@stigmer/protos 0.0.88 → 0.0.90

package/ai/stigmer/iam/platformclient/v1/spec_pb.js

@@ -0,0 +1,17 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/spec.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_field_options } from "../../../commons/apiresource/field_options_pb";
+import { file_ai_stigmer_iam_v1_enum } from "../../v1/enum_pb";
+import { file_google_protobuf_timestamp } from "@bufbuild/protobuf/wkt";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/spec.proto.
+ */
+export const file_ai_stigmer_iam_platformclient_v1_spec = /*@__PURE__*/ fileDesc("CithaS9zdGlnbWVyL2lhbS9wbGF0Zm9ybWNsaWVudC92MS9zcGVjLnByb3RvEiBhaS5zdGlnbWVyLmlhbS5wbGF0Zm9ybWNsaWVudC52MSLCAgoSUGxhdGZvcm1DbGllbnRTcGVjEhcKCWNsaWVudF9pZBgBIAEoCUIEyIUsARIgChJjbGllbnRfc2VjcmV0X2hhc2gYAiABKAlCBMiFLAESIAoSc2VjcmV0X2ZpbmdlcnByaW50GAMgASgJQgTIhSwBEi4KCmV4cGlyZXNfYXQYBCABKAsyGi5nb29nbGUucHJvdG9idWYuVGltZXN0YW1wEhUKDW5ldmVyX2V4cGlyZXMYBSABKAgSHwoXYXV0b19wcm92aXNpb25fYWNjb3VudHMYBiABKAgSGQoRYXV0b19ncmFudF9vbl9vcmcYByABKAgSMwoPYXV0b19ncmFudF9yb2xlGAggASgOMhouYWkuc3RpZ21lci5pYW0udjEuSWFtUm9sZRIXCg9hbGxvd2VkX29yaWdpbnMYCSADKAliBnByb3RvMw", [file_ai_stigmer_commons_apiresource_field_options, file_ai_stigmer_iam_v1_enum, file_google_protobuf_timestamp]);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClientSpec.
+ * Use `create(PlatformClientSpecSchema)` to create a new message.
+ */
+export const PlatformClientSpecSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_spec, 0);
+//# sourceMappingURL=spec_pb.js.map

package/ai/stigmer/iam/platformclient/v1/spec_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,6HAA6H;AAC7H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,iDAAiD,EAAE,MAAM,+CAA+C,CAAC;AAElH,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,8BAA8B,EAAE,MAAM,wBAAwB,CAAC;AAGxE;;GAEG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAY,aAAa,CAC9E,QAAQ,CAAC,wiBAAwiB,EAAE,CAAC,iDAAiD,EAAE,2BAA2B,EAAE,8BAA8B,CAAC,CAAC,CAAC;AA8JvqB;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAmC,aAAa,CACnF,WAAW,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/platformclient/v1/token_connect.d.ts

@@ -0,0 +1,56 @@
+/**
+ * PlatformClientTokenController provides token-minting operations for
+ * platform builders embedding Stigmer into their products.
+ *
+ * This service is distinct from the CRUD controllers — it does not manage
+ * a resource lifecycle. Instead, it issues Stigmer-signed JWTs on behalf
+ * of platform builder users, authenticated via PlatformClient credentials
+ * (client_id + client_secret).
+ *
+ * The minted JWT is signed by Stigmer's own key pair (not Auth0). The auth
+ * chain validates these tokens via a dedicated PlatformClientTokenAuthenticationProvider
+ * that checks the Stigmer-issued signature and resolves the identity account.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientTokenController
+ */
+export declare const PlatformClientTokenController: {
+    readonly typeName: "ai.stigmer.iam.platformclient.v1.PlatformClientTokenController";
+    readonly methods: {
+        /**
+         * Mint a user-scoped JWT for browser-based access to Stigmer resources.
+         *
+         * The platform builder's backend calls this RPC with its PlatformClient
+         * credentials (client_id + client_secret) and the end user's identity.
+         * Stigmer validates the credentials, optionally JIT-provisions the user's
+         * identity account, and returns a Stigmer-signed JWT.
+         *
+         * The returned JWT can be used by the React SDK (via StigmerProvider's
+         * getAccessToken callback) to authenticate API calls from the browser.
+         *
+         * Authentication flow:
+         * 1. Validate client_id + client_secret against stored hash
+         * 2. Resolve or JIT-provision the identity account for user_id
+         * 3. If auto_grant_on_org is enabled, grant the configured role
+         * 4. Sign a JWT with Stigmer's private key containing the user's identity
+         *
+         * Error scenarios:
+         * - UNAUTHENTICATED: Invalid client_id or client_secret
+         * - NOT_FOUND: user_id does not exist and auto_provision_accounts is false
+         * - FAILED_PRECONDITION: PlatformClient secret has expired
+         * - PERMISSION_DENIED: Origin not in allowed_origins (when configured)
+         *
+         * @internal
+         * This RPC is public — no Bearer token is required. The caller authenticates
+         * by providing client_id + client_secret in the request body. The handler
+         * validates these credentials as business logic, not via the auth interceptor.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientTokenController.mintUserToken
+         */
+        readonly mintUserToken: {
+            readonly name: "mintUserToken";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+    };
+};

package/ai/stigmer/iam/platformclient/v1/token_connect.js

@@ -0,0 +1,62 @@
+// @generated by protoc-gen-connect-es v1.6.1 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/token.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+// @ts-nocheck
+import { MethodKind } from "@bufbuild/protobuf";
+/**
+ * PlatformClientTokenController provides token-minting operations for
+ * platform builders embedding Stigmer into their products.
+ *
+ * This service is distinct from the CRUD controllers — it does not manage
+ * a resource lifecycle. Instead, it issues Stigmer-signed JWTs on behalf
+ * of platform builder users, authenticated via PlatformClient credentials
+ * (client_id + client_secret).
+ *
+ * The minted JWT is signed by Stigmer's own key pair (not Auth0). The auth
+ * chain validates these tokens via a dedicated PlatformClientTokenAuthenticationProvider
+ * that checks the Stigmer-issued signature and resolves the identity account.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientTokenController
+ */
+export const PlatformClientTokenController = {
+    typeName: "ai.stigmer.iam.platformclient.v1.PlatformClientTokenController",
+    methods: {
+        /**
+         * Mint a user-scoped JWT for browser-based access to Stigmer resources.
+         *
+         * The platform builder's backend calls this RPC with its PlatformClient
+         * credentials (client_id + client_secret) and the end user's identity.
+         * Stigmer validates the credentials, optionally JIT-provisions the user's
+         * identity account, and returns a Stigmer-signed JWT.
+         *
+         * The returned JWT can be used by the React SDK (via StigmerProvider's
+         * getAccessToken callback) to authenticate API calls from the browser.
+         *
+         * Authentication flow:
+         * 1. Validate client_id + client_secret against stored hash
+         * 2. Resolve or JIT-provision the identity account for user_id
+         * 3. If auto_grant_on_org is enabled, grant the configured role
+         * 4. Sign a JWT with Stigmer's private key containing the user's identity
+         *
+         * Error scenarios:
+         * - UNAUTHENTICATED: Invalid client_id or client_secret
+         * - NOT_FOUND: user_id does not exist and auto_provision_accounts is false
+         * - FAILED_PRECONDITION: PlatformClient secret has expired
+         * - PERMISSION_DENIED: Origin not in allowed_origins (when configured)
+         *
+         * @internal
+         * This RPC is public — no Bearer token is required. The caller authenticates
+         * by providing client_id + client_secret in the request body. The handler
+         * validates these credentials as business logic, not via the auth interceptor.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientTokenController.mintUserToken
+         */
+        mintUserToken: {
+            name: "mintUserToken",
+            I: MintUserTokenRequest,
+            O: MintUserTokenResponse,
+            kind: MethodKind.Unary,
+        },
+    }
+};
+//# sourceMappingURL=token_connect.js.map

package/ai/stigmer/iam/platformclient/v1/token_connect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/token_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,8HAA8H;AAC9H,oBAAoB;AACpB,cAAc;AAGd,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,QAAQ,EAAE,gEAAgE;IAC1E,OAAO,EAAE;QACP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA6BG;QACH,aAAa,EAAE;YACb,IAAI,EAAE,eAAe;YACrB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,qBAAqB;YACxB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/platformclient/v1/token_pb.d.ts

@@ -0,0 +1,155 @@
+import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/token.proto.
+ */
+export declare const file_ai_stigmer_iam_platformclient_v1_token: GenFile;
+/**
+ * MintUserTokenRequest contains the credentials and user identity needed
+ * to mint a Stigmer JWT.
+ *
+ * Called from the platform builder's backend — never from a browser.
+ * The client_secret must be transmitted over TLS and never exposed in
+ * client-side code.
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.MintUserTokenRequest
+ */
+export type MintUserTokenRequest = Message<"ai.stigmer.iam.platformclient.v1.MintUserTokenRequest"> & {
+    /**
+     * The PlatformClient's client identifier (stgm_cid_ prefix).
+     * Used together with client_secret to authenticate the request.
+     *
+     * @generated from field: string client_id = 1;
+     */
+    clientId: string;
+    /**
+     * The raw client secret (stgm_cs_ prefix).
+     * Validated against the stored client_secret_hash.
+     *
+     * @generated from field: string client_secret = 2;
+     */
+    clientSecret: string;
+    /**
+     * Platform's stable user identifier for the end user. Used together with
+     * the PlatformClient's owning org to resolve or create an IdentityAccount
+     * (keyed as "stgm_pc|{org}|{user_id}").
+     *
+     * Must be unique and stable within the org — the same user_id presented
+     * via any PlatformClient in the same org resolves to the same identity.
+     * Changing this value for the same user creates a new identity account.
+     *
+     * @generated from field: string user_id = 3;
+     */
+    userId: string;
+    /**
+     * User's email address. Used for profile enrichment when JIT-provisioning
+     * an identity account. Updated on each token mint if the account exists.
+     *
+     * @generated from field: string user_email = 4;
+     */
+    userEmail: string;
+    /**
+     * User's display name. Used for profile enrichment when JIT-provisioning
+     * an identity account. Updated on each token mint if the account exists.
+     *
+     * @generated from field: string user_name = 5;
+     */
+    userName: string;
+    /**
+     * Optional organization to scope the minted token to.
+     * When set, the JWT's claims include this org context, and the user must
+     * have access to this organization. When empty, the token is scoped to
+     * the PlatformClient's owning organization.
+     *
+     * @generated from field: string org_id = 6;
+     */
+    orgId: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.MintUserTokenRequest.
+ * Use `create(MintUserTokenRequestSchema)` to create a new message.
+ */
+export declare const MintUserTokenRequestSchema: GenMessage<MintUserTokenRequest>;
+/**
+ * MintUserTokenResponse contains the Stigmer-signed JWT and its metadata.
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.MintUserTokenResponse
+ */
+export type MintUserTokenResponse = Message<"ai.stigmer.iam.platformclient.v1.MintUserTokenResponse"> & {
+    /**
+     * Stigmer-signed JWT for authenticating browser-based API calls.
+     * Pass this to the React SDK's StigmerProvider via getAccessToken.
+     *
+     * @generated from field: string access_token = 1;
+     */
+    accessToken: string;
+    /**
+     * Token type. Always "Bearer".
+     *
+     * @generated from field: string token_type = 2;
+     */
+    tokenType: string;
+    /**
+     * Token lifetime in seconds from the time of issuance.
+     *
+     * @generated from field: int32 expires_in = 3;
+     */
+    expiresIn: number;
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.MintUserTokenResponse.
+ * Use `create(MintUserTokenResponseSchema)` to create a new message.
+ */
+export declare const MintUserTokenResponseSchema: GenMessage<MintUserTokenResponse>;
+/**
+ * PlatformClientTokenController provides token-minting operations for
+ * platform builders embedding Stigmer into their products.
+ *
+ * This service is distinct from the CRUD controllers — it does not manage
+ * a resource lifecycle. Instead, it issues Stigmer-signed JWTs on behalf
+ * of platform builder users, authenticated via PlatformClient credentials
+ * (client_id + client_secret).
+ *
+ * The minted JWT is signed by Stigmer's own key pair (not Auth0). The auth
+ * chain validates these tokens via a dedicated PlatformClientTokenAuthenticationProvider
+ * that checks the Stigmer-issued signature and resolves the identity account.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientTokenController
+ */
+export declare const PlatformClientTokenController: GenService<{
+    /**
+     * Mint a user-scoped JWT for browser-based access to Stigmer resources.
+     *
+     * The platform builder's backend calls this RPC with its PlatformClient
+     * credentials (client_id + client_secret) and the end user's identity.
+     * Stigmer validates the credentials, optionally JIT-provisions the user's
+     * identity account, and returns a Stigmer-signed JWT.
+     *
+     * The returned JWT can be used by the React SDK (via StigmerProvider's
+     * getAccessToken callback) to authenticate API calls from the browser.
+     *
+     * Authentication flow:
+     * 1. Validate client_id + client_secret against stored hash
+     * 2. Resolve or JIT-provision the identity account for user_id
+     * 3. If auto_grant_on_org is enabled, grant the configured role
+     * 4. Sign a JWT with Stigmer's private key containing the user's identity
+     *
+     * Error scenarios:
+     * - UNAUTHENTICATED: Invalid client_id or client_secret
+     * - NOT_FOUND: user_id does not exist and auto_provision_accounts is false
+     * - FAILED_PRECONDITION: PlatformClient secret has expired
+     * - PERMISSION_DENIED: Origin not in allowed_origins (when configured)
+     *
+     * @internal
+     * This RPC is public — no Bearer token is required. The caller authenticates
+     * by providing client_id + client_secret in the request body. The handler
+     * validates these credentials as business logic, not via the auth interceptor.
+     *
+     * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientTokenController.mintUserToken
+     */
+    mintUserToken: {
+        methodKind: "unary";
+        input: typeof MintUserTokenRequestSchema;
+        output: typeof MintUserTokenResponseSchema;
+    };
+}>;

package/ai/stigmer/iam/platformclient/v1/token_pb.js

@@ -0,0 +1,37 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/token.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
+import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/token.proto.
+ */
+export const file_ai_stigmer_iam_platformclient_v1_token = /*@__PURE__*/ fileDesc("CixhaS9zdGlnbWVyL2lhbS9wbGF0Zm9ybWNsaWVudC92MS90b2tlbi5wcm90bxIgYWkuc3RpZ21lci5pYW0ucGxhdGZvcm1jbGllbnQudjEiowEKFE1pbnRVc2VyVG9rZW5SZXF1ZXN0EhoKCWNsaWVudF9pZBgBIAEoCUIHukgEcgIQARIeCg1jbGllbnRfc2VjcmV0GAIgASgJQge6SARyAhABEhgKB3VzZXJfaWQYAyABKAlCB7pIBHICEAESEgoKdXNlcl9lbWFpbBgEIAEoCRIRCgl1c2VyX25hbWUYBSABKAkSDgoGb3JnX2lkGAYgASgJIlUKFU1pbnRVc2VyVG9rZW5SZXNwb25zZRIUCgxhY2Nlc3NfdG9rZW4YASABKAkSEgoKdG9rZW5fdHlwZRgCIAEoCRISCgpleHBpcmVzX2luGAMgASgFMqgBCh1QbGF0Zm9ybUNsaWVudFRva2VuQ29udHJvbGxlchKGAQoNbWludFVzZXJUb2tlbhI2LmFpLnN0aWdtZXIuaWFtLnBsYXRmb3JtY2xpZW50LnYxLk1pbnRVc2VyVG9rZW5SZXF1ZXN0GjcuYWkuc3RpZ21lci5pYW0ucGxhdGZvcm1jbGllbnQudjEuTWludFVzZXJUb2tlblJlc3BvbnNlIgTIuBgBYgZwcm90bzM", [file_ai_stigmer_commons_rpc_method_options, file_buf_validate_validate]);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.MintUserTokenRequest.
+ * Use `create(MintUserTokenRequestSchema)` to create a new message.
+ */
+export const MintUserTokenRequestSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_token, 0);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.MintUserTokenResponse.
+ * Use `create(MintUserTokenResponseSchema)` to create a new message.
+ */
+export const MintUserTokenResponseSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_token, 1);
+/**
+ * PlatformClientTokenController provides token-minting operations for
+ * platform builders embedding Stigmer into their products.
+ *
+ * This service is distinct from the CRUD controllers — it does not manage
+ * a resource lifecycle. Instead, it issues Stigmer-signed JWTs on behalf
+ * of platform builder users, authenticated via PlatformClient credentials
+ * (client_id + client_secret).
+ *
+ * The minted JWT is signed by Stigmer's own key pair (not Auth0). The auth
+ * chain validates these tokens via a dedicated PlatformClientTokenAuthenticationProvider
+ * that checks the Stigmer-issued signature and resolves the identity account.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientTokenController
+ */
+export const PlatformClientTokenController = /*@__PURE__*/ serviceDesc(file_ai_stigmer_iam_platformclient_v1_token, 0);
+//# sourceMappingURL=token_pb.js.map

package/ai/stigmer/iam/platformclient/v1/token_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/token_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,8HAA8H;AAC9H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAClF,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AACpG,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,6qBAA6qB,EAAE,CAAC,0CAA0C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAqEpwB;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC;AA+B9D;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAsC,aAAa,CACzF,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC;AAE9D;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAoCrC,aAAa,CAChB,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/v1/enum_pb.d.ts

@@ -84,6 +84,10 @@ export declare enum IamPermission {
      * @generated from enum value: can_create_oauth_app = 23;
      */
     can_create_oauth_app = 23,
+    /**
+     * @generated from enum value: can_create_platform_client = 24;
+     */
+    can_create_platform_client = 24,
     /**
      * Resource-level create permissions.
      *

package/ai/stigmer/iam/v1/enum_pb.js

@@ -5,7 +5,7 @@ import { enumDesc, fileDesc } from "@bufbuild/protobuf/codegenv1";
 /**
  * Describes the file ai/stigmer/iam/v1/enum.proto.
  */
-export const file_ai_stigmer_iam_v1_enum = /*@__PURE__*/ fileDesc("ChxhaS9zdGlnbWVyL2lhbS92MS9lbnVtLnByb3RvEhFhaS5zdGlnbWVyLmlhbS52MSq5BAoNSWFtUGVybWlzc2lvbhIPCgt1bnNwZWNpZmllZBAAEgwKCGNhbl92aWV3EAESDAoIY2FuX2VkaXQQAhIOCgpjYW5fZGVsZXRlEAMSFAoQY2FuX2dyYW50X2FjY2VzcxAEEhMKD2Nhbl92aWV3X2FjY2VzcxAFEhQKEGNhbl9jcmVhdGVfYWdlbnQQBhIXChNjYW5fY3JlYXRlX3dvcmtmbG93EAcSFgoSY2FuX2NyZWF0ZV9zZXNzaW9uEAgSFAoQY2FuX2NyZWF0ZV9za2lsbBAJEhYKEmNhbl9jcmVhdGVfcHJvamVjdBAKEhIKDmNhbl9jcmVhdGVfaWRwEAsSGgoWY2FuX2NyZWF0ZV9lbnZpcm9ubWVudBAMEh8KG2Nhbl9jcmVhdGVfaWRlbnRpdHlfYWNjb3VudBAVEhgKFGNhbl9jcmVhdGVfb2F1dGhfYXBwEBcSGwoXY2FuX2NyZWF0ZV9leGVjdXRpb25faW4QDRIXChNjYW5fY3JlYXRlX2luc3RhbmNlEA4SDwoLY2FuX2V4ZWN1dGUQDxIUChBjYW5fcmVhZF9zZWNyZXRzEBASFQoRY2FuX2Jvb3RzdHJhcF9pYW0QERIgChxjYW5fbWFuYWdlX2lkZW50aXR5X2FjY291bnRzEBISHwobY2FuX3VwZGF0ZV9leGVjdXRpb25fc3RhdHVzEBMSGAoUbG9naW5fdG9fYmFja19vZmZpY2UQFBIPCgtjYW5fY29ubmVjdBAWKlEKB0lhbVJvbGUSGAoUaWFtX3JvbGVfdW5zcGVjaWZpZWQQABIJCgVvd25lchABEgkKBWFkbWluEAISCgoGbWVtYmVyEAMSCgoGdmlld2VyEARiBnByb3RvMw");
+export const file_ai_stigmer_iam_v1_enum = /*@__PURE__*/ fileDesc("ChxhaS9zdGlnbWVyL2lhbS92MS9lbnVtLnByb3RvEhFhaS5zdGlnbWVyLmlhbS52MSrZBAoNSWFtUGVybWlzc2lvbhIPCgt1bnNwZWNpZmllZBAAEgwKCGNhbl92aWV3EAESDAoIY2FuX2VkaXQQAhIOCgpjYW5fZGVsZXRlEAMSFAoQY2FuX2dyYW50X2FjY2VzcxAEEhMKD2Nhbl92aWV3X2FjY2VzcxAFEhQKEGNhbl9jcmVhdGVfYWdlbnQQBhIXChNjYW5fY3JlYXRlX3dvcmtmbG93EAcSFgoSY2FuX2NyZWF0ZV9zZXNzaW9uEAgSFAoQY2FuX2NyZWF0ZV9za2lsbBAJEhYKEmNhbl9jcmVhdGVfcHJvamVjdBAKEhIKDmNhbl9jcmVhdGVfaWRwEAsSGgoWY2FuX2NyZWF0ZV9lbnZpcm9ubWVudBAMEh8KG2Nhbl9jcmVhdGVfaWRlbnRpdHlfYWNjb3VudBAVEhgKFGNhbl9jcmVhdGVfb2F1dGhfYXBwEBcSHgoaY2FuX2NyZWF0ZV9wbGF0Zm9ybV9jbGllbnQQGBIbChdjYW5fY3JlYXRlX2V4ZWN1dGlvbl9pbhANEhcKE2Nhbl9jcmVhdGVfaW5zdGFuY2UQDhIPCgtjYW5fZXhlY3V0ZRAPEhQKEGNhbl9yZWFkX3NlY3JldHMQEBIVChFjYW5fYm9vdHN0cmFwX2lhbRAREiAKHGNhbl9tYW5hZ2VfaWRlbnRpdHlfYWNjb3VudHMQEhIfChtjYW5fdXBkYXRlX2V4ZWN1dGlvbl9zdGF0dXMQExIYChRsb2dpbl90b19iYWNrX29mZmljZRAUEg8KC2Nhbl9jb25uZWN0EBYqUQoHSWFtUm9sZRIYChRpYW1fcm9sZV91bnNwZWNpZmllZBAAEgkKBW93bmVyEAESCQoFYWRtaW4QAhIKCgZtZW1iZXIQAxIKCgZ2aWV3ZXIQBGIGcHJvdG8z");
 /**
  * IamPermission defines the permissions checked by the authorization
  * interceptor before an RPC handler executes.
@@ -88,6 +88,10 @@ export var IamPermission;
      * @generated from enum value: can_create_oauth_app = 23;
      */
     IamPermission[IamPermission["can_create_oauth_app"] = 23] = "can_create_oauth_app";
+    /**
+     * @generated from enum value: can_create_platform_client = 24;
+     */
+    IamPermission[IamPermission["can_create_platform_client"] = 24] = "can_create_platform_client";
     /**
      * Resource-level create permissions.
      *

package/ai/stigmer/iam/v1/enum_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"enum_pb.js","sourceRoot":"","sources":["../../../../../ai/stigmer/iam/v1/enum_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+FAA+F;AAC/F,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAY,aAAa,CAC/D,QAAQ,CAAC,w7BAAw7B,CAAC,CAAC;AAEr8B;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAN,IAAY,aA0IX;AA1ID,WAAY,aAAa;IACvB;;OAEG;IACH,+DAAe,CAAA;IAEf;;;;OAIG;IACH,yDAAY,CAAA;IAEZ;;OAEG;IACH,yDAAY,CAAA;IAEZ;;OAEG;IACH,6DAAc,CAAA;IAEd;;;;OAIG;IACH,yEAAoB,CAAA;IAEpB;;OAEG;IACH,uEAAmB,CAAA;IAEnB;;;;OAIG;IACH,yEAAoB,CAAA;IAEpB;;OAEG;IACH,+EAAuB,CAAA;IAEvB;;OAEG;IACH,6EAAsB,CAAA;IAEtB;;OAEG;IACH,yEAAoB,CAAA;IAEpB;;OAEG;IACH,8EAAuB,CAAA;IAEvB;;OAEG;IACH,sEAAmB,CAAA;IAEnB;;OAEG;IACH,sFAA2B,CAAA;IAE3B;;OAEG;IACH,gGAAgC,CAAA;IAEhC;;OAEG;IACH,kFAAyB,CAAA;IAEzB;;;;OAIG;IACH,wFAA4B,CAAA;IAE5B;;OAEG;IACH,gFAAwB,CAAA;IAExB;;;;OAIG;IACH,gEAAgB,CAAA;IAEhB;;;;OAIG;IACH,0EAAqB,CAAA;IAErB;;;;OAIG;IACH,4EAAsB,CAAA;IAEtB;;OAEG;IACH,kGAAiC,CAAA;IAEjC;;OAEG;IACH,gGAAgC,CAAA;IAEhC;;;;OAIG;IACH,kFAAyB,CAAA;IAEzB;;;;OAIG;IACH,gEAAgB,CAAA;AAClB,CAAC,EA1IW,aAAa,KAAb,aAAa,QA0IxB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAA2B,aAAa,CACtE,QAAQ,CAAC,2BAA2B,EAAE,CAAC,CAAC,CAAC;AAE3C;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAN,IAAY,OAiCX;AAjCD,WAAY,OAAO;IACjB;;OAEG;IACH,qEAAwB,CAAA;IAExB;;;;OAIG;IACH,uCAAS,CAAA;IAET;;;;OAIG;IACH,uCAAS,CAAA;IAET;;;;OAIG;IACH,yCAAU,CAAA;IAEV;;;;OAIG;IACH,yCAAU,CAAA;AACZ,CAAC,EAjCW,OAAO,KAAP,OAAO,QAiClB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAqB,aAAa,CAC1D,QAAQ,CAAC,2BAA2B,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"enum_pb.js","sourceRoot":"","sources":["../../../../../ai/stigmer/iam/v1/enum_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+FAA+F;AAC/F,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAY,aAAa,CAC/D,QAAQ,CAAC,k+BAAk+B,CAAC,CAAC;AAE/+B;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAN,IAAY,aA+IX;AA/ID,WAAY,aAAa;IACvB;;OAEG;IACH,+DAAe,CAAA;IAEf;;;;OAIG;IACH,yDAAY,CAAA;IAEZ;;OAEG;IACH,yDAAY,CAAA;IAEZ;;OAEG;IACH,6DAAc,CAAA;IAEd;;;;OAIG;IACH,yEAAoB,CAAA;IAEpB;;OAEG;IACH,uEAAmB,CAAA;IAEnB;;;;OAIG;IACH,yEAAoB,CAAA;IAEpB;;OAEG;IACH,+EAAuB,CAAA;IAEvB;;OAEG;IACH,6EAAsB,CAAA;IAEtB;;OAEG;IACH,yEAAoB,CAAA;IAEpB;;OAEG;IACH,8EAAuB,CAAA;IAEvB;;OAEG;IACH,sEAAmB,CAAA;IAEnB;;OAEG;IACH,sFAA2B,CAAA;IAE3B;;OAEG;IACH,gGAAgC,CAAA;IAEhC;;OAEG;IACH,kFAAyB,CAAA;IAEzB;;OAEG;IACH,8FAA+B,CAAA;IAE/B;;;;OAIG;IACH,wFAA4B,CAAA;IAE5B;;OAEG;IACH,gFAAwB,CAAA;IAExB;;;;OAIG;IACH,gEAAgB,CAAA;IAEhB;;;;OAIG;IACH,0EAAqB,CAAA;IAErB;;;;OAIG;IACH,4EAAsB,CAAA;IAEtB;;OAEG;IACH,kGAAiC,CAAA;IAEjC;;OAEG;IACH,gGAAgC,CAAA;IAEhC;;;;OAIG;IACH,kFAAyB,CAAA;IAEzB;;;;OAIG;IACH,gEAAgB,CAAA;AAClB,CAAC,EA/IW,aAAa,KAAb,aAAa,QA+IxB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAA2B,aAAa,CACtE,QAAQ,CAAC,2BAA2B,EAAE,CAAC,CAAC,CAAC;AAE3C;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAN,IAAY,OAiCX;AAjCD,WAAY,OAAO;IACjB;;OAEG;IACH,qEAAwB,CAAA;IAExB;;;;OAIG;IACH,uCAAS,CAAA;IAET;;;;OAIG;IACH,uCAAS,CAAA;IAET;;;;OAIG;IACH,yCAAU,CAAA;IAEV;;;;OAIG;IACH,yCAAU,CAAA;AACZ,CAAC,EAjCW,OAAO,KAAP,OAAO,QAiClB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAqB,aAAa,CAC1D,QAAQ,CAAC,2BAA2B,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/tenancy/organization/v1/enum_pb.d.ts

@@ -9,7 +9,7 @@ export declare const file_ai_stigmer_tenancy_organization_v1_enum: GenFile;
  * @internal
  * Immutable after organization creation.
  * - self_managed: User signed up directly, manages the org via Stigmer UI/CLI/API.
- * - platform_managed: Created programmatically by an external platform (e.g., Planton Cloud)
+ * - platform_managed: Created programmatically by an external platform (e.g., Planton)
  *   via an IdentityProvider. Operated by the platform on behalf of its users.
  *
  * @generated from enum ai.stigmer.tenancy.organization.v1.ManagementMode

package/ai/stigmer/tenancy/organization/v1/enum_pb.js

@@ -12,7 +12,7 @@ export const file_ai_stigmer_tenancy_organization_v1_enum = /*@__PURE__*/ fileDe
  * @internal
  * Immutable after organization creation.
  * - self_managed: User signed up directly, manages the org via Stigmer UI/CLI/API.
- * - platform_managed: Created programmatically by an external platform (e.g., Planton Cloud)
+ * - platform_managed: Created programmatically by an external platform (e.g., Planton)
  *   via an IdentityProvider. Operated by the platform on behalf of its users.
  *
  * @generated from enum ai.stigmer.tenancy.organization.v1.ManagementMode

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stigmer/protos",
-  "version": "0.0.88",
+  "version": "0.0.90",
   "description": "Generated TypeScript protobuf stubs for Stigmer APIs",
   "license": "Apache-2.0",
   "type": "module",