@stigmer/protos 0.0.86 → 0.0.88

package/ai/stigmer/iam/identityprovider/v1/spec_pb.d.ts

@@ -1,4 +1,5 @@
 import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { IamRole } from "../../v1/enum_pb";
 import type { Message } from "@bufbuild/protobuf";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/spec.proto.
@@ -13,9 +14,21 @@ export declare const file_ai_stigmer_iam_identityprovider_v1_spec: GenFile;
  * Stigmer validates the token signature against the configured JWKS and resolves the
  * user's federated identity account by the JWT's sub claim and this provider's reference.
  *
- * For platform-managed IdPs, the platform is responsible for explicitly creating
- * federated identity accounts before users can authenticate. For SSO providers
- * (is_sso_provider = true), Stigmer auto-provisions accounts on first login.
+ * Three provisioning modes control how federated accounts are created:
+ *
+ *   1. Manual (default): The platform explicitly creates federated accounts
+ *      via CreateFederatedAccount and manages IAM policies. No accounts are
+ *      created automatically.
+ *
+ *   2. JIT (Just-In-Time): When auto_provision_accounts is true, Stigmer
+ *      creates an IdentityAccount from JWT claims on first authentication.
+ *      Authorization is controlled independently via auto_grant_on_org and
+ *      auto_grant_role. For multi-tenant platforms, tenant_org_claim maps
+ *      a JWT claim to a platform-managed organization for automatic role grants.
+ *
+ *   3. SSO: When is_sso_provider is true, Stigmer auto-provisions accounts
+ *      and grants viewer on the organization. This mode also enables the OIDC
+ *      browser login flow via oidc_client_id.
  *
  * The spec contains only public validation configuration — no secrets are stored.
  * For OIDC-based integrators (e.g., Auth0), the jwks_uri and userinfo_endpoint
@@ -35,6 +48,40 @@ export declare const file_ai_stigmer_iam_identityprovider_v1_spec: GenFile;
  *     expected_audience: "https://api.planton.ai/"
  *     userinfo_endpoint: "https://planton-prod.us.auth0.com/userinfo"
  *
+ * Example YAML (JIT provisioning, single-org):
+ *   apiVersion: iam.stigmer.ai/v1
+ *   kind: IdentityProvider
+ *   metadata:
+ *     name: Acme Platform
+ *     slug: acme-platform
+ *     org: acme
+ *   spec:
+ *     display_name: "Acme Platform"
+ *     jwks_uri: "https://auth.acme.com/.well-known/jwks.json"
+ *     allowed_issuers: ["https://auth.acme.com/"]
+ *     expected_audience: "stigmer-api"
+ *     userinfo_endpoint: "https://auth.acme.com/userinfo"
+ *     auto_provision_accounts: true
+ *     auto_grant_on_org: true
+ *
+ * Example YAML (JIT provisioning, multi-tenant):
+ *   apiVersion: iam.stigmer.ai/v1
+ *   kind: IdentityProvider
+ *   metadata:
+ *     name: SaaS Platform
+ *     slug: saas-platform
+ *     org: saas-co
+ *   spec:
+ *     display_name: "SaaS Platform"
+ *     jwks_uri: "https://auth.saas.co/.well-known/jwks.json"
+ *     allowed_issuers: ["https://auth.saas.co/"]
+ *     expected_audience: "stigmer-api"
+ *     userinfo_endpoint: "https://auth.saas.co/userinfo"
+ *     auto_provision_accounts: true
+ *     auto_grant_on_org: true
+ *     auto_grant_role: member
+ *     tenant_org_claim: "org_id"
+ *
  * Example YAML (self-managed SSO):
  *   apiVersion: iam.stigmer.ai/v1
  *   kind: IdentityProvider
@@ -151,6 +198,107 @@ export type IdentityProviderSpec = Message<"ai.stigmer.iam.identityprovider.v1.I
      * @generated from field: string oidc_client_id = 8;
      */
     oidcClientId: string;
+    /**
+     * Whether to automatically create a federated identity account when a valid
+     * JWT arrives but no account exists for the token's sub claim.
+     *
+     * This controls identity provisioning — establishing that Stigmer recognizes
+     * this user — and is independent of what access the user receives. An
+     * auto-provisioned account has no organization access by default; authorization
+     * is controlled separately by auto_grant_on_org.
+     *
+     * When false (default), the platform must explicitly create federated accounts
+     * via the CreateFederatedAccount API before users can authenticate. This gives
+     * platforms full control over which of their users can access Stigmer resources.
+     *
+     * When true, Stigmer creates the IdentityAccount automatically on first
+     * authentication, using profile data from the JWT claims and the
+     * userinfo_endpoint (if configured). Subsequent authentications refresh
+     * the profile data.
+     *
+     * This field is independent of is_sso_provider. SSO providers always
+     * auto-provision accounts regardless of this setting. For non-SSO identity
+     * providers (platform delegation), this field enables JIT provisioning
+     * without requiring the OIDC browser flow.
+     *
+     * @generated from field: bool auto_provision_accounts = 9;
+     */
+    autoProvisionAccounts: boolean;
+    /**
+     * Whether to automatically grant a role on an organization when an account
+     * is auto-provisioned.
+     *
+     * This controls authorization — determining what access an auto-provisioned
+     * user receives — and is separate from the identity provisioning decision
+     * controlled by auto_provision_accounts.
+     *
+     * When false (default), auto-provisioned accounts receive no organization
+     * access. The platform must create IAM policies to grant access to specific
+     * organizations. This is the appropriate setting for multi-tenant platforms
+     * where users should only access their tenant organization, not the
+     * platform's root organization.
+     *
+     * When true, Stigmer grants auto_grant_role (default: viewer) on the IdP's
+     * owning organization immediately after account creation. This is the
+     * appropriate setting for single-organization platforms where all
+     * authenticated users should have access to the same organization.
+     *
+     * When tenant_org_claim is also set, the role grant targets the resolved
+     * tenant organization instead of the IdP's owning organization.
+     *
+     * Requires auto_provision_accounts to be true.
+     *
+     * @generated from field: bool auto_grant_on_org = 10;
+     */
+    autoGrantOnOrg: boolean;
+    /**
+     * The role to grant when auto_grant_on_org is true.
+     *
+     * Defaults to viewer when unspecified (iam_role_unspecified). The owner role
+     * is not permitted — organization ownership must be assigned explicitly.
+     *
+     * This field is only meaningful when auto_grant_on_org is true. When
+     * auto_grant_on_org is false, this field is ignored regardless of its value.
+     *
+     * Common configurations:
+     *   - viewer (default): Users can browse resources but cannot modify them.
+     *     Org admins upgrade to member or admin when ready.
+     *   - member: Users can immediately create and modify resources.
+     *     Appropriate when all authenticated users are trusted collaborators.
+     *
+     * @generated from field: ai.stigmer.iam.v1.IamRole auto_grant_role = 11;
+     */
+    autoGrantRole: IamRole;
+    /**
+     * Name of the JWT claim that identifies the tenant organization for
+     * multi-tenant provisioning.
+     *
+     * When set, Stigmer extracts this claim from the JWT payload and resolves
+     * it to a platform-managed organization. The resolution algorithm:
+     *
+     *   1. Read the claim value from the JWT (e.g., claim "org_id" yields
+     *      value "tenant-123").
+     *   2. Look up the platform-managed organization where
+     *      identity_provider_ref matches this IdP and external_org_id matches
+     *      the claim value.
+     *   3. If auto_grant_on_org is true, grant auto_grant_role on the resolved
+     *      organization instead of the IdP's owning organization.
+     *
+     * This enables fully automated multi-tenant provisioning: a platform JWT
+     * with a tenant claim works end-to-end without any backend provisioning
+     * steps. The platform only needs to pre-create the tenant organizations
+     * with their external_org_id mappings.
+     *
+     * Requires auto_provision_accounts to be true. The claim name is
+     * case-sensitive and must match the JWT payload key exactly.
+     *
+     * If the JWT does not contain this claim, or the claim value does not
+     * resolve to a known platform-managed organization, the authentication
+     * request is rejected with a descriptive error.
+     *
+     * @generated from field: string tenant_org_claim = 12;
+     */
+    tenantOrgClaim: string;
 };
 /**
  * Describes the message ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec.

package/ai/stigmer/iam/identityprovider/v1/spec_pb.js

@@ -2,11 +2,12 @@
 // @generated from file ai/stigmer/iam/identityprovider/v1/spec.proto (package ai.stigmer.iam.identityprovider.v1, syntax proto3)
 /* eslint-disable */
 import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_iam_v1_enum } from "../../v1/enum_pb";
 import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
 /**
  * Describes the file ai/stigmer/iam/identityprovider/v1/spec.proto.
  */
-export const file_ai_stigmer_iam_identityprovider_v1_spec = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3NwZWMucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEiiwIKFElkZW50aXR5UHJvdmlkZXJTcGVjEh4KDGRpc3BsYXlfbmFtZRgBIAEoCUIIukgFcgMYyAESGgoIandrc191cmkYAiABKAlCCLpIBXIDGIAQEhcKD2FsbG93ZWRfaXNzdWVycxgDIAMoCRIjChFleHBlY3RlZF9hdWRpZW5jZRgEIAEoCUIIukgFcgMYyAESGQoRcmF0ZV9saW1pdF9idWRnZXQYBSABKAUSIwoRdXNlcmluZm9fZW5kcG9pbnQYBiABKAlCCLpIBXIDGIAQEhcKD2lzX3Nzb19wcm92aWRlchgHIAEoCBIgCg5vaWRjX2NsaWVudF9pZBgIIAEoCUIIukgFcgMYgAJiBnByb3RvMw", [file_buf_validate_validate]);
+export const file_ai_stigmer_iam_identityprovider_v1_spec = /*@__PURE__*/ fileDesc("Ci1haS9zdGlnbWVyL2lhbS9pZGVudGl0eXByb3ZpZGVyL3YxL3NwZWMucHJvdG8SImFpLnN0aWdtZXIuaWFtLmlkZW50aXR5cHJvdmlkZXIudjEioAMKFElkZW50aXR5UHJvdmlkZXJTcGVjEh4KDGRpc3BsYXlfbmFtZRgBIAEoCUIIukgFcgMYyAESGgoIandrc191cmkYAiABKAlCCLpIBXIDGIAQEhcKD2FsbG93ZWRfaXNzdWVycxgDIAMoCRIjChFleHBlY3RlZF9hdWRpZW5jZRgEIAEoCUIIukgFcgMYyAESGQoRcmF0ZV9saW1pdF9idWRnZXQYBSABKAUSIwoRdXNlcmluZm9fZW5kcG9pbnQYBiABKAlCCLpIBXIDGIAQEhcKD2lzX3Nzb19wcm92aWRlchgHIAEoCBIgCg5vaWRjX2NsaWVudF9pZBgIIAEoCUIIukgFcgMYgAISHwoXYXV0b19wcm92aXNpb25fYWNjb3VudHMYCSABKAgSGQoRYXV0b19ncmFudF9vbl9vcmcYCiABKAgSMwoPYXV0b19ncmFudF9yb2xlGAsgASgOMhouYWkuc3RpZ21lci5pYW0udjEuSWFtUm9sZRIiChB0ZW5hbnRfb3JnX2NsYWltGAwgASgJQgi6SAVyAxiAAmIGcHJvdG8z", [file_ai_stigmer_iam_v1_enum, file_buf_validate_validate]);
 /**
  * Describes the message ai.stigmer.iam.identityprovider.v1.IdentityProviderSpec.
  * Use `create(IdentityProviderSpecSchema)` to create a new message.

package/ai/stigmer/iam/identityprovider/v1/spec_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,iIAAiI;AACjI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,oeAAoe,EAAE,CAAC,0BAA0B,CAAC,CAAC,CAAC;AA8J/gB;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityprovider/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,iIAAiI;AACjI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,4CAA4C,GAAY,aAAa,CAChF,QAAQ,CAAC,0qBAA0qB,EAAE,CAAC,2BAA2B,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAqTlvB;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stigmer/protos",
-  "version": "0.0.86",
+  "version": "0.0.88",
   "description": "Generated TypeScript protobuf stubs for Stigmer APIs",
   "license": "Apache-2.0",
   "type": "module",