@milaboratories/pl-client 3.7.0 → 3.8.1

package/src/proto-grpc/google/rpc/error_details.ts

@@ -2,7 +2,7 @@
 // @generated from protobuf file "google/rpc/error_details.proto" (package "google.rpc", syntax proto3)
 // tslint:disable
 //
-// Copyright 2026 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -368,17 +368,17 @@ export interface BadRequest_FieldViolation {
      * In this example, in proto `field` could take one of the following values:
      *
      * * `full_name` for a violation in the `full_name` value
-     * * `email_addresses[0].email` for a violation in the `email` field of the
+     * * `email_addresses[1].email` for a violation in the `email` field of the
      *   first `email_addresses` message
-     * * `email_addresses[2].type[1]` for a violation in the second `type`
+     * * `email_addresses[3].type[2]` for a violation in the second `type`
      *   value in the third `email_addresses` message.
      *
      * In JSON, the same values are represented as:
      *
      * * `fullName` for a violation in the `fullName` value
-     * * `emailAddresses[0].email` for a violation in the `email` field of the
+     * * `emailAddresses[1].email` for a violation in the `email` field of the
      *   first `emailAddresses` message
-     * * `emailAddresses[2].type[1]` for a violation in the second `type`
+     * * `emailAddresses[3].type[2]` for a violation in the second `type`
      *   value in the third `emailAddresses` message.
      *
      * @generated from protobuf field: string field = 1

package/src/proto-grpc/google/rpc/http.ts

@@ -2,7 +2,7 @@
 // @generated from protobuf file "google/rpc/http.proto" (package "google.rpc", syntax proto3)
 // tslint:disable
 //
-// Copyright 2026 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

package/src/proto-grpc/google/rpc/status.ts

@@ -2,7 +2,7 @@
 // @generated from protobuf file "google/rpc/status.proto" (package "google.rpc", syntax proto3)
 // tslint:disable
 //
-// Copyright 2026 Google LLC
+// Copyright 2025 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

package/src/proto-rest/plapi.ts

@@ -29,6 +29,11 @@ export interface paths {
     };
     get?: never;
     put?: never;
+    /**
+     * @description Deprecated: Use Login for session creation and role transitions,
+     *      and RefreshToken for token renewal. Backends implementing this API always return
+     *      codes.Unimplemented. Kept here so clients can still call old backends.
+     */
     post: operations["Platform_GetJWTToken"];
     delete?: never;
     options?: never;
@@ -36,6 +41,27 @@ export interface paths {
     patch?: never;
     trace?: never;
   };
+  "/v1/auth/login": {
+    parameters: {
+      query?: never;
+      header?: never;
+      path?: never;
+      cookie?: never;
+    };
+    get?: never;
+    put?: never;
+    /**
+     * @description Login authenticates with the given credentials and returns a new Platforma JWT.
+     *      Every Login call creates a new session. Use RefreshToken to renew an existing one.
+     *      This method is public: no Authorization header is required.
+     */
+    post: operations["Platform_Login"];
+    delete?: never;
+    options?: never;
+    head?: never;
+    patch?: never;
+    trace?: never;
+  };
   "/v1/auth/methods": {
     parameters: {
       query?: never;
@@ -74,6 +100,28 @@ export interface paths {
     patch?: never;
     trace?: never;
   };
+  "/v1/auth/refresh": {
+    parameters: {
+      query?: never;
+      header?: never;
+      path?: never;
+      cookie?: never;
+    };
+    get?: never;
+    put?: never;
+    /**
+     * @description RefreshToken accepts a valid Platforma JWT and re-issues it with the same
+     *      session ID and role. Only the token expiration may be changed.
+     *      Workflow-scoped tokens cannot be refreshed; call Login instead.
+     *      This method is public: no Authorization header is required.
+     */
+    post: operations["Platform_RefreshToken"];
+    delete?: never;
+    options?: never;
+    head?: never;
+    patch?: never;
+    trace?: never;
+  };
   "/v1/auth/revoke-access": {
     parameters: {
       query?: never;
@@ -106,6 +154,27 @@ export interface paths {
     patch?: never;
     trace?: never;
   };
+  "/v1/auth/sso/begin-login": {
+    parameters: {
+      query?: never;
+      header?: never;
+      path?: never;
+      cookie?: never;
+    };
+    get?: never;
+    put?: never;
+    /**
+     * @description BeginSSOLogin returns a fresh one-time nonce that the desktop must place
+     *      into the OIDC auth-request before redirecting to the IdP. Used by the SSO
+     *      login flow. This method is public: no Authorization header is required.
+     */
+    post: operations["Platform_BeginSSOLogin"];
+    delete?: never;
+    options?: never;
+    head?: never;
+    patch?: never;
+    trace?: never;
+  };
   "/v1/auth/user-root": {
     parameters: {
       query?: never;
@@ -503,6 +572,15 @@ export interface paths {
 export type webhooks = Record<string, never>;
 export interface components {
   schemas: {
+    AuthAPI_BeginSSOLogin_PublicPKCE: {
+      nonce: string;
+      /** Format: date-time */
+      expiresAt: string;
+    };
+    AuthAPI_BeginSSOLogin_Request: Record<string, never>;
+    AuthAPI_BeginSSOLogin_Response: {
+      publicPkce: components["schemas"]["AuthAPI_BeginSSOLogin_PublicPKCE"];
+    };
     AuthAPI_GetJWTToken_Request: {
       expiration: string;
       /** Format: enum */
@@ -546,16 +624,76 @@ export interface components {
     AuthAPI_Grant_Permissions: {
       writable: boolean;
     };
+    AuthAPI_ListMethods_BasicAuthMethod: Record<string, never>;
     AuthAPI_ListMethods_MethodInfo: {
-      type: string;
-      name: string;
-      info: {
-        [key: string]: string;
-      };
+      /**
+       * @description id is the stable, machine-readable identifier of the login method
+       *      instance. Unique across the entire server.
+       */
+      id: string;
+      /** @description description is the human-readable label in case we'd like to render it in UI. */
+      description: string;
+      basic: components["schemas"]["AuthAPI_ListMethods_BasicAuthMethod"];
+      token: components["schemas"]["AuthAPI_ListMethods_TokenAuthMethod"];
+      sso: components["schemas"]["AuthAPI_ListMethods_SSOAuthMethod"];
     };
     AuthAPI_ListMethods_Response: {
       methods: components["schemas"]["AuthAPI_ListMethods_MethodInfo"][];
     };
+    /**
+     * @description SSOAuthMethod advertises an external IdP-based login flow. The desktop
+     *      app uses the contents to drive the PKCE exchange locally, then hands the
+     *      resulting IdP token-response back via Login.SSOCredentials.
+     */
+    AuthAPI_ListMethods_SSOAuthMethod: {
+      issuer: string;
+      clientId: string;
+      scopes: string;
+      resource: string;
+      prompt: string;
+      redirectPorts: number[];
+      subjectTokenSource: string;
+      userIdClaim: string;
+      groupsClaim: string;
+      /** Format: enum */
+      flowType: number;
+    };
+    AuthAPI_ListMethods_TokenAuthMethod: Record<string, never>;
+    AuthAPI_Login_BasicCredentials: {
+      login: string;
+      password: string;
+    };
+    AuthAPI_Login_Request: {
+      basic: components["schemas"]["AuthAPI_Login_BasicCredentials"];
+      token: components["schemas"]["AuthAPI_Login_TokenCredentials"];
+      sso: components["schemas"]["AuthAPI_Login_SSOCredentials"];
+      expiration: string;
+      /** Format: enum */
+      requestedRole: number;
+    };
+    AuthAPI_Login_Response: {
+      token: string;
+      /** Format: bytes */
+      sessionId: string;
+      /** Format: enum */
+      role: number;
+    };
+    /**
+     * @description SSOCredentials carries the raw JSON body returned by the IdP's /token
+     *      endpoint after the desktop completes a PKCE exchange.
+     */
+    AuthAPI_Login_SSOCredentials: {
+      /** Format: bytes */
+      tokenResponse: string;
+    };
+    /**
+     * @description TokenCredentials accepts any opaque bearer-style string: a controller
+     *      pre-shared secret, an existing Platforma JWT, or a future OIDC id-token.
+     */
+    AuthAPI_Login_TokenCredentials: {
+      /** Format: bytes */
+      token: string;
+    };
     AuthAPI_MintSignature_Request: {
       resourceId: string;
       /** Format: bytes */
@@ -567,6 +705,17 @@ export interface components {
       /** Format: bytes */
       resourceSignature: string;
     };
+    AuthAPI_RefreshToken_Request: {
+      token: string;
+      expiration: string;
+    };
+    AuthAPI_RefreshToken_Response: {
+      token: string;
+      /** Format: bytes */
+      sessionId: string;
+      /** Format: enum */
+      role: number;
+    };
     AuthAPI_RevokeAccess_Request: {
       resourceId: string;
       /** Format: bytes */
@@ -808,13 +957,16 @@ export interface components {
       os: string;
       arch: string;
       /**
-       * @description Opt-in capabilities advertised by this server instance.
-       *      Tokens follow the "<feature>:<version>" format
-       *      (e.g. "treeFilter:v1", "wasm:v1"); current set:
-       *      see pl/platform/api/plapiserver/server_capabilities.go.
-       *      Block manifests declare what they need via
-       *      meta.requiredCapabilities; Desktop matches against this list
-       *      at install time.
+       * @description Opt-in capabilities advertised by this server instance, used by
+       *      clients to pick between fast and fallback code paths without waiting
+       *      for a failed RPC.
+       *
+       *      Each entry is an opaque token "<feature>:<version>" (e.g.
+       *      "loadSubtree:v1"). Unrecognized tokens are ignored by the client.
+       *      The field is unset on servers predating this mechanism, which the
+       *      client treats as "no optional capabilities advertised".
+       *
+       *      All list see pl/platform/api/plapiserver/server_capabilities.go
        */
       capabilities: string[];
     };
@@ -1047,6 +1199,39 @@ export interface operations {
       };
     };
   };
+  Platform_Login: {
+    parameters: {
+      query?: never;
+      header?: never;
+      path?: never;
+      cookie?: never;
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AuthAPI_Login_Request"];
+      };
+    };
+    responses: {
+      /** @description OK */
+      200: {
+        headers: {
+          [name: string]: unknown;
+        };
+        content: {
+          "application/json": components["schemas"]["AuthAPI_Login_Response"];
+        };
+      };
+      /** @description Default error response */
+      default: {
+        headers: {
+          [name: string]: unknown;
+        };
+        content: {
+          "application/json": components["schemas"]["Status"];
+        };
+      };
+    };
+  };
   Platform_AuthMethods: {
     parameters: {
       query?: never;
@@ -1109,6 +1294,39 @@ export interface operations {
       };
     };
   };
+  Platform_RefreshToken: {
+    parameters: {
+      query?: never;
+      header?: never;
+      path?: never;
+      cookie?: never;
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AuthAPI_RefreshToken_Request"];
+      };
+    };
+    responses: {
+      /** @description OK */
+      200: {
+        headers: {
+          [name: string]: unknown;
+        };
+        content: {
+          "application/json": components["schemas"]["AuthAPI_RefreshToken_Response"];
+        };
+      };
+      /** @description Default error response */
+      default: {
+        headers: {
+          [name: string]: unknown;
+        };
+        content: {
+          "application/json": components["schemas"]["Status"];
+        };
+      };
+    };
+  };
   Platform_RevokeAccess: {
     parameters: {
       query?: never;
@@ -1175,6 +1393,39 @@ export interface operations {
       };
     };
   };
+  Platform_BeginSSOLogin: {
+    parameters: {
+      query?: never;
+      header?: never;
+      path?: never;
+      cookie?: never;
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AuthAPI_BeginSSOLogin_Request"];
+      };
+    };
+    responses: {
+      /** @description OK */
+      200: {
+        headers: {
+          [name: string]: unknown;
+        };
+        content: {
+          "application/json": components["schemas"]["AuthAPI_BeginSSOLogin_Response"];
+        };
+      };
+      /** @description Default error response */
+      default: {
+        headers: {
+          [name: string]: unknown;
+        };
+        content: {
+          "application/json": components["schemas"]["Status"];
+        };
+      };
+    };
+  };
   Platform_GetUserRoot: {
     parameters: {
       query?: never;

package/src/util/pl.ts

@@ -1,7 +1,12 @@
 export type PlJWTPayload = {
+  sub: string; // user ID
+  iss: string; // backend instance ID
+
+  // deprecated. Prior backend capability auth:v2. Use uid instead.
   user: {
     login: string;
   };
+
   exp: number;
   iat: number;
 };