@stigmer/protos 0.0.39 → 0.0.41

package/ai/stigmer/commons/apiresource/io_pb.js

@@ -3,12 +3,13 @@
 /* eslint-disable */
 import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_kind } from "./apiresourcekind/api_resource_kind_pb";
+import { file_ai_stigmer_commons_apiresource_enum } from "./enum_pb";
 import { file_ai_stigmer_commons_rpc_pagination } from "../rpc/pagination_pb";
 import { file_buf_validate_validate } from "../../../../buf/validate/validate_pb";
 /**
  * Describes the file ai/stigmer/commons/apiresource/io.proto.
  */
-export const file_ai_stigmer_commons_apiresource_io = /*@__PURE__*/ fileDesc("CidhaS9zdGlnbWVyL2NvbW1vbnMvYXBpcmVzb3VyY2UvaW8ucHJvdG8SHmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZSImCg1BcGlSZXNvdXJjZUlkEhUKBXZhbHVlGAEgASgJQga6SAPIAQEiXQoWQXBpUmVzb3VyY2VEZWxldGVJbnB1dBIbCgtyZXNvdXJjZV9pZBgBIAEoCUIGukgDyAEBEhcKD3ZlcnNpb25fbWVzc2FnZRgCIAEoCRINCgVmb3JjZRgDIAEoCCJKCh1BcGlSZXNvdXJjZUJ5T3JnQnlTbHVnUmVxdWVzdBITCgNvcmcYASABKAlCBrpIA8gBARIUCgRzbHVnGAIgASgJQga6SAPIAQEilAEKF0ZpbmRBcGlSZXNvdXJjZXNSZXF1ZXN0EhMKA29yZxgBIAEoCUIGukgDyAEBEgwKBGtpbmQYAyABKAkSLgoEcGFnZRgEIAEoCzIgLmFpLnN0aWdtZXIuY29tbW9ucy5ycGMuUGFnZUluZm8SEwoLcGFnZV9udW1iZXIYBSABKAUSEQoJcGFnZV9zaXplGAYgASgFIoYCChRBcGlSZXNvdXJjZVJlZmVyZW5jZRIqCgNvcmcYASABKAlCHbpIGnIYGD8yFF4kfF5bYS16XVthLXowLTktXSokEk0KBGtpbmQYAiABKA4yPy5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuYXBpcmVzb3VyY2VraW5kLkFwaVJlc291cmNlS2luZBItCgRzbHVnGAMgASgJQh+6SBzIAQFyFxABGD8yEV5bYS16XVthLXowLTktXSokEkQKB3ZlcnNpb24YBCABKAlCM7pIMHIuMixeJHxebGF0ZXN0JHxeW2EtekEtWjAtOS5fLV0rJHxeW2EtZjAtOV17NjR9JGIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_kind, file_ai_stigmer_commons_rpc_pagination, file_buf_validate_validate]);
+export const file_ai_stigmer_commons_apiresource_io = /*@__PURE__*/ fileDesc("CidhaS9zdGlnbWVyL2NvbW1vbnMvYXBpcmVzb3VyY2UvaW8ucHJvdG8SHmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZSImCg1BcGlSZXNvdXJjZUlkEhUKBXZhbHVlGAEgASgJQga6SAPIAQEiXQoWQXBpUmVzb3VyY2VEZWxldGVJbnB1dBIbCgtyZXNvdXJjZV9pZBgBIAEoCUIGukgDyAEBEhcKD3ZlcnNpb25fbWVzc2FnZRgCIAEoCRINCgVmb3JjZRgDIAEoCCJKCh1BcGlSZXNvdXJjZUJ5T3JnQnlTbHVnUmVxdWVzdBITCgNvcmcYASABKAlCBrpIA8gBARIUCgRzbHVnGAIgASgJQga6SAPIAQEilAEKF0ZpbmRBcGlSZXNvdXJjZXNSZXF1ZXN0EhMKA29yZxgBIAEoCUIGukgDyAEBEgwKBGtpbmQYAyABKAkSLgoEcGFnZRgEIAEoCzIgLmFpLnN0aWdtZXIuY29tbW9ucy5ycGMuUGFnZUluZm8SEwoLcGFnZV9udW1iZXIYBSABKAUSEQoJcGFnZV9zaXplGAYgASgFIosBChVVcGRhdGVWaXNpYmlsaXR5SW5wdXQSGwoLcmVzb3VyY2VfaWQYASABKAlCBrpIA8gBARJVCgp2aXNpYmlsaXR5GAIgASgOMjUuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlVmlzaWJpbGl0eUIKukgHggEEEAEgACKGAgoUQXBpUmVzb3VyY2VSZWZlcmVuY2USKgoDb3JnGAEgASgJQh26SBpyGBg/MhReJHxeW2Etel1bYS16MC05LV0qJBJNCgRraW5kGAIgASgOMj8uYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLmFwaXJlc291cmNla2luZC5BcGlSZXNvdXJjZUtpbmQSLQoEc2x1ZxgDIAEoCUIfukgcyAEBchcQARg/MhFeW2Etel1bYS16MC05LV0qJBJECgd2ZXJzaW9uGAQgASgJQjO6SDByLjIsXiR8XmxhdGVzdCR8XlthLXpBLVowLTkuXy1dKyR8XlthLWYwLTldezY0fSRiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_kind, file_ai_stigmer_commons_apiresource_enum, file_ai_stigmer_commons_rpc_pagination, file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.commons.apiresource.ApiResourceId.
  * Use `create(ApiResourceIdSchema)` to create a new message.
@@ -29,9 +30,14 @@ export const ApiResourceByOrgBySlugRequestSchema = /*@__PURE__*/ messageDesc(fil
  * Use `create(FindApiResourcesRequestSchema)` to create a new message.
  */
 export const FindApiResourcesRequestSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_commons_apiresource_io, 3);
+/**
+ * Describes the message ai.stigmer.commons.apiresource.UpdateVisibilityInput.
+ * Use `create(UpdateVisibilityInputSchema)` to create a new message.
+ */
+export const UpdateVisibilityInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_commons_apiresource_io, 4);
 /**
  * Describes the message ai.stigmer.commons.apiresource.ApiResourceReference.
  * Use `create(ApiResourceReferenceSchema)` to create a new message.
  */
-export const ApiResourceReferenceSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_commons_apiresource_io, 4);
+export const ApiResourceReferenceSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_commons_apiresource_io, 5);
 //# sourceMappingURL=io_pb.js.map

package/ai/stigmer/commons/apiresource/io_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../ai/stigmer/commons/apiresource/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,uHAAuH;AACvH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,qEAAqE,EAAE,MAAM,wCAAwC,CAAC;AAE/H,OAAO,EAAE,sCAAsC,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,0BAA0B,EAAE,MAAM,sCAAsC,CAAC;AAGlF;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,k7BAAk7B,EAAE,CAAC,qEAAqE,EAAE,sCAAsC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAc5kC;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAA8B,aAAa,CACzE,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AA+BzD;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAuC,aAAa,CAC3F,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAuBzD;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAA8C,aAAa,CACzG,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AA4CzD;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAiEzD;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../ai/stigmer/commons/apiresource/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,uHAAuH;AACvH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,qEAAqE,EAAE,MAAM,wCAAwC,CAAC;AAE/H,OAAO,EAAE,wCAAwC,EAAE,MAAM,WAAW,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,sBAAsB,CAAC;AAC9E,OAAO,EAAE,0BAA0B,EAAE,MAAM,sCAAsC,CAAC;AAGlF;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,gnCAAgnC,EAAE,CAAC,qEAAqE,EAAE,wCAAwC,EAAE,sCAAsC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAcpzC;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAA8B,aAAa,CACzE,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AA+BzD;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAuC,aAAa,CAC3F,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAuBzD;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAA8C,aAAa,CACzG,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AA4CzD;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAgCzD;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAsC,aAAa,CACzF,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAiEzD;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/apikey/v1/query_connect.d.ts

@@ -20,9 +20,6 @@ export declare const ApiKeyQueryController: {
         /**
          * lookup api-key by hashed key
          *
-         * Authorization is handled in the handler after loading the resource
-         * (input doesn't contain API key ID, so proto-level auth cannot work)
-         *
          * @generated from rpc ai.stigmer.iam.apikey.v1.ApiKeyQueryController.getByKeyHash
          */
         readonly getByKeyHash: {

package/ai/stigmer/iam/apikey/v1/query_connect.js

@@ -25,9 +25,6 @@ export const ApiKeyQueryController = {
         /**
          * lookup api-key by hashed key
          *
-         * Authorization is handled in the handler after loading the resource
-         * (input doesn't contain API key ID, so proto-level auth cannot work)
-         *
          * @generated from rpc ai.stigmer.iam.apikey.v1.ApiKeyQueryController.getByKeyHash
          */
         getByKeyHash: {

package/ai/stigmer/iam/apikey/v1/query_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/apikey/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,8GAA8G;AAC9G,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,QAAQ,EAAE,gDAAgD;IAC1D,OAAO,EAAE;QACP;;;;WAIG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,QAAQ;YACX,CAAC,EAAE,MAAM;YACT,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,YAAY,EAAE;YACZ,IAAI,EAAE,cAAc;YACpB,CAAC,EAAE,UAAU;YACb,CAAC,EAAE,MAAM;YACT,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;WAIG;QACH,OAAO,EAAE;YACP,IAAI,EAAE,SAAS;YACf,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,OAAO;YACV,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/apikey/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,8GAA8G;AAC9G,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,QAAQ,EAAE,gDAAgD;IAC1D,OAAO,EAAE;QACP;;;;WAIG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,QAAQ;YACX,CAAC,EAAE,MAAM;YACT,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;WAIG;QACH,YAAY,EAAE;YACZ,IAAI,EAAE,cAAc;YACpB,CAAC,EAAE,UAAU;YACb,CAAC,EAAE,MAAM;YACT,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;WAIG;QACH,OAAO,EAAE;YACP,IAAI,EAAE,SAAS;YACf,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,OAAO;YACV,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/apikey/v1/query_pb.d.ts

@@ -25,9 +25,6 @@ export declare const ApiKeyQueryController: GenService<{
     /**
      * lookup api-key by hashed key
      *
-     * Authorization is handled in the handler after loading the resource
-     * (input doesn't contain API key ID, so proto-level auth cannot work)
-     *
      * @generated from rpc ai.stigmer.iam.apikey.v1.ApiKeyQueryController.getByKeyHash
      */
     getByKeyHash: {

package/ai/stigmer/iam/apikey/v1/query_pb.js

@@ -10,7 +10,7 @@ import { file_google_protobuf_empty } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/apikey/v1/query.proto.
  */
-export const file_ai_stigmer_iam_apikey_v1_query = /*@__PURE__*/ fileDesc("CiRhaS9zdGlnbWVyL2lhbS9hcGlrZXkvdjEvcXVlcnkucHJvdG8SGGFpLnN0aWdtZXIuaWFtLmFwaWtleS52MTK/AgoVQXBpS2V5UXVlcnlDb250cm9sbGVyEnoKA2dldBIiLmFpLnN0aWdtZXIuaWFtLmFwaWtleS52MS5BcGlLZXlJZBogLmFpLnN0aWdtZXIuaWFtLmFwaWtleS52MS5BcGlLZXkiLcK4GCkIAxAMIgV2YWx1ZSocdW5hdXRob3JpemVkIHRvIHZpZXcgYXBpIGtleRJYCgxnZXRCeUtleUhhc2gSJC5haS5zdGlnbWVyLmlhbS5hcGlrZXkudjEuQXBpS2V5SGFzaBogLmFpLnN0aWdtZXIuaWFtLmFwaWtleS52MS5BcGlLZXkiABJKCgdmaW5kQWxsEhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5GiEuYWkuc3RpZ21lci5pYW0uYXBpa2V5LnYxLkFwaUtleXMiBNC4GAEaBKD/KwxiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_apikey_v1_api, file_ai_stigmer_iam_apikey_v1_io, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_google_protobuf_empty]);
+export const file_ai_stigmer_iam_apikey_v1_query = /*@__PURE__*/ fileDesc("CiRhaS9zdGlnbWVyL2lhbS9hcGlrZXkvdjEvcXVlcnkucHJvdG8SGGFpLnN0aWdtZXIuaWFtLmFwaWtleS52MTLDAgoVQXBpS2V5UXVlcnlDb250cm9sbGVyEnoKA2dldBIiLmFpLnN0aWdtZXIuaWFtLmFwaWtleS52MS5BcGlLZXlJZBogLmFpLnN0aWdtZXIuaWFtLmFwaWtleS52MS5BcGlLZXkiLcK4GCkIAxAMIgV2YWx1ZSocdW5hdXRob3JpemVkIHRvIHZpZXcgYXBpIGtleRJcCgxnZXRCeUtleUhhc2gSJC5haS5zdGlnbWVyLmlhbS5hcGlrZXkudjEuQXBpS2V5SGFzaBogLmFpLnN0aWdtZXIuaWFtLmFwaWtleS52MS5BcGlLZXkiBNC4GAESSgoHZmluZEFsbBIWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eRohLmFpLnN0aWdtZXIuaWFtLmFwaWtleS52MS5BcGlLZXlzIgTQuBgBGgSg/ysMYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_apikey_v1_api, file_ai_stigmer_iam_apikey_v1_io, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_google_protobuf_empty]);
 /**
  * api-key query controller
  *

package/ai/stigmer/iam/apikey/v1/query_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/apikey/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,8GAA8G;AAC9G,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,iCAAiC,EAAE,MAAM,UAAU,CAAC;AAE7D,OAAO,EAAE,gCAAgC,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAAY,aAAa,CACvE,QAAQ,CAAC,ghBAAghB,EAAE,CAAC,uDAAuD,EAAE,iCAAiC,EAAE,gCAAgC,EAAE,gEAAgE,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAE3vB;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAkC7B,aAAa,CAChB,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/apikey/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,8GAA8G;AAC9G,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,iCAAiC,EAAE,MAAM,UAAU,CAAC;AAE7D,OAAO,EAAE,gCAAgC,EAAE,MAAM,SAAS,CAAC;AAC3D,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAAY,aAAa,CACvE,QAAQ,CAAC,qhBAAqhB,EAAE,CAAC,uDAAuD,EAAE,iCAAiC,EAAE,gCAAgC,EAAE,gEAAgE,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEhwB;;;;GAIG;AACH,MAAM,CAAC,MAAM,qBAAqB,GA+B7B,aAAa,CAChB,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/command_connect.d.ts

@@ -95,63 +95,21 @@ export declare const IamPolicyCommandController: {
             readonly kind: any;
         };
         /**
-         * Create platform link policy (operator-only)
-         *
-         * Creates a platform link policy that associates an identity account with the platform.
-         * This is a privileged operation that can only be called by platform operators.
-         *
-         * The operation:
-         * 1. Validates that caller has operator permission on platform:stigmer
-         * 2. Validates the input is a platform link (principal=platform, relation=platform)
-         * 3. Checks for duplicates (idempotent if already exists)
-         * 4. Creates the policy in the database with auto-generated ID and metadata
-         * 5. Writes the corresponding tuple to OpenFGA
-         *
-         * Authorization:
-         * - Caller must have 'operator' permission on platform:stigmer
-         * - This is typically only granted to machine accounts (service-to-service)
-         *
-         * Use Cases:
-         * - Bootstrapping new identity accounts
-         * - Initial permission setup when standard authorization cannot work yet
-         * - Establishing platform-level relationships for new resources
-         *
-         * Example:
-         * Input:
-         *   principal: {kind: "platform", id: "stigmer"}
-         *   resource: {kind: "identity_account", id: "ida-alice-123"}
-         *   relation: "platform"
-         * Result:
-         *   Created IamPolicy linking the identity account to the platform
-         *   Machine accounts with operator permission can now manage this account
-         *
-         * Input: IamPolicySpec with principal=platform:stigmer, relation=platform, resource=identity_account:{id}
-         * Output: The created IamPolicy with generated ID and metadata
-         *
-         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.createPlatformLink
-         */
-        readonly createPlatformLink: {
-            readonly name: "createPlatformLink";
-            readonly I: any;
-            readonly O: any;
-            readonly kind: any;
-        };
-        /**
-         * Bootstrap IAM policy during resource creation (operator-only)
+         * Bootstrap IAM policy during resource creation
          *
          * Creates IAM policies during resource creation when standard authorization cannot work yet
          * because no tuples exist. This solves the chicken-and-egg problem where creating the first
          * policy for a resource requires authorization, but authorization requires that first policy.
          *
          * The operation:
-         * 1. Validates that caller has operator permission on platform:stigmer
+         * 1. Validates that caller has can_bootstrap_iam permission on platform:stigmer
          * 2. Validates the input (principal, resource, relation are all valid)
          * 3. Checks for duplicates (skips if the exact policy already exists, idempotent)
          * 4. Creates the policy in the database with auto-generated ID and metadata
          * 5. Writes the corresponding tuple to OpenFGA (where authorization is enforced)
          *
          * Authorization:
-         * - Caller must have 'operator' permission on platform:stigmer
+         * - Caller must have 'can_bootstrap_iam' permission on platform:stigmer
          * - This is typically only called by resource creation handlers running as machine accounts
          *
          * Use Cases:
@@ -183,7 +141,7 @@ export declare const IamPolicyCommandController: {
             readonly kind: any;
         };
         /**
-         * Cleanup all IAM policies for a deleted resource (operator-only)
+         * Cleanup all IAM policies for a deleted resource
          *
          * This is a system-level cleanup operation that removes all IAM policies
          * associated with a deleted resource. It performs bidirectional cleanup:
@@ -191,14 +149,14 @@ export declare const IamPolicyCommandController: {
          * 2. Policies where resource is the PRINCIPAL (policies where this resource HAS access)
          *
          * The operation:
-         * 1. Validates operator permission on platform:stigmer
+         * 1. Validates can_bootstrap_iam permission on platform:stigmer
          * 2. Finds all policies where resource_id appears (as principal OR resource)
          * 3. Deletes all matching policies from MongoDB
          * 4. Removes all corresponding tuples from OpenFGA
          * 5. Returns Empty (idempotent if no policies exist)
          *
          * Authorization:
-         * - Caller must have 'operator' permission on platform:stigmer
+         * - Caller must have 'can_bootstrap_iam' permission on platform:stigmer
          * - This is typically only granted to platform services
          *
          * Use Cases:

package/ai/stigmer/iam/iampolicy/v1/command_connect.js

@@ -100,63 +100,21 @@ export const IamPolicyCommandController = {
             kind: MethodKind.Unary,
         },
         /**
-         * Create platform link policy (operator-only)
-         *
-         * Creates a platform link policy that associates an identity account with the platform.
-         * This is a privileged operation that can only be called by platform operators.
-         *
-         * The operation:
-         * 1. Validates that caller has operator permission on platform:stigmer
-         * 2. Validates the input is a platform link (principal=platform, relation=platform)
-         * 3. Checks for duplicates (idempotent if already exists)
-         * 4. Creates the policy in the database with auto-generated ID and metadata
-         * 5. Writes the corresponding tuple to OpenFGA
-         *
-         * Authorization:
-         * - Caller must have 'operator' permission on platform:stigmer
-         * - This is typically only granted to machine accounts (service-to-service)
-         *
-         * Use Cases:
-         * - Bootstrapping new identity accounts
-         * - Initial permission setup when standard authorization cannot work yet
-         * - Establishing platform-level relationships for new resources
-         *
-         * Example:
-         * Input:
-         *   principal: {kind: "platform", id: "stigmer"}
-         *   resource: {kind: "identity_account", id: "ida-alice-123"}
-         *   relation: "platform"
-         * Result:
-         *   Created IamPolicy linking the identity account to the platform
-         *   Machine accounts with operator permission can now manage this account
-         *
-         * Input: IamPolicySpec with principal=platform:stigmer, relation=platform, resource=identity_account:{id}
-         * Output: The created IamPolicy with generated ID and metadata
-         *
-         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.createPlatformLink
-         */
-        createPlatformLink: {
-            name: "createPlatformLink",
-            I: IamPolicySpec,
-            O: IamPolicy,
-            kind: MethodKind.Unary,
-        },
-        /**
-         * Bootstrap IAM policy during resource creation (operator-only)
+         * Bootstrap IAM policy during resource creation
          *
          * Creates IAM policies during resource creation when standard authorization cannot work yet
          * because no tuples exist. This solves the chicken-and-egg problem where creating the first
          * policy for a resource requires authorization, but authorization requires that first policy.
          *
          * The operation:
-         * 1. Validates that caller has operator permission on platform:stigmer
+         * 1. Validates that caller has can_bootstrap_iam permission on platform:stigmer
          * 2. Validates the input (principal, resource, relation are all valid)
          * 3. Checks for duplicates (skips if the exact policy already exists, idempotent)
          * 4. Creates the policy in the database with auto-generated ID and metadata
          * 5. Writes the corresponding tuple to OpenFGA (where authorization is enforced)
          *
          * Authorization:
-         * - Caller must have 'operator' permission on platform:stigmer
+         * - Caller must have 'can_bootstrap_iam' permission on platform:stigmer
          * - This is typically only called by resource creation handlers running as machine accounts
          *
          * Use Cases:
@@ -188,7 +146,7 @@ export const IamPolicyCommandController = {
             kind: MethodKind.Unary,
         },
         /**
-         * Cleanup all IAM policies for a deleted resource (operator-only)
+         * Cleanup all IAM policies for a deleted resource
          *
          * This is a system-level cleanup operation that removes all IAM policies
          * associated with a deleted resource. It performs bidirectional cleanup:
@@ -196,14 +154,14 @@ export const IamPolicyCommandController = {
          * 2. Policies where resource is the PRINCIPAL (policies where this resource HAS access)
          *
          * The operation:
-         * 1. Validates operator permission on platform:stigmer
+         * 1. Validates can_bootstrap_iam permission on platform:stigmer
          * 2. Finds all policies where resource_id appears (as principal OR resource)
          * 3. Deletes all matching policies from MongoDB
          * 4. Removes all corresponding tuples from OpenFGA
          * 5. Returns Empty (idempotent if no policies exist)
          *
          * Authorization:
-         * - Caller must have 'operator' permission on platform:stigmer
+         * - Caller must have 'can_bootstrap_iam' permission on platform:stigmer
          * - This is typically only granted to platform services
          *
          * Use Cases:

package/ai/stigmer/iam/iampolicy/v1/command_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,sHAAsH;AACtH,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,QAAQ,EAAE,wDAAwD;IAClE,OAAO,EAAE;QACP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA6BG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA+BG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAmCG;QACH,kBAAkB,EAAE;YAClB,IAAI,EAAE,oBAAoB;YAC1B,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAuCG;QACH,eAAe,EAAE;YACf,IAAI,EAAE,iBAAiB;YACvB,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAgCG;QACH,uBAAuB,EAAE;YACvB,IAAI,EAAE,yBAAyB;YAC/B,CAAC,EAAE,cAAc;YACjB,CAAC,EAAE,KAAK;YACR,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,sHAAsH;AACtH,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,QAAQ,EAAE,wDAAwD;IAClE,OAAO,EAAE;QACP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA6BG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA+BG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAuCG;QACH,eAAe,EAAE;YACf,IAAI,EAAE,iBAAiB;YACvB,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAgCG;QACH,uBAAuB,EAAE;YACvB,IAAI,EAAE,yBAAyB;YAC/B,CAAC,EAAE,cAAc;YACjB,CAAC,EAAE,KAAK;YACR,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/command_pb.d.ts

@@ -99,62 +99,21 @@ export declare const IamPolicyCommandController: GenService<{
         output: typeof IamPolicySchema;
     };
     /**
-     * Create platform link policy (operator-only)
-     *
-     * Creates a platform link policy that associates an identity account with the platform.
-     * This is a privileged operation that can only be called by platform operators.
-     *
-     * The operation:
-     * 1. Validates that caller has operator permission on platform:stigmer
-     * 2. Validates the input is a platform link (principal=platform, relation=platform)
-     * 3. Checks for duplicates (idempotent if already exists)
-     * 4. Creates the policy in the database with auto-generated ID and metadata
-     * 5. Writes the corresponding tuple to OpenFGA
-     *
-     * Authorization:
-     * - Caller must have 'operator' permission on platform:stigmer
-     * - This is typically only granted to machine accounts (service-to-service)
-     *
-     * Use Cases:
-     * - Bootstrapping new identity accounts
-     * - Initial permission setup when standard authorization cannot work yet
-     * - Establishing platform-level relationships for new resources
-     *
-     * Example:
-     * Input:
-     *   principal: {kind: "platform", id: "stigmer"}
-     *   resource: {kind: "identity_account", id: "ida-alice-123"}
-     *   relation: "platform"
-     * Result:
-     *   Created IamPolicy linking the identity account to the platform
-     *   Machine accounts with operator permission can now manage this account
-     *
-     * Input: IamPolicySpec with principal=platform:stigmer, relation=platform, resource=identity_account:{id}
-     * Output: The created IamPolicy with generated ID and metadata
-     *
-     * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.createPlatformLink
-     */
-    createPlatformLink: {
-        methodKind: "unary";
-        input: typeof IamPolicySpecSchema;
-        output: typeof IamPolicySchema;
-    };
-    /**
-     * Bootstrap IAM policy during resource creation (operator-only)
+     * Bootstrap IAM policy during resource creation
      *
      * Creates IAM policies during resource creation when standard authorization cannot work yet
      * because no tuples exist. This solves the chicken-and-egg problem where creating the first
      * policy for a resource requires authorization, but authorization requires that first policy.
      *
      * The operation:
-     * 1. Validates that caller has operator permission on platform:stigmer
+     * 1. Validates that caller has can_bootstrap_iam permission on platform:stigmer
      * 2. Validates the input (principal, resource, relation are all valid)
      * 3. Checks for duplicates (skips if the exact policy already exists, idempotent)
      * 4. Creates the policy in the database with auto-generated ID and metadata
      * 5. Writes the corresponding tuple to OpenFGA (where authorization is enforced)
      *
      * Authorization:
-     * - Caller must have 'operator' permission on platform:stigmer
+     * - Caller must have 'can_bootstrap_iam' permission on platform:stigmer
      * - This is typically only called by resource creation handlers running as machine accounts
      *
      * Use Cases:
@@ -185,7 +144,7 @@ export declare const IamPolicyCommandController: GenService<{
         output: typeof IamPolicySchema;
     };
     /**
-     * Cleanup all IAM policies for a deleted resource (operator-only)
+     * Cleanup all IAM policies for a deleted resource
      *
      * This is a system-level cleanup operation that removes all IAM policies
      * associated with a deleted resource. It performs bidirectional cleanup:
@@ -193,14 +152,14 @@ export declare const IamPolicyCommandController: GenService<{
      * 2. Policies where resource is the PRINCIPAL (policies where this resource HAS access)
      *
      * The operation:
-     * 1. Validates operator permission on platform:stigmer
+     * 1. Validates can_bootstrap_iam permission on platform:stigmer
      * 2. Finds all policies where resource_id appears (as principal OR resource)
      * 3. Deletes all matching policies from MongoDB
      * 4. Removes all corresponding tuples from OpenFGA
      * 5. Returns Empty (idempotent if no policies exist)
      *
      * Authorization:
-     * - Caller must have 'operator' permission on platform:stigmer
+     * - Caller must have 'can_bootstrap_iam' permission on platform:stigmer
      * - This is typically only granted to platform services
      *
      * Use Cases:

package/ai/stigmer/iam/iampolicy/v1/command_pb.js

@@ -10,7 +10,7 @@ import { file_google_protobuf_empty } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/iampolicy/v1/command.proto.
  */
-export const file_ai_stigmer_iam_iampolicy_v1_command = /*@__PURE__*/ fileDesc("CilhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvY29tbWFuZC5wcm90bxIbYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxMuoGChpJYW1Qb2xpY3lDb21tYW5kQ29udHJvbGxlchKCAQoGY3JlYXRlEiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IiTCuBggCAgqHHVuYXV0aG9yaXplZCB0byBncmFudCBhY2Nlc3MSgwEKBmRlbGV0ZRIqLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5JYW1Qb2xpY3lTcGVjGiYuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeSIlwrgYIQgIKh11bmF1dGhvcml6ZWQgdG8gcmV2b2tlIGFjY2VzcxLAAQoSY3JlYXRlUGxhdGZvcm1MaW5rEiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IlbCuBhSCAUQHypDdW5hdXRob3JpemVkIHRvIGNyZWF0ZSBwbGF0Zm9ybSBsaW5rIC0gb3BlcmF0b3IgcGVybWlzc2lvbiByZXF1aXJlZDIHc3RpZ21lchK5AQoPYm9vdHN0cmFwUG9saWN5EiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IlLCuBhOCAUQHyo/dW5hdXRob3JpemVkIHRvIGJvb3RzdHJhcCBwb2xpY3kgLSBvcGVyYXRvciBwZXJtaXNzaW9uIHJlcXVpcmVkMgdzdGlnbWVyErsBChdjbGVhbnVwUmVzb3VyY2VQb2xpY2llcxIrLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5BcGlSZXNvdXJjZVJlZhoWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eSJbwrgYVwgFEB8qSHVuYXV0aG9yaXplZCB0byBjbGVhbnVwIHJlc291cmNlIHBvbGljaWVzIC0gb3BlcmF0b3IgcGVybWlzc2lvbiByZXF1aXJlZDIHc3RpZ21lchoEoP8rCmIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_iampolicy_v1_spec, file_google_protobuf_empty]);
+export const file_ai_stigmer_iam_iampolicy_v1_command = /*@__PURE__*/ fileDesc("CilhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvY29tbWFuZC5wcm90bxIbYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxMrkFChpJYW1Qb2xpY3lDb21tYW5kQ29udHJvbGxlchKCAQoGY3JlYXRlEiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IiTCuBggCAgqHHVuYXV0aG9yaXplZCB0byBncmFudCBhY2Nlc3MSgwEKBmRlbGV0ZRIqLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5JYW1Qb2xpY3lTcGVjGiYuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeSIlwrgYIQgIKh11bmF1dGhvcml6ZWQgdG8gcmV2b2tlIGFjY2VzcxLCAQoPYm9vdHN0cmFwUG9saWN5EiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IlvCuBhXCB0QHypIdW5hdXRob3JpemVkIHRvIGJvb3RzdHJhcCBwb2xpY3kgLSBjYW5fYm9vdHN0cmFwX2lhbSBwZXJtaXNzaW9uIHJlcXVpcmVkMgdzdGlnbWVyEsQBChdjbGVhbnVwUmVzb3VyY2VQb2xpY2llcxIrLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5BcGlSZXNvdXJjZVJlZhoWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eSJkwrgYYAgdEB8qUXVuYXV0aG9yaXplZCB0byBjbGVhbnVwIHJlc291cmNlIHBvbGljaWVzIC0gY2FuX2Jvb3RzdHJhcF9pYW0gcGVybWlzc2lvbiByZXF1aXJlZDIHc3RpZ21lchoEoP8rCmIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_iampolicy_v1_spec, file_google_protobuf_empty]);
 /**
  * IAM Policy Command Controller
  *

package/ai/stigmer/iam/iampolicy/v1/command_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,sHAAsH;AACtH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,oCAAoC,EAAE,MAAM,UAAU,CAAC;AAChE,OAAO,EAAE,gEAAgE,EAAE,MAAM,sCAAsC,CAAC;AAExH,OAAO,EAAE,qCAAqC,EAAE,MAAM,WAAW,CAAC;AAElE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,wCAAwC,GAAY,aAAa,CAC5E,QAAQ,CAAC,8vCAA8vC,EAAE,CAAC,uDAAuD,EAAE,oCAAoC,EAAE,gEAAgE,EAAE,qCAAqC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEj/C;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAqMlC,aAAa,CAChB,WAAW,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,sHAAsH;AACtH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,oCAAoC,EAAE,MAAM,UAAU,CAAC;AAChE,OAAO,EAAE,gEAAgE,EAAE,MAAM,sCAAsC,CAAC;AAExH,OAAO,EAAE,qCAAqC,EAAE,MAAM,WAAW,CAAC;AAElE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,wCAAwC,GAAY,aAAa,CAC5E,QAAQ,CAAC,khCAAkhC,EAAE,CAAC,uDAAuD,EAAE,oCAAoC,EAAE,gEAAgE,EAAE,qCAAqC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAErwC;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,0BAA0B,GA4JlC,aAAa,CAChB,WAAW,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/rpcauthorization/iam_permission_pb.d.ts

@@ -4,8 +4,10 @@ import type { GenEnum, GenFile } from "@bufbuild/protobuf/codegenv1";
  */
 export declare const file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_iam_permission: GenFile;
 /**
- * ApiResourceIamPermission defines the core permissions used in the authorization model.
- * This is a simplified set for a demo project, containing only essential permissions.
+ * ApiResourceIamPermission defines the permissions and structural relations
+ * used in the Stigmer authorization model. Each value maps to an FGA relation
+ * name that appears either in RPC authorization annotations or in FGA tuple
+ * creation logic.
  *
  * @generated from enum ai.stigmer.iam.iampolicy.v1.rpcauthorization.ApiResourceIamPermission
  */
@@ -35,143 +37,115 @@ export declare enum ApiResourceIamPermission {
     /**
      * Platform-level permissions
      *
-     * Platform operator with elevated privileges
-     *
-     * @generated from enum value: operator = 5;
-     */
-    operator = 5,
-    /**
-     * Platform-level access
-     *
-     * @generated from enum value: platform = 6;
-     */
-    platform = 6,
-    /**
-     * Permission to login to back office
-     *
      * @generated from enum value: login_to_back_office = 7;
      */
     login_to_back_office = 7,
     /**
-     * IAM policy management permissions (follows can_* pattern)
-     *
-     * Permission to grant/revoke access (create/delete IAM policies)
+     * IAM policy management permissions
      *
      * @generated from enum value: can_grant_access = 8;
      */
     can_grant_access = 8,
     /**
-     * Permission to view who has access (view IAM policies)
-     *
      * @generated from enum value: can_view_access = 9;
      */
     can_view_access = 9,
     /**
      * Resource ownership and membership
      *
-     * Resource owner
-     *
      * @generated from enum value: owner = 10;
      */
     owner = 10,
     /**
-     * Resource member (for teams, organizations)
-     *
      * @generated from enum value: member = 11;
      */
     member = 11,
+    /**
+     * @generated from enum value: viewer = 26;
+     */
+    viewer = 26,
     /**
      * Structural relations (parent links)
      *
-     * Link to identity account (user-scoped parent)
-     *
      * @generated from enum value: identity_account = 12;
      */
     identity_account = 12,
     /**
-     * Link to organization (org-scoped parent)
-     *
      * @generated from enum value: organization = 13;
      */
     organization = 13,
     /**
-     * Link to session (agent execution parent)
-     *
      * @generated from enum value: session = 14;
      */
     session = 14,
     /**
-     * Link to agent (agent instance parent)
-     *
      * @generated from enum value: agent = 15;
      */
     agent = 15,
     /**
      * Resource-specific creation permissions
      *
-     * Permission to create agents in an organization
-     *
      * @generated from enum value: can_create_agent = 16;
      */
     can_create_agent = 16,
     /**
-     * Permission to create workflows in an organization
-     *
      * @generated from enum value: can_create_workflow = 17;
      */
     can_create_workflow = 17,
     /**
-     * Permission to create sessions in an organization
-     *
      * @generated from enum value: can_create_session = 18;
      */
     can_create_session = 18,
     /**
-     * Permission to create agent executions in a session
-     *
      * @generated from enum value: can_create_execution_in = 19;
      */
     can_create_execution_in = 19,
     /**
-     * Permission to create agent instances (derived from can_execute on parent agent)
-     *
      * @generated from enum value: can_create_instance = 20;
      */
     can_create_instance = 20,
     /**
-     * Permission to create skills in an organization
-     *
      * @generated from enum value: can_create_skill = 21;
      */
     can_create_skill = 21,
     /**
-     * Permission to create projects in an organization
-     *
      * @generated from enum value: can_create_project = 23;
      */
     can_create_project = 23,
     /**
-     * Permission to create identity providers in an organization
-     *
      * @generated from enum value: can_create_idp = 24;
      */
     can_create_idp = 24,
+    /**
+     * @generated from enum value: can_create_environment = 27;
+     */
+    can_create_environment = 27,
     /**
      * Resource-specific operation permissions
      *
-     * Permission to execute agent/session operations
-     *
      * @generated from enum value: can_execute = 22;
      */
     can_execute = 22,
     /**
      * Secret access permissions
      *
-     * Permission to read unredacted secret values (creator-only)
-     *
      * @generated from enum value: can_read_secrets = 25;
      */
-    can_read_secrets = 25
+    can_read_secrets = 25,
+    /**
+     * Platform-level operational permissions (checked against platform:stigmer)
+     *
+     * @generated from enum value: can_bootstrap_iam = 29;
+     */
+    can_bootstrap_iam = 29,
+    /**
+     * @generated from enum value: can_manage_identity_accounts = 30;
+     */
+    can_manage_identity_accounts = 30,
+    /**
+     * @generated from enum value: can_update_execution_status = 31;
+     */
+    can_update_execution_status = 31
 }
 /**
  * Describes the enum ai.stigmer.iam.iampolicy.v1.rpcauthorization.ApiResourceIamPermission.