@stigmer/protos 0.0.72 → 0.0.74

package/ai/stigmer/iam/identityprovider/v1/query_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,gEAAgE,EAAE,MAAM,uDAAuD,CAAC;AAEzI,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,MAAM,6CAA6C,GAAY,aAAa,CACjF,QAAQ,CAAC,okBAAokB,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,gEAAgE,EAAE,2CAA2C,CAAC,CAAC,CAAC;AAEnyB;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GA+BvC,aAAa,CAChB,WAAW,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kIAAkI;AAClI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,2CAA2C,EAAE,MAAM,UAAU,CAAC;AAEvE,OAAO,EAAE,0CAA0C,EAAE,MAAM,SAAS,CAAC;AAErE;;GAEG;AACH,MAAM,CAAC,MAAM,6CAA6C,GAAY,aAAa,CACjF,QAAQ,CAAC,yhCAAyhC,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,0CAA0C,EAAE,2CAA2C,EAAE,0CAA0C,CAAC,CAAC,CAAC;AAE9wC;;;;GAIG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAoEvC,aAAa,CAChB,WAAW,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/spec_pb.d.ts

@@ -9,18 +9,19 @@ export declare const file_ai_stigmer_iam_identityprovider_v1_spec: GenFile;
  *
  * An IdentityProvider represents an external platform's trust relationship with Stigmer.
  * It is owned by an organization (e.g., "planton") and configures how Stigmer validates
- * tokens from that platform during token exchange. The platform forwards its OIDC
- * provider's access tokens to Stigmer's token exchange endpoint, which:
- * - Validates the token signature against the configured JWKS
- * - Fetches user profile data from the OIDC UserInfo endpoint
- * - JIT-provisions a federated identity account with email, name, and picture
- * - Issues a Stigmer-native token for subsequent API access
+ * tokens from that platform. When a user authenticates with a JWT issued by this provider,
+ * Stigmer validates the token signature against the configured JWKS and resolves the
+ * user's federated identity account by the JWT's sub claim and this provider's reference.
+ *
+ * For platform-managed IdPs, the platform is responsible for explicitly creating
+ * federated identity accounts before users can authenticate. For SSO providers
+ * (is_sso_provider = true), Stigmer auto-provisions accounts on first login.
  *
  * The spec contains only public validation configuration — no secrets are stored.
  * For OIDC-based integrators (e.g., Auth0), the jwks_uri and userinfo_endpoint
  * point to the OIDC provider's standard endpoints.
  *
- * Example YAML:
+ * Example YAML (platform delegation):
  *   apiVersion: iam.stigmer.ai/v1
  *   kind: IdentityProvider
  *   metadata:
@@ -34,6 +35,21 @@ export declare const file_ai_stigmer_iam_identityprovider_v1_spec: GenFile;
  *     expected_audience: "https://api.planton.ai/"
  *     userinfo_endpoint: "https://planton-prod.us.auth0.com/userinfo"
  *
+ * Example YAML (self-managed SSO):
+ *   apiVersion: iam.stigmer.ai/v1
+ *   kind: IdentityProvider
+ *   metadata:
+ *     name: Acme Corp Okta
+ *     slug: acme-okta
+ *     org: acme
+ *   spec:
+ *     display_name: "Acme Corp Okta"
+ *     jwks_uri: "https://acme.okta.com/oauth2/default/v1/keys"
+ *     allowed_issuers: ["https://acme.okta.com/oauth2/default"]
+ *     expected_audience: "stigmer-api"
+ *     is_sso_provider: true
+ *     oidc_client_id: "0oa1bcdef2ghijk3lmno"
+ *
  * @generated from message ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec
  */
 export type IdentityProviderSpec = Message<"ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec"> & {
@@ -98,6 +114,43 @@ export type IdentityProviderSpec = Message<"ai.stigmer.iam.identityprovider.v1.I
      * @generated from field: string userinfo_endpoint = 6;
      */
     userinfoEndpoint: string;
+    /**
+     * Whether this identity provider serves as the SSO login provider for its
+     * owning organization.
+     *
+     * When true, the Stigmer web app offers a "Sign in with [display_name]"
+     * option on the organization's login page and initiates the OIDC
+     * Authorization Code flow with PKCE using the configured oidc_client_id.
+     *
+     * On first login, SSO users are auto-provisioned: Stigmer creates a
+     * federated identity account from the JWT's OIDC claims and grants the
+     * viewer role on the organization. Org admins can upgrade viewers to
+     * members when ready.
+     *
+     * Constraints:
+     * - At most one IdentityProvider per organization can be the SSO provider.
+     * - An IdP used for platform-managed organization delegation cannot also
+     *   serve as an SSO provider (different trust models).
+     *
+     * @generated from field: bool is_sso_provider = 7;
+     */
+    isSsoProvider: boolean;
+    /**
+     * OIDC client identifier for browser-based SSO login.
+     *
+     * This is the client_id registered with the external IdP (e.g., Okta,
+     * Azure AD) for Stigmer's web application. The web app uses this to
+     * build the OIDC Authorization Code request with PKCE.
+     *
+     * No client_secret is stored — the web app is a public client using PKCE
+     * (Proof Key for Code Exchange), which is the recommended approach for
+     * SPAs per OAuth 2.0 for Browser-Based Apps (RFC draft).
+     *
+     * Required when is_sso_provider is true; must be empty otherwise.
+     *
+     * @generated from field: string oidc_client_id = 8;
+     */
+    oidcClientId: string;
 };
 /**
  * Describes the message ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec.

package/ai/stigmer/iam/identityprovider/v1/spec_pb.js

@@ -6,7 +6,7 @@ import { file_buf_validate_validate } from "../../../../../buf/validate/validate
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/spec.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_spec = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3NwZWMucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEi0AEKFElkZW50aXR5UHJvdmlkZXJTcGVjEh4KDGRpc3BsYXlfbmFtZRgBIAEoCUIIukgFcgMYyAESGgoIandrc191cmkYAiABKAlCCLpIBXIDGIAQEhcKD2FsbG93ZWRfaXNzdWVycxgDIAMoCRIjChFleHBlY3RlZF9hdWRpZW5jZRgEIAEoCUIIukgFcgMYyAESGQoRcmF0ZV9saW1pdF9idWRnZXQYBSABKAUSIwoRdXNlcmluZm9fZW5kcG9pbnQYBiABKAlCCLpIBXIDGIAQYgZwcm90bzM", [file_buf_validate_validate]);
+export const file_ai_stigmer_iam_identityprovider_v1_spec = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3NwZWMucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEiiwIKFElkZW50aXR5UHJvdmlkZXJTcGVjEh4KDGRpc3BsYXlfbmFtZRgBIAEoCUIIukgFcgMYyAESGgoIandrc191cmkYAiABKAlCCLpIBXIDGIAQEhcKD2FsbG93ZWRfaXNzdWVycxgDIAMoCRIjChFleHBlY3RlZF9hdWRpZW5jZRgEIAEoCUIIukgFcgMYyAESGQoRcmF0ZV9saW1pdF9idWRnZXQYBSABKAUSIwoRdXNlcmluZm9fZW5kcG9pbnQYBiABKAlCCLpIBXIDGIAQEhcKD2lzX3Nzb19wcm92aWRlchgHIAEoCBIgCg5vaWRjX2NsaWVudF9pZBgIIAEoCUIIukgFcgMYgAJiBnByb3RvMw", [file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec.
  * Use `create(IdentityProviderSpecSchema)` to create a new message.

package/ai/stigmer/iam/identityprovider/v1/spec_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,iIAAiI;AACjI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,qZAAqZ,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC;AAuGhc;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,iIAAiI;AACjI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,oeAAoe,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC;AA8J/gB;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/invitation/v1/api_pb.d.ts

@@ -0,0 +1,132 @@
+import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { ApiResourceMetadata } from "../../../commons/apiresource/metadata_pb";
+import type { ApiResourceAudit } from "../../../commons/apiresource/status_pb";
+import type { InvitationState } from "./enum_pb";
+import type { InvitationSpec } from "./spec_pb";
+import type { Timestamp } from "@bufbuild/protobuf/wkt";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/iam/invitation/v1/api.proto.
+ */
+export declare const file_ai_stigmer_iam_invitation_v1_api: GenFile;
+/**
+ * Invitation is a shareable link that grants org membership with a configurable role.
+ *
+ * Invitations support two patterns:
+ * - Multi-use (max_redemptions = 0): persistent org invite link, suitable for
+ *   public sharing. Best paired with the viewer role to avoid cost exposure.
+ * - Single-use (max_redemptions = 1): targeted invitation for a specific person.
+ *
+ * The invite URL format is: https://<host>/invite/<token>
+ * where token is a server-generated cryptographically random value.
+ *
+ * Creating an invitation requires can_grant_access on the organization.
+ * Redeeming an invitation requires only a valid token and authentication.
+ *
+ * @generated from message ai.stigmer.iam.invitation.v1.Invitation
+ */
+export type Invitation = Message<"ai.stigmer.iam.invitation.v1.Invitation"> & {
+    /**
+     * API version for this resource type.
+     *
+     * @generated from field: string api_version = 1;
+     */
+    apiVersion: string;
+    /**
+     * Resource kind identifier.
+     *
+     * @generated from field: string kind = 2;
+     */
+    kind: string;
+    /**
+     * Resource metadata including name, organization, and labels.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceMetadata metadata = 3;
+     */
+    metadata?: ApiResourceMetadata;
+    /**
+     * User-provided invitation configuration: role, expiry, and redemption limits.
+     *
+     * @generated from field: ai.stigmer.iam.invitation.v1.InvitationSpec spec = 4;
+     */
+    spec?: InvitationSpec;
+    /**
+     * System-managed state: token, lifecycle state, and redemption history.
+     *
+     * @generated from field: ai.stigmer.iam.invitation.v1.InvitationStatus status = 5;
+     */
+    status?: InvitationStatus;
+};
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.Invitation.
+ * Use `create(InvitationSchema)` to create a new message.
+ */
+export declare const InvitationSchema: GenMessage<Invitation>;
+/**
+ * InvitationStatus contains system-managed state for an invitation.
+ *
+ * @generated from message ai.stigmer.iam.invitation.v1.InvitationStatus
+ */
+export type InvitationStatus = Message<"ai.stigmer.iam.invitation.v1.InvitationStatus"> & {
+    /**
+     * Server-generated cryptographically random token.
+     * Included in the invite URL: /invite/<token>
+     * Generated once at creation; immutable thereafter.
+     *
+     * @generated from field: string token = 1;
+     */
+    token: string;
+    /**
+     * Current lifecycle state of the invitation.
+     *
+     * @generated from field: ai.stigmer.iam.invitation.v1.InvitationState state = 2;
+     */
+    state: InvitationState;
+    /**
+     * Number of times this invitation has been successfully redeemed.
+     *
+     * @generated from field: int32 redemption_count = 3;
+     */
+    redemptionCount: number;
+    /**
+     * Audit trail of each successful redemption.
+     *
+     * @generated from field: repeated ai.stigmer.iam.invitation.v1.InvitationRedemption redemptions = 4;
+     */
+    redemptions: InvitationRedemption[];
+    /**
+     * Standard audit information (created_at, updated_at, created_by, etc.).
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceAudit audit = 99;
+     */
+    audit?: ApiResourceAudit;
+};
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.InvitationStatus.
+ * Use `create(InvitationStatusSchema)` to create a new message.
+ */
+export declare const InvitationStatusSchema: GenMessage<InvitationStatus>;
+/**
+ * InvitationRedemption records a single successful redemption event.
+ *
+ * @generated from message ai.stigmer.iam.invitation.v1.InvitationRedemption
+ */
+export type InvitationRedemption = Message<"ai.stigmer.iam.invitation.v1.InvitationRedemption"> & {
+    /**
+     * The identity account that redeemed the invitation.
+     *
+     * @generated from field: string identity_account_id = 1;
+     */
+    identityAccountId: string;
+    /**
+     * When the redemption occurred.
+     *
+     * @generated from field: google.protobuf.Timestamp redeemed_at = 2;
+     */
+    redeemedAt?: Timestamp;
+};
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.InvitationRedemption.
+ * Use `create(InvitationRedemptionSchema)` to create a new message.
+ */
+export declare const InvitationRedemptionSchema: GenMessage<InvitationRedemption>;

package/ai/stigmer/iam/invitation/v1/api_pb.js

@@ -0,0 +1,30 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/invitation/v1/api.proto (package ai.stigmer.iam.invitation.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_metadata } from "../../../commons/apiresource/metadata_pb";
+import { file_ai_stigmer_commons_apiresource_status } from "../../../commons/apiresource/status_pb";
+import { file_ai_stigmer_iam_invitation_v1_enum } from "./enum_pb";
+import { file_ai_stigmer_iam_invitation_v1_spec } from "./spec_pb";
+import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
+import { file_google_protobuf_timestamp } from "@bufbuild/protobuf/wkt";
+/**
+ * Describes the file ai/stigmer/iam/invitation/v1/api.proto.
+ */
+export const file_ai_stigmer_iam_invitation_v1_api = /*@__PURE__*/ fileDesc("CiZhaS9zdGlnbWVyL2lhbS9pbnZpdGF0aW9uL3YxL2FwaS5wcm90bxIcYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MSKnAgoKSW52aXRhdGlvbhItCgthcGlfdmVyc2lvbhgBIAEoCUIYukgVchMKEWlhbS5zdGlnbWVyLmFpL3YxEh8KBGtpbmQYAiABKAlCEbpIDnIMCgpJbnZpdGF0aW9uEk0KCG1ldGFkYXRhGAMgASgLMjMuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlTWV0YWRhdGFCBrpIA8gBARI6CgRzcGVjGAQgASgLMiwuYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MS5JbnZpdGF0aW9uU3BlYxI+CgZzdGF0dXMYBSABKAsyLi5haS5zdGlnbWVyLmlhbS5pbnZpdGF0aW9uLnYxLkludml0YXRpb25TdGF0dXMigwIKEEludml0YXRpb25TdGF0dXMSDQoFdG9rZW4YASABKAkSPAoFc3RhdGUYAiABKA4yLS5haS5zdGlnbWVyLmlhbS5pbnZpdGF0aW9uLnYxLkludml0YXRpb25TdGF0ZRIYChByZWRlbXB0aW9uX2NvdW50GAMgASgFEkcKC3JlZGVtcHRpb25zGAQgAygLMjIuYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MS5JbnZpdGF0aW9uUmVkZW1wdGlvbhI/CgVhdWRpdBhjIAEoCzIwLmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5BcGlSZXNvdXJjZUF1ZGl0ImQKFEludml0YXRpb25SZWRlbXB0aW9uEhsKE2lkZW50aXR5X2FjY291bnRfaWQYASABKAkSLwoLcmVkZWVtZWRfYXQYAiABKAsyGi5nb29nbGUucHJvdG9idWYuVGltZXN0YW1wYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_metadata, file_ai_stigmer_commons_apiresource_status, file_ai_stigmer_iam_invitation_v1_enum, file_ai_stigmer_iam_invitation_v1_spec, file_buf_validate_validate, file_google_protobuf_timestamp]);
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.Invitation.
+ * Use `create(InvitationSchema)` to create a new message.
+ */
+export const InvitationSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_invitation_v1_api, 0);
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.InvitationStatus.
+ * Use `create(InvitationStatusSchema)` to create a new message.
+ */
+export const InvitationStatusSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_invitation_v1_api, 1);
+/**
+ * Describes the message ai.stigmer.iam.invitation.v1.InvitationRedemption.
+ * Use `create(InvitationRedemptionSchema)` to create a new message.
+ */
+export const InvitationRedemptionSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_invitation_v1_api, 2);
+//# sourceMappingURL=api_pb.js.map

package/ai/stigmer/iam/invitation/v1/api_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/invitation/v1/api_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,oHAAoH;AACpH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,4CAA4C,EAAE,MAAM,0CAA0C,CAAC;AAExG,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,sCAAsC,EAAE,MAAM,WAAW,CAAC;AAEnE,OAAO,EAAE,sCAAsC,EAAE,MAAM,WAAW,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAErF,OAAO,EAAE,8BAA8B,EAAE,MAAM,wBAAwB,CAAC;AAGxE;;GAEG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAAY,aAAa,CACzE,QAAQ,CAAC,69BAA69B,EAAE,CAAC,4CAA4C,EAAE,0CAA0C,EAAE,sCAAsC,EAAE,sCAAsC,EAAE,0BAA0B,EAAE,8BAA8B,CAAC,CAAC,CAAC;AAuDltC;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA2B,aAAa,CACnE,WAAW,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;AA8CxD;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;AAuBxD;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/invitation/v1/command_connect.d.ts

@@ -0,0 +1,79 @@
+/**
+ * InvitationCommandController handles write operations for invitations.
+ *
+ * @generated from service ai.stigmer.iam.invitation.v1.InvitationCommandController
+ */
+export declare const InvitationCommandController: {
+    readonly typeName: "ai.stigmer.iam.invitation.v1.InvitationCommandController";
+    readonly methods: {
+        /**
+         * Create an invitation link for an organization.
+         *
+         * Generates a cryptographically random token and returns the full
+         * invitation resource including the token. The invite URL is
+         * constructed as: https://<host>/invite/<token>
+         *
+         * The specified role must be in the organization's grantable_roles.
+         * Platform-managed organizations cannot create invitations.
+         *
+         * @internal
+         * Authorization: Requires can_grant_access permission on the organization.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.create
+         */
+        readonly create: {
+            readonly name: "create";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Revoke an active invitation, preventing further redemptions.
+         *
+         * Sets the invitation state to revoked. Idempotent — revoking an
+         * already-revoked invitation is a no-op.
+         *
+         * @internal
+         * Authorization is handled in the handler: loads the invitation,
+         * resolves its organization, and checks can_grant_access on the org.
+         * Proto-level auth is skipped because the input (InvitationId) does
+         * not directly identify the org.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.revoke
+         */
+        readonly revoke: {
+            readonly name: "revoke";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Redeem an invitation to join an organization.
+         *
+         * Creates an IAM policy granting the invitation's configured role to
+         * the authenticated user on the invitation's organization. The
+         * redemption is atomic: the IAM policy is created and the redemption
+         * count is incremented in a single operation.
+         *
+         * Validation:
+         * - Invitation must be in active state
+         * - Invitation must not be expired
+         * - Invitation must not have reached max_redemptions (if > 0)
+         * - Redeemer must not already be a member of the organization
+         *
+         * @internal
+         * Authorization: The token itself is the authorization mechanism.
+         * The redeemer's identity is resolved from the authentication header.
+         * FGA authorization is skipped — any authenticated user with a valid
+         * token can redeem.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.redeem
+         */
+        readonly redeem: {
+            readonly name: "redeem";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+    };
+};

package/ai/stigmer/iam/invitation/v1/command_connect.js

@@ -0,0 +1,85 @@
+// @generated by protoc-gen-connect-es v1.6.1 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/invitation/v1/command.proto (package ai.stigmer.iam.invitation.v1, syntax proto3)
+/* eslint-disable */
+// @ts-nocheck
+import { MethodKind } from "@bufbuild/protobuf";
+/**
+ * InvitationCommandController handles write operations for invitations.
+ *
+ * @generated from service ai.stigmer.iam.invitation.v1.InvitationCommandController
+ */
+export const InvitationCommandController = {
+    typeName: "ai.stigmer.iam.invitation.v1.InvitationCommandController",
+    methods: {
+        /**
+         * Create an invitation link for an organization.
+         *
+         * Generates a cryptographically random token and returns the full
+         * invitation resource including the token. The invite URL is
+         * constructed as: https://<host>/invite/<token>
+         *
+         * The specified role must be in the organization's grantable_roles.
+         * Platform-managed organizations cannot create invitations.
+         *
+         * @internal
+         * Authorization: Requires can_grant_access permission on the organization.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.create
+         */
+        create: {
+            name: "create",
+            I: Invitation,
+            O: Invitation,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Revoke an active invitation, preventing further redemptions.
+         *
+         * Sets the invitation state to revoked. Idempotent — revoking an
+         * already-revoked invitation is a no-op.
+         *
+         * @internal
+         * Authorization is handled in the handler: loads the invitation,
+         * resolves its organization, and checks can_grant_access on the org.
+         * Proto-level auth is skipped because the input (InvitationId) does
+         * not directly identify the org.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.revoke
+         */
+        revoke: {
+            name: "revoke",
+            I: InvitationId,
+            O: Invitation,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Redeem an invitation to join an organization.
+         *
+         * Creates an IAM policy granting the invitation's configured role to
+         * the authenticated user on the invitation's organization. The
+         * redemption is atomic: the IAM policy is created and the redemption
+         * count is incremented in a single operation.
+         *
+         * Validation:
+         * - Invitation must be in active state
+         * - Invitation must not be expired
+         * - Invitation must not have reached max_redemptions (if > 0)
+         * - Redeemer must not already be a member of the organization
+         *
+         * @internal
+         * Authorization: The token itself is the authorization mechanism.
+         * The redeemer's identity is resolved from the authentication header.
+         * FGA authorization is skipped — any authenticated user with a valid
+         * token can redeem.
+         *
+         * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.redeem
+         */
+        redeem: {
+            name: "redeem",
+            I: RedeemInvitationInput,
+            O: Invitation,
+            kind: MethodKind.Unary,
+        },
+    }
+};
+//# sourceMappingURL=command_connect.js.map

package/ai/stigmer/iam/invitation/v1/command_connect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/invitation/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,wHAAwH;AACxH,oBAAoB;AACpB,cAAc;AAGd,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC,QAAQ,EAAE,0DAA0D;IACpE,OAAO,EAAE;QACP;;;;;;;;;;;;;;WAcG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,UAAU;YACb,CAAC,EAAE,UAAU;YACb,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;WAaG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,YAAY;YACf,CAAC,EAAE,UAAU;YACb,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;WAqBG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,qBAAqB;YACxB,CAAC,EAAE,UAAU;YACb,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/invitation/v1/command_pb.d.ts

@@ -0,0 +1,80 @@
+import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
+import type { InvitationSchema } from "./api_pb";
+import type { InvitationIdSchema, RedeemInvitationInputSchema } from "./io_pb";
+/**
+ * Describes the file ai/stigmer/iam/invitation/v1/command.proto.
+ */
+export declare const file_ai_stigmer_iam_invitation_v1_command: GenFile;
+/**
+ * InvitationCommandController handles write operations for invitations.
+ *
+ * @generated from service ai.stigmer.iam.invitation.v1.InvitationCommandController
+ */
+export declare const InvitationCommandController: GenService<{
+    /**
+     * Create an invitation link for an organization.
+     *
+     * Generates a cryptographically random token and returns the full
+     * invitation resource including the token. The invite URL is
+     * constructed as: https://<host>/invite/<token>
+     *
+     * The specified role must be in the organization's grantable_roles.
+     * Platform-managed organizations cannot create invitations.
+     *
+     * @internal
+     * Authorization: Requires can_grant_access permission on the organization.
+     *
+     * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.create
+     */
+    create: {
+        methodKind: "unary";
+        input: typeof InvitationSchema;
+        output: typeof InvitationSchema;
+    };
+    /**
+     * Revoke an active invitation, preventing further redemptions.
+     *
+     * Sets the invitation state to revoked. Idempotent — revoking an
+     * already-revoked invitation is a no-op.
+     *
+     * @internal
+     * Authorization is handled in the handler: loads the invitation,
+     * resolves its organization, and checks can_grant_access on the org.
+     * Proto-level auth is skipped because the input (InvitationId) does
+     * not directly identify the org.
+     *
+     * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.revoke
+     */
+    revoke: {
+        methodKind: "unary";
+        input: typeof InvitationIdSchema;
+        output: typeof InvitationSchema;
+    };
+    /**
+     * Redeem an invitation to join an organization.
+     *
+     * Creates an IAM policy granting the invitation's configured role to
+     * the authenticated user on the invitation's organization. The
+     * redemption is atomic: the IAM policy is created and the redemption
+     * count is incremented in a single operation.
+     *
+     * Validation:
+     * - Invitation must be in active state
+     * - Invitation must not be expired
+     * - Invitation must not have reached max_redemptions (if > 0)
+     * - Redeemer must not already be a member of the organization
+     *
+     * @internal
+     * Authorization: The token itself is the authorization mechanism.
+     * The redeemer's identity is resolved from the authentication header.
+     * FGA authorization is skipped — any authenticated user with a valid
+     * token can redeem.
+     *
+     * @generated from rpc ai.stigmer.iam.invitation.v1.InvitationCommandController.redeem
+     */
+    redeem: {
+        methodKind: "unary";
+        input: typeof RedeemInvitationInputSchema;
+        output: typeof InvitationSchema;
+    };
+}>;

package/ai/stigmer/iam/invitation/v1/command_pb.js

@@ -0,0 +1,19 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/invitation/v1/command.proto (package ai.stigmer.iam.invitation.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
+import { file_ai_stigmer_iam_invitation_v1_api } from "./api_pb";
+import { file_ai_stigmer_iam_invitation_v1_io } from "./io_pb";
+/**
+ * Describes the file ai/stigmer/iam/invitation/v1/command.proto.
+ */
+export const file_ai_stigmer_iam_invitation_v1_command = /*@__PURE__*/ fileDesc("CiphaS9zdGlnbWVyL2lhbS9pbnZpdGF0aW9uL3YxL2NvbW1hbmQucHJvdG8SHGFpLnN0aWdtZXIuaWFtLmludml0YXRpb24udjEypwMKG0ludml0YXRpb25Db21tYW5kQ29udHJvbGxlchKsAQoGY3JlYXRlEiguYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MS5JbnZpdGF0aW9uGiguYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MS5JbnZpdGF0aW9uIk7CuBhKCAQQHiIMbWV0YWRhdGEub3JnKjZ1bmF1dGhvcml6ZWQgdG8gY3JlYXRlIGludml0YXRpb24gaW4gdGhpcyBvcmdhbml6YXRpb24SZAoGcmV2b2tlEiouYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MS5JbnZpdGF0aW9uSWQaKC5haS5zdGlnbWVyLmlhbS5pbnZpdGF0aW9uLnYxLkludml0YXRpb24iBNC4GAESbQoGcmVkZWVtEjMuYWkuc3RpZ21lci5pYW0uaW52aXRhdGlvbi52MS5SZWRlZW1JbnZpdGF0aW9uSW5wdXQaKC5haS5zdGlnbWVyLmlhbS5pbnZpdGF0aW9uLnYxLkludml0YXRpb24iBNC4GAEaBKD/KxRiBnByb3RvMw", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_invitation_v1_api, file_ai_stigmer_iam_invitation_v1_io]);
+/**
+ * InvitationCommandController handles write operations for invitations.
+ *
+ * @generated from service ai.stigmer.iam.invitation.v1.InvitationCommandController
+ */
+export const InvitationCommandController = /*@__PURE__*/ serviceDesc(file_ai_stigmer_iam_invitation_v1_command, 0);
+//# sourceMappingURL=command_pb.js.map

package/ai/stigmer/iam/invitation/v1/command_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/invitation/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,wHAAwH;AACxH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,qCAAqC,EAAE,MAAM,UAAU,CAAC;AAEjE,OAAO,EAAE,oCAAoC,EAAE,MAAM,SAAS,CAAC;AAE/D;;GAEG;AACH,MAAM,CAAC,MAAM,yCAAyC,GAAY,aAAa,CAC7E,QAAQ,CAAC,wqBAAwqB,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,qCAAqC,EAAE,oCAAoC,CAAC,CAAC,CAAC;AAEz2B;;;;GAIG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAmEnC,aAAa,CAChB,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/invitation/v1/enum_pb.d.ts

@@ -0,0 +1,49 @@
+import type { GenEnum, GenFile } from "@bufbuild/protobuf/codegenv1";
+/**
+ * Describes the file ai/stigmer/iam/invitation/v1/enum.proto.
+ */
+export declare const file_ai_stigmer_iam_invitation_v1_enum: GenFile;
+/**
+ * InvitationState tracks the lifecycle of an invitation link.
+ *
+ * State transitions:
+ *   active -> expired       (system: past expires_at)
+ *   active -> revoked       (admin: explicit revocation)
+ *   active -> fully_redeemed (system: redemption_count >= max_redemptions)
+ *
+ * @generated from enum ai.stigmer.iam.invitation.v1.InvitationState
+ */
+export declare enum InvitationState {
+    /**
+     * @generated from enum value: invitation_state_unspecified = 0;
+     */
+    invitation_state_unspecified = 0,
+    /**
+     * The invitation is valid and can be redeemed.
+     *
+     * @generated from enum value: active = 1;
+     */
+    active = 1,
+    /**
+     * The invitation has passed its expires_at timestamp.
+     *
+     * @generated from enum value: expired = 2;
+     */
+    expired = 2,
+    /**
+     * An org admin explicitly revoked the invitation.
+     *
+     * @generated from enum value: revoked = 3;
+     */
+    revoked = 3,
+    /**
+     * The invitation reached its max_redemptions limit.
+     *
+     * @generated from enum value: fully_redeemed = 4;
+     */
+    fully_redeemed = 4
+}
+/**
+ * Describes the enum ai.stigmer.iam.invitation.v1.InvitationState.
+ */
+export declare const InvitationStateSchema: GenEnum<InvitationState>;