@stigmer/protos 0.0.89 → 0.0.90

package/ai/stigmer/iam/platformclient/v1/command_pb.d.ts

@@ -0,0 +1,98 @@
+import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
+import type { ApiResourceDeleteInputSchema } from "../../../commons/apiresource/io_pb";
+import type { PlatformClientSchema } from "./api_pb";
+import type { PlatformClientCreateResponseSchema, PlatformClientIdSchema } from "./io_pb";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/command.proto.
+ */
+export declare const file_ai_stigmer_iam_platformclient_v1_command: GenFile;
+/**
+ * PlatformClientCommandController provides write operations for platform client resources.
+ *
+ * Platform clients hold OAuth2 credentials (client_id + client_secret) for
+ * platform builders embedding Stigmer into their products. The client_secret
+ * is generated server-side and returned only once in the create and
+ * rotateSecret responses.
+ *
+ * @internal
+ * PlatformClients hold credential material (client_secret_hash) and are always
+ * org-private. There is no updateVisibility RPC — public visibility is
+ * intentionally unsupported to prevent credential leakage.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientCommandController
+ */
+export declare const PlatformClientCommandController: GenService<{
+    /**
+     * Create a platform client.
+     *
+     * Generates a new client_id (stgm_cid_ prefix) and client_secret (stgm_cs_ prefix).
+     * The raw client_secret is included in the response and is never returned again.
+     * Store it securely before discarding the response.
+     *
+     * The creator's organization owns the platform client. The creator is granted
+     * the owner role automatically.
+     *
+     * @internal
+     * Authorization: Requires can_create_platform_client permission in the organization.
+     *
+     * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.create
+     */
+    create: {
+        methodKind: "unary";
+        input: typeof PlatformClientSchema;
+        output: typeof PlatformClientCreateResponseSchema;
+    };
+    /**
+     * Update an existing platform client.
+     *
+     * Only mutable fields can be changed: auto_provision_accounts, auto_grant_on_org,
+     * auto_grant_role, and allowed_origins. Credential fields (client_id,
+     * client_secret_hash, secret_fingerprint) are immutable after creation.
+     * Use rotateSecret to change the client secret.
+     *
+     * @internal
+     * Authorization: Requires can_edit permission on the platform client resource.
+     *
+     * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.update
+     */
+    update: {
+        methodKind: "unary";
+        input: typeof PlatformClientSchema;
+        output: typeof PlatformClientSchema;
+    };
+    /**
+     * Delete a platform client.
+     *
+     * Immediately invalidates the client_id and client_secret. Any tokens
+     * previously minted by this platform client remain valid until their
+     * own expiration — deletion does not revoke already-issued tokens.
+     *
+     * @internal
+     * Authorization: Requires can_delete permission on the platform client resource.
+     *
+     * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.delete
+     */
+    delete: {
+        methodKind: "unary";
+        input: typeof ApiResourceDeleteInputSchema;
+        output: typeof PlatformClientSchema;
+    };
+    /**
+     * Rotate the client secret.
+     *
+     * Generates a new client_secret, invalidates the old one immediately,
+     * and returns the new raw secret in the response. The client_id remains
+     * unchanged — platform builders do not need to update their client_id
+     * configuration after rotation.
+     *
+     * @internal
+     * Authorization: Requires can_edit permission on the platform client resource.
+     *
+     * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.rotateSecret
+     */
+    rotateSecret: {
+        methodKind: "unary";
+        input: typeof PlatformClientIdSchema;
+        output: typeof PlatformClientCreateResponseSchema;
+    };
+}>;

package/ai/stigmer/iam/platformclient/v1/command_pb.js

@@ -0,0 +1,30 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/command.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_io } from "../../../commons/apiresource/io_pb";
+import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
+import { file_ai_stigmer_iam_platformclient_v1_api } from "./api_pb";
+import { file_ai_stigmer_iam_platformclient_v1_io } from "./io_pb";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/command.proto.
+ */
+export const file_ai_stigmer_iam_platformclient_v1_command = /*@__PURE__*/ fileDesc("Ci5haS9zdGlnbWVyL2lhbS9wbGF0Zm9ybWNsaWVudC92MS9jb21tYW5kLnByb3RvEiBhaS5zdGlnbWVyLmlhbS5wbGF0Zm9ybWNsaWVudC52MTKgBgofUGxhdGZvcm1DbGllbnRDb21tYW5kQ29udHJvbGxlchLPAQoGY3JlYXRlEjAuYWkuc3RpZ21lci5pYW0ucGxhdGZvcm1jbGllbnQudjEuUGxhdGZvcm1DbGllbnQaPi5haS5zdGlnbWVyLmlhbS5wbGF0Zm9ybWNsaWVudC52MS5QbGF0Zm9ybUNsaWVudENyZWF0ZVJlc3BvbnNlIlPCuBhPCBgQHiIMbWV0YWRhdGEub3JnKjt1bmF1dGhvcml6ZWQgdG8gY3JlYXRlIHBsYXRmb3JtIGNsaWVudCBpbiB0aGlzIG9yZ2FuaXphdGlvbhKrAQoGdXBkYXRlEjAuYWkuc3RpZ21lci5pYW0ucGxhdGZvcm1jbGllbnQudjEuUGxhdGZvcm1DbGllbnQaMC5haS5zdGlnbWVyLmlhbS5wbGF0Zm9ybWNsaWVudC52MS5QbGF0Zm9ybUNsaWVudCI9wrgYOQgCEBciC21ldGFkYXRhLmlkKiZ1bmF1dGhvcml6ZWQgdG8gdXBkYXRlIHBsYXRmb3JtIGNsaWVudBKxAQoGZGVsZXRlEjYuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLkFwaVJlc291cmNlRGVsZXRlSW5wdXQaMC5haS5zdGlnbWVyLmlhbS5wbGF0Zm9ybWNsaWVudC52MS5QbGF0Zm9ybUNsaWVudCI9wrgYOQgDEBciC3Jlc291cmNlX2lkKiZ1bmF1dGhvcml6ZWQgdG8gZGVsZXRlIHBsYXRmb3JtIGNsaWVudBLCAQoMcm90YXRlU2VjcmV0EjIuYWkuc3RpZ21lci5pYW0ucGxhdGZvcm1jbGllbnQudjEuUGxhdGZvcm1DbGllbnRJZBo+LmFpLnN0aWdtZXIuaWFtLnBsYXRmb3JtY2xpZW50LnYxLlBsYXRmb3JtQ2xpZW50Q3JlYXRlUmVzcG9uc2UiPsK4GDoIAhAXIgV2YWx1ZSotdW5hdXRob3JpemVkIHRvIHJvdGF0ZSBwbGF0Zm9ybSBjbGllbnQgc2VjcmV0GgSg/ysXYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_platformclient_v1_api, file_ai_stigmer_iam_platformclient_v1_io]);
+/**
+ * PlatformClientCommandController provides write operations for platform client resources.
+ *
+ * Platform clients hold OAuth2 credentials (client_id + client_secret) for
+ * platform builders embedding Stigmer into their products. The client_secret
+ * is generated server-side and returned only once in the create and
+ * rotateSecret responses.
+ *
+ * @internal
+ * PlatformClients hold credential material (client_secret_hash) and are always
+ * org-private. There is no updateVisibility RPC — public visibility is
+ * intentionally unsupported to prevent credential leakage.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientCommandController
+ */
+export const PlatformClientCommandController = /*@__PURE__*/ serviceDesc(file_ai_stigmer_iam_platformclient_v1_command, 0);
+//# sourceMappingURL=command_pb.js.map

package/ai/stigmer/iam/platformclient/v1/command_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/command_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,gIAAgI;AAChI,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,yCAAyC,EAAE,MAAM,UAAU,CAAC;AAErE,OAAO,EAAE,wCAAwC,EAAE,MAAM,SAAS,CAAC;AAEnE;;GAEG;AACH,MAAM,CAAC,MAAM,6CAA6C,GAAY,aAAa,CACjF,QAAQ,CAAC,yqCAAyqC,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,wCAAwC,CAAC,CAAC,CAAC;AAE15C;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,+BAA+B,GA0EvC,aAAa,CAChB,WAAW,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/platformclient/v1/io_pb.d.ts

@@ -0,0 +1,95 @@
+import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { PlatformClient } from "./api_pb";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/io.proto.
+ */
+export declare const file_ai_stigmer_iam_platformclient_v1_io: GenFile;
+/**
+ * PlatformClientId identifies a platform client by its unique identifier.
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.PlatformClientId
+ */
+export type PlatformClientId = Message<"ai.stigmer.iam.platformclient.v1.PlatformClientId"> & {
+    /**
+     * Unique identifier of the platform client resource.
+     *
+     * @generated from field: string value = 1;
+     */
+    value: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClientId.
+ * Use `create(PlatformClientIdSchema)` to create a new message.
+ */
+export declare const PlatformClientIdSchema: GenMessage<PlatformClientId>;
+/**
+ * PlatformClients contains a list of platform client resources.
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.PlatformClients
+ */
+export type PlatformClients = Message<"ai.stigmer.iam.platformclient.v1.PlatformClients"> & {
+    /**
+     * Platform client entries.
+     *
+     * @generated from field: repeated ai.stigmer.iam.platformclient.v1.PlatformClient entries = 1;
+     */
+    entries: PlatformClient[];
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClients.
+ * Use `create(PlatformClientsSchema)` to create a new message.
+ */
+export declare const PlatformClientsSchema: GenMessage<PlatformClients>;
+/**
+ * ListPlatformClientsByOrgInput specifies the organization whose platform
+ * clients should be returned.
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.ListPlatformClientsByOrgInput
+ */
+export type ListPlatformClientsByOrgInput = Message<"ai.stigmer.iam.platformclient.v1.ListPlatformClientsByOrgInput"> & {
+    /**
+     * Organization slug to list platform clients for.
+     *
+     * @generated from field: string org = 1;
+     */
+    org: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.ListPlatformClientsByOrgInput.
+ * Use `create(ListPlatformClientsByOrgInputSchema)` to create a new message.
+ */
+export declare const ListPlatformClientsByOrgInputSchema: GenMessage<ListPlatformClientsByOrgInput>;
+/**
+ * PlatformClientCreateResponse wraps a PlatformClient resource with the
+ * one-time raw client secret.
+ *
+ * Returned by the create and rotateSecret RPCs. The client_secret field
+ * contains the raw secret value that must be stored securely by the caller —
+ * it is never returned again after this response.
+ *
+ * This wrapper makes the one-time secret explicit in the type system rather
+ * than relying on transient field injection in the resource message.
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.PlatformClientCreateResponse
+ */
+export type PlatformClientCreateResponse = Message<"ai.stigmer.iam.platformclient.v1.PlatformClientCreateResponse"> & {
+    /**
+     * The created or updated platform client resource.
+     *
+     * @generated from field: ai.stigmer.iam.platformclient.v1.PlatformClient platform_client = 1;
+     */
+    platformClient?: PlatformClient;
+    /**
+     * The raw client secret. Store this value securely — it is not retrievable
+     * after this response. If lost, use rotateSecret to generate a new one.
+     *
+     * @generated from field: string client_secret = 2;
+     */
+    clientSecret: string;
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClientCreateResponse.
+ * Use `create(PlatformClientCreateResponseSchema)` to create a new message.
+ */
+export declare const PlatformClientCreateResponseSchema: GenMessage<PlatformClientCreateResponse>;

package/ai/stigmer/iam/platformclient/v1/io_pb.js

@@ -0,0 +1,31 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/io.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_iam_platformclient_v1_api } from "./api_pb";
+import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/io.proto.
+ */
+export const file_ai_stigmer_iam_platformclient_v1_io = /*@__PURE__*/ fileDesc("CilhaS9zdGlnbWVyL2lhbS9wbGF0Zm9ybWNsaWVudC92MS9pby5wcm90bxIgYWkuc3RpZ21lci5pYW0ucGxhdGZvcm1jbGllbnQudjEiLAoQUGxhdGZvcm1DbGllbnRJZBIYCgV2YWx1ZRgBIAEoCUIJukgGcgQQARhAIlQKD1BsYXRmb3JtQ2xpZW50cxJBCgdlbnRyaWVzGAEgAygLMjAuYWkuc3RpZ21lci5pYW0ucGxhdGZvcm1jbGllbnQudjEuUGxhdGZvcm1DbGllbnQiNQodTGlzdFBsYXRmb3JtQ2xpZW50c0J5T3JnSW5wdXQSFAoDb3JnGAEgASgJQge6SARyAhABIoABChxQbGF0Zm9ybUNsaWVudENyZWF0ZVJlc3BvbnNlEkkKD3BsYXRmb3JtX2NsaWVudBgBIAEoCzIwLmFpLnN0aWdtZXIuaWFtLnBsYXRmb3JtY2xpZW50LnYxLlBsYXRmb3JtQ2xpZW50EhUKDWNsaWVudF9zZWNyZXQYAiABKAliBnByb3RvMw", [file_ai_stigmer_iam_platformclient_v1_api, file_buf_validate_validate]);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClientId.
+ * Use `create(PlatformClientIdSchema)` to create a new message.
+ */
+export const PlatformClientIdSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_io, 0);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClients.
+ * Use `create(PlatformClientsSchema)` to create a new message.
+ */
+export const PlatformClientsSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_io, 1);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.ListPlatformClientsByOrgInput.
+ * Use `create(ListPlatformClientsByOrgInputSchema)` to create a new message.
+ */
+export const ListPlatformClientsByOrgInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_io, 2);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClientCreateResponse.
+ * Use `create(PlatformClientCreateResponseSchema)` to create a new message.
+ */
+export const PlatformClientCreateResponseSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_io, 3);
+//# sourceMappingURL=io_pb.js.map

package/ai/stigmer/iam/platformclient/v1/io_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/io_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,2HAA2H;AAC3H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,yCAAyC,EAAE,MAAM,UAAU,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,wCAAwC,GAAY,aAAa,CAC5E,QAAQ,CAAC,4hBAA4hB,EAAE,CAAC,yCAAyC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAgBlnB;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;AAgB3D;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAgC,aAAa,CAC7E,WAAW,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;AAiB3D;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAA8C,aAAa,CACzG,WAAW,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;AAgC3D;;;GAGG;AACH,MAAM,CAAC,MAAM,kCAAkC,GAA6C,aAAa,CACvG,WAAW,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/platformclient/v1/query_connect.d.ts

@@ -0,0 +1,59 @@
+/**
+ * PlatformClientQueryController provides read operations for platform client resources.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientQueryController
+ */
+export declare const PlatformClientQueryController: {
+    readonly typeName: "ai.stigmer.iam.platformclient.v1.PlatformClientQueryController";
+    readonly methods: {
+        /**
+         * Get a platform client by its unique identifier.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the platform client resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.get
+         */
+        readonly get: {
+            readonly name: "get";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Get a platform client by its organization-scoped reference (org/slug).
+         *
+         * Resolves a human-readable reference like "acme/acme-dashboard" to the full
+         * PlatformClient resource.
+         *
+         * @internal
+         * Custom authorization in handler — checks both direct resource access
+         * and organization-level visibility permissions.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.getByReference
+         */
+        readonly getByReference: {
+            readonly name: "getByReference";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * List all platform clients belonging to an organization.
+         *
+         * Returns every PlatformClient whose metadata.org matches the input org.
+         * Typically a small set per org, so results are not paginated.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the organization resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.listByOrg
+         */
+        readonly listByOrg: {
+            readonly name: "listByOrg";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+    };
+};

package/ai/stigmer/iam/platformclient/v1/query_connect.js

@@ -0,0 +1,65 @@
+// @generated by protoc-gen-connect-es v1.6.1 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/query.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+// @ts-nocheck
+import { MethodKind } from "@bufbuild/protobuf";
+/**
+ * PlatformClientQueryController provides read operations for platform client resources.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientQueryController
+ */
+export const PlatformClientQueryController = {
+    typeName: "ai.stigmer.iam.platformclient.v1.PlatformClientQueryController",
+    methods: {
+        /**
+         * Get a platform client by its unique identifier.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the platform client resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.get
+         */
+        get: {
+            name: "get",
+            I: ApiResourceId,
+            O: PlatformClient,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Get a platform client by its organization-scoped reference (org/slug).
+         *
+         * Resolves a human-readable reference like "acme/acme-dashboard" to the full
+         * PlatformClient resource.
+         *
+         * @internal
+         * Custom authorization in handler — checks both direct resource access
+         * and organization-level visibility permissions.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.getByReference
+         */
+        getByReference: {
+            name: "getByReference",
+            I: ApiResourceReference,
+            O: PlatformClient,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * List all platform clients belonging to an organization.
+         *
+         * Returns every PlatformClient whose metadata.org matches the input org.
+         * Typically a small set per org, so results are not paginated.
+         *
+         * @internal
+         * Authorization: Requires can_view permission on the organization resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.listByOrg
+         */
+        listByOrg: {
+            name: "listByOrg",
+            I: ListPlatformClientsByOrgInput,
+            O: PlatformClients,
+            kind: MethodKind.Unary,
+        },
+    }
+};
+//# sourceMappingURL=query_connect.js.map

package/ai/stigmer/iam/platformclient/v1/query_connect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/query_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,8HAA8H;AAC9H,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,QAAQ,EAAE,gEAAgE;IAC1E,OAAO,EAAE;QACP;;;;;;;WAOG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,aAAa;YAChB,CAAC,EAAE,cAAc;YACjB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;WAWG;QACH,cAAc,EAAE;YACd,IAAI,EAAE,gBAAgB;YACtB,CAAC,EAAE,oBAAoB;YACvB,CAAC,EAAE,cAAc;YACjB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;WAUG;QACH,SAAS,EAAE;YACT,IAAI,EAAE,WAAW;YACjB,CAAC,EAAE,6BAA6B;YAChC,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}

package/ai/stigmer/iam/platformclient/v1/query_pb.d.ts

@@ -0,0 +1,61 @@
+import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
+import type { ApiResourceIdSchema, ApiResourceReferenceSchema } from "../../../commons/apiresource/io_pb";
+import type { PlatformClientSchema } from "./api_pb";
+import type { ListPlatformClientsByOrgInputSchema, PlatformClientsSchema } from "./io_pb";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/query.proto.
+ */
+export declare const file_ai_stigmer_iam_platformclient_v1_query: GenFile;
+/**
+ * PlatformClientQueryController provides read operations for platform client resources.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientQueryController
+ */
+export declare const PlatformClientQueryController: GenService<{
+    /**
+     * Get a platform client by its unique identifier.
+     *
+     * @internal
+     * Authorization: Requires can_view permission on the platform client resource.
+     *
+     * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.get
+     */
+    get: {
+        methodKind: "unary";
+        input: typeof ApiResourceIdSchema;
+        output: typeof PlatformClientSchema;
+    };
+    /**
+     * Get a platform client by its organization-scoped reference (org/slug).
+     *
+     * Resolves a human-readable reference like "acme/acme-dashboard" to the full
+     * PlatformClient resource.
+     *
+     * @internal
+     * Custom authorization in handler — checks both direct resource access
+     * and organization-level visibility permissions.
+     *
+     * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.getByReference
+     */
+    getByReference: {
+        methodKind: "unary";
+        input: typeof ApiResourceReferenceSchema;
+        output: typeof PlatformClientSchema;
+    };
+    /**
+     * List all platform clients belonging to an organization.
+     *
+     * Returns every PlatformClient whose metadata.org matches the input org.
+     * Typically a small set per org, so results are not paginated.
+     *
+     * @internal
+     * Authorization: Requires can_view permission on the organization resource.
+     *
+     * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientQueryController.listByOrg
+     */
+    listByOrg: {
+        methodKind: "unary";
+        input: typeof ListPlatformClientsByOrgInputSchema;
+        output: typeof PlatformClientsSchema;
+    };
+}>;

package/ai/stigmer/iam/platformclient/v1/query_pb.js

@@ -0,0 +1,20 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/query.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_io } from "../../../commons/apiresource/io_pb";
+import { file_ai_stigmer_commons_apiresource_rpc_service_options } from "../../../commons/apiresource/rpc_service_options_pb";
+import { file_ai_stigmer_commons_rpc_method_options } from "../../../commons/rpc/method_options_pb";
+import { file_ai_stigmer_iam_platformclient_v1_api } from "./api_pb";
+import { file_ai_stigmer_iam_platformclient_v1_io } from "./io_pb";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/query.proto.
+ */
+export const file_ai_stigmer_iam_platformclient_v1_query = /*@__PURE__*/ fileDesc("CixhaS9zdGlnbWVyL2lhbS9wbGF0Zm9ybWNsaWVudC92MS9xdWVyeS5wcm90bxIgYWkuc3RpZ21lci5pYW0ucGxhdGZvcm1jbGllbnQudjEykgQKHVBsYXRmb3JtQ2xpZW50UXVlcnlDb250cm9sbGVyEp0BCgNnZXQSLS5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VJZBowLmFpLnN0aWdtZXIuaWFtLnBsYXRmb3JtY2xpZW50LnYxLlBsYXRmb3JtQ2xpZW50IjXCuBgxCAEQFyIFdmFsdWUqJHVuYXV0aG9yaXplZCB0byB2aWV3IHBsYXRmb3JtIGNsaWVudBJ+Cg5nZXRCeVJlZmVyZW5jZRI0LmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5BcGlSZXNvdXJjZVJlZmVyZW5jZRowLmFpLnN0aWdtZXIuaWFtLnBsYXRmb3JtY2xpZW50LnYxLlBsYXRmb3JtQ2xpZW50IgTQuBgBEsoBCglsaXN0QnlPcmcSPy5haS5zdGlnbWVyLmlhbS5wbGF0Zm9ybWNsaWVudC52MS5MaXN0UGxhdGZvcm1DbGllbnRzQnlPcmdJbnB1dBoxLmFpLnN0aWdtZXIuaWFtLnBsYXRmb3JtY2xpZW50LnYxLlBsYXRmb3JtQ2xpZW50cyJJwrgYRQgBEB4iA29yZyo6dW5hdXRob3JpemVkIHRvIGxpc3QgcGxhdGZvcm0gY2xpZW50cyBpbiB0aGlzIG9yZ2FuaXphdGlvbhoEoP8rF2IGcHJvdG8z", [file_ai_stigmer_commons_apiresource_io, file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_platformclient_v1_api, file_ai_stigmer_iam_platformclient_v1_io]);
+/**
+ * PlatformClientQueryController provides read operations for platform client resources.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientQueryController
+ */
+export const PlatformClientQueryController = /*@__PURE__*/ serviceDesc(file_ai_stigmer_iam_platformclient_v1_query, 0);
+//# sourceMappingURL=query_pb.js.map

package/ai/stigmer/iam/platformclient/v1/query_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/query_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,8HAA8H;AAC9H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAC5F,OAAO,EAAE,uDAAuD,EAAE,MAAM,qDAAqD,CAAC;AAC9H,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,yCAAyC,EAAE,MAAM,UAAU,CAAC;AAErE,OAAO,EAAE,wCAAwC,EAAE,MAAM,SAAS,CAAC;AAEnE;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,8zBAA8zB,EAAE,CAAC,sCAAsC,EAAE,uDAAuD,EAAE,0CAA0C,EAAE,yCAAyC,EAAE,wCAAwC,CAAC,CAAC,CAAC;AAE/iC;;;;GAIG;AACH,MAAM,CAAC,MAAM,6BAA6B,GA+CrC,aAAa,CAChB,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/platformclient/v1/spec_pb.d.ts

@@ -0,0 +1,160 @@
+import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { IamRole } from "../../v1/enum_pb";
+import type { Timestamp } from "@bufbuild/protobuf/wkt";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/spec.proto.
+ */
+export declare const file_ai_stigmer_iam_platformclient_v1_spec: GenFile;
+/**
+ * PlatformClientSpec defines the configuration for a platform client credential.
+ *
+ * A PlatformClient holds an OAuth2 client credential pair (client_id + client_secret)
+ * where Stigmer acts as the authorization server. Platform builders use these
+ * credentials from their backend to mint user-scoped JWTs via the mintUserToken RPC,
+ * enabling their users to interact with Stigmer resources through the React SDK
+ * without requiring OIDC federation setup.
+ *
+ * This is the inbound auth counterpart to OAuthApp (outbound auth):
+ * - OAuthApp: Stigmer authenticates with external vendors on behalf of users.
+ * - PlatformClient: Platform builders authenticate with Stigmer on behalf of their users.
+ *
+ * Credential lifecycle:
+ * - client_id is generated on creation and is permanent (survives secret rotation).
+ * - client_secret is generated on creation, returned once, and only the hash is stored.
+ * - Secret rotation generates a new client_secret and invalidates the old one immediately.
+ *
+ * Identity resolution is org-scoped: the same user_id presented via any
+ * PlatformClient owned by the same organization resolves to a single
+ * IdentityAccount (keyed as "stgm_pc|{org}|{external_user_id}"). This means
+ * a customer with multiple PlatformClients (e.g., dashboard, mobile, admin)
+ * sees one Stigmer identity per end user, with one set of FGA grants.
+ *
+ * Three provisioning modes for users presented via mintUserToken:
+ *
+ *   1. Manual (default): The platform explicitly creates identity accounts and IAM
+ *      policies before minting tokens. mintUserToken fails if the user does not exist.
+ *
+ *   2. JIT (Just-In-Time): When auto_provision_accounts is true, Stigmer creates an
+ *      IdentityAccount from the user identity provided in the mintUserToken request
+ *      on first encounter. Authorization is controlled independently via
+ *      auto_grant_on_org and auto_grant_role.
+ *
+ *   3. JIT + Auto-Grant: When both auto_provision_accounts and auto_grant_on_org are
+ *      true, newly provisioned accounts are immediately granted auto_grant_role on
+ *      the PlatformClient's owning organization.
+ *
+ * Example YAML:
+ *   apiVersion: iam.stigmer.ai/v1
+ *   kind: PlatformClient
+ *   metadata:
+ *     name: Acme Dashboard
+ *     slug: acme-dashboard
+ *     org: acme
+ *   spec:
+ *     auto_provision_accounts: true
+ *     auto_grant_on_org: true
+ *     auto_grant_role: viewer
+ *     allowed_origins: ["https://app.acme.com"]
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.PlatformClientSpec
+ */
+export type PlatformClientSpec = Message<"ai.stigmer.iam.platformclient.v1.PlatformClientSpec"> & {
+    /**
+     * OAuth client identifier.
+     * Generated on creation with the prefix "stgm_cid_" followed by 32 random
+     * alphanumeric characters. Permanent across secret rotations — safe for logs,
+     * configuration files, and client-side code.
+     *
+     * @generated from field: string client_id = 1;
+     */
+    clientId: string;
+    /**
+     * SHA-256 hash of the raw client secret.
+     * The raw secret is returned only in the create and rotateSecret responses
+     * and is never stored or retrievable. Authentication compares the hash of
+     * the presented secret against this value.
+     *
+     * @generated from field: string client_secret_hash = 2;
+     */
+    clientSecretHash: string;
+    /**
+     * Short fingerprint of the client secret for display purposes (last 6 characters).
+     * Allows users to identify which secret is active without exposing the full value.
+     *
+     * @generated from field: string secret_fingerprint = 3;
+     */
+    secretFingerprint: string;
+    /**
+     * Expiration time for the client secret. Ignored when never_expires is true.
+     *
+     * @generated from field: google.protobuf.Timestamp expires_at = 4;
+     */
+    expiresAt?: Timestamp;
+    /**
+     * When true, the client secret never expires regardless of expires_at.
+     *
+     * @generated from field: bool never_expires = 5;
+     */
+    neverExpires: boolean;
+    /**
+     * Whether to automatically create an identity account when mintUserToken is
+     * called with a user_id that has no existing account.
+     *
+     * When false (default), the platform must explicitly create identity accounts
+     * before minting tokens. mintUserToken returns NOT_FOUND if the user does
+     * not exist. This gives platforms full control over which users can access
+     * Stigmer resources.
+     *
+     * When true, Stigmer creates an IdentityAccount automatically on first
+     * encounter, using the user_email and user_name from the mintUserToken request
+     * for profile data.
+     *
+     * @generated from field: bool auto_provision_accounts = 6;
+     */
+    autoProvisionAccounts: boolean;
+    /**
+     * Whether to automatically grant a role on the PlatformClient's owning
+     * organization when an account is auto-provisioned.
+     *
+     * When false (default), auto-provisioned accounts receive no organization
+     * access. The platform must create IAM policies to grant access.
+     *
+     * When true, Stigmer grants auto_grant_role (default: viewer) on the
+     * PlatformClient's owning organization immediately after account creation.
+     *
+     * Requires auto_provision_accounts to be true.
+     *
+     * @generated from field: bool auto_grant_on_org = 7;
+     */
+    autoGrantOnOrg: boolean;
+    /**
+     * The role to grant when auto_grant_on_org is true.
+     *
+     * Defaults to viewer when unspecified (iam_role_unspecified). The owner role
+     * is not permitted — organization ownership must be assigned explicitly.
+     *
+     * Only meaningful when auto_grant_on_org is true. Ignored otherwise.
+     *
+     * @generated from field: ai.stigmer.iam.v1.IamRole auto_grant_role = 8;
+     */
+    autoGrantRole: IamRole;
+    /**
+     * CORS origins allowed for browser-based requests using tokens minted by
+     * this PlatformClient.
+     *
+     * When non-empty, the server validates the Origin header of browser requests
+     * against this list. Requests from unlisted origins are rejected.
+     *
+     * When empty, origin validation is not enforced (suitable for development
+     * or when the platform controls all access points).
+     *
+     * @generated from field: repeated string allowed_origins = 9;
+     */
+    allowedOrigins: string[];
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClientSpec.
+ * Use `create(PlatformClientSpecSchema)` to create a new message.
+ */
+export declare const PlatformClientSpecSchema: GenMessage<PlatformClientSpec>;