@stigmer/protos 0.0.72 → 0.0.74

package/ai/stigmer/iam/identityaccount/v1/io_pb.js

@@ -2,13 +2,14 @@
 // @generated from file ai/stigmer/iam/identityaccount/v1/io.proto (package ai.stigmer.iam.identityaccount.v1, syntax proto3)
 /* eslint-disable */
 import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_io } from "../../../commons/apiresource/io_pb";
 import { file_ai_stigmer_commons_rpc_pagination } from "../../../commons/rpc/pagination_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_api } from "./api_pb";
 import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/io.proto.
  */
-export const file_ai_stigmer_iam_identityaccount_v1_io = /*@__PURE__*/ fileDesc("CiphaS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvaW8ucHJvdG8SIWFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MSJXChBJZGVudGl0eUFjY291bnRzEkMKB2VudHJpZXMYASADKAsyMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IioKEUlkZW50aXR5QWNjb3VudElkEhUKBXZhbHVlGAEgASgJQga6SAPIAQEiLQoUSWRlbnRpdHlBY2NvdW50RW1haWwSFQoFdmFsdWUYASABKAlCBrpIA8gBASIeCgVJZHBJZBIVCgV2YWx1ZRgBIAEoCUIGukgDyAEBImsKHExpc3RXaXRoSWRlbnRpdHlBY2NvdW50SWRSZXESGwoTaWRlbnRpdHlfYWNjb3VudF9pZBgBIAEoCRIuCgRwYWdlGAIgASgLMiAuYWkuc3RpZ21lci5jb21tb25zLnJwYy5QYWdlSW5mbyJwChRJZGVudGl0eUFjY291bnRzTGlzdBITCgt0b3RhbF9wYWdlcxgBIAEoBRJDCgdlbnRyaWVzGAIgAygLMjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCJSChNMaXN0V2l0aElkZW50aXR5T3JnEgsKA29yZxgBIAEoCRIuCgRwYWdlGAIgASgLMiAuYWkuc3RpZ21lci5jb21tb25zLnJwYy5QYWdlSW5mb2IGcHJvdG8z", [file_ai_stigmer_commons_rpc_pagination, file_ai_stigmer_iam_identityaccount_v1_api, file_buf_validate_validate]);
+export const file_ai_stigmer_iam_identityaccount_v1_io = /*@__PURE__*/ fileDesc("CiphaS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvaW8ucHJvdG8SIWFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MSJXChBJZGVudGl0eUFjY291bnRzEkMKB2VudHJpZXMYASADKAsyMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IioKEUlkZW50aXR5QWNjb3VudElkEhUKBXZhbHVlGAEgASgJQga6SAPIAQEiLQoUSWRlbnRpdHlBY2NvdW50RW1haWwSFQoFdmFsdWUYASABKAlCBrpIA8gBASIeCgVJZHBJZBIVCgV2YWx1ZRgBIAEoCUIGukgDyAEBImsKHExpc3RXaXRoSWRlbnRpdHlBY2NvdW50SWRSZXESGwoTaWRlbnRpdHlfYWNjb3VudF9pZBgBIAEoCRIuCgRwYWdlGAIgASgLMiAuYWkuc3RpZ21lci5jb21tb25zLnJwYy5QYWdlSW5mbyJwChRJZGVudGl0eUFjY291bnRzTGlzdBITCgt0b3RhbF9wYWdlcxgBIAEoBRJDCgdlbnRyaWVzGAIgAygLMjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCJSChNMaXN0V2l0aElkZW50aXR5T3JnEgsKA29yZxgBIAEoCRIuCgRwYWdlGAIgASgLMiAuYWkuc3RpZ21lci5jb21tb25zLnJwYy5QYWdlSW5mbyKbAQoRRXh0ZXJuYWxTdWJMb29rdXASEwoDb3JnGAEgASgJQga6SAPIAQESUwoVaWRlbnRpdHlfcHJvdmlkZXJfcmVmGAIgASgLMjQuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlUmVmZXJlbmNlEhwKDGV4dGVybmFsX3N1YhgDIAEoCUIGukgDyAEBIvgBChtDcmVhdGVGZWRlcmF0ZWRBY2NvdW50SW5wdXQSEwoDb3JnGAEgASgJQga6SAPIAQESUwoVaWRlbnRpdHlfcHJvdmlkZXJfcmVmGAIgASgLMjQuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlUmVmZXJlbmNlEhwKDGV4dGVybmFsX3N1YhgDIAEoCUIGukgDyAEBEhUKBWVtYWlsGAQgASgJQga6SAPIAQESEgoKZmlyc3RfbmFtZRgFIAEoCRIRCglsYXN0X25hbWUYBiABKAkSEwoLcGljdHVyZV91cmwYByABKAki+AEKG1VwZGF0ZUZlZGVyYXRlZEFjY291bnRJbnB1dBITCgNvcmcYASABKAlCBrpIA8gBARJTChVpZGVudGl0eV9wcm92aWRlcl9yZWYYAiABKAsyNC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VSZWZlcmVuY2USHAoMZXh0ZXJuYWxfc3ViGAMgASgJQga6SAPIAQESFQoFZW1haWwYBCABKAlCBrpIA8gBARISCgpmaXJzdF9uYW1lGAUgASgJEhEKCWxhc3RfbmFtZRgGIAEoCRITCgtwaWN0dXJlX3VybBgHIAEoCSLCAQogRGVwcm92aXNpb25GZWRlcmF0ZWRBY2NvdW50SW5wdXQSEwoDb3JnGAEgASgJQga6SAPIAQESUwoVaWRlbnRpdHlfcHJvdmlkZXJfcmVmGAIgASgLMjQuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlUmVmZXJlbmNlEhwKDGV4dGVybmFsX3N1YhgDIAEoCUIGukgDyAEBEhYKDmRlbGV0ZV9hY2NvdW50GAQgASgIYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_rpc_pagination, file_ai_stigmer_iam_identityaccount_v1_api, file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.iam.identityaccount.v1.IdentityAccounts.
  * Use `create(IdentityAccountsSchema)` to create a new message.
@@ -44,4 +45,24 @@ export const IdentityAccountsListSchema = /*@__PURE__*/ messageDesc(file_ai_stig
  * Use `create(ListWithIdentityOrgSchema)` to create a new message.
  */
 export const ListWithIdentityOrgSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 6);
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.ExternalSubLookup.
+ * Use `create(ExternalSubLookupSchema)` to create a new message.
+ */
+export const ExternalSubLookupSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 7);
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.CreateFederatedAccountInput.
+ * Use `create(CreateFederatedAccountInputSchema)` to create a new message.
+ */
+export const CreateFederatedAccountInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 8);
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.UpdateFederatedAccountInput.
+ * Use `create(UpdateFederatedAccountInputSchema)` to create a new message.
+ */
+export const UpdateFederatedAccountInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 9);
+/**
+ * Describes the message ai.stigmer.iam.identityaccount.v1.DeprovisionFederatedAccountInput.
+ * Use `create(DeprovisionFederatedAccountInputSchema)` to create a new message.
+ */
+export const DeprovisionFederatedAccountInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityaccount_v1_io, 10);
 //# sourceMappingURL=io_pb.js.map

package/ai/stigmer/iam/identityaccount/v1/io_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,6HAA6H;AAC7H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AACtE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,yCAAyC,GAAY,aAAa,CAC7E,QAAQ,CAAC,0yBAA0yB,EAAE,CAAC,sCAAsC,EAAE,0CAA0C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBz6B;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAsB,aAAa,CACzD,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAA6C,aAAa,CACvG,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,6HAA6H;AAC7H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AACtE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,yCAAyC,GAAY,aAAa,CAC7E,QAAQ,CAAC,i6DAAi6D,EAAE,CAAC,sCAAsC,EAAE,sCAAsC,EAAE,0CAA0C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBxkE;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAgB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAsB,aAAa,CACzD,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAA6C,aAAa,CACvG,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAuB5D;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAqC5D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAsE5D;;;GAGG;AACH,MAAM,CAAC,MAAM,iCAAiC,GAA4C,aAAa,CACrG,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAmE5D;;;GAGG;AACH,MAAM,CAAC,MAAM,iCAAiC,GAA4C,aAAa,CACrG,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AAqD5D;;;GAGG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAiD,aAAa,CAC/G,WAAW,CAAC,yCAAyC,EAAE,EAAE,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/query_connect.d.ts

@@ -34,7 +34,10 @@ export declare const IdentityAccountQueryController: {
             readonly kind: any;
         };
         /**
-         * Get an identity account by email address.
+         * Get a direct identity account by email address.
+         *
+         * Only returns direct (non-federated) accounts. Federated accounts are not
+         * returned by this RPC — use getByExternalSub for IdP-scoped federated lookups.
          *
          * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByEmail
          */
@@ -45,7 +48,11 @@ export declare const IdentityAccountQueryController: {
             readonly kind: any;
         };
         /**
-         * Get an identity account by identity provider ID.
+         * Get an identity account by identity provider ID (Auth0 subject).
+         *
+         * Primarily used for direct and machine accounts where the IDP ID is
+         * the Auth0 user_id or client_id. For federated account lookups,
+         * use getByExternalSub which is scoped to a specific identity provider.
          *
          * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByIdpId
          */
@@ -55,6 +62,23 @@ export declare const IdentityAccountQueryController: {
             readonly O: any;
             readonly kind: any;
         };
+        /**
+         * Get a federated identity account by identity provider reference and external subject.
+         *
+         * Used by platform backends to check whether a federated account already exists
+         * for a given OIDC subject before calling createFederatedAccount.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByExternalSub
+         */
+        readonly getByExternalSub: {
+            readonly name: "getByExternalSub";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
         /**
          * Get lightweight actor information for an identity account.
          *

package/ai/stigmer/iam/identityaccount/v1/query_connect.js

@@ -39,7 +39,10 @@ export const IdentityAccountQueryController = {
             kind: MethodKind.Unary,
         },
         /**
-         * Get an identity account by email address.
+         * Get a direct identity account by email address.
+         *
+         * Only returns direct (non-federated) accounts. Federated accounts are not
+         * returned by this RPC — use getByExternalSub for IdP-scoped federated lookups.
          *
          * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByEmail
          */
@@ -50,7 +53,11 @@ export const IdentityAccountQueryController = {
             kind: MethodKind.Unary,
         },
         /**
-         * Get an identity account by identity provider ID.
+         * Get an identity account by identity provider ID (Auth0 subject).
+         *
+         * Primarily used for direct and machine accounts where the IDP ID is
+         * the Auth0 user_id or client_id. For federated account lookups,
+         * use getByExternalSub which is scoped to a specific identity provider.
          *
          * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByIdpId
          */
@@ -60,6 +67,23 @@ export const IdentityAccountQueryController = {
             O: IdentityAccount,
             kind: MethodKind.Unary,
         },
+        /**
+         * Get a federated identity account by identity provider reference and external subject.
+         *
+         * Used by platform backends to check whether a federated account already exists
+         * for a given OIDC subject before calling createFederatedAccount.
+         *
+         * Authorization: Requires can_create_identity_account on the organization
+         * that owns the identity provider.
+         *
+         * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByExternalSub
+         */
+        getByExternalSub: {
+            name: "getByExternalSub",
+            I: ExternalSubLookup,
+            O: IdentityAccount,
+            kind: MethodKind.Unary,
+        },
         /**
          * Get lightweight actor information for an identity account.
          *

package/ai/stigmer/iam/identityaccount/v1/query_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,gIAAgI;AAChI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG;IAC5C,QAAQ,EAAE,kEAAkE;IAC5E,OAAO,EAAE;QACP;;;;WAIG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;WASG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;WAIG;QACH,UAAU,EAAE;YACV,IAAI,EAAE,YAAY;YAClB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;WAIG;QACH,UAAU,EAAE;YACV,IAAI,EAAE,YAAY;YAClB,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;WAmBG;QACH,YAAY,EAAE;YACZ,IAAI,EAAE,cAAc;YACpB,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,qBAAqB;YACxB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,gIAAgI;AAChI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGvD;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAG;IAC5C,QAAQ,EAAE,kEAAkE;IAC5E,OAAO,EAAE;QACP;;;;WAIG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;WASG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;WAOG;QACH,UAAU,EAAE;YACV,IAAI,EAAE,YAAY;YAClB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;WAQG;QACH,UAAU,EAAE;YACV,IAAI,EAAE,YAAY;YAClB,CAAC,EAAE,KAAK;YACR,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;WAUG;QACH,gBAAgB,EAAE;YAChB,IAAI,EAAE,kBAAkB;YACxB,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;WAmBG;QACH,YAAY,EAAE;YACZ,IAAI,EAAE,cAAc;YACpB,CAAC,EAAE,iBAAiB;YACpB,CAAC,EAAE,qBAAqB;YACxB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/query_pb.d.ts

@@ -1,7 +1,7 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { ApiResourceAuditActorSchema } from "../../../commons/apiresource/status_pb";
 import type { IdentityAccountSchema } from "./api_pb";
-import type { IdentityAccountEmailSchema, IdentityAccountIdSchema, IdpIdSchema } from "./io_pb";
+import type { ExternalSubLookupSchema, IdentityAccountEmailSchema, IdentityAccountIdSchema, IdpIdSchema } from "./io_pb";
 import type { EmptySchema } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/query.proto.
@@ -39,7 +39,10 @@ export declare const IdentityAccountQueryController: GenService<{
         output: typeof IdentityAccountSchema;
     };
     /**
-     * Get an identity account by email address.
+     * Get a direct identity account by email address.
+     *
+     * Only returns direct (non-federated) accounts. Federated accounts are not
+     * returned by this RPC — use getByExternalSub for IdP-scoped federated lookups.
      *
      * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByEmail
      */
@@ -49,7 +52,11 @@ export declare const IdentityAccountQueryController: GenService<{
         output: typeof IdentityAccountSchema;
     };
     /**
-     * Get an identity account by identity provider ID.
+     * Get an identity account by identity provider ID (Auth0 subject).
+     *
+     * Primarily used for direct and machine accounts where the IDP ID is
+     * the Auth0 user_id or client_id. For federated account lookups,
+     * use getByExternalSub which is scoped to a specific identity provider.
      *
      * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByIdpId
      */
@@ -58,6 +65,22 @@ export declare const IdentityAccountQueryController: GenService<{
         input: typeof IdpIdSchema;
         output: typeof IdentityAccountSchema;
     };
+    /**
+     * Get a federated identity account by identity provider reference and external subject.
+     *
+     * Used by platform backends to check whether a federated account already exists
+     * for a given OIDC subject before calling createFederatedAccount.
+     *
+     * Authorization: Requires can_create_identity_account on the organization
+     * that owns the identity provider.
+     *
+     * @generated from rpc ai.stigmer.iam.identityaccount.v1.IdentityAccountQueryController.getByExternalSub
+     */
+    getByExternalSub: {
+        methodKind: "unary";
+        input: typeof ExternalSubLookupSchema;
+        output: typeof IdentityAccountSchema;
+    };
     /**
      * Get lightweight actor information for an identity account.
      *

package/ai/stigmer/iam/identityaccount/v1/query_pb.js

@@ -4,14 +4,14 @@
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
 import { file_ai_stigmer_commons_apiresource_status } from "../../../commons/apiresource/status_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_api } from "./api_pb";
 import { file_ai_stigmer_iam_identityaccount_v1_io } from "./io_pb";
 import { file_google_protobuf_empty } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/query.proto.
  */
-export const file_ai_stigmer_iam_identityaccount_v1_query = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvcXVlcnkucHJvdG8SIWFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MTKuBgoeSWRlbnRpdHlBY2NvdW50UXVlcnlDb250cm9sbGVyEqYBCgNnZXQSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjXCuBgxCAMQCyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byBnZXQgaWRlbnRpdHkgYWNjb3VudBJaCgZ3aG9BbUkSFi5nb29nbGUucHJvdG9idWYuRW1wdHkaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IgTQuBgBErABCgpnZXRCeUVtYWlsEjcuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudEVtYWlsGjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCI1wrgYMQgDEAsiBXZhbHVlKiR1bmF1dGhvcml6ZWQgdG8gZ2V0IGlkZW50aXR5IGFjY291bnQSoQEKCmdldEJ5SWRwSWQSKC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRwSWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjXCuBgxCAMQCyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byBnZXQgaWRlbnRpdHkgYWNjb3VudBKpAQoMZ2V0QWN0b3JJbmZvEjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudElkGjUuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlQXVkaXRBY3RvciIswrgYKAgDEAsqInVuYXV0aG9yaXplZCB0byBsb29rIHVwIGFjdG9yIGluZm8aBKD/KwtiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_apiresource_status, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
+export const file_ai_stigmer_iam_identityaccount_v1_query = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvcXVlcnkucHJvdG8SIWFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MTL8BwoeSWRlbnRpdHlBY2NvdW50UXVlcnlDb250cm9sbGVyEqYBCgNnZXQSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjXCuBgxCAEQCyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byBnZXQgaWRlbnRpdHkgYWNjb3VudBJaCgZ3aG9BbUkSFi5nb29nbGUucHJvdG9idWYuRW1wdHkaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IgTQuBgBErABCgpnZXRCeUVtYWlsEjcuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudEVtYWlsGjIuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxLklkZW50aXR5QWNjb3VudCI1wrgYMQgBEAsiBXZhbHVlKiR1bmF1dGhvcml6ZWQgdG8gZ2V0IGlkZW50aXR5IGFjY291bnQSoQEKCmdldEJ5SWRwSWQSKC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRwSWQaMi5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50IjXCuBgxCAEQCyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byBnZXQgaWRlbnRpdHkgYWNjb3VudBLLAQoQZ2V0QnlFeHRlcm5hbFN1YhI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5FeHRlcm5hbFN1Ykxvb2t1cBoyLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5YWNjb3VudC52MS5JZGVudGl0eUFjY291bnQiTcK4GEkIFRAeIgNvcmcqPnVuYXV0aG9yaXplZCB0byBsb29rIHVwIGlkZW50aXR5IGFjY291bnRzIGluIHRoaXMgb3JnYW5pemF0aW9uEqkBCgxnZXRBY3RvckluZm8SNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eWFjY291bnQudjEuSWRlbnRpdHlBY2NvdW50SWQaNS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VBdWRpdEFjdG9yIizCuBgoCAEQCyoidW5hdXRob3JpemVkIHRvIGxvb2sgdXAgYWN0b3IgaW5mbxoEoP8rC2IGcHJvdG8z", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_apiresource_status, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_identityaccount_v1_api, file_ai_stigmer_iam_identityaccount_v1_io, file_google_protobuf_empty]);
 /**
  * IdentityAccountQueryController handles read operations for identity accounts.
  *

package/ai/stigmer/iam/identityaccount/v1/query_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,gIAAgI;AAChI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AACpG,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,4rCAA4rC,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,gEAAgE,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEr+C;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAuEtC,aAAa,CAChB,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,gIAAgI;AAChI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAE9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AACpG,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,0CAA0C,EAAE,MAAM,UAAU,CAAC;AAEtE,OAAO,EAAE,yCAAyC,EAAE,MAAM,SAAS,CAAC;AAEpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAEpE;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,88CAA88C,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,0CAA0C,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAEjuD;;;;GAIG;AACH,MAAM,CAAC,MAAM,8BAA8B,GA8FtC,aAAa,CAChB,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/spec_pb.d.ts

@@ -18,7 +18,8 @@ export declare const file_ai_stigmer_iam_identityaccount_v1_spec: GenFile;
  * All FGA tuples use identity_account as the principal type.
  * Provisioning details:
  * - direct: Auth0 subject ID (e.g., "auth0|abc123")
- * - federated: compound key "federated:{provider_id}:{external_sub}"
+ * - federated: raw OIDC sub claim (e.g., "google-oauth2|109876543210"),
+ *   scoped by identity_provider_ref
  * - machine: Auth0 client ID with "@clients" suffix
  *
  * @generated from message ai.stigmer.iam.identityaccount.v1.IdentityAccountSpec
@@ -28,8 +29,9 @@ export type IdentityAccountSpec = Message<"ai.stigmer.iam.identityaccount.v1.Ide
      * IDP ID of the identity account.
      *
      * For direct accounts: the Auth0 subject ID (e.g., "auth0|abc123").
-     * For federated accounts: a compound key ensuring global uniqueness across
-     * identity providers (e.g., "federated:idp_01JXY:auth0|user-456").
+     * For federated accounts: the raw OIDC sub claim from the external identity
+     * provider (e.g., "google-oauth2|109876543210"). Uniqueness is scoped by
+     * identity_provider_ref — the pair (identity_provider_ref, idp_id) is unique.
      * For machine accounts: the Auth0 client ID with "@clients" suffix.
      *
      * @generated from field: string idp_id = 1;
@@ -38,8 +40,7 @@ export type IdentityAccountSpec = Message<"ai.stigmer.iam.identityaccount.v1.Ide
     /**
      * Email of the identity account.
      * For direct accounts: based on the email used to sign up.
-     * For federated accounts: fetched from the IdentityProvider's UserInfo endpoint
-     * during JIT provisioning.
+     * For federated accounts: provided by the platform when creating the account.
      * (ignored for create) this value is assigned by backend.
      *
      * @generated from field: string email = 2;
@@ -82,9 +83,10 @@ export type IdentityAccountSpec = Message<"ai.stigmer.iam.identityaccount.v1.Ide
      */
     provisioningMode: IdentityAccountProvisioningMode;
     /**
-     * Reference to the IdentityProvider that provisioned this account.
+     * Reference to the IdentityProvider that owns this federated account.
      * Set only when provisioning_mode is FEDERATED. Identifies which external
-     * platform's trust relationship created this account during federated auth.
+     * platform's identity provider scopes this account. Together with idp_id,
+     * forms the unique identity for federated accounts.
      * (ignored for create) this value is assigned by backend.
      *
      * @generated from field: ai.stigmer.commons.apiresource.ApiResourceReference identity_provider_ref = 8;

package/ai/stigmer/iam/identityaccount/v1/spec_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,2CAA2C,EAAE,MAAM,WAAW,CAAC;AACxE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,kjBAAkjB,EAAE,CAAC,sCAAsC,EAAE,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AA+FlrB;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,2CAA2C,EAAE,MAAM,WAAW,CAAC;AACxE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,kjBAAkjB,EAAE,CAAC,sCAAsC,EAAE,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAiGlrB;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/command_pb.js

@@ -4,12 +4,12 @@
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_io } from "../../../commons/apiresource/io_pb";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_identityprovider_v1_api } from "./api_pb";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/command.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_command = /*@__PURE__*/ fileDesc("CjBhaS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL2NvbW1hbmQucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEy3gUKIUlkZW50aXR5UHJvdmlkZXJDb21tYW5kQ29udHJvbGxlchJzCgVhcHBseRI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlcho0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlchLLAQoGY3JlYXRlEjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlwcm92aWRlci52MS5JZGVudGl0eVByb3ZpZGVyGjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlwcm92aWRlci52MS5JZGVudGl0eVByb3ZpZGVyIlXCuBhRCBgQHiIMbWV0YWRhdGEub3JnKj11bmF1dGhvcml6ZWQgdG8gY3JlYXRlIGlkZW50aXR5IHByb3ZpZGVyIGluIHRoaXMgb3JnYW5pemF0aW9uErUBCgZ1cGRhdGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiP8K4GDsIBBAVIgttZXRhZGF0YS5pZCoodW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBwcm92aWRlchK3AQoGZGVsZXRlEjYuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlRGVsZXRlSW5wdXQaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiP8K4GDsIAhAVIgtyZXNvdXJjZV9pZCoodW5hdXRob3JpemVkIHRvIGRlbGV0ZSBpZGVudGl0eSBwcm92aWRlchoEoP8rFWIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityprovider_v1_api]);
+export const file_ai_stigmer_iam_identityprovider_v1_command = /*@__PURE__*/ fileDesc("CjBhaS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL2NvbW1hbmQucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEy3gUKIUlkZW50aXR5UHJvdmlkZXJDb21tYW5kQ29udHJvbGxlchJzCgVhcHBseRI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlcho0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlchLLAQoGY3JlYXRlEjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlwcm92aWRlci52MS5JZGVudGl0eVByb3ZpZGVyGjQuYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlwcm92aWRlci52MS5JZGVudGl0eVByb3ZpZGVyIlXCuBhRCAsQHiIMbWV0YWRhdGEub3JnKj11bmF1dGhvcml6ZWQgdG8gY3JlYXRlIGlkZW50aXR5IHByb3ZpZGVyIGluIHRoaXMgb3JnYW5pemF0aW9uErUBCgZ1cGRhdGUSNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiP8K4GDsIAhAVIgttZXRhZGF0YS5pZCoodW5hdXRob3JpemVkIHRvIHVwZGF0ZSBpZGVudGl0eSBwcm92aWRlchK3AQoGZGVsZXRlEjYuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlRGVsZXRlSW5wdXQaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiP8K4GDsIAxAVIgtyZXNvdXJjZV9pZCoodW5hdXRob3JpemVkIHRvIGRlbGV0ZSBpZGVudGl0eSBwcm92aWRlchoEoP8rFWIGcHJvdG8z", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_identityprovider_v1_api]);
 /**
  * IdentityProviderCommandController provides write operations for identity providers.
  *

package/ai/stigmer/iam/identityprovider/v1/command_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oIAAoI;AACpI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,MAAM,+CAA+C,GAAY,aAAa,CACnF,QAAQ,CAAC,slCAAslC,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,gEAAgE,EAAE,2CAA2C,CAAC,CAAC,CAAC;AAErzC;;;;GAIG;AACH,MAAM,CAAC,MAAM,iCAAiC,GA+DzC,aAAa,CAChB,WAAW,CAAC,+CAA+C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oIAAoI;AACpI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,MAAM,+CAA+C,GAAY,aAAa,CACnF,QAAQ,CAAC,slCAAslC,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,0CAA0C,EAAE,2CAA2C,CAAC,CAAC,CAAC;AAE/xC;;;;GAIG;AACH,MAAM,CAAC,MAAM,iCAAiC,GA+DzC,aAAa,CAChB,WAAW,CAAC,+CAA+C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/io_pb.d.ts

@@ -65,3 +65,91 @@ export type IdentityProviderList = Message<"ai.stigmer.iam.identityprovider.v1.I
  * Use `create(IdentityProviderListSchema)` to create a new message.
  */
 export declare const IdentityProviderListSchema: GenMessage<IdentityProviderList>;
+/**
+ * ListIdentityProvidersByOrgInput specifies the organization whose identity
+ * providers should be returned.
+ *
+ * @generated from message ai.stigmer.iam.identityprovider.v1.ListIdentityProvidersByOrgInput
+ */
+export type ListIdentityProvidersByOrgInput = Message<"ai.stigmer.iam.identityprovider.v1.ListIdentityProvidersByOrgInput"> & {
+    /**
+     * Organization slug to list identity providers for.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.ListIdentityProvidersByOrgInput.
+ * Use `create(ListIdentityProvidersByOrgInputSchema)` to create a new message.
+ */
+export declare const ListIdentityProvidersByOrgInputSchema: GenMessage<ListIdentityProvidersByOrgInput>;
+/**
+ * OrganizationSsoLookup identifies an organization for SSO provider discovery.
+ * Used by the web app's login page to determine whether an organization has
+ * SSO enabled and to retrieve the OIDC configuration needed to initiate login.
+ *
+ * @generated from message ai.stigmer.iam.identityprovider.v1.OrganizationSsoLookup
+ */
+export type OrganizationSsoLookup = Message<"ai.stigmer.iam.identityprovider.v1.OrganizationSsoLookup"> & {
+    /**
+     * Organization slug to look up SSO configuration for.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.OrganizationSsoLookup.
+ * Use `create(OrganizationSsoLookupSchema)` to create a new message.
+ */
+export declare const OrganizationSsoLookupSchema: GenMessage<OrganizationSsoLookup>;
+/**
+ * SsoProviderInfo contains the minimal OIDC configuration the web app needs
+ * to render an SSO login button and initiate the Authorization Code flow.
+ *
+ * This is a projection of the full IdentityProvider resource, exposing only
+ * the fields safe for unauthenticated access. Internal configuration such as
+ * JWKS URI, rate limits, and userinfo endpoint is intentionally excluded.
+ *
+ * @generated from message ai.stigmer.iam.identityprovider.v1.SsoProviderInfo
+ */
+export type SsoProviderInfo = Message<"ai.stigmer.iam.identityprovider.v1.SsoProviderInfo"> & {
+    /**
+     * Display name of the SSO provider (e.g., "Acme Corp Okta").
+     * Shown on the login button: "Sign in with [display_name]".
+     *
+     * @generated from field: string display_name = 1;
+     */
+    displayName: string;
+    /**
+     * OIDC client ID for initiating the Authorization Code flow with PKCE.
+     *
+     * @generated from field: string oidc_client_id = 2;
+     */
+    oidcClientId: string;
+    /**
+     * OIDC issuer URL. The web app appends /.well-known/openid-configuration
+     * to discover the authorization_endpoint, token_endpoint, and other
+     * OIDC metadata required for the login flow.
+     *
+     * @generated from field: string issuer = 3;
+     */
+    issuer: string;
+    /**
+     * Expected JWT audience value for the OIDC token request.
+     * The web app passes this as the audience parameter when initiating the
+     * Authorization Code flow. Some IdPs (e.g., Auth0) require it to issue
+     * a JWT access token with the correct aud claim; others determine the
+     * audience from server-side configuration and ignore this parameter.
+     * Empty means the web app should omit the audience parameter.
+     *
+     * @generated from field: string expected_audience = 4;
+     */
+    expectedAudience: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.SsoProviderInfo.
+ * Use `create(SsoProviderInfoSchema)` to create a new message.
+ */
+export declare const SsoProviderInfoSchema: GenMessage<SsoProviderInfo>;

package/ai/stigmer/iam/identityprovider/v1/io_pb.js

@@ -7,7 +7,7 @@ import { file_buf_validate_validate } from "../../../../../buf/validate/validate
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/io.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_io = /*@__PURE__*/ fileDesc("CithaS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL2lvLnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxIi4KEklkZW50aXR5UHJvdmlkZXJJZBIYCgV2YWx1ZRgBIAEoCUIJukgGcgQQARhAIloKEUlkZW50aXR5UHJvdmlkZXJzEkUKB2VudHJpZXMYASADKAsyNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIicgoUSWRlbnRpdHlQcm92aWRlckxpc3QSEwoLdG90YWxfcGFnZXMYASABKAUSRQoHZW50cmllcxgCIAMoCzI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlcmIGcHJvdG8z", [file_ai_stigmer_iam_identityprovider_v1_api, file_buf_validate_validate]);
+export const file_ai_stigmer_iam_identityprovider_v1_io = /*@__PURE__*/ fileDesc("CithaS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL2lvLnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxIi4KEklkZW50aXR5UHJvdmlkZXJJZBIYCgV2YWx1ZRgBIAEoCUIJukgGcgQQARhAIloKEUlkZW50aXR5UHJvdmlkZXJzEkUKB2VudHJpZXMYASADKAsyNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIicgoUSWRlbnRpdHlQcm92aWRlckxpc3QSEwoLdG90YWxfcGFnZXMYASABKAUSRQoHZW50cmllcxgCIAMoCzI0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlciI3Ch9MaXN0SWRlbnRpdHlQcm92aWRlcnNCeU9yZ0lucHV0EhQKA29yZxgBIAEoCUIHukgEcgIQASItChVPcmdhbml6YXRpb25Tc29Mb29rdXASFAoDb3JnGAEgASgJQge6SARyAhABImoKD1Nzb1Byb3ZpZGVySW5mbxIUCgxkaXNwbGF5X25hbWUYASABKAkSFgoOb2lkY19jbGllbnRfaWQYAiABKAkSDgoGaXNzdWVyGAMgASgJEhkKEWV4cGVjdGVkX2F1ZGllbmNlGAQgASgJYgZwcm90bzM", [file_ai_stigmer_iam_identityprovider_v1_api, file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.iam.identityprovider.v1.IdentityProviderId.
  * Use `create(IdentityProviderIdSchema)` to create a new message.
@@ -23,4 +23,19 @@ export const IdentityProvidersSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer
  * Use `create(IdentityProviderListSchema)` to create a new message.
  */
 export const IdentityProviderListSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityprovider_v1_io, 2);
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.ListIdentityProvidersByOrgInput.
+ * Use `create(ListIdentityProvidersByOrgInputSchema)` to create a new message.
+ */
+export const ListIdentityProvidersByOrgInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityprovider_v1_io, 3);
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.OrganizationSsoLookup.
+ * Use `create(OrganizationSsoLookupSchema)` to create a new message.
+ */
+export const OrganizationSsoLookupSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityprovider_v1_io, 4);
+/**
+ * Describes the message ai.stigmer.iam.identityprovider.v1.SsoProviderInfo.
+ * Use `create(SsoProviderInfoSchema)` to create a new message.
+ */
+export const SsoProviderInfoSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_identityprovider_v1_io, 5);
 //# sourceMappingURL=io_pb.js.map

package/ai/stigmer/iam/identityprovider/v1/io_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAY,aAAa,CAC9E,QAAQ,CAAC,8cAA8c,EAAE,CAAC,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBtiB;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAmC,aAAa,CACnF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAgB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAuB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAY,aAAa,CAC9E,QAAQ,CAAC,yuBAAyuB,EAAE,CAAC,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBj0B;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAmC,aAAa,CACnF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAgB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAkC,aAAa,CACjF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAuB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAiB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAAgD,aAAa,CAC7G,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAkB7D;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAsC,aAAa,CACzF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;AAkD7D;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAgC,aAAa,CAC7E,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/query_connect.d.ts

@@ -38,5 +38,44 @@ export declare const IdentityProviderQueryController: {
             readonly O: any;
             readonly kind: any;
         };
+        /**
+         * List all identity providers belonging to an organization.
+         *
+         * Returns every IdentityProvider whose metadata.org matches the input org.
+         * Typically a small set (1-3 per org), so results are not paginated.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the organization resource.
+         *
+         * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.listByOrg
+         */
+        readonly listByOrg: {
+            readonly name: "listByOrg";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Look up the SSO identity provider for an organization.
+         *
+         * Returns the SSO-relevant projection (display name, OIDC client ID, issuer)
+         * of the IdentityProvider where is_sso_provider is true for the given org.
+         * Returns NOT_FOUND if the organization has no SSO provider configured.
+         *
+         * This endpoint is called by the web app's login page before the user has
+         * authenticated, so it requires no authorization. The response intentionally
+         * omits internal IdP configuration (JWKS URI, rate limits, userinfo endpoint).
+         *
+         * @internal
+         * Authorization: none — unauthenticated, public endpoint for login page rendering.
+         *
+         * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getSsoProvider
+         */
+        readonly getSsoProvider: {
+            readonly name: "getSsoProvider";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
     };
 };

package/ai/stigmer/iam/identityprovider/v1/query_connect.js

@@ -43,6 +43,45 @@ export const IdentityProviderQueryController = {
             O: IdentityProvider,
             kind: MethodKind.Unary,
         },
+        /**
+         * List all identity providers belonging to an organization.
+         *
+         * Returns every IdentityProvider whose metadata.org matches the input org.
+         * Typically a small set (1-3 per org), so results are not paginated.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the organization resource.
+         *
+         * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.listByOrg
+         */
+        listByOrg: {
+            name: "listByOrg",
+            I: ListIdentityProvidersByOrgInput,
+            O: IdentityProviders,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Look up the SSO identity provider for an organization.
+         *
+         * Returns the SSO-relevant projection (display name, OIDC client ID, issuer)
+         * of the IdentityProvider where is_sso_provider is true for the given org.
+         * Returns NOT_FOUND if the organization has no SSO provider configured.
+         *
+         * This endpoint is called by the web app's login page before the user has
+         * authenticated, so it requires no authorization. The response intentionally
+         * omits internal IdP configuration (JWKS URI, rate limits, userinfo endpoint).
+         *
+         * @internal
+         * Authorization: none — unauthenticated, public endpoint for login page rendering.
+         *
+         * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getSsoProvider
+         */
+        getSsoProvider: {
+            name: "getSsoProvider",
+            I: OrganizationSsoLookup,
+            O: SsoProviderInfo,
+            kind: MethodKind.Unary,
+        },
     }
 };
 //# sourceMappingURL=query_connect.js.map

package/ai/stigmer/iam/identityprovider/v1/query_connect.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;;;;WAOG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;WAWG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
+{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,kIAAkI;AAClI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C,QAAQ,EAAE,oEAAoE;IAC9E,OAAO,EAAE;QACP;;;;;;;WAOG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;WAWG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,gBAAgB;YACnB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;WAUG;QACH,SAAS,EAAE;YACT,IAAI,EAAE,WAAW;YACjB,CAAC,EAAE,+BAA+B;YAClC,CAAC,EAAE,iBAAiB;YACpB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,qBAAqB;YACxB,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/query_pb.d.ts

@@ -1,6 +1,7 @@
 import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
 import type { ApiResourceIdSchema, ApiResourceReferenceSchema } from "../../../commons/apiresource/io_pb";
 import type { IdentityProviderSchema } from "./api_pb";
+import type { IdentityProvidersSchema, ListIdentityProvidersByOrgInputSchema, OrganizationSsoLookupSchema, SsoProviderInfoSchema } from "./io_pb";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/query.proto.
  */
@@ -41,4 +42,41 @@ export declare const IdentityProviderQueryController: GenService<{
         input: typeof ApiResourceReferenceSchema;
         output: typeof IdentityProviderSchema;
     };
+    /**
+     * List all identity providers belonging to an organization.
+     *
+     * Returns every IdentityProvider whose metadata.org matches the input org.
+     * Typically a small set (1-3 per org), so results are not paginated.
+     *
+     * @internal
+     * Authorization: Requires can_view permission on the organization resource.
+     *
+     * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.listByOrg
+     */
+    listByOrg: {
+        methodKind: "unary";
+        input: typeof ListIdentityProvidersByOrgInputSchema;
+        output: typeof IdentityProvidersSchema;
+    };
+    /**
+     * Look up the SSO identity provider for an organization.
+     *
+     * Returns the SSO-relevant projection (display name, OIDC client ID, issuer)
+     * of the IdentityProvider where is_sso_provider is true for the given org.
+     * Returns NOT_FOUND if the organization has no SSO provider configured.
+     *
+     * This endpoint is called by the web app's login page before the user has
+     * authenticated, so it requires no authorization. The response intentionally
+     * omits internal IdP configuration (JWKS URI, rate limits, userinfo endpoint).
+     *
+     * @internal
+     * Authorization: none — unauthenticated, public endpoint for login page rendering.
+     *
+     * @generated from rpc ai.stigmer.iam.identityprovider.v1.IdentityProviderQueryController.getSsoProvider
+     */
+    getSsoProvider: {
+        methodKind: "unary";
+        input: typeof OrganizationSsoLookupSchema;
+        output: typeof SsoProviderInfoSchema;
+    };
 }>;

package/ai/stigmer/iam/identityprovider/v1/query_pb.js

@@ -4,12 +4,13 @@
 import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
 import { file_ai_stigmer_commons_apiresource_io } from "../../../commons/apiresource/io_pb";
 import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
-import { file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options } from "../../iampolicy/v1/rpcauthorization/method_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
 import { file_ai_stigmer_iam_identityprovider_v1_api } from "./api_pb";
+import { file_ai_stigmer_iam_identityprovider_v1_io } from "./io_pb";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/query.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_query = /*@__PURE__*/ fileDesc("Ci5haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3F1ZXJ5LnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxMtICCh9JZGVudGl0eVByb3ZpZGVyUXVlcnlDb250cm9sbGVyEqMBCgNnZXQSLS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VJZBo0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlciI3wrgYMwgDEBUiBXZhbHVlKiZ1bmF1dGhvcml6ZWQgdG8gdmlldyBpZGVudGl0eSBwcm92aWRlchKCAQoOZ2V0QnlSZWZlcmVuY2USNC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VSZWZlcmVuY2UaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiBNC4GAEaBKD/KxViBnByb3RvMw", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_iam_iampolicy_v1_rpcauthorization_method_options, file_ai_stigmer_iam_identityprovider_v1_api]);
+export const file_ai_stigmer_iam_identityprovider_v1_query = /*@__PURE__*/ fileDesc("Ci5haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3F1ZXJ5LnByb3RvEiJhaS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxMrIFCh9JZGVudGl0eVByb3ZpZGVyUXVlcnlDb250cm9sbGVyEqMBCgNnZXQSLS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VJZBo0LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlciI3wrgYMwgBEBUiBXZhbHVlKiZ1bmF1dGhvcml6ZWQgdG8gdmlldyBpZGVudGl0eSBwcm92aWRlchKCAQoOZ2V0QnlSZWZlcmVuY2USNC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VSZWZlcmVuY2UaNC5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLklkZW50aXR5UHJvdmlkZXIiBNC4GAES1AEKCWxpc3RCeU9yZxJDLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuTGlzdElkZW50aXR5UHJvdmlkZXJzQnlPcmdJbnB1dBo1LmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuSWRlbnRpdHlQcm92aWRlcnMiS8K4GEcIARAeIgNvcmcqPHVuYXV0aG9yaXplZCB0byBsaXN0IGlkZW50aXR5IHByb3ZpZGVycyBpbiB0aGlzIG9yZ2FuaXphdGlvbhKGAQoOZ2V0U3NvUHJvdmlkZXISOS5haS5zdGlnbWVyLmlhbS5pZGVudGl0eXByb3ZpZGVyLnYxLk9yZ2FuaXphdGlvblNzb0xvb2t1cBozLmFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEuU3NvUHJvdmlkZXJJbmZvIgTQuBgBGgSg/ysVYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_identityprovider_v1_api, file_ai_stigmer_iam_identityprovider_v1_io]);
 /**
  * IdentityProviderQueryController provides read operations for identity providers.
  *