@stigmer/protos 0.0.36 → 0.0.40

package/ai/stigmer/iam/iampolicy/v1/rpcauthorization/iam_permission_pb.js

@@ -5,10 +5,12 @@ import { enumDesc, fileDesc } from "@bufbuild/protobuf/codegenv1";
 /**
  * Describes the file ai/stigmer/iam/iampolicy/v1/rpcauthorization/iam_permission.proto.
  */
-export const file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_iam_permission = /*@__PURE__*/ fileDesc("CkFhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvcnBjYXV0aG9yaXphdGlvbi9pYW1fcGVybWlzc2lvbi5wcm90bxIsYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLnJwY2F1dGhvcml6YXRpb24q6wMKGEFwaVJlc291cmNlSWFtUGVybWlzc2lvbhIPCgt1bnNwZWNpZmllZBAAEgoKBmNyZWF0ZRABEg4KCmNhbl9kZWxldGUQAhIMCghjYW5fdmlldxADEgwKCGNhbl9lZGl0EAQSDAoIb3BlcmF0b3IQBRIMCghwbGF0Zm9ybRAGEhgKFGxvZ2luX3RvX2JhY2tfb2ZmaWNlEAcSFAoQY2FuX2dyYW50X2FjY2VzcxAIEhMKD2Nhbl92aWV3X2FjY2VzcxAJEgkKBW93bmVyEAoSCgoGbWVtYmVyEAsSFAoQaWRlbnRpdHlfYWNjb3VudBAMEhAKDG9yZ2FuaXphdGlvbhANEgsKB3Nlc3Npb24QDhIJCgVhZ2VudBAPEhQKEGNhbl9jcmVhdGVfYWdlbnQQEBIXChNjYW5fY3JlYXRlX3dvcmtmbG93EBESFgoSY2FuX2NyZWF0ZV9zZXNzaW9uEBISGwoXY2FuX2NyZWF0ZV9leGVjdXRpb25faW4QExIXChNjYW5fY3JlYXRlX2luc3RhbmNlEBQSFAoQY2FuX2NyZWF0ZV9za2lsbBAVEhYKEmNhbl9jcmVhdGVfcHJvamVjdBAXEhIKDmNhbl9jcmVhdGVfaWRwEBgSDwoLY2FuX2V4ZWN1dGUQFmIGcHJvdG8z");
+export const file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_iam_permission = /*@__PURE__*/ fileDesc("CkFhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvcnBjYXV0aG9yaXphdGlvbi9pYW1fcGVybWlzc2lvbi5wcm90bxIsYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLnJwY2F1dGhvcml6YXRpb24qoAUKGEFwaVJlc291cmNlSWFtUGVybWlzc2lvbhIPCgt1bnNwZWNpZmllZBAAEgoKBmNyZWF0ZRABEg4KCmNhbl9kZWxldGUQAhIMCghjYW5fdmlldxADEgwKCGNhbl9lZGl0EAQSGAoUbG9naW5fdG9fYmFja19vZmZpY2UQBxIUChBjYW5fZ3JhbnRfYWNjZXNzEAgSEwoPY2FuX3ZpZXdfYWNjZXNzEAkSCQoFb3duZXIQChIKCgZtZW1iZXIQCxIKCgZ2aWV3ZXIQGhIUChBpZGVudGl0eV9hY2NvdW50EAwSEAoMb3JnYW5pemF0aW9uEA0SCwoHc2Vzc2lvbhAOEgkKBWFnZW50EA8SFAoQY2FuX2NyZWF0ZV9hZ2VudBAQEhcKE2Nhbl9jcmVhdGVfd29ya2Zsb3cQERIWChJjYW5fY3JlYXRlX3Nlc3Npb24QEhIbChdjYW5fY3JlYXRlX2V4ZWN1dGlvbl9pbhATEhcKE2Nhbl9jcmVhdGVfaW5zdGFuY2UQFBIUChBjYW5fY3JlYXRlX3NraWxsEBUSFgoSY2FuX2NyZWF0ZV9wcm9qZWN0EBcSEgoOY2FuX2NyZWF0ZV9pZHAQGBIaChZjYW5fY3JlYXRlX2Vudmlyb25tZW50EBsSDwoLY2FuX2V4ZWN1dGUQFhIUChBjYW5fcmVhZF9zZWNyZXRzEBkSFQoRY2FuX2Jvb3RzdHJhcF9pYW0QHRIgChxjYW5fbWFuYWdlX2lkZW50aXR5X2FjY291bnRzEB4SHwobY2FuX3VwZGF0ZV9leGVjdXRpb25fc3RhdHVzEB8iBAgFEAUiBAgGEAYiBAgcEBwqCG9wZXJhdG9yKghwbGF0Zm9ybSoRY2FuX3VwZGF0ZV9zdGF0dXNiBnByb3RvMw");
 /**
- * ApiResourceIamPermission defines the core permissions used in the authorization model.
- * This is a simplified set for a demo project, containing only essential permissions.
+ * ApiResourceIamPermission defines the permissions and structural relations
+ * used in the Stigmer authorization model. Each value maps to an FGA relation
+ * name that appears either in RPC authorization annotations or in FGA tuple
+ * creation logic.
  *
  * @generated from enum ai.stigmer.iam.iampolicy.v1.rpcauthorization.ApiResourceIamPermission
  */
@@ -39,135 +41,115 @@ export var ApiResourceIamPermission;
     /**
      * Platform-level permissions
      *
-     * Platform operator with elevated privileges
-     *
-     * @generated from enum value: operator = 5;
-     */
-    ApiResourceIamPermission[ApiResourceIamPermission["operator"] = 5] = "operator";
-    /**
-     * Platform-level access
-     *
-     * @generated from enum value: platform = 6;
-     */
-    ApiResourceIamPermission[ApiResourceIamPermission["platform"] = 6] = "platform";
-    /**
-     * Permission to login to back office
-     *
      * @generated from enum value: login_to_back_office = 7;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["login_to_back_office"] = 7] = "login_to_back_office";
     /**
-     * IAM policy management permissions (follows can_* pattern)
-     *
-     * Permission to grant/revoke access (create/delete IAM policies)
+     * IAM policy management permissions
      *
      * @generated from enum value: can_grant_access = 8;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_grant_access"] = 8] = "can_grant_access";
     /**
-     * Permission to view who has access (view IAM policies)
-     *
      * @generated from enum value: can_view_access = 9;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_view_access"] = 9] = "can_view_access";
     /**
      * Resource ownership and membership
      *
-     * Resource owner
-     *
      * @generated from enum value: owner = 10;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["owner"] = 10] = "owner";
     /**
-     * Resource member (for teams, organizations)
-     *
      * @generated from enum value: member = 11;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["member"] = 11] = "member";
+    /**
+     * @generated from enum value: viewer = 26;
+     */
+    ApiResourceIamPermission[ApiResourceIamPermission["viewer"] = 26] = "viewer";
     /**
      * Structural relations (parent links)
      *
-     * Link to identity account (user-scoped parent)
-     *
      * @generated from enum value: identity_account = 12;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["identity_account"] = 12] = "identity_account";
     /**
-     * Link to organization (org-scoped parent)
-     *
      * @generated from enum value: organization = 13;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["organization"] = 13] = "organization";
     /**
-     * Link to session (agent execution parent)
-     *
      * @generated from enum value: session = 14;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["session"] = 14] = "session";
     /**
-     * Link to agent (agent instance parent)
-     *
      * @generated from enum value: agent = 15;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["agent"] = 15] = "agent";
     /**
      * Resource-specific creation permissions
      *
-     * Permission to create agents in an organization
-     *
      * @generated from enum value: can_create_agent = 16;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_create_agent"] = 16] = "can_create_agent";
     /**
-     * Permission to create workflows in an organization
-     *
      * @generated from enum value: can_create_workflow = 17;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_create_workflow"] = 17] = "can_create_workflow";
     /**
-     * Permission to create sessions in an organization
-     *
      * @generated from enum value: can_create_session = 18;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_create_session"] = 18] = "can_create_session";
     /**
-     * Permission to create agent executions in a session
-     *
      * @generated from enum value: can_create_execution_in = 19;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_create_execution_in"] = 19] = "can_create_execution_in";
     /**
-     * Permission to create agent instances (derived from can_execute on parent agent)
-     *
      * @generated from enum value: can_create_instance = 20;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_create_instance"] = 20] = "can_create_instance";
     /**
-     * Permission to create skills in an organization
-     *
      * @generated from enum value: can_create_skill = 21;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_create_skill"] = 21] = "can_create_skill";
     /**
-     * Permission to create projects in an organization
-     *
      * @generated from enum value: can_create_project = 23;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_create_project"] = 23] = "can_create_project";
     /**
-     * Permission to create identity providers in an organization
-     *
      * @generated from enum value: can_create_idp = 24;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_create_idp"] = 24] = "can_create_idp";
+    /**
+     * @generated from enum value: can_create_environment = 27;
+     */
+    ApiResourceIamPermission[ApiResourceIamPermission["can_create_environment"] = 27] = "can_create_environment";
     /**
      * Resource-specific operation permissions
      *
-     * Permission to execute agent/session operations
-     *
      * @generated from enum value: can_execute = 22;
      */
     ApiResourceIamPermission[ApiResourceIamPermission["can_execute"] = 22] = "can_execute";
+    /**
+     * Secret access permissions
+     *
+     * @generated from enum value: can_read_secrets = 25;
+     */
+    ApiResourceIamPermission[ApiResourceIamPermission["can_read_secrets"] = 25] = "can_read_secrets";
+    /**
+     * Platform-level operational permissions (checked against platform:stigmer)
+     *
+     * @generated from enum value: can_bootstrap_iam = 29;
+     */
+    ApiResourceIamPermission[ApiResourceIamPermission["can_bootstrap_iam"] = 29] = "can_bootstrap_iam";
+    /**
+     * @generated from enum value: can_manage_identity_accounts = 30;
+     */
+    ApiResourceIamPermission[ApiResourceIamPermission["can_manage_identity_accounts"] = 30] = "can_manage_identity_accounts";
+    /**
+     * @generated from enum value: can_update_execution_status = 31;
+     */
+    ApiResourceIamPermission[ApiResourceIamPermission["can_update_execution_status"] = 31] = "can_update_execution_status";
 })(ApiResourceIamPermission || (ApiResourceIamPermission = {}));
 /**
  * Describes the enum ai.stigmer.iam.iampolicy.v1.rpcauthorization.ApiResourceIamPermission.

package/ai/stigmer/iam/iampolicy/v1/rpcauthorization/iam_permission_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"iam_permission_pb.js","sourceRoot":"","sources":["../../../../../../../ai/stigmer/iam/iampolicy/v1/rpcauthorization/iam_permission_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+JAA+J;AAC/J,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,gEAAgE,GAAY,aAAa,CACpG,QAAQ,CAAC,szBAAszB,CAAC,CAAC;AAEn0B;;;;;GAKG;AACH,MAAM,CAAN,IAAY,wBAmLX;AAnLD,WAAY,wBAAwB;IAClC;;OAEG;IACH,qFAAe,CAAA;IAEf;;;;OAIG;IACH,2EAAU,CAAA;IAEV;;OAEG;IACH,mFAAc,CAAA;IAEd;;OAEG;IACH,+EAAY,CAAA;IAEZ;;OAEG;IACH,+EAAY,CAAA;IAEZ;;;;;;OAMG;IACH,+EAAY,CAAA;IAEZ;;;;OAIG;IACH,+EAAY,CAAA;IAEZ;;;;OAIG;IACH,uGAAwB,CAAA;IAExB;;;;;;OAMG;IACH,+FAAoB,CAAA;IAEpB;;;;OAIG;IACH,6FAAmB,CAAA;IAEnB;;;;;;OAMG;IACH,0EAAU,CAAA;IAEV;;;;OAIG;IACH,4EAAW,CAAA;IAEX;;;;;;OAMG;IACH,gGAAqB,CAAA;IAErB;;;;OAIG;IACH,wFAAiB,CAAA;IAEjB;;;;OAIG;IACH,8EAAY,CAAA;IAEZ;;;;OAIG;IACH,0EAAU,CAAA;IAEV;;;;;;OAMG;IACH,gGAAqB,CAAA;IAErB;;;;OAIG;IACH,sGAAwB,CAAA;IAExB;;;;OAIG;IACH,oGAAuB,CAAA;IAEvB;;;;OAIG;IACH,8GAA4B,CAAA;IAE5B;;;;OAIG;IACH,sGAAwB,CAAA;IAExB;;;;OAIG;IACH,gGAAqB,CAAA;IAErB;;;;OAIG;IACH,oGAAuB,CAAA;IAEvB;;;;OAIG;IACH,4FAAmB,CAAA;IAEnB;;;;;;OAMG;IACH,sFAAgB,CAAA;AAClB,CAAC,EAnLW,wBAAwB,KAAxB,wBAAwB,QAmLnC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAsC,aAAa,CAC5F,QAAQ,CAAC,gEAAgE,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"iam_permission_pb.js","sourceRoot":"","sources":["../../../../../../../ai/stigmer/iam/iampolicy/v1/rpcauthorization/iam_permission_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+JAA+J;AAC/J,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,gEAAgE,GAAY,aAAa,CACpG,QAAQ,CAAC,wiCAAwiC,CAAC,CAAC;AAErjC;;;;;;;GAOG;AACH,MAAM,CAAN,IAAY,wBAmKX;AAnKD,WAAY,wBAAwB;IAClC;;OAEG;IACH,qFAAe,CAAA;IAEf;;;;OAIG;IACH,2EAAU,CAAA;IAEV;;OAEG;IACH,mFAAc,CAAA;IAEd;;OAEG;IACH,+EAAY,CAAA;IAEZ;;OAEG;IACH,+EAAY,CAAA;IAEZ;;;;OAIG;IACH,uGAAwB,CAAA;IAExB;;;;OAIG;IACH,+FAAoB,CAAA;IAEpB;;OAEG;IACH,6FAAmB,CAAA;IAEnB;;;;OAIG;IACH,0EAAU,CAAA;IAEV;;OAEG;IACH,4EAAW,CAAA;IAEX;;OAEG;IACH,4EAAW,CAAA;IAEX;;;;OAIG;IACH,gGAAqB,CAAA;IAErB;;OAEG;IACH,wFAAiB,CAAA;IAEjB;;OAEG;IACH,8EAAY,CAAA;IAEZ;;OAEG;IACH,0EAAU,CAAA;IAEV;;;;OAIG;IACH,gGAAqB,CAAA;IAErB;;OAEG;IACH,sGAAwB,CAAA;IAExB;;OAEG;IACH,oGAAuB,CAAA;IAEvB;;OAEG;IACH,8GAA4B,CAAA;IAE5B;;OAEG;IACH,sGAAwB,CAAA;IAExB;;OAEG;IACH,gGAAqB,CAAA;IAErB;;OAEG;IACH,oGAAuB,CAAA;IAEvB;;OAEG;IACH,4FAAmB,CAAA;IAEnB;;OAEG;IACH,4GAA2B,CAAA;IAE3B;;;;OAIG;IACH,sFAAgB,CAAA;IAEhB;;;;OAIG;IACH,gGAAqB,CAAA;IAErB;;;;OAIG;IACH,kGAAsB,CAAA;IAEtB;;OAEG;IACH,wHAAiC,CAAA;IAEjC;;OAEG;IACH,sHAAgC,CAAA;AAClC,CAAC,EAnKW,wBAAwB,KAAxB,wBAAwB,QAmKnC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAsC,aAAa,CAC5F,QAAQ,CAAC,gEAAgE,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/command_pb.js

@@ -10,7 +10,7 @@ import { file_google_protobuf_empty } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/command.proto.
  */
-export const file_ai_stigmer_iam_identityaccount_v1_command = /*@__PURE__*/ fileDesc("Ci9haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvY29tbWFuZC5wcm90bxIhYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxMuYECiBJZGVudGl0eUFjY291bnRDb21tYW5kQ29udHJvbGxlchJwCgZjcmVhdGUSMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50GjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudBKwAQoGdXBkYXRlEjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiPsK4GDoIBBALIgttZXRhZGF0YS5pZCondW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBhY2NvdW50EqwBCgZkZWxldGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjjCuBg0CAIQCyIFdmFsdWUqJ3VuYXV0aG9yaXplZCB0byBkZWxldGUgaWRlbnRpdHkgYWNjb3VudBJoChVzaW11bGF0ZVNpZ251cFdlYmhvb2sSNy5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50RW1haWwaFi5nb29nbGUucHJvdG9idWYuRW1wdHkaBKD/KwtiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
+export const file_ai_stigmer_iam_identityaccount_v1_command = /*@__PURE__*/ fileDesc("Ci9haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvY29tbWFuZC5wcm90bxIhYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxMvIECiBJZGVudGl0eUFjY291bnRDb21tYW5kQ29udHJvbGxlchJ2CgZjcmVhdGUSMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50GjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCIE0LgYARKwAQoGdXBkYXRlEjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiPsK4GDoIBBALIgttZXRhZGF0YS5pZCondW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBhY2NvdW50EqwBCgZkZWxldGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjjCuBg0CAIQCyIFdmFsdWUqJ3VuYXV0aG9yaXplZCB0byBkZWxldGUgaWRlbnRpdHkgYWNjb3VudBJuChVzaW11bGF0ZVNpZ251cFdlYmhvb2sSNy5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50RW1haWwaFi5nb29nbGUucHJvdG9idWYuRW1wdHkiBNC4GAEaBKD/KwtiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
 /**
  * identity-account command controller
  *

package/ai/stigmer/iam/identityaccount/v1/command_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,8CAA8C,GAAY,aAAa,CAClF,QAAQ,CAAC,o7BAAo7B,EAAE,CAAC,uDAAuD,EAAE,gEAAgE,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEjrC;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GA8CxC,aAAa,CAChB,WAAW,CAAC,8CAA8C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,8CAA8C,GAAY,aAAa,CAClF,QAAQ,CAAC,o8BAAo8B,EAAE,CAAC,uDAAuD,EAAE,gEAAgE,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEjsC;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GA8CxC,aAAa,CAChB,WAAW,CAAC,8CAA8C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/query_connect.d.ts

@@ -19,6 +19,7 @@ export declare const IdentityProviderQueryController: {
         };
         /**
          * Get an identity provider by reference (org + slug).
+         * Custom authorization in handler.
          *
          * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getByReference
          */

package/ai/stigmer/iam/identityprovider/v1/query_connect.js

@@ -24,6 +24,7 @@ export const IdentityProviderQueryController = {
         },
         /**
          * Get an identity provider by reference (org + slug).
+         * Custom authorization in handler.
          *
          * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getByReference
          */

package/ai/stigmer/iam/identityprovider/v1/query_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;WAIG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;WAIG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;WAIG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;WAKG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/query_pb.d.ts

@@ -23,6 +23,7 @@ export declare const IdentityProviderQueryController: GenService<{
     };
     /**
      * Get an identity provider by reference (org + slug).
+     * Custom authorization in handler.
      *
      * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getByReference
      */

package/ai/stigmer/iam/identityprovider/v1/query_pb.js

@@ -9,7 +9,7 @@ import { file_ai_stigmer_iam_identityprovider_v1_api } from "./api_pb";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/query.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_query = /*@__PURE__*/ fileDesc("Ci5haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3F1ZXJ5LnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxMssCCh9JZGVudGl0eVByb3ZpZGVyUXVlcnlDb250cm9sbGVyEqMBCgNnZXQSLS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VJZBo0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlciI3wrgYMwgDEBUiBXZhbHVlKiZ1bmF1dGhvcml6ZWQgdG8gdmlldyBpZGVudGl0eSBwcm92aWRlchJ8Cg5nZXRCeVJlZmVyZW5jZRI0LmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5BcGlSZXNvdXJjZVJlZmVyZW5jZRo0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlchoEoP8rFWIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityprovider_v1_api]);
+export const file_ai_stigmer_iam_identityprovider_v1_query = /*@__PURE__*/ fileDesc("Ci5haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3F1ZXJ5LnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxMtICCh9JZGVudGl0eVByb3ZpZGVyUXVlcnlDb250cm9sbGVyEqMBCgNnZXQSLS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VJZBo0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlciI3wrgYMwgDEBUiBXZhbHVlKiZ1bmF1dGhvcml6ZWQgdG8gdmlldyBpZGVudGl0eSBwcm92aWRlchKCAQoOZ2V0QnlSZWZlcmVuY2USNC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VSZWZlcmVuY2UaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiBNC4GAEaBKD/KxViBnByb3RvMw", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityprovider_v1_api]);
 /**
  * IdentityProviderQueryController provides read operations for identity providers.
  *

package/ai/stigmer/iam/identityprovider/v1/query_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,MAAM,6CAA6C,GAAY,aAAa,CACjF,QAAQ,CAAC,0jBAA0jB,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,gEAAgE,EAAE,2CAA2C,CAAC,CAAC,CAAC;AAEzxB;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAqBvC,aAAa,CAChB,WAAW,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,MAAM,6CAA6C,GAAY,aAAa,CACjF,QAAQ,CAAC,okBAAokB,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,gEAAgE,EAAE,2CAA2C,CAAC,CAAC,CAAC;AAEnyB;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAsBvC,aAAa,CAChB,WAAW,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/platform/github/v1/service_connect.d.ts

@@ -0,0 +1,58 @@
+/**
+ * GitHubService provides OAuth integration with GitHub.
+ *
+ * This is a platform utility service — not a domain resource.
+ * It enables the web console (and SDK consumers) to connect a user's
+ * GitHub account via OAuth, then browse and select repositories
+ * for workspace configuration.
+ *
+ * The service handles the server-side OAuth code exchange (protecting
+ * the client_secret) and provides the authorize URL so the frontend
+ * does not need to know the client_id or redirect_uri.
+ *
+ * Tokens are ephemeral — they are returned to the caller and never
+ * persisted by the backend.
+ *
+ * @generated from service ai.stigmer.platform.github.v1.GitHubService
+ */
+export declare const GitHubService: {
+    readonly typeName: "ai.stigmer.platform.github.v1.GitHubService";
+    readonly methods: {
+        /**
+         * Returns the GitHub OAuth authorize URL for initiating the OAuth flow.
+         *
+         * The backend constructs the URL with the registered client_id, requested
+         * scopes, and a random state parameter for CSRF protection. The frontend
+         * redirects the user to this URL, and GitHub redirects back to the
+         * provided redirect_uri with an authorization code.
+         *
+         * @generated from rpc ai.stigmer.platform.github.v1.GitHubService.getOAuthAuthorizeUrl
+         */
+        readonly getOAuthAuthorizeUrl: {
+            readonly name: "getOAuthAuthorizeUrl";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Exchanges a GitHub OAuth authorization code for an access token.
+         *
+         * The frontend calls this after receiving the authorization code from
+         * GitHub's OAuth redirect. The backend makes the token exchange request
+         * to GitHub using the client_secret (which must never be exposed to
+         * the frontend).
+         *
+         * The returned access_token is NOT stored by the backend. The frontend
+         * is responsible for persisting it (e.g., in localStorage) and including
+         * it in subsequent requests that need GitHub access.
+         *
+         * @generated from rpc ai.stigmer.platform.github.v1.GitHubService.exchangeOAuthCode
+         */
+        readonly exchangeOAuthCode: {
+            readonly name: "exchangeOAuthCode";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+    };
+};

package/ai/stigmer/platform/github/v1/service_connect.js

@@ -0,0 +1,64 @@
+// @generated by protoc-gen-connect-es v1.6.1 with parameter "target=ts"
+// @generated from file ai/stigmer/platform/github/v1/service.proto (package ai.stigmer.platform.github.v1, syntax proto3)
+/* eslint-disable */
+// @ts-nocheck
+import { MethodKind } from "@bufbuild/protobuf";
+/**
+ * GitHubService provides OAuth integration with GitHub.
+ *
+ * This is a platform utility service — not a domain resource.
+ * It enables the web console (and SDK consumers) to connect a user's
+ * GitHub account via OAuth, then browse and select repositories
+ * for workspace configuration.
+ *
+ * The service handles the server-side OAuth code exchange (protecting
+ * the client_secret) and provides the authorize URL so the frontend
+ * does not need to know the client_id or redirect_uri.
+ *
+ * Tokens are ephemeral — they are returned to the caller and never
+ * persisted by the backend.
+ *
+ * @generated from service ai.stigmer.platform.github.v1.GitHubService
+ */
+export const GitHubService = {
+    typeName: "ai.stigmer.platform.github.v1.GitHubService",
+    methods: {
+        /**
+         * Returns the GitHub OAuth authorize URL for initiating the OAuth flow.
+         *
+         * The backend constructs the URL with the registered client_id, requested
+         * scopes, and a random state parameter for CSRF protection. The frontend
+         * redirects the user to this URL, and GitHub redirects back to the
+         * provided redirect_uri with an authorization code.
+         *
+         * @generated from rpc ai.stigmer.platform.github.v1.GitHubService.getOAuthAuthorizeUrl
+         */
+        getOAuthAuthorizeUrl: {
+            name: "getOAuthAuthorizeUrl",
+            I: GetOAuthAuthorizeUrlRequest,
+            O: GetOAuthAuthorizeUrlResponse,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Exchanges a GitHub OAuth authorization code for an access token.
+         *
+         * The frontend calls this after receiving the authorization code from
+         * GitHub's OAuth redirect. The backend makes the token exchange request
+         * to GitHub using the client_secret (which must never be exposed to
+         * the frontend).
+         *
+         * The returned access_token is NOT stored by the backend. The frontend
+         * is responsible for persisting it (e.g., in localStorage) and including
+         * it in subsequent requests that need GitHub access.
+         *
+         * @generated from rpc ai.stigmer.platform.github.v1.GitHubService.exchangeOAuthCode
+         */
+        exchangeOAuthCode: {
+            name: "exchangeOAuthCode",
+            I: ExchangeOAuthCodeRequest,
+            O: ExchangeOAuthCodeResponse,
+            kind: MethodKind.Unary,
+        },
+    }
+};
+//# sourceMappingURL=service_connect.js.map

package/ai/stigmer/platform/github/v1/service_connect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/platform/github/v1/service_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,0HAA0H;AAC1H,oBAAoB;AACpB,cAAc;AAGd,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,QAAQ,EAAE,6CAA6C;IACvD,OAAO,EAAE;QACP;;;;;;;;;WASG;QACH,oBAAoB,EAAE;YACpB,IAAI,EAAE,sBAAsB;YAC5B,CAAC,EAAE,2BAA2B;YAC9B,CAAC,EAAE,4BAA4B;YAC/B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;WAaG;QACH,iBAAiB,EAAE;YACjB,IAAI,EAAE,mBAAmB;YACzB,CAAC,EAAE,wBAAwB;YAC3B,CAAC,EAAE,yBAAyB;YAC5B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/platform/github/v1/service_pb.d.ts

@@ -0,0 +1,164 @@
+import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/platform/github/v1/service.proto.
+ */
+export declare const file_ai_stigmer_platform_github_v1_service: GenFile;
+/**
+ * Request to get the OAuth authorize URL.
+ *
+ * @generated from message ai.stigmer.platform.github.v1.GetOAuthAuthorizeUrlRequest
+ */
+export type GetOAuthAuthorizeUrlRequest = Message<"ai.stigmer.platform.github.v1.GetOAuthAuthorizeUrlRequest"> & {
+    /**
+     * The URI that GitHub will redirect back to after the user authorizes.
+     * Must match one of the callback URLs registered on the GitHub App.
+     *
+     * @generated from field: string redirect_uri = 1;
+     */
+    redirectUri: string;
+};
+/**
+ * Describes the message ai.stigmer.platform.github.v1.GetOAuthAuthorizeUrlRequest.
+ * Use `create(GetOAuthAuthorizeUrlRequestSchema)` to create a new message.
+ */
+export declare const GetOAuthAuthorizeUrlRequestSchema: GenMessage<GetOAuthAuthorizeUrlRequest>;
+/**
+ * Response containing the constructed OAuth authorize URL.
+ *
+ * @generated from message ai.stigmer.platform.github.v1.GetOAuthAuthorizeUrlResponse
+ */
+export type GetOAuthAuthorizeUrlResponse = Message<"ai.stigmer.platform.github.v1.GetOAuthAuthorizeUrlResponse"> & {
+    /**
+     * The full GitHub OAuth authorize URL to redirect the user to.
+     *
+     * @generated from field: string authorize_url = 1;
+     */
+    authorizeUrl: string;
+    /**
+     * A random state value for CSRF protection. The frontend must verify
+     * this matches the state returned in the callback.
+     *
+     * @generated from field: string state = 2;
+     */
+    state: string;
+};
+/**
+ * Describes the message ai.stigmer.platform.github.v1.GetOAuthAuthorizeUrlResponse.
+ * Use `create(GetOAuthAuthorizeUrlResponseSchema)` to create a new message.
+ */
+export declare const GetOAuthAuthorizeUrlResponseSchema: GenMessage<GetOAuthAuthorizeUrlResponse>;
+/**
+ * Request to exchange an authorization code for an access token.
+ *
+ * @generated from message ai.stigmer.platform.github.v1.ExchangeOAuthCodeRequest
+ */
+export type ExchangeOAuthCodeRequest = Message<"ai.stigmer.platform.github.v1.ExchangeOAuthCodeRequest"> & {
+    /**
+     * The authorization code received from GitHub's OAuth redirect.
+     *
+     * @generated from field: string code = 1;
+     */
+    code: string;
+    /**
+     * The state value from the original authorize request, for CSRF verification.
+     *
+     * @generated from field: string state = 2;
+     */
+    state: string;
+    /**
+     * The redirect_uri used in the original authorize request.
+     * GitHub requires this to match for the token exchange.
+     *
+     * @generated from field: string redirect_uri = 3;
+     */
+    redirectUri: string;
+};
+/**
+ * Describes the message ai.stigmer.platform.github.v1.ExchangeOAuthCodeRequest.
+ * Use `create(ExchangeOAuthCodeRequestSchema)` to create a new message.
+ */
+export declare const ExchangeOAuthCodeRequestSchema: GenMessage<ExchangeOAuthCodeRequest>;
+/**
+ * Response containing the exchanged access token.
+ *
+ * @generated from message ai.stigmer.platform.github.v1.ExchangeOAuthCodeResponse
+ */
+export type ExchangeOAuthCodeResponse = Message<"ai.stigmer.platform.github.v1.ExchangeOAuthCodeResponse"> & {
+    /**
+     * The GitHub access token for API calls.
+     *
+     * @generated from field: string access_token = 1;
+     */
+    accessToken: string;
+    /**
+     * The token type (typically "bearer").
+     *
+     * @generated from field: string token_type = 2;
+     */
+    tokenType: string;
+    /**
+     * The granted OAuth scopes (comma-separated).
+     *
+     * @generated from field: string scope = 3;
+     */
+    scope: string;
+};
+/**
+ * Describes the message ai.stigmer.platform.github.v1.ExchangeOAuthCodeResponse.
+ * Use `create(ExchangeOAuthCodeResponseSchema)` to create a new message.
+ */
+export declare const ExchangeOAuthCodeResponseSchema: GenMessage<ExchangeOAuthCodeResponse>;
+/**
+ * GitHubService provides OAuth integration with GitHub.
+ *
+ * This is a platform utility service — not a domain resource.
+ * It enables the web console (and SDK consumers) to connect a user's
+ * GitHub account via OAuth, then browse and select repositories
+ * for workspace configuration.
+ *
+ * The service handles the server-side OAuth code exchange (protecting
+ * the client_secret) and provides the authorize URL so the frontend
+ * does not need to know the client_id or redirect_uri.
+ *
+ * Tokens are ephemeral — they are returned to the caller and never
+ * persisted by the backend.
+ *
+ * @generated from service ai.stigmer.platform.github.v1.GitHubService
+ */
+export declare const GitHubService: GenService<{
+    /**
+     * Returns the GitHub OAuth authorize URL for initiating the OAuth flow.
+     *
+     * The backend constructs the URL with the registered client_id, requested
+     * scopes, and a random state parameter for CSRF protection. The frontend
+     * redirects the user to this URL, and GitHub redirects back to the
+     * provided redirect_uri with an authorization code.
+     *
+     * @generated from rpc ai.stigmer.platform.github.v1.GitHubService.getOAuthAuthorizeUrl
+     */
+    getOAuthAuthorizeUrl: {
+        methodKind: "unary";
+        input: typeof GetOAuthAuthorizeUrlRequestSchema;
+        output: typeof GetOAuthAuthorizeUrlResponseSchema;
+    };
+    /**
+     * Exchanges a GitHub OAuth authorization code for an access token.
+     *
+     * The frontend calls this after receiving the authorization code from
+     * GitHub's OAuth redirect. The backend makes the token exchange request
+     * to GitHub using the client_secret (which must never be exposed to
+     * the frontend).
+     *
+     * The returned access_token is NOT stored by the backend. The frontend
+     * is responsible for persisting it (e.g., in localStorage) and including
+     * it in subsequent requests that need GitHub access.
+     *
+     * @generated from rpc ai.stigmer.platform.github.v1.GitHubService.exchangeOAuthCode
+     */
+    exchangeOAuthCode: {
+        methodKind: "unary";
+        input: typeof ExchangeOAuthCodeRequestSchema;
+        output: typeof ExchangeOAuthCodeResponseSchema;
+    };
+}>;

package/ai/stigmer/platform/github/v1/service_pb.js

@@ -0,0 +1,49 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/platform/github/v1/service.proto (package ai.stigmer.platform.github.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../../iam/iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
+/**
+ * Describes the file ai/stigmer/platform/github/v1/service.proto.
+ */
+export const file_ai_stigmer_platform_github_v1_service = /*@__PURE__*/ fileDesc("CithaS9zdGlnbWVyL3BsYXRmb3JtL2dpdGh1Yi92MS9zZXJ2aWNlLnByb3RvEh1haS5zdGlnbWVyLnBsYXRmb3JtLmdpdGh1Yi52MSI8ChtHZXRPQXV0aEF1dGhvcml6ZVVybFJlcXVlc3QSHQoMcmVkaXJlY3RfdXJpGAEgASgJQge6SARyAhABIkQKHEdldE9BdXRoQXV0aG9yaXplVXJsUmVzcG9uc2USFQoNYXV0aG9yaXplX3VybBgBIAEoCRINCgVzdGF0ZRgCIAEoCSJoChhFeGNoYW5nZU9BdXRoQ29kZVJlcXVlc3QSFQoEY29kZRgBIAEoCUIHukgEcgIQARIWCgVzdGF0ZRgCIAEoCUIHukgEcgIQARIdCgxyZWRpcmVjdF91cmkYAyABKAlCB7pIBHICEAEiVAoZRXhjaGFuZ2VPQXV0aENvZGVSZXNwb25zZRIUCgxhY2Nlc3NfdG9rZW4YASABKAkSEgoKdG9rZW5fdHlwZRgCIAEoCRINCgVzY29wZRgDIAEoCTK2AgoNR2l0SHViU2VydmljZRKVAQoUZ2V0T0F1dGhBdXRob3JpemVVcmwSOi5haS5zdGlnbWVyLnBsYXRmb3JtLmdpdGh1Yi52MS5HZXRPQXV0aEF1dGhvcml6ZVVybFJlcXVlc3QaOy5haS5zdGlnbWVyLnBsYXRmb3JtLmdpdGh1Yi52MS5HZXRPQXV0aEF1dGhvcml6ZVVybFJlc3BvbnNlIgTQuBgBEowBChFleGNoYW5nZU9BdXRoQ29kZRI3LmFpLnN0aWdtZXIucGxhdGZvcm0uZ2l0aHViLnYxLkV4Y2hhbmdlT0F1dGhDb2RlUmVxdWVzdBo4LmFpLnN0aWdtZXIucGxhdGZvcm0uZ2l0aHViLnYxLkV4Y2hhbmdlT0F1dGhDb2RlUmVzcG9uc2UiBNC4GAFiBnByb3RvMw", [file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_buf_validate_validate]);
+/**
+ * Describes the message ai.stigmer.platform.github.v1.GetOAuthAuthorizeUrlRequest.
+ * Use `create(GetOAuthAuthorizeUrlRequestSchema)` to create a new message.
+ */
+export const GetOAuthAuthorizeUrlRequestSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_platform_github_v1_service, 0);
+/**
+ * Describes the message ai.stigmer.platform.github.v1.GetOAuthAuthorizeUrlResponse.
+ * Use `create(GetOAuthAuthorizeUrlResponseSchema)` to create a new message.
+ */
+export const GetOAuthAuthorizeUrlResponseSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_platform_github_v1_service, 1);
+/**
+ * Describes the message ai.stigmer.platform.github.v1.ExchangeOAuthCodeRequest.
+ * Use `create(ExchangeOAuthCodeRequestSchema)` to create a new message.
+ */
+export const ExchangeOAuthCodeRequestSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_platform_github_v1_service, 2);
+/**
+ * Describes the message ai.stigmer.platform.github.v1.ExchangeOAuthCodeResponse.
+ * Use `create(ExchangeOAuthCodeResponseSchema)` to create a new message.
+ */
+export const ExchangeOAuthCodeResponseSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_platform_github_v1_service, 3);
+/**
+ * GitHubService provides OAuth integration with GitHub.
+ *
+ * This is a platform utility service — not a domain resource.
+ * It enables the web console (and SDK consumers) to connect a user's
+ * GitHub account via OAuth, then browse and select repositories
+ * for workspace configuration.
+ *
+ * The service handles the server-side OAuth code exchange (protecting
+ * the client_secret) and provides the authorize URL so the frontend
+ * does not need to know the client_id or redirect_uri.
+ *
+ * Tokens are ephemeral — they are returned to the caller and never
+ * persisted by the backend.
+ *
+ * @generated from service ai.stigmer.platform.github.v1.GitHubService
+ */
+export const GitHubService = /*@__PURE__*/ serviceDesc(file_ai_stigmer_platform_github_v1_service, 0);
+//# sourceMappingURL=service_pb.js.map

package/ai/stigmer/platform/github/v1/service_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/platform/github/v1/service_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,0HAA0H;AAC1H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,gEAAgE,EAAE,MAAM,8DAA8D,CAAC;AAChJ,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAY,aAAa,CAC9E,QAAQ,CAAC,o8BAAo8B,EAAE,CAAC,gEAAgE,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAiBjjC;;;GAGG;AACH,MAAM,CAAC,MAAM,iCAAiC,GAA4C,aAAa,CACrG,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAwB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAA6C,aAAa,CACvG,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AA+B7D;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAyC,aAAa,CAC/F,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AA8B7D;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAA0C,aAAa,CACjG,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAE7D;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,MAAM,aAAa,GAmCrB,aAAa,CAChB,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/tenancy/organization/v1/spec_pb.d.ts

@@ -53,6 +53,14 @@ export type OrganizationSpec = Message<"ai.stigmer.tenancy.organization.v1.Organ
      * @generated from field: string external_org_id = 5;
      */
     externalOrgId: string;
+    /**
+     * Whether this is a personal organization, auto-created during identity provisioning.
+     * Personal orgs serve as the user's default workspace (like GitHub personal accounts).
+     * Immutable after creation. Set by the server — clients cannot set this to true.
+     *
+     * @generated from field: bool is_personal = 6;
+     */
+    isPersonal: boolean;
 };
 /**
  * Describes the message ai.stigmer.tenancy.organization.v1.OrganizationSpec.

package/ai/stigmer/tenancy/organization/v1/spec_pb.js

@@ -8,7 +8,7 @@ import { file_buf_validate_validate } from "../../../../../buf/validate/validate
 /**
  * Describes the file ai/stigmer/tenancy/organization/v1/spec.proto.
  */
-export const file_ai_stigmer_tenancy_organization_v1_spec = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL3RlbmFuY3kvb3JnYW5pemF0aW9uL3YxL3NwZWMucHJvdG8SImFpLnN0aWdtZXIudGVuYW5jeS5vcmdhbml6YXRpb24udjEiiAIKEE9yZ2FuaXphdGlvblNwZWMSHQoLZGVzY3JpcHRpb24YASABKAlCCLpIBXIDGPQDEhoKCGxvZ29fdXJsGAIgASgJQgi6SAVyAxiAEBJLCg9tYW5hZ2VtZW50X21vZGUYAyABKA4yMi5haS5zdGlnbWVyLnRlbmFuY3kub3JnYW5pemF0aW9uLnYxLk1hbmFnZW1lbnRNb2RlElMKFWlkZW50aXR5X3Byb3ZpZGVyX3JlZhgEIAEoCzI0LmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5BcGlSZXNvdXJjZVJlZmVyZW5jZRIXCg9leHRlcm5hbF9vcmdfaWQYBSABKAliBnByb3RvMw", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_tenancy_organization_v1_enum, file_buf_validate_validate]);
+export const file_ai_stigmer_tenancy_organization_v1_spec = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL3RlbmFuY3kvb3JnYW5pemF0aW9uL3YxL3NwZWMucHJvdG8SImFpLnN0aWdtZXIudGVuYW5jeS5vcmdhbml6YXRpb24udjEinQIKEE9yZ2FuaXphdGlvblNwZWMSHQoLZGVzY3JpcHRpb24YASABKAlCCLpIBXIDGPQDEhoKCGxvZ29fdXJsGAIgASgJQgi6SAVyAxiAEBJLCg9tYW5hZ2VtZW50X21vZGUYAyABKA4yMi5haS5zdGlnbWVyLnRlbmFuY3kub3JnYW5pemF0aW9uLnYxLk1hbmFnZW1lbnRNb2RlElMKFWlkZW50aXR5X3Byb3ZpZGVyX3JlZhgEIAEoCzI0LmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5BcGlSZXNvdXJjZVJlZmVyZW5jZRIXCg9leHRlcm5hbF9vcmdfaWQYBSABKAkSEwoLaXNfcGVyc29uYWwYBiABKAhiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_tenancy_organization_v1_enum, file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.tenancy.organization.v1.OrganizationSpec.
  * Use `create(OrganizationSpecSchema)` to create a new message.