@stigmer/protos 0.0.34

package/ai/stigmer/iam/apikey/v1/spec_pb.d.ts

@@ -0,0 +1,46 @@
+import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { Timestamp } from "@bufbuild/protobuf/wkt";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/iam/apikey/v1/spec.proto.
+ */
+export declare const file_ai_stigmer_iam_apikey_v1_spec: GenFile;
+/**
+ * api-key spec
+ *
+ * @generated from message ai.stigmer.iam.apikey.v1.ApiKeySpec
+ */
+export type ApiKeySpec = Message<"ai.stigmer.iam.apikey.v1.ApiKeySpec"> & {
+    /**
+     * SHA-256/Bcrypt hash of the raw key generated by the system during.
+     * the system returns the actual key in this field in create response but the
+     * actual key itself is never persisted in the database.
+     * only the last 6 chars of the key are persisted in the fingerprint field for UI presentation.
+     *
+     * @generated from field: string key_hash = 1;
+     */
+    keyHash: string;
+    /**
+     * UI-visible fingerprint (e.g. last 6 chars)
+     *
+     * @generated from field: string fingerprint = 2;
+     */
+    fingerprint: string;
+    /**
+     * absolute expiry time (null if neverExpires = true)
+     *
+     * @generated from field: google.protobuf.Timestamp expires_at = 3;
+     */
+    expiresAt?: Timestamp;
+    /**
+     * never expire flag (forces expires_at to be ignored)
+     *
+     * @generated from field: bool never_expires = 4;
+     */
+    neverExpires: boolean;
+};
+/**
+ * Describes the message ai.stigmer.iam.apikey.v1.ApiKeySpec.
+ * Use `create(ApiKeySpecSchema)` to create a new message.
+ */
+export declare const ApiKeySpecSchema: GenMessage<ApiKeySpec>;

package/ai/stigmer/iam/apikey/v1/spec_pb.js

@@ -0,0 +1,16 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/apikey/v1/spec.proto (package ai.stigmer.iam.apikey.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_field_options } from "../../../commons/apiresource/field_options_pb";
+import { file_google_protobuf_timestamp } from "@bufbuild/protobuf/wkt";
+/**
+ * Describes the file ai/stigmer/iam/apikey/v1/spec.proto.
+ */
+export const file_ai_stigmer_iam_apikey_v1_spec = /*@__PURE__*/ fileDesc("CiNhaS9zdGlnbWVyL2lhbS9hcGlrZXkvdjEvc3BlYy5wcm90bxIYYWkuc3RpZ21lci5pYW0uYXBpa2V5LnYxIoYBCgpBcGlLZXlTcGVjEhYKCGtleV9oYXNoGAEgASgJQgTIhSwBEhkKC2ZpbmdlcnByaW50GAIgASgJQgTIhSwBEi4KCmV4cGlyZXNfYXQYAyABKAsyGi5nb29nbGUucHJvdG9idWYuVGltZXN0YW1wEhUKDW5ldmVyX2V4cGlyZXMYBCABKAhiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_field_options, file_google_protobuf_timestamp]);
+/**
+ * Describes the message ai.stigmer.iam.apikey.v1.ApiKeySpec.
+ * Use `create(ApiKeySpecSchema)` to create a new message.
+ */
+export const ApiKeySpecSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_apikey_v1_spec, 0);
+//# sourceMappingURL=spec_pb.js.map

package/ai/stigmer/iam/apikey/v1/spec_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/apikey/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,6GAA6G;AAC7G,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,iDAAiD,EAAE,MAAM,+CAA+C,CAAC;AAElH,OAAO,EAAE,8BAA8B,EAAE,MAAM,wBAAwB,CAAC;AAGxE;;GAEG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAAY,aAAa,CACtE,QAAQ,CAAC,wRAAwR,EAAE,CAAC,iDAAiD,EAAE,8BAA8B,CAAC,CAAC,CAAC;AAwC1X;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA2B,aAAa,CACnE,WAAW,CAAC,kCAAkC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/api_pb.d.ts

@@ -0,0 +1,81 @@
+import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { ApiResourceMetadata } from "../../../commons/apiresource/metadata_pb";
+import type { ApiResourceAudit } from "../../../commons/apiresource/status_pb";
+import type { IamPolicySpec } from "./spec_pb";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/iam/iampolicy/v1/api.proto.
+ */
+export declare const file_ai_stigmer_iam_iampolicy_v1_api: GenFile;
+/**
+ * IamPolicy represents a binding between a principal (who), a resource (what),
+ * and a relation/permission (how).
+ *
+ * An IAM policy grants a specific permission (relation) to a principal on a resource.
+ * For example: "Grant 'admin' permission to user 'john@example.com' on VPC 'vpc-123'"
+ *
+ * The policy is the source of truth for authorization and is synced to the
+ * authorization backend (OpenFGA) as FGA tuples.
+ *
+ * @generated from message ai.stigmer.iam.iampolicy.v1.IamPolicy
+ */
+export type IamPolicy = Message<"ai.stigmer.iam.iampolicy.v1.IamPolicy"> & {
+    /**
+     * api-version
+     *
+     * @generated from field: string api_version = 1;
+     */
+    apiVersion: string;
+    /**
+     * resource-kind
+     *
+     * @generated from field: string kind = 2;
+     */
+    kind: string;
+    /**
+     * metadata
+     * id format: iamp-<ulid>
+     * name: human-readable identifier (e.g., "john-vpc-admin")
+     * org: organization this policy belongs to
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceMetadata metadata = 3;
+     */
+    metadata?: ApiResourceMetadata;
+    /**
+     * spec
+     *
+     * @generated from field: ai.stigmer.iam.iampolicy.v1.IamPolicySpec spec = 4;
+     */
+    spec?: IamPolicySpec;
+    /**
+     * status
+     *
+     * @generated from field: ai.stigmer.iam.iampolicy.v1.IamPolicyStatus status = 5;
+     */
+    status?: IamPolicyStatus;
+};
+/**
+ * Describes the message ai.stigmer.iam.iampolicy.v1.IamPolicy.
+ * Use `create(IamPolicySchema)` to create a new message.
+ */
+export declare const IamPolicySchema: GenMessage<IamPolicy>;
+/**
+ * IamPolicyStatus represents the runtime state of the IAM policy.
+ * It contains information about the policy's lifecycle and sync status with
+ * the authorization backend.
+ *
+ * @generated from message ai.stigmer.iam.iampolicy.v1.IamPolicyStatus
+ */
+export type IamPolicyStatus = Message<"ai.stigmer.iam.iampolicy.v1.IamPolicyStatus"> & {
+    /**
+     * Standard audit status containing created_by, created_at, updated_by, updated_at
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceAudit audit = 1;
+     */
+    audit?: ApiResourceAudit;
+};
+/**
+ * Describes the message ai.stigmer.iam.iampolicy.v1.IamPolicyStatus.
+ * Use `create(IamPolicyStatusSchema)` to create a new message.
+ */
+export declare const IamPolicyStatusSchema: GenMessage<IamPolicyStatus>;

package/ai/stigmer/iam/iampolicy/v1/api_pb.js

@@ -0,0 +1,23 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/iampolicy/v1/api.proto (package ai.stigmer.iam.iampolicy.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_metadata } from "../../../commons/apiresource/metadata_pb";
+import { file_ai_stigmer_commons_apiresource_status } from "../../../commons/apiresource/status_pb";
+import { file_ai_stigmer_iam_iampolicy_v1_spec } from "./spec_pb";
+import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
+/**
+ * Describes the file ai/stigmer/iam/iampolicy/v1/api.proto.
+ */
+export const file_ai_stigmer_iam_iampolicy_v1_api = /*@__PURE__*/ fileDesc("CiVhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvYXBpLnByb3RvEhthaS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEimQIKCUlhbVBvbGljeRItCgthcGlfdmVyc2lvbhgBIAEoCUIYukgVchMKEWlhbS5zdGlnbWVyLmFpL3YxEh4KBGtpbmQYAiABKAlCELpIDXILCglJYW1Qb2xpY3kSRQoIbWV0YWRhdGEYAyABKAsyMy5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VNZXRhZGF0YRI4CgRzcGVjGAQgASgLMiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMSPAoGc3RhdHVzGAUgASgLMiwuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVN0YXR1cyJSCg9JYW1Qb2xpY3lTdGF0dXMSPwoFYXVkaXQYASABKAsyMC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VBdWRpdGIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_metadata, file_ai_stigmer_commons_apiresource_status, file_ai_stigmer_iam_iampolicy_v1_spec, file_buf_validate_validate]);
+/**
+ * Describes the message ai.stigmer.iam.iampolicy.v1.IamPolicy.
+ * Use `create(IamPolicySchema)` to create a new message.
+ */
+export const IamPolicySchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_api, 0);
+/**
+ * Describes the message ai.stigmer.iam.iampolicy.v1.IamPolicyStatus.
+ * Use `create(IamPolicyStatusSchema)` to create a new message.
+ */
+export const IamPolicyStatusSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_api, 1);
+//# sourceMappingURL=api_pb.js.map

package/ai/stigmer/iam/iampolicy/v1/api_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/api_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kHAAkH;AAClH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,4CAA4C,EAAE,MAAM,0CAA0C,CAAC;AAExG,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,qCAAqC,EAAE,MAAM,WAAW,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,oCAAoC,GAAY,aAAa,CACxE,QAAQ,CAAC,klBAAklB,EAAE,CAAC,4CAA4C,EAAE,0CAA0C,EAAE,qCAAqC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAsD9vB;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAA0B,aAAa,CACjE,WAAW,CAAC,oCAAoC,EAAE,CAAC,CAAC,CAAC;AAkBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAgC,aAAa,CAC7E,WAAW,CAAC,oCAAoC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/command_connect.d.ts

@@ -0,0 +1,225 @@
+/**
+ * IAM Policy Command Controller
+ *
+ * This service manages the lifecycle of IAM policies in Stigmer.
+ * IAM policies define access control rules by connecting three key elements:
+ * - Principal: WHO gets access (user, team, etc.)
+ * - Resource: WHAT is being accessed (any API resource)
+ * - Relation: HOW they can access it (viewer, admin, user, etc.)
+ *
+ * Under the hood, each IAM policy creates an OpenFGA tuple that enforces
+ * the permission in the authorization system.
+ *
+ * Common Use Cases:
+ * - Granting users access to organizations
+ * - Setting up team-based access control
+ * - Managing fine-grained permissions on any resource
+ *
+ * @generated from service ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController
+ */
+export declare const IamPolicyCommandController: {
+    readonly typeName: "ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController";
+    readonly methods: {
+        /**
+         * Create a new IAM policy
+         *
+         * Creates a single IAM policy that grants a principal access to a resource with a specific relation.
+         * This is the fundamental operation for establishing permissions.
+         *
+         * The operation:
+         * 1. Validates the input (principal, resource, relation are all valid)
+         * 2. Checks for duplicates (skips if the exact policy already exists, idempotent)
+         * 3. Creates the policy in the database with auto-generated ID and metadata
+         * 4. Writes the corresponding tuple to OpenFGA (where authorization is enforced)
+         *
+         * Authorization:
+         * - Caller must have 'can_grant_access' permission on the RESOURCE being shared
+         * - This ensures only resource owners/admins can grant access to their resources
+         *
+         * Example:
+         * Input:
+         *   principal: {kind: "identity_account", id: "ia-alice-123"}
+         *   resource: {kind: "organization", id: "org-demo-456"}
+         *   relation: "viewer"
+         * Result:
+         *   Created IamPolicy with auto-generated ID (e.g., "iamp-01HQ...")
+         *   Alice can view (but not modify) the organization
+         *
+         * Input: IamPolicySpec containing principal, resource, and relation
+         * Output: The created IamPolicy with generated ID and metadata
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.create
+         */
+        readonly create: {
+            readonly name: "create";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Delete a single IAM policy by spec
+         *
+         * Removes an existing IAM policy by matching the principal, resource, and relation.
+         * This is a surgical operation - it removes one specific policy without affecting others.
+         *
+         * The operation:
+         * 1. Finds the policy by matching principal+resource+relation
+         * 2. Removes it from the database
+         * 3. Deletes the corresponding tuple from OpenFGA
+         * 4. If no matching policy exists, the operation is idempotent (no error)
+         *
+         * Authorization:
+         * - Caller must have 'can_grant_access' permission on the RESOURCE referenced in the policy
+         *
+         * Use Cases:
+         * - Revoking a specific permission from a user
+         * - Removing access after a team member leaves
+         * - Cleaning up individual policies
+         *
+         * Example:
+         * Input:
+         *   principal: {kind: "identity_account", id: "ia-alice-123"}
+         *   resource: {kind: "organization", id: "org-demo-456"}
+         *   relation: "viewer"
+         * Result: The policy granting Alice viewer access to the organization is deleted
+         *
+         * Input: IamPolicySpec identifying the policy to delete (principal, resource, relation)
+         * Output: The deleted IamPolicy object (for audit/confirmation purposes)
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.delete
+         */
+        readonly delete: {
+            readonly name: "delete";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Create platform link policy (operator-only)
+         *
+         * Creates a platform link policy that associates an identity account with the platform.
+         * This is a privileged operation that can only be called by platform operators.
+         *
+         * The operation:
+         * 1. Validates that caller has operator permission on platform:stigmer
+         * 2. Validates the input is a platform link (principal=platform, relation=platform)
+         * 3. Checks for duplicates (idempotent if already exists)
+         * 4. Creates the policy in the database with auto-generated ID and metadata
+         * 5. Writes the corresponding tuple to OpenFGA
+         *
+         * Authorization:
+         * - Caller must have 'operator' permission on platform:stigmer
+         * - This is typically only granted to machine accounts (service-to-service)
+         *
+         * Use Cases:
+         * - Bootstrapping new identity accounts
+         * - Initial permission setup when standard authorization cannot work yet
+         * - Establishing platform-level relationships for new resources
+         *
+         * Example:
+         * Input:
+         *   principal: {kind: "platform", id: "stigmer"}
+         *   resource: {kind: "identity_account", id: "ida-alice-123"}
+         *   relation: "platform"
+         * Result:
+         *   Created IamPolicy linking the identity account to the platform
+         *   Machine accounts with operator permission can now manage this account
+         *
+         * Input: IamPolicySpec with principal=platform:stigmer, relation=platform, resource=identity_account:{id}
+         * Output: The created IamPolicy with generated ID and metadata
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.createPlatformLink
+         */
+        readonly createPlatformLink: {
+            readonly name: "createPlatformLink";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Bootstrap IAM policy during resource creation (operator-only)
+         *
+         * Creates IAM policies during resource creation when standard authorization cannot work yet
+         * because no tuples exist. This solves the chicken-and-egg problem where creating the first
+         * policy for a resource requires authorization, but authorization requires that first policy.
+         *
+         * The operation:
+         * 1. Validates that caller has operator permission on platform:stigmer
+         * 2. Validates the input (principal, resource, relation are all valid)
+         * 3. Checks for duplicates (skips if the exact policy already exists, idempotent)
+         * 4. Creates the policy in the database with auto-generated ID and metadata
+         * 5. Writes the corresponding tuple to OpenFGA (where authorization is enforced)
+         *
+         * Authorization:
+         * - Caller must have 'operator' permission on platform:stigmer
+         * - This is typically only called by resource creation handlers running as machine accounts
+         *
+         * Use Cases:
+         * - Creating scope links (agent#organization@organization:acme) during agent creation
+         * - Creating owner relations (agent#owner@identity_account:alice) during agent creation
+         * - Establishing initial authorization tuples for any newly created resource
+         *
+         * Example:
+         * Input:
+         *   principal: {kind: "organization", id: "org-demo-123"}
+         *   resource: {kind: "agent", id: "agt-abc-456"}
+         *   relation: "organization"
+         * Result:
+         *   Created IamPolicy establishing agent's organization scope
+         *   Subsequent IAM policy operations can now use standard authorization
+         *
+         * Note: After the bootstrap policies are created, subsequent IAM policy modifications
+         * must use the standard 'create' RPC which requires 'can_grant_access' permission.
+         *
+         * Input: IamPolicySpec containing principal, resource, and relation
+         * Output: The created IamPolicy with generated ID and metadata
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.bootstrapPolicy
+         */
+        readonly bootstrapPolicy: {
+            readonly name: "bootstrapPolicy";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Cleanup all IAM policies for a deleted resource (operator-only)
+         *
+         * This is a system-level cleanup operation that removes all IAM policies
+         * associated with a deleted resource. It performs bidirectional cleanup:
+         * 1. Policies where resource is the TARGET (policies granting access TO this resource)
+         * 2. Policies where resource is the PRINCIPAL (policies where this resource HAS access)
+         *
+         * The operation:
+         * 1. Validates operator permission on platform:stigmer
+         * 2. Finds all policies where resource_id appears (as principal OR resource)
+         * 3. Deletes all matching policies from MongoDB
+         * 4. Removes all corresponding tuples from OpenFGA
+         * 5. Returns Empty (idempotent if no policies exist)
+         *
+         * Authorization:
+         * - Caller must have 'operator' permission on platform:stigmer
+         * - This is typically only granted to platform services
+         *
+         * Use Cases:
+         * - Resource deletion cleanup
+         * - Preventing orphaned FGA tuples
+         * - Maintaining authorization system integrity
+         *
+         * Example:
+         * Input: {kind: "organization", id: "org-demo-123"}
+         * Result: All policies referencing org-demo-123 are deleted
+         *
+         * Input: ApiResourceRef with resource kind and ID
+         * Output: Empty (google.protobuf.Empty)
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.cleanupResourcePolicies
+         */
+        readonly cleanupResourcePolicies: {
+            readonly name: "cleanupResourcePolicies";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+    };
+};

package/ai/stigmer/iam/iampolicy/v1/command_connect.js

@@ -0,0 +1,231 @@
+// @generated by protoc-gen-connect-es v1.6.1 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/iampolicy/v1/command.proto (package ai.stigmer.iam.iampolicy.v1, syntax proto3)
+/* eslint-disable */
+// @ts-nocheck
+import { Empty, MethodKind } from "@bufbuild/protobuf";
+/**
+ * IAM Policy Command Controller
+ *
+ * This service manages the lifecycle of IAM policies in Stigmer.
+ * IAM policies define access control rules by connecting three key elements:
+ * - Principal: WHO gets access (user, team, etc.)
+ * - Resource: WHAT is being accessed (any API resource)
+ * - Relation: HOW they can access it (viewer, admin, user, etc.)
+ *
+ * Under the hood, each IAM policy creates an OpenFGA tuple that enforces
+ * the permission in the authorization system.
+ *
+ * Common Use Cases:
+ * - Granting users access to organizations
+ * - Setting up team-based access control
+ * - Managing fine-grained permissions on any resource
+ *
+ * @generated from service ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController
+ */
+export const IamPolicyCommandController = {
+    typeName: "ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController",
+    methods: {
+        /**
+         * Create a new IAM policy
+         *
+         * Creates a single IAM policy that grants a principal access to a resource with a specific relation.
+         * This is the fundamental operation for establishing permissions.
+         *
+         * The operation:
+         * 1. Validates the input (principal, resource, relation are all valid)
+         * 2. Checks for duplicates (skips if the exact policy already exists, idempotent)
+         * 3. Creates the policy in the database with auto-generated ID and metadata
+         * 4. Writes the corresponding tuple to OpenFGA (where authorization is enforced)
+         *
+         * Authorization:
+         * - Caller must have 'can_grant_access' permission on the RESOURCE being shared
+         * - This ensures only resource owners/admins can grant access to their resources
+         *
+         * Example:
+         * Input:
+         *   principal: {kind: "identity_account", id: "ia-alice-123"}
+         *   resource: {kind: "organization", id: "org-demo-456"}
+         *   relation: "viewer"
+         * Result:
+         *   Created IamPolicy with auto-generated ID (e.g., "iamp-01HQ...")
+         *   Alice can view (but not modify) the organization
+         *
+         * Input: IamPolicySpec containing principal, resource, and relation
+         * Output: The created IamPolicy with generated ID and metadata
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.create
+         */
+        create: {
+            name: "create",
+            I: IamPolicySpec,
+            O: IamPolicy,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Delete a single IAM policy by spec
+         *
+         * Removes an existing IAM policy by matching the principal, resource, and relation.
+         * This is a surgical operation - it removes one specific policy without affecting others.
+         *
+         * The operation:
+         * 1. Finds the policy by matching principal+resource+relation
+         * 2. Removes it from the database
+         * 3. Deletes the corresponding tuple from OpenFGA
+         * 4. If no matching policy exists, the operation is idempotent (no error)
+         *
+         * Authorization:
+         * - Caller must have 'can_grant_access' permission on the RESOURCE referenced in the policy
+         *
+         * Use Cases:
+         * - Revoking a specific permission from a user
+         * - Removing access after a team member leaves
+         * - Cleaning up individual policies
+         *
+         * Example:
+         * Input:
+         *   principal: {kind: "identity_account", id: "ia-alice-123"}
+         *   resource: {kind: "organization", id: "org-demo-456"}
+         *   relation: "viewer"
+         * Result: The policy granting Alice viewer access to the organization is deleted
+         *
+         * Input: IamPolicySpec identifying the policy to delete (principal, resource, relation)
+         * Output: The deleted IamPolicy object (for audit/confirmation purposes)
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.delete
+         */
+        delete: {
+            name: "delete",
+            I: IamPolicySpec,
+            O: IamPolicy,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Create platform link policy (operator-only)
+         *
+         * Creates a platform link policy that associates an identity account with the platform.
+         * This is a privileged operation that can only be called by platform operators.
+         *
+         * The operation:
+         * 1. Validates that caller has operator permission on platform:stigmer
+         * 2. Validates the input is a platform link (principal=platform, relation=platform)
+         * 3. Checks for duplicates (idempotent if already exists)
+         * 4. Creates the policy in the database with auto-generated ID and metadata
+         * 5. Writes the corresponding tuple to OpenFGA
+         *
+         * Authorization:
+         * - Caller must have 'operator' permission on platform:stigmer
+         * - This is typically only granted to machine accounts (service-to-service)
+         *
+         * Use Cases:
+         * - Bootstrapping new identity accounts
+         * - Initial permission setup when standard authorization cannot work yet
+         * - Establishing platform-level relationships for new resources
+         *
+         * Example:
+         * Input:
+         *   principal: {kind: "platform", id: "stigmer"}
+         *   resource: {kind: "identity_account", id: "ida-alice-123"}
+         *   relation: "platform"
+         * Result:
+         *   Created IamPolicy linking the identity account to the platform
+         *   Machine accounts with operator permission can now manage this account
+         *
+         * Input: IamPolicySpec with principal=platform:stigmer, relation=platform, resource=identity_account:{id}
+         * Output: The created IamPolicy with generated ID and metadata
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.createPlatformLink
+         */
+        createPlatformLink: {
+            name: "createPlatformLink",
+            I: IamPolicySpec,
+            O: IamPolicy,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Bootstrap IAM policy during resource creation (operator-only)
+         *
+         * Creates IAM policies during resource creation when standard authorization cannot work yet
+         * because no tuples exist. This solves the chicken-and-egg problem where creating the first
+         * policy for a resource requires authorization, but authorization requires that first policy.
+         *
+         * The operation:
+         * 1. Validates that caller has operator permission on platform:stigmer
+         * 2. Validates the input (principal, resource, relation are all valid)
+         * 3. Checks for duplicates (skips if the exact policy already exists, idempotent)
+         * 4. Creates the policy in the database with auto-generated ID and metadata
+         * 5. Writes the corresponding tuple to OpenFGA (where authorization is enforced)
+         *
+         * Authorization:
+         * - Caller must have 'operator' permission on platform:stigmer
+         * - This is typically only called by resource creation handlers running as machine accounts
+         *
+         * Use Cases:
+         * - Creating scope links (agent#organization@organization:acme) during agent creation
+         * - Creating owner relations (agent#owner@identity_account:alice) during agent creation
+         * - Establishing initial authorization tuples for any newly created resource
+         *
+         * Example:
+         * Input:
+         *   principal: {kind: "organization", id: "org-demo-123"}
+         *   resource: {kind: "agent", id: "agt-abc-456"}
+         *   relation: "organization"
+         * Result:
+         *   Created IamPolicy establishing agent's organization scope
+         *   Subsequent IAM policy operations can now use standard authorization
+         *
+         * Note: After the bootstrap policies are created, subsequent IAM policy modifications
+         * must use the standard 'create' RPC which requires 'can_grant_access' permission.
+         *
+         * Input: IamPolicySpec containing principal, resource, and relation
+         * Output: The created IamPolicy with generated ID and metadata
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.bootstrapPolicy
+         */
+        bootstrapPolicy: {
+            name: "bootstrapPolicy",
+            I: IamPolicySpec,
+            O: IamPolicy,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Cleanup all IAM policies for a deleted resource (operator-only)
+         *
+         * This is a system-level cleanup operation that removes all IAM policies
+         * associated with a deleted resource. It performs bidirectional cleanup:
+         * 1. Policies where resource is the TARGET (policies granting access TO this resource)
+         * 2. Policies where resource is the PRINCIPAL (policies where this resource HAS access)
+         *
+         * The operation:
+         * 1. Validates operator permission on platform:stigmer
+         * 2. Finds all policies where resource_id appears (as principal OR resource)
+         * 3. Deletes all matching policies from MongoDB
+         * 4. Removes all corresponding tuples from OpenFGA
+         * 5. Returns Empty (idempotent if no policies exist)
+         *
+         * Authorization:
+         * - Caller must have 'operator' permission on platform:stigmer
+         * - This is typically only granted to platform services
+         *
+         * Use Cases:
+         * - Resource deletion cleanup
+         * - Preventing orphaned FGA tuples
+         * - Maintaining authorization system integrity
+         *
+         * Example:
+         * Input: {kind: "organization", id: "org-demo-123"}
+         * Result: All policies referencing org-demo-123 are deleted
+         *
+         * Input: ApiResourceRef with resource kind and ID
+         * Output: Empty (google.protobuf.Empty)
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.cleanupResourcePolicies
+         */
+        cleanupResourcePolicies: {
+            name: "cleanupResourcePolicies",
+            I: ApiResourceRef,
+            O: Empty,
+            kind: MethodKind.Unary,
+        },
+    }
+};
+//# sourceMappingURL=command_connect.js.map

package/ai/stigmer/iam/iampolicy/v1/command_connect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,sHAAsH;AACtH,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,QAAQ,EAAE,wDAAwD;IAClE,OAAO,EAAE;QACP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA6BG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA+BG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAmCG;QACH,kBAAkB,EAAE;YAClB,IAAI,EAAE,oBAAoB;YAC1B,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAuCG;QACH,eAAe,EAAE;YACf,IAAI,EAAE,iBAAiB;YACvB,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAgCG;QACH,uBAAuB,EAAE;YACvB,IAAI,EAAE,yBAAyB;YAC/B,CAAC,EAAE,cAAc;YACjB,CAAC,EAAE,KAAK;YACR,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}