@stigmer/protos 0.0.72 → 0.0.73

package/ai/stigmer/iam/identityprovider/v1/io_pb.js

@@ -7,7 +7,7 @@ import { file_buf_validate_validate } from "../../../../../buf/validate/validate
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/io.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_io = /*@__PURE__*/ fileDesc("CithaS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL2lvLnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxIi4KEklkZW50aXR5UHJvdmlkZXJJZBIYCgV2YWx1ZRgBIAEoCUIJukgGcgQQARhAIloKEUlkZW50aXR5UHJvdmlkZXJzEkUKB2VudHJpZXMYASADKAsyNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIicgoUSWRlbnRpdHlQcm92aWRlckxpc3QSEwoLdG90YWxfcGFnZXMYASABKAUSRQoHZW50cmllcxgCIAMoCzI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlcmIGcHJvdG8z", [file_ai_stigmer_iam_identityprovider_v1_api, file_buf_validate_validate]);
+export const file_ai_stigmer_iam_identityprovider_v1_io = /*@__PURE__*/ fileDesc("CithaS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL2lvLnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxIi4KEklkZW50aXR5UHJvdmlkZXJJZBIYCgV2YWx1ZRgBIAEoCUIJukgGcgQQARhAIloKEUlkZW50aXR5UHJvdmlkZXJzEkUKB2VudHJpZXMYASADKAsyNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIicgoUSWRlbnRpdHlQcm92aWRlckxpc3QSEwoLdG90YWxfcGFnZXMYASABKAUSRQoHZW50cmllcxgCIAMoCzI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlciI3Ch9MaXN0SWRlbnRpdHlQcm92aWRlcnNCeU9yZ0lucHV0EhQKA29yZxgBIAEoCUIHukgEcgIQASItChVPcmdhbml6YXRpb25Tc29Mb29rdXASFAoDb3JnGAEgASgJQge6SARyAhABImoKD1Nzb1Byb3ZpZGVySW5mbxIUCgxkaXNwbGF5X25hbWUYASABKAkSFgoOb2lkY19jbGllbnRfaWQYAiABKAkSDgoGaXNzdWVyGAMgASgJEhkKEWV4cGVjdGVkX2F1ZGllbmNlGAQgASgJYgZwcm90bzM", [file_ai_stigmer_iam_identityprovider_v1_api, file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.iam.identityprovider.v1.IdentityProviderId.
  * Use `create(IdentityProviderIdSchema)` to create a new message.
@@ -23,4 +23,19 @@ export const IdentityProvidersSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer
  * Use `create(IdentityProviderListSchema)` to create a new message.
  */
 export const IdentityProviderListSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityprovider_v1_io, 2);
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.ListIdentityProvidersByOrgInput.
+ * Use `create(ListIdentityProvidersByOrgInputSchema)` to create a new message.
+ */
+export const ListIdentityProvidersByOrgInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityprovider_v1_io, 3);
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.OrganizationSsoLookup.
+ * Use `create(OrganizationSsoLookupSchema)` to create a new message.
+ */
+export const OrganizationSsoLookupSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityprovider_v1_io, 4);
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.SsoProviderInfo.
+ * Use `create(SsoProviderInfoSchema)` to create a new message.
+ */
+export const SsoProviderInfoSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityprovider_v1_io, 5);
 //# sourceMappingURL=io_pb.js.map

package/ai/stigmer/iam/identityprovider/v1/io_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAY,aAAa,CAC9E,QAAQ,CAAC,8cAA8c,EAAE,CAAC,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBtiB;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAmC,aAAa,CACnF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAgB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAuB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAY,aAAa,CAC9E,QAAQ,CAAC,yuBAAyuB,EAAE,CAAC,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBj0B;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAmC,aAAa,CACnF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAgB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAuB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAiB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAAgD,aAAa,CAC7G,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAkB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAsC,aAAa,CACzF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAkD7D;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAgC,aAAa,CAC7E,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/query_connect.d.ts

@@ -38,5 +38,44 @@ export declare const IdentityProviderQueryController: {
             readonly O: any;
             readonly kind: any;
         };
+        /**
+         * List all identity providers belonging to an organization.
+         *
+         * Returns every IdentityProvider whose metadata.org matches the input org.
+         * Typically a small set (1-3 per org), so results are not paginated.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the organization resource.
+         *
+         * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.listByOrg
+         */
+        readonly listByOrg: {
+            readonly name: "listByOrg";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Look up the SSO identity provider for an organization.
+         *
+         * Returns the SSO-relevant projection (display name, OIDC client ID, issuer)
+         * of the IdentityProvider where is_sso_provider is true for the given org.
+         * Returns NOT_FOUND if the organization has no SSO provider configured.
+         *
+         * This endpoint is called by the web app's login page before the user has
+         * authenticated, so it requires no authorization. The response intentionally
+         * omits internal IdP configuration (JWKS URI, rate limits, userinfo endpoint).
+         *
+         * @internal
+         * Authorization: none — unauthenticated, public endpoint for login page rendering.
+         *
+         * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getSsoProvider
+         */
+        readonly getSsoProvider: {
+            readonly name: "getSsoProvider";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
     };
 };

package/ai/stigmer/iam/identityprovider/v1/query_connect.js

@@ -43,6 +43,45 @@ export const IdentityProviderQueryController = {
             O: IdentityProvider,
             kind: MethodKind.Unary,
         },
+        /**
+         * List all identity providers belonging to an organization.
+         *
+         * Returns every IdentityProvider whose metadata.org matches the input org.
+         * Typically a small set (1-3 per org), so results are not paginated.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the organization resource.
+         *
+         * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.listByOrg
+         */
+        listByOrg: {
+            name: "listByOrg",
+            I: ListIdentityProvidersByOrgInput,
+            O: IdentityProviders,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Look up the SSO identity provider for an organization.
+         *
+         * Returns the SSO-relevant projection (display name, OIDC client ID, issuer)
+         * of the IdentityProvider where is_sso_provider is true for the given org.
+         * Returns NOT_FOUND if the organization has no SSO provider configured.
+         *
+         * This endpoint is called by the web app's login page before the user has
+         * authenticated, so it requires no authorization. The response intentionally
+         * omits internal IdP configuration (JWKS URI, rate limits, userinfo endpoint).
+         *
+         * @internal
+         * Authorization: none — unauthenticated, public endpoint for login page rendering.
+         *
+         * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getSsoProvider
+         */
+        getSsoProvider: {
+            name: "getSsoProvider",
+            I: OrganizationSsoLookup,
+            O: SsoProviderInfo,
+            kind: MethodKind.Unary,
+        },
     }
 };
 //# sourceMappingURL=query_connect.js.map

package/ai/stigmer/iam/identityprovider/v1/query_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;;;;WAOG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;WAWG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;;;;WAOG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;WAWG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;WAUG;QACH,SAAS,EAAE;YACT,IAAI,EAAE,WAAW;YACjB,CAAC,EAAE,+BAA+B;YAClC,CAAC,EAAE,iBAAiB;YACpB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,qBAAqB;YACxB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/query_pb.d.ts

@@ -1,6 +1,7 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { ApiResourceIdSchema, ApiResourceReferenceSchema } from "../../../commons/apiresource/io_pb";
 import type { IdentityProviderSchema } from "./api_pb";
+import type { IdentityProvidersSchema, ListIdentityProvidersByOrgInputSchema, OrganizationSsoLookupSchema, SsoProviderInfoSchema } from "./io_pb";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/query.proto.
  */
@@ -41,4 +42,41 @@ export declare const IdentityProviderQueryController: GenService<{
         input: typeof ApiResourceReferenceSchema;
         output: typeof IdentityProviderSchema;
     };
+    /**
+     * List all identity providers belonging to an organization.
+     *
+     * Returns every IdentityProvider whose metadata.org matches the input org.
+     * Typically a small set (1-3 per org), so results are not paginated.
+     *
+     * @internal
+     * Authorization: Requires can_view permission on the organization resource.
+     *
+     * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.listByOrg
+     */
+    listByOrg: {
+        methodKind: "unary";
+        input: typeof ListIdentityProvidersByOrgInputSchema;
+        output: typeof IdentityProvidersSchema;
+    };
+    /**
+     * Look up the SSO identity provider for an organization.
+     *
+     * Returns the SSO-relevant projection (display name, OIDC client ID, issuer)
+     * of the IdentityProvider where is_sso_provider is true for the given org.
+     * Returns NOT_FOUND if the organization has no SSO provider configured.
+     *
+     * This endpoint is called by the web app's login page before the user has
+     * authenticated, so it requires no authorization. The response intentionally
+     * omits internal IdP configuration (JWKS URI, rate limits, userinfo endpoint).
+     *
+     * @internal
+     * Authorization: none — unauthenticated, public endpoint for login page rendering.
+     *
+     * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getSsoProvider
+     */
+    getSsoProvider: {
+        methodKind: "unary";
+        input: typeof OrganizationSsoLookupSchema;
+        output: typeof SsoProviderInfoSchema;
+    };
 }>;

package/ai/stigmer/iam/identityprovider/v1/query_pb.js

@@ -4,12 +4,13 @@
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_io } from "../../../commons/apiresource/io_pb";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_identityprovider_v1_api } from "./api_pb";
+import { file_ai_stigmer_iam_identityprovider_v1_io } from "./io_pb";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/query.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_query = /*@__PURE__*/ fileDesc("Ci5haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3F1ZXJ5LnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxMtICCh9JZGVudGl0eVByb3ZpZGVyUXVlcnlDb250cm9sbGVyEqMBCgNnZXQSLS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VJZBo0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlciI3wrgYMwgDEBUiBXZhbHVlKiZ1bmF1dGhvcml6ZWQgdG8gdmlldyBpZGVudGl0eSBwcm92aWRlchKCAQoOZ2V0QnlSZWZlcmVuY2USNC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VSZWZlcmVuY2UaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiBNC4GAEaBKD/KxViBnByb3RvMw", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityprovider_v1_api]);
+export const file_ai_stigmer_iam_identityprovider_v1_query = /*@__PURE__*/ fileDesc("Ci5haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3F1ZXJ5LnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxMrIFCh9JZGVudGl0eVByb3ZpZGVyUXVlcnlDb250cm9sbGVyEqMBCgNnZXQSLS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VJZBo0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlciI3wrgYMwgBEBUiBXZhbHVlKiZ1bmF1dGhvcml6ZWQgdG8gdmlldyBpZGVudGl0eSBwcm92aWRlchKCAQoOZ2V0QnlSZWZlcmVuY2USNC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VSZWZlcmVuY2UaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiBNC4GAES1AEKCWxpc3RCeU9yZxJDLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuTGlzdElkZW50aXR5UHJvdmlkZXJzQnlPcmdJbnB1dBo1LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlcnMiS8K4GEcIARAeIgNvcmcqPHVuYXV0aG9yaXplZCB0byBsaXN0IGlkZW50aXR5IHByb3ZpZGVycyBpbiB0aGlzIG9yZ2FuaXphdGlvbhKGAQoOZ2V0U3NvUHJvdmlkZXISOS5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLk9yZ2FuaXphdGlvblNzb0xvb2t1cBozLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuU3NvUHJvdmlkZXJJbmZvIgTQuBgBGgSg/ysVYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_identityprovider_v1_api, file_ai_stigmer_iam_identityprovider_v1_io]);
 /**
  * IdentityProviderQueryController provides read operations for identity providers.
  *

package/ai/stigmer/iam/identityprovider/v1/query_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,MAAM,6CAA6C,GAAY,aAAa,CACjF,QAAQ,CAAC,okBAAokB,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,gEAAgE,EAAE,2CAA2C,CAAC,CAAC,CAAC;AAEnyB;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GA+BvC,aAAa,CAChB,WAAW,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE,OAAO,EAAE,0CAA0C,EAAE,MAAM,SAAS,CAAC;AAErE;;GAEG;AACH,MAAM,CAAC,MAAM,6CAA6C,GAAY,aAAa,CACjF,QAAQ,CAAC,yhCAAyhC,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,0CAA0C,EAAE,2CAA2C,EAAE,0CAA0C,CAAC,CAAC,CAAC;AAE9wC;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAoEvC,aAAa,CAChB,WAAW,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/spec_pb.d.ts

@@ -9,18 +9,19 @@ export declare const file_ai_stigmer_iam_identityprovider_v1_spec: GenFile;
  *
  * An IdentityProvider represents an external platform's trust relationship with Stigmer.
  * It is owned by an organization (e.g., "planton") and configures how Stigmer validates
- * tokens from that platform during token exchange. The platform forwards its OIDC
- * provider's access tokens to Stigmer's token exchange endpoint, which:
- * - Validates the token signature against the configured JWKS
- * - Fetches user profile data from the OIDC UserInfo endpoint
- * - JIT-provisions a federated identity account with email, name, and picture
- * - Issues a Stigmer-native token for subsequent API access
+ * tokens from that platform. When a user authenticates with a JWT issued by this provider,
+ * Stigmer validates the token signature against the configured JWKS and resolves the
+ * user's federated identity account by the JWT's sub claim and this provider's reference.
+ *
+ * For platform-managed IdPs, the platform is responsible for explicitly creating
+ * federated identity accounts before users can authenticate. For SSO providers
+ * (is_sso_provider = true), Stigmer auto-provisions accounts on first login.
  *
  * The spec contains only public validation configuration — no secrets are stored.
  * For OIDC-based integrators (e.g., Auth0), the jwks_uri and userinfo_endpoint
  * point to the OIDC provider's standard endpoints.
  *
- * Example YAML:
+ * Example YAML (platform delegation):
  *   apiVersion: iam.stigmer.ai/v1
  *   kind: IdentityProvider
  *   metadata:
@@ -34,6 +35,21 @@ export declare const file_ai_stigmer_iam_identityprovider_v1_spec: GenFile;
  *     expected_audience: "https://api.planton.ai/"
  *     userinfo_endpoint: "https://planton-prod.us.auth0.com/userinfo"
  *
+ * Example YAML (self-managed SSO):
+ *   apiVersion: iam.stigmer.ai/v1
+ *   kind: IdentityProvider
+ *   metadata:
+ *     name: Acme Corp Okta
+ *     slug: acme-okta
+ *     org: acme
+ *   spec:
+ *     display_name: "Acme Corp Okta"
+ *     jwks_uri: "https://acme.okta.com/oauth2/default/v1/keys"
+ *     allowed_issuers: ["https://acme.okta.com/oauth2/default"]
+ *     expected_audience: "stigmer-api"
+ *     is_sso_provider: true
+ *     oidc_client_id: "0oa1bcdef2ghijk3lmno"
+ *
  * @generated from message ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec
  */
 export type IdentityProviderSpec = Message<"ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec"> & {
@@ -98,6 +114,43 @@ export type IdentityProviderSpec = Message<"ai.stigmer.iam.identityprovider.v1.I
      * @generated from field: string userinfo_endpoint = 6;
      */
     userinfoEndpoint: string;
+    /**
+     * Whether this identity provider serves as the SSO login provider for its
+     * owning organization.
+     *
+     * When true, the Stigmer web app offers a "Sign in with [display_name]"
+     * option on the organization's login page and initiates the OIDC
+     * Authorization Code flow with PKCE using the configured oidc_client_id.
+     *
+     * On first login, SSO users are auto-provisioned: Stigmer creates a
+     * federated identity account from the JWT's OIDC claims and grants the
+     * viewer role on the organization. Org admins can upgrade viewers to
+     * members when ready.
+     *
+     * Constraints:
+     * - At most one IdentityProvider per organization can be the SSO provider.
+     * - An IdP used for platform-managed organization delegation cannot also
+     *   serve as an SSO provider (different trust models).
+     *
+     * @generated from field: bool is_sso_provider = 7;
+     */
+    isSsoProvider: boolean;
+    /**
+     * OIDC client identifier for browser-based SSO login.
+     *
+     * This is the client_id registered with the external IdP (e.g., Okta,
+     * Azure AD) for Stigmer's web application. The web app uses this to
+     * build the OIDC Authorization Code request with PKCE.
+     *
+     * No client_secret is stored — the web app is a public client using PKCE
+     * (Proof Key for Code Exchange), which is the recommended approach for
+     * SPAs per OAuth 2.0 for Browser-Based Apps (RFC draft).
+     *
+     * Required when is_sso_provider is true; must be empty otherwise.
+     *
+     * @generated from field: string oidc_client_id = 8;
+     */
+    oidcClientId: string;
 };
 /**
  * Describes the message ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec.

package/ai/stigmer/iam/identityprovider/v1/spec_pb.js

@@ -6,7 +6,7 @@ import { file_buf_validate_validate } from "../../../../../buf/validate/validate
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/spec.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_spec = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3NwZWMucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEi0AEKFElkZW50aXR5UHJvdmlkZXJTcGVjEh4KDGRpc3BsYXlfbmFtZRgBIAEoCUIIukgFcgMYyAESGgoIandrc191cmkYAiABKAlCCLpIBXIDGIAQEhcKD2FsbG93ZWRfaXNzdWVycxgDIAMoCRIjChFleHBlY3RlZF9hdWRpZW5jZRgEIAEoCUIIukgFcgMYyAESGQoRcmF0ZV9saW1pdF9idWRnZXQYBSABKAUSIwoRdXNlcmluZm9fZW5kcG9pbnQYBiABKAlCCLpIBXIDGIAQYgZwcm90bzM", [file_buf_validate_validate]);
+export const file_ai_stigmer_iam_identityprovider_v1_spec = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3NwZWMucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEiiwIKFElkZW50aXR5UHJvdmlkZXJTcGVjEh4KDGRpc3BsYXlfbmFtZRgBIAEoCUIIukgFcgMYyAESGgoIandrc191cmkYAiABKAlCCLpIBXIDGIAQEhcKD2FsbG93ZWRfaXNzdWVycxgDIAMoCRIjChFleHBlY3RlZF9hdWRpZW5jZRgEIAEoCUIIukgFcgMYyAESGQoRcmF0ZV9saW1pdF9idWRnZXQYBSABKAUSIwoRdXNlcmluZm9fZW5kcG9pbnQYBiABKAlCCLpIBXIDGIAQEhcKD2lzX3Nzb19wcm92aWRlchgHIAEoCBIgCg5vaWRjX2NsaWVudF9pZBgIIAEoCUIIukgFcgMYgAJiBnByb3RvMw", [file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec.
  * Use `create(IdentityProviderSpecSchema)` to create a new message.

package/ai/stigmer/iam/identityprovider/v1/spec_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,iIAAiI;AACjI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,qZAAqZ,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC;AAuGhc;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,iIAAiI;AACjI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,oeAAoe,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC;AA8J/gB;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/invitation/v1/api_pb.d.ts

@@ -0,0 +1,132 @@
+import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { ApiResourceMetadata } from "../../../commons/apiresource/metadata_pb";
+import type { ApiResourceAudit } from "../../../commons/apiresource/status_pb";
+import type { InvitationState } from "./enum_pb";
+import type { InvitationSpec } from "./spec_pb";
+import type { Timestamp } from "@bufbuild/protobuf/wkt";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/iam/invitation/v1/api.proto.
+ */
+export declare const file_ai_stigmer_iam_invitation_v1_api: GenFile;
+/**
+ * Invitation is a shareable link that grants org membership with a configurable role.
+ *
+ * Invitations support two patterns:
+ * - Multi-use (max_redemptions = 0): persistent org invite link, suitable for
+ *   public sharing. Best paired with the viewer role to avoid cost exposure.
+ * - Single-use (max_redemptions = 1): targeted invitation for a specific person.
+ *
+ * The invite URL format is: https://<host>/invite/<token>
+ * where token is a server-generated cryptographically random value.
+ *
+ * Creating an invitation requires can_grant_access on the organization.
+ * Redeeming an invitation requires only a valid token and authentication.
+ *
+ * @generated from message ai.stigmer.iam.invitation.v1.Invitation
+ */
+export type Invitation = Message<"ai.stigmer.iam.invitation.v1.Invitation"> & {
+    /**
+     * API version for this resource type.
+     *
+     * @generated from field: string api_version = 1;
+     */
+    apiVersion: string;
+    /**
+     * Resource kind identifier.
+     *
+     * @generated from field: string kind = 2;
+     */
+    kind: string;
+    /**
+     * Resource metadata including name, organization, and labels.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceMetadata metadata = 3;
+     */
+    metadata?: ApiResourceMetadata;
+    /**
+     * User-provided invitation configuration: role, expiry, and redemption limits.
+     *
+     * @generated from field: ai.stigmer.iam.invitation.v1.InvitationSpec spec = 4;
+     */
+    spec?: InvitationSpec;
+    /**
+     * System-managed state: token, lifecycle state, and redemption history.
+     *
+     * @generated from field: ai.stigmer.iam.invitation.v1.InvitationStatus status = 5;
+     */
+    status?: InvitationStatus;
+};
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.Invitation.
+ * Use `create(InvitationSchema)` to create a new message.
+ */
+export declare const InvitationSchema: GenMessage<Invitation>;
+/**
+ * InvitationStatus contains system-managed state for an invitation.
+ *
+ * @generated from message ai.stigmer.iam.invitation.v1.InvitationStatus
+ */
+export type InvitationStatus = Message<"ai.stigmer.iam.invitation.v1.InvitationStatus"> & {
+    /**
+     * Server-generated cryptographically random token.
+     * Included in the invite URL: /invite/<token>
+     * Generated once at creation; immutable thereafter.
+     *
+     * @generated from field: string token = 1;
+     */
+    token: string;
+    /**
+     * Current lifecycle state of the invitation.
+     *
+     * @generated from field: ai.stigmer.iam.invitation.v1.InvitationState state = 2;
+     */
+    state: InvitationState;
+    /**
+     * Number of times this invitation has been successfully redeemed.
+     *
+     * @generated from field: int32 redemption_count = 3;
+     */
+    redemptionCount: number;
+    /**
+     * Audit trail of each successful redemption.
+     *
+     * @generated from field: repeated ai.stigmer.iam.invitation.v1.InvitationRedemption redemptions = 4;
+     */
+    redemptions: InvitationRedemption[];
+    /**
+     * Standard audit information (created_at, updated_at, created_by, etc.).
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceAudit audit = 99;
+     */
+    audit?: ApiResourceAudit;
+};
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.InvitationStatus.
+ * Use `create(InvitationStatusSchema)` to create a new message.
+ */
+export declare const InvitationStatusSchema: GenMessage<InvitationStatus>;
+/**
+ * InvitationRedemption records a single successful redemption event.
+ *
+ * @generated from message ai.stigmer.iam.invitation.v1.InvitationRedemption
+ */
+export type InvitationRedemption = Message<"ai.stigmer.iam.invitation.v1.InvitationRedemption"> & {
+    /**
+     * The identity account that redeemed the invitation.
+     *
+     * @generated from field: string identity_account_id = 1;
+     */
+    identityAccountId: string;
+    /**
+     * When the redemption occurred.
+     *
+     * @generated from field: google.protobuf.Timestamp redeemed_at = 2;
+     */
+    redeemedAt?: Timestamp;
+};
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.InvitationRedemption.
+ * Use `create(InvitationRedemptionSchema)` to create a new message.
+ */
+export declare const InvitationRedemptionSchema: GenMessage<InvitationRedemption>;

package/ai/stigmer/iam/invitation/v1/api_pb.js

@@ -0,0 +1,30 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/invitation/v1/api.proto (package ai.stigmer.iam.invitation.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_metadata } from "../../../commons/apiresource/metadata_pb";
+import { file_ai_stigmer_commons_apiresource_status } from "../../../commons/apiresource/status_pb";
+import { file_ai_stigmer_iam_invitation_v1_enum } from "./enum_pb";
+import { file_ai_stigmer_iam_invitation_v1_spec } from "./spec_pb";
+import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
+import { file_google_protobuf_timestamp } from "@bufbuild/protobuf/wkt";
+/**
+ * Describes the file ai/stigmer/iam/invitation/v1/api.proto.
+ */
+export const file_ai_stigmer_iam_invitation_v1_api = /*@__PURE__*/ fileDesc("CiZhaS9zdGlnbWVyL2lhbS9pbnZpdGF0aW9uL3YxL2FwaS5wcm90bxIcYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MSKnAgoKSW52aXRhdGlvbhItCgthcGlfdmVyc2lvbhgBIAEoCUIYukgVchMKEWlhbS5zdGlnbWVyLmFpL3YxEh8KBGtpbmQYAiABKAlCEbpIDnIMCgpJbnZpdGF0aW9uEk0KCG1ldGFkYXRhGAMgASgLMjMuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlTWV0YWRhdGFCBrpIA8gBARI6CgRzcGVjGAQgASgLMiwuYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MS5JbnZpdGF0aW9uU3BlYxI+CgZzdGF0dXMYBSABKAsyLi5haS5zdGlnbWVyLmlhbS5pbnZpdGF0aW9uLnYxLkludml0YXRpb25TdGF0dXMigwIKEEludml0YXRpb25TdGF0dXMSDQoFdG9rZW4YASABKAkSPAoFc3RhdGUYAiABKA4yLS5haS5zdGlnbWVyLmlhbS5pbnZpdGF0aW9uLnYxLkludml0YXRpb25TdGF0ZRIYChByZWRlbXB0aW9uX2NvdW50GAMgASgFEkcKC3JlZGVtcHRpb25zGAQgAygLMjIuYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MS5JbnZpdGF0aW9uUmVkZW1wdGlvbhI/CgVhdWRpdBhjIAEoCzIwLmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5BcGlSZXNvdXJjZUF1ZGl0ImQKFEludml0YXRpb25SZWRlbXB0aW9uEhsKE2lkZW50aXR5X2FjY291bnRfaWQYASABKAkSLwoLcmVkZWVtZWRfYXQYAiABKAsyGi5nb29nbGUucHJvdG9idWYuVGltZXN0YW1wYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_metadata, file_ai_stigmer_commons_apiresource_status, file_ai_stigmer_iam_invitation_v1_enum, file_ai_stigmer_iam_invitation_v1_spec, file_buf_validate_validate, file_google_protobuf_timestamp]);
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.Invitation.
+ * Use `create(InvitationSchema)` to create a new message.
+ */
+export const InvitationSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_invitation_v1_api, 0);
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.InvitationStatus.
+ * Use `create(InvitationStatusSchema)` to create a new message.
+ */
+export const InvitationStatusSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_invitation_v1_api, 1);
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.InvitationRedemption.
+ * Use `create(InvitationRedemptionSchema)` to create a new message.
+ */
+export const InvitationRedemptionSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_invitation_v1_api, 2);
+//# sourceMappingURL=api_pb.js.map

package/ai/stigmer/iam/invitation/v1/api_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/invitation/v1/api_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oHAAoH;AACpH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,4CAA4C,EAAE,MAAM,0CAA0C,CAAC;AAExG,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,sCAAsC,EAAE,MAAM,WAAW,CAAC;AAEnE,OAAO,EAAE,sCAAsC,EAAE,MAAM,WAAW,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAErF,OAAO,EAAE,8BAA8B,EAAE,MAAM,wBAAwB,CAAC;AAGxE;;GAEG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAAY,aAAa,CACzE,QAAQ,CAAC,69BAA69B,EAAE,CAAC,4CAA4C,EAAE,0CAA0C,EAAE,sCAAsC,EAAE,sCAAsC,EAAE,0BAA0B,EAAE,8BAA8B,CAAC,CAAC,CAAC;AAuDltC;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA2B,aAAa,CACnE,WAAW,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;AA8CxD;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;AAuBxD;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/invitation/v1/command_connect.d.ts

@@ -0,0 +1,79 @@
+/**
+ * InvitationCommandController handles write operations for invitations.
+ *
+ * @generated from service ai.stigmer.iam.invitation.v1.InvitationCommandController
+ */
+export declare const InvitationCommandController: {
+    readonly typeName: "ai.stigmer.iam.invitation.v1.InvitationCommandController";
+    readonly methods: {
+        /**
+         * Create an invitation link for an organization.
+         *
+         * Generates a cryptographically random token and returns the full
+         * invitation resource including the token. The invite URL is
+         * constructed as: https://<host>/invite/<token>
+         *
+         * The specified role must be in the organization's grantable_roles.
+         * Platform-managed organizations cannot create invitations.
+         *
+         * @internal
+         * Authorization: Requires can_grant_access permission on the organization.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.create
+         */
+        readonly create: {
+            readonly name: "create";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Revoke an active invitation, preventing further redemptions.
+         *
+         * Sets the invitation state to revoked. Idempotent — revoking an
+         * already-revoked invitation is a no-op.
+         *
+         * @internal
+         * Authorization is handled in the handler: loads the invitation,
+         * resolves its organization, and checks can_grant_access on the org.
+         * Proto-level auth is skipped because the input (InvitationId) does
+         * not directly identify the org.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.revoke
+         */
+        readonly revoke: {
+            readonly name: "revoke";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Redeem an invitation to join an organization.
+         *
+         * Creates an IAM policy granting the invitation's configured role to
+         * the authenticated user on the invitation's organization. The
+         * redemption is atomic: the IAM policy is created and the redemption
+         * count is incremented in a single operation.
+         *
+         * Validation:
+         * - Invitation must be in active state
+         * - Invitation must not be expired
+         * - Invitation must not have reached max_redemptions (if > 0)
+         * - Redeemer must not already be a member of the organization
+         *
+         * @internal
+         * Authorization: The token itself is the authorization mechanism.
+         * The redeemer's identity is resolved from the authentication header.
+         * FGA authorization is skipped — any authenticated user with a valid
+         * token can redeem.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.redeem
+         */
+        readonly redeem: {
+            readonly name: "redeem";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+    };
+};