@stigmer/protos 0.0.72 → 0.0.73

package/ai/stigmer/iam/identityaccount/v1/io_pb.d.ts

@@ -1,4 +1,5 @@
 import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { ApiResourceReference } from "../../../commons/apiresource/io_pb";
 import type { PageInfo } from "../../../commons/rpc/pagination_pb";
 import type { IdentityAccount } from "./api_pb";
 import type { Message } from "@bufbuild/protobuf";
@@ -150,3 +151,221 @@ export type ListWithIdentityOrg = Message<"ai.stigmer.iam.identityaccount.v1.Lis
  * Use `create(ListWithIdentityOrgSchema)` to create a new message.
  */
 export declare const ListWithIdentityOrgSchema: GenMessage<ListWithIdentityOrg>;
+/**
+ * ExternalSubLookup identifies a federated identity account by its identity provider
+ * reference and external subject identifier (OIDC sub claim).
+ *
+ * Used by platform backends to check whether a federated account already exists
+ * before calling createFederatedAccount.
+ *
+ * @generated from message ai.stigmer.iam.identityaccount.v1.ExternalSubLookup
+ */
+export type ExternalSubLookup = Message<"ai.stigmer.iam.identityaccount.v1.ExternalSubLookup"> & {
+    /**
+     * Organization that owns the identity provider.
+     * Used as the authorization scope: caller must have can_create_identity_account
+     * permission on this organization.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+    /**
+     * Reference to the IdentityProvider that the federated account belongs to.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 2;
+     */
+    identityProviderRef?: ApiResourceReference;
+    /**
+     * External subject identifier from the platform's OIDC provider.
+     * The raw OIDC sub claim (e.g., "google-oauth2|109876543210").
+     *
+     * @generated from field: string external_sub = 3;
+     */
+    externalSub: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.ExternalSubLookup.
+ * Use `create(ExternalSubLookupSchema)` to create a new message.
+ */
+export declare const ExternalSubLookupSchema: GenMessage<ExternalSubLookup>;
+/**
+ * CreateFederatedAccountInput is the command for creating a federated identity account
+ * linked to an external platform's identity provider.
+ *
+ * Called by platform backends (via API key) when a new user signs up on their platform.
+ * The platform provides the user's OIDC subject identifier and profile data.
+ * The account must be created before the user can authenticate via the IdP.
+ *
+ * @generated from message ai.stigmer.iam.identityaccount.v1.CreateFederatedAccountInput
+ */
+export type CreateFederatedAccountInput = Message<"ai.stigmer.iam.identityaccount.v1.CreateFederatedAccountInput"> & {
+    /**
+     * Organization that owns the identity provider.
+     * Used as the authorization scope: caller must have can_create_identity_account
+     * permission on this organization.
+     * Must match identity_provider_ref.org (when identity_provider_ref.org is non-empty).
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+    /**
+     * Reference to the IdentityProvider that this federated account belongs to.
+     * The IdP must exist and belong to the specified org.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 2;
+     */
+    identityProviderRef?: ApiResourceReference;
+    /**
+     * External subject identifier from the platform's OIDC provider.
+     * The raw OIDC sub claim (e.g., "google-oauth2|109876543210").
+     * Stored as-is without any prefix transformation.
+     * Must match the sub claim in JWTs issued by this IdP for authentication to work.
+     *
+     * @generated from field: string external_sub = 3;
+     */
+    externalSub: string;
+    /**
+     * Email address of the user.
+     *
+     * @generated from field: string email = 4;
+     */
+    email: string;
+    /**
+     * First name of the user.
+     *
+     * @generated from field: string first_name = 5;
+     */
+    firstName: string;
+    /**
+     * Last name of the user.
+     *
+     * @generated from field: string last_name = 6;
+     */
+    lastName: string;
+    /**
+     * URL of the user's profile picture.
+     *
+     * @generated from field: string picture_url = 7;
+     */
+    pictureUrl: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.CreateFederatedAccountInput.
+ * Use `create(CreateFederatedAccountInputSchema)` to create a new message.
+ */
+export declare const CreateFederatedAccountInputSchema: GenMessage<CreateFederatedAccountInput>;
+/**
+ * UpdateFederatedAccountInput is the command for updating profile fields on a
+ * federated identity account identified by its natural key (identity provider
+ * reference + external subject).
+ *
+ * Called by platform backends when a user's profile changes on their platform
+ * (e.g., name update, email change). Uses full-replace semantics: all profile
+ * fields must be provided. Identity keys (org, identity_provider_ref, external_sub)
+ * are immutable and used only for lookup.
+ *
+ * @generated from message ai.stigmer.iam.identityaccount.v1.UpdateFederatedAccountInput
+ */
+export type UpdateFederatedAccountInput = Message<"ai.stigmer.iam.identityaccount.v1.UpdateFederatedAccountInput"> & {
+    /**
+     * Organization that owns the identity provider.
+     * Used as the authorization scope: caller must have can_create_identity_account
+     * permission on this organization.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+    /**
+     * Reference to the IdentityProvider that the federated account belongs to.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 2;
+     */
+    identityProviderRef?: ApiResourceReference;
+    /**
+     * External subject identifier (OIDC sub claim) — lookup key, not updatable.
+     *
+     * @generated from field: string external_sub = 3;
+     */
+    externalSub: string;
+    /**
+     * Updated email address.
+     *
+     * @generated from field: string email = 4;
+     */
+    email: string;
+    /**
+     * Updated first name.
+     *
+     * @generated from field: string first_name = 5;
+     */
+    firstName: string;
+    /**
+     * Updated last name.
+     *
+     * @generated from field: string last_name = 6;
+     */
+    lastName: string;
+    /**
+     * Updated profile picture URL.
+     *
+     * @generated from field: string picture_url = 7;
+     */
+    pictureUrl: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.UpdateFederatedAccountInput.
+ * Use `create(UpdateFederatedAccountInputSchema)` to create a new message.
+ */
+export declare const UpdateFederatedAccountInputSchema: GenMessage<UpdateFederatedAccountInput>;
+/**
+ * DeprovisionFederatedAccountInput is the command for revoking a federated
+ * identity account's access, with an option to delete the account entirely.
+ *
+ * Called by platform backends when a user is removed from their platform
+ * (e.g., employee offboarding, account suspension). Uses the natural key
+ * (identity provider reference + external subject) for lookup.
+ *
+ * Two modes:
+ *   - Revoke only (delete_account = false): removes all IAM policies for the
+ *     account in the organization. The identity account is preserved for audit
+ *     trail. The user loses access but the account record remains.
+ *   - Revoke and delete (delete_account = true): revokes access AND deletes
+ *     the identity account. All IAM policies across all organizations are
+ *     cleaned up. Use this for permanent offboarding.
+ *
+ * @generated from message ai.stigmer.iam.identityaccount.v1.DeprovisionFederatedAccountInput
+ */
+export type DeprovisionFederatedAccountInput = Message<"ai.stigmer.iam.identityaccount.v1.DeprovisionFederatedAccountInput"> & {
+    /**
+     * Organization that owns the identity provider.
+     * Used as the authorization scope: caller must have can_create_identity_account
+     * permission on this organization.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+    /**
+     * Reference to the IdentityProvider that the federated account belongs to.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 2;
+     */
+    identityProviderRef?: ApiResourceReference;
+    /**
+     * External subject identifier (OIDC sub claim) — lookup key.
+     *
+     * @generated from field: string external_sub = 3;
+     */
+    externalSub: string;
+    /**
+     * When false (default): revoke the account's access in this organization only.
+     * When true: revoke access AND permanently delete the identity account.
+     *
+     * @generated from field: bool delete_account = 4;
+     */
+    deleteAccount: boolean;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.DeprovisionFederatedAccountInput.
+ * Use `create(DeprovisionFederatedAccountInputSchema)` to create a new message.
+ */
+export declare const DeprovisionFederatedAccountInputSchema: GenMessage<DeprovisionFederatedAccountInput>;

package/ai/stigmer/iam/identityaccount/v1/io_pb.js

@@ -2,13 +2,14 @@
 // @generated from file ai/stigmer/iam/identityaccount/v1/io.proto (package ai.stigmer.iam.identityaccount.v1, syntax proto3)
 /* eslint-disable */
 import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_io } from "../../../commons/apiresource/io_pb";
 import { file_ai_stigmer_commons_rpc_pagination } from "../../../commons/rpc/pagination_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_api } from "./api_pb";
 import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/io.proto.
  */
-export const file_ai_stigmer_iam_identityaccount_v1_io = /*@__PURE__*/ fileDesc("CiphaS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvaW8ucHJvdG8SIWFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MSJXChBJZGVudGl0eUFjY291bnRzEkMKB2VudHJpZXMYASADKAsyMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IioKEUlkZW50aXR5QWNjb3VudElkEhUKBXZhbHVlGAEgASgJQga6SAPIAQEiLQoUSWRlbnRpdHlBY2NvdW50RW1haWwSFQoFdmFsdWUYASABKAlCBrpIA8gBASIeCgVJZHBJZBIVCgV2YWx1ZRgBIAEoCUIGukgDyAEBImsKHExpc3RXaXRoSWRlbnRpdHlBY2NvdW50SWRSZXESGwoTaWRlbnRpdHlfYWNjb3VudF9pZBgBIAEoCRIuCgRwYWdlGAIgASgLMiAuYWkuc3RpZ21lci5jb21tb25zLnJwYy5QYWdlSW5mbyJwChRJZGVudGl0eUFjY291bnRzTGlzdBITCgt0b3RhbF9wYWdlcxgBIAEoBRJDCgdlbnRyaWVzGAIgAygLMjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCJSChNMaXN0V2l0aElkZW50aXR5T3JnEgsKA29yZxgBIAEoCRIuCgRwYWdlGAIgASgLMiAuYWkuc3RpZ21lci5jb21tb25zLnJwYy5QYWdlSW5mb2IGcHJvdG8z", [file_ai_stigmer_commons_rpc_pagination, file_ai_stigmer_iam_identityaccount_v1_api, file_buf_validate_validate]);
+export const file_ai_stigmer_iam_identityaccount_v1_io = /*@__PURE__*/ fileDesc("CiphaS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvaW8ucHJvdG8SIWFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MSJXChBJZGVudGl0eUFjY291bnRzEkMKB2VudHJpZXMYASADKAsyMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IioKEUlkZW50aXR5QWNjb3VudElkEhUKBXZhbHVlGAEgASgJQga6SAPIAQEiLQoUSWRlbnRpdHlBY2NvdW50RW1haWwSFQoFdmFsdWUYASABKAlCBrpIA8gBASIeCgVJZHBJZBIVCgV2YWx1ZRgBIAEoCUIGukgDyAEBImsKHExpc3RXaXRoSWRlbnRpdHlBY2NvdW50SWRSZXESGwoTaWRlbnRpdHlfYWNjb3VudF9pZBgBIAEoCRIuCgRwYWdlGAIgASgLMiAuYWkuc3RpZ21lci5jb21tb25zLnJwYy5QYWdlSW5mbyJwChRJZGVudGl0eUFjY291bnRzTGlzdBITCgt0b3RhbF9wYWdlcxgBIAEoBRJDCgdlbnRyaWVzGAIgAygLMjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCJSChNMaXN0V2l0aElkZW50aXR5T3JnEgsKA29yZxgBIAEoCRIuCgRwYWdlGAIgASgLMiAuYWkuc3RpZ21lci5jb21tb25zLnJwYy5QYWdlSW5mbyKbAQoRRXh0ZXJuYWxTdWJMb29rdXASEwoDb3JnGAEgASgJQga6SAPIAQESUwoVaWRlbnRpdHlfcHJvdmlkZXJfcmVmGAIgASgLMjQuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlUmVmZXJlbmNlEhwKDGV4dGVybmFsX3N1YhgDIAEoCUIGukgDyAEBIvgBChtDcmVhdGVGZWRlcmF0ZWRBY2NvdW50SW5wdXQSEwoDb3JnGAEgASgJQga6SAPIAQESUwoVaWRlbnRpdHlfcHJvdmlkZXJfcmVmGAIgASgLMjQuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlUmVmZXJlbmNlEhwKDGV4dGVybmFsX3N1YhgDIAEoCUIGukgDyAEBEhUKBWVtYWlsGAQgASgJQga6SAPIAQESEgoKZmlyc3RfbmFtZRgFIAEoCRIRCglsYXN0X25hbWUYBiABKAkSEwoLcGljdHVyZV91cmwYByABKAki+AEKG1VwZGF0ZUZlZGVyYXRlZEFjY291bnRJbnB1dBITCgNvcmcYASABKAlCBrpIA8gBARJTChVpZGVudGl0eV9wcm92aWRlcl9yZWYYAiABKAsyNC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VSZWZlcmVuY2USHAoMZXh0ZXJuYWxfc3ViGAMgASgJQga6SAPIAQESFQoFZW1haWwYBCABKAlCBrpIA8gBARISCgpmaXJzdF9uYW1lGAUgASgJEhEKCWxhc3RfbmFtZRgGIAEoCRITCgtwaWN0dXJlX3VybBgHIAEoCSLCAQogRGVwcm92aXNpb25GZWRlcmF0ZWRBY2NvdW50SW5wdXQSEwoDb3JnGAEgASgJQga6SAPIAQESUwoVaWRlbnRpdHlfcHJvdmlkZXJfcmVmGAIgASgLMjQuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlUmVmZXJlbmNlEhwKDGV4dGVybmFsX3N1YhgDIAEoCUIGukgDyAEBEhYKDmRlbGV0ZV9hY2NvdW50GAQgASgIYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_rpc_pagination, file_ai_stigmer_iam_identityaccount_v1_api, file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.iam.identityaccount.v1.IdentityAccounts.
  * Use `create(IdentityAccountsSchema)` to create a new message.
@@ -44,4 +45,24 @@ export const IdentityAccountsListSchema = /*@__PURE__*/ messageDesc(file_ai_stig
  * Use `create(ListWithIdentityOrgSchema)` to create a new message.
  */
 export const ListWithIdentityOrgSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 6);
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.ExternalSubLookup.
+ * Use `create(ExternalSubLookupSchema)` to create a new message.
+ */
+export const ExternalSubLookupSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 7);
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.CreateFederatedAccountInput.
+ * Use `create(CreateFederatedAccountInputSchema)` to create a new message.
+ */
+export const CreateFederatedAccountInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 8);
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.UpdateFederatedAccountInput.
+ * Use `create(UpdateFederatedAccountInputSchema)` to create a new message.
+ */
+export const UpdateFederatedAccountInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 9);
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.DeprovisionFederatedAccountInput.
+ * Use `create(DeprovisionFederatedAccountInputSchema)` to create a new message.
+ */
+export const DeprovisionFederatedAccountInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 10);
 //# sourceMappingURL=io_pb.js.map

package/ai/stigmer/iam/identityaccount/v1/io_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,6HAA6H;AAC7H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AACtE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,yCAAyC,GAAY,aAAa,CAC7E,QAAQ,CAAC,0yBAA0yB,EAAE,CAAC,sCAAsC,EAAE,0CAA0C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBz6B;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAsB,aAAa,CACzD,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAA6C,aAAa,CACvG,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,6HAA6H;AAC7H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AACtE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,yCAAyC,GAAY,aAAa,CAC7E,QAAQ,CAAC,i6DAAi6D,EAAE,CAAC,sCAAsC,EAAE,sCAAsC,EAAE,0CAA0C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBxkE;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAsB,aAAa,CACzD,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAA6C,aAAa,CACvG,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAqC5D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAsE5D;;;GAGG;AACH,MAAM,CAAC,MAAM,iCAAiC,GAA4C,aAAa,CACrG,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAmE5D;;;GAGG;AACH,MAAM,CAAC,MAAM,iCAAiC,GAA4C,aAAa,CACrG,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAqD5D;;;GAGG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAiD,aAAa,CAC/G,WAAW,CAAC,yCAAyC,EAAE,EAAE,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/query_connect.d.ts

@@ -34,7 +34,10 @@ export declare const IdentityAccountQueryController: {
             readonly kind: any;
         };
         /**
-         * Get an identity account by email address.
+         * Get a direct identity account by email address.
+         *
+         * Only returns direct (non-federated) accounts. Federated accounts are not
+         * returned by this RPC — use getByExternalSub for IdP-scoped federated lookups.
          *
          * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByEmail
          */
@@ -45,7 +48,11 @@ export declare const IdentityAccountQueryController: {
             readonly kind: any;
         };
         /**
-         * Get an identity account by identity provider ID.
+         * Get an identity account by identity provider ID (Auth0 subject).
+         *
+         * Primarily used for direct and machine accounts where the IDP ID is
+         * the Auth0 user_id or client_id. For federated account lookups,
+         * use getByExternalSub which is scoped to a specific identity provider.
          *
          * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByIdpId
          */
@@ -55,6 +62,23 @@ export declare const IdentityAccountQueryController: {
             readonly O: any;
             readonly kind: any;
         };
+        /**
+         * Get a federated identity account by identity provider reference and external subject.
+         *
+         * Used by platform backends to check whether a federated account already exists
+         * for a given OIDC subject before calling createFederatedAccount.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByExternalSub
+         */
+        readonly getByExternalSub: {
+            readonly name: "getByExternalSub";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
         /**
          * Get lightweight actor information for an identity account.
          *

package/ai/stigmer/iam/identityaccount/v1/query_connect.js

@@ -39,7 +39,10 @@ export const IdentityAccountQueryController = {
             kind: MethodKind.Unary,
         },
         /**
-         * Get an identity account by email address.
+         * Get a direct identity account by email address.
+         *
+         * Only returns direct (non-federated) accounts. Federated accounts are not
+         * returned by this RPC — use getByExternalSub for IdP-scoped federated lookups.
          *
          * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByEmail
          */
@@ -50,7 +53,11 @@ export const IdentityAccountQueryController = {
             kind: MethodKind.Unary,
         },
         /**
-         * Get an identity account by identity provider ID.
+         * Get an identity account by identity provider ID (Auth0 subject).
+         *
+         * Primarily used for direct and machine accounts where the IDP ID is
+         * the Auth0 user_id or client_id. For federated account lookups,
+         * use getByExternalSub which is scoped to a specific identity provider.
          *
          * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByIdpId
          */
@@ -60,6 +67,23 @@ export const IdentityAccountQueryController = {
             O: IdentityAccount,
             kind: MethodKind.Unary,
         },
+        /**
+         * Get a federated identity account by identity provider reference and external subject.
+         *
+         * Used by platform backends to check whether a federated account already exists
+         * for a given OIDC subject before calling createFederatedAccount.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByExternalSub
+         */
+        getByExternalSub: {
+            name: "getByExternalSub",
+            I: ExternalSubLookup,
+            O: IdentityAccount,
+            kind: MethodKind.Unary,
+        },
         /**
          * Get lightweight actor information for an identity account.
          *

package/ai/stigmer/iam/identityaccount/v1/query_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,gIAAgI;AAChI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG;IAC5C,QAAQ,EAAE,kEAAkE;IAC5E,OAAO,EAAE;QACP;;;;WAIG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;WASG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;WAIG;QACH,UAAU,EAAE;YACV,IAAI,EAAE,YAAY;YAClB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;WAIG;QACH,UAAU,EAAE;YACV,IAAI,EAAE,YAAY;YAClB,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;WAmBG;QACH,YAAY,EAAE;YACZ,IAAI,EAAE,cAAc;YACpB,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,qBAAqB;YACxB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,gIAAgI;AAChI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG;IAC5C,QAAQ,EAAE,kEAAkE;IAC5E,OAAO,EAAE;QACP;;;;WAIG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;WASG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,UAAU,EAAE;YACV,IAAI,EAAE,YAAY;YAClB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;WAQG;QACH,UAAU,EAAE;YACV,IAAI,EAAE,YAAY;YAClB,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;WAUG;QACH,gBAAgB,EAAE;YAChB,IAAI,EAAE,kBAAkB;YACxB,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;WAmBG;QACH,YAAY,EAAE;YACZ,IAAI,EAAE,cAAc;YACpB,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,qBAAqB;YACxB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/query_pb.d.ts

@@ -1,7 +1,7 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { ApiResourceAuditActorSchema } from "../../../commons/apiresource/status_pb";
 import type { IdentityAccountSchema } from "./api_pb";
-import type { IdentityAccountEmailSchema, IdentityAccountIdSchema, IdpIdSchema } from "./io_pb";
+import type { ExternalSubLookupSchema, IdentityAccountEmailSchema, IdentityAccountIdSchema, IdpIdSchema } from "./io_pb";
 import type { EmptySchema } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/query.proto.
@@ -39,7 +39,10 @@ export declare const IdentityAccountQueryController: GenService<{
         output: typeof IdentityAccountSchema;
     };
     /**
-     * Get an identity account by email address.
+     * Get a direct identity account by email address.
+     *
+     * Only returns direct (non-federated) accounts. Federated accounts are not
+     * returned by this RPC — use getByExternalSub for IdP-scoped federated lookups.
      *
      * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByEmail
      */
@@ -49,7 +52,11 @@ export declare const IdentityAccountQueryController: GenService<{
         output: typeof IdentityAccountSchema;
     };
     /**
-     * Get an identity account by identity provider ID.
+     * Get an identity account by identity provider ID (Auth0 subject).
+     *
+     * Primarily used for direct and machine accounts where the IDP ID is
+     * the Auth0 user_id or client_id. For federated account lookups,
+     * use getByExternalSub which is scoped to a specific identity provider.
      *
      * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByIdpId
      */
@@ -58,6 +65,22 @@ export declare const IdentityAccountQueryController: GenService<{
         input: typeof IdpIdSchema;
         output: typeof IdentityAccountSchema;
     };
+    /**
+     * Get a federated identity account by identity provider reference and external subject.
+     *
+     * Used by platform backends to check whether a federated account already exists
+     * for a given OIDC subject before calling createFederatedAccount.
+     *
+     * Authorization: Requires can_create_identity_account on the organization
+     * that owns the identity provider.
+     *
+     * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByExternalSub
+     */
+    getByExternalSub: {
+        methodKind: "unary";
+        input: typeof ExternalSubLookupSchema;
+        output: typeof IdentityAccountSchema;
+    };
     /**
      * Get lightweight actor information for an identity account.
      *

package/ai/stigmer/iam/identityaccount/v1/query_pb.js

@@ -4,14 +4,14 @@
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
 import { file_ai_stigmer_commons_apiresource_status } from "../../../commons/apiresource/status_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_api } from "./api_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_io } from "./io_pb";
 import { file_google_protobuf_empty } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/query.proto.
  */
-export const file_ai_stigmer_iam_identityaccount_v1_query = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvcXVlcnkucHJvdG8SIWFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MTKuBgoeSWRlbnRpdHlBY2NvdW50UXVlcnlDb250cm9sbGVyEqYBCgNnZXQSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjXCuBgxCAMQCyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byBnZXQgaWRlbnRpdHkgYWNjb3VudBJaCgZ3aG9BbUkSFi5nb29nbGUucHJvdG9idWYuRW1wdHkaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IgTQuBgBErABCgpnZXRCeUVtYWlsEjcuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudEVtYWlsGjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCI1wrgYMQgDEAsiBXZhbHVlKiR1bmF1dGhvcml6ZWQgdG8gZ2V0IGlkZW50aXR5IGFjY291bnQSoQEKCmdldEJ5SWRwSWQSKC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRwSWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjXCuBgxCAMQCyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byBnZXQgaWRlbnRpdHkgYWNjb3VudBKpAQoMZ2V0QWN0b3JJbmZvEjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudElkGjUuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlQXVkaXRBY3RvciIswrgYKAgDEAsqInVuYXV0aG9yaXplZCB0byBsb29rIHVwIGFjdG9yIGluZm8aBKD/KwtiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_apiresource_status, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
+export const file_ai_stigmer_iam_identityaccount_v1_query = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvcXVlcnkucHJvdG8SIWFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MTL8BwoeSWRlbnRpdHlBY2NvdW50UXVlcnlDb250cm9sbGVyEqYBCgNnZXQSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjXCuBgxCAEQCyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byBnZXQgaWRlbnRpdHkgYWNjb3VudBJaCgZ3aG9BbUkSFi5nb29nbGUucHJvdG9idWYuRW1wdHkaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IgTQuBgBErABCgpnZXRCeUVtYWlsEjcuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudEVtYWlsGjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCI1wrgYMQgBEAsiBXZhbHVlKiR1bmF1dGhvcml6ZWQgdG8gZ2V0IGlkZW50aXR5IGFjY291bnQSoQEKCmdldEJ5SWRwSWQSKC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRwSWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjXCuBgxCAEQCyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byBnZXQgaWRlbnRpdHkgYWNjb3VudBLLAQoQZ2V0QnlFeHRlcm5hbFN1YhI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5FeHRlcm5hbFN1Ykxvb2t1cBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiTcK4GEkIFRAeIgNvcmcqPnVuYXV0aG9yaXplZCB0byBsb29rIHVwIGlkZW50aXR5IGFjY291bnRzIGluIHRoaXMgb3JnYW5pemF0aW9uEqkBCgxnZXRBY3RvckluZm8SNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaNS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VBdWRpdEFjdG9yIizCuBgoCAEQCyoidW5hdXRob3JpemVkIHRvIGxvb2sgdXAgYWN0b3IgaW5mbxoEoP8rC2IGcHJvdG8z", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_apiresource_status, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
 /**
  * IdentityAccountQueryController handles read operations for identity accounts.
  *

package/ai/stigmer/iam/identityaccount/v1/query_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,gIAAgI;AAChI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AACpG,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,4rCAA4rC,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,gEAAgE,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEr+C;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAuEtC,aAAa,CAChB,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,gIAAgI;AAChI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AACpG,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,88CAA88C,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,0CAA0C,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEjuD;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GA8FtC,aAAa,CAChB,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/spec_pb.d.ts

@@ -18,7 +18,8 @@ export declare const file_ai_stigmer_iam_identityaccount_v1_spec: GenFile;
  * All FGA tuples use identity_account as the principal type.
  * Provisioning details:
  * - direct: Auth0 subject ID (e.g., "auth0|abc123")
- * - federated: compound key "federated:{provider_id}:{external_sub}"
+ * - federated: raw OIDC sub claim (e.g., "google-oauth2|109876543210"),
+ *   scoped by identity_provider_ref
  * - machine: Auth0 client ID with "@clients" suffix
  *
  * @generated from message ai.stigmer.iam.identityaccount.v1.IdentityAccountSpec
@@ -28,8 +29,9 @@ export type IdentityAccountSpec = Message<"ai.stigmer.iam.identityaccount.v1.Ide
      * IDP ID of the identity account.
      *
      * For direct accounts: the Auth0 subject ID (e.g., "auth0|abc123").
-     * For federated accounts: a compound key ensuring global uniqueness across
-     * identity providers (e.g., "federated:idp_01JXY:auth0|user-456").
+     * For federated accounts: the raw OIDC sub claim from the external identity
+     * provider (e.g., "google-oauth2|109876543210"). Uniqueness is scoped by
+     * identity_provider_ref — the pair (identity_provider_ref, idp_id) is unique.
      * For machine accounts: the Auth0 client ID with "@clients" suffix.
      *
      * @generated from field: string idp_id = 1;
@@ -38,8 +40,7 @@ export type IdentityAccountSpec = Message<"ai.stigmer.iam.identityaccount.v1.Ide
     /**
      * Email of the identity account.
      * For direct accounts: based on the email used to sign up.
-     * For federated accounts: fetched from the IdentityProvider's UserInfo endpoint
-     * during JIT provisioning.
+     * For federated accounts: provided by the platform when creating the account.
      * (ignored for create) this value is assigned by backend.
      *
      * @generated from field: string email = 2;
@@ -82,9 +83,10 @@ export type IdentityAccountSpec = Message<"ai.stigmer.iam.identityaccount.v1.Ide
      */
     provisioningMode: IdentityAccountProvisioningMode;
     /**
-     * Reference to the IdentityProvider that provisioned this account.
+     * Reference to the IdentityProvider that owns this federated account.
      * Set only when provisioning_mode is FEDERATED. Identifies which external
-     * platform's trust relationship created this account during federated auth.
+     * platform's identity provider scopes this account. Together with idp_id,
+     * forms the unique identity for federated accounts.
      * (ignored for create) this value is assigned by backend.
      *
      * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 8;

package/ai/stigmer/iam/identityaccount/v1/spec_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,2CAA2C,EAAE,MAAM,WAAW,CAAC;AACxE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,kjBAAkjB,EAAE,CAAC,sCAAsC,EAAE,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AA+FlrB;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,2CAA2C,EAAE,MAAM,WAAW,CAAC;AACxE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,kjBAAkjB,EAAE,CAAC,sCAAsC,EAAE,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAiGlrB;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/command_pb.js

@@ -4,12 +4,12 @@
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_io } from "../../../commons/apiresource/io_pb";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_identityprovider_v1_api } from "./api_pb";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/command.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_command = /*@__PURE__*/ fileDesc("CjBhaS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL2NvbW1hbmQucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEy3gUKIUlkZW50aXR5UHJvdmlkZXJDb21tYW5kQ29udHJvbGxlchJzCgVhcHBseRI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlcho0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlchLLAQoGY3JlYXRlEjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlwcm92aWRlci52MS5JZGVudGl0eVByb3ZpZGVyGjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlwcm92aWRlci52MS5JZGVudGl0eVByb3ZpZGVyIlXCuBhRCBgQHiIMbWV0YWRhdGEub3JnKj11bmF1dGhvcml6ZWQgdG8gY3JlYXRlIGlkZW50aXR5IHByb3ZpZGVyIGluIHRoaXMgb3JnYW5pemF0aW9uErUBCgZ1cGRhdGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiP8K4GDsIBBAVIgttZXRhZGF0YS5pZCoodW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBwcm92aWRlchK3AQoGZGVsZXRlEjYuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlRGVsZXRlSW5wdXQaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiP8K4GDsIAhAVIgtyZXNvdXJjZV9pZCoodW5hdXRob3JpemVkIHRvIGRlbGV0ZSBpZGVudGl0eSBwcm92aWRlchoEoP8rFWIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityprovider_v1_api]);
+export const file_ai_stigmer_iam_identityprovider_v1_command = /*@__PURE__*/ fileDesc("CjBhaS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL2NvbW1hbmQucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEy3gUKIUlkZW50aXR5UHJvdmlkZXJDb21tYW5kQ29udHJvbGxlchJzCgVhcHBseRI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlcho0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlchLLAQoGY3JlYXRlEjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlwcm92aWRlci52MS5JZGVudGl0eVByb3ZpZGVyGjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlwcm92aWRlci52MS5JZGVudGl0eVByb3ZpZGVyIlXCuBhRCAsQHiIMbWV0YWRhdGEub3JnKj11bmF1dGhvcml6ZWQgdG8gY3JlYXRlIGlkZW50aXR5IHByb3ZpZGVyIGluIHRoaXMgb3JnYW5pemF0aW9uErUBCgZ1cGRhdGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiP8K4GDsIAhAVIgttZXRhZGF0YS5pZCoodW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBwcm92aWRlchK3AQoGZGVsZXRlEjYuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlRGVsZXRlSW5wdXQaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiP8K4GDsIAxAVIgtyZXNvdXJjZV9pZCoodW5hdXRob3JpemVkIHRvIGRlbGV0ZSBpZGVudGl0eSBwcm92aWRlchoEoP8rFWIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_identityprovider_v1_api]);
 /**
  * IdentityProviderCommandController provides write operations for identity providers.
  *

package/ai/stigmer/iam/identityprovider/v1/command_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oIAAoI;AACpI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,MAAM,+CAA+C,GAAY,aAAa,CACnF,QAAQ,CAAC,slCAAslC,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,gEAAgE,EAAE,2CAA2C,CAAC,CAAC,CAAC;AAErzC;;;;GAIG;AACH,MAAM,CAAC,MAAM,iCAAiC,GA+DzC,aAAa,CAChB,WAAW,CAAC,+CAA+C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oIAAoI;AACpI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,MAAM,+CAA+C,GAAY,aAAa,CACnF,QAAQ,CAAC,slCAAslC,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,0CAA0C,EAAE,2CAA2C,CAAC,CAAC,CAAC;AAE/xC;;;;GAIG;AACH,MAAM,CAAC,MAAM,iCAAiC,GA+DzC,aAAa,CAChB,WAAW,CAAC,+CAA+C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/io_pb.d.ts

@@ -65,3 +65,91 @@ export type IdentityProviderList = Message<"ai.stigmer.iam.identityprovider.v1.I
  * Use `create(IdentityProviderListSchema)` to create a new message.
  */
 export declare const IdentityProviderListSchema: GenMessage<IdentityProviderList>;
+/**
+ * ListIdentityProvidersByOrgInput specifies the organization whose identity
+ * providers should be returned.
+ *
+ * @generated from message ai.stigmer.iam.identityprovider.v1.ListIdentityProvidersByOrgInput
+ */
+export type ListIdentityProvidersByOrgInput = Message<"ai.stigmer.iam.identityprovider.v1.ListIdentityProvidersByOrgInput"> & {
+    /**
+     * Organization slug to list identity providers for.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.ListIdentityProvidersByOrgInput.
+ * Use `create(ListIdentityProvidersByOrgInputSchema)` to create a new message.
+ */
+export declare const ListIdentityProvidersByOrgInputSchema: GenMessage<ListIdentityProvidersByOrgInput>;
+/**
+ * OrganizationSsoLookup identifies an organization for SSO provider discovery.
+ * Used by the web app's login page to determine whether an organization has
+ * SSO enabled and to retrieve the OIDC configuration needed to initiate login.
+ *
+ * @generated from message ai.stigmer.iam.identityprovider.v1.OrganizationSsoLookup
+ */
+export type OrganizationSsoLookup = Message<"ai.stigmer.iam.identityprovider.v1.OrganizationSsoLookup"> & {
+    /**
+     * Organization slug to look up SSO configuration for.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.OrganizationSsoLookup.
+ * Use `create(OrganizationSsoLookupSchema)` to create a new message.
+ */
+export declare const OrganizationSsoLookupSchema: GenMessage<OrganizationSsoLookup>;
+/**
+ * SsoProviderInfo contains the minimal OIDC configuration the web app needs
+ * to render an SSO login button and initiate the Authorization Code flow.
+ *
+ * This is a projection of the full IdentityProvider resource, exposing only
+ * the fields safe for unauthenticated access. Internal configuration such as
+ * JWKS URI, rate limits, and userinfo endpoint is intentionally excluded.
+ *
+ * @generated from message ai.stigmer.iam.identityprovider.v1.SsoProviderInfo
+ */
+export type SsoProviderInfo = Message<"ai.stigmer.iam.identityprovider.v1.SsoProviderInfo"> & {
+    /**
+     * Display name of the SSO provider (e.g., "Acme Corp Okta").
+     * Shown on the login button: "Sign in with [display_name]".
+     *
+     * @generated from field: string display_name = 1;
+     */
+    displayName: string;
+    /**
+     * OIDC client ID for initiating the Authorization Code flow with PKCE.
+     *
+     * @generated from field: string oidc_client_id = 2;
+     */
+    oidcClientId: string;
+    /**
+     * OIDC issuer URL. The web app appends /.well-known/openid-configuration
+     * to discover the authorization_endpoint, token_endpoint, and other
+     * OIDC metadata required for the login flow.
+     *
+     * @generated from field: string issuer = 3;
+     */
+    issuer: string;
+    /**
+     * Expected JWT audience value for the OIDC token request.
+     * The web app passes this as the audience parameter when initiating the
+     * Authorization Code flow. Some IdPs (e.g., Auth0) require it to issue
+     * a JWT access token with the correct aud claim; others determine the
+     * audience from server-side configuration and ignore this parameter.
+     * Empty means the web app should omit the audience parameter.
+     *
+     * @generated from field: string expected_audience = 4;
+     */
+    expectedAudience: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.SsoProviderInfo.
+ * Use `create(SsoProviderInfoSchema)` to create a new message.
+ */
+export declare const SsoProviderInfoSchema: GenMessage<SsoProviderInfo>;