@nizam-os/dashboard-sdk 11.0.0 → 11.1.0

package/dist/api/resources/assets/client/Client.d.ts

@@ -135,6 +135,8 @@ export declare class AssetsClient {
     getAssetImportTemplate(requestOptions?: AssetsClient.RequestOptions): core.HttpResponsePromise<core.BinaryResponse>;
     private __getAssetImportTemplate;
     /**
+     * Returns one asset. Visible to members of the asset's organization and to L4-granted cross-tenant readers; anyone else gets 404 — indistinguishable from a non-existent id (prevents tenant probing).
+     *
      * @param {NizamDashboard.GetAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -154,6 +156,8 @@ export declare class AssetsClient {
     /**
      * Soft-deletes the asset: it disappears from listings immediately and frees its VIN for re-registration. Assignments and historical records are left untouched. There is no synchronous bulk-delete endpoint — delete a selection by fanning out per-id requests (each is naturally idempotent).
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.DeleteAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -173,6 +177,8 @@ export declare class AssetsClient {
     /**
      * Set-only partial update of an asset's mutable fields — display name, sub-kind, autonomy level, and the vehicle identity (VIN, plate, make, model, year). Omitted or null fields are left unchanged. An asset's `kind` is immutable and lifecycle `status` moves through dedicated transitions, so neither is editable here.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.UpdateAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -205,6 +211,8 @@ export declare class AssetsClient {
     /**
      * Returns the asset to `active` service. Idempotent no-op if already active; an illegal edge (e.g. from a terminal sold/lost asset) → 409 `asset.invalid_transition`. No body — fan out per id for a bulk change.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.ActivateAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -225,6 +233,8 @@ export declare class AssetsClient {
     /**
      * Marks the asset `inactive` (idle but still in-fleet). Idempotent no-op if already inactive; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.DeactivateAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -245,6 +255,8 @@ export declare class AssetsClient {
     /**
      * Moves the asset into `maintenance`. Idempotent no-op if already in maintenance; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.EnterAssetMaintenanceRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -265,6 +277,8 @@ export declare class AssetsClient {
     /**
      * Marks the asset `lost` — a terminal state; the asset has left the fleet and accepts no further transitions. Idempotent no-op if already lost; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.ReportAssetLostRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -285,6 +299,8 @@ export declare class AssetsClient {
     /**
      * Retires the asset (`retired`) — decommissioned but still owned; it may later be reactivated, sold, or reported lost. Idempotent no-op if already retired; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.RetireAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -305,6 +321,8 @@ export declare class AssetsClient {
     /**
      * Marks the asset `sold` — a terminal state; the asset has left the fleet and accepts no further transitions. Idempotent no-op if already sold; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.SellAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -325,6 +343,8 @@ export declare class AssetsClient {
     /**
      * Moves the asset `out_of_service`. Idempotent no-op if already out of service; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.TakeAssetOutOfServiceRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *

package/dist/api/resources/assets/client/Client.js

@@ -418,6 +418,8 @@ class AssetsClient {
         return (0, handleNonStatusCodeError_js_1.handleNonStatusCodeError)(_response.error, _response.rawResponse, "GET", "/v1/assets/imports/template");
     }
     /**
+     * Returns one asset. Visible to members of the asset's organization and to L4-granted cross-tenant readers; anyone else gets 404 — indistinguishable from a non-existent id (prevents tenant probing).
+     *
      * @param {NizamDashboard.GetAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -480,6 +482,8 @@ class AssetsClient {
     /**
      * Soft-deletes the asset: it disappears from listings immediately and frees its VIN for re-registration. Assignments and historical records are left untouched. There is no synchronous bulk-delete endpoint — delete a selection by fanning out per-id requests (each is naturally idempotent).
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.DeleteAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -542,6 +546,8 @@ class AssetsClient {
     /**
      * Set-only partial update of an asset's mutable fields — display name, sub-kind, autonomy level, and the vehicle identity (VIN, plate, make, model, year). Omitted or null fields are left unchanged. An asset's `kind` is immutable and lifecycle `status` moves through dedicated transitions, so neither is editable here.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.UpdateAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -624,6 +630,8 @@ class AssetsClient {
     /**
      * Returns the asset to `active` service. Idempotent no-op if already active; an illegal edge (e.g. from a terminal sold/lost asset) → 409 `asset.invalid_transition`. No body — fan out per id for a bulk change.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.ActivateAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -689,6 +697,8 @@ class AssetsClient {
     /**
      * Marks the asset `inactive` (idle but still in-fleet). Idempotent no-op if already inactive; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.DeactivateAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -754,6 +764,8 @@ class AssetsClient {
     /**
      * Moves the asset into `maintenance`. Idempotent no-op if already in maintenance; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.EnterAssetMaintenanceRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -819,6 +831,8 @@ class AssetsClient {
     /**
      * Marks the asset `lost` — a terminal state; the asset has left the fleet and accepts no further transitions. Idempotent no-op if already lost; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.ReportAssetLostRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -884,6 +898,8 @@ class AssetsClient {
     /**
      * Retires the asset (`retired`) — decommissioned but still owned; it may later be reactivated, sold, or reported lost. Idempotent no-op if already retired; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.RetireAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -949,6 +965,8 @@ class AssetsClient {
     /**
      * Marks the asset `sold` — a terminal state; the asset has left the fleet and accepts no further transitions. Idempotent no-op if already sold; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.SellAssetRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *
@@ -1014,6 +1032,8 @@ class AssetsClient {
     /**
      * Moves the asset `out_of_service`. Idempotent no-op if already out of service; an illegal edge → 409 `asset.invalid_transition`. No body.
      *
+     * > **Requires** `manage` on `asset` (SpiceDB permission expression).
+     *
      * @param {NizamDashboard.TakeAssetOutOfServiceRequest} request
      * @param {AssetsClient.RequestOptions} requestOptions - Request-specific configuration.
      *

package/dist/api/resources/organizations/client/Client.d.ts

@@ -86,7 +86,7 @@ export declare class OrganizationsClient {
     getOrganization(request: NizamDashboard.GetOrganizationRequest, requestOptions?: OrganizationsClient.RequestOptions): core.HttpResponsePromise<NizamDashboard.Organization>;
     private __getOrganization;
     /**
-     * Owner-only. Sets `deleted_at` on the organizations row; subsequent reads filter it out. The Keycloak Organization is intentionally left in place — restore is just an UPDATE un-setting `deleted_at`. Members are not removed; their memberships persist alongside the soft-deleted row in case a restore path is added later. L4 @HasPermission ensures the caller is an admin; the owner-only check inside the handler narrows further.
+     * Owner-only. Sets `deleted_at` on the organizations row; subsequent reads filter it out. The Keycloak Organization is intentionally left in place — restore is just an UPDATE un-setting `deleted_at`. Members are not removed; their memberships persist alongside the soft-deleted row in case a restore path is added later. L4 @RequirePermission ensures the caller is an admin; the owner-only check inside the handler narrows further.
      *
      * > **Requires** `administer` on `organization` (SpiceDB permission expression).
      *

package/dist/api/resources/organizations/client/Client.js

@@ -269,7 +269,7 @@ class OrganizationsClient {
         return (0, handleNonStatusCodeError_js_1.handleNonStatusCodeError)(_response.error, _response.rawResponse, "GET", "/v1/organizations/{id}");
     }
     /**
-     * Owner-only. Sets `deleted_at` on the organizations row; subsequent reads filter it out. The Keycloak Organization is intentionally left in place — restore is just an UPDATE un-setting `deleted_at`. Members are not removed; their memberships persist alongside the soft-deleted row in case a restore path is added later. L4 @HasPermission ensures the caller is an admin; the owner-only check inside the handler narrows further.
+     * Owner-only. Sets `deleted_at` on the organizations row; subsequent reads filter it out. The Keycloak Organization is intentionally left in place — restore is just an UPDATE un-setting `deleted_at`. Members are not removed; their memberships persist alongside the soft-deleted row in case a restore path is added later. L4 @RequirePermission ensures the caller is an admin; the owner-only check inside the handler narrows further.
      *
      * > **Requires** `administer` on `organization` (SpiceDB permission expression).
      *

package/dist/api/types/OperatorAsset.d.ts

@@ -0,0 +1,64 @@
+/**
+ * An asset as seen by an operator assigned to operate it — the operational identity fields, without the dashboard's lifecycle-management hints.
+ */
+export interface OperatorAsset {
+    /** Stable UUID. */
+    id: string;
+    /** Top-level kind. */
+    kind: OperatorAsset.Kind;
+    /** Sub-kind within the kind (free-form). */
+    sub_kind?: string | undefined;
+    /** SAE J3016 autonomy level 0..5. */
+    autonomy_level?: number | undefined;
+    /** Lifecycle status. */
+    status: OperatorAsset.Status;
+    /** Display name. */
+    name?: string | undefined;
+    /** Vehicle Identification Number. */
+    vin?: string | undefined;
+    /** License plate. */
+    plate_number?: string | undefined;
+    /** Manufacturer. */
+    make?: string | undefined;
+    /** Model designation. */
+    model?: string | undefined;
+    /** Model year. */
+    year?: number | undefined;
+    /** Owning organization id. */
+    organization_id?: string | undefined;
+    /** Current primary operator (active assignment, role=primary). */
+    current_primary_operator_id?: string | undefined;
+    /** Object type discriminator. */
+    object: OperatorAsset.Object_;
+}
+export declare namespace OperatorAsset {
+    /** Top-level kind. */
+    const Kind: {
+        readonly GroundVehicle: "ground_vehicle";
+        readonly AerialVehicle: "aerial_vehicle";
+        readonly MarineVehicle: "marine_vehicle";
+        readonly Robot: "robot";
+        readonly Agv: "agv";
+        readonly Trailer: "trailer";
+        readonly Container: "container";
+        readonly Pallet: "pallet";
+        readonly Equipment: "equipment";
+    };
+    type Kind = (typeof Kind)[keyof typeof Kind];
+    /** Lifecycle status. */
+    const Status: {
+        readonly Active: "active";
+        readonly Maintenance: "maintenance";
+        readonly OutOfService: "out_of_service";
+        readonly Retired: "retired";
+        readonly Sold: "sold";
+        readonly Inactive: "inactive";
+        readonly Lost: "lost";
+    };
+    type Status = (typeof Status)[keyof typeof Status];
+    /** Object type discriminator. */
+    const Object_: {
+        readonly Asset: "asset";
+    };
+    type Object_ = (typeof Object_)[keyof typeof Object_];
+}

package/dist/api/types/OperatorAsset.js

@@ -0,0 +1,33 @@
+"use strict";
+// This file was auto-generated by Fern from our API Definition.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OperatorAsset = void 0;
+var OperatorAsset;
+(function (OperatorAsset) {
+    /** Top-level kind. */
+    OperatorAsset.Kind = {
+        GroundVehicle: "ground_vehicle",
+        AerialVehicle: "aerial_vehicle",
+        MarineVehicle: "marine_vehicle",
+        Robot: "robot",
+        Agv: "agv",
+        Trailer: "trailer",
+        Container: "container",
+        Pallet: "pallet",
+        Equipment: "equipment",
+    };
+    /** Lifecycle status. */
+    OperatorAsset.Status = {
+        Active: "active",
+        Maintenance: "maintenance",
+        OutOfService: "out_of_service",
+        Retired: "retired",
+        Sold: "sold",
+        Inactive: "inactive",
+        Lost: "lost",
+    };
+    /** Object type discriminator. */
+    OperatorAsset.Object_ = {
+        Asset: "asset",
+    };
+})(OperatorAsset || (exports.OperatorAsset = OperatorAsset = {}));

package/dist/api/types/User.d.ts

@@ -9,6 +9,8 @@ export interface User {
     /** Keycloak Organization id the user belongs to. Null for cross-tenant platform admins. */
     organization_id?: string | undefined;
     roles: string[];
+    /** The caller's effective permission ids for the active organization (epic #317): the union of catalog grants for every role they hold. Gate actions on these (`can("asset:create")`) rather than role strings, so frontend and backend reference the one catalog and cannot drift. Coarse and instance-independent; per-instance authority ('may delete THIS asset') is enforced server-side at the mutation, never precomputed here. */
+    permissions: User.Permissions.Item[];
     /** Email shadowed from Keycloak. Null until the user completes a profile. */
     email?: string | undefined;
     /** Display name shadowed from Keycloak. */
@@ -34,6 +36,26 @@ export declare namespace User {
         readonly Admin: "admin";
     };
     type Portal = (typeof Portal)[keyof typeof Portal];
+    type Permissions = Permissions.Item[];
+    namespace Permissions {
+        const Item: {
+            readonly AssetCreate: "asset:create";
+            readonly AssetDelete: "asset:delete";
+            readonly AssetDispose: "asset:dispose";
+            readonly AssetExport: "asset:export";
+            readonly AssetImport: "asset:import";
+            readonly AssetRead: "asset:read";
+            readonly AssetTransition: "asset:transition";
+            readonly AssetUpdate: "asset:update";
+            readonly KeycloakProjectionAdminister: "keycloak-projection:administer";
+            readonly NotificationDeliveryRead: "notification-delivery:read";
+            readonly OrgMaintenanceAdminister: "org-maintenance:administer";
+            readonly ServiceAccountAdminister: "service-account:administer";
+            readonly UserAdminister: "user:administer";
+            readonly UserInvite: "user:invite";
+        };
+        type Item = (typeof Item)[keyof typeof Item];
+    }
     /** Object type discriminator. */
     const Object_: {
         readonly User: "user";

package/dist/api/types/User.js

@@ -14,6 +14,25 @@ var User;
         PlatformStaff: "platform_staff",
         Admin: "admin",
     };
+    let Permissions;
+    (function (Permissions) {
+        Permissions.Item = {
+            AssetCreate: "asset:create",
+            AssetDelete: "asset:delete",
+            AssetDispose: "asset:dispose",
+            AssetExport: "asset:export",
+            AssetImport: "asset:import",
+            AssetRead: "asset:read",
+            AssetTransition: "asset:transition",
+            AssetUpdate: "asset:update",
+            KeycloakProjectionAdminister: "keycloak-projection:administer",
+            NotificationDeliveryRead: "notification-delivery:read",
+            OrgMaintenanceAdminister: "org-maintenance:administer",
+            ServiceAccountAdminister: "service-account:administer",
+            UserAdminister: "user:administer",
+            UserInvite: "user:invite",
+        };
+    })(Permissions = User.Permissions || (User.Permissions = {}));
     /** Object type discriminator. */
     User.Object_ = {
         User: "user",

package/dist/api/types/index.d.ts

@@ -60,6 +60,7 @@ export * from "./NotificationsArchived.js";
 export * from "./NotificationsMarkedRead.js";
 export * from "./NotificationUnreadCount.js";
 export * from "./Operator.js";
+export * from "./OperatorAsset.js";
 export * from "./OperatorPosition.js";
 export * from "./Organization.js";
 export * from "./Position.js";

package/dist/api/types/index.js

@@ -76,6 +76,7 @@ __exportStar(require("./NotificationsArchived.js"), exports);
 __exportStar(require("./NotificationsMarkedRead.js"), exports);
 __exportStar(require("./NotificationUnreadCount.js"), exports);
 __exportStar(require("./Operator.js"), exports);
+__exportStar(require("./OperatorAsset.js"), exports);
 __exportStar(require("./OperatorPosition.js"), exports);
 __exportStar(require("./Organization.js"), exports);
 __exportStar(require("./Position.js"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nizam-os/dashboard-sdk",
-  "version": "11.0.0",
+  "version": "11.1.0",
   "description": "Nizam Dashboard API SDK for TypeScript / JavaScript.",
   "license": "MIT",
   "private": false,