@stigmer/protos 0.0.72 → 0.0.74

package/ai/stigmer/iam/iampolicy/v1/query_pb.d.ts

@@ -1,6 +1,6 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { IamPolicySchema } from "./api_pb";
-import type { AuthorizedPrincipalIdsListSchema, AuthorizedResourceIdsListSchema, CheckAuthorizationInputSchema, CheckAuthorizationResultSchema, IamPolicyIdSchema, ListAuthorizedPrincipalIdsInputSchema, ListAuthorizedResourceIdsInputSchema } from "./io_pb";
+import type { AuthorizedPrincipalIdsListSchema, AuthorizedResourceIdsListSchema, CheckAuthorizationInputSchema, CheckAuthorizationResultSchema, GetPrincipalsCountInputSchema, IamPolicyIdSchema, ListAuthorizedPrincipalIdsInputSchema, ListAuthorizedResourceIdsInputSchema, ListResourceAccessInputSchema, PrincipalResourceInputSchema, PrincipalResourceRolesSchema, PrincipalsCountSchema, ResourceAccessByPrincipalListSchema } from "./io_pb";
 /**
  * Describes the file ai/stigmer/iam/iampolicy/v1/query.proto.
  */
@@ -93,4 +93,67 @@ export declare const IamPolicyQueryController: GenService<{
         input: typeof ListAuthorizedPrincipalIdsInputSchema;
         output: typeof AuthorizedPrincipalIdsListSchema;
     };
+    /**
+     * List all principals and their roles on a resource, grouped by principal.
+     *
+     * This RPC answers: "Who has access to this resource, and what roles do they have?"
+     * Returns each principal with full display information and all their role grants,
+     * optionally including roles inherited from parent resources.
+     *
+     * Use Cases:
+     * - Organization members page (show all users and their roles)
+     * - Resource "Share" dialog (show who already has access)
+     * - Access audit views
+     *
+     * Input: ListResourceAccessInput with resource ref and include_inherited flag
+     * Output: ResourceAccessByPrincipalList with PrincipalAccess entries
+     *
+     * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.listResourceAccessByPrincipal
+     */
+    listResourceAccessByPrincipal: {
+        methodKind: "unary";
+        input: typeof ListResourceAccessInputSchema;
+        output: typeof ResourceAccessByPrincipalListSchema;
+    };
+    /**
+     * Get all roles a specific principal has on a specific resource.
+     *
+     * This RPC answers: "What roles does [principal] have on [resource]?"
+     * Returns role metadata (code, display name, description) for each assigned role.
+     *
+     * Use Cases:
+     * - Displaying a user's current role in a resource detail view
+     * - Pre-populating role selectors when editing access
+     * - Permission summary for a specific user-resource pair
+     *
+     * Input: PrincipalResourceInput with principal and resource refs
+     * Output: PrincipalResourceRoles with list of RoleInfo entries
+     *
+     * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.getPrincipalResourceRoles
+     */
+    getPrincipalResourceRoles: {
+        methodKind: "unary";
+        input: typeof PrincipalResourceInputSchema;
+        output: typeof PrincipalResourceRolesSchema;
+    };
+    /**
+     * Count distinct principals that have access to a resource.
+     *
+     * This RPC answers: "How many [principal-kind] have access to this organization?"
+     * Used for member count badges and summary statistics.
+     *
+     * Use Cases:
+     * - Organization members count badge in navigation
+     * - Settings page member summary
+     *
+     * Input: GetPrincipalsCountInput with org_id and principal_kind
+     * Output: PrincipalsCount with integer count
+     *
+     * @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.getPrincipalsCount
+     */
+    getPrincipalsCount: {
+        methodKind: "unary";
+        input: typeof GetPrincipalsCountInputSchema;
+        output: typeof PrincipalsCountSchema;
+    };
 }>;

package/ai/stigmer/iam/iampolicy/v1/query_pb.js

@@ -3,13 +3,13 @@
 /* eslint-disable */
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_iampolicy_v1_api } from "./api_pb";
 import { file_ai_stigmer_iam_iampolicy_v1_io } from "./io_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "./rpcauthorization/method_options_pb";
 /**
  * Describes the file ai/stigmer/iam/iampolicy/v1/query.proto.
  */
-export const file_ai_stigmer_iam_iampolicy_v1_query = /*@__PURE__*/ fileDesc("CidhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvcXVlcnkucHJvdG8SG2FpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MTLIBQoYSWFtUG9saWN5UXVlcnlDb250cm9sbGVyEoUBCgNnZXQSKC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5SWQaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IizCuBgoCAkqJHVuYXV0aG9yaXplZCB0byB2aWV3IGFjY2VzcyBwb2xpY2llcxKHAQoSY2hlY2tBdXRob3JpemF0aW9uEjQuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkNoZWNrQXV0aG9yaXphdGlvbklucHV0GjUuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkNoZWNrQXV0aG9yaXphdGlvblJlc3VsdCIE0LgYARLGAQoZbGlzdEF1dGhvcml6ZWRSZXNvdXJjZUlkcxI7LmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5MaXN0QXV0aG9yaXplZFJlc291cmNlSWRzSW5wdXQaNi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuQXV0aG9yaXplZFJlc291cmNlSWRzTGlzdCI0wrgYMAgJKix1bmF1dGhvcml6ZWQgdG8gdmlldyBhdXRob3JpemVkIHJlc291cmNlIGlkcxLKAQoabGlzdEF1dGhvcml6ZWRQcmluY2lwYWxJZHMSPC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuTGlzdEF1dGhvcml6ZWRQcmluY2lwYWxJZHNJbnB1dBo3LmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5BdXRob3JpemVkUHJpbmNpcGFsSWRzTGlzdCI1wrgYMQgJKi11bmF1dGhvcml6ZWQgdG8gdmlldyBhdXRob3JpemVkIHByaW5jaXBhbCBpZHMaBKD/KwpiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_io, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options]);
+export const file_ai_stigmer_iam_iampolicy_v1_query = /*@__PURE__*/ fileDesc("CidhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvcXVlcnkucHJvdG8SG2FpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MTLqCQoYSWFtUG9saWN5UXVlcnlDb250cm9sbGVyEoUBCgNnZXQSKC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5SWQaJi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuSWFtUG9saWN5IizCuBgoCAUqJHVuYXV0aG9yaXplZCB0byB2aWV3IGFjY2VzcyBwb2xpY2llcxKHAQoSY2hlY2tBdXRob3JpemF0aW9uEjQuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkNoZWNrQXV0aG9yaXphdGlvbklucHV0GjUuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkNoZWNrQXV0aG9yaXphdGlvblJlc3VsdCIE0LgYARLGAQoZbGlzdEF1dGhvcml6ZWRSZXNvdXJjZUlkcxI7LmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5MaXN0QXV0aG9yaXplZFJlc291cmNlSWRzSW5wdXQaNi5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuQXV0aG9yaXplZFJlc291cmNlSWRzTGlzdCI0wrgYMAgFKix1bmF1dGhvcml6ZWQgdG8gdmlldyBhdXRob3JpemVkIHJlc291cmNlIGlkcxLKAQoabGlzdEF1dGhvcml6ZWRQcmluY2lwYWxJZHMSPC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuTGlzdEF1dGhvcml6ZWRQcmluY2lwYWxJZHNJbnB1dBo3LmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5BdXRob3JpemVkUHJpbmNpcGFsSWRzTGlzdCI1wrgYMQgFKi11bmF1dGhvcml6ZWQgdG8gdmlldyBhdXRob3JpemVkIHByaW5jaXBhbCBpZHMSvwEKHWxpc3RSZXNvdXJjZUFjY2Vzc0J5UHJpbmNpcGFsEjQuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkxpc3RSZXNvdXJjZUFjY2Vzc0lucHV0GjouYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLlJlc291cmNlQWNjZXNzQnlQcmluY2lwYWxMaXN0IizCuBgoCAUqJHVuYXV0aG9yaXplZCB0byB2aWV3IHJlc291cmNlIGFjY2VzcxKzAQoZZ2V0UHJpbmNpcGFsUmVzb3VyY2VSb2xlcxIzLmFpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MS5QcmluY2lwYWxSZXNvdXJjZUlucHV0GjMuYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLlByaW5jaXBhbFJlc291cmNlUm9sZXMiLMK4GCgIBSokdW5hdXRob3JpemVkIHRvIHZpZXcgcHJpbmNpcGFsIHJvbGVzEqcBChJnZXRQcmluY2lwYWxzQ291bnQSNC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuR2V0UHJpbmNpcGFsc0NvdW50SW5wdXQaLC5haS5zdGlnbWVyLmlhbS5pYW1wb2xpY3kudjEuUHJpbmNpcGFsc0NvdW50Ii3CuBgpCAUqJXVuYXV0aG9yaXplZCB0byB2aWV3IHByaW5jaXBhbHMgY291bnQaBKD/KwpiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_io]);
 /**
  * IamPolicyQueryController handles read operations for IAM policies.
  *

package/ai/stigmer/iam/iampolicy/v1/query_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oHAAoH;AACpH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,oCAAoC,EAAE,MAAM,UAAU,CAAC;AAEhE,OAAO,EAAE,mCAAmC,EAAE,MAAM,SAAS,CAAC;AAC9D,OAAO,EAAE,gEAAgE,EAAE,MAAM,sCAAsC,CAAC;AAExH;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,oiCAAoiC,EAAE,CAAC,uDAAuD,EAAE,oCAAoC,EAAE,mCAAmC,EAAE,gEAAgE,CAAC,CAAC,CAAC;AAEzvC;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAmFhC,aAAa,CAChB,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oHAAoH;AACpH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,oCAAoC,EAAE,MAAM,UAAU,CAAC;AAEhE,OAAO,EAAE,mCAAmC,EAAE,MAAM,SAAS,CAAC;AAE9D;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,4vDAA4vD,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,oCAAoC,EAAE,mCAAmC,CAAC,CAAC,CAAC;AAE37D;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAkJhC,aAAa,CAChB,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/iampolicy/v1/spec_pb.d.ts

@@ -36,7 +36,7 @@ export type IamPolicySpec = Message<"ai.stigmer.iam.iampolicy.v1.IamPolicySpec">
     resource?: ApiResourceRef;
     /**
      * The permission being granted (e.g., "admin", "viewer", "owner").
-     * Maps to the role_code from IamRole.
+     * Maps to a role_code from ai.stigmer.iam.v1.IamRole.
      * Examples: "admin", "editor", "viewer", "owner", "member"
      *
      * @internal

package/ai/stigmer/iam/identityaccount/v1/command_connect.d.ts

@@ -10,7 +10,7 @@ export declare const IdentityAccountCommandController: {
          * Create a new identity account.
          *
          * @internal
-         * System-level RPC used by federated JIT provisioning and Auth0 webhook flow.
+         * System-level RPC used by Auth0 webhook flow and federated account creation.
          * No FGA authorization — called via inProcessChannelAsSystem (machine account).
          * The handler's createAuthorizationTuples step writes the self-ownership tuple after creation.
          *
@@ -50,6 +50,66 @@ export declare const IdentityAccountCommandController: {
             readonly O: any;
             readonly kind: any;
         };
+        /**
+         * Create a federated identity account for an external platform user.
+         *
+         * Called by platform backends (via API key) when a new user signs up on their
+         * platform. The platform provides the user's OIDC subject identifier and profile
+         * data. The account must be created before the user can authenticate via the IdP.
+         *
+         * Returns the full identity account including its ID, which the platform uses
+         * to grant roles via IAM policies.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.createFederatedAccount
+         */
+        readonly createFederatedAccount: {
+            readonly name: "createFederatedAccount";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Update profile fields on a federated identity account.
+         *
+         * Looks up the account by natural key (identity_provider_ref + external_sub)
+         * and updates email, name, and picture. Identity keys are immutable.
+         *
+         * Called by platform backends when a user's profile changes on their platform.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.updateFederatedAccount
+         */
+        readonly updateFederatedAccount: {
+            readonly name: "updateFederatedAccount";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Deprovision a federated identity account by revoking access or deleting it.
+         *
+         * Looks up the account by natural key (identity_provider_ref + external_sub).
+         * When delete_account is false, revokes all IAM policies in the organization.
+         * When delete_account is true, revokes policies and deletes the account.
+         *
+         * Called by platform backends during user offboarding.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.deprovisionFederatedAccount
+         */
+        readonly deprovisionFederatedAccount: {
+            readonly name: "deprovisionFederatedAccount";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
         /**
          * Trigger account provisioning for a user who exists in Auth0 but not in Stigmer.
          *

package/ai/stigmer/iam/identityaccount/v1/command_connect.js

@@ -15,7 +15,7 @@ export const IdentityAccountCommandController = {
          * Create a new identity account.
          *
          * @internal
-         * System-level RPC used by federated JIT provisioning and Auth0 webhook flow.
+         * System-level RPC used by Auth0 webhook flow and federated account creation.
          * No FGA authorization — called via inProcessChannelAsSystem (machine account).
          * The handler's createAuthorizationTuples step writes the self-ownership tuple after creation.
          *
@@ -55,6 +55,66 @@ export const IdentityAccountCommandController = {
             O: IdentityAccount,
             kind: MethodKind.Unary,
         },
+        /**
+         * Create a federated identity account for an external platform user.
+         *
+         * Called by platform backends (via API key) when a new user signs up on their
+         * platform. The platform provides the user's OIDC subject identifier and profile
+         * data. The account must be created before the user can authenticate via the IdP.
+         *
+         * Returns the full identity account including its ID, which the platform uses
+         * to grant roles via IAM policies.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.createFederatedAccount
+         */
+        createFederatedAccount: {
+            name: "createFederatedAccount",
+            I: CreateFederatedAccountInput,
+            O: IdentityAccount,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Update profile fields on a federated identity account.
+         *
+         * Looks up the account by natural key (identity_provider_ref + external_sub)
+         * and updates email, name, and picture. Identity keys are immutable.
+         *
+         * Called by platform backends when a user's profile changes on their platform.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.updateFederatedAccount
+         */
+        updateFederatedAccount: {
+            name: "updateFederatedAccount",
+            I: UpdateFederatedAccountInput,
+            O: IdentityAccount,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Deprovision a federated identity account by revoking access or deleting it.
+         *
+         * Looks up the account by natural key (identity_provider_ref + external_sub).
+         * When delete_account is false, revokes all IAM policies in the organization.
+         * When delete_account is true, revokes policies and deletes the account.
+         *
+         * Called by platform backends during user offboarding.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.deprovisionFederatedAccount
+         */
+        deprovisionFederatedAccount: {
+            name: "deprovisionFederatedAccount",
+            I: DeprovisionFederatedAccountInput,
+            O: IdentityAccount,
+            kind: MethodKind.Unary,
+        },
         /**
          * Trigger account provisioning for a user who exists in Auth0 but not in Stigmer.
          *

package/ai/stigmer/iam/identityaccount/v1/command_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAGd,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;;;;;;WASG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,eAAe;YAClB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,eAAe;YAClB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;WASG;QACH,qBAAqB,EAAE;YACrB,IAAI,EAAE,uBAAuB;YAC7B,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,KAAK;YACR,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAGd,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;;;;;;WASG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,eAAe;YAClB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,eAAe;YAClB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;WAcG;QACH,sBAAsB,EAAE;YACtB,IAAI,EAAE,wBAAwB;YAC9B,CAAC,EAAE,2BAA2B;YAC9B,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;WAYG;QACH,sBAAsB,EAAE;YACtB,IAAI,EAAE,wBAAwB;YAC9B,CAAC,EAAE,2BAA2B;YAC9B,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;WAaG;QACH,2BAA2B,EAAE;YAC3B,IAAI,EAAE,6BAA6B;YACnC,CAAC,EAAE,gCAAgC;YACnC,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;WASG;QACH,qBAAqB,EAAE;YACrB,IAAI,EAAE,uBAAuB;YAC7B,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,KAAK;YACR,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/command_pb.d.ts

@@ -1,6 +1,6 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { IdentityAccountSchema } from "./api_pb";
-import type { IdentityAccountEmailSchema, IdentityAccountIdSchema } from "./io_pb";
+import type { CreateFederatedAccountInputSchema, DeprovisionFederatedAccountInputSchema, IdentityAccountEmailSchema, IdentityAccountIdSchema, UpdateFederatedAccountInputSchema } from "./io_pb";
 import type { EmptySchema } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/command.proto.
@@ -16,7 +16,7 @@ export declare const IdentityAccountCommandController: GenService<{
      * Create a new identity account.
      *
      * @internal
-     * System-level RPC used by federated JIT provisioning and Auth0 webhook flow.
+     * System-level RPC used by Auth0 webhook flow and federated account creation.
      * No FGA authorization — called via inProcessChannelAsSystem (machine account).
      * The handler's createAuthorizationTuples step writes the self-ownership tuple after creation.
      *
@@ -53,6 +53,63 @@ export declare const IdentityAccountCommandController: GenService<{
         input: typeof IdentityAccountIdSchema;
         output: typeof IdentityAccountSchema;
     };
+    /**
+     * Create a federated identity account for an external platform user.
+     *
+     * Called by platform backends (via API key) when a new user signs up on their
+     * platform. The platform provides the user's OIDC subject identifier and profile
+     * data. The account must be created before the user can authenticate via the IdP.
+     *
+     * Returns the full identity account including its ID, which the platform uses
+     * to grant roles via IAM policies.
+     *
+     * Authorization: Requires can_create_identity_account on the organization
+     * that owns the identity provider.
+     *
+     * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.createFederatedAccount
+     */
+    createFederatedAccount: {
+        methodKind: "unary";
+        input: typeof CreateFederatedAccountInputSchema;
+        output: typeof IdentityAccountSchema;
+    };
+    /**
+     * Update profile fields on a federated identity account.
+     *
+     * Looks up the account by natural key (identity_provider_ref + external_sub)
+     * and updates email, name, and picture. Identity keys are immutable.
+     *
+     * Called by platform backends when a user's profile changes on their platform.
+     *
+     * Authorization: Requires can_create_identity_account on the organization
+     * that owns the identity provider.
+     *
+     * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.updateFederatedAccount
+     */
+    updateFederatedAccount: {
+        methodKind: "unary";
+        input: typeof UpdateFederatedAccountInputSchema;
+        output: typeof IdentityAccountSchema;
+    };
+    /**
+     * Deprovision a federated identity account by revoking access or deleting it.
+     *
+     * Looks up the account by natural key (identity_provider_ref + external_sub).
+     * When delete_account is false, revokes all IAM policies in the organization.
+     * When delete_account is true, revokes policies and deletes the account.
+     *
+     * Called by platform backends during user offboarding.
+     *
+     * Authorization: Requires can_create_identity_account on the organization
+     * that owns the identity provider.
+     *
+     * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountCommandController.deprovisionFederatedAccount
+     */
+    deprovisionFederatedAccount: {
+        methodKind: "unary";
+        input: typeof DeprovisionFederatedAccountInputSchema;
+        output: typeof IdentityAccountSchema;
+    };
     /**
      * Trigger account provisioning for a user who exists in Auth0 but not in Stigmer.
      *

package/ai/stigmer/iam/identityaccount/v1/command_pb.js

@@ -3,14 +3,14 @@
 /* eslint-disable */
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_api } from "./api_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_io } from "./io_pb";
 import { file_google_protobuf_empty } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/command.proto.
  */
-export const file_ai_stigmer_iam_identityaccount_v1_command = /*@__PURE__*/ fileDesc("Ci9haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvY29tbWFuZC5wcm90bxIhYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxMvIECiBJZGVudGl0eUFjY291bnRDb21tYW5kQ29udHJvbGxlchJ2CgZjcmVhdGUSMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50GjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCIE0LgYARKwAQoGdXBkYXRlEjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiPsK4GDoIBBALIgttZXRhZGF0YS5pZCondW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBhY2NvdW50EqwBCgZkZWxldGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjjCuBg0CAIQCyIFdmFsdWUqJ3VuYXV0aG9yaXplZCB0byBkZWxldGUgaWRlbnRpdHkgYWNjb3VudBJuChVzaW11bGF0ZVNpZ251cFdlYmhvb2sSNy5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50RW1haWwaFi5nb29nbGUucHJvdG9idWYuRW1wdHkiBNC4GAEaBKD/KwtiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
+export const file_ai_stigmer_iam_identityaccount_v1_command = /*@__PURE__*/ fileDesc("Ci9haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvY29tbWFuZC5wcm90bxIhYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxMpMKCiBJZGVudGl0eUFjY291bnRDb21tYW5kQ29udHJvbGxlchJ2CgZjcmVhdGUSMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50GjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCIE0LgYARKwAQoGdXBkYXRlEjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiPsK4GDoIAhALIgttZXRhZGF0YS5pZCondW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBhY2NvdW50EqwBCgZkZWxldGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjjCuBg0CAMQCyIFdmFsdWUqJ3VuYXV0aG9yaXplZCB0byBkZWxldGUgaWRlbnRpdHkgYWNjb3VudBLaAQoWY3JlYXRlRmVkZXJhdGVkQWNjb3VudBI+LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5DcmVhdGVGZWRlcmF0ZWRBY2NvdW50SW5wdXQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IkzCuBhICBUQHiIDb3JnKj11bmF1dGhvcml6ZWQgdG8gY3JlYXRlIGlkZW50aXR5IGFjY291bnRzIGluIHRoaXMgb3JnYW5pemF0aW9uEtoBChZ1cGRhdGVGZWRlcmF0ZWRBY2NvdW50Ej4uYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLlVwZGF0ZUZlZGVyYXRlZEFjY291bnRJbnB1dBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiTMK4GEgIFRAeIgNvcmcqPXVuYXV0aG9yaXplZCB0byBtYW5hZ2UgaWRlbnRpdHkgYWNjb3VudHMgaW4gdGhpcyBvcmdhbml6YXRpb24S5AEKG2RlcHJvdmlzaW9uRmVkZXJhdGVkQWNjb3VudBJDLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5EZXByb3Zpc2lvbkZlZGVyYXRlZEFjY291bnRJbnB1dBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiTMK4GEgIFRAeIgNvcmcqPXVuYXV0aG9yaXplZCB0byBtYW5hZ2UgaWRlbnRpdHkgYWNjb3VudHMgaW4gdGhpcyBvcmdhbml6YXRpb24SbgoVc2ltdWxhdGVTaWdudXBXZWJob29rEjcuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudEVtYWlsGhYuZ29vZ2xlLnByb3RvYnVmLkVtcHR5IgTQuBgBGgSg/ysLYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
 /**
  * IdentityAccountCommandController handles write operations for identity accounts.
  *

package/ai/stigmer/iam/identityaccount/v1/command_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,8CAA8C,GAAY,aAAa,CAClF,QAAQ,CAAC,o8BAAo8B,EAAE,CAAC,uDAAuD,EAAE,gEAAgE,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEjsC;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAyDxC,aAAa,CAChB,WAAW,CAAC,8CAA8C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,8CAA8C,GAAY,aAAa,CAClF,QAAQ,CAAC,q0DAAq0D,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAE5iE;;;;GAIG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAkHxC,aAAa,CAChB,WAAW,CAAC,8CAA8C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/enum_pb.d.ts

@@ -25,7 +25,7 @@ export declare enum IdentityAccountProvisioningMode {
      */
     direct = 1,
     /**
-     * Account was JIT-provisioned during federated authentication via an IdentityProvider.
+     * Account was created by the platform for federated authentication via an IdentityProvider.
      *
      * @generated from enum value: federated = 2;
      */

package/ai/stigmer/iam/identityaccount/v1/enum_pb.js

@@ -29,7 +29,7 @@ export var IdentityAccountProvisioningMode;
      */
     IdentityAccountProvisioningMode[IdentityAccountProvisioningMode["direct"] = 1] = "direct";
     /**
-     * Account was JIT-provisioned during federated authentication via an IdentityProvider.
+     * Account was created by the platform for federated authentication via an IdentityProvider.
      *
      * @generated from enum value: federated = 2;
      */

package/ai/stigmer/iam/identityaccount/v1/io_pb.d.ts

@@ -1,4 +1,5 @@
 import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { ApiResourceReference } from "../../../commons/apiresource/io_pb";
 import type { PageInfo } from "../../../commons/rpc/pagination_pb";
 import type { IdentityAccount } from "./api_pb";
 import type { Message } from "@bufbuild/protobuf";
@@ -150,3 +151,221 @@ export type ListWithIdentityOrg = Message<"ai.stigmer.iam.identityaccount.v1.Lis
  * Use `create(ListWithIdentityOrgSchema)` to create a new message.
  */
 export declare const ListWithIdentityOrgSchema: GenMessage<ListWithIdentityOrg>;
+/**
+ * ExternalSubLookup identifies a federated identity account by its identity provider
+ * reference and external subject identifier (OIDC sub claim).
+ *
+ * Used by platform backends to check whether a federated account already exists
+ * before calling createFederatedAccount.
+ *
+ * @generated from message ai.stigmer.iam.identityaccount.v1.ExternalSubLookup
+ */
+export type ExternalSubLookup = Message<"ai.stigmer.iam.identityaccount.v1.ExternalSubLookup"> & {
+    /**
+     * Organization that owns the identity provider.
+     * Used as the authorization scope: caller must have can_create_identity_account
+     * permission on this organization.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+    /**
+     * Reference to the IdentityProvider that the federated account belongs to.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 2;
+     */
+    identityProviderRef?: ApiResourceReference;
+    /**
+     * External subject identifier from the platform's OIDC provider.
+     * The raw OIDC sub claim (e.g., "google-oauth2|109876543210").
+     *
+     * @generated from field: string external_sub = 3;
+     */
+    externalSub: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.ExternalSubLookup.
+ * Use `create(ExternalSubLookupSchema)` to create a new message.
+ */
+export declare const ExternalSubLookupSchema: GenMessage<ExternalSubLookup>;
+/**
+ * CreateFederatedAccountInput is the command for creating a federated identity account
+ * linked to an external platform's identity provider.
+ *
+ * Called by platform backends (via API key) when a new user signs up on their platform.
+ * The platform provides the user's OIDC subject identifier and profile data.
+ * The account must be created before the user can authenticate via the IdP.
+ *
+ * @generated from message ai.stigmer.iam.identityaccount.v1.CreateFederatedAccountInput
+ */
+export type CreateFederatedAccountInput = Message<"ai.stigmer.iam.identityaccount.v1.CreateFederatedAccountInput"> & {
+    /**
+     * Organization that owns the identity provider.
+     * Used as the authorization scope: caller must have can_create_identity_account
+     * permission on this organization.
+     * Must match identity_provider_ref.org (when identity_provider_ref.org is non-empty).
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+    /**
+     * Reference to the IdentityProvider that this federated account belongs to.
+     * The IdP must exist and belong to the specified org.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 2;
+     */
+    identityProviderRef?: ApiResourceReference;
+    /**
+     * External subject identifier from the platform's OIDC provider.
+     * The raw OIDC sub claim (e.g., "google-oauth2|109876543210").
+     * Stored as-is without any prefix transformation.
+     * Must match the sub claim in JWTs issued by this IdP for authentication to work.
+     *
+     * @generated from field: string external_sub = 3;
+     */
+    externalSub: string;
+    /**
+     * Email address of the user.
+     *
+     * @generated from field: string email = 4;
+     */
+    email: string;
+    /**
+     * First name of the user.
+     *
+     * @generated from field: string first_name = 5;
+     */
+    firstName: string;
+    /**
+     * Last name of the user.
+     *
+     * @generated from field: string last_name = 6;
+     */
+    lastName: string;
+    /**
+     * URL of the user's profile picture.
+     *
+     * @generated from field: string picture_url = 7;
+     */
+    pictureUrl: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.CreateFederatedAccountInput.
+ * Use `create(CreateFederatedAccountInputSchema)` to create a new message.
+ */
+export declare const CreateFederatedAccountInputSchema: GenMessage<CreateFederatedAccountInput>;
+/**
+ * UpdateFederatedAccountInput is the command for updating profile fields on a
+ * federated identity account identified by its natural key (identity provider
+ * reference + external subject).
+ *
+ * Called by platform backends when a user's profile changes on their platform
+ * (e.g., name update, email change). Uses full-replace semantics: all profile
+ * fields must be provided. Identity keys (org, identity_provider_ref, external_sub)
+ * are immutable and used only for lookup.
+ *
+ * @generated from message ai.stigmer.iam.identityaccount.v1.UpdateFederatedAccountInput
+ */
+export type UpdateFederatedAccountInput = Message<"ai.stigmer.iam.identityaccount.v1.UpdateFederatedAccountInput"> & {
+    /**
+     * Organization that owns the identity provider.
+     * Used as the authorization scope: caller must have can_create_identity_account
+     * permission on this organization.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+    /**
+     * Reference to the IdentityProvider that the federated account belongs to.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 2;
+     */
+    identityProviderRef?: ApiResourceReference;
+    /**
+     * External subject identifier (OIDC sub claim) — lookup key, not updatable.
+     *
+     * @generated from field: string external_sub = 3;
+     */
+    externalSub: string;
+    /**
+     * Updated email address.
+     *
+     * @generated from field: string email = 4;
+     */
+    email: string;
+    /**
+     * Updated first name.
+     *
+     * @generated from field: string first_name = 5;
+     */
+    firstName: string;
+    /**
+     * Updated last name.
+     *
+     * @generated from field: string last_name = 6;
+     */
+    lastName: string;
+    /**
+     * Updated profile picture URL.
+     *
+     * @generated from field: string picture_url = 7;
+     */
+    pictureUrl: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.UpdateFederatedAccountInput.
+ * Use `create(UpdateFederatedAccountInputSchema)` to create a new message.
+ */
+export declare const UpdateFederatedAccountInputSchema: GenMessage<UpdateFederatedAccountInput>;
+/**
+ * DeprovisionFederatedAccountInput is the command for revoking a federated
+ * identity account's access, with an option to delete the account entirely.
+ *
+ * Called by platform backends when a user is removed from their platform
+ * (e.g., employee offboarding, account suspension). Uses the natural key
+ * (identity provider reference + external subject) for lookup.
+ *
+ * Two modes:
+ *   - Revoke only (delete_account = false): removes all IAM policies for the
+ *     account in the organization. The identity account is preserved for audit
+ *     trail. The user loses access but the account record remains.
+ *   - Revoke and delete (delete_account = true): revokes access AND deletes
+ *     the identity account. All IAM policies across all organizations are
+ *     cleaned up. Use this for permanent offboarding.
+ *
+ * @generated from message ai.stigmer.iam.identityaccount.v1.DeprovisionFederatedAccountInput
+ */
+export type DeprovisionFederatedAccountInput = Message<"ai.stigmer.iam.identityaccount.v1.DeprovisionFederatedAccountInput"> & {
+    /**
+     * Organization that owns the identity provider.
+     * Used as the authorization scope: caller must have can_create_identity_account
+     * permission on this organization.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+    /**
+     * Reference to the IdentityProvider that the federated account belongs to.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 2;
+     */
+    identityProviderRef?: ApiResourceReference;
+    /**
+     * External subject identifier (OIDC sub claim) — lookup key.
+     *
+     * @generated from field: string external_sub = 3;
+     */
+    externalSub: string;
+    /**
+     * When false (default): revoke the account's access in this organization only.
+     * When true: revoke access AND permanently delete the identity account.
+     *
+     * @generated from field: bool delete_account = 4;
+     */
+    deleteAccount: boolean;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.DeprovisionFederatedAccountInput.
+ * Use `create(DeprovisionFederatedAccountInputSchema)` to create a new message.
+ */
+export declare const DeprovisionFederatedAccountInputSchema: GenMessage<DeprovisionFederatedAccountInput>;