@stigmer/protos 0.0.72 → 0.0.73

package/ai/stigmer/iam/iampolicy/v1/command_pb.d.ts

@@ -1,5 +1,6 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { IamPolicySchema } from "./api_pb";
+import type { RevokeOrgAccessInputSchema } from "./io_pb";
 import type { ApiResourceRefSchema, IamPolicySpecSchema } from "./spec_pb";
 import type { EmptySchema } from "@bufbuild/protobuf/wkt";
 /**
@@ -188,4 +189,36 @@ export declare const IamPolicyCommandController: GenService<{
         input: typeof ApiResourceRefSchema;
         output: typeof EmptySchema;
     };
+    /**
+     * Revoke all of a user's access to an organization.
+     *
+     * Removes every IAM policy that grants the specified identity account access to
+     * resources within the given organization, including policies on the organization
+     * itself and on child resources (environments, agents, etc.).
+     *
+     * @internal
+     * The operation:
+     * 1. Validates the input (identity_account_id and organization_id are present)
+     * 2. Authorizes caller (can_grant_access on the organization)
+     * 3. Loads all policies where the user is principal within the org scope
+     * 4. Deletes all matching policies from MongoDB
+     * 5. Removes all corresponding tuples from OpenFGA
+     *
+     * Authorization:
+     * - Caller must have 'can_grant_access' permission on the organization
+     *
+     * Use Cases:
+     * - Removing a member from an organization
+     * - Offboarding a user from all org resources in one operation
+     *
+     * Input: RevokeOrgAccessInput with identity_account_id and organization_id
+     * Output: Empty (google.protobuf.Empty)
+     *
+     * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyCommandController.revokeOrgAccess
+     */
+    revokeOrgAccess: {
+        methodKind: "unary";
+        input: typeof RevokeOrgAccessInputSchema;
+        output: typeof EmptySchema;
+    };
 }>;

package/ai/stigmer/iam/iampolicy/v1/command_pb.js

@@ -3,14 +3,15 @@
 /* eslint-disable */
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_iampolicy_v1_api } from "./api_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "./rpcauthorization/method_options_pb";
+import { file_ai_stigmer_iam_iampolicy_v1_io } from "./io_pb";
 import { file_ai_stigmer_iam_iampolicy_v1_spec } from "./spec_pb";
 import { file_google_protobuf_empty } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/iampolicy/v1/command.proto.
  */
-export const file_ai_stigmer_iam_iampolicy_v1_command = /*@__PURE__*/ fileDesc("CilhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvY29tbWFuZC5wcm90bxIbYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxMrkFChpJYW1Qb2xpY3lDb21tYW5kQ29udHJvbGxlchKCAQoGY3JlYXRlEiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IiTCuBggCAgqHHVuYXV0aG9yaXplZCB0byBncmFudCBhY2Nlc3MSgwEKBmRlbGV0ZRIqLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5JYW1Qb2xpY3lTcGVjGiYuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeSIlwrgYIQgIKh11bmF1dGhvcml6ZWQgdG8gcmV2b2tlIGFjY2VzcxLCAQoPYm9vdHN0cmFwUG9saWN5EiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IlvCuBhXCB0QHypIdW5hdXRob3JpemVkIHRvIGJvb3RzdHJhcCBwb2xpY3kgLSBjYW5fYm9vdHN0cmFwX2lhbSBwZXJtaXNzaW9uIHJlcXVpcmVkMgdzdGlnbWVyEsQBChdjbGVhbnVwUmVzb3VyY2VQb2xpY2llcxIrLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5BcGlSZXNvdXJjZVJlZhoWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eSJkwrgYYAgdEB8qUXVuYXV0aG9yaXplZCB0byBjbGVhbnVwIHJlc291cmNlIHBvbGljaWVzIC0gY2FuX2Jvb3RzdHJhcF9pYW0gcGVybWlzc2lvbiByZXF1aXJlZDIHc3RpZ21lchoEoP8rCmIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_iampolicy_v1_spec, file_google_protobuf_empty]);
+export const file_ai_stigmer_iam_iampolicy_v1_command = /*@__PURE__*/ fileDesc("CilhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvY29tbWFuZC5wcm90bxIbYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxMswGChpJYW1Qb2xpY3lDb21tYW5kQ29udHJvbGxlchKCAQoGY3JlYXRlEiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IiTCuBggCAQqHHVuYXV0aG9yaXplZCB0byBncmFudCBhY2Nlc3MSgwEKBmRlbGV0ZRIqLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5JYW1Qb2xpY3lTcGVjGiYuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeSIlwrgYIQgEKh11bmF1dGhvcml6ZWQgdG8gcmV2b2tlIGFjY2VzcxLCAQoPYm9vdHN0cmFwUG9saWN5EiouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLklhbVBvbGljeVNwZWMaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IlvCuBhXCBEQHypIdW5hdXRob3JpemVkIHRvIGJvb3RzdHJhcCBwb2xpY3kgLSBjYW5fYm9vdHN0cmFwX2lhbSBwZXJtaXNzaW9uIHJlcXVpcmVkMgdzdGlnbWVyEsQBChdjbGVhbnVwUmVzb3VyY2VQb2xpY2llcxIrLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5BcGlSZXNvdXJjZVJlZhoWLmdvb2dsZS5wcm90b2J1Zi5FbXB0eSJkwrgYYAgREB8qUXVuYXV0aG9yaXplZCB0byBjbGVhbnVwIHJlc291cmNlIHBvbGljaWVzIC0gY2FuX2Jvb3RzdHJhcF9pYW0gcGVybWlzc2lvbiByZXF1aXJlZDIHc3RpZ21lchKQAQoPcmV2b2tlT3JnQWNjZXNzEjEuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLlJldm9rZU9yZ0FjY2Vzc0lucHV0GhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5IjLCuBguCAQqKnVuYXV0aG9yaXplZCB0byByZXZva2Ugb3JnYW5pemF0aW9uIGFjY2VzcxoEoP8rCmIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_io, file_ai_stigmer_iam_iampolicy_v1_spec, file_google_protobuf_empty]);
 /**
  * IAM Policy Command Controller
  *

package/ai/stigmer/iam/iampolicy/v1/command_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,sHAAsH;AACtH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,oCAAoC,EAAE,MAAM,UAAU,CAAC;AAChE,OAAO,EAAE,gEAAgE,EAAE,MAAM,sCAAsC,CAAC;AAExH,OAAO,EAAE,qCAAqC,EAAE,MAAM,WAAW,CAAC;AAElE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,wCAAwC,GAAY,aAAa,CAC5E,QAAQ,CAAC,khCAAkhC,EAAE,CAAC,uDAAuD,EAAE,oCAAoC,EAAE,gEAAgE,EAAE,qCAAqC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAErwC;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAmKlC,aAAa,CAChB,WAAW,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,sHAAsH;AACtH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,oCAAoC,EAAE,MAAM,UAAU,CAAC;AAEhE,OAAO,EAAE,mCAAmC,EAAE,MAAM,SAAS,CAAC;AAE9D,OAAO,EAAE,qCAAqC,EAAE,MAAM,WAAW,CAAC;AAElE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,wCAAwC,GAAY,aAAa,CAC5E,QAAQ,CAAC,stCAAstC,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,oCAAoC,EAAE,mCAAmC,EAAE,qCAAqC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEx9C;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAmMlC,aAAa,CAChB,WAAW,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/query_connect.d.ts

@@ -92,5 +92,71 @@ export declare const IamPolicyQueryController: {
             readonly O: any;
             readonly kind: any;
         };
+        /**
+         * List all principals and their roles on a resource, grouped by principal.
+         *
+         * This RPC answers: "Who has access to this resource, and what roles do they have?"
+         * Returns each principal with full display information and all their role grants,
+         * optionally including roles inherited from parent resources.
+         *
+         * Use Cases:
+         * - Organization members page (show all users and their roles)
+         * - Resource "Share" dialog (show who already has access)
+         * - Access audit views
+         *
+         * Input: ListResourceAccessInput with resource ref and include_inherited flag
+         * Output: ResourceAccessByPrincipalList with PrincipalAccess entries
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.listResourceAccessByPrincipal
+         */
+        readonly listResourceAccessByPrincipal: {
+            readonly name: "listResourceAccessByPrincipal";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Get all roles a specific principal has on a specific resource.
+         *
+         * This RPC answers: "What roles does [principal] have on [resource]?"
+         * Returns role metadata (code, display name, description) for each assigned role.
+         *
+         * Use Cases:
+         * - Displaying a user's current role in a resource detail view
+         * - Pre-populating role selectors when editing access
+         * - Permission summary for a specific user-resource pair
+         *
+         * Input: PrincipalResourceInput with principal and resource refs
+         * Output: PrincipalResourceRoles with list of RoleInfo entries
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.getPrincipalResourceRoles
+         */
+        readonly getPrincipalResourceRoles: {
+            readonly name: "getPrincipalResourceRoles";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Count distinct principals that have access to a resource.
+         *
+         * This RPC answers: "How many [principal-kind] have access to this organization?"
+         * Used for member count badges and summary statistics.
+         *
+         * Use Cases:
+         * - Organization members count badge in navigation
+         * - Settings page member summary
+         *
+         * Input: GetPrincipalsCountInput with org_id and principal_kind
+         * Output: PrincipalsCount with integer count
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.getPrincipalsCount
+         */
+        readonly getPrincipalsCount: {
+            readonly name: "getPrincipalsCount";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
     };
 };

package/ai/stigmer/iam/iampolicy/v1/query_connect.js

@@ -97,6 +97,72 @@ export const IamPolicyQueryController = {
             O: AuthorizedPrincipalIdsList,
             kind: MethodKind.Unary,
         },
+        /**
+         * List all principals and their roles on a resource, grouped by principal.
+         *
+         * This RPC answers: "Who has access to this resource, and what roles do they have?"
+         * Returns each principal with full display information and all their role grants,
+         * optionally including roles inherited from parent resources.
+         *
+         * Use Cases:
+         * - Organization members page (show all users and their roles)
+         * - Resource "Share" dialog (show who already has access)
+         * - Access audit views
+         *
+         * Input: ListResourceAccessInput with resource ref and include_inherited flag
+         * Output: ResourceAccessByPrincipalList with PrincipalAccess entries
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.listResourceAccessByPrincipal
+         */
+        listResourceAccessByPrincipal: {
+            name: "listResourceAccessByPrincipal",
+            I: ListResourceAccessInput,
+            O: ResourceAccessByPrincipalList,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Get all roles a specific principal has on a specific resource.
+         *
+         * This RPC answers: "What roles does [principal] have on [resource]?"
+         * Returns role metadata (code, display name, description) for each assigned role.
+         *
+         * Use Cases:
+         * - Displaying a user's current role in a resource detail view
+         * - Pre-populating role selectors when editing access
+         * - Permission summary for a specific user-resource pair
+         *
+         * Input: PrincipalResourceInput with principal and resource refs
+         * Output: PrincipalResourceRoles with list of RoleInfo entries
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.getPrincipalResourceRoles
+         */
+        getPrincipalResourceRoles: {
+            name: "getPrincipalResourceRoles",
+            I: PrincipalResourceInput,
+            O: PrincipalResourceRoles,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Count distinct principals that have access to a resource.
+         *
+         * This RPC answers: "How many [principal-kind] have access to this organization?"
+         * Used for member count badges and summary statistics.
+         *
+         * Use Cases:
+         * - Organization members count badge in navigation
+         * - Settings page member summary
+         *
+         * Input: GetPrincipalsCountInput with org_id and principal_kind
+         * Output: PrincipalsCount with integer count
+         *
+         * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.getPrincipalsCount
+         */
+        getPrincipalsCount: {
+            name: "getPrincipalsCount",
+            I: GetPrincipalsCountInput,
+            O: PrincipalsCount,
+            kind: MethodKind.Unary,
+        },
     }
 };
 //# sourceMappingURL=query_connect.js.map

package/ai/stigmer/iam/iampolicy/v1/query_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,oHAAoH;AACpH,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,QAAQ,EAAE,sDAAsD;IAChE,OAAO,EAAE;QACP;;;;;;;;;WASG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,WAAW;YACd,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;WAmBG;QACH,kBAAkB,EAAE;YAClB,IAAI,EAAE,oBAAoB;YAC1B,CAAC,EAAE,uBAAuB;YAC1B,CAAC,EAAE,wBAAwB;YAC3B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,yBAAyB,EAAE;YACzB,IAAI,EAAE,2BAA2B;YACjC,CAAC,EAAE,8BAA8B;YACjC,CAAC,EAAE,yBAAyB;YAC5B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,0BAA0B,EAAE;YAC1B,IAAI,EAAE,4BAA4B;YAClC,CAAC,EAAE,+BAA+B;YAClC,CAAC,EAAE,0BAA0B;YAC7B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,oHAAoH;AACpH,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,QAAQ,EAAE,sDAAsD;IAChE,OAAO,EAAE;QACP;;;;;;;;;WASG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,WAAW;YACd,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;WAmBG;QACH,kBAAkB,EAAE;YAClB,IAAI,EAAE,oBAAoB;YAC1B,CAAC,EAAE,uBAAuB;YAC1B,CAAC,EAAE,wBAAwB;YAC3B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,yBAAyB,EAAE;YACzB,IAAI,EAAE,2BAA2B;YACjC,CAAC,EAAE,8BAA8B;YACjC,CAAC,EAAE,yBAAyB;YAC5B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,0BAA0B,EAAE;YAC1B,IAAI,EAAE,4BAA4B;YAClC,CAAC,EAAE,+BAA+B;YAClC,CAAC,EAAE,0BAA0B;YAC7B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;WAgBG;QACH,6BAA6B,EAAE;YAC7B,IAAI,EAAE,+BAA+B;YACrC,CAAC,EAAE,uBAAuB;YAC1B,CAAC,EAAE,6BAA6B;YAChC,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,yBAAyB,EAAE;YACzB,IAAI,EAAE,2BAA2B;YACjC,CAAC,EAAE,sBAAsB;YACzB,CAAC,EAAE,sBAAsB;YACzB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;WAcG;QACH,kBAAkB,EAAE;YAClB,IAAI,EAAE,oBAAoB;YAC1B,CAAC,EAAE,uBAAuB;YAC1B,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/query_pb.d.ts

@@ -1,6 +1,6 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { IamPolicySchema } from "./api_pb";
-import type { AuthorizedPrincipalIdsListSchema, AuthorizedResourceIdsListSchema, CheckAuthorizationInputSchema, CheckAuthorizationResultSchema, IamPolicyIdSchema, ListAuthorizedPrincipalIdsInputSchema, ListAuthorizedResourceIdsInputSchema } from "./io_pb";
+import type { AuthorizedPrincipalIdsListSchema, AuthorizedResourceIdsListSchema, CheckAuthorizationInputSchema, CheckAuthorizationResultSchema, GetPrincipalsCountInputSchema, IamPolicyIdSchema, ListAuthorizedPrincipalIdsInputSchema, ListAuthorizedResourceIdsInputSchema, ListResourceAccessInputSchema, PrincipalResourceInputSchema, PrincipalResourceRolesSchema, PrincipalsCountSchema, ResourceAccessByPrincipalListSchema } from "./io_pb";
 /**
  * Describes the file ai/stigmer/iam/iampolicy/v1/query.proto.
  */
@@ -93,4 +93,67 @@ export declare const IamPolicyQueryController: GenService<{
         input: typeof ListAuthorizedPrincipalIdsInputSchema;
         output: typeof AuthorizedPrincipalIdsListSchema;
     };
+    /**
+     * List all principals and their roles on a resource, grouped by principal.
+     *
+     * This RPC answers: "Who has access to this resource, and what roles do they have?"
+     * Returns each principal with full display information and all their role grants,
+     * optionally including roles inherited from parent resources.
+     *
+     * Use Cases:
+     * - Organization members page (show all users and their roles)
+     * - Resource "Share" dialog (show who already has access)
+     * - Access audit views
+     *
+     * Input: ListResourceAccessInput with resource ref and include_inherited flag
+     * Output: ResourceAccessByPrincipalList with PrincipalAccess entries
+     *
+     * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.listResourceAccessByPrincipal
+     */
+    listResourceAccessByPrincipal: {
+        methodKind: "unary";
+        input: typeof ListResourceAccessInputSchema;
+        output: typeof ResourceAccessByPrincipalListSchema;
+    };
+    /**
+     * Get all roles a specific principal has on a specific resource.
+     *
+     * This RPC answers: "What roles does [principal] have on [resource]?"
+     * Returns role metadata (code, display name, description) for each assigned role.
+     *
+     * Use Cases:
+     * - Displaying a user's current role in a resource detail view
+     * - Pre-populating role selectors when editing access
+     * - Permission summary for a specific user-resource pair
+     *
+     * Input: PrincipalResourceInput with principal and resource refs
+     * Output: PrincipalResourceRoles with list of RoleInfo entries
+     *
+     * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.getPrincipalResourceRoles
+     */
+    getPrincipalResourceRoles: {
+        methodKind: "unary";
+        input: typeof PrincipalResourceInputSchema;
+        output: typeof PrincipalResourceRolesSchema;
+    };
+    /**
+     * Count distinct principals that have access to a resource.
+     *
+     * This RPC answers: "How many [principal-kind] have access to this organization?"
+     * Used for member count badges and summary statistics.
+     *
+     * Use Cases:
+     * - Organization members count badge in navigation
+     * - Settings page member summary
+     *
+     * Input: GetPrincipalsCountInput with org_id and principal_kind
+     * Output: PrincipalsCount with integer count
+     *
+     * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.getPrincipalsCount
+     */
+    getPrincipalsCount: {
+        methodKind: "unary";
+        input: typeof GetPrincipalsCountInputSchema;
+        output: typeof PrincipalsCountSchema;
+    };
 }>;

package/ai/stigmer/iam/iampolicy/v1/query_pb.js

@@ -3,13 +3,13 @@
 /* eslint-disable */
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_iampolicy_v1_api } from "./api_pb";
 import { file_ai_stigmer_iam_iampolicy_v1_io } from "./io_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "./rpcauthorization/method_options_pb";
 /**
  * Describes the file ai/stigmer/iam/iampolicy/v1/query.proto.
  */
-export const file_ai_stigmer_iam_iampolicy_v1_query = /*@__PURE__*/ fileDesc("CidhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvcXVlcnkucHJvdG8SG2FpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MTLIBQoYSWFtUG9saWN5UXVlcnlDb250cm9sbGVyEoUBCgNnZXQSKC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5SWQaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IizCuBgoCAkqJHVuYXV0aG9yaXplZCB0byB2aWV3IGFjY2VzcyBwb2xpY2llcxKHAQoSY2hlY2tBdXRob3JpemF0aW9uEjQuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkNoZWNrQXV0aG9yaXphdGlvbklucHV0GjUuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkNoZWNrQXV0aG9yaXphdGlvblJlc3VsdCIE0LgYARLGAQoZbGlzdEF1dGhvcml6ZWRSZXNvdXJjZUlkcxI7LmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5MaXN0QXV0aG9yaXplZFJlc291cmNlSWRzSW5wdXQaNi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuQXV0aG9yaXplZFJlc291cmNlSWRzTGlzdCI0wrgYMAgJKix1bmF1dGhvcml6ZWQgdG8gdmlldyBhdXRob3JpemVkIHJlc291cmNlIGlkcxLKAQoabGlzdEF1dGhvcml6ZWRQcmluY2lwYWxJZHMSPC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuTGlzdEF1dGhvcml6ZWRQcmluY2lwYWxJZHNJbnB1dBo3LmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5BdXRob3JpemVkUHJpbmNpcGFsSWRzTGlzdCI1wrgYMQgJKi11bmF1dGhvcml6ZWQgdG8gdmlldyBhdXRob3JpemVkIHByaW5jaXBhbCBpZHMaBKD/KwpiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_io, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options]);
+export const file_ai_stigmer_iam_iampolicy_v1_query = /*@__PURE__*/ fileDesc("CidhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvcXVlcnkucHJvdG8SG2FpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MTLqCQoYSWFtUG9saWN5UXVlcnlDb250cm9sbGVyEoUBCgNnZXQSKC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5SWQaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IizCuBgoCAUqJHVuYXV0aG9yaXplZCB0byB2aWV3IGFjY2VzcyBwb2xpY2llcxKHAQoSY2hlY2tBdXRob3JpemF0aW9uEjQuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkNoZWNrQXV0aG9yaXphdGlvbklucHV0GjUuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkNoZWNrQXV0aG9yaXphdGlvblJlc3VsdCIE0LgYARLGAQoZbGlzdEF1dGhvcml6ZWRSZXNvdXJjZUlkcxI7LmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5MaXN0QXV0aG9yaXplZFJlc291cmNlSWRzSW5wdXQaNi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuQXV0aG9yaXplZFJlc291cmNlSWRzTGlzdCI0wrgYMAgFKix1bmF1dGhvcml6ZWQgdG8gdmlldyBhdXRob3JpemVkIHJlc291cmNlIGlkcxLKAQoabGlzdEF1dGhvcml6ZWRQcmluY2lwYWxJZHMSPC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuTGlzdEF1dGhvcml6ZWRQcmluY2lwYWxJZHNJbnB1dBo3LmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5BdXRob3JpemVkUHJpbmNpcGFsSWRzTGlzdCI1wrgYMQgFKi11bmF1dGhvcml6ZWQgdG8gdmlldyBhdXRob3JpemVkIHByaW5jaXBhbCBpZHMSvwEKHWxpc3RSZXNvdXJjZUFjY2Vzc0J5UHJpbmNpcGFsEjQuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkxpc3RSZXNvdXJjZUFjY2Vzc0lucHV0GjouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLlJlc291cmNlQWNjZXNzQnlQcmluY2lwYWxMaXN0IizCuBgoCAUqJHVuYXV0aG9yaXplZCB0byB2aWV3IHJlc291cmNlIGFjY2VzcxKzAQoZZ2V0UHJpbmNpcGFsUmVzb3VyY2VSb2xlcxIzLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5QcmluY2lwYWxSZXNvdXJjZUlucHV0GjMuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLlByaW5jaXBhbFJlc291cmNlUm9sZXMiLMK4GCgIBSokdW5hdXRob3JpemVkIHRvIHZpZXcgcHJpbmNpcGFsIHJvbGVzEqcBChJnZXRQcmluY2lwYWxzQ291bnQSNC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuR2V0UHJpbmNpcGFsc0NvdW50SW5wdXQaLC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuUHJpbmNpcGFsc0NvdW50Ii3CuBgpCAUqJXVuYXV0aG9yaXplZCB0byB2aWV3IHByaW5jaXBhbHMgY291bnQaBKD/KwpiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_io]);
 /**
  * IamPolicyQueryController handles read operations for IAM policies.
  *

package/ai/stigmer/iam/iampolicy/v1/query_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oHAAoH;AACpH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,oCAAoC,EAAE,MAAM,UAAU,CAAC;AAEhE,OAAO,EAAE,mCAAmC,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,gEAAgE,EAAE,MAAM,sCAAsC,CAAC;AAExH;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,oiCAAoiC,EAAE,CAAC,uDAAuD,EAAE,oCAAoC,EAAE,mCAAmC,EAAE,gEAAgE,CAAC,CAAC,CAAC;AAEzvC;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAmFhC,aAAa,CAChB,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oHAAoH;AACpH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,oCAAoC,EAAE,MAAM,UAAU,CAAC;AAEhE,OAAO,EAAE,mCAAmC,EAAE,MAAM,SAAS,CAAC;AAE9D;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,4vDAA4vD,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,oCAAoC,EAAE,mCAAmC,CAAC,CAAC,CAAC;AAE37D;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAkJhC,aAAa,CAChB,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/spec_pb.d.ts

@@ -36,7 +36,7 @@ export type IamPolicySpec = Message<"ai.stigmer.iam.iampolicy.v1.IamPolicySpec">
     resource?: ApiResourceRef;
     /**
      * The permission being granted (e.g., "admin", "viewer", "owner").
-     * Maps to the role_code from IamRole.
+     * Maps to a role_code from ai.stigmer.iam.v1.IamRole.
      * Examples: "admin", "editor", "viewer", "owner", "member"
      *
      * @internal

package/ai/stigmer/iam/identityaccount/v1/command_connect.d.ts

@@ -10,7 +10,7 @@ export declare const IdentityAccountCommandController: {
          * Create a new identity account.
          *
          * @internal
-         * System-level RPC used by federated JIT provisioning and Auth0 webhook flow.
+         * System-level RPC used by Auth0 webhook flow and federated account creation.
          * No FGA authorization — called via inProcessChannelAsSystem (machine account).
          * The handler's createAuthorizationTuples step writes the self-ownership tuple after creation.
          *
@@ -50,6 +50,66 @@ export declare const IdentityAccountCommandController: {
             readonly O: any;
             readonly kind: any;
         };
+        /**
+         * Create a federated identity account for an external platform user.
+         *
+         * Called by platform backends (via API key) when a new user signs up on their
+         * platform. The platform provides the user's OIDC subject identifier and profile
+         * data. The account must be created before the user can authenticate via the IdP.
+         *
+         * Returns the full identity account including its ID, which the platform uses
+         * to grant roles via IAM policies.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.createFederatedAccount
+         */
+        readonly createFederatedAccount: {
+            readonly name: "createFederatedAccount";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Update profile fields on a federated identity account.
+         *
+         * Looks up the account by natural key (identity_provider_ref + external_sub)
+         * and updates email, name, and picture. Identity keys are immutable.
+         *
+         * Called by platform backends when a user's profile changes on their platform.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.updateFederatedAccount
+         */
+        readonly updateFederatedAccount: {
+            readonly name: "updateFederatedAccount";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Deprovision a federated identity account by revoking access or deleting it.
+         *
+         * Looks up the account by natural key (identity_provider_ref + external_sub).
+         * When delete_account is false, revokes all IAM policies in the organization.
+         * When delete_account is true, revokes policies and deletes the account.
+         *
+         * Called by platform backends during user offboarding.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.deprovisionFederatedAccount
+         */
+        readonly deprovisionFederatedAccount: {
+            readonly name: "deprovisionFederatedAccount";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
         /**
          * Trigger account provisioning for a user who exists in Auth0 but not in Stigmer.
          *

package/ai/stigmer/iam/identityaccount/v1/command_connect.js

@@ -15,7 +15,7 @@ export const IdentityAccountCommandController = {
          * Create a new identity account.
          *
          * @internal
-         * System-level RPC used by federated JIT provisioning and Auth0 webhook flow.
+         * System-level RPC used by Auth0 webhook flow and federated account creation.
          * No FGA authorization — called via inProcessChannelAsSystem (machine account).
          * The handler's createAuthorizationTuples step writes the self-ownership tuple after creation.
          *
@@ -55,6 +55,66 @@ export const IdentityAccountCommandController = {
             O: IdentityAccount,
             kind: MethodKind.Unary,
         },
+        /**
+         * Create a federated identity account for an external platform user.
+         *
+         * Called by platform backends (via API key) when a new user signs up on their
+         * platform. The platform provides the user's OIDC subject identifier and profile
+         * data. The account must be created before the user can authenticate via the IdP.
+         *
+         * Returns the full identity account including its ID, which the platform uses
+         * to grant roles via IAM policies.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.createFederatedAccount
+         */
+        createFederatedAccount: {
+            name: "createFederatedAccount",
+            I: CreateFederatedAccountInput,
+            O: IdentityAccount,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Update profile fields on a federated identity account.
+         *
+         * Looks up the account by natural key (identity_provider_ref + external_sub)
+         * and updates email, name, and picture. Identity keys are immutable.
+         *
+         * Called by platform backends when a user's profile changes on their platform.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.updateFederatedAccount
+         */
+        updateFederatedAccount: {
+            name: "updateFederatedAccount",
+            I: UpdateFederatedAccountInput,
+            O: IdentityAccount,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Deprovision a federated identity account by revoking access or deleting it.
+         *
+         * Looks up the account by natural key (identity_provider_ref + external_sub).
+         * When delete_account is false, revokes all IAM policies in the organization.
+         * When delete_account is true, revokes policies and deletes the account.
+         *
+         * Called by platform backends during user offboarding.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.deprovisionFederatedAccount
+         */
+        deprovisionFederatedAccount: {
+            name: "deprovisionFederatedAccount",
+            I: DeprovisionFederatedAccountInput,
+            O: IdentityAccount,
+            kind: MethodKind.Unary,
+        },
         /**
          * Trigger account provisioning for a user who exists in Auth0 but not in Stigmer.
          *

package/ai/stigmer/iam/identityaccount/v1/command_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAGd,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;;;;;;WASG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,eAAe;YAClB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,eAAe;YAClB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;WASG;QACH,qBAAqB,EAAE;YACrB,IAAI,EAAE,uBAAuB;YAC7B,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,KAAK;YACR,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAGd,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;;;;;;WASG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,eAAe;YAClB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,eAAe;YAClB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;WAcG;QACH,sBAAsB,EAAE;YACtB,IAAI,EAAE,wBAAwB;YAC9B,CAAC,EAAE,2BAA2B;YAC9B,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;WAYG;QACH,sBAAsB,EAAE;YACtB,IAAI,EAAE,wBAAwB;YAC9B,CAAC,EAAE,2BAA2B;YAC9B,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;WAaG;QACH,2BAA2B,EAAE;YAC3B,IAAI,EAAE,6BAA6B;YACnC,CAAC,EAAE,gCAAgC;YACnC,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;WASG;QACH,qBAAqB,EAAE;YACrB,IAAI,EAAE,uBAAuB;YAC7B,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,KAAK;YACR,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/command_pb.d.ts

@@ -1,6 +1,6 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { IdentityAccountSchema } from "./api_pb";
-import type { IdentityAccountEmailSchema, IdentityAccountIdSchema } from "./io_pb";
+import type { CreateFederatedAccountInputSchema, DeprovisionFederatedAccountInputSchema, IdentityAccountEmailSchema, IdentityAccountIdSchema, UpdateFederatedAccountInputSchema } from "./io_pb";
 import type { EmptySchema } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/command.proto.
@@ -16,7 +16,7 @@ export declare const IdentityAccountCommandController: GenService<{
      * Create a new identity account.
      *
      * @internal
-     * System-level RPC used by federated JIT provisioning and Auth0 webhook flow.
+     * System-level RPC used by Auth0 webhook flow and federated account creation.
      * No FGA authorization — called via inProcessChannelAsSystem (machine account).
      * The handler's createAuthorizationTuples step writes the self-ownership tuple after creation.
      *
@@ -53,6 +53,63 @@ export declare const IdentityAccountCommandController: GenService<{
         input: typeof IdentityAccountIdSchema;
         output: typeof IdentityAccountSchema;
     };
+    /**
+     * Create a federated identity account for an external platform user.
+     *
+     * Called by platform backends (via API key) when a new user signs up on their
+     * platform. The platform provides the user's OIDC subject identifier and profile
+     * data. The account must be created before the user can authenticate via the IdP.
+     *
+     * Returns the full identity account including its ID, which the platform uses
+     * to grant roles via IAM policies.
+     *
+     * Authorization: Requires can_create_identity_account on the organization
+     * that owns the identity provider.
+     *
+     * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.createFederatedAccount
+     */
+    createFederatedAccount: {
+        methodKind: "unary";
+        input: typeof CreateFederatedAccountInputSchema;
+        output: typeof IdentityAccountSchema;
+    };
+    /**
+     * Update profile fields on a federated identity account.
+     *
+     * Looks up the account by natural key (identity_provider_ref + external_sub)
+     * and updates email, name, and picture. Identity keys are immutable.
+     *
+     * Called by platform backends when a user's profile changes on their platform.
+     *
+     * Authorization: Requires can_create_identity_account on the organization
+     * that owns the identity provider.
+     *
+     * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.updateFederatedAccount
+     */
+    updateFederatedAccount: {
+        methodKind: "unary";
+        input: typeof UpdateFederatedAccountInputSchema;
+        output: typeof IdentityAccountSchema;
+    };
+    /**
+     * Deprovision a federated identity account by revoking access or deleting it.
+     *
+     * Looks up the account by natural key (identity_provider_ref + external_sub).
+     * When delete_account is false, revokes all IAM policies in the organization.
+     * When delete_account is true, revokes policies and deletes the account.
+     *
+     * Called by platform backends during user offboarding.
+     *
+     * Authorization: Requires can_create_identity_account on the organization
+     * that owns the identity provider.
+     *
+     * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.deprovisionFederatedAccount
+     */
+    deprovisionFederatedAccount: {
+        methodKind: "unary";
+        input: typeof DeprovisionFederatedAccountInputSchema;
+        output: typeof IdentityAccountSchema;
+    };
     /**
      * Trigger account provisioning for a user who exists in Auth0 but not in Stigmer.
      *

package/ai/stigmer/iam/identityaccount/v1/command_pb.js

@@ -3,14 +3,14 @@
 /* eslint-disable */
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_api } from "./api_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_io } from "./io_pb";
 import { file_google_protobuf_empty } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/command.proto.
  */
-export const file_ai_stigmer_iam_identityaccount_v1_command = /*@__PURE__*/ fileDesc("Ci9haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvY29tbWFuZC5wcm90bxIhYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxMvIECiBJZGVudGl0eUFjY291bnRDb21tYW5kQ29udHJvbGxlchJ2CgZjcmVhdGUSMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50GjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCIE0LgYARKwAQoGdXBkYXRlEjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiPsK4GDoIBBALIgttZXRhZGF0YS5pZCondW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBhY2NvdW50EqwBCgZkZWxldGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjjCuBg0CAIQCyIFdmFsdWUqJ3VuYXV0aG9yaXplZCB0byBkZWxldGUgaWRlbnRpdHkgYWNjb3VudBJuChVzaW11bGF0ZVNpZ251cFdlYmhvb2sSNy5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50RW1haWwaFi5nb29nbGUucHJvdG9idWYuRW1wdHkiBNC4GAEaBKD/KwtiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
+export const file_ai_stigmer_iam_identityaccount_v1_command = /*@__PURE__*/ fileDesc("Ci9haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvY29tbWFuZC5wcm90bxIhYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxMpMKCiBJZGVudGl0eUFjY291bnRDb21tYW5kQ29udHJvbGxlchJ2CgZjcmVhdGUSMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50GjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCIE0LgYARKwAQoGdXBkYXRlEjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiPsK4GDoIAhALIgttZXRhZGF0YS5pZCondW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBhY2NvdW50EqwBCgZkZWxldGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjjCuBg0CAMQCyIFdmFsdWUqJ3VuYXV0aG9yaXplZCB0byBkZWxldGUgaWRlbnRpdHkgYWNjb3VudBLaAQoWY3JlYXRlRmVkZXJhdGVkQWNjb3VudBI+LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5DcmVhdGVGZWRlcmF0ZWRBY2NvdW50SW5wdXQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IkzCuBhICBUQHiIDb3JnKj11bmF1dGhvcml6ZWQgdG8gY3JlYXRlIGlkZW50aXR5IGFjY291bnRzIGluIHRoaXMgb3JnYW5pemF0aW9uEtoBChZ1cGRhdGVGZWRlcmF0ZWRBY2NvdW50Ej4uYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLlVwZGF0ZUZlZGVyYXRlZEFjY291bnRJbnB1dBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiTMK4GEgIFRAeIgNvcmcqPXVuYXV0aG9yaXplZCB0byBtYW5hZ2UgaWRlbnRpdHkgYWNjb3VudHMgaW4gdGhpcyBvcmdhbml6YXRpb24S5AEKG2RlcHJvdmlzaW9uRmVkZXJhdGVkQWNjb3VudBJDLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5EZXByb3Zpc2lvbkZlZGVyYXRlZEFjY291bnRJbnB1dBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiTMK4GEgIFRAeIgNvcmcqPXVuYXV0aG9yaXplZCB0byBtYW5hZ2UgaWRlbnRpdHkgYWNjb3VudHMgaW4gdGhpcyBvcmdhbml6YXRpb24SbgoVc2ltdWxhdGVTaWdudXBXZWJob29rEjcuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudEVtYWlsGhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5IgTQuBgBGgSg/ysLYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
 /**
  * IdentityAccountCommandController handles write operations for identity accounts.
  *

package/ai/stigmer/iam/identityaccount/v1/command_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,8CAA8C,GAAY,aAAa,CAClF,QAAQ,CAAC,o8BAAo8B,EAAE,CAAC,uDAAuD,EAAE,gEAAgE,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEjsC;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAyDxC,aAAa,CAChB,WAAW,CAAC,8CAA8C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,8CAA8C,GAAY,aAAa,CAClF,QAAQ,CAAC,q0DAAq0D,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAE5iE;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAkHxC,aAAa,CAChB,WAAW,CAAC,8CAA8C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/enum_pb.d.ts

@@ -25,7 +25,7 @@ export declare enum IdentityAccountProvisioningMode {
      */
     direct = 1,
     /**
-     * Account was JIT-provisioned during federated authentication via an IdentityProvider.
+     * Account was created by the platform for federated authentication via an IdentityProvider.
      *
      * @generated from enum value: federated = 2;
      */

package/ai/stigmer/iam/identityaccount/v1/enum_pb.js

@@ -29,7 +29,7 @@ export var IdentityAccountProvisioningMode;
      */
     IdentityAccountProvisioningMode[IdentityAccountProvisioningMode["direct"] = 1] = "direct";
     /**
-     * Account was JIT-provisioned during federated authentication via an IdentityProvider.
+     * Account was created by the platform for federated authentication via an IdentityProvider.
      *
      * @generated from enum value: federated = 2;
      */