@sylphx/contract 0.2.0 → 0.3.0

package/dist/endpoints/admin-projects.d.ts

@@ -5,7 +5,7 @@
  * Production mount: `/admin/projects/*`.
  */
 export declare const adminProjectsEndpoints: {
-    readonly list: import("../endpoint.js").Endpoint<"GET", "/admin/projects/", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly list: import("../endpoint.js").Endpoint<"GET", "/operator/projects/", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         limit: import("effect/Schema").optional<typeof import("effect/Schema").String>;
         offset: import("effect/Schema").optional<typeof import("effect/Schema").String>;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
@@ -21,7 +21,7 @@ export declare const adminProjectsEndpoints: {
         limit: typeof import("effect/Schema").Number;
         offset: typeof import("effect/Schema").Number;
     }>>;
-    readonly get: import("../endpoint.js").Endpoint<"GET", "/admin/projects/:id", import("effect/Schema").Struct<{
+    readonly get: import("../endpoint.js").Endpoint<"GET", "/operator/projects/:id", import("effect/Schema").Struct<{
         id: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         id: typeof import("effect/Schema").String;
@@ -59,7 +59,7 @@ export declare const adminProjectsEndpoints: {
             errorMessage: import("effect/Schema").NullOr<typeof import("effect/Schema").String>;
         }>>;
     }>>;
-    readonly create: import("../endpoint.js").Endpoint<"POST", "/admin/projects/", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly create: import("../endpoint.js").Endpoint<"POST", "/operator/projects/", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         name: typeof import("effect/Schema").String;
         slug: typeof import("effect/Schema").String;
         domains: import("effect/Schema").Array$<typeof import("effect/Schema").String>;
@@ -82,7 +82,7 @@ export declare const adminProjectsEndpoints: {
             }>>;
         }>;
     }>>;
-    readonly update: import("../endpoint.js").Endpoint<"PATCH", "/admin/projects/:id", import("effect/Schema").Struct<{
+    readonly update: import("../endpoint.js").Endpoint<"PATCH", "/operator/projects/:id", import("effect/Schema").Struct<{
         id: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         name: import("effect/Schema").optional<typeof import("effect/Schema").String>;
@@ -98,13 +98,13 @@ export declare const adminProjectsEndpoints: {
         slug: typeof import("effect/Schema").String;
         buildMachineType: import("effect/Schema").Literal<["standard", "large", "xlarge"]>;
     }>>;
-    readonly delete: import("../endpoint.js").Endpoint<"DELETE", "/admin/projects/:id", import("effect/Schema").Struct<{
+    readonly delete: import("../endpoint.js").Endpoint<"DELETE", "/operator/projects/:id", import("effect/Schema").Struct<{
         id: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         id: typeof import("effect/Schema").String;
         name: typeof import("effect/Schema").String;
     }>>;
-    readonly regenerateSecretKey: import("../endpoint.js").Endpoint<"POST", "/admin/projects/environments/:environmentId/regenerate-key", import("effect/Schema").Struct<{
+    readonly regenerateSecretKey: import("../endpoint.js").Endpoint<"POST", "/operator/projects/environments/:environmentId/regenerate-key", import("effect/Schema").Struct<{
         environmentId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         environmentId: typeof import("effect/Schema").String;
@@ -112,7 +112,36 @@ export declare const adminProjectsEndpoints: {
         secretKey: typeof import("effect/Schema").String;
         publicKey: typeof import("effect/Schema").String;
     }>>;
-    readonly platformResources: import("../endpoint.js").Endpoint<"GET", "/admin/projects/:id/platform-resources", import("effect/Schema").Struct<{
+    readonly rotateEnvironmentCredentials: import("../endpoint.js").Endpoint<"POST", "/operator/projects/environments/:environmentId/credentials/rotate", import("effect/Schema").Struct<{
+        environmentId: typeof import("effect/Schema").String;
+    }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+        reason: import("effect/Schema").filter<import("effect/Schema").filter<typeof import("effect/Schema").String>>;
+        syncDeploymentSecret: import("effect/Schema").optional<typeof import("effect/Schema").Boolean>;
+    }>, import("effect/Schema").Struct<{
+        environmentId: typeof import("effect/Schema").String;
+        envType: import("effect/Schema").Literal<["development", "staging", "production"]>;
+        secretKey: typeof import("effect/Schema").String;
+        publicKey: typeof import("effect/Schema").String;
+        syncedDeploymentSecret: typeof import("effect/Schema").Boolean;
+        queued: typeof import("effect/Schema").Boolean;
+        generation: typeof import("effect/Schema").Number;
+    }>>;
+    readonly rotateEnvironmentCredentialsBySlug: import("../endpoint.js").Endpoint<"POST", "/operator/projects/by-slug/:projectSlug/environments/:environmentName/credentials/rotate", import("effect/Schema").Struct<{
+        projectSlug: typeof import("effect/Schema").String;
+        environmentName: typeof import("effect/Schema").String;
+    }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+        reason: import("effect/Schema").filter<import("effect/Schema").filter<typeof import("effect/Schema").String>>;
+        syncDeploymentSecret: import("effect/Schema").optional<typeof import("effect/Schema").Boolean>;
+    }>, import("effect/Schema").Struct<{
+        environmentId: typeof import("effect/Schema").String;
+        envType: import("effect/Schema").Literal<["development", "staging", "production"]>;
+        secretKey: typeof import("effect/Schema").String;
+        publicKey: typeof import("effect/Schema").String;
+        syncedDeploymentSecret: typeof import("effect/Schema").Boolean;
+        queued: typeof import("effect/Schema").Boolean;
+        generation: typeof import("effect/Schema").Number;
+    }>>;
+    readonly platformResources: import("../endpoint.js").Endpoint<"GET", "/operator/projects/:id/platform-resources", import("effect/Schema").Struct<{
         id: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Array$<import("effect/Schema").Struct<{
         role: typeof import("effect/Schema").String;

package/dist/endpoints/admin-projects.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin-projects.d.ts","sourceRoot":"","sources":["../../src/endpoints/admin-projects.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAkBH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiEzB,CAAA"}
+{"version":3,"file":"admin-projects.d.ts","sourceRoot":"","sources":["../../src/endpoints/admin-projects.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAqBH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgGzB,CAAA"}

package/dist/endpoints/admin-projects.js

@@ -5,69 +5,98 @@
  * Production mount: `/admin/projects/*`.
  */
 import { defineEndpoint } from '../endpoint.js';
-import { AdminCreateProjectInput, AdminCreateProjectResult, AdminDeleteProjectResult, AdminEnvironmentIdParams, AdminGetProjectResult, AdminListProjectsQuery, AdminListProjectsResult, AdminPlatformResourcesResult, AdminProjectIdParams, AdminRegenerateSecretKeyResult, AdminUpdateProjectInput, AdminUpdateProjectResult, } from '../schemas/admin-projects.js';
+import { AdminCreateProjectInput, AdminCreateProjectResult, AdminDeleteProjectResult, AdminEnvironmentIdParams, AdminEnvironmentSlugParams, AdminGetProjectResult, AdminListProjectsQuery, AdminListProjectsResult, AdminPlatformResourcesResult, AdminProjectIdParams, AdminRegenerateSecretKeyResult, AdminRotateEnvironmentCredentialsInput, AdminRotateEnvironmentCredentialsResult, AdminUpdateProjectInput, AdminUpdateProjectResult, } from '../schemas/admin-projects.js';
 export const adminProjectsEndpoints = {
     list: defineEndpoint({
         method: 'GET',
-        path: '/admin/projects/',
+        path: '/operator/projects/',
         query: AdminListProjectsQuery,
         response: AdminListProjectsResult,
-        plane: 'admin',
+        plane: 'management',
         summary: "List apps for the user's organization",
         tags: ['admin-projects'],
     }),
     get: defineEndpoint({
         method: 'GET',
-        path: '/admin/projects/:id',
+        path: '/operator/projects/:id',
         params: AdminProjectIdParams,
         response: AdminGetProjectResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Get app by ID or slug (org-scoped)',
         tags: ['admin-projects'],
     }),
     create: defineEndpoint({
         method: 'POST',
-        path: '/admin/projects/',
+        path: '/operator/projects/',
         body: AdminCreateProjectInput,
         response: AdminCreateProjectResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Create app with default dev + production environments',
         tags: ['admin-projects'],
     }),
     update: defineEndpoint({
         method: 'PATCH',
-        path: '/admin/projects/:id',
+        path: '/operator/projects/:id',
         params: AdminProjectIdParams,
         body: AdminUpdateProjectInput,
         response: AdminUpdateProjectResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Update app settings',
         tags: ['admin-projects'],
     }),
     delete: defineEndpoint({
         method: 'DELETE',
-        path: '/admin/projects/:id',
+        path: '/operator/projects/:id',
         params: AdminProjectIdParams,
         response: AdminDeleteProjectResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Soft delete app (super_admin only)',
         tags: ['admin-projects'],
     }),
     regenerateSecretKey: defineEndpoint({
         method: 'POST',
-        path: '/admin/projects/environments/:environmentId/regenerate-key',
+        path: '/operator/projects/environments/:environmentId/regenerate-key',
         params: AdminEnvironmentIdParams,
         response: AdminRegenerateSecretKeyResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Regenerate environment secret key (super_admin only)',
         tags: ['admin-projects'],
     }),
+    rotateEnvironmentCredentials: defineEndpoint({
+        method: 'POST',
+        path: '/operator/projects/environments/:environmentId/credentials/rotate',
+        params: AdminEnvironmentIdParams,
+        body: AdminRotateEnvironmentCredentialsInput,
+        response: AdminRotateEnvironmentCredentialsResult,
+        plane: 'management',
+        summary: 'Rotate environment BaaS credentials and optionally sync deployed app secret',
+        description: 'Operator-only credential rotation for an environment. Generates a new ' +
+            '`sk_*`/`pk_*` pair, stores only the secret hash on the environment, ' +
+            'optionally writes the raw secret once into the environment shared ' +
+            '`SYLPHX_SECRET_KEY` app secret, emits audit, and queues reconciliation. ' +
+            'Requires a service token carrying `platform:admin` and `platform:secrets:rotate`.',
+        tags: ['admin-projects'],
+    }),
+    rotateEnvironmentCredentialsBySlug: defineEndpoint({
+        method: 'POST',
+        path: '/operator/projects/by-slug/:projectSlug/environments/:environmentName/credentials/rotate',
+        params: AdminEnvironmentSlugParams,
+        body: AdminRotateEnvironmentCredentialsInput,
+        response: AdminRotateEnvironmentCredentialsResult,
+        plane: 'management',
+        summary: 'Rotate environment BaaS credentials by project slug and environment name',
+        description: 'Operator-only credential rotation for a named environment on a project slug. ' +
+            'This is the human/operator selector variant of the TypeID route; it does not ' +
+            'accept raw UUIDs. Requires a service token carrying `platform:admin` and ' +
+            '`platform:secrets:rotate`.',
+        tags: ['admin-projects'],
+    }),
     platformResources: defineEndpoint({
         method: 'GET',
-        path: '/admin/projects/:id/platform-resources',
+        path: '/operator/projects/:id/platform-resources',
         params: AdminProjectIdParams,
         response: AdminPlatformResourcesResult,
-        plane: 'admin',
+        plane: 'management',
         summary: "List project's hidden BaaS resource bindings (ADR-047)",
         tags: ['admin-projects'],
     }),

package/dist/endpoints/admin-quotas.d.ts

@@ -5,7 +5,7 @@
  * Production mount: `/admin/quotas/*`.
  */
 export declare const adminQuotasEndpoints: {
-    readonly getProjectQuotas: import("../endpoint.js").Endpoint<"GET", "/admin/quotas/projects/:projectId/quotas", import("effect/Schema").Struct<{
+    readonly getProjectQuotas: import("../endpoint.js").Endpoint<"GET", "/operator/quotas/projects/:projectId/quotas", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
@@ -26,7 +26,7 @@ export declare const adminQuotasEndpoints: {
         overallStatus: import("effect/Schema").Literal<["ok", "warning", "critical", "exceeded", "blocked"]>;
         unacknowledgedAlertsCount: typeof import("effect/Schema").Number;
     }>>;
-    readonly getQuotaStats: import("../endpoint.js").Endpoint<"GET", "/admin/quotas/projects/:projectId/quotas/stats", import("effect/Schema").Struct<{
+    readonly getQuotaStats: import("../endpoint.js").Endpoint<"GET", "/operator/quotas/projects/:projectId/quotas/stats", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         atLimit: typeof import("effect/Schema").Number;
@@ -35,7 +35,7 @@ export declare const adminQuotasEndpoints: {
         ok: typeof import("effect/Schema").Number;
         total: typeof import("effect/Schema").Number;
     }>>;
-    readonly getQuotaAlerts: import("../endpoint.js").Endpoint<"GET", "/admin/quotas/projects/:projectId/quotas/alerts", import("effect/Schema").Struct<{
+    readonly getQuotaAlerts: import("../endpoint.js").Endpoint<"GET", "/operator/quotas/projects/:projectId/quotas/alerts", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Struct<{
         acknowledged: import("effect/Schema").optional<typeof import("effect/Schema").String>;
@@ -54,7 +54,7 @@ export declare const adminQuotasEndpoints: {
             acknowledgedAt: import("effect/Schema").NullOr<typeof import("effect/Schema").String>;
         }>>;
     }>>;
-    readonly getQuotaHistory: import("../endpoint.js").Endpoint<"GET", "/admin/quotas/projects/:projectId/quotas/history", import("effect/Schema").Struct<{
+    readonly getQuotaHistory: import("../endpoint.js").Endpoint<"GET", "/operator/quotas/projects/:projectId/quotas/history", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Struct<{
         service: typeof import("effect/Schema").String;
@@ -66,7 +66,7 @@ export declare const adminQuotasEndpoints: {
             value: typeof import("effect/Schema").Number;
         }>>;
     }>>;
-    readonly updateQuota: import("../endpoint.js").Endpoint<"PATCH", "/admin/quotas/projects/:projectId/quotas", import("effect/Schema").Struct<{
+    readonly updateQuota: import("../endpoint.js").Endpoint<"PATCH", "/operator/quotas/projects/:projectId/quotas", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         service: typeof import("effect/Schema").String;
@@ -88,7 +88,7 @@ export declare const adminQuotasEndpoints: {
             isActive: typeof import("effect/Schema").Boolean;
         }>;
     }>>;
-    readonly acknowledgeAlert: import("../endpoint.js").Endpoint<"POST", "/admin/quotas/alerts/:alertId/acknowledge", import("effect/Schema").Struct<{
+    readonly acknowledgeAlert: import("../endpoint.js").Endpoint<"POST", "/operator/quotas/alerts/:alertId/acknowledge", import("effect/Schema").Struct<{
         alertId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         success: typeof import("effect/Schema").Boolean;

package/dist/endpoints/admin-quotas.js

@@ -9,58 +9,58 @@ import { AdminAcknowledgeAlertResult, AdminAlertIdParams, AdminGetProjectQuotasR
 export const adminQuotasEndpoints = {
     getProjectQuotas: defineEndpoint({
         method: 'GET',
-        path: '/admin/quotas/projects/:projectId/quotas',
+        path: '/operator/quotas/projects/:projectId/quotas',
         params: AdminQuotasProjectParams,
         response: AdminGetProjectQuotasResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Get all quotas for a project with current usage',
         tags: ['admin-quotas'],
     }),
     getQuotaStats: defineEndpoint({
         method: 'GET',
-        path: '/admin/quotas/projects/:projectId/quotas/stats',
+        path: '/operator/quotas/projects/:projectId/quotas/stats',
         params: AdminQuotasProjectParams,
         response: AdminGetQuotaStatsResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Quota status count breakdown',
         tags: ['admin-quotas'],
     }),
     getQuotaAlerts: defineEndpoint({
         method: 'GET',
-        path: '/admin/quotas/projects/:projectId/quotas/alerts',
+        path: '/operator/quotas/projects/:projectId/quotas/alerts',
         params: AdminQuotasProjectParams,
         query: AdminGetQuotaAlertsQuery,
         response: AdminGetQuotaAlertsResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'List quota alerts with optional ack filter',
         tags: ['admin-quotas'],
     }),
     getQuotaHistory: defineEndpoint({
         method: 'GET',
-        path: '/admin/quotas/projects/:projectId/quotas/history',
+        path: '/operator/quotas/projects/:projectId/quotas/history',
         params: AdminQuotasProjectParams,
         query: AdminGetQuotaHistoryQuery,
         response: AdminGetQuotaHistoryResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Daily usage history for one service/metric pair',
         tags: ['admin-quotas'],
     }),
     updateQuota: defineEndpoint({
         method: 'PATCH',
-        path: '/admin/quotas/projects/:projectId/quotas',
+        path: '/operator/quotas/projects/:projectId/quotas',
         params: AdminQuotasProjectParams,
         body: AdminUpdateQuotaInput,
         response: AdminUpdateQuotaResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Update quota settings for one service/metric',
         tags: ['admin-quotas'],
     }),
     acknowledgeAlert: defineEndpoint({
         method: 'POST',
-        path: '/admin/quotas/alerts/:alertId/acknowledge',
+        path: '/operator/quotas/alerts/:alertId/acknowledge',
         params: AdminAlertIdParams,
         response: AdminAcknowledgeAlertResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Acknowledge a quota alert',
         tags: ['admin-quotas'],
     }),

package/dist/endpoints/admin-rate-limits.d.ts

@@ -21,7 +21,7 @@
  * @see `packages/core/src/lib/security/rate-limit-credential-multipliers.ts`
  */
 export declare const adminRateLimitsEndpoints: {
-    readonly listStrategies: import("../endpoint.js").Endpoint<"GET", "/admin/rate-limits/strategies", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly listStrategies: import("../endpoint.js").Endpoint<"GET", "/operator/rate-limits/strategies", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         multipliers: import("effect/Schema").Array$<import("effect/Schema").Struct<{
             credentialType: import("effect/Schema").Literal<["public", "secret", "service", "session", "spiffe", "unknown"]>;
             multiplier: typeof import("effect/Schema").Number;
@@ -30,7 +30,7 @@ export declare const adminRateLimitsEndpoints: {
             lastUpdatedAt: import("effect/Schema").NullOr<typeof import("effect/Schema").String>;
         }>>;
     }>>;
-    readonly setStrategy: import("../endpoint.js").Endpoint<"POST", "/admin/rate-limits/strategies", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly setStrategy: import("../endpoint.js").Endpoint<"POST", "/operator/rate-limits/strategies", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         credentialType: import("effect/Schema").Literal<["public", "secret", "service", "session", "spiffe", "unknown"]>;
         multiplier: import("effect/Schema").filter<import("effect/Schema").filter<typeof import("effect/Schema").Number>>;
         exempt: import("effect/Schema").optional<typeof import("effect/Schema").Boolean>;

package/dist/endpoints/admin-rate-limits.js

@@ -25,9 +25,9 @@ import { AdminListRateLimitMultipliersResult, AdminSetRateLimitMultiplierInput,
 export const adminRateLimitsEndpoints = {
     listStrategies: defineEndpoint({
         method: 'GET',
-        path: '/admin/rate-limits/strategies',
+        path: '/operator/rate-limits/strategies',
         response: AdminListRateLimitMultipliersResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'List the per-credential-type rate-limit multipliers currently applied to every preset',
         description: 'Returns one row per credential type (`public`, `secret`, `service`, ' +
             '`session`, `spiffe`, `unknown`) with its multiplier, exempt flag, ' +
@@ -39,10 +39,10 @@ export const adminRateLimitsEndpoints = {
     }),
     setStrategy: defineEndpoint({
         method: 'POST',
-        path: '/admin/rate-limits/strategies',
+        path: '/operator/rate-limits/strategies',
         body: AdminSetRateLimitMultiplierInput,
         response: AdminSetRateLimitMultiplierResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Upsert the multiplier (or exempt flag) for a single credential type',
         description: 'Writes the row for `credentialType` and fires `invalidateAndReload()` ' +
             'on the enforcement layer so the new value is live within seconds — no ' +

package/dist/endpoints/admin-reconcile.d.ts

@@ -12,7 +12,7 @@
  * Plane: `admin`.
  */
 export declare const adminReconcileEndpoints: {
-    readonly reset: import("../endpoint.js").Endpoint<"POST", "/admin/reconcile/reset", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly reset: import("../endpoint.js").Endpoint<"POST", "/operator/reconcile/reset", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         kind: import("effect/Schema").Union<[import("effect/Schema").Literal<["service"]>, import("effect/Schema").Literal<["environment"]>]>;
         id: import("effect/Schema").filter<typeof import("effect/Schema").String>;
         to: import("effect/Schema").Union<[import("effect/Schema").Literal<["pending"]>, import("effect/Schema").Literal<["synced"]>]>;

package/dist/endpoints/admin-reconcile.js

@@ -16,10 +16,10 @@ import { AdminReconcileResetInput, AdminReconcileResetResult } from '../schemas/
 export const adminReconcileEndpoints = {
     reset: defineEndpoint({
         method: 'POST',
-        path: '/admin/reconcile/reset',
+        path: '/operator/reconcile/reset',
         body: AdminReconcileResetInput,
         response: AdminReconcileResetResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Reset reconcile_status on a service or environment row',
         description: 'Validates that the source state permits the target transition and ' +
             'rejects `terminating`/`terminated` rows (use force-delete instead). ' +

package/dist/endpoints/admin-resources.d.ts

@@ -13,7 +13,7 @@
  * Plane: `admin`.
  */
 export declare const adminResourcesEndpoints: {
-    readonly forceDelete: import("../endpoint.js").Endpoint<"DELETE", "/admin/resources/:id", import("effect/Schema").Struct<{
+    readonly forceDelete: import("../endpoint.js").Endpoint<"DELETE", "/operator/resources/:id", import("effect/Schema").Struct<{
         id: import("effect/Schema").filter<typeof import("effect/Schema").String>;
     }>, import("effect/Schema").Struct<{
         reason: import("effect/Schema").filter<import("effect/Schema").filter<typeof import("effect/Schema").String>>;
@@ -26,7 +26,7 @@ export declare const adminResourcesEndpoints: {
         reallyForce: typeof import("effect/Schema").Boolean;
         dependentsDeleted: typeof import("effect/Schema").Number;
     }>>;
-    readonly reseal: import("../endpoint.js").Endpoint<"POST", "/admin/resources/reseal", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly reseal: import("../endpoint.js").Endpoint<"POST", "/operator/resources/reseal", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         keyId: import("effect/Schema").filter<import("effect/Schema").filter<import("effect/Schema").filter<typeof import("effect/Schema").String>>>;
         filter: import("effect/Schema").optional<import("effect/Schema").Struct<{
             projectId: import("effect/Schema").optional<typeof import("effect/Schema").String>;

package/dist/endpoints/admin-resources.js

@@ -17,11 +17,11 @@ import { AdminResourceForceDeleteQuery, AdminResourceForceDeleteResult, AdminRes
 export const adminResourcesEndpoints = {
     forceDelete: defineEndpoint({
         method: 'DELETE',
-        path: '/admin/resources/:id',
+        path: '/operator/resources/:id',
         params: AdminResourceIdParams,
         query: AdminResourceForceDeleteQuery,
         response: AdminResourceForceDeleteResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Force-delete a stuck `managed_resources` row',
         description: 'Hard-deletes the row and (when `cascade=true`) its dependent rows. ' +
             'Refuses the call when `reconcile_status` is not `terminating` unless ' +
@@ -33,10 +33,10 @@ export const adminResourcesEndpoints = {
     }),
     reseal: defineEndpoint({
         method: 'POST',
-        path: '/admin/resources/reseal',
+        path: '/operator/resources/reseal',
         body: AdminResourceResealInput,
         response: AdminResourceResealResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Re-encrypt every encrypted column under the active KEK',
         description: 'Walks the canonical rotation registry (environment_secrets, ' +
             'environment_secret_versions, projects.webhook_secret_encrypted, ' +

package/dist/endpoints/admin-secrets.d.ts

@@ -10,7 +10,7 @@
  * step (`docs/runbooks/secret-rotation.md`).
  */
 export declare const adminSecretsEndpoints: {
-    readonly list: import("../endpoint.js").Endpoint<"GET", "/admin/secrets", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly list: import("../endpoint.js").Endpoint<"GET", "/operator/secrets", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         secrets: import("effect/Schema").Array$<import("effect/Schema").Struct<{
             type: import("effect/Schema").Literal<["break-glass", "encryption-key", "jwt-signing"]>;
             lastRotatedAt: import("effect/Schema").NullOr<typeof import("effect/Schema").String>;
@@ -20,7 +20,7 @@ export declare const adminSecretsEndpoints: {
             clusterSecretRef: typeof import("effect/Schema").String;
         }>>;
     }>>;
-    readonly rotate: import("../endpoint.js").Endpoint<"POST", "/admin/secrets/rotate", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly rotate: import("../endpoint.js").Endpoint<"POST", "/operator/secrets/rotate", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         type: import("effect/Schema").Literal<["break-glass", "encryption-key", "jwt-signing"]>;
         dryRun: import("effect/Schema").optional<typeof import("effect/Schema").Boolean>;
         reason: import("effect/Schema").optional<typeof import("effect/Schema").String>;

package/dist/endpoints/admin-secrets.js

@@ -14,18 +14,18 @@ import { AdminListSecretsResult, AdminRotateSecretInput, AdminRotateSecretResult
 export const adminSecretsEndpoints = {
     list: defineEndpoint({
         method: 'GET',
-        path: '/admin/secrets',
+        path: '/operator/secrets',
         response: AdminListSecretsResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'List rotatable platform secrets with last-rotation age + overdue flag (drives `sylphx_secret_age_days`)',
         tags: ['admin-secrets'],
     }),
     rotate: defineEndpoint({
         method: 'POST',
-        path: '/admin/secrets/rotate',
+        path: '/operator/secrets/rotate',
         body: AdminRotateSecretInput,
         response: AdminRotateSecretResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Record a secret-rotation event for compliance + emit the audit row. ' +
             'Pass dryRun=true to inspect status without writing.',
         tags: ['admin-secrets'],

package/dist/endpoints/admin-services.d.ts

@@ -14,7 +14,7 @@
  * `platform:services:read`).
  */
 export declare const adminServicesEndpoints: {
-    readonly imageStatus: import("../endpoint.js").Endpoint<"GET", "/admin/services/image-status", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+    readonly imageStatus: import("../endpoint.js").Endpoint<"GET", "/operator/services/image-status", import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
         services: import("effect/Schema").Array$<import("effect/Schema").Struct<{
             name: typeof import("effect/Schema").String;
             dbRef: import("effect/Schema").NullOr<typeof import("effect/Schema").String>;

package/dist/endpoints/admin-services.js

@@ -18,9 +18,9 @@ import { AdminServiceImageStatusResult } from '../schemas/admin-services.js';
 export const adminServicesEndpoints = {
     imageStatus: defineEndpoint({
         method: 'GET',
-        path: '/admin/services/image-status',
+        path: '/operator/services/image-status',
         response: AdminServiceImageStatusResult,
-        plane: 'admin',
+        plane: 'management',
         summary: 'Per-Platform-service image SSOT vs live K8s drift report',
         description: 'Returns one row per Platform service (controller, api, runtime, ' +
             'web, exec-server, storage-gateway, storage-worker) reporting both ' +

package/dist/endpoints/admin-tasks.d.ts

@@ -5,7 +5,7 @@
  * Production mount: `/admin/tasks/*`.
  */
 export declare const adminTasksEndpoints: {
-    readonly listTasks: import("../endpoint.js").Endpoint<"GET", "/admin/tasks/projects/:projectId/tasks", import("effect/Schema").Struct<{
+    readonly listTasks: import("../endpoint.js").Endpoint<"GET", "/operator/tasks/projects/:projectId/tasks", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Struct<{
         page: import("effect/Schema").optional<typeof import("effect/Schema").String>;
@@ -53,7 +53,7 @@ export declare const adminTasksEndpoints: {
             totalPages: typeof import("effect/Schema").Number;
         }>;
     }>>;
-    readonly listJobsCursor: import("../endpoint.js").Endpoint<"GET", "/admin/tasks/projects/:projectId/jobs/cursor", import("effect/Schema").Struct<{
+    readonly listJobsCursor: import("../endpoint.js").Endpoint<"GET", "/operator/tasks/projects/:projectId/jobs/cursor", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Struct<{
         cursor: import("effect/Schema").optional<typeof import("effect/Schema").String>;
@@ -84,7 +84,7 @@ export declare const adminTasksEndpoints: {
         hasMore: typeof import("effect/Schema").Boolean;
         total: typeof import("effect/Schema").Number;
     }>>;
-    readonly cancelJob: import("../endpoint.js").Endpoint<"POST", "/admin/tasks/projects/:projectId/jobs/:jobId/cancel", import("effect/Schema").Struct<{
+    readonly cancelJob: import("../endpoint.js").Endpoint<"POST", "/operator/tasks/projects/:projectId/jobs/:jobId/cancel", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
         jobId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
@@ -121,7 +121,7 @@ export declare const adminTasksEndpoints: {
             createdAt: typeof import("effect/Schema").String;
         }>>;
     }>>;
-    readonly listDLQEntries: import("../endpoint.js").Endpoint<"GET", "/admin/tasks/projects/:projectId/dlq", import("effect/Schema").Struct<{
+    readonly listDLQEntries: import("../endpoint.js").Endpoint<"GET", "/operator/tasks/projects/:projectId/dlq", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Struct<{
         page: import("effect/Schema").optional<typeof import("effect/Schema").String>;
@@ -148,7 +148,7 @@ export declare const adminTasksEndpoints: {
             totalPages: typeof import("effect/Schema").Number;
         }>;
     }>>;
-    readonly retryDLQEntry: import("../endpoint.js").Endpoint<"POST", "/admin/tasks/projects/:projectId/dlq/:entryId/retry", import("effect/Schema").Struct<{
+    readonly retryDLQEntry: import("../endpoint.js").Endpoint<"POST", "/operator/tasks/projects/:projectId/dlq/:entryId/retry", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
         entryId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
@@ -165,7 +165,7 @@ export declare const adminTasksEndpoints: {
             createdAt: typeof import("effect/Schema").String;
         }>;
     }>>;
-    readonly resolveDLQEntry: import("../endpoint.js").Endpoint<"POST", "/admin/tasks/projects/:projectId/dlq/:entryId/resolve", import("effect/Schema").Struct<{
+    readonly resolveDLQEntry: import("../endpoint.js").Endpoint<"POST", "/operator/tasks/projects/:projectId/dlq/:entryId/resolve", import("effect/Schema").Struct<{
         projectId: typeof import("effect/Schema").String;
         entryId: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{