npm - @productcraft/heimdall - Versions diffs - 0.0.1 → 0.1.0 - Mend

@productcraft/heimdall 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs CHANGED Viewed

@@ -1,16 +1,1997 @@
 'use strict';
 var core = require('@productcraft/core');
+var jose = require('jose');
+// src/index.ts
+// src/_http.ts
+var HeimdallHttpError = class extends Error {
+  status;
+  statusText;
+  data;
+  constructor(response) {
+    super(
+      `Heimdall request failed: ${response.status} ${response.statusText}`
+    );
+    this.name = "HeimdallHttpError";
+    this.status = response.status;
+    this.statusText = response.statusText;
+    this.data = response.data;
+  }
+};
+function applyAuthHeader(headers, auth) {
+  if (!auth) return;
+  switch (auth.type) {
+    case "apiKey":
+      headers.set("Authorization", `Bearer ${auth.key}`);
+      break;
+    case "bearer":
+      headers.set("Authorization", `Bearer ${auth.token}`);
+      break;
+    case "cookie":
+      headers.set("Cookie", `auth_token=${auth.value}`);
+      break;
+  }
+}
+function buildUrl(baseUrl, path, params) {
+  const url = new URL(path, baseUrl);
+  if (params && typeof params === "object") {
+    for (const [k, v] of Object.entries(params)) {
+      if (v === void 0 || v === null) continue;
+      if (Array.isArray(v)) {
+        for (const item of v) url.searchParams.append(k, String(item));
+      } else {
+        url.searchParams.set(k, String(v));
+      }
+    }
+  }
+  return url;
+}
+function makeHeimdallHttpClient(options) {
+  const fetchImpl = options.fetch ?? globalThis.fetch;
+  if (!fetchImpl) {
+    throw new Error(
+      "@productcraft/heimdall: no `fetch` available \u2014 pass `fetch` in the config or run on Node 18+"
+    );
+  }
+  return async function client2(req) {
+    const url = buildUrl(req.baseURL ?? options.baseUrl, req.url ?? "", req.params);
+    const headers = new Headers(req.headers);
+    applyAuthHeader(headers, options.auth);
+    const hasBody = req.data !== void 0 && req.method !== "GET" && req.method !== "HEAD";
+    const isFormData = typeof FormData !== "undefined" && req.data instanceof FormData;
+    if (hasBody && !isFormData && !headers.has("Content-Type")) {
+      headers.set("Content-Type", "application/json");
+    }
+    const body = hasBody ? isFormData ? req.data : JSON.stringify(req.data) : void 0;
+    const res = await fetchImpl(url, {
+      method: req.method,
+      headers,
+      body,
+      credentials: req.credentials,
+      signal: req.signal
+    });
+    let data = void 0;
+    const ctype = res.headers.get("content-type") ?? "";
+    if (req.responseType === "text") {
+      data = await res.text();
+    } else if (req.responseType === "blob") {
+      data = await res.blob();
+    } else if (req.responseType === "arraybuffer") {
+      data = await res.arrayBuffer();
+    } else if (ctype.includes("application/json") || ctype.includes("application/problem+json")) {
+      data = await res.json().catch(() => void 0);
+    } else if (res.status !== 204) {
+      const text = await res.text().catch(() => "");
+      data = text || void 0;
+    }
+    const response = {
+      data,
+      status: res.status,
+      statusText: res.statusText,
+      headers: res.headers
+    };
+    if (!res.ok) throw new HeimdallHttpError(response);
+    return response;
+  };
+}
+// ../../node_modules/.pnpm/@kubb+plugin-client@4.37.8_@kubb+fabric-core@0.14.0_@kubb+react-fabric@0.14.0/node_modules/@kubb/plugin-client/dist/clients/fetch.js
+var _config = {};
+var getConfig = () => _config;
+var setConfig = (config) => {
+  _config = config;
+  return getConfig();
+};
+var mergeConfig = (...configs) => {
+  return configs.reduce((merged, config) => {
+    return {
+      ...merged,
+      ...config,
+      headers: {
+        ...Array.isArray(merged.headers) ? Object.fromEntries(merged.headers) : merged.headers,
+        ...Array.isArray(config.headers) ? Object.fromEntries(config.headers) : config.headers
+      }
+    };
+  }, {});
+};
+var client = async (paramsConfig) => {
+  const normalizedParams = new URLSearchParams();
+  const config = mergeConfig(getConfig(), paramsConfig);
+  Object.entries(config.params || {}).forEach(([key, value]) => {
+    if (value !== void 0) normalizedParams.append(key, value === null ? "null" : value.toString());
+  });
+  let targetUrl = [config.baseURL, config.url].filter(Boolean).join("");
+  if (config.params) targetUrl += `?${normalizedParams}`;
+  const response = await fetch(targetUrl, {
+    credentials: config.credentials || "same-origin",
+    method: config.method?.toUpperCase(),
+    body: config.data instanceof FormData ? config.data : JSON.stringify(config.data),
+    signal: config.signal,
+    headers: config.headers
+  });
+  return {
+    data: [
+      204,
+      205,
+      304
+    ].includes(response.status) || !response.body ? {} : await response.json(),
+    status: response.status,
+    statusText: response.statusText,
+    headers: response.headers
+  };
+};
+client.getConfig = getConfig;
+client.setConfig = setConfig;
+// src/_generated/clients/apps/appControllerGetApp.ts
+function getAppControllerGetAppUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}` };
+  return res;
+}
+async function appControllerGetApp({ appId }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getAppControllerGetAppUrl({ appId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerUpdateApp.ts
+function getAppControllerUpdateAppUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "PATCH", url: `/v1/apps/${app_id}` };
+  return res;
+}
+async function appControllerUpdateApp({
+  appId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PATCH",
+    url: getAppControllerUpdateAppUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerDeleteApp.ts
+function getAppControllerDeleteAppUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "DELETE", url: `/v1/apps/${app_id}` };
+  return res;
+}
+async function appControllerDeleteApp({ appId }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "DELETE",
+    url: getAppControllerDeleteAppUrl({ appId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerUpdateAppStatus.ts
+function getAppControllerUpdateAppStatusUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "PATCH", url: `/v1/apps/${app_id}/status` };
+  return res;
+}
+async function appControllerUpdateAppStatus({
+  appId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PATCH",
+    url: getAppControllerUpdateAppStatusUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/authConfigControllerGetConfig.ts
+function getAuthConfigControllerGetConfigUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/auth-config` };
+  return res;
+}
+async function authConfigControllerGetConfig({ appId }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getAuthConfigControllerGetConfigUrl({ appId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/authConfigControllerUpdateConfig.ts
+function getAuthConfigControllerUpdateConfigUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = {
+    method: "PATCH",
+    url: `/v1/apps/${app_id}/auth-config`
+  };
+  return res;
+}
+async function authConfigControllerUpdateConfig({
+  appId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PATCH",
+    url: getAuthConfigControllerUpdateConfigUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerListInvites.ts
+function getAppControllerListInvitesUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/invites` };
+  return res;
+}
+async function appControllerListInvites({
+  appId,
+  params
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getAppControllerListInvitesUrl({ appId }).url.toString(),
+    params,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerCreateInvite.ts
+function getAppControllerCreateInviteUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "POST", url: `/v1/apps/${app_id}/invites` };
+  return res;
+}
+async function appControllerCreateInvite({
+  appId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getAppControllerCreateInviteUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerRevokeInvite.ts
+function getAppControllerRevokeInviteUrl({
+  appId,
+  inviteId
+}) {
+  const app_id = appId;
+  const invite_id = inviteId;
+  const res = {
+    method: "DELETE",
+    url: `/v1/apps/${app_id}/invites/${invite_id}`
+  };
+  return res;
+}
+async function appControllerRevokeInvite({
+  appId,
+  inviteId
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "DELETE",
+    url: getAppControllerRevokeInviteUrl({ appId, inviteId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerListMembers.ts
+function getAppControllerListMembersUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/members` };
+  return res;
+}
+async function appControllerListMembers({
+  appId,
+  params
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getAppControllerListMembersUrl({ appId }).url.toString(),
+    params,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerRemoveMember.ts
+function getAppControllerRemoveMemberUrl({
+  appId,
+  accountId
+}) {
+  const app_id = appId;
+  const account_id = accountId;
+  const res = {
+    method: "DELETE",
+    url: `/v1/apps/${app_id}/members/${account_id}`
+  };
+  return res;
+}
+async function appControllerRemoveMember({
+  appId,
+  accountId
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "DELETE",
+    url: getAppControllerRemoveMemberUrl({ appId, accountId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/endUsers/endUserControllerListEndUsers.ts
+function getEndUserControllerListEndUsersUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/end-users` };
+  return res;
+}
+async function endUserControllerListEndUsers({
+  appId,
+  params
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getEndUserControllerListEndUsersUrl({ appId }).url.toString(),
+    params,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/endUsers/endUserControllerGetEndUser.ts
+function getEndUserControllerGetEndUserUrl({
+  appId,
+  userId
+}) {
+  const app_id = appId;
+  const user_id = userId;
+  const res = {
+    method: "GET",
+    url: `/v1/apps/${app_id}/end-users/${user_id}`
+  };
+  return res;
+}
+async function endUserControllerGetEndUser({
+  appId,
+  userId
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getEndUserControllerGetEndUserUrl({ appId, userId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/endUsers/endUserControllerUpdateEndUser.ts
+function getEndUserControllerUpdateEndUserUrl({
+  appId,
+  userId
+}) {
+  const app_id = appId;
+  const user_id = userId;
+  const res = {
+    method: "PATCH",
+    url: `/v1/apps/${app_id}/end-users/${user_id}`
+  };
+  return res;
+}
+async function endUserControllerUpdateEndUser({
+  appId,
+  userId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PATCH",
+    url: getEndUserControllerUpdateEndUserUrl({ appId, userId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/endUsers/endUserControllerDeleteEndUser.ts
+function getEndUserControllerDeleteEndUserUrl({
+  appId,
+  userId
+}) {
+  const app_id = appId;
+  const user_id = userId;
+  const res = {
+    method: "DELETE",
+    url: `/v1/apps/${app_id}/end-users/${user_id}`
+  };
+  return res;
+}
+async function endUserControllerDeleteEndUser({
+  appId,
+  userId
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "DELETE",
+    url: getEndUserControllerDeleteEndUserUrl({ appId, userId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/endUsers/endUserControllerUpdateRole.ts
+function getEndUserControllerUpdateRoleUrl({
+  appId,
+  userId
+}) {
+  const app_id = appId;
+  const user_id = userId;
+  const res = {
+    method: "PATCH",
+    url: `/v1/apps/${app_id}/end-users/${user_id}/role`
+  };
+  return res;
+}
+async function endUserControllerUpdateRole({
+  appId,
+  userId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PATCH",
+    url: getEndUserControllerUpdateRoleUrl({ appId, userId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/endUsers/endUserControllerUpdateStatus.ts
+function getEndUserControllerUpdateStatusUrl({
+  appId,
+  userId
+}) {
+  const app_id = appId;
+  const user_id = userId;
+  const res = {
+    method: "PATCH",
+    url: `/v1/apps/${app_id}/end-users/${user_id}/status`
+  };
+  return res;
+}
+async function endUserControllerUpdateStatus({
+  appId,
+  userId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PATCH",
+    url: getEndUserControllerUpdateStatusUrl({ appId, userId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/roles/roleControllerListRoles.ts
+function getRoleControllerListRolesUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/roles` };
+  return res;
+}
+async function roleControllerListRoles({
+  appId,
+  params
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getRoleControllerListRolesUrl({ appId }).url.toString(),
+    params,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/roles/roleControllerCreateRole.ts
+function getRoleControllerCreateRoleUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "POST", url: `/v1/apps/${app_id}/roles` };
+  return res;
+}
+async function roleControllerCreateRole({
+  appId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getRoleControllerCreateRoleUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/roles/roleControllerAssignRole.ts
+function getRoleControllerAssignRoleUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = {
+    method: "POST",
+    url: `/v1/apps/${app_id}/roles/assign`
+  };
+  return res;
+}
+async function roleControllerAssignRole({
+  appId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getRoleControllerAssignRoleUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/roles/roleControllerSetPermissions.ts
+function getRoleControllerSetPermissionsUrl({
+  appId,
+  roleName
+}) {
+  const app_id = appId;
+  const role_name = roleName;
+  const res = {
+    method: "PUT",
+    url: `/v1/apps/${app_id}/roles/${role_name}/permissions`
+  };
+  return res;
+}
+async function roleControllerSetPermissions({
+  appId,
+  roleName,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PUT",
+    url: getRoleControllerSetPermissionsUrl({ appId, roleName }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/roles/roleControllerListPermissions.ts
+function getRoleControllerListPermissionsUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = {
+    method: "GET",
+    url: `/v1/apps/${app_id}/roles/permissions`
+  };
+  return res;
+}
+async function roleControllerListPermissions({ appId }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getRoleControllerListPermissionsUrl({ appId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/permissions/permissionControllerListPermissions.ts
+function getPermissionControllerListPermissionsUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/permissions` };
+  return res;
+}
+async function permissionControllerListPermissions({ appId }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getPermissionControllerListPermissionsUrl({ appId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/permissions/permissionControllerCreatePermission.ts
+function getPermissionControllerCreatePermissionUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = {
+    method: "POST",
+    url: `/v1/apps/${app_id}/permissions`
+  };
+  return res;
+}
+async function permissionControllerCreatePermission({
+  appId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getPermissionControllerCreatePermissionUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/permissions/permissionControllerDeletePermission.ts
+function getPermissionControllerDeletePermissionUrl({
+  appId,
+  permissionKey
+}) {
+  const app_id = appId;
+  const permission_key = permissionKey;
+  const res = {
+    method: "DELETE",
+    url: `/v1/apps/${app_id}/permissions/${permission_key}`
+  };
+  return res;
+}
+async function permissionControllerDeletePermission({
+  appId,
+  permissionKey
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "DELETE",
+    url: getPermissionControllerDeletePermissionUrl({
+      appId,
+      permissionKey
+    }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apiKeys/apiKeyControllerListApiKeys.ts
+function getApiKeyControllerListApiKeysUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/api-keys` };
+  return res;
+}
+async function apiKeyControllerListApiKeys({ appId }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getApiKeyControllerListApiKeysUrl({ appId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apiKeys/apiKeyControllerCreateApiKey.ts
+function getApiKeyControllerCreateApiKeyUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "POST", url: `/v1/apps/${app_id}/api-keys` };
+  return res;
+}
+async function apiKeyControllerCreateApiKey({
+  appId,
+  data,
+  headers
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const mappedHeaders = headers ? { "Idempotency-Key": headers.idempotencyKey } : void 0;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getApiKeyControllerCreateApiKeyUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig,
+    headers: { ...mappedHeaders, ...requestConfig.headers }
+  });
+  return res.data;
+}
+// src/_generated/clients/apiKeys/apiKeyControllerDeleteApiKey.ts
+function getApiKeyControllerDeleteApiKeyUrl({
+  appId,
+  keyId
+}) {
+  const app_id = appId;
+  const key_id = keyId;
+  const res = {
+    method: "DELETE",
+    url: `/v1/apps/${app_id}/api-keys/${key_id}`
+  };
+  return res;
+}
+async function apiKeyControllerDeleteApiKey({
+  appId,
+  keyId
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "DELETE",
+    url: getApiKeyControllerDeleteApiKeyUrl({ appId, keyId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/credentials/M2MControllerListClients.ts
+function getM2MControllerListClientsUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/credentials` };
+  return res;
+}
+async function M2MControllerListClients({
+  appId,
+  params
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getM2MControllerListClientsUrl({ appId }).url.toString(),
+    params,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/credentials/M2MControllerCreateClient.ts
+function getM2MControllerCreateClientUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = {
+    method: "POST",
+    url: `/v1/apps/${app_id}/credentials`
+  };
+  return res;
+}
+async function M2MControllerCreateClient({
+  appId,
+  data,
+  headers
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const mappedHeaders = headers ? { "Idempotency-Key": headers.idempotencyKey } : void 0;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getM2MControllerCreateClientUrl({ appId }).url.toString(),
+    data: requestData,
+    ...requestConfig,
+    headers: { ...mappedHeaders, ...requestConfig.headers }
+  });
+  return res.data;
+}
+// src/_generated/clients/credentials/M2MControllerGetClient.ts
+function getM2MControllerGetClientUrl({
+  appId,
+  clientId
+}) {
+  const app_id = appId;
+  const client_id = clientId;
+  const res = {
+    method: "GET",
+    url: `/v1/apps/${app_id}/credentials/${client_id}`
+  };
+  return res;
+}
+async function M2MControllerGetClient({
+  appId,
+  clientId
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "GET",
+    url: getM2MControllerGetClientUrl({ appId, clientId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/credentials/M2MControllerUpdateClient.ts
+function getM2MControllerUpdateClientUrl({
+  appId,
+  clientId
+}) {
+  const app_id = appId;
+  const client_id = clientId;
+  const res = {
+    method: "PATCH",
+    url: `/v1/apps/${app_id}/credentials/${client_id}`
+  };
+  return res;
+}
+async function M2MControllerUpdateClient({
+  appId,
+  clientId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PATCH",
+    url: getM2MControllerUpdateClientUrl({ appId, clientId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/credentials/M2MControllerDeleteClient.ts
+function getM2MControllerDeleteClientUrl({
+  appId,
+  clientId
+}) {
+  const app_id = appId;
+  const client_id = clientId;
+  const res = {
+    method: "DELETE",
+    url: `/v1/apps/${app_id}/credentials/${client_id}`
+  };
+  return res;
+}
+async function M2MControllerDeleteClient({
+  appId,
+  clientId
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "DELETE",
+    url: getM2MControllerDeleteClientUrl({ appId, clientId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/credentials/M2MControllerRotateSecret.ts
+function getM2MControllerRotateSecretUrl({
+  appId,
+  clientId
+}) {
+  const app_id = appId;
+  const client_id = clientId;
+  const res = {
+    method: "POST",
+    url: `/v1/apps/${app_id}/credentials/${client_id}/rotate`
+  };
+  return res;
+}
+async function M2MControllerRotateSecret({
+  appId,
+  clientId
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const res = await request({
+    method: "POST",
+    url: getM2MControllerRotateSecretUrl({ appId, clientId }).url.toString(),
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/credentials/M2MControllerSetScopes.ts
+function getM2MControllerSetScopesUrl({
+  appId,
+  clientId
+}) {
+  const app_id = appId;
+  const client_id = clientId;
+  const res = {
+    method: "PUT",
+    url: `/v1/apps/${app_id}/credentials/${client_id}/scopes`
+  };
+  return res;
+}
+async function M2MControllerSetScopes({
+  appId,
+  clientId,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "PUT",
+    url: getM2MControllerSetScopesUrl({ appId, clientId }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/appAudit/appAuditControllerGetAuditLogs.ts
+function getAppAuditControllerGetAuditLogsUrl({
+  appId
+}) {
+  const app_id = appId;
+  const res = { method: "GET", url: `/v1/apps/${app_id}/audit-logs` };
+  return res;
+}
+async function appAuditControllerGetAuditLogs({
+  appId,
+  params
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const mappedParams = params ? {
+    limit: params.limit,
+    cursor: params.cursor,
+    action: params.action,
+    actor_id: params.actorId
+  } : void 0;
+  const res = await request({
+    method: "GET",
+    url: getAppAuditControllerGetAuditLogsUrl({ appId }).url.toString(),
+    params: mappedParams,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/scopes/app.ts
+var AppScope = class {
+  /** The appId bound to this scope. */
+  appId;
+  client;
+  constructor(appId, client2) {
+    this.appId = appId;
+    this.client = client2;
+  }
+  /**
+   * Direct HTTP escape hatch used to call endpoints whose spec is buggy
+   * — currently those whose path declares `{appId}` but whose
+   * `parameters[]` omits it, so the kubb-generated code leaves the
+   * URL template unfilled. Tracked upstream; remove once the spec is
+   * fixed and the per-call wrappers can move back to kubb's output.
+   */
+  async callDirect(method, url, body) {
+    const res = await this.client({ method, url, data: body });
+    return res.data;
+  }
+  // ─────────────────────────────────────────────────────────────
+  // App meta — operations on the app record itself
+  // ─────────────────────────────────────────────────────────────
+  get = () => appControllerGetApp({ appId: this.appId }, { client: this.client });
+  update = (data) => appControllerUpdateApp({ appId: this.appId, data }, { client: this.client });
+  delete = () => appControllerDeleteApp({ appId: this.appId }, { client: this.client });
+  updateStatus = (data) => appControllerUpdateAppStatus(
+    { appId: this.appId, data },
+    { client: this.client }
+  );
+  // ─────────────────────────────────────────────────────────────
+  // Auth config (workspace-side config for the app's auth surface)
+  // ─────────────────────────────────────────────────────────────
+  authConfig = {
+    get: () => authConfigControllerGetConfig(
+      { appId: this.appId },
+      { client: this.client }
+    ),
+    update: (data) => authConfigControllerUpdateConfig(
+      { appId: this.appId, data },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // Invites (workspace members)
+  // ─────────────────────────────────────────────────────────────
+  invites = {
+    list: (params = {}) => appControllerListInvites(
+      { appId: this.appId, params },
+      { client: this.client }
+    ),
+    create: (data) => appControllerCreateInvite(
+      { appId: this.appId, data },
+      { client: this.client }
+    ),
+    revoke: (inviteId) => appControllerRevokeInvite(
+      { appId: this.appId, inviteId },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // Members (workspace seats on this app)
+  // ─────────────────────────────────────────────────────────────
+  members = {
+    list: (params = {}) => appControllerListMembers(
+      { appId: this.appId, params },
+      { client: this.client }
+    ),
+    remove: (accountId) => appControllerRemoveMember(
+      { appId: this.appId, accountId },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // EndUsers (the app's authenticated users — Heimdall's bread + butter)
+  // ─────────────────────────────────────────────────────────────
+  endUsers = {
+    list: (params = {}) => endUserControllerListEndUsers(
+      { appId: this.appId, params },
+      { client: this.client }
+    ),
+    get: (userId) => endUserControllerGetEndUser(
+      { appId: this.appId, userId },
+      { client: this.client }
+    ),
+    update: (userId, data) => endUserControllerUpdateEndUser(
+      { appId: this.appId, userId, data },
+      { client: this.client }
+    ),
+    delete: (userId) => endUserControllerDeleteEndUser(
+      { appId: this.appId, userId },
+      { client: this.client }
+    ),
+    updateRole: (userId, data) => endUserControllerUpdateRole(
+      { appId: this.appId, userId, data },
+      { client: this.client }
+    ),
+    updateStatus: (userId, data) => endUserControllerUpdateStatus(
+      { appId: this.appId, userId, data },
+      { client: this.client }
+    ),
+    /** Spec bug: appId missing in spec params (see callDirect). */
+    revokeAllSessions: (userId) => this.callDirect(
+      "POST",
+      `/v1/apps/${this.appId}/end-users/${userId}/sessions/revoke-all`
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // Roles
+  // ─────────────────────────────────────────────────────────────
+  roles = {
+    list: (params = {}) => roleControllerListRoles(
+      { appId: this.appId, params },
+      { client: this.client }
+    ),
+    /** Spec bug: appId missing in spec params (see callDirect). */
+    get: (roleName) => this.callDirect("GET", `/v1/apps/${this.appId}/roles/${roleName}`),
+    create: (data) => roleControllerCreateRole(
+      { appId: this.appId, data },
+      { client: this.client }
+    ),
+    /** Spec bug: appId missing in spec params (see callDirect). */
+    update: (roleName, data) => this.callDirect(
+      "PATCH",
+      `/v1/apps/${this.appId}/roles/${roleName}`,
+      data
+    ),
+    /** Spec bug: appId missing in spec params (see callDirect). */
+    delete: (roleName) => this.callDirect("DELETE", `/v1/apps/${this.appId}/roles/${roleName}`),
+    assign: (data) => roleControllerAssignRole(
+      { appId: this.appId, data },
+      { client: this.client }
+    ),
+    setPermissions: (roleName, data) => roleControllerSetPermissions(
+      { appId: this.appId, roleName, data },
+      { client: this.client }
+    ),
+    listPermissions: () => roleControllerListPermissions(
+      { appId: this.appId },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // Permissions catalog
+  // ─────────────────────────────────────────────────────────────
+  permissions = {
+    list: () => permissionControllerListPermissions(
+      { appId: this.appId },
+      { client: this.client }
+    ),
+    create: (data) => permissionControllerCreatePermission(
+      { appId: this.appId, data },
+      { client: this.client }
+    ),
+    delete: (permissionKey) => permissionControllerDeletePermission(
+      { appId: this.appId, permissionKey },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // API keys (server-to-server platform keys for this app)
+  // ─────────────────────────────────────────────────────────────
+  apiKeys = {
+    list: () => apiKeyControllerListApiKeys(
+      { appId: this.appId },
+      { client: this.client }
+    ),
+    create: (data) => apiKeyControllerCreateApiKey(
+      { appId: this.appId, data },
+      { client: this.client }
+    ),
+    delete: (keyId) => apiKeyControllerDeleteApiKey(
+      { appId: this.appId, keyId },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // M2M credentials (client_id + client_secret for service-to-service)
+  // ─────────────────────────────────────────────────────────────
+  credentials = {
+    list: (params = {}) => M2MControllerListClients(
+      { appId: this.appId, params },
+      { client: this.client }
+    ),
+    create: (data) => M2MControllerCreateClient(
+      { appId: this.appId, data },
+      { client: this.client }
+    ),
+    get: (clientId) => M2MControllerGetClient(
+      { appId: this.appId, clientId },
+      { client: this.client }
+    ),
+    update: (clientId, data) => M2MControllerUpdateClient(
+      { appId: this.appId, clientId, data },
+      { client: this.client }
+    ),
+    delete: (clientId) => M2MControllerDeleteClient(
+      { appId: this.appId, clientId },
+      { client: this.client }
+    ),
+    rotateSecret: (clientId) => M2MControllerRotateSecret(
+      { appId: this.appId, clientId },
+      { client: this.client }
+    ),
+    setScopes: (clientId, data) => M2MControllerSetScopes(
+      { appId: this.appId, clientId, data },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // Audit logs
+  // ─────────────────────────────────────────────────────────────
+  auditLogs = {
+    list: (params = {}) => appAuditControllerGetAuditLogs(
+      { appId: this.appId, params },
+      { client: this.client }
+    )
+  };
+};
+// src/_generated/clients/consumerAuth/consumerAuthControllerSignin.ts
+function getConsumerAuthControllerSigninUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = { method: "POST", url: `/${app_slug}/v1/auth/signin` };
+  return res;
+}
+async function consumerAuthControllerSignin({
+  appSlug,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerAuthControllerSigninUrl({ appSlug }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerAuth/consumerAuthControllerRefresh.ts
+function getConsumerAuthControllerRefreshUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = { method: "POST", url: `/${app_slug}/v1/auth/refresh` };
+  return res;
+}
+async function consumerAuthControllerRefresh({
+  appSlug,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerAuthControllerRefreshUrl({ appSlug }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerAuth/consumerAuthControllerLogout.ts
+function getConsumerAuthControllerLogoutUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = { method: "POST", url: `/${app_slug}/v1/auth/logout` };
+  return res;
+}
+async function consumerAuthControllerLogout({
+  appSlug,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerAuthControllerLogoutUrl({ appSlug }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerAuth/consumerAuthControllerRequestPasswordReset.ts
+function getConsumerAuthControllerRequestPasswordResetUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = {
+    method: "POST",
+    url: `/${app_slug}/v1/auth/request-password-reset`
+  };
+  return res;
+}
+async function consumerAuthControllerRequestPasswordReset({
+  appSlug,
+  data,
+  headers
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerAuthControllerRequestPasswordResetUrl({
+      appSlug
+    }).url.toString(),
+    data: requestData,
+    ...requestConfig,
+    headers: { ...headers, ...requestConfig.headers }
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerAuth/consumerAuthControllerResetPassword.ts
+function getConsumerAuthControllerResetPasswordUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = {
+    method: "POST",
+    url: `/${app_slug}/v1/auth/reset-password`
+  };
+  return res;
+}
+async function consumerAuthControllerResetPassword({
+  appSlug,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerAuthControllerResetPasswordUrl({ appSlug }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerOauthSignIn/consumerIdpControllerNativeSignIn.ts
+function getConsumerIdpControllerNativeSignInUrl({
+  appSlug,
+  provider
+}) {
+  const app_slug = appSlug;
+  const res = {
+    method: "POST",
+    url: `/${app_slug}/v1/auth/oauth/${provider}`
+  };
+  return res;
+}
+async function consumerIdpControllerNativeSignIn({
+  appSlug,
+  provider,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerIdpControllerNativeSignInUrl({
+      appSlug,
+      provider
+    }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerVerify/consumerVerifyControllerVerify.ts
+function getConsumerVerifyControllerVerifyUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = { method: "POST", url: `/${app_slug}/v1/verify` };
+  return res;
+}
+async function consumerVerifyControllerVerify({
+  appSlug,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerVerifyControllerVerifyUrl({ appSlug }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerVerify/consumerVerifyControllerAuthorize.ts
+function getConsumerVerifyControllerAuthorizeUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = { method: "POST", url: `/${app_slug}/v1/authorize` };
+  return res;
+}
+async function consumerVerifyControllerAuthorize({
+  appSlug,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerVerifyControllerAuthorizeUrl({ appSlug }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerVerify/consumerVerifyControllerAuthorizeBatch.ts
+function getConsumerVerifyControllerAuthorizeBatchUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = {
+    method: "POST",
+    url: `/${app_slug}/v1/authorize/batch`
+  };
+  return res;
+}
+async function consumerVerifyControllerAuthorizeBatch({
+  appSlug,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerVerifyControllerAuthorizeBatchUrl({
+      appSlug
+    }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/consumerOauthM2m/consumerOAuthControllerClientCredentials.ts
+function getConsumerOAuthControllerClientCredentialsUrl({
+  appSlug
+}) {
+  const app_slug = appSlug;
+  const res = { method: "POST", url: `/${app_slug}/v1/oauth/token` };
+  return res;
+}
+async function consumerOAuthControllerClientCredentials({
+  appSlug,
+  data
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getConsumerOAuthControllerClientCredentialsUrl({
+      appSlug
+    }).url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/jwt/errors.ts
+var JwtVerifyError = class extends Error {
+  code;
+  constructor(code, message, options) {
+    super(message, options);
+    this.name = "JwtVerifyError";
+    this.code = code;
+  }
+};
+var JwtInvalidError = class extends JwtVerifyError {
+  constructor(message, options) {
+    super("ERR_JWT_INVALID", message, options);
+    this.name = "JwtInvalidError";
+  }
+};
+var JwtExpiredError = class extends JwtVerifyError {
+  expiredAt;
+  constructor(message, expiredAt, options) {
+    super("ERR_JWT_EXPIRED", message, options);
+    this.name = "JwtExpiredError";
+    this.expiredAt = expiredAt;
+  }
+};
+var JwtNotYetValidError = class extends JwtVerifyError {
+  constructor(message, options) {
+    super("ERR_JWT_NOT_YET_VALID", message, options);
+    this.name = "JwtNotYetValidError";
+  }
+};
+var JwtIssuerMismatchError = class extends JwtVerifyError {
+  constructor(message, options) {
+    super("ERR_JWT_ISS_MISMATCH", message, options);
+    this.name = "JwtIssuerMismatchError";
+  }
+};
+var JwtAudienceMismatchError = class extends JwtVerifyError {
+  constructor(message, options) {
+    super("ERR_JWT_AUD_MISMATCH", message, options);
+    this.name = "JwtAudienceMismatchError";
+  }
+};
+var JwksKeyNotFoundError = class extends JwtVerifyError {
+  kid;
+  constructor(kid, options) {
+    super(
+      "ERR_JWKS_KID_NOT_FOUND",
+      `JWKS has no key matching kid=${kid ?? "(missing)"}`,
+      options
+    );
+    this.name = "JwksKeyNotFoundError";
+    this.kid = kid;
+  }
+};
+var JwksFetchError = class extends JwtVerifyError {
+  constructor(message, options) {
+    super("ERR_JWKS_FETCH", message, options);
+    this.name = "JwksFetchError";
+  }
+};
+// src/jwt/jwks-cache.ts
+var JwksCache = class {
+  url;
+  _jose;
+  constructor(options) {
+    this.url = options.url;
+    const joseOpts = {
+      cacheMaxAge: options.ttlMs ?? 10 * 60 * 1e3,
+      cooldownDuration: options.cooldownMs ?? 3e4,
+      timeoutDuration: options.timeoutMs ?? 5e3
+    };
+    if (options.fetch) {
+      joseOpts[jose.customFetch] = options.fetch;
+    }
+    this._jose = jose.createRemoteJWKSet(
+      options.url,
+      joseOpts
+    );
+  }
+  /**
+   * Resolve a signing key for a given JWT header.
+   * Bound as an arrow-function field so it can be passed around
+   * (`jose.jwtVerify(token, cache.getKey, ...)`, passport-jwt, etc.)
+   * without losing `this`.
+   */
+  getKey = async (header, input) => {
+    try {
+      return await this._jose(header, input);
+    } catch (err) {
+      if (err instanceof jose.errors.JWKSNoMatchingKey) {
+        throw new JwksKeyNotFoundError(header?.kid, { cause: err });
+      }
+      if (err instanceof jose.errors.JWKSTimeout || err instanceof jose.errors.JWKSInvalid || err instanceof jose.errors.JOSEError) {
+        throw new JwksFetchError(
+          `Failed to load JWKS from ${this.url.href}: ${err.message}`,
+          { cause: err }
+        );
+      }
+      throw err;
+    }
+  };
+  /**
+   * Force a refetch on the next verify. Useful in tests and for
+   * external rotation drills — the normal flow self-heals because
+   * jose auto-refetches on kid miss.
+   */
+  refresh() {
+  }
+};
+async function verifyHeimdallToken(token, getKey, opts = {}) {
+  try {
+    const { payload } = await jose.jwtVerify(token, getKey, {
+      algorithms: opts.algorithms ?? ["ES256", "RS256", "EdDSA"],
+      issuer: opts.issuer,
+      audience: opts.audience,
+      clockTolerance: opts.clockTolerance ?? 5,
+      requiredClaims: opts.requiredClaims,
+      currentDate: opts.currentDate,
+      maxTokenAge: opts.maxTokenAge
+    });
+    return payload;
+  } catch (err) {
+    throw translateJoseError(err);
+  }
+}
+function translateJoseError(err) {
+  if (err instanceof JwksKeyNotFoundError || err instanceof JwksFetchError || err instanceof JwtVerifyError) {
+    return err;
+  }
+  const code = err?.code ?? "";
+  const message = err?.message ?? "JWT verification failed";
+  switch (code) {
+    case "ERR_JWT_EXPIRED":
+      return new JwtExpiredError(message, void 0, { cause: err });
+    case "ERR_JWT_CLAIM_VALIDATION_FAILED": {
+      const claim = err?.claim;
+      if (claim === "iss") return new JwtIssuerMismatchError(message, { cause: err });
+      if (claim === "aud") return new JwtAudienceMismatchError(message, { cause: err });
+      if (claim === "nbf") return new JwtNotYetValidError(message, { cause: err });
+      return new JwtInvalidError(message, { cause: err });
+    }
+    case "ERR_JWS_SIGNATURE_VERIFICATION_FAILED":
+    case "ERR_JWS_INVALID":
+    case "ERR_JWT_INVALID":
+      return new JwtInvalidError(message, { cause: err });
+    default:
+      return new JwtInvalidError(message, { cause: err });
+  }
+}
+// src/scopes/consumer.ts
+var ConsumerScope = class {
+  /** The appSlug bound to this scope. */
+  appSlug;
+  /** Default iss claim expected on tokens issued by this app's Heimdall instance. */
+  expectedIssuer;
+  /** Default aud claim. Undefined unless the caller sets it (skip aud check). */
+  expectedAudience;
+  /** jose-compatible JWKS resolver. Drop into `jose.jwtVerify`, passport-jwt, etc. */
+  jwks;
+  client;
+  constructor(appSlug, internals, opts = {}) {
+    this.appSlug = appSlug;
+    this.client = internals.client;
+    this.expectedIssuer = `${internals.baseUrl}/${appSlug}`;
+    this.expectedAudience = opts.audience;
+    this.jwks = new JwksCache({
+      url: new URL(`/${appSlug}/v1/.well-known/jwks.json`, internals.baseUrl),
+      ttlMs: opts.jwksTtlMs,
+      fetch: internals.fetch
+    });
+  }
+  /**
+   * Direct HTTP escape hatch for endpoints whose spec is buggy
+   * (path declares `{appSlug}` but parameters[] omits it). Tracked
+   * upstream; remove once the spec is fixed.
+   */
+  async callDirect(method, url, body, params) {
+    const res = await this.client({ method, url, data: body, params });
+    return res.data;
+  }
+  /** Verify a Heimdall-issued JWT against this app's JWKS. */
+  verifyToken(token, opts = {}) {
+    return verifyHeimdallToken(token, this.jwks.getKey, {
+      issuer: this.expectedIssuer,
+      audience: this.expectedAudience,
+      ...opts
+    });
+  }
+  // ─────────────────────────────────────────────────────────────
+  // Auth — sign-in/up flows, refresh, password reset
+  // ─────────────────────────────────────────────────────────────
+  auth = {
+    signin: (data) => consumerAuthControllerSignin(
+      { appSlug: this.appSlug, data },
+      { client: this.client }
+    ),
+    /**
+     * Signup may require a Platform API Key when the app has
+     * `signup_requires_pak: true`. Configure that on the Heimdall
+     * instance (`new Heimdall({ auth: { type: "apiKey", key: "..." } })`)
+     * — our HTTP client attaches the Authorization header automatically.
+     */
+    signup: (data) => this.callDirect(
+      "POST",
+      `/${this.appSlug}/v1/auth/signup`,
+      data
+    ),
+    refresh: (data) => consumerAuthControllerRefresh(
+      { appSlug: this.appSlug, data },
+      { client: this.client }
+    ),
+    logout: (data) => consumerAuthControllerLogout(
+      { appSlug: this.appSlug, data },
+      { client: this.client }
+    ),
+    /**
+     * PAK-required: caller must instantiate `Heimdall` with
+     * `auth: { type: "apiKey", key: "pcft_live_..." }`. The
+     * kubb-generated `headers.authorization` slot is a stub — the
+     * HTTP client's auth middleware overrides whatever's passed.
+     */
+    requestReset: (data) => consumerAuthControllerRequestPasswordReset(
+      { appSlug: this.appSlug, data, headers: { authorization: "" } },
+      { client: this.client }
+    ),
+    resetPassword: (data) => consumerAuthControllerResetPassword(
+      { appSlug: this.appSlug, data },
+      { client: this.client }
+    ),
+    /**
+     * Sign in / sign up with a provider ID token (native flow).
+     *
+     * Submit the identity token Apple (or Google, once enabled) issued
+     * to a native client (iOS `ASAuthorizationController`, Google
+     * Sign-In for iOS / Android). Heimdall verifies the signature
+     * against the provider's JWKS, pins the issuer, checks the
+     * audience against the app's configured native client ids,
+     * recomputes `sha256(nonce)` and compares to the token's `nonce`
+     * claim, then resolves or creates the EndUser. Same response
+     * shape as `auth.signin`.
+     *
+     * Account linking: when an EndUser already exists with a verified
+     * primary email matching the token's `email` claim, the app's
+     * `oauth_link_policy` decides the outcome:
+     *   - `auto` (default): silently link the identity to the existing
+     *     account (provider claims `email_verified: true` AND the email
+     *     is not an Apple private relay).
+     *   - `confirm`: refuse with 409 `link_required`. UI should sign
+     *     the user in via their original method to bind.
+     *   - `reject`: refuse with 409 `account_exists_with_different_provider`.
+     *
+     * Apple's private-relay emails (`*@privaterelay.appleid.com`) are
+     * persisted as-is on the EndUser's primary email contact and
+     * never participate in auto-link.
+     *
+     * Apple sends the user's display name only on the FIRST sign-in.
+     * Pass it through `user.name` on that call — Heimdall persists it
+     * to the EndUser row. Subsequent sign-ins should omit `user`.
+     */
+    signinWithProvider: (args) => consumerIdpControllerNativeSignIn(
+      {
+        appSlug: this.appSlug,
+        provider: args.provider,
+        data: { id_token: args.id_token, nonce: args.nonce, user: args.user }
+      },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // Me — the currently-signed-in EndUser's own resources
+  // All six endpoints currently use callDirect to work around spec
+  // bugs in heimdall.json (appSlug missing from parameters[]).
+  // ─────────────────────────────────────────────────────────────
+  me = {
+    getProfile: () => this.callDirect("GET", `/${this.appSlug}/v1/me`),
+    updateProfile: (data) => this.callDirect("PATCH", `/${this.appSlug}/v1/me`, data),
+    listSessions: (params = {}) => this.callDirect(
+      "GET",
+      `/${this.appSlug}/v1/me/sessions`,
+      void 0,
+      params
+    ),
+    revokeSession: (id) => this.callDirect("DELETE", `/${this.appSlug}/v1/me/sessions/${id}`),
+    getActivity: (params = {}) => this.callDirect(
+      "GET",
+      `/${this.appSlug}/v1/me/activity`,
+      void 0,
+      params
+    ),
+    deleteAccount: () => this.callDirect("DELETE", `/${this.appSlug}/v1/me`)
+  };
+  // ─────────────────────────────────────────────────────────────
+  // Verify — server-to-server token verification + authorization
+  // (typically called by the customer's backend, not the user agent)
+  // ─────────────────────────────────────────────────────────────
+  verify = {
+    verify: (data) => consumerVerifyControllerVerify(
+      { appSlug: this.appSlug, data },
+      { client: this.client }
+    ),
+    authorize: (data) => consumerVerifyControllerAuthorize(
+      { appSlug: this.appSlug, data },
+      { client: this.client }
+    ),
+    authorizeBatch: (data) => consumerVerifyControllerAuthorizeBatch(
+      { appSlug: this.appSlug, data },
+      { client: this.client }
+    )
+  };
+  // ─────────────────────────────────────────────────────────────
+  // OAuth M2M — client_credentials grant for service-to-service tokens
+  // ─────────────────────────────────────────────────────────────
+  oauth = {
+    clientCredentials: (data) => consumerOAuthControllerClientCredentials(
+      { appSlug: this.appSlug, data },
+      { client: this.client }
+    )
+  };
+};
+// src/_generated/clients/apps/appControllerListMyApps.ts
+function getAppControllerListMyAppsUrl() {
+  const res = { method: "GET", url: `/v1/apps` };
+  return res;
+}
+async function appControllerListMyApps({ params }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const mappedParams = params ? {
+    limit: params.limit,
+    cursor: params.cursor,
+    workspace_id: params.workspaceId
+  } : void 0;
+  const res = await request({
+    method: "GET",
+    url: getAppControllerListMyAppsUrl().url.toString(),
+    params: mappedParams,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerCreateApp.ts
+function getAppControllerCreateAppUrl() {
+  const res = { method: "POST", url: `/v1/apps` };
+  return res;
+}
+async function appControllerCreateApp({
+  data,
+  headers
+}, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const mappedHeaders = headers ? { "Idempotency-Key": headers.idempotencyKey } : void 0;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getAppControllerCreateAppUrl().url.toString(),
+    data: requestData,
+    ...requestConfig,
+    headers: { ...mappedHeaders, ...requestConfig.headers }
+  });
+  return res.data;
+}
+// src/_generated/clients/apps/appControllerAcceptInvite.ts
+function getAppControllerAcceptInviteUrl() {
+  const res = { method: "POST", url: `/v1/apps/invites/accept` };
+  return res;
+}
+async function appControllerAcceptInvite({ data }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const requestData = data;
+  const res = await request({
+    method: "POST",
+    url: getAppControllerAcceptInviteUrl().url.toString(),
+    data: requestData,
+    ...requestConfig
+  });
+  return res.data;
+}
+// src/_generated/clients/platformStats/statsControllerGetMyStats.ts
+function getStatsControllerGetMyStatsUrl() {
+  const res = { method: "GET", url: `/v1/stats/me` };
+  return res;
+}
+async function statsControllerGetMyStats({ params }, config = {}) {
+  const { client: request = client, ...requestConfig } = config;
+  const mappedParams = params ? { workspace_id: params.workspaceId } : void 0;
+  const res = await request({
+    method: "GET",
+    url: getStatsControllerGetMyStatsUrl().url.toString(),
+    params: mappedParams,
+    ...requestConfig
+  });
+  return res.data;
+}
 // src/index.ts
 var Heimdall = class {
-  /** The underlying typed client. v0 surface — every endpoint reachable. */
   client;
+  baseUrl;
+  fetch;
+  jwtConfig;
   constructor(config = {}) {
-    this.client = core.makeClient(core.PC_BASE_URL.heimdall, config);
+    this.baseUrl = config.baseUrl ?? core.PC_BASE_URL.heimdall;
+    this.fetch = config.fetch;
+    this.client = makeHeimdallHttpClient({
+      baseUrl: this.baseUrl,
+      auth: config.auth,
+      fetch: this.fetch
+    });
+    this.jwtConfig = {
+      audience: config.expectedAudience,
+      jwksTtlMs: config.jwksTtlMs
+    };
+  }
+  /**
+   * Returns an `AppScope` bound to the given appId. All operations under
+   * `/v1/apps/{appId}/...` are exposed as resource namespaces on the
+   * returned object.
+   */
+  app(appId) {
+    return new AppScope(appId, this.client);
+  }
+  /**
+   * Returns a `ConsumerScope` bound to the given appSlug. Exposes the
+   * `/{appSlug}/v1/...` surface (sign-in, sign-up, me, verify, oauth)
+   * and the JWT-verify helper for tokens issued by this app.
+   */
+  consumer(appSlug) {
+    return new ConsumerScope(
+      appSlug,
+      { client: this.client, baseUrl: this.baseUrl, fetch: this.fetch },
+      this.jwtConfig
+    );
   }
+  // ─────────────────────────────────────────────────────────────
+  // Workspace-wide apps surface
+  // (other admin operations are under `app(appId).*` once an app exists)
+  // ─────────────────────────────────────────────────────────────
+  apps = {
+    /** List apps the caller's workspace can see. */
+    list: (params = {}) => appControllerListMyApps(
+      { params },
+      { client: this.client }
+    ),
+    /** Create a new app under the caller's workspace. */
+    create: (data) => appControllerCreateApp({ data }, { client: this.client }),
+    /** Accept a workspace invite to join an existing app. */
+    acceptInvite: (data) => appControllerAcceptInvite({ data }, { client: this.client })
+  };
+  // ─────────────────────────────────────────────────────────────
+  // Platform stats
+  //
+  // Workspace-level IdP admin (`/v1/idp/*`) was removed from the API
+  // when consumer-side OAuth moved to per-app `auth_config_provider`
+  // rows. Configure providers via the per-app auth-config endpoints
+  // (`app(appId).authConfig.*`) and consume them client-side through
+  // `consumer(slug).auth.signinWithProvider({ ... })`.
+  // ─────────────────────────────────────────────────────────────
+  stats = {
+    /**
+     * Get the signed-in PlatformUser's aggregate counts. Pass
+     * `workspaceId` to scope to a single workspace; omit to total
+     * across every workspace the caller belongs to.
+     */
+    get: (params = {}) => statsControllerGetMyStats(
+      { params },
+      { client: this.client }
+    )
+  };
 };
+exports.AppScope = AppScope;
+exports.ConsumerScope = ConsumerScope;
 exports.Heimdall = Heimdall;
+exports.HeimdallHttpError = HeimdallHttpError;
+exports.JwksCache = JwksCache;
+exports.JwksFetchError = JwksFetchError;
+exports.JwksKeyNotFoundError = JwksKeyNotFoundError;
+exports.JwtAudienceMismatchError = JwtAudienceMismatchError;
+exports.JwtExpiredError = JwtExpiredError;
+exports.JwtInvalidError = JwtInvalidError;
+exports.JwtIssuerMismatchError = JwtIssuerMismatchError;
+exports.JwtNotYetValidError = JwtNotYetValidError;
+exports.JwtVerifyError = JwtVerifyError;
+exports.verifyHeimdallToken = verifyHeimdallToken;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map