@stigmer/protos 3.0.4 → 3.0.6
- package/ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.js +1 -1
- package/ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.js.map +1 -1
- package/ai/stigmer/commons/apiresource/apiresourcekind/authorization_config_pb.d.ts +88 -18
- package/ai/stigmer/commons/apiresource/apiresourcekind/authorization_config_pb.js +1 -1
- package/ai/stigmer/commons/apiresource/apiresourcekind/authorization_config_pb.js.map +1 -1
- package/ai/stigmer/commons/apiresource/enum_pb.d.ts +30 -2
- package/ai/stigmer/commons/apiresource/enum_pb.js +30 -2
- package/ai/stigmer/commons/apiresource/enum_pb.js.map +1 -1
- package/ai/stigmer/commons/apiresource/io_pb.d.ts +19 -13
- package/ai/stigmer/commons/apiresource/io_pb.js.map +1 -1
- package/ai/stigmer/iam/iampolicy/v1/io_pb.d.ts +43 -0
- package/ai/stigmer/iam/iampolicy/v1/io_pb.js +12 -7
- package/ai/stigmer/iam/iampolicy/v1/io_pb.js.map +1 -1
- package/ai/stigmer/iam/iampolicy/v1/query_connect.d.ts +40 -1
- package/ai/stigmer/iam/iampolicy/v1/query_connect.js +41 -2
- package/ai/stigmer/iam/iampolicy/v1/query_connect.js.map +1 -1
- package/ai/stigmer/iam/iampolicy/v1/query_pb.d.ts +40 -2
- package/ai/stigmer/iam/iampolicy/v1/query_pb.js +1 -1
- package/ai/stigmer/iam/iampolicy/v1/query_pb.js.map +1 -1
- package/package.json +1 -1
|
@@ -8,7 +8,7 @@ import { file_google_protobuf_descriptor } from "@bufbuild/protobuf/wkt";
|
|
|
8
8
|
/**
|
|
9
9
|
* Describes the file ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind.proto.
|
|
10
10
|
*/
|
|
11
|
-
export const file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_kind = /*@__PURE__*/ fileDesc("
|
|
11
|
+
export const file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_kind = /*@__PURE__*/ fileDesc("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", [file_ai_stigmer_commons_apiresource_apiresourcekind_api_resource_group, file_ai_stigmer_commons_apiresource_apiresourcekind_authorization_config, file_google_protobuf_descriptor]);
|
|
12
12
|
/**
|
|
13
13
|
* Describes the message ai.stigmer.commons.apiresource.apiresourcekind.ApiResourceKindMeta.
|
|
14
14
|
* Use `create(ApiResourceKindMetaSchema)` to create a new message.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"api_resource_kind_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,sKAAsK;AACtK,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAExF,OAAO,EAAE,sEAAsE,EAAE,MAAM,4BAA4B,CAAC;AAEpH,OAAO,EAAE,wEAAwE,EAAE,MAAM,8BAA8B,CAAC;AAExH,OAAO,EAAE,+BAA+B,EAAE,MAAM,wBAAwB,CAAC;AAGzE;;GAEG;AACH,MAAM,CAAC,MAAM,qEAAqE,GAAY,aAAa,CACzG,QAAQ,CAAC,
|
|
1
|
+
{"version":3,"file":"api_resource_kind_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/commons/apiresource/apiresourcekind/api_resource_kind_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,sKAAsK;AACtK,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAExF,OAAO,EAAE,sEAAsE,EAAE,MAAM,4BAA4B,CAAC;AAEpH,OAAO,EAAE,wEAAwE,EAAE,MAAM,8BAA8B,CAAC;AAExH,OAAO,EAAE,+BAA+B,EAAE,MAAM,wBAAwB,CAAC;AAGzE;;GAEG;AACH,MAAM,CAAC,MAAM,qEAAqE,GAAY,aAAa,CACzG,QAAQ,CAAC,opHAAopH,EAAE,CAAC,sEAAsE,EAAE,wEAAwE,EAAE,+BAA+B,CAAC,CAAC,CAAC;AAwEt1H;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAExF;;;;GAIG;AACH,MAAM,CAAN,IAAY,kBAcX;AAdD,WAAY,kBAAkB;IAC5B;;;;OAIG;IACH,mHAAoC,CAAA;IAEpC;;;;OAIG;IACH,uDAAM,CAAA;AACR,CAAC,EAdW,kBAAkB,KAAlB,kBAAkB,QAc7B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAgC,aAAa,CAChF,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;GAIG;AACH,MAAM,CAAN,IAAY,YAmBX;AAnBD,WAAY,YAAY;IACtB;;OAEG;IACH,yFAA6B,CAAA;IAE7B;;;;OAIG;IACH,6DAAe,CAAA;IAEf;;;;OAIG;IACH,2DAAc,CAAA;AAChB,CAAC,EAnBW,YAAY,KAAZ,YAAY,QAmBvB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAA0B,aAAa,CACpE,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;;GAKG;AACH,MAAM,CAAN,IAAY,eAaX;AAbD,WAAY,eAAe;IACzB;;OAEG;IACH,uGAAiC,CAAA;IAEjC;;;;;OAKG;IACH,2DAAW,CAAA;AACb,CAAC,EAbW,eAAe,KAAf,eAAe,QAa1B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAA6B,aAAa,CAC1E,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;;;GAIG;AACH,MAAM,CAAN,IAAY,eAwKX;AAxKD,WAAY,eAAe;IACzB;;;;OAIG;IACH,+FAA6B,CAAA;IAE7B;;;;OAIG;IACH,qFAAwB,CAAA;IAExB;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,8EAAqB,CAAA;IAErB;;;;OAIG;IACH,4DAAY,CAAA;IAEZ;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,gEAAc,CAAA;IAEd;;;;OAIG;IACH,4EAAoB,CAAA;IAEpB;;;;OAIG;IACH,sEAAiB,CAAA;IAEjB;;;;OAIG;IACH,8DAAa,CAAA;IAEb;;;;OAIG;IACH,wDAAU,CAAA;IAEV;;;;OAIG;IACH,4EAAoB,CAAA;IAEpB;;;;OAIG;IACH,4DAAY,CAAA;IAEZ;;;;OAIG;IACH,wDAAU,CAAA;IAEV;;;;OAIG;IACH,kEAAe,CAAA;IAEf;;;;OAIG;IACH,0EAAmB,CAAA;IAEnB;
;;;OAIG;IACH,8DAAa,CAAA;IAEb;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,kFAAuB,CAAA;IAEvB;;;;OAIG;IACH,oEAAgB,CAAA;IAEhB;;;;OAIG;IACH,8DAAa,CAAA;IAEb;;;;OAIG;IACH,gFAAsB,CAAA;IAEtB;;;;OAIG;IACH,4DAAY,CAAA;AACd,CAAC,EAxKW,eAAe,KAAf,eAAe,QAwK1B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAA6B,aAAa,CAC1E,QAAQ,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC;AAErF;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAwD,aAAa,CACzF,OAAO,CAAC,qEAAqE,EAAE,CAAC,CAAC,CAAC"}
|
|
@@ -6,32 +6,103 @@ import type { Message } from "@bufbuild/protobuf";
|
|
|
6
6
|
*/
|
|
7
7
|
export declare const file_ai_stigmer_commons_apiresource_apiresourcekind_authorization_config: GenFile;
|
|
8
8
|
/**
|
|
9
|
-
* Visibility configuration
|
|
10
|
-
*
|
|
9
|
+
* Visibility configuration: the set of visibility levels a resource kind
|
|
10
|
+
* may be set to. The declared levels drive both request validation (an
|
|
11
|
+
* unsupported level is rejected with INVALID_ARGUMENT before persist) and
|
|
12
|
+
* FGA tuple reconciliation (each level maps to exactly one tuple shape):
|
|
11
13
|
*
|
|
12
|
-
*
|
|
13
|
-
* -
|
|
14
|
-
* -
|
|
15
|
-
*
|
|
14
|
+
* - visibility_private: no visibility tuple (owner + explicit grants only)
|
|
15
|
+
* - visibility_org: resource#viewer@organization:<org>#member
|
|
16
|
+
* - visibility_public: resource#viewer@identity_account:* (conditional
|
|
17
|
+
* wildcard gated by allow_public)
|
|
18
|
+
* - visibility_platform: resource#platform_viewer@identity_provider:<idp>#platform_user
|
|
19
|
+
* (the "private catalog" primitive: grants access to
|
|
20
|
+
* all members of all platform_managed orgs linked to
|
|
21
|
+
* the owning org's IdentityProvider)
|
|
16
22
|
*
|
|
17
|
-
*
|
|
18
|
-
*
|
|
23
|
+
* Kinds WITHOUT a visibility config accept only visibility_private (or
|
|
24
|
+
* unspecified) — they are personal or org-structural resources whose access
|
|
25
|
+
* is fully defined by their FGA model, never by per-resource visibility
|
|
26
|
+
* tuples (session, environment, executions, etc.).
|
|
19
27
|
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
28
|
+
* Current classification:
|
|
29
|
+
* - Blueprint kinds (agent, skill, workflow, mcp_server):
|
|
30
|
+
* private, org, public, platform
|
|
31
|
+
* - Instance kinds (agent_instance, workflow_instance):
|
|
32
|
+
* private, org, public — platform is deliberately excluded to preserve
|
|
33
|
+
* tenant isolation: each managed org instantiates shared blueprints
|
|
34
|
+
* inside its own boundary. (System-managed DEFAULT instances opt out of
|
|
35
|
+
* visibility entirely: their access tracks the parent blueprint
|
|
36
|
+
* structurally via the default_of FGA relation.)
|
|
37
|
+
*
|
|
38
|
+
* Note: levels are declared as one bool per level instead of a repeated
|
|
39
|
+
* ApiResourceVisibility because that enum lives in the parent apiresource
|
|
40
|
+
* package, whose generated Go package already imports this one — a typed
|
|
41
|
+
* reference here would create a Go package import cycle.
|
|
23
42
|
*
|
|
24
43
|
* @generated from message ai.stigmer.commons.apiresource.apiresourcekind.VisibilityConfig
|
|
25
44
|
*/
|
|
26
45
|
export type VisibilityConfig = Message<"ai.stigmer.commons.apiresource.apiresourcekind.VisibilityConfig"> & {
|
|
27
46
|
/**
|
|
28
|
-
* Whether this
|
|
29
|
-
*
|
|
30
|
-
* - false: Resources are always org-restricted, PUBLIC visibility is rejected
|
|
47
|
+
* Whether resources of this kind can be set to visibility_public.
|
|
48
|
+
* FGA tuple: resource#viewer@identity_account:* (gated by allow_public)
|
|
31
49
|
*
|
|
32
50
|
* @generated from field: bool supports_public = 1;
|
|
33
51
|
*/
|
|
34
52
|
supportsPublic: boolean;
|
|
53
|
+
/**
|
|
54
|
+
* Whether resources of this kind can be set to visibility_platform.
|
|
55
|
+
* FGA tuple: resource#platform_viewer@identity_provider:<idp>#platform_user
|
|
56
|
+
*
|
|
57
|
+
* Reserved for blueprint kinds (agent, skill, workflow, mcp_server).
|
|
58
|
+
* Instance kinds are deliberately excluded to preserve tenant isolation.
|
|
59
|
+
*
|
|
60
|
+
* @generated from field: bool supports_platform = 2;
|
|
61
|
+
*/
|
|
62
|
+
supportsPlatform: boolean;
|
|
63
|
+
/**
|
|
64
|
+
* Whether resources of this kind can be set to visibility_org.
|
|
65
|
+
* FGA tuple: resource#viewer@organization:<org>#member
|
|
66
|
+
*
|
|
67
|
+
* Historically org support was inferred from supports_public, which made
|
|
68
|
+
* it impossible to declare "org but not public" and silently skipped org
|
|
69
|
+
* tuples for kinds with no visibility config (the workflow_instance gap).
|
|
70
|
+
*
|
|
71
|
+
* @generated from field: bool supports_org = 3;
|
|
72
|
+
*/
|
|
73
|
+
supportsOrg: boolean;
|
|
74
|
+
/**
|
|
75
|
+
* Whether resources of this kind default to visibility_org when created
|
|
76
|
+
* with unspecified visibility. When false (or when no visibility config
|
|
77
|
+
* is declared), unspecified visibility defaults to visibility_private.
|
|
78
|
+
*
|
|
79
|
+
* Set on blueprint kinds (agent, skill, workflow, mcp_server): blueprints
|
|
80
|
+
* are shared org assets, and before private visibility became real (the
|
|
81
|
+
* unconditional `viewer from organization` FGA grant was removed) every
|
|
82
|
+
* blueprint was effectively org-visible regardless of its enum value.
|
|
83
|
+
* Defaulting to org preserves that collaborative behavior — Private is an
|
|
84
|
+
* explicit opt-in, never a surprise.
|
|
85
|
+
*
|
|
86
|
+
* The flag carries a second, coupled semantic for the same kinds — the
|
|
87
|
+
* ORG FLOOR: when visibility is platform or public, the org viewer tuple
|
|
88
|
+
* is written IN ADDITION to the level's own tuple. Sharing a blueprint
|
|
89
|
+
* beyond the org must never make it less visible to the owning org's own
|
|
90
|
+
* members (org-scoped listings resolve through FGA ListObjects with the
|
|
91
|
+
* public wildcard suppressed, so the explicit org tuple is what keeps
|
|
92
|
+
* shared blueprints listable at home).
|
|
93
|
+
*
|
|
94
|
+
* Instance kinds deliberately leave this false: instances are personal
|
|
95
|
+
* resources (configuration, secrets) that must start private, and their
|
|
96
|
+
* visibility levels are exactly what the user chose — no floor.
|
|
97
|
+
*
|
|
98
|
+
* Note: a single ApiResourceVisibility-typed default field would be
|
|
99
|
+
* cleaner, but that enum lives in the parent apiresource package whose
|
|
100
|
+
* generated Go package imports this one (see the file-level note above) —
|
|
101
|
+
* hence the boolean, consistent with the supports_* flags.
|
|
102
|
+
*
|
|
103
|
+
* @generated from field: bool defaults_to_org_visibility = 4;
|
|
104
|
+
*/
|
|
105
|
+
defaultsToOrgVisibility: boolean;
|
|
35
106
|
};
|
|
36
107
|
/**
|
|
37
108
|
* Describes the message ai.stigmer.commons.apiresource.apiresourcekind.VisibilityConfig.
|
|
@@ -159,10 +230,9 @@ export type AuthorizationConfig = Message<"ai.stigmer.commons.apiresource.apires
|
|
|
159
230
|
*/
|
|
160
231
|
additionalParents: ParentRelationConfig[];
|
|
161
232
|
/**
|
|
162
|
-
* Visibility configuration
|
|
163
|
-
*
|
|
164
|
-
*
|
|
165
|
-
* to all authenticated users via FGA.
|
|
233
|
+
* Visibility configuration: which visibility levels this kind supports.
|
|
234
|
+
* Not configured means the kind accepts only visibility_private — no
|
|
235
|
+
* visibility tuples are ever written for it.
|
|
166
236
|
*
|
|
167
237
|
* @generated from field: ai.stigmer.commons.apiresource.apiresourcekind.VisibilityConfig visibility = 5;
|
|
168
238
|
*/
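Review bot: The comment on `defaultsToOrgVisibility` does not say what happens when the flag is true while `supportsOrg` is false, so both the default level and the org floor can point at a level the same config declares unsupported. Since the VisibilityConfig comment says the declared levels drive request validation, that combination should be named as invalid, for example `* Requires supports_org = true; a config that sets this flag without supports_org is invalid.` (adjust to the intended behaviour). The same field comment describes an org viewer tuple written in addition to the level's own tuple, while the message comment says each level maps to exactly one tuple shape; a cross-reference there would stop a reader assuming one visibility tuple per resource. The file is generated, so the wording belongs in authorization_config.proto.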
|
|
@@ -6,7 +6,7 @@ import { file_ai_stigmer_iam_v1_enum } from "../../../iam/v1/enum_pb.js";
|
|
|
6
6
|
/**
|
|
7
7
|
* Describes the file ai/stigmer/commons/apiresource/apiresourcekind/authorization_config.proto.
|
|
8
8
|
*/
|
|
9
|
-
export const file_ai_stigmer_commons_apiresource_apiresourcekind_authorization_config = /*@__PURE__*/ fileDesc("
|
|
9
|
+
export const file_ai_stigmer_commons_apiresource_apiresourcekind_authorization_config = /*@__PURE__*/ fileDesc("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", [file_ai_stigmer_iam_v1_enum]);
|
|
10
10
|
/**
|
|
11
11
|
* Describes the message ai.stigmer.commons.apiresource.apiresourcekind.VisibilityConfig.
|
|
12
12
|
* Use `create(VisibilityConfigSchema)` to create a new message.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"authorization_config_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/commons/apiresource/apiresourcekind/authorization_config_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,yKAAyK;AACzK,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAE/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AAGzE;;GAEG;AACH,MAAM,CAAC,MAAM,wEAAwE,GAAY,aAAa,CAC5G,QAAQ,CAAC,
|
|
1
|
+
{"version":3,"file":"authorization_config_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/commons/apiresource/apiresourcekind/authorization_config_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,yKAAyK;AACzK,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAE/E,OAAO,EAAE,2BAA2B,EAAE,MAAM,4BAA4B,CAAC;AAGzE;;GAEG;AACH,MAAM,CAAC,MAAM,wEAAwE,GAAY,aAAa,CAC5G,QAAQ,CAAC,s0DAAs0D,EAAE,CAAC,2BAA2B,CAAC,CAAC,CAAC;AAyGl3D;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAiC,aAAa,CAC/E,WAAW,CAAC,wEAAwE,EAAE,CAAC,CAAC,CAAC;AAsC3F;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,wEAAwE,EAAE,CAAC,CAAC,CAAC;AAgI3F;;;GAGG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAoC,aAAa,CACrF,WAAW,CAAC,wEAAwE,EAAE,CAAC,CAAC,CAAC;AAE3F;;;;;GAKG;AACH,MAAM,CAAN,IAAY,sBAiDX;AAjDD,WAAY,sBAAsB;IAChC;;OAEG;IACH,iFAAe,CAAA;IAEf;;;;;;OAMG;IACH,2EAAY,CAAA;IAEZ;;;;;;OAMG;IACH,mFAAgB,CAAA;IAEhB;;;;;;OAMG;IACH,uEAAU,CAAA;IAEV;;;;;;OAMG;IACH,+EAAc,CAAA;IAEd;;;;;OAKG;IACH,mEAAQ,CAAA;AACV,CAAC,EAjDW,sBAAsB,KAAtB,sBAAsB,QAiDjC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAoC,aAAa,CACxF,QAAQ,CAAC,wEAAwE,EAAE,CAAC,CAAC,CAAC;AAExF;;;;;GAKG;AACH,MAAM,CAAN,IAAY,oBAwCX;AAxCD,WAAY,oBAAoB;IAC9B;;OAEG;IACH,6EAAe,CAAA;IAEf;;;;;;OAMG;IACH,mEAAU,CAAA;IAEV;;;;;;OAMG;IACH,yEAAa,CAAA;IAEb;;;;;;OAMG;IACH,+DAAQ,CAAA;IAER;;;;;OAKG;IACH,+DAAQ,CAAA;AACV,CAAC,EAxCW,oBAAoB,KAApB,oBAAoB,QAwC/B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAkC,aAAa,CACpF,QAAQ,CAAC,wEAAwE,EAAE,CAAC,CAAC,CAAC"}
|
|
@@ -117,10 +117,13 @@ export declare const ApiResourceStateOperationTypeSchema: GenEnum<ApiResourceSta
|
|
|
117
117
|
* All resources belong to an organization. Visibility determines whether
|
|
118
118
|
* users outside that organization can access the resource.
|
|
119
119
|
*
|
|
120
|
-
* The
|
|
120
|
+
* The visibility levels map to FGA tuples:
|
|
121
121
|
* - PRIVATE: no additional viewer tuples (owner-only access)
|
|
122
122
|
* - ORG: resource#viewer@organization:<org>#member tuple (all org members)
|
|
123
123
|
* - PUBLIC: resource#viewer@identity_account:* with allow_public (all users)
|
|
124
|
+
* - PLATFORM: resource#platform_viewer@identity_provider:<idp>#platform_user
|
|
125
|
+
* (all members of all organizations managed by the owning org's
|
|
126
|
+
* IdentityProvider)
|
|
124
127
|
*
|
|
125
128
|
* @generated from enum ai.stigmer.commons.apiresource.ApiResourceVisibility
|
|
126
129
|
*/
|
|
@@ -161,7 +164,32 @@ export declare enum ApiResourceVisibility {
|
|
|
161
164
|
*
|
|
162
165
|
* @generated from enum value: visibility_org = 3;
|
|
163
166
|
*/
|
|
164
|
-
visibility_org = 3
|
|
167
|
+
visibility_org = 3,
|
|
168
|
+
/**
|
|
169
|
+
* All members of all organizations managed by the owning org's
|
|
170
|
+
* IdentityProvider can access (read and execute) this resource.
|
|
171
|
+
*
|
|
172
|
+
* "Platform" here means an external platform that operates Stigmer orgs
|
|
173
|
+
* on behalf of its own customers (see ManagementMode.platform_managed) —
|
|
174
|
+
* NOT the Stigmer platform singleton used by
|
|
175
|
+
* AUTHORIZATION_SCOPE_TYPE_PLATFORM.
|
|
176
|
+
*
|
|
177
|
+
* This is the "private catalog" primitive for multi-tenant consumers:
|
|
178
|
+
* a platform (e.g. Planton) authors blueprints (agents, skills, MCP
|
|
179
|
+
* servers, workflows) in its own org and shares them with every child
|
|
180
|
+
* org it manages, without exposing them publicly. Child orgs created
|
|
181
|
+
* later gain access automatically. Instances, sessions, executions and
|
|
182
|
+
* environments are never platform-visible — each child org instantiates
|
|
183
|
+
* the shared blueprint inside its own tenant boundary.
|
|
184
|
+
*
|
|
185
|
+
* Only valid for blueprint kinds with supports_platform: true, and only
|
|
186
|
+
* when the owning org owns at least one IdentityProvider.
|
|
187
|
+
*
|
|
188
|
+
* FGA tuple: resource#platform_viewer@identity_provider:<idp>#platform_user
|
|
189
|
+
*
|
|
190
|
+
* @generated from enum value: visibility_platform = 4;
|
|
191
|
+
*/
|
|
192
|
+
visibility_platform = 4
|
|
165
193
|
}
|
|
166
194
|
/**
|
|
167
195
|
* Describes the enum ai.stigmer.commons.apiresource.ApiResourceVisibility.
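Review bot: The `visibility_platform` comment requires that the owning org "owns at least one IdentityProvider", yet the tuple it gives names a single `<idp>`, so the reach of the grant is undefined when an org owns more than one. This level gives read and execute access to every member of every managed org, including child orgs created later, so the comment should state whether one tuple is written per owned IdentityProvider or how a single one is chosen. A line such as `* When the owning org owns several IdentityProviders, one platform_viewer tuple is written per provider.` would do, adjusted to the actual behaviour. The same comment is repeated in the enum_pb.js section, and both files are generated from enum.proto, so the change belongs there.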
|
|
@@ -5,7 +5,7 @@ import { enumDesc, fileDesc } from "@bufbuild/protobuf/codegenv1";
|
|
|
5
5
|
/**
|
|
6
6
|
* Describes the file ai/stigmer/commons/apiresource/enum.proto.
|
|
7
7
|
*/
|
|
8
|
-
export const file_ai_stigmer_commons_apiresource_enum = /*@__PURE__*/ fileDesc("
|
|
8
|
+
export const file_ai_stigmer_commons_apiresource_enum = /*@__PURE__*/ fileDesc("CilhaS9zdGlnbWVyL2NvbW1vbnMvYXBpcmVzb3VyY2UvZW51bS5wcm90bxIeYWkuc3RpZ21lci5jb21tb25zLmFwaXJlc291cmNlKnYKFEFwaVJlc291cmNlRXZlbnRUeXBlEg8KC3Vuc3BlY2lmaWVkEAASCwoHY3JlYXRlZBABEgsKB3VwZGF0ZWQQAhILCgdkZWxldGVkEAMSCwoHcmVuYW1lZBAEEhkKFXN0YWNrX291dHB1dHNfdXBkYXRlZBAFKowBCh1BcGlSZXNvdXJjZVN0YXRlT3BlcmF0aW9uVHlwZRIxCi1hcGlfcmVzb3VyY2Vfc3RhdGVfb3BlcmF0aW9uX3R5cGVfdW5zcGVjaWZpZWQQABIKCgZjcmVhdGUQARIKCgZ1cGRhdGUQAhIKCgZkZWxldGUQAxIICgRyZWFkEAQSCgoGc3RyZWFtEAUqnAEKFUFwaVJlc291cmNlVmlzaWJpbGl0eRInCiNhcGlfcmVzb3VyY2VfdmlzaWJpbGl0eV91bnNwZWNpZmllZBAAEhYKEnZpc2liaWxpdHlfcHJpdmF0ZRABEhUKEXZpc2liaWxpdHlfcHVibGljEAISEgoOdmlzaWJpbGl0eV9vcmcQAxIXChN2aXNpYmlsaXR5X3BsYXRmb3JtEARiBnByb3RvMw");
|
|
9
9
|
/**
|
|
10
10
|
* Event types produced by command controller RPCs across all API resources.
|
|
11
11
|
*
|
|
@@ -122,10 +122,13 @@ export const ApiResourceStateOperationTypeSchema = /*@__PURE__*/ enumDesc(file_a
|
|
|
122
122
|
* All resources belong to an organization. Visibility determines whether
|
|
123
123
|
* users outside that organization can access the resource.
|
|
124
124
|
*
|
|
125
|
-
* The
|
|
125
|
+
* The visibility levels map to FGA tuples:
|
|
126
126
|
* - PRIVATE: no additional viewer tuples (owner-only access)
|
|
127
127
|
* - ORG: resource#viewer@organization:<org>#member tuple (all org members)
|
|
128
128
|
* - PUBLIC: resource#viewer@identity_account:* with allow_public (all users)
|
|
129
|
+
* - PLATFORM: resource#platform_viewer@identity_provider:<idp>#platform_user
|
|
130
|
+
* (all members of all organizations managed by the owning org's
|
|
131
|
+
* IdentityProvider)
|
|
129
132
|
*
|
|
130
133
|
* @generated from enum ai.stigmer.commons.apiresource.ApiResourceVisibility
|
|
131
134
|
*/
|
|
@@ -168,6 +171,31 @@ export var ApiResourceVisibility;
|
|
|
168
171
|
* @generated from enum value: visibility_org = 3;
|
|
169
172
|
*/
|
|
170
173
|
ApiResourceVisibility[ApiResourceVisibility["visibility_org"] = 3] = "visibility_org";
|
|
174
|
+
/**
|
|
175
|
+
* All members of all organizations managed by the owning org's
|
|
176
|
+
* IdentityProvider can access (read and execute) this resource.
|
|
177
|
+
*
|
|
178
|
+
* "Platform" here means an external platform that operates Stigmer orgs
|
|
179
|
+
* on behalf of its own customers (see ManagementMode.platform_managed) —
|
|
180
|
+
* NOT the Stigmer platform singleton used by
|
|
181
|
+
* AUTHORIZATION_SCOPE_TYPE_PLATFORM.
|
|
182
|
+
*
|
|
183
|
+
* This is the "private catalog" primitive for multi-tenant consumers:
|
|
184
|
+
* a platform (e.g. Planton) authors blueprints (agents, skills, MCP
|
|
185
|
+
* servers, workflows) in its own org and shares them with every child
|
|
186
|
+
* org it manages, without exposing them publicly. Child orgs created
|
|
187
|
+
* later gain access automatically. Instances, sessions, executions and
|
|
188
|
+
* environments are never platform-visible — each child org instantiates
|
|
189
|
+
* the shared blueprint inside its own tenant boundary.
|
|
190
|
+
*
|
|
191
|
+
* Only valid for blueprint kinds with supports_platform: true, and only
|
|
192
|
+
* when the owning org owns at least one IdentityProvider.
|
|
193
|
+
*
|
|
194
|
+
* FGA tuple: resource#platform_viewer@identity_provider:<idp>#platform_user
|
|
195
|
+
*
|
|
196
|
+
* @generated from enum value: visibility_platform = 4;
|
|
197
|
+
*/
|
|
198
|
+
ApiResourceVisibility[ApiResourceVisibility["visibility_platform"] = 4] = "visibility_platform";
|
|
171
199
|
})(ApiResourceVisibility || (ApiResourceVisibility = {}));
|
|
172
200
|
/**
|
|
173
201
|
* Describes the enum ai.stigmer.commons.apiresource.ApiResourceVisibility.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enum_pb.js","sourceRoot":"","sources":["../../../../../ai/stigmer/commons/apiresource/enum_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,yHAAyH;AACzH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,wCAAwC,GAAY,aAAa,CAC5E,QAAQ,CAAC,
|
|
1
|
+
{"version":3,"file":"enum_pb.js","sourceRoot":"","sources":["../../../../../ai/stigmer/commons/apiresource/enum_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,yHAAyH;AACzH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAElE;;GAEG;AACH,MAAM,CAAC,MAAM,wCAAwC,GAAY,aAAa,CAC5E,QAAQ,CAAC,oqBAAoqB,CAAC,CAAC;AAEjrB;;;;;;;;GAQG;AACH,MAAM,CAAN,IAAY,oBA0CX;AA1CD,WAAY,oBAAoB;IAC9B;;;;OAIG;IACH,6EAAe,CAAA;IAEf;;;;OAIG;IACH,qEAAW,CAAA;IAEX;;;;OAIG;IACH,qEAAW,CAAA;IAEX;;;;OAIG;IACH,qEAAW,CAAA;IAEX;;;;OAIG;IACH,qEAAW,CAAA;IAEX;;;;OAIG;IACH,iGAAyB,CAAA;AAC3B,CAAC,EA1CW,oBAAoB,KAApB,oBAAoB,QA0C/B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAkC,aAAa,CACpF,QAAQ,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,CAAN,IAAY,6BA0CX;AA1CD,WAAY,6BAA6B;IACvC;;;;OAIG;IACH,mKAAiD,CAAA;IAEjD;;;;OAIG;IACH,qFAAU,CAAA;IAEV;;;;OAIG;IACH,qFAAU,CAAA;IAEV;;;;OAIG;IACH,qFAAU,CAAA;IAEV;;;;OAIG;IACH,iFAAQ,CAAA;IAER;;;;OAIG;IACH,qFAAU,CAAA;AACZ,CAAC,EA1CW,6BAA6B,KAA7B,6BAA6B,QA0CxC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAA2C,aAAa,CACtG,QAAQ,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC;AAExD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAN,IAAY,qBAmEX;AAnED,WAAY,qBAAqB;IAC/B;;;;;OAKG;IACH,+HAAuC,CAAA;IAEvC;;;;;;OAMG;IACH,6FAAsB,CAAA;IAEtB;;;;;;;OAOG;IACH,2FAAqB,CAAA;IAErB;;;;;;;;;;;OAWG;IACH,qFAAkB,CAAA;IAElB;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,+FAAuB,CAAA;AACzB,CAAC,EAnEW,qBAAqB,KAArB,qBAAqB,QAmEhC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAmC,aAAa,CACtF,QAAQ,CAAC,wCAAwC,EAAE,CAAC,CAAC,CAAC"}
|
|
@@ -127,17 +127,24 @@ export declare const FindApiResourcesRequestSchema: GenMessage<FindApiResourcesR
|
|
|
127
127
|
* Each controller's updateVisibility RPC accepts this shared input
|
|
128
128
|
* and returns the full updated resource.
|
|
129
129
|
*
|
|
130
|
-
* Visibility transitions trigger FGA tuple management in Cloud mode
|
|
131
|
-
*
|
|
132
|
-
*
|
|
133
|
-
* - PRIVATE
|
|
134
|
-
* - ORG
|
|
135
|
-
* -
|
|
136
|
-
* -
|
|
130
|
+
* Visibility transitions trigger FGA tuple management in Cloud mode. Each
|
|
131
|
+
* level maps to exactly one tuple shape; on a transition the tuple for the
|
|
132
|
+
* old level is removed and the tuple for the new level is created:
|
|
133
|
+
* - PRIVATE: no visibility tuple (owner + explicit grants only)
|
|
134
|
+
* - ORG: resource#viewer@organization:<org>#member
|
|
135
|
+
* - PUBLIC: resource#viewer@identity_account:* (gated by allow_public)
|
|
136
|
+
* - PLATFORM: resource#platform_viewer@identity_provider:<idp>#platform_user
|
|
137
137
|
*
|
|
138
|
-
* Not all resources support all visibility levels
|
|
139
|
-
*
|
|
140
|
-
* -
|
|
138
|
+
* Not all resources support all visibility levels — the supported set is
|
|
139
|
+
* declared per kind via VisibilityConfig in kind_meta:
|
|
140
|
+
* - Blueprints (agent, workflow, skill, mcp_server):
|
|
141
|
+
* PRIVATE, ORG, PUBLIC, or PLATFORM
|
|
142
|
+
* - Instances (agent_instance, workflow_instance):
|
|
143
|
+
* PRIVATE, ORG, or PUBLIC (never PLATFORM — tenant isolation)
|
|
144
|
+
*
|
|
145
|
+
* System-managed DEFAULT instances reject visibility updates entirely:
|
|
146
|
+
* their access structurally tracks the parent blueprint via the
|
|
147
|
+
* default_of FGA relation.
|
|
141
148
|
*
|
|
142
149
|
* @generated from message ai.stigmer.commons.apiresource.UpdateVisibilityInput
|
|
143
150
|
*/
|
|
@@ -150,9 +157,8 @@ export type UpdateVisibilityInput = Message<"ai.stigmer.commons.apiresource.Upda
|
|
|
150
157
|
resourceId: string;
|
|
151
158
|
/**
|
|
152
159
|
* The new visibility setting for the resource.
|
|
153
|
-
* Must not be unspecified (0). Valid values depend on resource kind
|
|
154
|
-
*
|
|
155
|
-
* - Instances: visibility_private (1), visibility_public (2), or visibility_org (3)
|
|
160
|
+
* Must not be unspecified (0). Valid values depend on resource kind —
|
|
161
|
+
* see the VisibilityConfig in the kind's kind_meta.
|
|
156
162
|
*
|
|
157
163
|
* @generated from field: ai.stigmer.commons.apiresource.ApiResourceVisibility visibility = 2;
|
|
158
164
|
*/
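Review bot: The UpdateVisibilityInput comment says that on a transition "the tuple for the old level is removed and the tuple for the new level is created", which leaves out the org-floor tuple described on `defaultsToOrgVisibility` in authorization_config_pb.d.ts. Read literally, a blueprint moved from PUBLIC or PLATFORM to PRIVATE would keep its `resource#viewer@organization:<org>#member` tuple, so org members would retain access to a resource its owner made private. Whether the reconciler actually behaves this way is not visible on this page. The comment should state the rule explicitly, for example `* On a transition every visibility tuple written for the old level, including the org-floor tuple, is removed.`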
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../ai/stigmer/commons/apiresource/io_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,uHAAuH;AACvH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,qEAAqE,EAAE,MAAM,2CAA2C,CAAC;AAElI,OAAO,EAAE,wCAAwC,EAAE,MAAM,cAAc,CAAC;AAExE,OAAO,EAAE,sCAAsC,EAAE,MAAM,yBAAyB,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,qoCAAqoC,EAAE,CAAC,qEAAqE,EAAE,wCAAwC,EAAE,sCAAsC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAcz0C;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAA8B,aAAa,CACzE,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AA+BzD;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAuC,aAAa,CAC3F,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAuBzD;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAA8C,aAAa,CACzG,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AA4CzD;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../ai/stigmer/commons/apiresource/io_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,uHAAuH;AACvH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,qEAAqE,EAAE,MAAM,2CAA2C,CAAC;AAElI,OAAO,EAAE,wCAAwC,EAAE,MAAM,cAAc,CAAC;AAExE,OAAO,EAAE,sCAAsC,EAAE,MAAM,yBAAyB,CAAC;AACjF,OAAO,EAAE,0BAA0B,EAAE,MAAM,yCAAyC,CAAC;AAGrF;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,qoCAAqoC,EAAE,CAAC,qEAAqE,EAAE,wCAAwC,EAAE,sCAAsC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAcz0C;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAA8B,aAAa,CACzE,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AA+BzD;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAuC,aAAa,CAC3F,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAuBzD;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAA8C,aAAa,CACzG,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AA4CzD;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAgDzD;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAsC,aAAa,CACzF,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC;AAkEzD;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC"}
|
|
@@ -419,6 +419,49 @@ export type CheckAuthorizationResult = Message<"ai.stigmer.iam.iampolicy.v1.Chec
|
|
|
419
419
|
* Use `create(CheckAuthorizationResultSchema)` to create a new message.
|
|
420
420
|
*/
|
|
421
421
|
export declare const CheckAuthorizationResultSchema: GenMessage<CheckAuthorizationResult>;
|
|
422
|
+
/**
|
|
423
|
+
* CheckMyPermissionInput defines input for checking whether the AUTHENTICATED
|
|
424
|
+
* CALLER has a permission on a resource.
|
|
425
|
+
*
|
|
426
|
+
* Unlike CheckAuthorizationInput, there is deliberately NO principal field:
|
|
427
|
+
* the principal is always derived server-side from the authenticated token —
|
|
428
|
+
* the only trustworthy source of caller identity. Clients cannot probe another
|
|
429
|
+
* user's permissions because the API gives them no way to name a principal.
|
|
430
|
+
*
|
|
431
|
+
* This mirrors the industry-standard self-check pattern (e.g. Kubernetes
|
|
432
|
+
* SelfSubjectAccessReview): self checks and cross-principal checks are
|
|
433
|
+
* separate API surfaces with separate trust models.
|
|
434
|
+
*
|
|
435
|
+
* @generated from message ai.stigmer.iam.iampolicy.v1.CheckMyPermissionInput
|
|
436
|
+
*/
|
|
437
|
+
export type CheckMyPermissionInput = Message<"ai.stigmer.iam.iampolicy.v1.CheckMyPermissionInput"> & {
|
|
438
|
+
/**
|
|
439
|
+
* The resource being accessed (WHAT)
|
|
440
|
+
*
|
|
441
|
+
* @generated from field: ai.stigmer.iam.iampolicy.v1.ApiResourceRef resource = 1;
|
|
442
|
+
*/
|
|
443
|
+
resource?: ApiResourceRef;
|
|
444
|
+
/**
|
|
445
|
+
* The permission to check (e.g., "can_edit", "can_grant_access").
|
|
446
|
+
*
|
|
447
|
+
* @internal
|
|
448
|
+
* This is the FGA relation checked against the resource object.
|
|
449
|
+
*
|
|
450
|
+
* @generated from field: string relation = 2;
|
|
451
|
+
*/
|
|
452
|
+
relation: string;
|
|
453
|
+
/**
|
|
454
|
+
* Optional contextual policies for "what-if" scenarios
|
|
455
|
+
*
|
|
456
|
+
* @generated from field: repeated ai.stigmer.iam.iampolicy.v1.IamPolicySpec contextual_policies = 3;
|
|
457
|
+
*/
|
|
458
|
+
contextualPolicies: IamPolicySpec[];
|
|
459
|
+
};
|
|
460
|
+
/**
|
|
461
|
+
* Describes the message ai.stigmer.iam.iampolicy.v1.CheckMyPermissionInput.
|
|
462
|
+
* Use `create(CheckMyPermissionInputSchema)` to create a new message.
|
|
463
|
+
*/
|
|
464
|
+
export declare const CheckMyPermissionInputSchema: GenMessage<CheckMyPermissionInput>;
|
|
422
465
|
/**
|
|
423
466
|
* ListAuthorizedResourceIdsInput defines input for listing resources a principal can access.
|
|
424
467
|
*
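Review bot: `contextualPolicies` accepts caller-supplied policies on a message whose comment rests on the API giving clients "no way to name a principal". IamPolicySpec is defined outside this hunk; if it can carry a principal, that guarantee holds only when the server rejects or ignores contextual policies naming anyone but the authenticated caller. The field comment should say so, and that a what-if result is not an authorization decision, for example `* Evaluated for the authenticated caller only; the result is hypothetical and must not be used to grant access.` Separately, the `@internal` tag in the middle of the `relation` comment is copied into the published declaration, where documentation and API-report tools treat it as a release tag and may hide a required field. Rewording it in io.proto (e.g. `Internal note:`) avoids that.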
|
|
@@ -8,7 +8,7 @@ import { file_buf_validate_validate } from "../../../../../buf/validate/validate
|
|
|
8
8
|
/**
|
|
9
9
|
* Describes the file ai/stigmer/iam/iampolicy/v1/io.proto.
|
|
10
10
|
*/
|
|
11
|
-
export const file_ai_stigmer_iam_iampolicy_v1_io = /*@__PURE__*/ fileDesc("CiRhaS9zdGlnbWVyL2lhbS9pYW1wb2xpY3kvdjEvaW8ucHJvdG8SG2FpLnN0aWdtZXIuaWFtLmlhbXBvbGljeS52MSL9AQoSQXBpUmVzb3VyY2VSZWZWaWV3EgwKBGtpbmQYASABKAkSCgoCaWQYAiABKAkSEAoIcmVsYXRpb24YAyABKAkSDAoEbmFtZRgEIAEoCRINCgVlbWFpbBgFIAEoCRIMCgRzbHVnGAYgASgJEg4KBmF2YXRhchgHIAEoCRJACgdtZW1iZXJzGAggAygLMi8uYWkuc3RpZ21lci5pYW0uaWFtcG9saWN5LnYxLkFwaVJlc291cmNlUmVmVmlldxI+
|
|
11
|
+
export const file_ai_stigmer_iam_iampolicy_v1_io = /*@__PURE__*/ fileDesc("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", [file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_spec, file_buf_validate_validate]);
|
|
12
12
|
/**
|
|
13
13
|
* Describes the message ai.stigmer.iam.iampolicy.v1.ApiResourceRefView.
|
|
14
14
|
* Use `create(ApiResourceRefViewSchema)` to create a new message.
|
|
@@ -89,34 +89,39 @@ export const CheckAuthorizationInputSchema = /*@__PURE__*/ messageDesc(file_ai_s
|
|
|
89
89
|
* Use `create(CheckAuthorizationResultSchema)` to create a new message.
|
|
90
90
|
*/
|
|
91
91
|
export const CheckAuthorizationResultSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io, 15);
|
|
92
|
+
/**
|
|
93
|
+
* Describes the message ai.stigmer.iam.iampolicy.v1.CheckMyPermissionInput.
|
|
94
|
+
* Use `create(CheckMyPermissionInputSchema)` to create a new message.
|
|
95
|
+
*/
|
|
96
|
+
export const CheckMyPermissionInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io, 16);
|
|
92
97
|
/**
|
|
93
98
|
* Describes the message ai.stigmer.iam.iampolicy.v1.ListAuthorizedResourceIdsInput.
|
|
94
99
|
* Use `create(ListAuthorizedResourceIdsInputSchema)` to create a new message.
|
|
95
100
|
*/
|
|
96
|
-
export const ListAuthorizedResourceIdsInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io,
|
|
101
|
+
export const ListAuthorizedResourceIdsInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io, 17);
|
|
97
102
|
/**
|
|
98
103
|
* Describes the message ai.stigmer.iam.iampolicy.v1.AuthorizedResourceIdsList.
|
|
99
104
|
* Use `create(AuthorizedResourceIdsListSchema)` to create a new message.
|
|
100
105
|
*/
|
|
101
|
-
export const AuthorizedResourceIdsListSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io,
|
|
106
|
+
export const AuthorizedResourceIdsListSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io, 18);
|
|
102
107
|
/**
|
|
103
108
|
* Describes the message ai.stigmer.iam.iampolicy.v1.ListAuthorizedPrincipalIdsInput.
|
|
104
109
|
* Use `create(ListAuthorizedPrincipalIdsInputSchema)` to create a new message.
|
|
105
110
|
*/
|
|
106
|
-
export const ListAuthorizedPrincipalIdsInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io,
|
|
111
|
+
export const ListAuthorizedPrincipalIdsInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io, 19);
|
|
107
112
|
/**
|
|
108
113
|
* Describes the message ai.stigmer.iam.iampolicy.v1.AuthorizedPrincipalIdsList.
|
|
109
114
|
* Use `create(AuthorizedPrincipalIdsListSchema)` to create a new message.
|
|
110
115
|
*/
|
|
111
|
-
export const AuthorizedPrincipalIdsListSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io,
|
|
116
|
+
export const AuthorizedPrincipalIdsListSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io, 20);
|
|
112
117
|
/**
|
|
113
118
|
* Describes the message ai.stigmer.iam.iampolicy.v1.GetPrincipalsCountInput.
|
|
114
119
|
* Use `create(GetPrincipalsCountInputSchema)` to create a new message.
|
|
115
120
|
*/
|
|
116
|
-
export const GetPrincipalsCountInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io,
|
|
121
|
+
export const GetPrincipalsCountInputSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io, 21);
|
|
117
122
|
/**
|
|
118
123
|
* Describes the message ai.stigmer.iam.iampolicy.v1.PrincipalsCount.
|
|
119
124
|
* Use `create(PrincipalsCountSchema)` to create a new message.
|
|
120
125
|
*/
|
|
121
|
-
export const PrincipalsCountSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io,
|
|
126
|
+
export const PrincipalsCountSchema = /*@__PURE__*/ messageDesc(file_ai_stigmer_iam_iampolicy_v1_io, 22);
|
|
122
127
|
//# sourceMappingURL=io_pb.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/io_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,iHAAiH;AACjH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,oCAAoC,EAAE,MAAM,aAAa,CAAC;AAEnE,OAAO,EAAE,qCAAqC,EAAE,MAAM,cAAc,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,4CAA4C,CAAC;AAGxF;;GAEG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAAY,aAAa,CACvE,QAAQ,CAAC,
|
|
1
|
+
{"version":3,"file":"io_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/io_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,iHAAiH;AACjH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAErE,OAAO,EAAE,oCAAoC,EAAE,MAAM,aAAa,CAAC;AAEnE,OAAO,EAAE,qCAAqC,EAAE,MAAM,cAAc,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,4CAA4C,CAAC;AAGxF;;GAEG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAAY,aAAa,CACvE,QAAQ,CAAC,s0HAAs0H,EAAE,CAAC,oCAAoC,EAAE,qCAAqC,EAAE,0BAA0B,CAAC,CAAC,CAAC;AA2E97H;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAmC,aAAa,CACnF,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAgBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAA4B,aAAa,CACrE,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAuBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAuC,aAAa,CAC3F,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAuBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAuBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAqC,aAAa,CACvF,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAgBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAgC,aAAa,CAC7E,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAuBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAiBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAA8C,aAAa,CACzG,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAuBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAgC,aAAa,CAC7E,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AA8BtD;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAA0B,aAAa,CACjE,WAAW,CAAC,mCAAmC,EAAE,CAAC,CAAC,CAAC;AAiBtD;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAyC,aAAa,CAC/F,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAuBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAA2B,aAAa,CACnE,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAqCvD;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAyB,aAAa,CAC/D,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAgBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAuC,aAAa,CAC3F,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAuBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAgBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAyC,aAAa,CAC/F,WAAW,CAAC,mCAAmC,EAAE,EAAE,CA
AC,CAAC;AA2CvD;;;GAGG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAuC,aAAa,CAC3F,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAqCvD;;;GAGG;AACH,MAAM,CAAC,MAAM,oCAAoC,GAA+C,aAAa,CAC3G,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAgBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAA0C,aAAa,CACjG,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAqCvD;;;GAGG;AACH,MAAM,CAAC,MAAM,qCAAqC,GAAgD,aAAa,CAC7G,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAgBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAA2C,aAAa,CACnG,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAuBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAwC,aAAa,CAC7F,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;AAgBvD;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAgC,aAAa,CAC7E,WAAW,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC"}
|
|
@@ -22,6 +22,37 @@ export declare const IamPolicyQueryController: {
|
|
|
22
22
|
readonly O: any;
|
|
23
23
|
readonly kind: any;
|
|
24
24
|
};
|
|
25
|
+
/**
|
|
26
|
+
* Check whether the AUTHENTICATED CALLER has a permission on a resource.
|
|
27
|
+
*
|
|
28
|
+
* This is the self-check RPC for clients (web console, desktop, SDKs):
|
|
29
|
+
* "Do I have permission Y on resource Z?"
|
|
30
|
+
*
|
|
31
|
+
* The principal is always derived server-side from the authenticated token.
|
|
32
|
+
* The input has no principal field by design — clients cannot name a
|
|
33
|
+
* principal, so cross-principal permission probing is structurally
|
|
34
|
+
* impossible (the Kubernetes SelfSubjectAccessReview pattern).
|
|
35
|
+
*
|
|
36
|
+
* Use Cases:
|
|
37
|
+
* - Pre-flight UI checks before showing buttons/actions
|
|
38
|
+
* - Permission-gated rendering (PermissionGate components)
|
|
39
|
+
*
|
|
40
|
+
* Input: CheckMyPermissionInput with resource, relation, and optional contextual policies
|
|
41
|
+
* Output: CheckAuthorizationResult with is_authorized boolean
|
|
42
|
+
*
|
|
43
|
+
* @internal
|
|
44
|
+
* Skips standard authorization because authorizing this RPC via IAM would
|
|
45
|
+
* recurse into IAM. Authentication is still required; the handler anchors
|
|
46
|
+
* the FGA check to the caller's identity account.
|
|
47
|
+
*
|
|
48
|
+
* @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.checkMyPermission
|
|
49
|
+
*/
|
|
50
|
+
readonly checkMyPermission: {
|
|
51
|
+
readonly name: "checkMyPermission";
|
|
52
|
+
readonly I: any;
|
|
53
|
+
readonly O: any;
|
|
54
|
+
readonly kind: any;
|
|
55
|
+
};
|
|
25
56
|
/**
|
|
26
57
|
* Check if a principal is authorized to perform a relation on a resource
|
|
27
58
|
*
|
|
@@ -31,8 +62,11 @@ export declare const IamPolicyQueryController: {
|
|
|
31
62
|
* It provides a simple boolean answer based on the complete authorization state,
|
|
32
63
|
* including existing IAM policies, inherited permissions, and group memberships.
|
|
33
64
|
*
|
|
65
|
+
* This RPC is an INTERNAL-FACING contract for the platform's own
|
|
66
|
+
* authorization pipeline (service-to-service and in-process checks).
|
|
67
|
+
* Client-facing self checks must use checkMyPermission instead.
|
|
68
|
+
*
|
|
34
69
|
* Use Cases:
|
|
35
|
-
* - Pre-flight UI checks before showing buttons/actions
|
|
36
70
|
* - API request authorization before processing operations
|
|
37
71
|
* - Service-to-service authorization
|
|
38
72
|
* - Team-based access checks
|
|
@@ -40,6 +74,11 @@ export declare const IamPolicyQueryController: {
|
|
|
40
74
|
* Input: CheckAuthorizationInput with policy spec and optional contextual policies
|
|
41
75
|
* Output: CheckAuthorizationResult with is_authorized boolean
|
|
42
76
|
*
|
|
77
|
+
* @internal
|
|
78
|
+
* Skips standard authorization to avoid IAM-authorizing-IAM recursion.
|
|
79
|
+
* The handler enforces principal trust instead: the caller must either BE
|
|
80
|
+
* the principal being checked, or be a machine (system) account.
|
|
81
|
+
*
|
|
43
82
|
* @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.checkAuthorization
|
|
44
83
|
*/
|
|
45
84
|
readonly checkAuthorization: {
|
|
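Review bot: The checkMyPermission comment (new lines 31–34) calls cross-principal probing structurally impossible because the input has no principal field, yet new line 40 lists client-supplied contextual policies as input and nothing here says how they are constrained. If an IamPolicySpec can name a principal or grant the relation being checked (its fields are not visible on this page, so confirm against the spec message), the answer is hypothetical rather than a statement about stored policy. I would add `* A result computed with contextual_policies is a what-if answer and must never be used as an enforcement decision.` and state whether the handler rejects contextual policies whose principal is not the caller. The file is generated, so the wording belongs in query.proto; the same comment recurs in the query_connect.js and query_pb.d.ts sections.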
@@ -2,7 +2,7 @@
|
|
|
2
2
|
// @generated from file ai/stigmer/iam/iampolicy/v1/query.proto (package ai.stigmer.iam.iampolicy.v1, syntax proto3)
|
|
3
3
|
/* eslint-disable */
|
|
4
4
|
// @ts-nocheck
|
|
5
|
-
import { AuthorizedPrincipalIdsList, AuthorizedResourceIdsList, CheckAuthorizationInput, CheckAuthorizationResult, GetPrincipalsCountInput, IamPolicyId, ListAuthorizedPrincipalIdsInput, ListAuthorizedResourceIdsInput, ListResourceAccessInput, PrincipalResourceInput, PrincipalResourceRoles, PrincipalsCount, ResourceAccessByPrincipalList } from "./io_pbjs";
|
|
5
|
+
import { AuthorizedPrincipalIdsList, AuthorizedResourceIdsList, CheckAuthorizationInput, CheckAuthorizationResult, CheckMyPermissionInput, GetPrincipalsCountInput, IamPolicyId, ListAuthorizedPrincipalIdsInput, ListAuthorizedResourceIdsInput, ListResourceAccessInput, PrincipalResourceInput, PrincipalResourceRoles, PrincipalsCount, ResourceAccessByPrincipalList } from "./io_pbjs";
|
|
6
6
|
import { IamPolicy } from "./api_pbjs";
|
|
7
7
|
import { MethodKind } from "@bufbuild/protobuf";
|
|
8
8
|
/**
|
|
@@ -29,6 +29,37 @@ export const IamPolicyQueryController = {
|
|
|
29
29
|
O: IamPolicy,
|
|
30
30
|
kind: MethodKind.Unary,
|
|
31
31
|
},
|
|
32
|
+
/**
|
|
33
|
+
* Check whether the AUTHENTICATED CALLER has a permission on a resource.
|
|
34
|
+
*
|
|
35
|
+
* This is the self-check RPC for clients (web console, desktop, SDKs):
|
|
36
|
+
* "Do I have permission Y on resource Z?"
|
|
37
|
+
*
|
|
38
|
+
* The principal is always derived server-side from the authenticated token.
|
|
39
|
+
* The input has no principal field by design — clients cannot name a
|
|
40
|
+
* principal, so cross-principal permission probing is structurally
|
|
41
|
+
* impossible (the Kubernetes SelfSubjectAccessReview pattern).
|
|
42
|
+
*
|
|
43
|
+
* Use Cases:
|
|
44
|
+
* - Pre-flight UI checks before showing buttons/actions
|
|
45
|
+
* - Permission-gated rendering (PermissionGate components)
|
|
46
|
+
*
|
|
47
|
+
* Input: CheckMyPermissionInput with resource, relation, and optional contextual policies
|
|
48
|
+
* Output: CheckAuthorizationResult with is_authorized boolean
|
|
49
|
+
*
|
|
50
|
+
* @internal
|
|
51
|
+
* Skips standard authorization because authorizing this RPC via IAM would
|
|
52
|
+
* recurse into IAM. Authentication is still required; the handler anchors
|
|
53
|
+
* the FGA check to the caller's identity account.
|
|
54
|
+
*
|
|
55
|
+
* @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.checkMyPermission
|
|
56
|
+
*/
|
|
57
|
+
checkMyPermission: {
|
|
58
|
+
name: "checkMyPermission",
|
|
59
|
+
I: CheckMyPermissionInput,
|
|
60
|
+
O: CheckAuthorizationResult,
|
|
61
|
+
kind: MethodKind.Unary,
|
|
62
|
+
},
|
|
32
63
|
/**
|
|
33
64
|
* Check if a principal is authorized to perform a relation on a resource
|
|
34
65
|
*
|
|
@@ -38,8 +69,11 @@ export const IamPolicyQueryController = {
|
|
|
38
69
|
* It provides a simple boolean answer based on the complete authorization state,
|
|
39
70
|
* including existing IAM policies, inherited permissions, and group memberships.
|
|
40
71
|
*
|
|
72
|
+
* This RPC is an INTERNAL-FACING contract for the platform's own
|
|
73
|
+
* authorization pipeline (service-to-service and in-process checks).
|
|
74
|
+
* Client-facing self checks must use checkMyPermission instead.
|
|
75
|
+
*
|
|
41
76
|
* Use Cases:
|
|
42
|
-
* - Pre-flight UI checks before showing buttons/actions
|
|
43
77
|
* - API request authorization before processing operations
|
|
44
78
|
* - Service-to-service authorization
|
|
45
79
|
* - Team-based access checks
|
|
@@ -47,6 +81,11 @@ export const IamPolicyQueryController = {
|
|
|
47
81
|
* Input: CheckAuthorizationInput with policy spec and optional contextual policies
|
|
48
82
|
* Output: CheckAuthorizationResult with is_authorized boolean
|
|
49
83
|
*
|
|
84
|
+
* @internal
|
|
85
|
+
* Skips standard authorization to avoid IAM-authorizing-IAM recursion.
|
|
86
|
+
* The handler enforces principal trust instead: the caller must either BE
|
|
87
|
+
* the principal being checked, or be a machine (system) account.
|
|
88
|
+
*
|
|
50
89
|
* @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.checkAuthorization
|
|
51
90
|
*/
|
|
52
91
|
checkAuthorization: {
|
|
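Review bot: The `@internal` paragraph added to checkAuthorization (new lines 84–87) states the handler's trust rule as "the caller must either BE the principal being checked, or be a machine (system) account", which as worded lets any machine account query any principal's permissions. The same comment calls the RPC internal-facing while this published client package still exports the method, so that handler check is the only barrier the page describes. Consider narrowing both the wording and the check to specific platform service identities, e.g. `* ... or be a platform service account explicitly permitted to run authorization checks.`, and documenting what a rejected caller receives. This file is generated, so the change belongs in query.proto; the enclosing IamPolicyQueryController object starts and ends outside these hunks.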
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_connect.ts"],"names":[],"mappings":"AAAA,4FAA4F;AAC5F,oHAAoH;AACpH,oBAAoB;AACpB,cAAc;AAEd,OAAO,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,wBAAwB,EAAE,uBAAuB,EAAE,WAAW,EAAE,+BAA+B,EAAE,8BAA8B,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,eAAe,EAAE,6BAA6B,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"query_connect.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_connect.ts"],"names":[],"mappings":"AAAA,4FAA4F;AAC5F,oHAAoH;AACpH,oBAAoB;AACpB,cAAc;AAEd,OAAO,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,uBAAuB,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,WAAW,EAAE,+BAA+B,EAAE,8BAA8B,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,eAAe,EAAE,6BAA6B,EAAE,MAAM,WAAW,CAAC;AAC7X,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG;IACtC,QAAQ,EAAE,sDAAsD;IAChE,OAAO,EAAE;QACP;;;;;;;;;WASG;QACH,GAAG,EAAE;YACH,IAAI,EAAE,KAAK;YACX,CAAC,EAAE,WAAW;YACd,CAAC,EAAE,SAAS;YACZ,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;WAwBG;QACH,iBAAiB,EAAE;YACjB,IAAI,EAAE,mBAAmB;YACzB,CAAC,EAAE,sBAAsB;YACzB,CAAC,EAAE,wBAAwB;YAC3B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;;;;;;;;;;;;WA2BG;QACH,kBAAkB,EAAE;YAClB,IAAI,EAAE,oBAAoB;YAC1B,CAAC,EAAE,uBAAuB;YAC1B,CAAC,EAAE,wBAAwB;YAC3B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,yBAAyB,EAAE;YACzB,IAAI,EAAE,2BAA2B;YACjC,CAAC,EAAE,8BAA8B;YACjC,CAAC,EAAE,yBAAyB;YAC5B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,0BAA0B,EAAE;YAC1B,IAAI,EAAE,4BAA4B;YAClC,CAAC,EAAE,+BAA+B;YAClC,CAAC,EAAE,0BAA0B;YAC7B,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;;WAgBG;QACH,6BAA6B,EAAE;YAC7B,IAAI,EAAE,+BAA+B;YACrC,CAAC,EAAE,uBAAuB;YAC1B,CAAC,EAAE,6BAA6B;YAChC,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;;WAeG;QACH,yBAAyB,EAAE;YACzB,IAAI,EAAE,2BAA2B;YACjC,CAAC,EAAE,sBAAsB;YACzB,CAAC,EAAE,sBAAsB;YACzB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;QACD;;;;;;;;;;;;;;WAcG;QACH,kBAAkB,EAAE;YAClB,IAAI,EAAE,oBAAoB;YAC1B,CAAC,EAAE,uBAAuB;YAC1B,CAAC,EAAE,eAAe;YAClB,IAAI,EAAE,UAAU,CAAC,KAAK;SACvB;KACF;CACO,CAAC"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import type { GenFile, GenService } from "@bufbuild/protobuf/codegenv1";
|
|
2
2
|
import type { IamPolicySchema } from "./api_pb.js";
|
|
3
|
-
import type { AuthorizedPrincipalIdsListSchema, AuthorizedResourceIdsListSchema, CheckAuthorizationInputSchema, CheckAuthorizationResultSchema, GetPrincipalsCountInputSchema, IamPolicyIdSchema, ListAuthorizedPrincipalIdsInputSchema, ListAuthorizedResourceIdsInputSchema, ListResourceAccessInputSchema, PrincipalResourceInputSchema, PrincipalResourceRolesSchema, PrincipalsCountSchema, ResourceAccessByPrincipalListSchema } from "./io_pb.js";
|
|
3
|
+
import type { AuthorizedPrincipalIdsListSchema, AuthorizedResourceIdsListSchema, CheckAuthorizationInputSchema, CheckAuthorizationResultSchema, CheckMyPermissionInputSchema, GetPrincipalsCountInputSchema, IamPolicyIdSchema, ListAuthorizedPrincipalIdsInputSchema, ListAuthorizedResourceIdsInputSchema, ListResourceAccessInputSchema, PrincipalResourceInputSchema, PrincipalResourceRolesSchema, PrincipalsCountSchema, ResourceAccessByPrincipalListSchema } from "./io_pb.js";
|
|
4
4
|
/**
|
|
5
5
|
* Describes the file ai/stigmer/iam/iampolicy/v1/query.proto.
|
|
6
6
|
*/
|
|
@@ -26,6 +26,36 @@ export declare const IamPolicyQueryController: GenService<{
|
|
|
26
26
|
input: typeof IamPolicyIdSchema;
|
|
27
27
|
output: typeof IamPolicySchema;
|
|
28
28
|
};
|
|
29
|
+
/**
|
|
30
|
+
* Check whether the AUTHENTICATED CALLER has a permission on a resource.
|
|
31
|
+
*
|
|
32
|
+
* This is the self-check RPC for clients (web console, desktop, SDKs):
|
|
33
|
+
* "Do I have permission Y on resource Z?"
|
|
34
|
+
*
|
|
35
|
+
* The principal is always derived server-side from the authenticated token.
|
|
36
|
+
* The input has no principal field by design — clients cannot name a
|
|
37
|
+
* principal, so cross-principal permission probing is structurally
|
|
38
|
+
* impossible (the Kubernetes SelfSubjectAccessReview pattern).
|
|
39
|
+
*
|
|
40
|
+
* Use Cases:
|
|
41
|
+
* - Pre-flight UI checks before showing buttons/actions
|
|
42
|
+
* - Permission-gated rendering (PermissionGate components)
|
|
43
|
+
*
|
|
44
|
+
* Input: CheckMyPermissionInput with resource, relation, and optional contextual policies
|
|
45
|
+
* Output: CheckAuthorizationResult with is_authorized boolean
|
|
46
|
+
*
|
|
47
|
+
* @internal
|
|
48
|
+
* Skips standard authorization because authorizing this RPC via IAM would
|
|
49
|
+
* recurse into IAM. Authentication is still required; the handler anchors
|
|
50
|
+
* the FGA check to the caller's identity account.
|
|
51
|
+
*
|
|
52
|
+
* @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.checkMyPermission
|
|
53
|
+
*/
|
|
54
|
+
checkMyPermission: {
|
|
55
|
+
methodKind: "unary";
|
|
56
|
+
input: typeof CheckMyPermissionInputSchema;
|
|
57
|
+
output: typeof CheckAuthorizationResultSchema;
|
|
58
|
+
};
|
|
29
59
|
/**
|
|
30
60
|
* Check if a principal is authorized to perform a relation on a resource
|
|
31
61
|
*
|
|
@@ -35,8 +65,11 @@ export declare const IamPolicyQueryController: GenService<{
|
|
|
35
65
|
* It provides a simple boolean answer based on the complete authorization state,
|
|
36
66
|
* including existing IAM policies, inherited permissions, and group memberships.
|
|
37
67
|
*
|
|
68
|
+
* This RPC is an INTERNAL-FACING contract for the platform's own
|
|
69
|
+
* authorization pipeline (service-to-service and in-process checks).
|
|
70
|
+
* Client-facing self checks must use checkMyPermission instead.
|
|
71
|
+
*
|
|
38
72
|
* Use Cases:
|
|
39
|
-
* - Pre-flight UI checks before showing buttons/actions
|
|
40
73
|
* - API request authorization before processing operations
|
|
41
74
|
* - Service-to-service authorization
|
|
42
75
|
* - Team-based access checks
|
|
@@ -44,6 +77,11 @@ export declare const IamPolicyQueryController: GenService<{
|
|
|
44
77
|
* Input: CheckAuthorizationInput with policy spec and optional contextual policies
|
|
45
78
|
* Output: CheckAuthorizationResult with is_authorized boolean
|
|
46
79
|
*
|
|
80
|
+
* @internal
|
|
81
|
+
* Skips standard authorization to avoid IAM-authorizing-IAM recursion.
|
|
82
|
+
* The handler enforces principal trust instead: the caller must either BE
|
|
83
|
+
* the principal being checked, or be a machine (system) account.
|
|
84
|
+
*
|
|
47
85
|
* @generated from rpc ai.stigmer.iam.iampolicy.v1.IamPolicyQueryController.checkAuthorization
|
|
48
86
|
*/
|
|
49
87
|
checkAuthorization: {
|
|
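Review bot: The `@internal` line in the checkMyPermission comment (new line 47) is a JSDoc tag on the whole member, not a heading for the paragraph under it. Tooling that honours the tag (TypeScript's `stripInternal` when declarations are emitted, doc generators that exclude internal members) will treat the RPC the comment describes as client-facing as non-public API. The same applies to the tag on checkAuthorization (new line 80) and on the `relation` field of CheckMyPermissionInput in io_pb.d.ts. I would replace the tag with a plain heading such as `* Implementation note:` so the security rationale stays in the docs without changing the member's visibility. The file is generated, so the edit belongs in the .proto comments.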
@@ -9,7 +9,7 @@ import { file_ai_stigmer_iam_iampolicy_v1_io } from "./io_pb.js";
|
|
|
9
9
|
/**
|
|
10
10
|
* Describes the file ai/stigmer/iam/iampolicy/v1/query.proto.
|
|
11
11
|
*/
|
|
12
|
-
export const file_ai_stigmer_iam_iampolicy_v1_query = /*@__PURE__*/ fileDesc("
|
|
12
|
+
export const file_ai_stigmer_iam_iampolicy_v1_query = /*@__PURE__*/ fileDesc("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", [file_ai_stigmer_commons_apiresource_rpc_service_options, file_ai_stigmer_commons_rpc_method_options, file_ai_stigmer_iam_iampolicy_v1_api, file_ai_stigmer_iam_iampolicy_v1_io]);
|
|
13
13
|
/**
|
|
14
14
|
* IamPolicyQueryController handles read operations for IAM policies.
|
|
15
15
|
*
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,oHAAoH;AACpH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,wDAAwD,CAAC;AACjI,OAAO,EAAE,0CAA0C,EAAE,MAAM,2CAA2C,CAAC;AAEvG,OAAO,EAAE,oCAAoC,EAAE,MAAM,aAAa,CAAC;AAEnE,OAAO,EAAE,mCAAmC,EAAE,MAAM,YAAY,CAAC;AAEjE;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,
|
|
1
|
+
{"version":3,"file":"query_pb.js","sourceRoot":"","sources":["../../../../../../ai/stigmer/iam/iampolicy/v1/query_pb.ts"],"names":[],"mappings":"AAAA,oFAAoF;AACpF,oHAAoH;AACpH,oBAAoB;AAGpB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AACrE,OAAO,EAAE,uDAAuD,EAAE,MAAM,wDAAwD,CAAC;AACjI,OAAO,EAAE,0CAA0C,EAAE,MAAM,2CAA2C,CAAC;AAEvG,OAAO,EAAE,oCAAoC,EAAE,MAAM,aAAa,CAAC;AAEnE,OAAO,EAAE,mCAAmC,EAAE,MAAM,YAAY,CAAC;AAEjE;;GAEG;AACH,MAAM,CAAC,MAAM,sCAAsC,GAAY,aAAa,CAC1E,QAAQ,CAAC,i7DAAi7D,EAAE,CAAC,uDAAuD,EAAE,0CAA0C,EAAE,oCAAoC,EAAE,mCAAmC,CAAC,CAAC,CAAC;AAEhnE;;;;GAIG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAwLhC,aAAa,CAChB,WAAW,CAAC,sCAAsC,EAAE,CAAC,CAAC,CAAC"}
|