@stigmer/protos 0.0.89 → 0.0.91

package/ai/stigmer/agentic/agentexecution/v1/approval_pb.d.ts

@@ -102,7 +102,7 @@ export type PendingApproval = Message<"ai.stigmer.agentic.agentexecution.v1.Pend
      * structured argument previews (scalar grids, humanized names)
      * instead of falling back to raw JSON.
      *
-     * Examples: "planton-cloud", "github", "slack"
+     * Examples: "planton", "github", "slack"
      *
      * @generated from field: string mcp_server_slug = 8;
      */

package/ai/stigmer/agentic/agentexecution/v1/message_pb.d.ts

@@ -220,9 +220,9 @@ export type ToolCall = Message<"ai.stigmer.agentic.agentexecution.v1.ToolCall">
      * Empty for built-in sandbox tools.
      * Populated by the worker using the mcp_tools_config reverse lookup.
      *
-     * Examples: "planton-cloud", "github", "slack"
+     * Examples: "planton", "github", "slack"
      *
-     * Used by CLI/UI to render a qualified tool name (e.g., "planton-cloud/search")
+     * Used by CLI/UI to render a qualified tool name (e.g., "planton/search")
      * so users can distinguish tools with the same name from different servers.
      *
      * @generated from field: string mcp_server_slug = 17;

package/ai/stigmer/agentic/workflow/v1/spec_pb.d.ts

@@ -10,7 +10,7 @@ export declare const file_ai_stigmer_agentic_workflow_v1_spec: GenFile;
  * WorkflowSpec defines the configurable properties of a workflow.
  *
  * @internal
- * Follows the "kind + Struct" pattern from CloudResource (Planton Cloud).
+ * Follows the "kind + Struct" pattern from CloudResource (Planton).
  * This replaces the old `synthesized_yaml` field with structured proto definitions.
  * Each workflow task uses WorkflowTaskKind enum + google.protobuf.Struct for configuration,
  * providing maximum flexibility and extensibility.
@@ -102,7 +102,7 @@ export declare const WorkflowDocumentSchema: GenMessage<WorkflowDocument>;
  * WorkflowTask represents a single executable step in a workflow.
  *
  * @internal
- * Uses the "kind + Struct" pattern (like CloudResource in Planton Cloud):
+ * Uses the "kind + Struct" pattern (like CloudResource in Planton):
  * - `kind` determines the task type (set_vars, http_call, switch_case, etc.)
  * - `task_config` contains task-specific configuration as dynamic JSON
  * - Backend unmarshals `task_config` to the appropriate Go struct based on `kind`

package/ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.d.ts

@@ -200,6 +200,12 @@ export declare enum ApiResourceKind {
      * @generated from enum value: oauth_app = 22;
      */
     oauth_app = 22,
+    /**
+     * OAuth2 client credential for platform builders embedding Stigmer into their products.
+     *
+     * @generated from enum value: platform_client = 23;
+     */
+    platform_client = 23,
     /**
      * Top-level tenant that owns and manages resources.
      *

package/ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.js

@@ -8,7 +8,7 @@ import { file_google_protobuf_descriptor } from "@bufbuild/protobuf/wkt";
 /**
  * Describes the file ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind.proto.
  */
-export const file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_kind = /*@__PURE__*/ fileDesc("CkZhaS9zdGlnbWVyL2NvbW1vbnMvYXBpcmVzb3VyY2UvYXBpcmVzb3VyY2VraW5kL2FwaV9yZXNvdXJjZV9raW5kLnByb3RvEi5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuYXBpcmVzb3VyY2VraW5kIswDChNBcGlSZXNvdXJjZUtpbmRNZXRhEk8KBWdyb3VwGAEgASgOMkAuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLmFwaXJlc291cmNla2luZC5BcGlSZXNvdXJjZUdyb3VwElMKB3ZlcnNpb24YAiABKA4yQi5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuYXBpcmVzb3VyY2VraW5kLkFwaVJlc291cmNlVmVyc2lvbhIMCgRuYW1lGAMgASgJEhQKDGRpc3BsYXlfbmFtZRgEIAEoCRIRCglpZF9wcmVmaXgYBSABKAkSFAoMaXNfdmVyc2lvbmVkGAYgASgIEhoKEm5vdF9zZWFyY2hfaW5kZXhlZBgHIAEoCBJKCgR0aWVyGAggASgOMjwuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLmFwaXJlc291cmNla2luZC5SZXNvdXJjZVRpZXISWgoNYXV0aG9yaXphdGlvbhgJIAEoCzJDLmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5hcGlyZXNvdXJjZWtpbmQuQXV0aG9yaXphdGlvbkNvbmZpZypCChJBcGlSZXNvdXJjZVZlcnNpb24SJAogYXBpX3Jlc291cmNlX3ZlcnNpb25fdW5zcGVjaWZpZWQQABIGCgJ2MRABKk4KDFJlc291cmNlVGllchIdChlyZXNvdXJjZV90aWVyX3Vuc3BlY2lmaWVkEAASDwoLb3Blbl9zb3VyY2UQARIOCgpjbG91ZF9vbmx5EAIqQQoPUGxhdGZvcm1JZFZhbHVlEiEKHXBsYXRmb3JtX2lkX3ZhbHVlX3Vuc3BlY2lmaWVkEAASCwoHc3RpZ21lchABKu0MCg9BcGlSZXNvdXJjZUtpbmQSHQoZYXBpX3Jlc291cmNlX2tpbmRfdW5rbm93bhAAElsKFGFwaV9yZXNvdXJjZV92ZXJzaW9uEAEaQar/Kz0IARABGhJBcGlSZXNvdXJjZVZlcnNpb24iFEFQSSBSZXNvdXJjZSBWZXJzaW9uKgN2ZXI4AUACSgQIBRAEEj8KCmlhbV9wb2xpY3kQChovqv8rKwgCEAEaCUlhbVBvbGljeSIKSUFNIFBvbGljeSoEaWFtcDgBQAJKBAgCEAESTgoQaWRlbnRpdHlfYWNjb3VudBALGjiq/ys0CAIQARoPSWRlbnRpdHlBY2NvdW50IhBJZGVudGl0eSBBY2NvdW50KgNpZGFAAkoECAQQAxI1CgdhcGlfa2V5EAwaKKr/KyQIAhABGgZBcGlLZXkiB0FQSSBLZXkqA2tleTgBQAJKBAgEEAESPwoKaW52aXRhdGlvbhAUGi+q/ysrCAIQARoKSW52aXRhdGlvbiIKSW52aXRhdGlvbioDaW52OAFAAkoECAIQARJXChFpZGVudGl0eV9wcm92aWRlchAVGkCq/ys8CAIQARoQSWRlbnRpdHlQcm92aWRlciIRSWRlbnRpdHkgUHJvdmlkZXIqA2lkcDgBQAJKCAgCEAE6AgEEEkAKCW9hdXRoX2FwcBAWGjGq/ystCAIQARoIT0F1dGhBcHAiCU9BdXRoIEFwcCoEb2FwcDgBQAJKCAgCEAE6AgEEEkkKDG9yZ2FuaXphdGlvbhAeGjeq/yszCAMQARoMT3JnYW5pemF0aW9uIgxPcmdhbml6YXRpb24qA29yZ0ABSgoIBBABOgQBAgMEEjkKCHBsYXRmb3JtEB8aK6r/KycIAxABGghQbGF0Zm9ybSIIUGxhdGZvcm0qA3BsdDgBQAJKBAgFEAQSNgoFYWdlbnQQKBorqv8rJwgBEAEaBUFnZW50IgVBZ2VudCoDYWd0QAFKDAgCEAEqAggBOgIBBBJrCg9hZ2VudF9leGVjdXRpb24QKRpWqv8rUggBEAEaDkFnZW50RXhlY3V0aW9uIg9BZ2VudCBFeGVjdXRpb24qA2FleEABSiQIAxACGh4KB3Nlc3Npb24SB3Nlc3Npb24aCnNlc3Npb25faWQSOAoHc2Vzc2lvbhAqGiuq/ysnCAEQARoHU2Vzc2lvbiIHU2Vzc2lvbioDc2VzQAFKCAgCEAE6AgEEEjgKBXNraWxsECsaLar/KykIARABGgVTa2lsbCIFU2tpbGwqA3NrbDABQAFKDAgCEAEqAggBOgIBBBJECgptY3Bfc2VydmVyECwaNKr/KzAIARABGglNY3BTZXJ2ZXIiCk1DUCBTZXJ2ZXIqA21jcEABSgwIAhABKgIIAToCAQQSagoOYWdlbnRfaW5zdGFuY2UQLRpWqv8rUggBEAEaDUFnZW50SW5zdGFuY2UiDkFnZW50IEluc3RhbmNlKgNhaW5AAUomCAIQASIYCgVhZ2VudBIFYWdlbnQaCGFnZW50X2lkKgIIAToCAQQSPwoId29ya2Zsb3cQMhoxqv8rLQgBEAEaCFdvcmtmbG93IghXb3JrZmxvdyoDd2ZsQAFKDAgCEAEqAggBOgIBBBJ4ChF3b3JrZmxvd19pbnN0YW5jZRAzGmGq/ytdCAEQARoQV29ya2Zsb3dJbnN0YW5jZSIRV29ya2Zsb3cgSW5zdGFuY2UqA3dpbkABSisIAhABIiEKCHdvcmtmbG93Egh3b3JrZmxvdxoLd29ya2Zsb3dfaWQ6AgEEElgKEndvcmtmbG93X2V4ZWN1dGlvbhA0GkCq/ys8CAEQARoRV29ya2Zsb3dFeGVjdXRpb24iEldvcmtmbG93IEV4ZWN1dGlvbioDd2V4QAFKCAgCEAE6AgEEEkYKC2Vudmlyb25tZW50EDUaNar/KzEIARABGgtFbnZpcm9ubWVudCILRW52aXJvbm1lbnQqA2VudkABSgoIAhABMAE6AgEEElIKEWV4ZWN1dGlvbl9jb250ZXh0EDYaO6r/KzcIARABGhBFeGVjdXRpb25Db250ZXh0IhFFeGVjdXRpb24gQ29udGV4dCoEZWN0eEABSgQIBBABEjgKB3Byb2plY3QQPBorqv8rJwgDEAEaB1Byb2plY3QiB1Byb2plY3QqA3ByakABSggIAhABOgIBBDqFAQoJa2luZF9tZXRhEiEuZ29vZ2xlLnByb3RvYnVmLkVudW1WYWx1ZU9wdGlvbnMY9b8FIAEoCzJDLmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5hcGlyZXNvdXJjZWtpbmQuQXBpUmVzb3VyY2VLaW5kTWV0YVIIa2luZE1ldGFCG0IZQXBpUmVzb3VyY2VLaW5kT3V0ZXJDbGFzc2IGcHJvdG8z", [file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_group, file_ai_stigmer_commons_apiresource_apiresourcekind_authorization_config, file_google_protobuf_descriptor]);
+export const file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_kind = /*@__PURE__*/ fileDesc("CkZhaS9zdGlnbWVyL2NvbW1vbnMvYXBpcmVzb3VyY2UvYXBpcmVzb3VyY2VraW5kL2FwaV9yZXNvdXJjZV9raW5kLnByb3RvEi5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuYXBpcmVzb3VyY2VraW5kIswDChNBcGlSZXNvdXJjZUtpbmRNZXRhEk8KBWdyb3VwGAEgASgOMkAuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLmFwaXJlc291cmNla2luZC5BcGlSZXNvdXJjZUdyb3VwElMKB3ZlcnNpb24YAiABKA4yQi5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuYXBpcmVzb3VyY2VraW5kLkFwaVJlc291cmNlVmVyc2lvbhIMCgRuYW1lGAMgASgJEhQKDGRpc3BsYXlfbmFtZRgEIAEoCRIRCglpZF9wcmVmaXgYBSABKAkSFAoMaXNfdmVyc2lvbmVkGAYgASgIEhoKEm5vdF9zZWFyY2hfaW5kZXhlZBgHIAEoCBJKCgR0aWVyGAggASgOMjwuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLmFwaXJlc291cmNla2luZC5SZXNvdXJjZVRpZXISWgoNYXV0aG9yaXphdGlvbhgJIAEoCzJDLmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5hcGlyZXNvdXJjZWtpbmQuQXV0aG9yaXphdGlvbkNvbmZpZypCChJBcGlSZXNvdXJjZVZlcnNpb24SJAogYXBpX3Jlc291cmNlX3ZlcnNpb25fdW5zcGVjaWZpZWQQABIGCgJ2MRABKk4KDFJlc291cmNlVGllchIdChlyZXNvdXJjZV90aWVyX3Vuc3BlY2lmaWVkEAASDwoLb3Blbl9zb3VyY2UQARIOCgpjbG91ZF9vbmx5EAIqQQoPUGxhdGZvcm1JZFZhbHVlEiEKHXBsYXRmb3JtX2lkX3ZhbHVlX3Vuc3BlY2lmaWVkEAASCwoHc3RpZ21lchABKsANCg9BcGlSZXNvdXJjZUtpbmQSHQoZYXBpX3Jlc291cmNlX2tpbmRfdW5rbm93bhAAElsKFGFwaV9yZXNvdXJjZV92ZXJzaW9uEAEaQar/Kz0IARABGhJBcGlSZXNvdXJjZVZlcnNpb24iFEFQSSBSZXNvdXJjZSBWZXJzaW9uKgN2ZXI4AUACSgQIBRAEEj8KCmlhbV9wb2xpY3kQChovqv8rKwgCEAEaCUlhbVBvbGljeSIKSUFNIFBvbGljeSoEaWFtcDgBQAJKBAgCEAESTgoQaWRlbnRpdHlfYWNjb3VudBALGjiq/ys0CAIQARoPSWRlbnRpdHlBY2NvdW50IhBJZGVudGl0eSBBY2NvdW50KgNpZGFAAkoECAQQAxI1CgdhcGlfa2V5EAwaKKr/KyQIAhABGgZBcGlLZXkiB0FQSSBLZXkqA2tleTgBQAJKBAgEEAESPwoKaW52aXRhdGlvbhAUGi+q/ysrCAIQARoKSW52aXRhdGlvbiIKSW52aXRhdGlvbioDaW52OAFAAkoECAIQARJXChFpZGVudGl0eV9wcm92aWRlchAVGkCq/ys8CAIQARoQSWRlbnRpdHlQcm92aWRlciIRSWRlbnRpdHkgUHJvdmlkZXIqA2lkcDgBQAJKCAgCEAE6AgEEEkAKCW9hdXRoX2FwcBAWGjGq/ystCAIQARoIT0F1dGhBcHAiCU9BdXRoIEFwcCoEb2FwcDgBQAJKCAgCEAE6AgEEElEKD3BsYXRmb3JtX2NsaWVudBAXGjyq/ys4CAIQARoOUGxhdGZvcm1DbGllbnQiD1BsYXRmb3JtIENsaWVudCoDcGNsOAFAAkoICAIQAToCAQQSSQoMb3JnYW5pemF0aW9uEB4aN6r/KzMIAxABGgxPcmdhbml6YXRpb24iDE9yZ2FuaXphdGlvbioDb3JnQAFKCggEEAE6BAECAwQSOQoIcGxhdGZvcm0QHxorqv8rJwgDEAEaCFBsYXRmb3JtIghQbGF0Zm9ybSoDcGx0OAFAAkoECAUQBBI2CgVhZ2VudBAoGiuq/ysnCAEQARoFQWdlbnQiBUFnZW50KgNhZ3RAAUoMCAIQASoCCAE6AgEEEmsKD2FnZW50X2V4ZWN1dGlvbhApGlaq/ytSCAEQARoOQWdlbnRFeGVjdXRpb24iD0FnZW50IEV4ZWN1dGlvbioDYWV4QAFKJAgDEAIaHgoHc2Vzc2lvbhIHc2Vzc2lvbhoKc2Vzc2lvbl9pZBI4CgdzZXNzaW9uECoaK6r/KycIARABGgdTZXNzaW9uIgdTZXNzaW9uKgNzZXNAAUoICAIQAToCAQQSOAoFc2tpbGwQKxotqv8rKQgBEAEaBVNraWxsIgVTa2lsbCoDc2tsMAFAAUoMCAIQASoCCAE6AgEEEkQKCm1jcF9zZXJ2ZXIQLBo0qv8rMAgBEAEaCU1jcFNlcnZlciIKTUNQIFNlcnZlcioDbWNwQAFKDAgCEAEqAggBOgIBBBJqCg5hZ2VudF9pbnN0YW5jZRAtGlaq/ytSCAEQARoNQWdlbnRJbnN0YW5jZSIOQWdlbnQgSW5zdGFuY2UqA2FpbkABSiYIAhABIhgKBWFnZW50EgVhZ2VudBoIYWdlbnRfaWQqAggBOgIBBBI/Cgh3b3JrZmxvdxAyGjGq/ystCAEQARoIV29ya2Zsb3ciCFdvcmtmbG93KgN3ZmxAAUoMCAIQASoCCAE6AgEEEngKEXdvcmtmbG93X2luc3RhbmNlEDMaYar/K10IARABGhBXb3JrZmxvd0luc3RhbmNlIhFXb3JrZmxvdyBJbnN0YW5jZSoDd2luQAFKKwgCEAEiIQoId29ya2Zsb3cSCHdvcmtmbG93Ggt3b3JrZmxvd19pZDoCAQQSWAoSd29ya2Zsb3dfZXhlY3V0aW9uEDQaQKr/KzwIARABGhFXb3JrZmxvd0V4ZWN1dGlvbiISV29ya2Zsb3cgRXhlY3V0aW9uKgN3ZXhAAUoICAIQAToCAQQSRgoLZW52aXJvbm1lbnQQNRo1qv8rMQgBEAEaC0Vudmlyb25tZW50IgtFbnZpcm9ubWVudCoDZW52QAFKCggCEAEwAToCAQQSUgoRZXhlY3V0aW9uX2NvbnRleHQQNho7qv8rNwgBEAEaEEV4ZWN1dGlvbkNvbnRleHQiEUV4ZWN1dGlvbiBDb250ZXh0KgRlY3R4QAFKBAgEEAESOAoHcHJvamVjdBA8Giuq/ysnCAMQARoHUHJvamVjdCIHUHJvamVjdCoDcHJqQAFKCAgCEAE6AgEEOoUBCglraW5kX21ldGESIS5nb29nbGUucHJvdG9idWYuRW51bVZhbHVlT3B0aW9ucxj1vwUgASgLMkMuYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlLmFwaXJlc291cmNla2luZC5BcGlSZXNvdXJjZUtpbmRNZXRhUghraW5kTWV0YUIbQhlBcGlSZXNvdXJjZUtpbmRPdXRlckNsYXNzYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_group, file_ai_stigmer_commons_apiresource_apiresourcekind_authorization_config, file_google_protobuf_descriptor]);
 /**
  * Describes the message ai.stigmer.commons.apiresource.apiresourcekind.ApiResourceKindMeta.
  * Use `create(ApiResourceKindMetaSchema)` to create a new message.
@@ -145,6 +145,12 @@ export var ApiResourceKind;
      * @generated from enum value: oauth_app = 22;
      */
     ApiResourceKind[ApiResourceKind["oauth_app"] = 22] = "oauth_app";
+    /**
+     * OAuth2 client credential for platform builders embedding Stigmer into their products.
+     *
+     * @generated from enum value: platform_client = 23;
+     */
+    ApiResourceKind[ApiResourceKind["platform_client"] = 23] = "platform_client";
     /**
      * Top-level tenant that owns and manages resources.
      *

package/ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"api_resource_kind_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,sKAAsK;AACtK,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAExF,OAAO,EAAE,sEAAsE,EAAE,MAAM,yBAAyB,CAAC;AAEjH,OAAO,EAAE,wEAAwE,EAAE,MAAM,2BAA2B,CAAC;AAErH,OAAO,EAAE,+BAA+B,EAAE,MAAM,wBAAwB,CAAC;AAGzE;;GAEG;AACH,MAAM,CAAC,MAAM,qEAAqE,GAAY,aAAa,CACzG,QAAQ,CAAC,s6GAAs6G,EAAE,CAAC,sEAAsE,EAAE,wEAAwE,EAAE,+BAA+B,CAAC,CAAC,CAAC;AAwExmH;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAExF;;;;GAIG;AACH,MAAM,CAAN,IAAY,kBAcX;AAdD,WAAY,kBAAkB;IAC5B;;;;OAIG;IACH,mHAAoC,CAAA;IAEpC;;;;OAIG;IACH,uDAAM,CAAA;AACR,CAAC,EAdW,kBAAkB,KAAlB,kBAAkB,QAc7B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAgC,aAAa,CAChF,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;GAIG;AACH,MAAM,CAAN,IAAY,YAmBX;AAnBD,WAAY,YAAY;IACtB;;OAEG;IACH,yFAA6B,CAAA;IAE7B;;;;OAIG;IACH,6DAAe,CAAA;IAEf;;;;OAIG;IACH,2DAAc,CAAA;AAChB,CAAC,EAnBW,YAAY,KAAZ,YAAY,QAmBvB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAA0B,aAAa,CACpE,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;;GAKG;AACH,MAAM,CAAN,IAAY,eAaX;AAbD,WAAY,eAAe;IACzB;;OAEG;IACH,uGAAiC,CAAA;IAEjC;;;;;OAKG;IACH,2DAAW,CAAA;AACb,CAAC,EAbW,eAAe,KAAf,eAAe,QAa1B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAA6B,aAAa,CAC1E,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;GAIG;AACH,MAAM,CAAN,IAAY,eA0JX;AA1JD,WAAY,eAAe;IACzB;;;;OAIG;IACH,+FAA6B,CAAA;IAE7B;;;;OAIG;IACH,qFAAwB,CAAA;IAExB;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,8EAAqB,CAAA;IAErB;;;;OAIG;IACH,4DAAY,CAAA;IAEZ;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,gEAAc,CAAA;IAEd;;;;OAIG;IACH,sEAAiB,CAAA;IAEjB;;;;OAIG;IACH,8DAAa,CAAA;IAEb;;;;OAIG;IACH,wDAAU,CAAA;IAEV;;;;OAIG;IACH,4EAAoB,CAAA;IAEpB;;;;OAIG;IACH,4DAAY,CAAA;IAEZ;;;;OAIG;IACH,wDAAU,CAAA;IAEV;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,0EAAmB,CAAA;IAEnB;;;;OAIG;IACH,8DAAa,CAAA;IAEb;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,kFAAuB,CAAA;IAEvB;;;;OAIG;IACH,oEAAgB,CAAA;IAEhB;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,4DAAY,CAAA;AACd,CAAC,EA1JW,eAAe,KAAf,eAAe,QA0J1B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAA6B,aAAa,CAC1E,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAwD,aAAa,CACzF,OAAO,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"api_resource_kind_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,sKAAsK;AACtK,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAExF,OAAO,EAAE,sEAAsE,EAAE,MAAM,yBAAyB,CAAC;AAEjH,OAAO,EAAE,wEAAwE,EAAE,MAAM,2BAA2B,CAAC;AAErH,OAAO,EAAE,+BAA+B,EAAE,MAAM,wBAAwB,CAAC;AAGzE;;GAEG;AACH,MAAM,CAAC,MAAM,qEAAqE,GAAY,aAAa,CACzG,QAAQ,CAAC,qhHAAqhH,EAAE,CAAC,sEAAsE,EAAE,wEAAwE,EAAE,+BAA+B,CAAC,CAAC,CAAC;AAwEvtH;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAExF;;;;GAIG;AACH,MAAM,CAAN,IAAY,kBAcX;AAdD,WAAY,kBAAkB;IAC5B;;;;OAIG;IACH,mHAAoC,CAAA;IAEpC;;;;OAIG;IACH,uDAAM,CAAA;AACR,CAAC,EAdW,kBAAkB,KAAlB,kBAAkB,QAc7B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAgC,aAAa,CAChF,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;GAIG;AACH,MAAM,CAAN,IAAY,YAmBX;AAnBD,WAAY,YAAY;IACtB;;OAEG;IACH,yFAA6B,CAAA;IAE7B;;;;OAIG;IACH,6DAAe,CAAA;IAEf;;;;OAIG;IACH,2DAAc,CAAA;AAChB,CAAC,EAnBW,YAAY,KAAZ,YAAY,QAmBvB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAA0B,aAAa,CACpE,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;;GAKG;AACH,MAAM,CAAN,IAAY,eAaX;AAbD,WAAY,eAAe;IACzB;;OAEG;IACH,uGAAiC,CAAA;IAEjC;;;;;OAKG;IACH,2DAAW,CAAA;AACb,CAAC,EAbW,eAAe,KAAf,eAAe,QAa1B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAA6B,aAAa,CAC1E,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;GAIG;AACH,MAAM,CAAN,IAAY,eAiKX;AAjKD,WAAY,eAAe;IACzB;;;;OAIG;IACH,+FAA6B,CAAA;IAE7B;;;;OAIG;IACH,qFAAwB,CAAA;IAExB;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,8EAAqB,CAAA;IAErB;;;;OAIG;IACH,4DAAY,CAAA;IAEZ;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,gEAAc,CAAA;IAEd;;;;OAIG;IACH,4EAAoB,CAAA;IAEpB;;;;OAIG;IACH,sEAAiB,CAAA;IAEjB;;;;OAIG;IACH,8DAAa,CAAA;IAEb;;;;OAIG;IACH,wDAAU,CAAA;IAEV;;;;OAIG;IACH,4EAAoB,CAAA;IAEpB;;;;OAIG;IACH,4DAAY,CAAA;IAEZ;;;;OAIG;IACH,wDAAU,CAAA;IAEV;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,0EAAmB,CAAA;IAEnB;;;;OAIG;IACH,8DAAa,CAAA;IAEb;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,kFAAuB,CAAA;IAEvB;;;;OAIG;IACH,oEAAgB,CAAA;IAEhB;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,4DAAY,CAAA;AACd,CAAC,EAjKW,eAAe,KAAf,eAAe,QAiK1B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAA6B,aAAa,CAC1E,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAwD,aAAa,CACzF,OAAO,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/enum_pb.d.ts

@@ -35,7 +35,23 @@ export declare enum IdentityAccountProvisioningMode {
      *
      * @generated from enum value: machine = 3;
      */
-    machine = 3
+    machine = 3,
+    /**
+     * Account provisioned via a PlatformClient's mintUserToken endpoint.
+     *
+     * The idp_id for these accounts uses the composite encoding
+     * "stgm_pc|{platform_client_id}|{external_user_id}", where platform_client_id
+     * is the PlatformClient's permanent client_id (stgm_cid_*) and external_user_id
+     * is the user identifier supplied by the platform builder. The composite is
+     * globally unique by construction — no additional scope field is needed.
+     *
+     * Unlike federated accounts, PlatformClient is not an ongoing authentication
+     * authority. Stigmer signs its own JWTs for these users; the PlatformClient
+     * is the admission credential used at mint time only.
+     *
+     * @generated from enum value: platform_client = 4;
+     */
+    platform_client = 4
 }
 /**
  * Describes the enum ai.stigmer.iam.identityaccount.v1.IdentityAccountProvisioningMode.

package/ai/stigmer/iam/identityaccount/v1/enum_pb.js

@@ -5,7 +5,7 @@ import { enumDesc, fileDesc } from "@bufbuild/protobuf/codegenv1";
 /**
  * Describes the file ai/stigmer/iam/identityaccount/v1/enum.proto.
  */
-export const file_ai_stigmer_iam_identityaccount_v1_enum = /*@__PURE__*/ fileDesc("CixhaS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvZW51bS5wcm90bxIhYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxKn0KH0lkZW50aXR5QWNjb3VudFByb3Zpc2lvbmluZ01vZGUSMgouaWRlbnRpdHlfYWNjb3VudF9wcm92aXNpb25pbmdfbW9kZV91bnNwZWNpZmllZBAAEgoKBmRpcmVjdBABEg0KCWZlZGVyYXRlZBACEgsKB21hY2hpbmUQA2IGcHJvdG8z");
+export const file_ai_stigmer_iam_identityaccount_v1_enum = /*@__PURE__*/ fileDesc("CixhaS9zdGlnbWVyL2lhbS9pZGVudGl0eWFjY291bnQvdjEvZW51bS5wcm90bxIhYWkuc3RpZ21lci5pYW0uaWRlbnRpdHlhY2NvdW50LnYxKpIBCh9JZGVudGl0eUFjY291bnRQcm92aXNpb25pbmdNb2RlEjIKLmlkZW50aXR5X2FjY291bnRfcHJvdmlzaW9uaW5nX21vZGVfdW5zcGVjaWZpZWQQABIKCgZkaXJlY3QQARINCglmZWRlcmF0ZWQQAhILCgdtYWNoaW5lEAMSEwoPcGxhdGZvcm1fY2xpZW50EARiBnByb3RvMw");
 /**
  * IdentityAccountProvisioningMode defines how an identity account was created.
  *
@@ -40,6 +40,22 @@ export var IdentityAccountProvisioningMode;
      * @generated from enum value: machine = 3;
      */
     IdentityAccountProvisioningMode[IdentityAccountProvisioningMode["machine"] = 3] = "machine";
+    /**
+     * Account provisioned via a PlatformClient's mintUserToken endpoint.
+     *
+     * The idp_id for these accounts uses the composite encoding
+     * "stgm_pc|{platform_client_id}|{external_user_id}", where platform_client_id
+     * is the PlatformClient's permanent client_id (stgm_cid_*) and external_user_id
+     * is the user identifier supplied by the platform builder. The composite is
+     * globally unique by construction — no additional scope field is needed.
+     *
+     * Unlike federated accounts, PlatformClient is not an ongoing authentication
+     * authority. Stigmer signs its own JWTs for these users; the PlatformClient
+     * is the admission credential used at mint time only.
+     *
+     * @generated from enum value: platform_client = 4;
+     */
+    IdentityAccountProvisioningMode[IdentityAccountProvisioningMode["platform_client"] = 4] = "platform_client";
 })(IdentityAccountProvisioningMode || (IdentityAccountProvisioningMode = {}));
 /**
  * Describes the enum ai.stigmer.iam.identityaccount.v1.IdentityAccountProvisioningMode.

package/ai/stigmer/iam/identityaccount/v1/enum_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"enum_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/enum_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,kSAAkS,CAAC,CAAC;AAE/S;;;;;;;GAOG;AACH,MAAM,CAAN,IAAY,+BA4BX;AA5BD,WAAY,+BAA+B;IACzC;;;;OAIG;IACH,yKAAkD,CAAA;IAElD;;;;OAIG;IACH,yFAAU,CAAA;IAEV;;;;OAIG;IACH,+FAAa,CAAA;IAEb;;;;OAIG;IACH,2FAAW,CAAA;AACb,CAAC,EA5BW,+BAA+B,KAA/B,+BAA+B,QA4B1C;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAA6C,aAAa,CAC1G,QAAQ,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"enum_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/enum_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,gUAAgU,CAAC,CAAC;AAE7U;;;;;;;GAOG;AACH,MAAM,CAAN,IAAY,+BA6CX;AA7CD,WAAY,+BAA+B;IACzC;;;;OAIG;IACH,yKAAkD,CAAA;IAElD;;;;OAIG;IACH,yFAAU,CAAA;IAEV;;;;OAIG;IACH,+FAAa,CAAA;IAEb;;;;OAIG;IACH,2FAAW,CAAA;IAEX;;;;;;;;;;;;;;OAcG;IACH,2GAAmB,CAAA;AACrB,CAAC,EA7CW,+BAA+B,KAA/B,+BAA+B,QA6C1C;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAA6C,aAAa,CAC1G,QAAQ,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityaccount/v1/spec_pb.d.ts

@@ -11,8 +11,9 @@ export declare const file_ai_stigmer_iam_identityaccount_v1_spec: GenFile;
  *
  * An identity account represents a user or machine principal in Stigmer.
  * Accounts can be direct (signed up via Stigmer), federated (provisioned
- * through an external identity provider), or machine (service-to-service
- * credentials).
+ * through an external identity provider), machine (service-to-service
+ * credentials), or platform_client (provisioned via a PlatformClient's
+ * mintUserToken endpoint).
  *
  * @internal
  * All FGA tuples use identity_account as the principal type.
@@ -21,6 +22,12 @@ export declare const file_ai_stigmer_iam_identityaccount_v1_spec: GenFile;
  * - federated: raw OIDC sub claim (e.g., "google-oauth2|109876543210"),
  *   scoped by identity_provider_ref
  * - machine: Auth0 client ID with "@clients" suffix
+ * - platform_client: composite "stgm_pc|{org}|{external_user_id}" where org
+ *   is the Stigmer org that owns the PlatformClient(s) and external_user_id
+ *   is the platform builder's stable identifier for the user. Scoping by org
+ *   (not by PlatformClient) means a customer's end user resolves to a single
+ *   IdentityAccount across all of that customer's PlatformClients. Globally
+ *   unique by construction.
  *
  * @generated from message ai.stigmer.iam.identityaccount.v1.IdentityAccountSpec
  */
@@ -33,6 +40,12 @@ export type IdentityAccountSpec = Message<"ai.stigmer.iam.identityaccount.v1.Ide
      * provider (e.g., "google-oauth2|109876543210"). Uniqueness is scoped by
      * identity_provider_ref — the pair (identity_provider_ref, idp_id) is unique.
      * For machine accounts: the Auth0 client ID with "@clients" suffix.
+     * For platform_client accounts: composite "stgm_pc|{org}|{external_user_id}"
+     * where org is the Stigmer org that owns the PlatformClient(s) and
+     * external_user_id is the platform builder's stable identifier for the user.
+     * Scoping by org (not by PlatformClient) means the same user_id presented
+     * via any PlatformClient in the same org resolves to the same IdentityAccount.
+     * Globally unique by construction — no additional scope field is needed.
      *
      * @generated from field: string idp_id = 1;
      */

package/ai/stigmer/iam/identityaccount/v1/spec_pb.js.map

@@ -1 +1 @@
-{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,2CAA2C,EAAE,MAAM,WAAW,CAAC;AACxE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,kjBAAkjB,EAAE,CAAC,sCAAsC,EAAE,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAiGlrB;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}
+{"version":3,"file":"spec_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/identityaccount/v1/spec_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,+HAA+H;AAC/H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,sCAAsC,EAAE,MAAM,oCAAoC,CAAC;AAE5F,OAAO,EAAE,2CAA2C,EAAE,MAAM,WAAW,CAAC;AACxE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,2CAA2C,GAAY,aAAa,CAC/E,QAAQ,CAAC,kjBAAkjB,EAAE,CAAC,sCAAsC,EAAE,2CAA2C,EAAE,0BAA0B,CAAC,CAAC,CAAC;AA8GlrB;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,2CAA2C,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/identityprovider/v1/api_pb.d.ts

@@ -19,13 +19,13 @@ export declare const file_ai_stigmer_iam_identityprovider_v1_api: GenFile;
  *   apiVersion: iam.stigmer.ai/v1
  *   kind: IdentityProvider
  *   metadata:
- *     name: Planton Cloud
- *     slug: planton-cloud
+ *     name: Planton
+ *     slug: planton
  *     org: planton
  *   spec:
- *     display_name: "Planton Cloud"
+ *     display_name: "Planton"
  *     jwks_uri: "https://api.planton.ai/.well-known/stigmer-jwks.json"
- *     allowed_issuers: ["planton-cloud"]
+ *     allowed_issuers: ["planton"]
  *     expected_audience: "stigmer-api"
  *
  * @generated from message ai.stigmer.iam.identityprovider.v1.IdentityProvider

package/ai/stigmer/iam/identityprovider/v1/query_connect.d.ts

@@ -23,7 +23,7 @@ export declare const IdentityProviderQueryController: {
         /**
          * Get an identity provider by its organization-scoped reference (org/slug).
          *
-         * Resolves a human-readable reference like "acme/planton-cloud" to the full
+         * Resolves a human-readable reference like "acme/planton" to the full
          * IdentityProvider resource.
          *
          * @internal

package/ai/stigmer/iam/identityprovider/v1/query_connect.js

@@ -28,7 +28,7 @@ export const IdentityProviderQueryController = {
         /**
          * Get an identity provider by its organization-scoped reference (org/slug).
          *
-         * Resolves a human-readable reference like "acme/planton-cloud" to the full
+         * Resolves a human-readable reference like "acme/planton" to the full
          * IdentityProvider resource.
          *
          * @internal

package/ai/stigmer/iam/identityprovider/v1/query_pb.d.ts

@@ -28,7 +28,7 @@ export declare const IdentityProviderQueryController: GenService<{
     /**
      * Get an identity provider by its organization-scoped reference (org/slug).
      *
-     * Resolves a human-readable reference like "acme/planton-cloud" to the full
+     * Resolves a human-readable reference like "acme/planton" to the full
      * IdentityProvider resource.
      *
      * @internal

package/ai/stigmer/iam/identityprovider/v1/spec_pb.d.ts

@@ -38,11 +38,11 @@ export declare const file_ai_stigmer_iam_identityprovider_v1_spec: GenFile;
  *   apiVersion: iam.stigmer.ai/v1
  *   kind: IdentityProvider
  *   metadata:
- *     name: Planton Cloud
- *     slug: planton-cloud
+ *     name: Planton
+ *     slug: planton
  *     org: planton
  *   spec:
- *     display_name: "Planton Cloud"
+ *     display_name: "Planton"
  *     jwks_uri: "https://planton-prod.us.auth0.com/.well-known/jwks.json"
  *     allowed_issuers: ["https://planton-prod.us.auth0.com/"]
  *     expected_audience: "https://api.planton.ai/"

package/ai/stigmer/iam/platformclient/v1/api_pb.d.ts

@@ -0,0 +1,107 @@
+import type { GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
+import type { ApiResourceMetadata } from "../../../commons/apiresource/metadata_pb";
+import type { ApiResourceAudit } from "../../../commons/apiresource/status_pb";
+import type { PlatformClientSpec } from "./spec_pb";
+import type { Timestamp } from "@bufbuild/protobuf/wkt";
+import type { Message } from "@bufbuild/protobuf";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/api.proto.
+ */
+export declare const file_ai_stigmer_iam_platformclient_v1_api: GenFile;
+/**
+ * PlatformClient represents an OAuth2 client credential for platform builders
+ * who embed Stigmer into their products.
+ *
+ * A PlatformClient is owned by an organization and holds a client_id + client_secret
+ * credential pair. Platform builders use these credentials from their backend to
+ * mint user-scoped JWTs via the mintUserToken RPC, enabling their users to interact
+ * with Stigmer resources through the React SDK without requiring OIDC federation.
+ *
+ * PlatformClient is the inbound auth counterpart to OAuthApp (outbound auth).
+ * While OAuthApp configures how Stigmer authenticates *outward* to external services,
+ * PlatformClient configures how platform builders authenticate *inward* to Stigmer
+ * on behalf of their users.
+ *
+ * Example YAML:
+ *   apiVersion: iam.stigmer.ai/v1
+ *   kind: PlatformClient
+ *   metadata:
+ *     name: Acme Dashboard
+ *     slug: acme-dashboard
+ *     org: acme
+ *   spec:
+ *     auto_provision_accounts: true
+ *     auto_grant_on_org: true
+ *     auto_grant_role: viewer
+ *     allowed_origins: ["https://app.acme.com"]
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.PlatformClient
+ */
+export type PlatformClient = Message<"ai.stigmer.iam.platformclient.v1.PlatformClient"> & {
+    /**
+     * API version for this resource type.
+     *
+     * @generated from field: string api_version = 1;
+     */
+    apiVersion: string;
+    /**
+     * Resource kind identifier.
+     *
+     * @generated from field: string kind = 2;
+     */
+    kind: string;
+    /**
+     * Standard resource metadata including name, id, org, visibility, labels, and tags.
+     * The org field identifies which organization owns this platform client.
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceMetadata metadata = 3;
+     */
+    metadata?: ApiResourceMetadata;
+    /**
+     * User-provided platform client configuration (desired state).
+     *
+     * @generated from field: ai.stigmer.iam.platformclient.v1.PlatformClientSpec spec = 4;
+     */
+    spec?: PlatformClientSpec;
+    /**
+     * System-managed state including audit trail and usage tracking.
+     *
+     * @generated from field: ai.stigmer.iam.platformclient.v1.PlatformClientStatus status = 5;
+     */
+    status?: PlatformClientStatus;
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClient.
+ * Use `create(PlatformClientSchema)` to create a new message.
+ */
+export declare const PlatformClientSchema: GenMessage<PlatformClient>;
+/**
+ * PlatformClientStatus contains system-managed state for a platform client.
+ *
+ * Uses a custom status (rather than the generic ApiResourceAuditStatus) to
+ * include credential usage tracking, which is essential for security auditing
+ * and stale credential detection.
+ *
+ * @generated from message ai.stigmer.iam.platformclient.v1.PlatformClientStatus
+ */
+export type PlatformClientStatus = Message<"ai.stigmer.iam.platformclient.v1.PlatformClientStatus"> & {
+    /**
+     * Standard audit information (created_at, updated_at, created_by, etc.).
+     *
+     * @generated from field: ai.stigmer.commons.apiresource.ApiResourceAudit audit = 99;
+     */
+    audit?: ApiResourceAudit;
+    /**
+     * Timestamp of the most recent successful mintUserToken call using this
+     * platform client's credentials. Used for security monitoring — credentials
+     * that have not been used recently may be candidates for rotation or deletion.
+     *
+     * @generated from field: google.protobuf.Timestamp last_used_at = 1;
+     */
+    lastUsedAt?: Timestamp;
+};
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClientStatus.
+ * Use `create(PlatformClientStatusSchema)` to create a new message.
+ */
+export declare const PlatformClientStatusSchema: GenMessage<PlatformClientStatus>;

package/ai/stigmer/iam/platformclient/v1/api_pb.js

@@ -0,0 +1,24 @@
+// @generated by protoc-gen-es v2.2.2 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/api.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+import { fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_ai_stigmer_commons_apiresource_metadata } from "../../../commons/apiresource/metadata_pb";
+import { file_ai_stigmer_commons_apiresource_status } from "../../../commons/apiresource/status_pb";
+import { file_ai_stigmer_iam_platformclient_v1_spec } from "./spec_pb";
+import { file_buf_validate_validate } from "../../../../../buf/validate/validate_pb";
+import { file_google_protobuf_timestamp } from "@bufbuild/protobuf/wkt";
+/**
+ * Describes the file ai/stigmer/iam/platformclient/v1/api.proto.
+ */
+export const file_ai_stigmer_iam_platformclient_v1_api = /*@__PURE__*/ fileDesc("CiphaS9zdGlnbWVyL2lhbS9wbGF0Zm9ybWNsaWVudC92MS9hcGkucHJvdG8SIGFpLnN0aWdtZXIuaWFtLnBsYXRmb3JtY2xpZW50LnYxIr8CCg5QbGF0Zm9ybUNsaWVudBItCgthcGlfdmVyc2lvbhgBIAEoCUIYukgVchMKEWlhbS5zdGlnbWVyLmFpL3YxEiMKBGtpbmQYAiABKAlCFbpIEnIQCg5QbGF0Zm9ybUNsaWVudBJNCghtZXRhZGF0YRgDIAEoCzIzLmFpLnN0aWdtZXIuY29tbW9ucy5hcGlyZXNvdXJjZS5BcGlSZXNvdXJjZU1ldGFkYXRhQga6SAPIAQESQgoEc3BlYxgEIAEoCzI0LmFpLnN0aWdtZXIuaWFtLnBsYXRmb3JtY2xpZW50LnYxLlBsYXRmb3JtQ2xpZW50U3BlYxJGCgZzdGF0dXMYBSABKAsyNi5haS5zdGlnbWVyLmlhbS5wbGF0Zm9ybWNsaWVudC52MS5QbGF0Zm9ybUNsaWVudFN0YXR1cyKJAQoUUGxhdGZvcm1DbGllbnRTdGF0dXMSPwoFYXVkaXQYYyABKAsyMC5haS5zdGlnbWVyLmNvbW1vbnMuYXBpcmVzb3VyY2UuQXBpUmVzb3VyY2VBdWRpdBIwCgxsYXN0X3VzZWRfYXQYASABKAsyGi5nb29nbGUucHJvdG9idWYuVGltZXN0YW1wYgZwcm90bzM", [file_ai_stigmer_commons_apiresource_metadata, file_ai_stigmer_commons_apiresource_status, file_ai_stigmer_iam_platformclient_v1_spec, file_buf_validate_validate, file_google_protobuf_timestamp]);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClient.
+ * Use `create(PlatformClientSchema)` to create a new message.
+ */
+export const PlatformClientSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_api, 0);
+/**
+ * Describes the message ai.stigmer.iam.platformclient.v1.PlatformClientStatus.
+ * Use `create(PlatformClientStatusSchema)` to create a new message.
+ */
+export const PlatformClientStatusSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_platformclient_v1_api, 1);
+//# sourceMappingURL=api_pb.js.map

package/ai/stigmer/iam/platformclient/v1/api_pb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/api_pb.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,4HAA4H;AAC5H,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,4CAA4C,EAAE,MAAM,0CAA0C,CAAC;AAExG,OAAO,EAAE,0CAA0C,EAAE,MAAM,wCAAwC,CAAC;AAEpG,OAAO,EAAE,0CAA0C,EAAE,MAAM,WAAW,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAErF,OAAO,EAAE,8BAA8B,EAAE,MAAM,wBAAwB,CAAC;AAGxE;;GAEG;AACH,MAAM,CAAC,MAAM,yCAAyC,GAAY,aAAa,CAC7E,QAAQ,CAAC,6tBAA6tB,EAAE,CAAC,4CAA4C,EAAE,0CAA0C,EAAE,0CAA0C,EAAE,0BAA0B,EAAE,8BAA8B,CAAC,CAAC,CAAC;AAqE96B;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAA+B,aAAa,CAC3E,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;AA6B5D;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC"}

package/ai/stigmer/iam/platformclient/v1/command_connect.d.ts

@@ -0,0 +1,97 @@
+/**
+ * PlatformClientCommandController provides write operations for platform client resources.
+ *
+ * Platform clients hold OAuth2 credentials (client_id + client_secret) for
+ * platform builders embedding Stigmer into their products. The client_secret
+ * is generated server-side and returned only once in the create and
+ * rotateSecret responses.
+ *
+ * @internal
+ * PlatformClients hold credential material (client_secret_hash) and are always
+ * org-private. There is no updateVisibility RPC — public visibility is
+ * intentionally unsupported to prevent credential leakage.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientCommandController
+ */
+export declare const PlatformClientCommandController: {
+    readonly typeName: "ai.stigmer.iam.platformclient.v1.PlatformClientCommandController";
+    readonly methods: {
+        /**
+         * Create a platform client.
+         *
+         * Generates a new client_id (stgm_cid_ prefix) and client_secret (stgm_cs_ prefix).
+         * The raw client_secret is included in the response and is never returned again.
+         * Store it securely before discarding the response.
+         *
+         * The creator's organization owns the platform client. The creator is granted
+         * the owner role automatically.
+         *
+         * @internal
+         * Authorization: Requires can_create_platform_client permission in the organization.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.create
+         */
+        readonly create: {
+            readonly name: "create";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Update an existing platform client.
+         *
+         * Only mutable fields can be changed: auto_provision_accounts, auto_grant_on_org,
+         * auto_grant_role, and allowed_origins. Credential fields (client_id,
+         * client_secret_hash, secret_fingerprint) are immutable after creation.
+         * Use rotateSecret to change the client secret.
+         *
+         * @internal
+         * Authorization: Requires can_edit permission on the platform client resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.update
+         */
+        readonly update: {
+            readonly name: "update";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Delete a platform client.
+         *
+         * Immediately invalidates the client_id and client_secret. Any tokens
+         * previously minted by this platform client remain valid until their
+         * own expiration — deletion does not revoke already-issued tokens.
+         *
+         * @internal
+         * Authorization: Requires can_delete permission on the platform client resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.delete
+         */
+        readonly delete: {
+            readonly name: "delete";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+        /**
+         * Rotate the client secret.
+         *
+         * Generates a new client_secret, invalidates the old one immediately,
+         * and returns the new raw secret in the response. The client_id remains
+         * unchanged — platform builders do not need to update their client_id
+         * configuration after rotation.
+         *
+         * @internal
+         * Authorization: Requires can_edit permission on the platform client resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.rotateSecret
+         */
+        readonly rotateSecret: {
+            readonly name: "rotateSecret";
+            readonly I: any;
+            readonly O: any;
+            readonly kind: any;
+        };
+    };
+};

package/ai/stigmer/iam/platformclient/v1/command_connect.js

@@ -0,0 +1,103 @@
+// @generated by protoc-gen-connect-es v1.6.1 with parameter "target=ts"
+// @generated from file ai/stigmer/iam/platformclient/v1/command.proto (package ai.stigmer.iam.platformclient.v1, syntax proto3)
+/* eslint-disable */
+// @ts-nocheck
+import { MethodKind } from "@bufbuild/protobuf";
+/**
+ * PlatformClientCommandController provides write operations for platform client resources.
+ *
+ * Platform clients hold OAuth2 credentials (client_id + client_secret) for
+ * platform builders embedding Stigmer into their products. The client_secret
+ * is generated server-side and returned only once in the create and
+ * rotateSecret responses.
+ *
+ * @internal
+ * PlatformClients hold credential material (client_secret_hash) and are always
+ * org-private. There is no updateVisibility RPC — public visibility is
+ * intentionally unsupported to prevent credential leakage.
+ *
+ * @generated from service ai.stigmer.iam.platformclient.v1.PlatformClientCommandController
+ */
+export const PlatformClientCommandController = {
+    typeName: "ai.stigmer.iam.platformclient.v1.PlatformClientCommandController",
+    methods: {
+        /**
+         * Create a platform client.
+         *
+         * Generates a new client_id (stgm_cid_ prefix) and client_secret (stgm_cs_ prefix).
+         * The raw client_secret is included in the response and is never returned again.
+         * Store it securely before discarding the response.
+         *
+         * The creator's organization owns the platform client. The creator is granted
+         * the owner role automatically.
+         *
+         * @internal
+         * Authorization: Requires can_create_platform_client permission in the organization.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.create
+         */
+        create: {
+            name: "create",
+            I: PlatformClient,
+            O: PlatformClientCreateResponse,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Update an existing platform client.
+         *
+         * Only mutable fields can be changed: auto_provision_accounts, auto_grant_on_org,
+         * auto_grant_role, and allowed_origins. Credential fields (client_id,
+         * client_secret_hash, secret_fingerprint) are immutable after creation.
+         * Use rotateSecret to change the client secret.
+         *
+         * @internal
+         * Authorization: Requires can_edit permission on the platform client resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.update
+         */
+        update: {
+            name: "update",
+            I: PlatformClient,
+            O: PlatformClient,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Delete a platform client.
+         *
+         * Immediately invalidates the client_id and client_secret. Any tokens
+         * previously minted by this platform client remain valid until their
+         * own expiration — deletion does not revoke already-issued tokens.
+         *
+         * @internal
+         * Authorization: Requires can_delete permission on the platform client resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.delete
+         */
+        delete: {
+            name: "delete",
+            I: ApiResourceDeleteInput,
+            O: PlatformClient,
+            kind: MethodKind.Unary,
+        },
+        /**
+         * Rotate the client secret.
+         *
+         * Generates a new client_secret, invalidates the old one immediately,
+         * and returns the new raw secret in the response. The client_id remains
+         * unchanged — platform builders do not need to update their client_id
+         * configuration after rotation.
+         *
+         * @internal
+         * Authorization: Requires can_edit permission on the platform client resource.
+         *
+         * @generated from rpc ai.stigmer.iam.platformclient.v1.PlatformClientCommandController.rotateSecret
+         */
+        rotateSecret: {
+            name: "rotateSecret",
+            I: PlatformClientId,
+            O: PlatformClientCreateResponse,
+            kind: MethodKind.Unary,
+        },
+    }
+};
+//# sourceMappingURL=command_connect.js.map

package/ai/stigmer/iam/platformclient/v1/command_connect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/platformclient/v1/command_connect.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,gIAAgI;AAChI,oBAAoB;AACpB,cAAc;AAId,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C,QAAQ,EAAE,kEAAkE;IAC5E,OAAO,EAAE;QACP;;;;;;;;;;;;;;WAcG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,cAAc;YACjB,CAAC,EAAE,4BAA4B;YAC/B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;WAYG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,cAAc;YACjB,CAAC,EAAE,cAAc;YACjB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;WAWG;QACH,MAAM,EAAE;YACN,IAAI,EAAE,QAAQ;YACd,CAAC,EAAE,sBAAsB;YACzB,CAAC,EAAE,cAAc;YACjB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;WAYG;QACH,YAAY,EAAE;YACZ,IAAI,EAAE,cAAc;YACpB,CAAC,EAAE,gBAAgB;YACnB,CAAC,EAAE,4BAA4B;YAC/B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}