npm - @sylphx/contract - Versions diffs - 0.2.0 - Mend

@sylphx/contract 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (571) hide show

package/CHANGELOG.md +44 -0
package/LICENSE +21 -0
package/README.md +164 -0
package/dist/endpoint.d.ts +65 -0
package/dist/endpoint.d.ts.map +1 -0
package/dist/endpoint.js +22 -0
package/dist/endpoints/admin-ai-playground.d.ts +93 -0
package/dist/endpoints/admin-ai-playground.d.ts.map +1 -0
package/dist/endpoints/admin-ai-playground.js +37 -0
package/dist/endpoints/admin-anomalies.d.ts +108 -0
package/dist/endpoints/admin-anomalies.d.ts.map +1 -0
package/dist/endpoints/admin-anomalies.js +72 -0
package/dist/endpoints/admin-apm.d.ts +102 -0
package/dist/endpoints/admin-apm.d.ts.map +1 -0
package/dist/endpoints/admin-apm.js +70 -0
package/dist/endpoints/admin-audit.d.ts +714 -0
package/dist/endpoints/admin-audit.d.ts.map +1 -0
package/dist/endpoints/admin-audit.js +494 -0
package/dist/endpoints/admin-billing.d.ts +82 -0
package/dist/endpoints/admin-billing.d.ts.map +1 -0
package/dist/endpoints/admin-billing.js +190 -0
package/dist/endpoints/admin-bootstrap.d.ts +16 -0
package/dist/endpoints/admin-bootstrap.d.ts.map +1 -0
package/dist/endpoints/admin-bootstrap.js +28 -0
package/dist/endpoints/admin-broadcasts.d.ts +105 -0
package/dist/endpoints/admin-broadcasts.d.ts.map +1 -0
package/dist/endpoints/admin-broadcasts.js +60 -0
package/dist/endpoints/admin-builds.d.ts +33 -0
package/dist/endpoints/admin-builds.d.ts.map +1 -0
package/dist/endpoints/admin-builds.js +36 -0
package/dist/endpoints/admin-config.d.ts +180 -0
package/dist/endpoints/admin-config.d.ts.map +1 -0
package/dist/endpoints/admin-config.js +108 -0
package/dist/endpoints/admin-consent.d.ts +123 -0
package/dist/endpoints/admin-consent.d.ts.map +1 -0
package/dist/endpoints/admin-consent.js +126 -0
package/dist/endpoints/admin-env-services.d.ts +28 -0
package/dist/endpoints/admin-env-services.d.ts.map +1 -0
package/dist/endpoints/admin-env-services.js +35 -0
package/dist/endpoints/admin-impersonation.d.ts +105 -0
package/dist/endpoints/admin-impersonation.d.ts.map +1 -0
package/dist/endpoints/admin-impersonation.js +88 -0
package/dist/endpoints/admin-invitations.d.ts +73 -0
package/dist/endpoints/admin-invitations.d.ts.map +1 -0
package/dist/endpoints/admin-invitations.js +55 -0
package/dist/endpoints/admin-jwt-keys.d.ts +75 -0
package/dist/endpoints/admin-jwt-keys.d.ts.map +1 -0
package/dist/endpoints/admin-jwt-keys.js +63 -0
package/dist/endpoints/admin-logs.d.ts +109 -0
package/dist/endpoints/admin-logs.d.ts.map +1 -0
package/dist/endpoints/admin-logs.js +78 -0
package/dist/endpoints/admin-plans.d.ts +63 -0
package/dist/endpoints/admin-plans.d.ts.map +1 -0
package/dist/endpoints/admin-plans.js +47 -0
package/dist/endpoints/admin-project-users.d.ts +148 -0
package/dist/endpoints/admin-project-users.d.ts.map +1 -0
package/dist/endpoints/admin-project-users.js +89 -0
package/dist/endpoints/admin-projects.d.ts +124 -0
package/dist/endpoints/admin-projects.d.ts.map +1 -0
package/dist/endpoints/admin-projects.js +74 -0
package/dist/endpoints/admin-quotas.d.ts +98 -0
package/dist/endpoints/admin-quotas.d.ts.map +1 -0
package/dist/endpoints/admin-quotas.js +67 -0
package/dist/endpoints/admin-rate-limits.d.ts +50 -0
package/dist/endpoints/admin-rate-limits.d.ts.map +1 -0
package/dist/endpoints/admin-rate-limits.js +53 -0
package/dist/endpoints/admin-reconcile.d.ts +28 -0
package/dist/endpoints/admin-reconcile.d.ts.map +1 -0
package/dist/endpoints/admin-reconcile.js +33 -0
package/dist/endpoints/admin-resources.d.ts +51 -0
package/dist/endpoints/admin-resources.d.ts.map +1 -0
package/dist/endpoints/admin-resources.js +53 -0
package/dist/endpoints/admin-secrets.d.ts +41 -0
package/dist/endpoints/admin-secrets.d.ts.map +1 -0
package/dist/endpoints/admin-secrets.js +33 -0
package/dist/endpoints/admin-services.d.ts +29 -0
package/dist/endpoints/admin-services.d.ts.map +1 -0
package/dist/endpoints/admin-services.js +35 -0
package/dist/endpoints/admin-tasks.d.ts +186 -0
package/dist/endpoints/admin-tasks.d.ts.map +1 -0
package/dist/endpoints/admin-tasks.js +67 -0
package/dist/endpoints/admin-tenants.d.ts +26 -0
package/dist/endpoints/admin-tenants.d.ts.map +1 -0
package/dist/endpoints/admin-tenants.js +30 -0
package/dist/endpoints/admin-traces.d.ts +124 -0
package/dist/endpoints/admin-traces.d.ts.map +1 -0
package/dist/endpoints/admin-traces.js +59 -0
package/dist/endpoints/admin-users.d.ts +106 -0
package/dist/endpoints/admin-users.d.ts.map +1 -0
package/dist/endpoints/admin-users.js +83 -0
package/dist/endpoints/admin-webhook-signature-versions.d.ts +59 -0
package/dist/endpoints/admin-webhook-signature-versions.d.ts.map +1 -0
package/dist/endpoints/admin-webhook-signature-versions.js +57 -0
package/dist/endpoints/ai-admin.d.ts +30 -0
package/dist/endpoints/ai-admin.d.ts.map +1 -0
package/dist/endpoints/ai-admin.js +59 -0
package/dist/endpoints/analytics-admin.d.ts +279 -0
package/dist/endpoints/analytics-admin.d.ts.map +1 -0
package/dist/endpoints/analytics-admin.js +308 -0
package/dist/endpoints/analytics.d.ts +58 -0
package/dist/endpoints/analytics.d.ts.map +1 -0
package/dist/endpoints/analytics.js +43 -0
package/dist/endpoints/audit-chain.d.ts +49 -0
package/dist/endpoints/audit-chain.d.ts.map +1 -0
package/dist/endpoints/audit-chain.js +29 -0
package/dist/endpoints/audit.d.ts +50 -0
package/dist/endpoints/audit.d.ts.map +1 -0
package/dist/endpoints/audit.js +30 -0
package/dist/endpoints/auth-admin.d.ts +65 -0
package/dist/endpoints/auth-admin.d.ts.map +1 -0
package/dist/endpoints/auth-admin.js +55 -0
package/dist/endpoints/auth.d.ts +157 -0
package/dist/endpoints/auth.d.ts.map +1 -0
package/dist/endpoints/auth.js +214 -0
package/dist/endpoints/backups.d.ts +51 -0
package/dist/endpoints/backups.d.ts.map +1 -0
package/dist/endpoints/backups.js +47 -0
package/dist/endpoints/billing-console.d.ts +294 -0
package/dist/endpoints/billing-console.d.ts.map +1 -0
package/dist/endpoints/billing-console.js +167 -0
package/dist/endpoints/billing-settings.d.ts +107 -0
package/dist/endpoints/billing-settings.d.ts.map +1 -0
package/dist/endpoints/billing-settings.js +117 -0
package/dist/endpoints/branch-databases.d.ts +75 -0
package/dist/endpoints/branch-databases.d.ts.map +1 -0
package/dist/endpoints/branch-databases.js +61 -0
package/dist/endpoints/challenge.d.ts +62 -0
package/dist/endpoints/challenge.d.ts.map +1 -0
package/dist/endpoints/challenge.js +52 -0
package/dist/endpoints/ci-settings.d.ts +89 -0
package/dist/endpoints/ci-settings.d.ts.map +1 -0
package/dist/endpoints/ci-settings.js +78 -0
package/dist/endpoints/consent-admin.d.ts +134 -0
package/dist/endpoints/consent-admin.d.ts.map +1 -0
package/dist/endpoints/consent-admin.js +83 -0
package/dist/endpoints/databases.d.ts +251 -0
package/dist/endpoints/databases.d.ts.map +1 -0
package/dist/endpoints/databases.js +150 -0
package/dist/endpoints/deployments.d.ts +280 -0
package/dist/endpoints/deployments.d.ts.map +1 -0
package/dist/endpoints/deployments.js +205 -0
package/dist/endpoints/domains.d.ts +356 -0
package/dist/endpoints/domains.d.ts.map +1 -0
package/dist/endpoints/domains.js +149 -0
package/dist/endpoints/edge-deployments.d.ts +92 -0
package/dist/endpoints/edge-deployments.d.ts.map +1 -0
package/dist/endpoints/edge-deployments.js +58 -0
package/dist/endpoints/email-admin.d.ts +415 -0
package/dist/endpoints/email-admin.d.ts.map +1 -0
package/dist/endpoints/email-admin.js +253 -0
package/dist/endpoints/email.d.ts +37 -0
package/dist/endpoints/email.d.ts.map +1 -0
package/dist/endpoints/email.js +42 -0
package/dist/endpoints/engagement-admin.d.ts +98 -0
package/dist/endpoints/engagement-admin.d.ts.map +1 -0
package/dist/endpoints/engagement-admin.js +64 -0
package/dist/endpoints/env-vars.d.ts +66 -0
package/dist/endpoints/env-vars.d.ts.map +1 -0
package/dist/endpoints/env-vars.js +47 -0
package/dist/endpoints/environments.d.ts +456 -0
package/dist/endpoints/environments.d.ts.map +1 -0
package/dist/endpoints/environments.js +237 -0
package/dist/endpoints/experiments.d.ts +500 -0
package/dist/endpoints/experiments.d.ts.map +1 -0
package/dist/endpoints/experiments.js +93 -0
package/dist/endpoints/flags-admin.d.ts +74 -0
package/dist/endpoints/flags-admin.d.ts.map +1 -0
package/dist/endpoints/flags-admin.js +84 -0
package/dist/endpoints/flags.d.ts +23 -0
package/dist/endpoints/flags.d.ts.map +1 -0
package/dist/endpoints/flags.js +17 -0
package/dist/endpoints/github.d.ts +30 -0
package/dist/endpoints/github.d.ts.map +1 -0
package/dist/endpoints/github.js +37 -0
package/dist/endpoints/image-opt.d.ts +43 -0
package/dist/endpoints/image-opt.d.ts.map +1 -0
package/dist/endpoints/image-opt.js +44 -0
package/dist/endpoints/kv-admin.d.ts +58 -0
package/dist/endpoints/kv-admin.d.ts.map +1 -0
package/dist/endpoints/kv-admin.js +69 -0
package/dist/endpoints/kv.d.ts +63 -0
package/dist/endpoints/kv.d.ts.map +1 -0
package/dist/endpoints/kv.js +82 -0
package/dist/endpoints/monitoring-admin.d.ts +204 -0
package/dist/endpoints/monitoring-admin.d.ts.map +1 -0
package/dist/endpoints/monitoring-admin.js +119 -0
package/dist/endpoints/monitoring.d.ts +63 -0
package/dist/endpoints/monitoring.d.ts.map +1 -0
package/dist/endpoints/monitoring.js +27 -0
package/dist/endpoints/newsletter.d.ts +366 -0
package/dist/endpoints/newsletter.d.ts.map +1 -0
package/dist/endpoints/newsletter.js +232 -0
package/dist/endpoints/notifications-admin.d.ts +268 -0
package/dist/endpoints/notifications-admin.d.ts.map +1 -0
package/dist/endpoints/notifications-admin.js +172 -0
package/dist/endpoints/notifications.d.ts +225 -0
package/dist/endpoints/notifications.d.ts.map +1 -0
package/dist/endpoints/notifications.js +150 -0
package/dist/endpoints/oidc.d.ts +67 -0
package/dist/endpoints/oidc.d.ts.map +1 -0
package/dist/endpoints/oidc.js +49 -0
package/dist/endpoints/organizations.d.ts +702 -0
package/dist/endpoints/organizations.d.ts.map +1 -0
package/dist/endpoints/organizations.js +460 -0
package/dist/endpoints/plans.d.ts +136 -0
package/dist/endpoints/plans.d.ts.map +1 -0
package/dist/endpoints/plans.js +83 -0
package/dist/endpoints/privacy.d.ts +131 -0
package/dist/endpoints/privacy.d.ts.map +1 -0
package/dist/endpoints/privacy.js +98 -0
package/dist/endpoints/project-manifest.d.ts +1044 -0
package/dist/endpoints/project-manifest.d.ts.map +1 -0
package/dist/endpoints/project-manifest.js +59 -0
package/dist/endpoints/projects.d.ts +187 -0
package/dist/endpoints/projects.d.ts.map +1 -0
package/dist/endpoints/projects.js +58 -0
package/dist/endpoints/rate-limits.d.ts +83 -0
package/dist/endpoints/rate-limits.d.ts.map +1 -0
package/dist/endpoints/rate-limits.js +54 -0
package/dist/endpoints/realtime-admin.d.ts +42 -0
package/dist/endpoints/realtime-admin.d.ts.map +1 -0
package/dist/endpoints/realtime-admin.js +50 -0
package/dist/endpoints/realtime.d.ts +35 -0
package/dist/endpoints/realtime.d.ts.map +1 -0
package/dist/endpoints/realtime.js +39 -0
package/dist/endpoints/referrals-admin.d.ts +118 -0
package/dist/endpoints/referrals-admin.d.ts.map +1 -0
package/dist/endpoints/referrals-admin.js +59 -0
package/dist/endpoints/refresh.d.ts +19 -0
package/dist/endpoints/refresh.d.ts.map +1 -0
package/dist/endpoints/refresh.js +25 -0
package/dist/endpoints/regions.d.ts +41 -0
package/dist/endpoints/regions.d.ts.map +1 -0
package/dist/endpoints/regions.js +43 -0
package/dist/endpoints/runners.d.ts +55 -0
package/dist/endpoints/runners.d.ts.map +1 -0
package/dist/endpoints/runners.js +45 -0
package/dist/endpoints/saml.d.ts +147 -0
package/dist/endpoints/saml.d.ts.map +1 -0
package/dist/endpoints/saml.js +106 -0
package/dist/endpoints/search.d.ts +62 -0
package/dist/endpoints/search.d.ts.map +1 -0
package/dist/endpoints/search.js +40 -0
package/dist/endpoints/secrets.d.ts +95 -0
package/dist/endpoints/secrets.d.ts.map +1 -0
package/dist/endpoints/secrets.js +81 -0
package/dist/endpoints/security.d.ts +231 -0
package/dist/endpoints/security.d.ts.map +1 -0
package/dist/endpoints/security.js +291 -0
package/dist/endpoints/service-tokens.d.ts +392 -0
package/dist/endpoints/service-tokens.d.ts.map +1 -0
package/dist/endpoints/service-tokens.js +125 -0
package/dist/endpoints/session-replay.d.ts +142 -0
package/dist/endpoints/session-replay.d.ts.map +1 -0
package/dist/endpoints/session-replay.js +53 -0
package/dist/endpoints/storage-admin.d.ts +96 -0
package/dist/endpoints/storage-admin.d.ts.map +1 -0
package/dist/endpoints/storage-admin.js +113 -0
package/dist/endpoints/storage.d.ts +167 -0
package/dist/endpoints/storage.d.ts.map +1 -0
package/dist/endpoints/storage.js +117 -0
package/dist/endpoints/tasks.d.ts +141 -0
package/dist/endpoints/tasks.d.ts.map +1 -0
package/dist/endpoints/tasks.js +97 -0
package/dist/endpoints/users.d.ts +103 -0
package/dist/endpoints/users.d.ts.map +1 -0
package/dist/endpoints/users.js +98 -0
package/dist/endpoints/webhooks.d.ts +201 -0
package/dist/endpoints/webhooks.d.ts.map +1 -0
package/dist/endpoints/webhooks.js +120 -0
package/dist/errors.d.ts +153 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +73 -0
package/dist/index.d.ts +12303 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +390 -0
package/dist/schemas/_primitives.d.ts +37 -0
package/dist/schemas/_primitives.d.ts.map +1 -0
package/dist/schemas/_primitives.js +38 -0
package/dist/schemas/admin-ai-playground.d.ts +128 -0
package/dist/schemas/admin-ai-playground.d.ts.map +1 -0
package/dist/schemas/admin-ai-playground.js +84 -0
package/dist/schemas/admin-anomalies.d.ts +131 -0
package/dist/schemas/admin-anomalies.d.ts.map +1 -0
package/dist/schemas/admin-anomalies.js +106 -0
package/dist/schemas/admin-apm.d.ts +151 -0
package/dist/schemas/admin-apm.d.ts.map +1 -0
package/dist/schemas/admin-apm.js +96 -0
package/dist/schemas/admin-audit.d.ts +625 -0
package/dist/schemas/admin-audit.d.ts.map +1 -0
package/dist/schemas/admin-audit.js +508 -0
package/dist/schemas/admin-billing.d.ts +73 -0
package/dist/schemas/admin-billing.d.ts.map +1 -0
package/dist/schemas/admin-billing.js +60 -0
package/dist/schemas/admin-bootstrap.d.ts +32 -0
package/dist/schemas/admin-bootstrap.d.ts.map +1 -0
package/dist/schemas/admin-bootstrap.js +37 -0
package/dist/schemas/admin-broadcasts.d.ts +181 -0
package/dist/schemas/admin-broadcasts.d.ts.map +1 -0
package/dist/schemas/admin-broadcasts.js +93 -0
package/dist/schemas/admin-builds.d.ts +108 -0
package/dist/schemas/admin-builds.d.ts.map +1 -0
package/dist/schemas/admin-builds.js +127 -0
package/dist/schemas/admin-config.d.ts +248 -0
package/dist/schemas/admin-config.d.ts.map +1 -0
package/dist/schemas/admin-config.js +145 -0
package/dist/schemas/admin-consent.d.ts +129 -0
package/dist/schemas/admin-consent.d.ts.map +1 -0
package/dist/schemas/admin-consent.js +76 -0
package/dist/schemas/admin-env-services.d.ts +63 -0
package/dist/schemas/admin-env-services.d.ts.map +1 -0
package/dist/schemas/admin-env-services.js +81 -0
package/dist/schemas/admin-impersonation.d.ts +150 -0
package/dist/schemas/admin-impersonation.d.ts.map +1 -0
package/dist/schemas/admin-impersonation.js +114 -0
package/dist/schemas/admin-invitations.d.ts +119 -0
package/dist/schemas/admin-invitations.d.ts.map +1 -0
package/dist/schemas/admin-invitations.js +80 -0
package/dist/schemas/admin-jwt-keys.d.ts +130 -0
package/dist/schemas/admin-jwt-keys.d.ts.map +1 -0
package/dist/schemas/admin-jwt-keys.js +83 -0
package/dist/schemas/admin-logs.d.ts +170 -0
package/dist/schemas/admin-logs.d.ts.map +1 -0
package/dist/schemas/admin-logs.js +108 -0
package/dist/schemas/admin-plans.d.ts +92 -0
package/dist/schemas/admin-plans.d.ts.map +1 -0
package/dist/schemas/admin-plans.js +62 -0
package/dist/schemas/admin-project-users.d.ts +183 -0
package/dist/schemas/admin-project-users.d.ts.map +1 -0
package/dist/schemas/admin-project-users.js +108 -0
package/dist/schemas/admin-projects.d.ts +237 -0
package/dist/schemas/admin-projects.d.ts.map +1 -0
package/dist/schemas/admin-projects.js +129 -0
package/dist/schemas/admin-quotas.d.ts +161 -0
package/dist/schemas/admin-quotas.d.ts.map +1 -0
package/dist/schemas/admin-quotas.js +107 -0
package/dist/schemas/admin-rate-limits.d.ts +90 -0
package/dist/schemas/admin-rate-limits.d.ts.map +1 -0
package/dist/schemas/admin-rate-limits.js +72 -0
package/dist/schemas/admin-reconcile.d.ts +89 -0
package/dist/schemas/admin-reconcile.d.ts.map +1 -0
package/dist/schemas/admin-reconcile.js +86 -0
package/dist/schemas/admin-resources.d.ts +129 -0
package/dist/schemas/admin-resources.d.ts.map +1 -0
package/dist/schemas/admin-resources.js +143 -0
package/dist/schemas/admin-secrets.d.ts +113 -0
package/dist/schemas/admin-secrets.d.ts.map +1 -0
package/dist/schemas/admin-secrets.js +94 -0
package/dist/schemas/admin-services.d.ts +71 -0
package/dist/schemas/admin-services.d.ts.map +1 -0
package/dist/schemas/admin-services.js +61 -0
package/dist/schemas/admin-tasks.d.ts +239 -0
package/dist/schemas/admin-tasks.d.ts.map +1 -0
package/dist/schemas/admin-tasks.js +103 -0
package/dist/schemas/admin-tenants.d.ts +45 -0
package/dist/schemas/admin-tenants.d.ts.map +1 -0
package/dist/schemas/admin-tenants.js +54 -0
package/dist/schemas/admin-traces.d.ts +203 -0
package/dist/schemas/admin-traces.d.ts.map +1 -0
package/dist/schemas/admin-traces.js +128 -0
package/dist/schemas/admin-users.d.ts +158 -0
package/dist/schemas/admin-users.d.ts.map +1 -0
package/dist/schemas/admin-users.js +110 -0
package/dist/schemas/admin-webhook-signature-versions.d.ts +103 -0
package/dist/schemas/admin-webhook-signature-versions.d.ts.map +1 -0
package/dist/schemas/admin-webhook-signature-versions.js +73 -0
package/dist/schemas/ai-admin.d.ts +39 -0
package/dist/schemas/ai-admin.d.ts.map +1 -0
package/dist/schemas/ai-admin.js +29 -0
package/dist/schemas/ai.d.ts +120 -0
package/dist/schemas/ai.d.ts.map +1 -0
package/dist/schemas/ai.js +84 -0
package/dist/schemas/analytics-admin.d.ts +104 -0
package/dist/schemas/analytics-admin.d.ts.map +1 -0
package/dist/schemas/analytics-admin.js +61 -0
package/dist/schemas/analytics.d.ts +118 -0
package/dist/schemas/analytics.d.ts.map +1 -0
package/dist/schemas/analytics.js +80 -0
package/dist/schemas/audit-chain.d.ts +81 -0
package/dist/schemas/audit-chain.d.ts.map +1 -0
package/dist/schemas/audit-chain.js +62 -0
package/dist/schemas/auth-admin.d.ts +55 -0
package/dist/schemas/auth-admin.d.ts.map +1 -0
package/dist/schemas/auth-admin.js +48 -0
package/dist/schemas/auth.d.ts +865 -0
package/dist/schemas/auth.d.ts.map +1 -0
package/dist/schemas/auth.js +815 -0
package/dist/schemas/backups.d.ts +70 -0
package/dist/schemas/backups.d.ts.map +1 -0
package/dist/schemas/backups.js +38 -0
package/dist/schemas/billing-console.d.ts +414 -0
package/dist/schemas/billing-console.d.ts.map +1 -0
package/dist/schemas/billing-console.js +298 -0
package/dist/schemas/billing-settings.d.ts +156 -0
package/dist/schemas/billing-settings.d.ts.map +1 -0
package/dist/schemas/billing-settings.js +119 -0
package/dist/schemas/billing.d.ts +211 -0
package/dist/schemas/billing.d.ts.map +1 -0
package/dist/schemas/billing.js +147 -0
package/dist/schemas/branch-database.d.ts +98 -0
package/dist/schemas/branch-database.d.ts.map +1 -0
package/dist/schemas/branch-database.js +68 -0
package/dist/schemas/challenge.d.ts +104 -0
package/dist/schemas/challenge.d.ts.map +1 -0
package/dist/schemas/challenge.js +74 -0
package/dist/schemas/ci-settings.d.ts +122 -0
package/dist/schemas/ci-settings.d.ts.map +1 -0
package/dist/schemas/ci-settings.js +65 -0
package/dist/schemas/consent-admin.d.ts +187 -0
package/dist/schemas/consent-admin.d.ts.map +1 -0
package/dist/schemas/consent-admin.js +114 -0
package/dist/schemas/consent.d.ts +78 -0
package/dist/schemas/consent.d.ts.map +1 -0
package/dist/schemas/consent.js +68 -0
package/dist/schemas/database.d.ts +104 -0
package/dist/schemas/database.d.ts.map +1 -0
package/dist/schemas/database.js +89 -0
package/dist/schemas/deployment.d.ts +386 -0
package/dist/schemas/deployment.d.ts.map +1 -0
package/dist/schemas/deployment.js +282 -0
package/dist/schemas/domain.d.ts +148 -0
package/dist/schemas/domain.d.ts.map +1 -0
package/dist/schemas/domain.js +86 -0
package/dist/schemas/edge-deployments.d.ts +140 -0
package/dist/schemas/edge-deployments.d.ts.map +1 -0
package/dist/schemas/edge-deployments.js +87 -0
package/dist/schemas/email-admin.d.ts +384 -0
package/dist/schemas/email-admin.d.ts.map +1 -0
package/dist/schemas/email-admin.js +313 -0
package/dist/schemas/email.d.ts +46 -0
package/dist/schemas/email.d.ts.map +1 -0
package/dist/schemas/email.js +34 -0
package/dist/schemas/engagement-admin.d.ts +148 -0
package/dist/schemas/engagement-admin.d.ts.map +1 -0
package/dist/schemas/engagement-admin.js +107 -0
package/dist/schemas/env-var.d.ts +68 -0
package/dist/schemas/env-var.d.ts.map +1 -0
package/dist/schemas/env-var.js +52 -0
package/dist/schemas/environment.d.ts +392 -0
package/dist/schemas/environment.d.ts.map +1 -0
package/dist/schemas/environment.js +211 -0
package/dist/schemas/experiments.d.ts +540 -0
package/dist/schemas/experiments.d.ts.map +1 -0
package/dist/schemas/experiments.js +150 -0
package/dist/schemas/flags-admin.d.ts +112 -0
package/dist/schemas/flags-admin.d.ts.map +1 -0
package/dist/schemas/flags-admin.js +84 -0
package/dist/schemas/flags.d.ts +43 -0
package/dist/schemas/flags.d.ts.map +1 -0
package/dist/schemas/flags.js +27 -0
package/dist/schemas/github.d.ts +34 -0
package/dist/schemas/github.d.ts.map +1 -0
package/dist/schemas/github.js +24 -0
package/dist/schemas/ids.d.ts +39 -0
package/dist/schemas/ids.d.ts.map +1 -0
package/dist/schemas/ids.js +26 -0
package/dist/schemas/image-opt.d.ts +70 -0
package/dist/schemas/image-opt.d.ts.map +1 -0
package/dist/schemas/image-opt.js +68 -0
package/dist/schemas/kv-admin.d.ts +60 -0
package/dist/schemas/kv-admin.d.ts.map +1 -0
package/dist/schemas/kv-admin.js +43 -0
package/dist/schemas/kv.d.ts +79 -0
package/dist/schemas/kv.d.ts.map +1 -0
package/dist/schemas/kv.js +54 -0
package/dist/schemas/monitoring-admin.d.ts +314 -0
package/dist/schemas/monitoring-admin.d.ts.map +1 -0
package/dist/schemas/monitoring-admin.js +196 -0
package/dist/schemas/monitoring.d.ts +143 -0
package/dist/schemas/monitoring.d.ts.map +1 -0
package/dist/schemas/monitoring.js +96 -0
package/dist/schemas/newsletter.d.ts +366 -0
package/dist/schemas/newsletter.d.ts.map +1 -0
package/dist/schemas/newsletter.js +245 -0
package/dist/schemas/notifications-admin.d.ts +337 -0
package/dist/schemas/notifications-admin.d.ts.map +1 -0
package/dist/schemas/notifications-admin.js +261 -0
package/dist/schemas/notifications.d.ts +312 -0
package/dist/schemas/notifications.d.ts.map +1 -0
package/dist/schemas/notifications.js +235 -0
package/dist/schemas/oidc.d.ts +74 -0
package/dist/schemas/oidc.d.ts.map +1 -0
package/dist/schemas/oidc.js +46 -0
package/dist/schemas/organization-billing.d.ts +165 -0
package/dist/schemas/organization-billing.d.ts.map +1 -0
package/dist/schemas/organization-billing.js +156 -0
package/dist/schemas/organization-project-users.d.ts +126 -0
package/dist/schemas/organization-project-users.d.ts.map +1 -0
package/dist/schemas/organization-project-users.js +88 -0
package/dist/schemas/organization-projects.d.ts +129 -0
package/dist/schemas/organization-projects.d.ts.map +1 -0
package/dist/schemas/organization-projects.js +119 -0
package/dist/schemas/organization-referrals.d.ts +129 -0
package/dist/schemas/organization-referrals.d.ts.map +1 -0
package/dist/schemas/organization-referrals.js +126 -0
package/dist/schemas/organization-team.d.ts +123 -0
package/dist/schemas/organization-team.d.ts.map +1 -0
package/dist/schemas/organization-team.js +119 -0
package/dist/schemas/organization.d.ts +210 -0
package/dist/schemas/organization.d.ts.map +1 -0
package/dist/schemas/organization.js +169 -0
package/dist/schemas/plans.d.ts +211 -0
package/dist/schemas/plans.d.ts.map +1 -0
package/dist/schemas/plans.js +131 -0
package/dist/schemas/privacy.d.ts +174 -0
package/dist/schemas/privacy.d.ts.map +1 -0
package/dist/schemas/privacy.js +132 -0
package/dist/schemas/project-manifest.d.ts +1421 -0
package/dist/schemas/project-manifest.d.ts.map +1 -0
package/dist/schemas/project-manifest.js +318 -0
package/dist/schemas/project.d.ts +132 -0
package/dist/schemas/project.d.ts.map +1 -0
package/dist/schemas/project.js +76 -0
package/dist/schemas/realtime-admin.d.ts +51 -0
package/dist/schemas/realtime-admin.d.ts.map +1 -0
package/dist/schemas/realtime-admin.js +29 -0
package/dist/schemas/realtime.d.ts +46 -0
package/dist/schemas/realtime.d.ts.map +1 -0
package/dist/schemas/realtime.js +32 -0
package/dist/schemas/referrals-admin.d.ts +166 -0
package/dist/schemas/referrals-admin.d.ts.map +1 -0
package/dist/schemas/referrals-admin.js +123 -0
package/dist/schemas/referrals.d.ts +148 -0
package/dist/schemas/referrals.d.ts.map +1 -0
package/dist/schemas/referrals.js +102 -0
package/dist/schemas/refresh.d.ts +29 -0
package/dist/schemas/refresh.d.ts.map +1 -0
package/dist/schemas/refresh.js +18 -0
package/dist/schemas/region.d.ts +118 -0
package/dist/schemas/region.d.ts.map +1 -0
package/dist/schemas/region.js +86 -0
package/dist/schemas/resources.d.ts +345 -0
package/dist/schemas/resources.d.ts.map +1 -0
package/dist/schemas/resources.js +220 -0
package/dist/schemas/runners.d.ts +93 -0
package/dist/schemas/runners.d.ts.map +1 -0
package/dist/schemas/runners.js +49 -0
package/dist/schemas/saml.d.ts +254 -0
package/dist/schemas/saml.d.ts.map +1 -0
package/dist/schemas/saml.js +159 -0
package/dist/schemas/search.d.ts +96 -0
package/dist/schemas/search.d.ts.map +1 -0
package/dist/schemas/search.js +57 -0
package/dist/schemas/secret.d.ts +101 -0
package/dist/schemas/secret.d.ts.map +1 -0
package/dist/schemas/secret.js +79 -0
package/dist/schemas/security.d.ts +345 -0
package/dist/schemas/security.d.ts.map +1 -0
package/dist/schemas/security.js +248 -0
package/dist/schemas/service-tokens.d.ts +342 -0
package/dist/schemas/service-tokens.d.ts.map +1 -0
package/dist/schemas/service-tokens.js +101 -0
package/dist/schemas/session-replay.d.ts +285 -0
package/dist/schemas/session-replay.d.ts.map +1 -0
package/dist/schemas/session-replay.js +145 -0
package/dist/schemas/storage-admin.d.ts +351 -0
package/dist/schemas/storage-admin.d.ts.map +1 -0
package/dist/schemas/storage-admin.js +197 -0
package/dist/schemas/storage.d.ts +257 -0
package/dist/schemas/storage.d.ts.map +1 -0
package/dist/schemas/storage.js +173 -0
package/dist/schemas/tasks.d.ts +178 -0
package/dist/schemas/tasks.d.ts.map +1 -0
package/dist/schemas/tasks.js +102 -0
package/dist/schemas/user.d.ts +103 -0
package/dist/schemas/user.d.ts.map +1 -0
package/dist/schemas/user.js +79 -0
package/dist/schemas/webhooks.d.ts +259 -0
package/dist/schemas/webhooks.d.ts.map +1 -0
package/dist/schemas/webhooks.js +198 -0
package/package.json +154 -0

package/dist/schemas/admin-resources.d.ts ADDED Viewed

@@ -0,0 +1,129 @@
+/**
+ * Admin Resources — operator recovery schemas (OPS-3).
+ *
+ * Mirrors `apps/api/src/server/platform/routes/admin/resources.ts`.
+ * Replaces the manual `DELETE FROM managed_resources WHERE id=...` from
+ * `docs/how-to/teardown-failure.md` (lines 113, 131) with a structured
+ * admin endpoint.
+ *
+ * Plane: `admin` (super-admin / scoped service-token only — scope
+ * `platform:resources:forcedelete`).
+ *
+ * Sibling slice OPS-2 (reseal) extends this file with its own schemas
+ * when it lands; keeping both under `admin-resources` so the audit
+ * `resourceType='managed_resource'` aligns with the surface name.
+ */
+import { Schema } from 'effect';
+/**
+ * Path param for `DELETE /admin/resources/:id`. Matches the TypeID grammar
+ * (`res_xxx`) — invalid input returns 400 at the validator boundary.
+ */
+export declare const AdminResourceIdParams: Schema.Struct<{
+    id: Schema.filter<typeof Schema.String>;
+}>;
+export type AdminResourceIdParams = typeof AdminResourceIdParams.Type;
+/**
+ * Query parameters for `DELETE /admin/resources/:id`.
+ *
+ * Semantics:
+ *
+ *   - `reason`       — required. Goes verbatim into the audit row.
+ *   - `cascade`      — when `true`, also tears down dependent rows (PITR
+ *                       restore points, project_platform_resources binding,
+ *                       project_resource_bindings rows). Default `false`.
+ *   - `reallyForce`  — escape hatch for rows whose `reconcile_status` is
+ *                       NOT `terminating`. Default `false`. The endpoint
+ *                       refuses the row otherwise (the reconciler should
+ *                       drive normal teardown — only rows already in
+ *                       `terminating` are valid candidates here).
+ */
+export declare const AdminResourceForceDeleteQuery: Schema.Struct<{
+    reason: Schema.filter<Schema.filter<typeof Schema.String>>;
+    cascade: Schema.optional<Schema.transform<Schema.Union<[Schema.Literal<["true"]>, Schema.Literal<["false"]>]>, typeof Schema.Boolean>>;
+    reallyForce: Schema.optional<Schema.transform<Schema.Union<[Schema.Literal<["true"]>, Schema.Literal<["false"]>]>, typeof Schema.Boolean>>;
+}>;
+export type AdminResourceForceDeleteQuery = typeof AdminResourceForceDeleteQuery.Type;
+/**
+ * Response envelope.
+ *
+ *   - `id`              — TypeID (`res_xxx`) of the row that was deleted.
+ *   - `previousStatus`  — `reconcile_status` value the row carried just
+ *                          before the DELETE landed. Operators use this to
+ *                          confirm the row was in `terminating` (or that
+ *                          `--really-force` was the override path).
+ *   - `cascade`         — echo of the request flag.
+ *   - `reallyForce`     — echo of the request flag.
+ *   - `dependentsDeleted` — count of dependent rows additionally removed
+ *                            when cascade was true (PITR restore points,
+ *                            platform binding, project resource bindings).
+ *                            Always 0 when cascade=false.
+ */
+export declare const AdminResourceForceDeleteResult: Schema.Struct<{
+    id: typeof Schema.String;
+    previousStatus: typeof Schema.String;
+    cascade: typeof Schema.Boolean;
+    reallyForce: typeof Schema.Boolean;
+    dependentsDeleted: typeof Schema.Number;
+}>;
+export type AdminResourceForceDeleteResult = typeof AdminResourceForceDeleteResult.Type;
+/**
+ * Body of `POST /admin/resources/reseal`.
+ *
+ *   - `keyId`  — the active KEK ID the operator believes the platform
+ *                is serving with. The endpoint refuses with 409 if the
+ *                live ring's `activeKeyId` does not match — protecting
+ *                against split-brain rotations where two operators race.
+ *   - `filter` — reserved (see `ResealFilter`). Today the endpoint walks
+ *                the canonical `buildRotationFields()` registry for ALL
+ *                rows whose envelope is not under the active key; the
+ *                filter is accepted but logged as ignored. When per-
+ *                row scoping ships, the registry adapter will honour it.
+ *
+ * Idempotent: re-running with the same `keyId` rewrites zero rows once
+ * the registry has converged.
+ */
+export declare const AdminResourceResealInput: Schema.Struct<{
+    keyId: Schema.filter<Schema.filter<Schema.filter<typeof Schema.String>>>;
+    filter: Schema.optional<Schema.Struct<{
+        projectId: Schema.optional<typeof Schema.String>;
+        envId: Schema.optional<typeof Schema.String>;
+    }>>;
+}>;
+export type AdminResourceResealInput = typeof AdminResourceResealInput.Type;
+/**
+ * Per-field result. Mirrors `RotationFieldResult` from
+ * `packages/core/src/lib/crypto/rotation.ts` so the wire format stays a
+ * faithful projection of the in-process struct.
+ */
+export declare const AdminResourceResealFieldResult: Schema.Struct<{
+    fieldName: typeof Schema.String;
+    rowsSeen: typeof Schema.Number;
+    rowsRotated: typeof Schema.Number;
+    rowsFailed: typeof Schema.Number;
+    failures: Schema.Array$<Schema.Struct<{
+        id: typeof Schema.String;
+        reason: typeof Schema.String;
+    }>>;
+}>;
+export type AdminResourceResealFieldResult = typeof AdminResourceResealFieldResult.Type;
+/**
+ * Response envelope. `activeKeyId` is the server's authoritative answer
+ * (echo of the input on success).
+ */
+export declare const AdminResourceResealResult: Schema.Struct<{
+    activeKeyId: typeof Schema.String;
+    totalRotated: typeof Schema.Number;
+    totalFailed: typeof Schema.Number;
+    fields: Schema.Array$<Schema.Struct<{
+        fieldName: typeof Schema.String;
+        rowsSeen: typeof Schema.Number;
+        rowsRotated: typeof Schema.Number;
+        rowsFailed: typeof Schema.Number;
+        failures: Schema.Array$<Schema.Struct<{
+            id: typeof Schema.String;
+            reason: typeof Schema.String;
+        }>>;
+    }>>;
+}>;
+export type AdminResourceResealResult = typeof AdminResourceResealResult.Type;
+//# sourceMappingURL=admin-resources.d.ts.map

package/dist/schemas/admin-resources.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-resources.d.ts","sourceRoot":"","sources":["../../src/schemas/admin-resources.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAI/B;;;GAGG;AACH,eAAO,MAAM,qBAAqB;;EAMhC,CAAA;AACF,MAAM,MAAM,qBAAqB,GAAG,OAAO,qBAAqB,CAAC,IAAI,CAAA;AAgBrE;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,6BAA6B;;;;EAIxC,CAAA;AACF,MAAM,MAAM,6BAA6B,GAAG,OAAO,6BAA6B,CAAC,IAAI,CAAA;AAErF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,8BAA8B;;;;;;EAMzC,CAAA;AACF,MAAM,MAAM,8BAA8B,GAAG,OAAO,8BAA8B,CAAC,IAAI,CAAA;AA6BvF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,wBAAwB;;;;;;EAGnC,CAAA;AACF,MAAM,MAAM,wBAAwB,GAAG,OAAO,wBAAwB,CAAC,IAAI,CAAA;AAE3E;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;EAWzC,CAAA;AACF,MAAM,MAAM,8BAA8B,GAAG,OAAO,8BAA8B,CAAC,IAAI,CAAA;AAEvF;;;GAGG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;EAKpC,CAAA;AACF,MAAM,MAAM,yBAAyB,GAAG,OAAO,yBAAyB,CAAC,IAAI,CAAA"}

package/dist/schemas/admin-resources.js ADDED Viewed

@@ -0,0 +1,143 @@
+/**
+ * Admin Resources — operator recovery schemas (OPS-3).
+ *
+ * Mirrors `apps/api/src/server/platform/routes/admin/resources.ts`.
+ * Replaces the manual `DELETE FROM managed_resources WHERE id=...` from
+ * `docs/how-to/teardown-failure.md` (lines 113, 131) with a structured
+ * admin endpoint.
+ *
+ * Plane: `admin` (super-admin / scoped service-token only — scope
+ * `platform:resources:forcedelete`).
+ *
+ * Sibling slice OPS-2 (reseal) extends this file with its own schemas
+ * when it lands; keeping both under `admin-resources` so the audit
+ * `resourceType='managed_resource'` aligns with the surface name.
+ */
+import { Schema } from 'effect';
+// ─── Force-delete (OPS-3) ───────────────────────────────────────────────
+/**
+ * Path param for `DELETE /admin/resources/:id`. Matches the TypeID grammar
+ * (`res_xxx`) — invalid input returns 400 at the validator boundary.
+ */
+export const AdminResourceIdParams = Schema.Struct({
+    id: Schema.String.pipe(Schema.pattern(/^res_[0-9a-z]{20,30}$/i, {
+        message: () => 'id must be a TypeID with prefix `res_`',
+    })),
+});
+/**
+ * Reason string for the audit trail. Length-bounded so audit_logs.metadata
+ * stays predictable.
+ */
+const Reason = Schema.String.pipe(Schema.minLength(3), Schema.maxLength(500));
+const BoolString = Schema.Union(Schema.Literal('true'), Schema.Literal('false')).pipe(Schema.transform(Schema.Boolean, {
+    strict: true,
+    decode: (s) => s === 'true',
+    encode: (b) => (b ? 'true' : 'false'),
+}));
+/**
+ * Query parameters for `DELETE /admin/resources/:id`.
+ *
+ * Semantics:
+ *
+ *   - `reason`       — required. Goes verbatim into the audit row.
+ *   - `cascade`      — when `true`, also tears down dependent rows (PITR
+ *                       restore points, project_platform_resources binding,
+ *                       project_resource_bindings rows). Default `false`.
+ *   - `reallyForce`  — escape hatch for rows whose `reconcile_status` is
+ *                       NOT `terminating`. Default `false`. The endpoint
+ *                       refuses the row otherwise (the reconciler should
+ *                       drive normal teardown — only rows already in
+ *                       `terminating` are valid candidates here).
+ */
+export const AdminResourceForceDeleteQuery = Schema.Struct({
+    reason: Reason,
+    cascade: Schema.optional(BoolString),
+    reallyForce: Schema.optional(BoolString),
+});
+/**
+ * Response envelope.
+ *
+ *   - `id`              — TypeID (`res_xxx`) of the row that was deleted.
+ *   - `previousStatus`  — `reconcile_status` value the row carried just
+ *                          before the DELETE landed. Operators use this to
+ *                          confirm the row was in `terminating` (or that
+ *                          `--really-force` was the override path).
+ *   - `cascade`         — echo of the request flag.
+ *   - `reallyForce`     — echo of the request flag.
+ *   - `dependentsDeleted` — count of dependent rows additionally removed
+ *                            when cascade was true (PITR restore points,
+ *                            platform binding, project resource bindings).
+ *                            Always 0 when cascade=false.
+ */
+export const AdminResourceForceDeleteResult = Schema.Struct({
+    id: Schema.String,
+    previousStatus: Schema.String,
+    cascade: Schema.Boolean,
+    reallyForce: Schema.Boolean,
+    dependentsDeleted: Schema.Number,
+});
+// ─── Reseal (OPS-2) ─────────────────────────────────────────────────────
+/**
+ * Active KEK identifier grammar. Sylphx KEK ids are short opaque strings
+ * (e.g. `kek-2026-04`); we constrain to printable ASCII so the audit
+ * row stays grep-friendly and the value can't smuggle control chars
+ * into log pipelines.
+ */
+const KeyId = Schema.String.pipe(Schema.minLength(1), Schema.maxLength(64), Schema.pattern(/^[A-Za-z0-9._:-]+$/, {
+    message: () => 'keyId must match ^[A-Za-z0-9._:-]+$',
+}));
+/**
+ * Optional filter — currently unused by the rotation primitive (the
+ * canonical registry walks all rows under retired keys). Reserved for
+ * future per-project / per-env scoped rotations; accepted today so the
+ * shape stabilises before we expand the registry.
+ */
+const ResealFilter = Schema.Struct({
+    projectId: Schema.optional(Schema.String),
+    envId: Schema.optional(Schema.String),
+});
+/**
+ * Body of `POST /admin/resources/reseal`.
+ *
+ *   - `keyId`  — the active KEK ID the operator believes the platform
+ *                is serving with. The endpoint refuses with 409 if the
+ *                live ring's `activeKeyId` does not match — protecting
+ *                against split-brain rotations where two operators race.
+ *   - `filter` — reserved (see `ResealFilter`). Today the endpoint walks
+ *                the canonical `buildRotationFields()` registry for ALL
+ *                rows whose envelope is not under the active key; the
+ *                filter is accepted but logged as ignored. When per-
+ *                row scoping ships, the registry adapter will honour it.
+ *
+ * Idempotent: re-running with the same `keyId` rewrites zero rows once
+ * the registry has converged.
+ */
+export const AdminResourceResealInput = Schema.Struct({
+    keyId: KeyId,
+    filter: Schema.optional(ResealFilter),
+});
+/**
+ * Per-field result. Mirrors `RotationFieldResult` from
+ * `packages/core/src/lib/crypto/rotation.ts` so the wire format stays a
+ * faithful projection of the in-process struct.
+ */
+export const AdminResourceResealFieldResult = Schema.Struct({
+    fieldName: Schema.String,
+    rowsSeen: Schema.Number,
+    rowsRotated: Schema.Number,
+    rowsFailed: Schema.Number,
+    failures: Schema.Array(Schema.Struct({
+        id: Schema.String,
+        reason: Schema.String,
+    })),
+});
+/**
+ * Response envelope. `activeKeyId` is the server's authoritative answer
+ * (echo of the input on success).
+ */
+export const AdminResourceResealResult = Schema.Struct({
+    activeKeyId: Schema.String,
+    totalRotated: Schema.Number,
+    totalFailed: Schema.Number,
+    fields: Schema.Array(AdminResourceResealFieldResult),
+});

package/dist/schemas/admin-secrets.d.ts ADDED Viewed

@@ -0,0 +1,113 @@
+/**
+ * Admin Secrets — operator-driven secret rotation primitives.
+ *
+ * G-5: closes the production-ready audit gap on secret rotation. The
+ * Platform holds a small set of HMAC / encryption secrets in K8s Secret
+ * env-var slots (BREAK_GLASS_SECRET, PLATFORM_ENCRYPTION_KEY, …). Pre-G-5
+ * rotation was a manual two-person rule documented in
+ * `docs/runbooks/break-glass.md` §4 — not auditable, not metered, no
+ * automated reminder when a secret aged past 90 days.
+ *
+ * This endpoint surface gives operators a uniform CLI path to:
+ *   - List rotatable secrets + their last-rotation age (`--dry-run`)
+ *   - Initiate a rotation event for compliance (audit row + metric tick)
+ *
+ * The actual K8s secret value rotation is delegated to the runbook's
+ * existing two-person procedure; this endpoint is the AUDIT trail and
+ * the OBSERVABILITY anchor for `sylphx_secret_age_days`. We deliberately
+ * do NOT mint the new value server-side — minting would require holding
+ * the cluster KMS key in process memory, which is the very threat the
+ * rotation is hedging against. Operators paste the new value into the
+ * cluster Secret store; the endpoint records that it happened.
+ *
+ * Scope (`platform:secrets:rotate`) is service-token only; super-admin
+ * sessions are explicitly NOT accepted — a rotation MUST be a programmatic
+ * step in an Ops runbook, never an interactive Console click.
+ */
+import { Schema } from 'effect';
+/**
+ * The set of platform secrets that follow the Sylphx rotation cadence.
+ * Adding a new secret = adding a literal here AND a row in
+ * `secret_rotation_events` retention; CI guards both.
+ */
+export declare const AdminSecretType: Schema.Literal<["break-glass", "encryption-key", "jwt-signing"]>;
+export type AdminSecretType = typeof AdminSecretType.Type;
+export declare const AdminRotateSecretInput: Schema.Struct<{
+    /** Which secret to rotate. */
+    type: Schema.Literal<["break-glass", "encryption-key", "jwt-signing"]>;
+    /**
+     * If true, returns the rotation eligibility report WITHOUT writing an
+     * audit row or emitting the metric tick. Always-safe; used by the CLI's
+     * `--dry-run` mode and by the periodic `sylphx_secret_age_days` alert
+     * cron to read state.
+     */
+    dryRun: Schema.optional<typeof Schema.Boolean>;
+    /**
+     * Operator note explaining WHY this rotation is happening. Required on
+     * non-dry-run calls (min 3 chars). Recorded on the audit row + on the
+     * `secret_rotation_events` ledger.
+     */
+    reason: Schema.optional<typeof Schema.String>;
+}>;
+export type AdminRotateSecretInput = typeof AdminRotateSecretInput.Type;
+/**
+ * Per-secret rotation status — one row per known secret type.
+ *
+ * `lastRotatedAt` is null for a secret that has never been rotated since
+ * ledger ingest (greenfield clusters, freshly seeded `secret_rotation_events`).
+ * `ageDays` is `now() - lastRotatedAt` in days, or null when never-rotated;
+ * the alert rule fires when `ageDays > 90`.
+ */
+export declare const AdminSecretStatus: Schema.Struct<{
+    type: Schema.Literal<["break-glass", "encryption-key", "jwt-signing"]>;
+    lastRotatedAt: Schema.NullOr<typeof Schema.String>;
+    ageDays: Schema.NullOr<typeof Schema.Number>;
+    /** Operator-facing rotation cadence in days (90 today). */
+    cadenceDays: typeof Schema.Number;
+    /** True iff `ageDays > cadenceDays` (or never-rotated). */
+    overdue: typeof Schema.Boolean;
+    /** Name of the K8s Secret + key the operator must update. */
+    clusterSecretRef: typeof Schema.String;
+}>;
+export type AdminSecretStatus = typeof AdminSecretStatus.Type;
+export declare const AdminRotateSecretResult: Schema.Struct<{
+    /** True iff a real rotation event was recorded; false on dry-run. */
+    rotated: typeof Schema.Boolean;
+    /** Per-type rotation status snapshot (always populated). */
+    status: Schema.Struct<{
+        type: Schema.Literal<["break-glass", "encryption-key", "jwt-signing"]>;
+        lastRotatedAt: Schema.NullOr<typeof Schema.String>;
+        ageDays: Schema.NullOr<typeof Schema.Number>;
+        /** Operator-facing rotation cadence in days (90 today). */
+        cadenceDays: typeof Schema.Number;
+        /** True iff `ageDays > cadenceDays` (or never-rotated). */
+        overdue: typeof Schema.Boolean;
+        /** Name of the K8s Secret + key the operator must update. */
+        clusterSecretRef: typeof Schema.String;
+    }>;
+    /** ID of the audit_logs row written on a non-dry-run call. */
+    auditLogId: Schema.NullOr<typeof Schema.String>;
+    /** Operator-facing next-step instruction. */
+    message: typeof Schema.String;
+}>;
+export type AdminRotateSecretResult = typeof AdminRotateSecretResult.Type;
+/**
+ * `GET /admin/secrets` — list every secret type + its rotation status.
+ * Used by the `sylphx_secret_age_days` alert and by the Console operator
+ * dashboard's secret-rotation widget.
+ */
+export declare const AdminListSecretsResult: Schema.Struct<{
+    secrets: Schema.Array$<Schema.Struct<{
+        type: Schema.Literal<["break-glass", "encryption-key", "jwt-signing"]>;
+        lastRotatedAt: Schema.NullOr<typeof Schema.String>;
+        ageDays: Schema.NullOr<typeof Schema.Number>;
+        /** Operator-facing rotation cadence in days (90 today). */
+        cadenceDays: typeof Schema.Number;
+        /** True iff `ageDays > cadenceDays` (or never-rotated). */
+        overdue: typeof Schema.Boolean;
+        /** Name of the K8s Secret + key the operator must update. */
+        clusterSecretRef: typeof Schema.String;
+    }>>;
+}>;
+export type AdminListSecretsResult = typeof AdminListSecretsResult.Type;
+//# sourceMappingURL=admin-secrets.d.ts.map

package/dist/schemas/admin-secrets.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-secrets.d.ts","sourceRoot":"","sources":["../../src/schemas/admin-secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAE/B;;;;GAIG;AACH,eAAO,MAAM,eAAe,kEAQ3B,CAAA;AACD,MAAM,MAAM,eAAe,GAAG,OAAO,eAAe,CAAC,IAAI,CAAA;AAEzD,eAAO,MAAM,sBAAsB;IAClC,8BAA8B;;IAE9B;;;;;OAKG;;IAEH;;;;OAIG;;EAEF,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,OAAO,sBAAsB,CAAC,IAAI,CAAA;AAEvE;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB;;;;IAI7B,2DAA2D;;IAE3D,2DAA2D;;IAE3D,6DAA6D;;EAE5D,CAAA;AACF,MAAM,MAAM,iBAAiB,GAAG,OAAO,iBAAiB,CAAC,IAAI,CAAA;AAE7D,eAAO,MAAM,uBAAuB;IACnC,qEAAqE;;IAErE,4DAA4D;;;;;QAZ5D,2DAA2D;;QAE3D,2DAA2D;;QAE3D,6DAA6D;;;IAU7D,8DAA8D;;IAE9D,6CAA6C;;EAE5C,CAAA;AACF,MAAM,MAAM,uBAAuB,GAAG,OAAO,uBAAuB,CAAC,IAAI,CAAA;AAEzE;;;;GAIG;AACH,eAAO,MAAM,sBAAsB;;;;;QA1BlC,2DAA2D;;QAE3D,2DAA2D;;QAE3D,6DAA6D;;;EAwB5D,CAAA;AACF,MAAM,MAAM,sBAAsB,GAAG,OAAO,sBAAsB,CAAC,IAAI,CAAA"}

package/dist/schemas/admin-secrets.js ADDED Viewed

@@ -0,0 +1,94 @@
+/**
+ * Admin Secrets — operator-driven secret rotation primitives.
+ *
+ * G-5: closes the production-ready audit gap on secret rotation. The
+ * Platform holds a small set of HMAC / encryption secrets in K8s Secret
+ * env-var slots (BREAK_GLASS_SECRET, PLATFORM_ENCRYPTION_KEY, …). Pre-G-5
+ * rotation was a manual two-person rule documented in
+ * `docs/runbooks/break-glass.md` §4 — not auditable, not metered, no
+ * automated reminder when a secret aged past 90 days.
+ *
+ * This endpoint surface gives operators a uniform CLI path to:
+ *   - List rotatable secrets + their last-rotation age (`--dry-run`)
+ *   - Initiate a rotation event for compliance (audit row + metric tick)
+ *
+ * The actual K8s secret value rotation is delegated to the runbook's
+ * existing two-person procedure; this endpoint is the AUDIT trail and
+ * the OBSERVABILITY anchor for `sylphx_secret_age_days`. We deliberately
+ * do NOT mint the new value server-side — minting would require holding
+ * the cluster KMS key in process memory, which is the very threat the
+ * rotation is hedging against. Operators paste the new value into the
+ * cluster Secret store; the endpoint records that it happened.
+ *
+ * Scope (`platform:secrets:rotate`) is service-token only; super-admin
+ * sessions are explicitly NOT accepted — a rotation MUST be a programmatic
+ * step in an Ops runbook, never an interactive Console click.
+ */
+import { Schema } from 'effect';
+/**
+ * The set of platform secrets that follow the Sylphx rotation cadence.
+ * Adding a new secret = adding a literal here AND a row in
+ * `secret_rotation_events` retention; CI guards both.
+ */
+export const AdminSecretType = Schema.Literal(
+/** HMAC key for the `/admin/break-glass` endpoint (90-day cadence). */
+'break-glass',
+/** AES-256-GCM key for at-rest encryption of secrets / webhooks. */
+'encryption-key',
+/** RSA private key family for JWT signing — superseded by the
+ *  `adminJwtKeys.rotate` namespace; included here for parity dashboards. */
+'jwt-signing');
+export const AdminRotateSecretInput = Schema.Struct({
+    /** Which secret to rotate. */
+    type: AdminSecretType,
+    /**
+     * If true, returns the rotation eligibility report WITHOUT writing an
+     * audit row or emitting the metric tick. Always-safe; used by the CLI's
+     * `--dry-run` mode and by the periodic `sylphx_secret_age_days` alert
+     * cron to read state.
+     */
+    dryRun: Schema.optional(Schema.Boolean),
+    /**
+     * Operator note explaining WHY this rotation is happening. Required on
+     * non-dry-run calls (min 3 chars). Recorded on the audit row + on the
+     * `secret_rotation_events` ledger.
+     */
+    reason: Schema.optional(Schema.String),
+});
+/**
+ * Per-secret rotation status — one row per known secret type.
+ *
+ * `lastRotatedAt` is null for a secret that has never been rotated since
+ * ledger ingest (greenfield clusters, freshly seeded `secret_rotation_events`).
+ * `ageDays` is `now() - lastRotatedAt` in days, or null when never-rotated;
+ * the alert rule fires when `ageDays > 90`.
+ */
+export const AdminSecretStatus = Schema.Struct({
+    type: AdminSecretType,
+    lastRotatedAt: Schema.NullOr(Schema.String),
+    ageDays: Schema.NullOr(Schema.Number),
+    /** Operator-facing rotation cadence in days (90 today). */
+    cadenceDays: Schema.Number,
+    /** True iff `ageDays > cadenceDays` (or never-rotated). */
+    overdue: Schema.Boolean,
+    /** Name of the K8s Secret + key the operator must update. */
+    clusterSecretRef: Schema.String,
+});
+export const AdminRotateSecretResult = Schema.Struct({
+    /** True iff a real rotation event was recorded; false on dry-run. */
+    rotated: Schema.Boolean,
+    /** Per-type rotation status snapshot (always populated). */
+    status: AdminSecretStatus,
+    /** ID of the audit_logs row written on a non-dry-run call. */
+    auditLogId: Schema.NullOr(Schema.String),
+    /** Operator-facing next-step instruction. */
+    message: Schema.String,
+});
+/**
+ * `GET /admin/secrets` — list every secret type + its rotation status.
+ * Used by the `sylphx_secret_age_days` alert and by the Console operator
+ * dashboard's secret-rotation widget.
+ */
+export const AdminListSecretsResult = Schema.Struct({
+    secrets: Schema.Array(AdminSecretStatus),
+});

package/dist/schemas/admin-services.d.ts ADDED Viewed

@@ -0,0 +1,71 @@
+/**
+ * Admin Services — operator-only image-status drift schemas (drift-watchdog).
+ *
+ * Mirrors `apps/api/src/server/platform/routes/admin/services.ts`.
+ *
+ * The drift watchdog (`infra/addons/dogfood-smoke/manifests/image-drift-cronjob.yaml`)
+ * polls this endpoint every 10 minutes. For each Platform service it
+ * compares:
+ *
+ *   - DB SSOT — `project_services.latest_image_ref` (the digest the
+ *               build pipeline says is current).
+ *   - K8s live — `deployment.spec.template.spec.containers[0].image`
+ *                (the digest actually rolling on cluster).
+ *
+ * When the two diverge for >30 minutes the probe pages on-call. Inside the
+ * 30-minute grace window drift is tolerated (legit during a rolling deploy
+ * or a fresh build that hasn't propagated yet).
+ *
+ * Plane: `admin` (super-admin / scoped service-token only — scope
+ * `platform:services:read`).
+ */
+import { Schema } from 'effect';
+/**
+ * One row of the image-status report.
+ *
+ *   - `name`         — service name within the platform project
+ *                       (e.g. `api`, `controller`, `runtime`).
+ *   - `dbRef`        — `latest_image_ref` from `project_services`.
+ *                       `null` if the service has never been built.
+ *   - `k8sRef`       — image string from the live `Deployment`.
+ *                       `null` if the deployment is missing in K8s.
+ *   - `driftMinutes` — minutes since the divergence first appeared.
+ *                       `0` when DB and K8s agree (or both null).
+ *                       `null` when one side is missing.
+ *   - `inSync`       — `true` iff `dbRef === k8sRef` AND both non-null.
+ *                       Probes alert when this is `false` past the grace
+ *                       window.
+ *   - `dbUpdatedAt`  — ISO timestamp the DB row was last touched
+ *                       (`project_services.updated_at`). Drives the
+ *                       `driftMinutes` calculation when DB is the lagger.
+ */
+export declare const AdminServiceImageStatusRow: Schema.Struct<{
+    name: typeof Schema.String;
+    dbRef: Schema.NullOr<typeof Schema.String>;
+    k8sRef: Schema.NullOr<typeof Schema.String>;
+    driftMinutes: Schema.NullOr<typeof Schema.Number>;
+    inSync: typeof Schema.Boolean;
+    dbUpdatedAt: Schema.NullOr<typeof Schema.String>;
+}>;
+export type AdminServiceImageStatusRow = typeof AdminServiceImageStatusRow.Type;
+/**
+ * Response of `GET /admin/services/image-status`.
+ *
+ * Always returns one row per Platform service (controller, api, runtime,
+ * web, exec-server, storage-gateway, storage-worker). Missing rows on
+ * either side surface as `dbRef=null` or `k8sRef=null` so the probe can
+ * still page on configuration drift, not just digest drift.
+ */
+export declare const AdminServiceImageStatusResult: Schema.Struct<{
+    services: Schema.Array$<Schema.Struct<{
+        name: typeof Schema.String;
+        dbRef: Schema.NullOr<typeof Schema.String>;
+        k8sRef: Schema.NullOr<typeof Schema.String>;
+        driftMinutes: Schema.NullOr<typeof Schema.Number>;
+        inSync: typeof Schema.Boolean;
+        dbUpdatedAt: Schema.NullOr<typeof Schema.String>;
+    }>>;
+    checkedAt: typeof Schema.String;
+}>;
+export type AdminServiceImageStatusResult = typeof AdminServiceImageStatusResult.Type;
+//# sourceMappingURL=admin-services.d.ts.map

package/dist/schemas/admin-services.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"admin-services.d.ts","sourceRoot":"","sources":["../../src/schemas/admin-services.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAE/B;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,0BAA0B;;;;;;;EAOrC,CAAA;AACF,MAAM,MAAM,0BAA0B,GAAG,OAAO,0BAA0B,CAAC,IAAI,CAAA;AAE/E;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B;;;;;;;;;;EAGxC,CAAA;AACF,MAAM,MAAM,6BAA6B,GAAG,OAAO,6BAA6B,CAAC,IAAI,CAAA"}

package/dist/schemas/admin-services.js ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Admin Services — operator-only image-status drift schemas (drift-watchdog).
+ *
+ * Mirrors `apps/api/src/server/platform/routes/admin/services.ts`.
+ *
+ * The drift watchdog (`infra/addons/dogfood-smoke/manifests/image-drift-cronjob.yaml`)
+ * polls this endpoint every 10 minutes. For each Platform service it
+ * compares:
+ *
+ *   - DB SSOT — `project_services.latest_image_ref` (the digest the
+ *               build pipeline says is current).
+ *   - K8s live — `deployment.spec.template.spec.containers[0].image`
+ *                (the digest actually rolling on cluster).
+ *
+ * When the two diverge for >30 minutes the probe pages on-call. Inside the
+ * 30-minute grace window drift is tolerated (legit during a rolling deploy
+ * or a fresh build that hasn't propagated yet).
+ *
+ * Plane: `admin` (super-admin / scoped service-token only — scope
+ * `platform:services:read`).
+ */
+import { Schema } from 'effect';
+/**
+ * One row of the image-status report.
+ *
+ *   - `name`         — service name within the platform project
+ *                       (e.g. `api`, `controller`, `runtime`).
+ *   - `dbRef`        — `latest_image_ref` from `project_services`.
+ *                       `null` if the service has never been built.
+ *   - `k8sRef`       — image string from the live `Deployment`.
+ *                       `null` if the deployment is missing in K8s.
+ *   - `driftMinutes` — minutes since the divergence first appeared.
+ *                       `0` when DB and K8s agree (or both null).
+ *                       `null` when one side is missing.
+ *   - `inSync`       — `true` iff `dbRef === k8sRef` AND both non-null.
+ *                       Probes alert when this is `false` past the grace
+ *                       window.
+ *   - `dbUpdatedAt`  — ISO timestamp the DB row was last touched
+ *                       (`project_services.updated_at`). Drives the
+ *                       `driftMinutes` calculation when DB is the lagger.
+ */
+export const AdminServiceImageStatusRow = Schema.Struct({
+    name: Schema.String,
+    dbRef: Schema.NullOr(Schema.String),
+    k8sRef: Schema.NullOr(Schema.String),
+    driftMinutes: Schema.NullOr(Schema.Number),
+    inSync: Schema.Boolean,
+    dbUpdatedAt: Schema.NullOr(Schema.String),
+});
+/**
+ * Response of `GET /admin/services/image-status`.
+ *
+ * Always returns one row per Platform service (controller, api, runtime,
+ * web, exec-server, storage-gateway, storage-worker). Missing rows on
+ * either side surface as `dbRef=null` or `k8sRef=null` so the probe can
+ * still page on configuration drift, not just digest drift.
+ */
+export const AdminServiceImageStatusResult = Schema.Struct({
+    services: Schema.Array(AdminServiceImageStatusRow),
+    checkedAt: Schema.String,
+});