@milaboratories/pl-client 3.6.0 → 3.8.0

package/src/core/ll_client.ts

@@ -21,6 +21,7 @@ import { parsePlJwt } from "../util/pl";
 import { type Dispatcher, interceptors } from "undici";
 import type { Middleware } from "openapi-fetch";
 import { inferAuthRefreshTime } from "./auth";
+import { hasCapability, type BackendCapability } from "./capabilities";
 import { defaultHttpDispatcher } from "@milaboratories/pl-http";
 import type { WireClientProvider, WireClientProviderFactory, WireConnection } from "./wire";
 import { parseHttpAuth } from "@milaboratories/pl-model-common";
@@ -47,6 +48,19 @@ export interface PlCallOps {
   abortSignal?: AbortSignal;
 }
 
+// Parses leading "<major>.<minor>.<patch>" from a version string like
+// "3.1.1" or "3.1.1-rc1" and returns true if the parsed version is >= target.
+// Returns false for unparseable versions (safer to assume an old backend).
+function isVersionAtLeast(version: string, target: [number, number, number]): boolean {
+  const match = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
+  if (!match) return false;
+  const parsed: [number, number, number] = [Number(match[1]), Number(match[2]), Number(match[3])];
+  for (let i = 0; i < 3; i++) {
+    if (parsed[i] !== target[i]) return parsed[i] > target[i];
+  }
+  return true;
+}
+
 class WireClientProviderImpl<Client> implements WireClientProvider<Client> {
   private client: Client | undefined = undefined;
 
@@ -78,6 +92,10 @@ export class LLPlClient implements WireClientProviderFactory {
   /** Threshold after which auth info refresh is required */
   private refreshTimestamp?: number;
 
+  /** Cached Ping response. Populated by build() before it returns; refreshed by every later ping(). */
+  private _serverInfo?: grpcTypes.MaintenanceAPI_Ping_Response;
+  private _authMethodsSync?: grpcTypes.AuthAPI_ListMethods_Response;
+
   private _status: PlConnectionStatus = "OK";
   private readonly statusListener?: PlConnectionStatusListener;
 
@@ -112,6 +130,15 @@ export class LLPlClient implements WireClientProviderFactory {
     if (ops.useAutoDetectWireProtocol) {
       await pl.detectOptimalWireProtocol();
     }
+
+    // Guarantee a ping happened so capability-gated paths (login, refresh) can branch synchronously.
+    // In the autodetect path the loop's last successful ping already populated _serverInfo via the
+    // side-effect in ping(); this fallback covers the path where autodetect is disabled.
+    if (!pl._serverInfo) await pl.ping();
+
+    // Guarantee authMethods happened so client can make weighted decision on which auth method to use.
+    if (!pl._authMethodsSync) await pl.authMethods();
+
     return pl;
   }
 
@@ -320,9 +347,12 @@ export class LLPlClient implements WireClientProviderFactory {
   /** null means anonymous connection */
   public get authUser(): string | null {
     if (!this.authenticated) throw new Error("Client is not authenticated");
-    if (this.authInformation?.jwtToken)
+    if (this.authInformation?.jwtToken) {
+      if (this.hasCapability("auth:v2")) {
+        return parsePlJwt(this.authInformation?.jwtToken).sub;
+      }
       return parsePlJwt(this.authInformation?.jwtToken).user.login;
-    else return null;
+    } else return null;
   }
 
   private updateStatus(newStatus: PlConnectionStatus) {
@@ -354,7 +384,10 @@ export class LLPlClient implements WireClientProviderFactory {
     this.authRefreshInProgress = true;
     void (async () => {
       try {
-        const token = await this.getJwtToken(BigInt(this.conf.authTTLSeconds));
+        const ttl = BigInt(this.conf.authTTLSeconds);
+        const token = this.hasCapability("auth:v2")
+          ? await this.refreshToken({ ttlSeconds: ttl })
+          : await this.getJwtToken(ttl);
         this.authInformation = { jwtToken: token };
         this.refreshTimestamp = inferAuthRefreshTime(
           this.authInformation,
@@ -491,10 +524,108 @@ export class LLPlClient implements WireClientProviderFactory {
     }
   }
 
+  /** Login via username/password. Returns a fresh JWT. Backend creates a new session per call. */
+  public async loginBasic(
+    user: string,
+    password: string,
+    opts: { ttlSeconds?: bigint; role?: AuthAPI_Role } = {},
+  ): Promise<string> {
+    const cl = this.clientProvider.get();
+    const ttl = opts.ttlSeconds ?? BigInt(this.conf.authTTLSeconds);
+    const role = opts.role ?? AuthAPI_Role.UNSPECIFIED;
+
+    if (cl instanceof GrpcPlApiClient) {
+      return (
+        await cl.login({
+          credentials: {
+            oneofKind: "basic",
+            basic: { login: user, password },
+          },
+          expiration: { seconds: ttl, nanos: 0 },
+          requestedRole: role,
+        }).response
+      ).token;
+    } else {
+      const resp = cl.POST("/v1/auth/login", {
+        // openapi-typescript generated all body fields as required, but Login.Request
+        // has a credentials oneof — only one of `basic`/`token` is sent. Cast around it.
+        body: {
+          basic: { login: user, password },
+          expiration: `${ttl}s`,
+          requestedRole: role,
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } as any,
+      });
+      return notEmpty((await resp).data, "REST: empty response for login request").token;
+    }
+  }
+
+  /** Login via opaque bearer token (controller pre-shared secret, OIDC id-token, etc.).
+   * String input is UTF-8 encoded. Returns a fresh Platforma JWT. */
+  public async loginWithToken(
+    token: Uint8Array | string,
+    opts: { ttlSeconds?: bigint; role?: AuthAPI_Role } = {},
+  ): Promise<string> {
+    const cl = this.clientProvider.get();
+    const ttl = opts.ttlSeconds ?? BigInt(this.conf.authTTLSeconds);
+    const role = opts.role ?? AuthAPI_Role.UNSPECIFIED;
+    const bytes = typeof token === "string" ? Buffer.from(token, "utf8") : token;
+
+    if (cl instanceof GrpcPlApiClient) {
+      return (
+        await cl.login({
+          credentials: {
+            oneofKind: "token",
+            token: { token: bytes },
+          },
+          expiration: { seconds: ttl, nanos: 0 },
+          requestedRole: role,
+        }).response
+      ).token;
+    } else {
+      const resp = cl.POST("/v1/auth/login", {
+        // openapi-typescript marks all body fields as required, but Login.Request has a oneof.
+        // REST encodes `bytes` as a base64 string.
+        body: {
+          token: { token: Buffer.from(bytes).toString("base64") },
+          expiration: `${ttl}s`,
+          requestedRole: role,
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        } as any,
+      });
+      return notEmpty((await resp).data, "REST: empty response for login request").token;
+    }
+  }
+
+  /** Refresh the current JWT, preserving session id and role. */
+  public async refreshToken(opts: { ttlSeconds?: bigint } = {}): Promise<string> {
+    const cl = this.clientProvider.get();
+    const ttl = opts.ttlSeconds ?? BigInt(this.conf.authTTLSeconds);
+    const currentToken = notEmpty(
+      this.authInformation?.jwtToken,
+      "refreshToken called without a current JWT",
+    );
+
+    if (cl instanceof GrpcPlApiClient) {
+      return (
+        await cl.refreshToken({
+          token: currentToken,
+          expiration: { seconds: ttl, nanos: 0 },
+        }).response
+      ).token;
+    } else {
+      const resp = cl.POST("/v1/auth/refresh", {
+        body: { token: currentToken, expiration: `${ttl}s` },
+      });
+      return notEmpty((await resp).data, "REST: empty response for refresh request").token;
+    }
+  }
+
   public async ping(): Promise<grpcTypes.MaintenanceAPI_Ping_Response> {
     const cl = this.clientProvider.get();
+    let resp: grpcTypes.MaintenanceAPI_Ping_Response;
     if (cl instanceof GrpcPlApiClient) {
-      return (await cl.ping({})).response;
+      resp = (await cl.ping({})).response;
     } else {
       // The REST ping response predates the `capabilities` field (proto field 9).
       // Old servers omit it; treat absence as empty capability list.
@@ -502,12 +633,32 @@ export class LLPlClient implements WireClientProviderFactory {
         (await cl.GET("/v1/ping")).data,
         "REST: empty response for ping request",
       );
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      return {
+      resp = {
         ...(pingData as unknown as grpcTypes.MaintenanceAPI_Ping_Response),
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
         capabilities: (pingData as any).capabilities ?? [],
       };
     }
+    this._serverInfo = resp;
+    return resp;
+  }
+
+  /** Cached Ping response. Always populated post-build(); throws if accessed earlier. */
+  public get serverInfo(): grpcTypes.MaintenanceAPI_Ping_Response {
+    if (!this._serverInfo) {
+      throw new Error("LLPlClient.serverInfo accessed before build() completed");
+    }
+    return this._serverInfo;
+  }
+
+  /** Synchronous capability check against the cached Ping response. */
+  public hasCapability(capability: BackendCapability): boolean {
+    return hasCapability(this.serverInfo.capabilities, capability);
+  }
+
+  /** True if the backend implements the setDefaultColor TX request. */
+  public get supportsSetDefaultColor(): boolean {
+    return isVersionAtLeast(this.serverInfo.coreVersion, [3, 3, 0]);
   }
 
   /**
@@ -592,14 +743,42 @@ export class LLPlClient implements WireClientProviderFactory {
 
   public async authMethods(): Promise<grpcTypes.AuthAPI_ListMethods_Response> {
     const cl = this.clientProvider.get();
+    let resp: grpcTypes.AuthAPI_ListMethods_Response;
     if (cl instanceof GrpcPlApiClient) {
-      return (await cl.authMethods({})).response;
+      resp = (await cl.authMethods({})).response;
     } else {
-      return notEmpty(
+      const wsResponse = notEmpty(
         (await cl.GET("/v1/auth/methods")).data,
         "REST: empty response for auth methods request",
       );
+      // OpenAPI schema flattens the protobuf oneof into `{ basic?, token? }`,
+      // while protobuf-ts models it as a discriminated union. Reshape per item.
+      resp = {
+        methods: (wsResponse.methods ?? []).map((m): grpcTypes.AuthAPI_ListMethods_MethodInfo => {
+          const base = { id: m.id, description: m.description };
+          if (m.basic !== undefined) {
+            return { ...base, method: { oneofKind: "basic", basic: m.basic } };
+          }
+          if (m.token !== undefined) {
+            return { ...base, method: { oneofKind: "token", token: m.token } };
+          }
+          if (m.sso !== undefined) {
+            return { ...base, method: { oneofKind: "sso", sso: m.sso } };
+          }
+          return { ...base, method: { oneofKind: undefined } };
+        }),
+      };
+    }
+
+    this._authMethodsSync = resp;
+    return resp;
+  }
+
+  public get authMethodsSync(): grpcTypes.AuthAPI_ListMethods_Response {
+    if (!this._authMethodsSync) {
+      throw new Error("LLPlClient.authMethodsSync accessed before build() completed");
     }
+    return this._authMethodsSync;
   }
 
   public async getUserRoot(

package/src/core/ll_transaction.test.ts

@@ -113,11 +113,14 @@ test("check timeout error type (active)", async () => {
     );
     expect(openResponse.txOpen.tx?.isValid).toBeTruthy();
 
-    // Set default color so resource creation succeeds in strict mode
-    await tx.send(
-      { oneofKind: "setDefaultColor", setDefaultColor: { colorProof: rootSig } },
-      false,
-    );
+    // Set default color so resource creation succeeds in strict mode.
+    // Skip on older backends that don't implement the setDefaultColor TX request.
+    if (client.supportsSetDefaultColor) {
+      await tx.send(
+        { oneofKind: "setDefaultColor", setDefaultColor: { colorProof: rootSig } },
+        false,
+      );
+    }
 
     const rData = Uint8Array.from([
       (Math.random() * 256) & 0xff,
@@ -185,10 +188,13 @@ test("check is abort error (active)", async () => {
     expect(openResponse.txOpen.tx?.isValid).toBeTruthy();
 
     // Set default color so resource creation succeeds in strict mode
-    await tx.send(
-      { oneofKind: "setDefaultColor", setDefaultColor: { colorProof: rootSig } },
-      false,
-    );
+    // Skip on older backends that don't implement the setDefaultColor TX request.
+    if (client.supportsSetDefaultColor) {
+      await tx.send(
+        { oneofKind: "setDefaultColor", setDefaultColor: { colorProof: rootSig } },
+        false,
+      );
+    }
 
     const rData = Uint8Array.from([
       Math.random() & 0xff,

package/src/core/transaction.ts

@@ -702,6 +702,7 @@ export class PlTransaction {
           resourceGet: {
             ...this.toSignedResourceId(rId),
             loadFields: loadFields,
+            showSoftDeletes: false,
           },
         },
         (r) => protoToResource(notEmpty(r.resourceGet.resource)),
@@ -1136,6 +1137,7 @@ export class PlTransaction {
         traverseStopRules: opts?.traverseStopRules,
         includeKv: opts?.includeKv ?? false,
         maxDepth: opts?.maxDepth,
+        showSoftDeletes: false,
       },
     });
 

package/src/core/unauth_client.ts

@@ -6,6 +6,7 @@ import type {
 import { LLPlClient } from "./ll_client";
 import { type MiLogger, notEmpty } from "@milaboratories/ts-helpers";
 import { UnauthenticatedError } from "./errors";
+import type { BackendCapability } from "./capabilities";
 
 /** Primarily used for initial authentication (login) */
 export class UnauthenticatedPlClient {
@@ -35,11 +36,49 @@ export class UnauthenticatedPlClient {
     return (await this.authMethods()).methods.length > 0;
   }
 
+  public hasCapability(capability: BackendCapability): boolean {
+    return this.ll.hasCapability(capability);
+  }
+
+  /** Classifies the advertised authentication methods by credential scheme.
+   * On legacy backends (no auth:v2) the typed oneof is empty; callers fall through to {@link login}
+   * which uses the legacy GetJWTToken path. */
+  public get supportedAuthSchemes(): { basic: boolean; token: boolean } {
+    const result = { basic: false, token: false };
+    for (const m of this.ll.authMethodsSync.methods) {
+      if (m.method.oneofKind === "basic") result.basic = true;
+      else if (m.method.oneofKind === "token") result.token = true;
+    }
+    return result;
+  }
+
+  /** Login with username+password.
+   *
+   * On auth:v2 backends the client inspects the advertised AuthMethods:
+   *   - if basic auth is offered, sends {@link LLPlClient.loginBasic};
+   *   - if only token auth is offered, treats `password` as an opaque bearer token and
+   *     sends {@link LLPlClient.loginWithToken} (so deployments configured for static-token
+   *     auth still log in without the caller switching methods).
+   *
+   * On legacy backends (no auth:v2) it falls through to GetJWTToken with the Basic header,
+   * preserving original behavior. */
   public async login(user: string, password: string): Promise<AuthInformation> {
     try {
-      const token = await this.ll.getJwtToken(BigInt(this.ll.conf.authTTLSeconds), {
-        authorization: "Basic " + Buffer.from(user + ":" + password).toString("base64"),
-      });
+      let token: string;
+      if (this.ll.hasCapability("auth:v2")) {
+        const schemes = this.supportedAuthSchemes;
+        if (schemes.basic) {
+          token = await this.ll.loginBasic(user, password);
+        } else if (schemes.token) {
+          token = await this.ll.loginWithToken(password);
+        } else {
+          throw new Error("backend advertises no supported authentication methods");
+        }
+      } else {
+        token = await this.ll.getJwtToken(BigInt(this.ll.conf.authTTLSeconds), {
+          authorization: "Basic " + Buffer.from(user + ":" + password).toString("base64"),
+        });
+      }
       const jwtToken = notEmpty(token);
       if (jwtToken === "") throw new Error("empty token");
       return { jwtToken };

package/src/core/unauth_client_branch.test.ts

@@ -0,0 +1,69 @@
+import { test, expect, vi } from "vitest";
+import { UnauthenticatedPlClient } from "./unauth_client";
+import type { BackendCapability } from "./capabilities";
+
+type Scheme = "basic" | "token" | "none";
+
+function makeStub(opts: { hasAuthV2: boolean; scheme?: Scheme }) {
+  const scheme = opts.scheme ?? "basic";
+  const methods =
+    scheme === "basic"
+      ? [{ id: "basic", method: { oneofKind: "basic", basic: {} } }]
+      : scheme === "token"
+        ? [{ id: "token", method: { oneofKind: "token", token: {} } }]
+        : [];
+  const ll = {
+    hasCapability: vi.fn(
+      (capability: BackendCapability) => capability === "auth:v2" && opts.hasAuthV2,
+    ),
+    loginBasic: vi.fn().mockResolvedValue("jwt-from-loginBasic"),
+    loginWithToken: vi.fn().mockResolvedValue("jwt-from-loginWithToken"),
+    getJwtToken: vi.fn().mockResolvedValue("jwt-from-getJwtToken"),
+    authMethodsSync: { methods },
+    conf: { authTTLSeconds: 100 },
+  };
+  const client = Object.assign(Object.create(UnauthenticatedPlClient.prototype) as object, { ll });
+  return { client: client as UnauthenticatedPlClient, ll };
+}
+
+test("login routes to loginBasic when backend advertises auth:v2 + basic scheme", async () => {
+  const { client, ll } = makeStub({ hasAuthV2: true, scheme: "basic" });
+
+  const info = await client.login("alice", "pw");
+
+  expect(ll.loginBasic).toHaveBeenCalledWith("alice", "pw");
+  expect(ll.loginWithToken).not.toHaveBeenCalled();
+  expect(ll.getJwtToken).not.toHaveBeenCalled();
+  expect(info.jwtToken).toBe("jwt-from-loginBasic");
+});
+
+test("login routes to loginWithToken when backend advertises auth:v2 + token-only scheme", async () => {
+  const { client, ll } = makeStub({ hasAuthV2: true, scheme: "token" });
+
+  const info = await client.login("alice", "opaque-token");
+
+  expect(ll.loginWithToken).toHaveBeenCalledWith("opaque-token");
+  expect(ll.loginBasic).not.toHaveBeenCalled();
+  expect(ll.getJwtToken).not.toHaveBeenCalled();
+  expect(info.jwtToken).toBe("jwt-from-loginWithToken");
+});
+
+test("login falls back to getJwtToken when backend lacks auth:v2", async () => {
+  const { client, ll } = makeStub({ hasAuthV2: false });
+
+  const info = await client.login("alice", "pw");
+
+  expect(ll.getJwtToken).toHaveBeenCalledWith(BigInt(100), {
+    authorization: expect.stringMatching(/^Basic /),
+  });
+  expect(ll.loginBasic).not.toHaveBeenCalled();
+  expect(ll.loginWithToken).not.toHaveBeenCalled();
+  expect(info.jwtToken).toBe("jwt-from-getJwtToken");
+});
+
+test("hasCapability proxies to underlying LLPlClient", () => {
+  const { client, ll } = makeStub({ hasAuthV2: true });
+  expect(client.hasCapability("auth:v2")).toBe(true);
+  expect(client.hasCapability("treeFilter:v1")).toBe(false);
+  expect(ll.hasCapability).toHaveBeenCalledWith("auth:v2");
+});

package/src/index.ts

@@ -8,6 +8,7 @@ export * from "./core/errors";
 export * from "./core/default_client";
 export * from "./core/unauth_client";
 export * from "./core/auth";
+export * from "./core/capabilities";
 export * from "./core/final";
 export * from "./core/tree_filter";
 export * from "./core/user_resources";

package/src/proto-grpc/github.com/googleapis/googleapis/google/rpc/status.ts

@@ -2,7 +2,7 @@
 // @generated from protobuf file "github.com/googleapis/googleapis/google/rpc/status.proto" (package "google.rpc", syntax proto3)
 // tslint:disable
 //
-// Copyright 2026 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

package/src/proto-grpc/github.com/milaboratory/pl/plapi/plapiproto/api.client.ts

@@ -25,6 +25,12 @@ import type { AuthAPI_GrantAccess_Response } from "./api";
 import type { AuthAPI_GrantAccess_Request } from "./api";
 import type { AuthAPI_GetSessionInfo_Response } from "./api";
 import type { AuthAPI_GetSessionInfo_Request } from "./api";
+import type { AuthAPI_RefreshToken_Response } from "./api";
+import type { AuthAPI_RefreshToken_Request } from "./api";
+import type { AuthAPI_BeginSSOLogin_Response } from "./api";
+import type { AuthAPI_BeginSSOLogin_Request } from "./api";
+import type { AuthAPI_Login_Response } from "./api";
+import type { AuthAPI_Login_Request } from "./api";
 import type { AuthAPI_GetJWTToken_Response } from "./api";
 import type { AuthAPI_GetJWTToken_Request } from "./api";
 import type { AuthAPI_ListMethods_Response } from "./api";
@@ -213,9 +219,39 @@ export interface IPlatformClient {
      */
     authMethods(input: AuthAPI_ListMethods_Request, options?: RpcOptions): UnaryCall<AuthAPI_ListMethods_Request, AuthAPI_ListMethods_Response>;
     /**
+     * Deprecated: Use Login for session creation and role transitions,
+     * and RefreshToken for token renewal. Backends implementing this API always return
+     * codes.Unimplemented. Kept here so clients can still call old backends.
+     *
+     * @deprecated
      * @generated from protobuf rpc: GetJWTToken
      */
     getJWTToken(input: AuthAPI_GetJWTToken_Request, options?: RpcOptions): UnaryCall<AuthAPI_GetJWTToken_Request, AuthAPI_GetJWTToken_Response>;
+    /**
+     * Login authenticates with the given credentials and returns a new Platforma JWT.
+     * Every Login call creates a new session. Use RefreshToken to renew an existing one.
+     * This method is public: no Authorization header is required.
+     *
+     * @generated from protobuf rpc: Login
+     */
+    login(input: AuthAPI_Login_Request, options?: RpcOptions): UnaryCall<AuthAPI_Login_Request, AuthAPI_Login_Response>;
+    /**
+     * BeginSSOLogin returns a fresh one-time nonce that the desktop must place
+     * into the OIDC auth-request before redirecting to the IdP. Used by the SSO
+     * login flow. This method is public: no Authorization header is required.
+     *
+     * @generated from protobuf rpc: BeginSSOLogin
+     */
+    beginSSOLogin(input: AuthAPI_BeginSSOLogin_Request, options?: RpcOptions): UnaryCall<AuthAPI_BeginSSOLogin_Request, AuthAPI_BeginSSOLogin_Response>;
+    /**
+     * RefreshToken accepts a valid Platforma JWT and re-issues it with the same
+     * session ID and role. Only the token expiration may be changed.
+     * Workflow-scoped tokens cannot be refreshed; call Login instead.
+     * This method is public: no Authorization header is required.
+     *
+     * @generated from protobuf rpc: RefreshToken
+     */
+    refreshToken(input: AuthAPI_RefreshToken_Request, options?: RpcOptions): UnaryCall<AuthAPI_RefreshToken_Request, AuthAPI_RefreshToken_Response>;
     /**
      * @generated from protobuf rpc: GetSessionInfo
      */
@@ -479,38 +515,77 @@ export class PlatformClient implements IPlatformClient, ServiceInfo {
         return stackIntercept<AuthAPI_ListMethods_Request, AuthAPI_ListMethods_Response>("unary", this._transport, method, opt, input);
     }
     /**
+     * Deprecated: Use Login for session creation and role transitions,
+     * and RefreshToken for token renewal. Backends implementing this API always return
+     * codes.Unimplemented. Kept here so clients can still call old backends.
+     *
+     * @deprecated
      * @generated from protobuf rpc: GetJWTToken
      */
     getJWTToken(input: AuthAPI_GetJWTToken_Request, options?: RpcOptions): UnaryCall<AuthAPI_GetJWTToken_Request, AuthAPI_GetJWTToken_Response> {
         const method = this.methods[23], opt = this._transport.mergeOptions(options);
         return stackIntercept<AuthAPI_GetJWTToken_Request, AuthAPI_GetJWTToken_Response>("unary", this._transport, method, opt, input);
     }
+    /**
+     * Login authenticates with the given credentials and returns a new Platforma JWT.
+     * Every Login call creates a new session. Use RefreshToken to renew an existing one.
+     * This method is public: no Authorization header is required.
+     *
+     * @generated from protobuf rpc: Login
+     */
+    login(input: AuthAPI_Login_Request, options?: RpcOptions): UnaryCall<AuthAPI_Login_Request, AuthAPI_Login_Response> {
+        const method = this.methods[24], opt = this._transport.mergeOptions(options);
+        return stackIntercept<AuthAPI_Login_Request, AuthAPI_Login_Response>("unary", this._transport, method, opt, input);
+    }
+    /**
+     * BeginSSOLogin returns a fresh one-time nonce that the desktop must place
+     * into the OIDC auth-request before redirecting to the IdP. Used by the SSO
+     * login flow. This method is public: no Authorization header is required.
+     *
+     * @generated from protobuf rpc: BeginSSOLogin
+     */
+    beginSSOLogin(input: AuthAPI_BeginSSOLogin_Request, options?: RpcOptions): UnaryCall<AuthAPI_BeginSSOLogin_Request, AuthAPI_BeginSSOLogin_Response> {
+        const method = this.methods[25], opt = this._transport.mergeOptions(options);
+        return stackIntercept<AuthAPI_BeginSSOLogin_Request, AuthAPI_BeginSSOLogin_Response>("unary", this._transport, method, opt, input);
+    }
+    /**
+     * RefreshToken accepts a valid Platforma JWT and re-issues it with the same
+     * session ID and role. Only the token expiration may be changed.
+     * Workflow-scoped tokens cannot be refreshed; call Login instead.
+     * This method is public: no Authorization header is required.
+     *
+     * @generated from protobuf rpc: RefreshToken
+     */
+    refreshToken(input: AuthAPI_RefreshToken_Request, options?: RpcOptions): UnaryCall<AuthAPI_RefreshToken_Request, AuthAPI_RefreshToken_Response> {
+        const method = this.methods[26], opt = this._transport.mergeOptions(options);
+        return stackIntercept<AuthAPI_RefreshToken_Request, AuthAPI_RefreshToken_Response>("unary", this._transport, method, opt, input);
+    }
     /**
      * @generated from protobuf rpc: GetSessionInfo
      */
     getSessionInfo(input: AuthAPI_GetSessionInfo_Request, options?: RpcOptions): UnaryCall<AuthAPI_GetSessionInfo_Request, AuthAPI_GetSessionInfo_Response> {
-        const method = this.methods[24], opt = this._transport.mergeOptions(options);
+        const method = this.methods[27], opt = this._transport.mergeOptions(options);
         return stackIntercept<AuthAPI_GetSessionInfo_Request, AuthAPI_GetSessionInfo_Response>("unary", this._transport, method, opt, input);
     }
     /**
      * @generated from protobuf rpc: GrantAccess
      */
     grantAccess(input: AuthAPI_GrantAccess_Request, options?: RpcOptions): UnaryCall<AuthAPI_GrantAccess_Request, AuthAPI_GrantAccess_Response> {
-        const method = this.methods[25], opt = this._transport.mergeOptions(options);
+        const method = this.methods[28], opt = this._transport.mergeOptions(options);
         return stackIntercept<AuthAPI_GrantAccess_Request, AuthAPI_GrantAccess_Response>("unary", this._transport, method, opt, input);
     }
     /**
      * @generated from protobuf rpc: RevokeAccess
      */
     revokeAccess(input: AuthAPI_RevokeAccess_Request, options?: RpcOptions): UnaryCall<AuthAPI_RevokeAccess_Request, AuthAPI_RevokeAccess_Response> {
-        const method = this.methods[26], opt = this._transport.mergeOptions(options);
+        const method = this.methods[29], opt = this._transport.mergeOptions(options);
         return stackIntercept<AuthAPI_RevokeAccess_Request, AuthAPI_RevokeAccess_Response>("unary", this._transport, method, opt, input);
     }
     /**
      * @generated from protobuf rpc: ListGrants
      */
     listGrants(input: AuthAPI_ListGrants_Request, options?: RpcOptions): ServerStreamingCall<AuthAPI_ListGrants_Request, AuthAPI_ListGrants_Response> {
-        const method = this.methods[27], opt = this._transport.mergeOptions(options);
+        const method = this.methods[30], opt = this._transport.mergeOptions(options);
         return stackIntercept<AuthAPI_ListGrants_Request, AuthAPI_ListGrants_Response>("serverStreaming", this._transport, method, opt, input);
     }
     /**
@@ -521,21 +596,21 @@ export class PlatformClient implements IPlatformClient, ServiceInfo {
      * @generated from protobuf rpc: MintSignature
      */
     mintSignature(input: AuthAPI_MintSignature_Request, options?: RpcOptions): UnaryCall<AuthAPI_MintSignature_Request, AuthAPI_MintSignature_Response> {
-        const method = this.methods[28], opt = this._transport.mergeOptions(options);
+        const method = this.methods[31], opt = this._transport.mergeOptions(options);
         return stackIntercept<AuthAPI_MintSignature_Request, AuthAPI_MintSignature_Response>("unary", this._transport, method, opt, input);
     }
     /**
      * @generated from protobuf rpc: GetUserRoot
      */
     getUserRoot(input: AuthAPI_GetUserRoot_Request, options?: RpcOptions): UnaryCall<AuthAPI_GetUserRoot_Request, AuthAPI_GetUserRoot_Response> {
-        const method = this.methods[29], opt = this._transport.mergeOptions(options);
+        const method = this.methods[32], opt = this._transport.mergeOptions(options);
         return stackIntercept<AuthAPI_GetUserRoot_Request, AuthAPI_GetUserRoot_Response>("unary", this._transport, method, opt, input);
     }
     /**
      * @generated from protobuf rpc: ListUserResources
      */
     listUserResources(input: AuthAPI_ListUserResources_Request, options?: RpcOptions): ServerStreamingCall<AuthAPI_ListUserResources_Request, AuthAPI_ListUserResources_Response> {
-        const method = this.methods[30], opt = this._transport.mergeOptions(options);
+        const method = this.methods[33], opt = this._transport.mergeOptions(options);
         return stackIntercept<AuthAPI_ListUserResources_Request, AuthAPI_ListUserResources_Response>("serverStreaming", this._transport, method, opt, input);
     }
     /**
@@ -546,7 +621,7 @@ export class PlatformClient implements IPlatformClient, ServiceInfo {
      * @generated from protobuf rpc: ListResourceTypes
      */
     listResourceTypes(input: MiscAPI_ListResourceTypes_Request, options?: RpcOptions): UnaryCall<MiscAPI_ListResourceTypes_Request, MiscAPI_ListResourceTypes_Response> {
-        const method = this.methods[31], opt = this._transport.mergeOptions(options);
+        const method = this.methods[34], opt = this._transport.mergeOptions(options);
         return stackIntercept<MiscAPI_ListResourceTypes_Request, MiscAPI_ListResourceTypes_Response>("unary", this._transport, method, opt, input);
     }
     /**
@@ -557,14 +632,14 @@ export class PlatformClient implements IPlatformClient, ServiceInfo {
      * @generated from protobuf rpc: Ping
      */
     ping(input: MaintenanceAPI_Ping_Request, options?: RpcOptions): UnaryCall<MaintenanceAPI_Ping_Request, MaintenanceAPI_Ping_Response> {
-        const method = this.methods[32], opt = this._transport.mergeOptions(options);
+        const method = this.methods[35], opt = this._transport.mergeOptions(options);
         return stackIntercept<MaintenanceAPI_Ping_Request, MaintenanceAPI_Ping_Response>("unary", this._transport, method, opt, input);
     }
     /**
      * @generated from protobuf rpc: License
      */
     license(input: MaintenanceAPI_License_Request, options?: RpcOptions): UnaryCall<MaintenanceAPI_License_Request, MaintenanceAPI_License_Response> {
-        const method = this.methods[33], opt = this._transport.mergeOptions(options);
+        const method = this.methods[36], opt = this._transport.mergeOptions(options);
         return stackIntercept<MaintenanceAPI_License_Request, MaintenanceAPI_License_Response>("unary", this._transport, method, opt, input);
     }
 }