core";
 
-class WorkloadServiceProxy extends CrudServiceProxy6 {
+class WorkloadServiceProxy extends CrudServiceProxy7 {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.os.api.services.WorkloadService"));
   }
@@ -555,9 +579,9 @@ class WorkloadServiceProxy extends CrudServiceProxy6 {
   }
 }
 // packages/os-api/src/api/services/iam/IIamUserService.ts
-import { CrudServiceProxy as CrudServiceProxy7 } from "@kinotic-ai/core";
+import { CrudServiceProxy as CrudServiceProxy8 } from "@kinotic-ai/core";
 
-class IamUserService extends CrudServiceProxy7 {
+class IamUserService extends CrudServiceProxy8 {
   constructor(kinotic) {
     super(kinotic.serviceProxy("org.kinotic.os.api.services.iam.IamUserService"));
   }
@@ -576,12 +600,16 @@ class IamUserService extends CrudServiceProxy7 {
   resetPassword(userId, newPassword) {
     return this.serviceProxy.invoke("resetPassword", [userId, newPassword]);
   }
+  findFirstByEmailInScopeType(email, authScopeType) {
+    return this.serviceProxy.invoke("findFirstByEmailInScopeType", [email, authScopeType]);
+  }
 }
 // packages/os-api/src/api/OsApiPlugin.ts
 var OsApiPlugin = {
   install(kinotic) {
     return {
       applications: new ApplicationService(kinotic),
+      organizations: new OrganizationService(kinotic),
       projects: new ProjectService(kinotic),
       logManager: new LogManager(kinotic),
       entityDefinitions: new EntityDefinitionService(kinotic),
@@ -617,6 +645,8 @@ export {
   PageableC3Type,
   PageC3Type,
   OsApiPlugin,
+  OrganizationService,
+  Organization,
   NotIndexedDecorator,
   NestedDecorator,
   NamedQueriesDefinitionService,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kinotic-ai/os-api",
-  "version": "1.0.16",
+  "version": "1.2.0",
   "type": "module",
   "files": [
     "dist"
@@ -37,7 +37,7 @@
   },
   "dependencies": {
     "@kinotic-ai/idl": "1.0.9",
-    "@kinotic-ai/persistence": "1.1.1",
+    "@kinotic-ai/persistence": "1.2.1",
     "rxjs": "^7.8.2"
   },
   "devDependencies": {