npm - @sylphx/contract - Versions diffs - 0.2.0 - Mend

@sylphx/contract 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (571) hide show

package/CHANGELOG.md +44 -0
package/LICENSE +21 -0
package/README.md +164 -0
package/dist/endpoint.d.ts +65 -0
package/dist/endpoint.d.ts.map +1 -0
package/dist/endpoint.js +22 -0
package/dist/endpoints/admin-ai-playground.d.ts +93 -0
package/dist/endpoints/admin-ai-playground.d.ts.map +1 -0
package/dist/endpoints/admin-ai-playground.js +37 -0
package/dist/endpoints/admin-anomalies.d.ts +108 -0
package/dist/endpoints/admin-anomalies.d.ts.map +1 -0
package/dist/endpoints/admin-anomalies.js +72 -0
package/dist/endpoints/admin-apm.d.ts +102 -0
package/dist/endpoints/admin-apm.d.ts.map +1 -0
package/dist/endpoints/admin-apm.js +70 -0
package/dist/endpoints/admin-audit.d.ts +714 -0
package/dist/endpoints/admin-audit.d.ts.map +1 -0
package/dist/endpoints/admin-audit.js +494 -0
package/dist/endpoints/admin-billing.d.ts +82 -0
package/dist/endpoints/admin-billing.d.ts.map +1 -0
package/dist/endpoints/admin-billing.js +190 -0
package/dist/endpoints/admin-bootstrap.d.ts +16 -0
package/dist/endpoints/admin-bootstrap.d.ts.map +1 -0
package/dist/endpoints/admin-bootstrap.js +28 -0
package/dist/endpoints/admin-broadcasts.d.ts +105 -0
package/dist/endpoints/admin-broadcasts.d.ts.map +1 -0
package/dist/endpoints/admin-broadcasts.js +60 -0
package/dist/endpoints/admin-builds.d.ts +33 -0
package/dist/endpoints/admin-builds.d.ts.map +1 -0
package/dist/endpoints/admin-builds.js +36 -0
package/dist/endpoints/admin-config.d.ts +180 -0
package/dist/endpoints/admin-config.d.ts.map +1 -0
package/dist/endpoints/admin-config.js +108 -0
package/dist/endpoints/admin-consent.d.ts +123 -0
package/dist/endpoints/admin-consent.d.ts.map +1 -0
package/dist/endpoints/admin-consent.js +126 -0
package/dist/endpoints/admin-env-services.d.ts +28 -0
package/dist/endpoints/admin-env-services.d.ts.map +1 -0
package/dist/endpoints/admin-env-services.js +35 -0
package/dist/endpoints/admin-impersonation.d.ts +105 -0
package/dist/endpoints/admin-impersonation.d.ts.map +1 -0
package/dist/endpoints/admin-impersonation.js +88 -0
package/dist/endpoints/admin-invitations.d.ts +73 -0
package/dist/endpoints/admin-invitations.d.ts.map +1 -0
package/dist/endpoints/admin-invitations.js +55 -0
package/dist/endpoints/admin-jwt-keys.d.ts +75 -0
package/dist/endpoints/admin-jwt-keys.d.ts.map +1 -0
package/dist/endpoints/admin-jwt-keys.js +63 -0
package/dist/endpoints/admin-logs.d.ts +109 -0
package/dist/endpoints/admin-logs.d.ts.map +1 -0
package/dist/endpoints/admin-logs.js +78 -0
package/dist/endpoints/admin-plans.d.ts +63 -0
package/dist/endpoints/admin-plans.d.ts.map +1 -0
package/dist/endpoints/admin-plans.js +47 -0
package/dist/endpoints/admin-project-users.d.ts +148 -0
package/dist/endpoints/admin-project-users.d.ts.map +1 -0
package/dist/endpoints/admin-project-users.js +89 -0
package/dist/endpoints/admin-projects.d.ts +124 -0
package/dist/endpoints/admin-projects.d.ts.map +1 -0
package/dist/endpoints/admin-projects.js +74 -0
package/dist/endpoints/admin-quotas.d.ts +98 -0
package/dist/endpoints/admin-quotas.d.ts.map +1 -0
package/dist/endpoints/admin-quotas.js +67 -0
package/dist/endpoints/admin-rate-limits.d.ts +50 -0
package/dist/endpoints/admin-rate-limits.d.ts.map +1 -0
package/dist/endpoints/admin-rate-limits.js +53 -0
package/dist/endpoints/admin-reconcile.d.ts +28 -0
package/dist/endpoints/admin-reconcile.d.ts.map +1 -0
package/dist/endpoints/admin-reconcile.js +33 -0
package/dist/endpoints/admin-resources.d.ts +51 -0
package/dist/endpoints/admin-resources.d.ts.map +1 -0
package/dist/endpoints/admin-resources.js +53 -0
package/dist/endpoints/admin-secrets.d.ts +41 -0
package/dist/endpoints/admin-secrets.d.ts.map +1 -0
package/dist/endpoints/admin-secrets.js +33 -0
package/dist/endpoints/admin-services.d.ts +29 -0
package/dist/endpoints/admin-services.d.ts.map +1 -0
package/dist/endpoints/admin-services.js +35 -0
package/dist/endpoints/admin-tasks.d.ts +186 -0
package/dist/endpoints/admin-tasks.d.ts.map +1 -0
package/dist/endpoints/admin-tasks.js +67 -0
package/dist/endpoints/admin-tenants.d.ts +26 -0
package/dist/endpoints/admin-tenants.d.ts.map +1 -0
package/dist/endpoints/admin-tenants.js +30 -0
package/dist/endpoints/admin-traces.d.ts +124 -0
package/dist/endpoints/admin-traces.d.ts.map +1 -0
package/dist/endpoints/admin-traces.js +59 -0
package/dist/endpoints/admin-users.d.ts +106 -0
package/dist/endpoints/admin-users.d.ts.map +1 -0
package/dist/endpoints/admin-users.js +83 -0
package/dist/endpoints/admin-webhook-signature-versions.d.ts +59 -0
package/dist/endpoints/admin-webhook-signature-versions.d.ts.map +1 -0
package/dist/endpoints/admin-webhook-signature-versions.js +57 -0
package/dist/endpoints/ai-admin.d.ts +30 -0
package/dist/endpoints/ai-admin.d.ts.map +1 -0
package/dist/endpoints/ai-admin.js +59 -0
package/dist/endpoints/analytics-admin.d.ts +279 -0
package/dist/endpoints/analytics-admin.d.ts.map +1 -0
package/dist/endpoints/analytics-admin.js +308 -0
package/dist/endpoints/analytics.d.ts +58 -0
package/dist/endpoints/analytics.d.ts.map +1 -0
package/dist/endpoints/analytics.js +43 -0
package/dist/endpoints/audit-chain.d.ts +49 -0
package/dist/endpoints/audit-chain.d.ts.map +1 -0
package/dist/endpoints/audit-chain.js +29 -0
package/dist/endpoints/audit.d.ts +50 -0
package/dist/endpoints/audit.d.ts.map +1 -0
package/dist/endpoints/audit.js +30 -0
package/dist/endpoints/auth-admin.d.ts +65 -0
package/dist/endpoints/auth-admin.d.ts.map +1 -0
package/dist/endpoints/auth-admin.js +55 -0
package/dist/endpoints/auth.d.ts +157 -0
package/dist/endpoints/auth.d.ts.map +1 -0
package/dist/endpoints/auth.js +214 -0
package/dist/endpoints/backups.d.ts +51 -0
package/dist/endpoints/backups.d.ts.map +1 -0
package/dist/endpoints/backups.js +47 -0
package/dist/endpoints/billing-console.d.ts +294 -0
package/dist/endpoints/billing-console.d.ts.map +1 -0
package/dist/endpoints/billing-console.js +167 -0
package/dist/endpoints/billing-settings.d.ts +107 -0
package/dist/endpoints/billing-settings.d.ts.map +1 -0
package/dist/endpoints/billing-settings.js +117 -0
package/dist/endpoints/branch-databases.d.ts +75 -0
package/dist/endpoints/branch-databases.d.ts.map +1 -0
package/dist/endpoints/branch-databases.js +61 -0
package/dist/endpoints/challenge.d.ts +62 -0
package/dist/endpoints/challenge.d.ts.map +1 -0
package/dist/endpoints/challenge.js +52 -0
package/dist/endpoints/ci-settings.d.ts +89 -0
package/dist/endpoints/ci-settings.d.ts.map +1 -0
package/dist/endpoints/ci-settings.js +78 -0
package/dist/endpoints/consent-admin.d.ts +134 -0
package/dist/endpoints/consent-admin.d.ts.map +1 -0
package/dist/endpoints/consent-admin.js +83 -0
package/dist/endpoints/databases.d.ts +251 -0
package/dist/endpoints/databases.d.ts.map +1 -0
package/dist/endpoints/databases.js +150 -0
package/dist/endpoints/deployments.d.ts +280 -0
package/dist/endpoints/deployments.d.ts.map +1 -0
package/dist/endpoints/deployments.js +205 -0
package/dist/endpoints/domains.d.ts +356 -0
package/dist/endpoints/domains.d.ts.map +1 -0
package/dist/endpoints/domains.js +149 -0
package/dist/endpoints/edge-deployments.d.ts +92 -0
package/dist/endpoints/edge-deployments.d.ts.map +1 -0
package/dist/endpoints/edge-deployments.js +58 -0
package/dist/endpoints/email-admin.d.ts +415 -0
package/dist/endpoints/email-admin.d.ts.map +1 -0
package/dist/endpoints/email-admin.js +253 -0
package/dist/endpoints/email.d.ts +37 -0
package/dist/endpoints/email.d.ts.map +1 -0
package/dist/endpoints/email.js +42 -0
package/dist/endpoints/engagement-admin.d.ts +98 -0
package/dist/endpoints/engagement-admin.d.ts.map +1 -0
package/dist/endpoints/engagement-admin.js +64 -0
package/dist/endpoints/env-vars.d.ts +66 -0
package/dist/endpoints/env-vars.d.ts.map +1 -0
package/dist/endpoints/env-vars.js +47 -0
package/dist/endpoints/environments.d.ts +456 -0
package/dist/endpoints/environments.d.ts.map +1 -0
package/dist/endpoints/environments.js +237 -0
package/dist/endpoints/experiments.d.ts +500 -0
package/dist/endpoints/experiments.d.ts.map +1 -0
package/dist/endpoints/experiments.js +93 -0
package/dist/endpoints/flags-admin.d.ts +74 -0
package/dist/endpoints/flags-admin.d.ts.map +1 -0
package/dist/endpoints/flags-admin.js +84 -0
package/dist/endpoints/flags.d.ts +23 -0
package/dist/endpoints/flags.d.ts.map +1 -0
package/dist/endpoints/flags.js +17 -0
package/dist/endpoints/github.d.ts +30 -0
package/dist/endpoints/github.d.ts.map +1 -0
package/dist/endpoints/github.js +37 -0
package/dist/endpoints/image-opt.d.ts +43 -0
package/dist/endpoints/image-opt.d.ts.map +1 -0
package/dist/endpoints/image-opt.js +44 -0
package/dist/endpoints/kv-admin.d.ts +58 -0
package/dist/endpoints/kv-admin.d.ts.map +1 -0
package/dist/endpoints/kv-admin.js +69 -0
package/dist/endpoints/kv.d.ts +63 -0
package/dist/endpoints/kv.d.ts.map +1 -0
package/dist/endpoints/kv.js +82 -0
package/dist/endpoints/monitoring-admin.d.ts +204 -0
package/dist/endpoints/monitoring-admin.d.ts.map +1 -0
package/dist/endpoints/monitoring-admin.js +119 -0
package/dist/endpoints/monitoring.d.ts +63 -0
package/dist/endpoints/monitoring.d.ts.map +1 -0
package/dist/endpoints/monitoring.js +27 -0
package/dist/endpoints/newsletter.d.ts +366 -0
package/dist/endpoints/newsletter.d.ts.map +1 -0
package/dist/endpoints/newsletter.js +232 -0
package/dist/endpoints/notifications-admin.d.ts +268 -0
package/dist/endpoints/notifications-admin.d.ts.map +1 -0
package/dist/endpoints/notifications-admin.js +172 -0
package/dist/endpoints/notifications.d.ts +225 -0
package/dist/endpoints/notifications.d.ts.map +1 -0
package/dist/endpoints/notifications.js +150 -0
package/dist/endpoints/oidc.d.ts +67 -0
package/dist/endpoints/oidc.d.ts.map +1 -0
package/dist/endpoints/oidc.js +49 -0
package/dist/endpoints/organizations.d.ts +702 -0
package/dist/endpoints/organizations.d.ts.map +1 -0
package/dist/endpoints/organizations.js +460 -0
package/dist/endpoints/plans.d.ts +136 -0
package/dist/endpoints/plans.d.ts.map +1 -0
package/dist/endpoints/plans.js +83 -0
package/dist/endpoints/privacy.d.ts +131 -0
package/dist/endpoints/privacy.d.ts.map +1 -0
package/dist/endpoints/privacy.js +98 -0
package/dist/endpoints/project-manifest.d.ts +1044 -0
package/dist/endpoints/project-manifest.d.ts.map +1 -0
package/dist/endpoints/project-manifest.js +59 -0
package/dist/endpoints/projects.d.ts +187 -0
package/dist/endpoints/projects.d.ts.map +1 -0
package/dist/endpoints/projects.js +58 -0
package/dist/endpoints/rate-limits.d.ts +83 -0
package/dist/endpoints/rate-limits.d.ts.map +1 -0
package/dist/endpoints/rate-limits.js +54 -0
package/dist/endpoints/realtime-admin.d.ts +42 -0
package/dist/endpoints/realtime-admin.d.ts.map +1 -0
package/dist/endpoints/realtime-admin.js +50 -0
package/dist/endpoints/realtime.d.ts +35 -0
package/dist/endpoints/realtime.d.ts.map +1 -0
package/dist/endpoints/realtime.js +39 -0
package/dist/endpoints/referrals-admin.d.ts +118 -0
package/dist/endpoints/referrals-admin.d.ts.map +1 -0
package/dist/endpoints/referrals-admin.js +59 -0
package/dist/endpoints/refresh.d.ts +19 -0
package/dist/endpoints/refresh.d.ts.map +1 -0
package/dist/endpoints/refresh.js +25 -0
package/dist/endpoints/regions.d.ts +41 -0
package/dist/endpoints/regions.d.ts.map +1 -0
package/dist/endpoints/regions.js +43 -0
package/dist/endpoints/runners.d.ts +55 -0
package/dist/endpoints/runners.d.ts.map +1 -0
package/dist/endpoints/runners.js +45 -0
package/dist/endpoints/saml.d.ts +147 -0
package/dist/endpoints/saml.d.ts.map +1 -0
package/dist/endpoints/saml.js +106 -0
package/dist/endpoints/search.d.ts +62 -0
package/dist/endpoints/search.d.ts.map +1 -0
package/dist/endpoints/search.js +40 -0
package/dist/endpoints/secrets.d.ts +95 -0
package/dist/endpoints/secrets.d.ts.map +1 -0
package/dist/endpoints/secrets.js +81 -0
package/dist/endpoints/security.d.ts +231 -0
package/dist/endpoints/security.d.ts.map +1 -0
package/dist/endpoints/security.js +291 -0
package/dist/endpoints/service-tokens.d.ts +392 -0
package/dist/endpoints/service-tokens.d.ts.map +1 -0
package/dist/endpoints/service-tokens.js +125 -0
package/dist/endpoints/session-replay.d.ts +142 -0
package/dist/endpoints/session-replay.d.ts.map +1 -0
package/dist/endpoints/session-replay.js +53 -0
package/dist/endpoints/storage-admin.d.ts +96 -0
package/dist/endpoints/storage-admin.d.ts.map +1 -0
package/dist/endpoints/storage-admin.js +113 -0
package/dist/endpoints/storage.d.ts +167 -0
package/dist/endpoints/storage.d.ts.map +1 -0
package/dist/endpoints/storage.js +117 -0
package/dist/endpoints/tasks.d.ts +141 -0
package/dist/endpoints/tasks.d.ts.map +1 -0
package/dist/endpoints/tasks.js +97 -0
package/dist/endpoints/users.d.ts +103 -0
package/dist/endpoints/users.d.ts.map +1 -0
package/dist/endpoints/users.js +98 -0
package/dist/endpoints/webhooks.d.ts +201 -0
package/dist/endpoints/webhooks.d.ts.map +1 -0
package/dist/endpoints/webhooks.js +120 -0
package/dist/errors.d.ts +153 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +73 -0
package/dist/index.d.ts +12303 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +390 -0
package/dist/schemas/_primitives.d.ts +37 -0
package/dist/schemas/_primitives.d.ts.map +1 -0
package/dist/schemas/_primitives.js +38 -0
package/dist/schemas/admin-ai-playground.d.ts +128 -0
package/dist/schemas/admin-ai-playground.d.ts.map +1 -0
package/dist/schemas/admin-ai-playground.js +84 -0
package/dist/schemas/admin-anomalies.d.ts +131 -0
package/dist/schemas/admin-anomalies.d.ts.map +1 -0
package/dist/schemas/admin-anomalies.js +106 -0
package/dist/schemas/admin-apm.d.ts +151 -0
package/dist/schemas/admin-apm.d.ts.map +1 -0
package/dist/schemas/admin-apm.js +96 -0
package/dist/schemas/admin-audit.d.ts +625 -0
package/dist/schemas/admin-audit.d.ts.map +1 -0
package/dist/schemas/admin-audit.js +508 -0
package/dist/schemas/admin-billing.d.ts +73 -0
package/dist/schemas/admin-billing.d.ts.map +1 -0
package/dist/schemas/admin-billing.js +60 -0
package/dist/schemas/admin-bootstrap.d.ts +32 -0
package/dist/schemas/admin-bootstrap.d.ts.map +1 -0
package/dist/schemas/admin-bootstrap.js +37 -0
package/dist/schemas/admin-broadcasts.d.ts +181 -0
package/dist/schemas/admin-broadcasts.d.ts.map +1 -0
package/dist/schemas/admin-broadcasts.js +93 -0
package/dist/schemas/admin-builds.d.ts +108 -0
package/dist/schemas/admin-builds.d.ts.map +1 -0
package/dist/schemas/admin-builds.js +127 -0
package/dist/schemas/admin-config.d.ts +248 -0
package/dist/schemas/admin-config.d.ts.map +1 -0
package/dist/schemas/admin-config.js +145 -0
package/dist/schemas/admin-consent.d.ts +129 -0
package/dist/schemas/admin-consent.d.ts.map +1 -0
package/dist/schemas/admin-consent.js +76 -0
package/dist/schemas/admin-env-services.d.ts +63 -0
package/dist/schemas/admin-env-services.d.ts.map +1 -0
package/dist/schemas/admin-env-services.js +81 -0
package/dist/schemas/admin-impersonation.d.ts +150 -0
package/dist/schemas/admin-impersonation.d.ts.map +1 -0
package/dist/schemas/admin-impersonation.js +114 -0
package/dist/schemas/admin-invitations.d.ts +119 -0
package/dist/schemas/admin-invitations.d.ts.map +1 -0
package/dist/schemas/admin-invitations.js +80 -0
package/dist/schemas/admin-jwt-keys.d.ts +130 -0
package/dist/schemas/admin-jwt-keys.d.ts.map +1 -0
package/dist/schemas/admin-jwt-keys.js +83 -0
package/dist/schemas/admin-logs.d.ts +170 -0
package/dist/schemas/admin-logs.d.ts.map +1 -0
package/dist/schemas/admin-logs.js +108 -0
package/dist/schemas/admin-plans.d.ts +92 -0
package/dist/schemas/admin-plans.d.ts.map +1 -0
package/dist/schemas/admin-plans.js +62 -0
package/dist/schemas/admin-project-users.d.ts +183 -0
package/dist/schemas/admin-project-users.d.ts.map +1 -0
package/dist/schemas/admin-project-users.js +108 -0
package/dist/schemas/admin-projects.d.ts +237 -0
package/dist/schemas/admin-projects.d.ts.map +1 -0
package/dist/schemas/admin-projects.js +129 -0
package/dist/schemas/admin-quotas.d.ts +161 -0
package/dist/schemas/admin-quotas.d.ts.map +1 -0
package/dist/schemas/admin-quotas.js +107 -0
package/dist/schemas/admin-rate-limits.d.ts +90 -0
package/dist/schemas/admin-rate-limits.d.ts.map +1 -0
package/dist/schemas/admin-rate-limits.js +72 -0
package/dist/schemas/admin-reconcile.d.ts +89 -0
package/dist/schemas/admin-reconcile.d.ts.map +1 -0
package/dist/schemas/admin-reconcile.js +86 -0
package/dist/schemas/admin-resources.d.ts +129 -0
package/dist/schemas/admin-resources.d.ts.map +1 -0
package/dist/schemas/admin-resources.js +143 -0
package/dist/schemas/admin-secrets.d.ts +113 -0
package/dist/schemas/admin-secrets.d.ts.map +1 -0
package/dist/schemas/admin-secrets.js +94 -0
package/dist/schemas/admin-services.d.ts +71 -0
package/dist/schemas/admin-services.d.ts.map +1 -0
package/dist/schemas/admin-services.js +61 -0
package/dist/schemas/admin-tasks.d.ts +239 -0
package/dist/schemas/admin-tasks.d.ts.map +1 -0
package/dist/schemas/admin-tasks.js +103 -0
package/dist/schemas/admin-tenants.d.ts +45 -0
package/dist/schemas/admin-tenants.d.ts.map +1 -0
package/dist/schemas/admin-tenants.js +54 -0
package/dist/schemas/admin-traces.d.ts +203 -0
package/dist/schemas/admin-traces.d.ts.map +1 -0
package/dist/schemas/admin-traces.js +128 -0
package/dist/schemas/admin-users.d.ts +158 -0
package/dist/schemas/admin-users.d.ts.map +1 -0
package/dist/schemas/admin-users.js +110 -0
package/dist/schemas/admin-webhook-signature-versions.d.ts +103 -0
package/dist/schemas/admin-webhook-signature-versions.d.ts.map +1 -0
package/dist/schemas/admin-webhook-signature-versions.js +73 -0
package/dist/schemas/ai-admin.d.ts +39 -0
package/dist/schemas/ai-admin.d.ts.map +1 -0
package/dist/schemas/ai-admin.js +29 -0
package/dist/schemas/ai.d.ts +120 -0
package/dist/schemas/ai.d.ts.map +1 -0
package/dist/schemas/ai.js +84 -0
package/dist/schemas/analytics-admin.d.ts +104 -0
package/dist/schemas/analytics-admin.d.ts.map +1 -0
package/dist/schemas/analytics-admin.js +61 -0
package/dist/schemas/analytics.d.ts +118 -0
package/dist/schemas/analytics.d.ts.map +1 -0
package/dist/schemas/analytics.js +80 -0
package/dist/schemas/audit-chain.d.ts +81 -0
package/dist/schemas/audit-chain.d.ts.map +1 -0
package/dist/schemas/audit-chain.js +62 -0
package/dist/schemas/auth-admin.d.ts +55 -0
package/dist/schemas/auth-admin.d.ts.map +1 -0
package/dist/schemas/auth-admin.js +48 -0
package/dist/schemas/auth.d.ts +865 -0
package/dist/schemas/auth.d.ts.map +1 -0
package/dist/schemas/auth.js +815 -0
package/dist/schemas/backups.d.ts +70 -0
package/dist/schemas/backups.d.ts.map +1 -0
package/dist/schemas/backups.js +38 -0
package/dist/schemas/billing-console.d.ts +414 -0
package/dist/schemas/billing-console.d.ts.map +1 -0
package/dist/schemas/billing-console.js +298 -0
package/dist/schemas/billing-settings.d.ts +156 -0
package/dist/schemas/billing-settings.d.ts.map +1 -0
package/dist/schemas/billing-settings.js +119 -0
package/dist/schemas/billing.d.ts +211 -0
package/dist/schemas/billing.d.ts.map +1 -0
package/dist/schemas/billing.js +147 -0
package/dist/schemas/branch-database.d.ts +98 -0
package/dist/schemas/branch-database.d.ts.map +1 -0
package/dist/schemas/branch-database.js +68 -0
package/dist/schemas/challenge.d.ts +104 -0
package/dist/schemas/challenge.d.ts.map +1 -0
package/dist/schemas/challenge.js +74 -0
package/dist/schemas/ci-settings.d.ts +122 -0
package/dist/schemas/ci-settings.d.ts.map +1 -0
package/dist/schemas/ci-settings.js +65 -0
package/dist/schemas/consent-admin.d.ts +187 -0
package/dist/schemas/consent-admin.d.ts.map +1 -0
package/dist/schemas/consent-admin.js +114 -0
package/dist/schemas/consent.d.ts +78 -0
package/dist/schemas/consent.d.ts.map +1 -0
package/dist/schemas/consent.js +68 -0
package/dist/schemas/database.d.ts +104 -0
package/dist/schemas/database.d.ts.map +1 -0
package/dist/schemas/database.js +89 -0
package/dist/schemas/deployment.d.ts +386 -0
package/dist/schemas/deployment.d.ts.map +1 -0
package/dist/schemas/deployment.js +282 -0
package/dist/schemas/domain.d.ts +148 -0
package/dist/schemas/domain.d.ts.map +1 -0
package/dist/schemas/domain.js +86 -0
package/dist/schemas/edge-deployments.d.ts +140 -0
package/dist/schemas/edge-deployments.d.ts.map +1 -0
package/dist/schemas/edge-deployments.js +87 -0
package/dist/schemas/email-admin.d.ts +384 -0
package/dist/schemas/email-admin.d.ts.map +1 -0
package/dist/schemas/email-admin.js +313 -0
package/dist/schemas/email.d.ts +46 -0
package/dist/schemas/email.d.ts.map +1 -0
package/dist/schemas/email.js +34 -0
package/dist/schemas/engagement-admin.d.ts +148 -0
package/dist/schemas/engagement-admin.d.ts.map +1 -0
package/dist/schemas/engagement-admin.js +107 -0
package/dist/schemas/env-var.d.ts +68 -0
package/dist/schemas/env-var.d.ts.map +1 -0
package/dist/schemas/env-var.js +52 -0
package/dist/schemas/environment.d.ts +392 -0
package/dist/schemas/environment.d.ts.map +1 -0
package/dist/schemas/environment.js +211 -0
package/dist/schemas/experiments.d.ts +540 -0
package/dist/schemas/experiments.d.ts.map +1 -0
package/dist/schemas/experiments.js +150 -0
package/dist/schemas/flags-admin.d.ts +112 -0
package/dist/schemas/flags-admin.d.ts.map +1 -0
package/dist/schemas/flags-admin.js +84 -0
package/dist/schemas/flags.d.ts +43 -0
package/dist/schemas/flags.d.ts.map +1 -0
package/dist/schemas/flags.js +27 -0
package/dist/schemas/github.d.ts +34 -0
package/dist/schemas/github.d.ts.map +1 -0
package/dist/schemas/github.js +24 -0
package/dist/schemas/ids.d.ts +39 -0
package/dist/schemas/ids.d.ts.map +1 -0
package/dist/schemas/ids.js +26 -0
package/dist/schemas/image-opt.d.ts +70 -0
package/dist/schemas/image-opt.d.ts.map +1 -0
package/dist/schemas/image-opt.js +68 -0
package/dist/schemas/kv-admin.d.ts +60 -0
package/dist/schemas/kv-admin.d.ts.map +1 -0
package/dist/schemas/kv-admin.js +43 -0
package/dist/schemas/kv.d.ts +79 -0
package/dist/schemas/kv.d.ts.map +1 -0
package/dist/schemas/kv.js +54 -0
package/dist/schemas/monitoring-admin.d.ts +314 -0
package/dist/schemas/monitoring-admin.d.ts.map +1 -0
package/dist/schemas/monitoring-admin.js +196 -0
package/dist/schemas/monitoring.d.ts +143 -0
package/dist/schemas/monitoring.d.ts.map +1 -0
package/dist/schemas/monitoring.js +96 -0
package/dist/schemas/newsletter.d.ts +366 -0
package/dist/schemas/newsletter.d.ts.map +1 -0
package/dist/schemas/newsletter.js +245 -0
package/dist/schemas/notifications-admin.d.ts +337 -0
package/dist/schemas/notifications-admin.d.ts.map +1 -0
package/dist/schemas/notifications-admin.js +261 -0
package/dist/schemas/notifications.d.ts +312 -0
package/dist/schemas/notifications.d.ts.map +1 -0
package/dist/schemas/notifications.js +235 -0
package/dist/schemas/oidc.d.ts +74 -0
package/dist/schemas/oidc.d.ts.map +1 -0
package/dist/schemas/oidc.js +46 -0
package/dist/schemas/organization-billing.d.ts +165 -0
package/dist/schemas/organization-billing.d.ts.map +1 -0
package/dist/schemas/organization-billing.js +156 -0
package/dist/schemas/organization-project-users.d.ts +126 -0
package/dist/schemas/organization-project-users.d.ts.map +1 -0
package/dist/schemas/organization-project-users.js +88 -0
package/dist/schemas/organization-projects.d.ts +129 -0
package/dist/schemas/organization-projects.d.ts.map +1 -0
package/dist/schemas/organization-projects.js +119 -0
package/dist/schemas/organization-referrals.d.ts +129 -0
package/dist/schemas/organization-referrals.d.ts.map +1 -0
package/dist/schemas/organization-referrals.js +126 -0
package/dist/schemas/organization-team.d.ts +123 -0
package/dist/schemas/organization-team.d.ts.map +1 -0
package/dist/schemas/organization-team.js +119 -0
package/dist/schemas/organization.d.ts +210 -0
package/dist/schemas/organization.d.ts.map +1 -0
package/dist/schemas/organization.js +169 -0
package/dist/schemas/plans.d.ts +211 -0
package/dist/schemas/plans.d.ts.map +1 -0
package/dist/schemas/plans.js +131 -0
package/dist/schemas/privacy.d.ts +174 -0
package/dist/schemas/privacy.d.ts.map +1 -0
package/dist/schemas/privacy.js +132 -0
package/dist/schemas/project-manifest.d.ts +1421 -0
package/dist/schemas/project-manifest.d.ts.map +1 -0
package/dist/schemas/project-manifest.js +318 -0
package/dist/schemas/project.d.ts +132 -0
package/dist/schemas/project.d.ts.map +1 -0
package/dist/schemas/project.js +76 -0
package/dist/schemas/realtime-admin.d.ts +51 -0
package/dist/schemas/realtime-admin.d.ts.map +1 -0
package/dist/schemas/realtime-admin.js +29 -0
package/dist/schemas/realtime.d.ts +46 -0
package/dist/schemas/realtime.d.ts.map +1 -0
package/dist/schemas/realtime.js +32 -0
package/dist/schemas/referrals-admin.d.ts +166 -0
package/dist/schemas/referrals-admin.d.ts.map +1 -0
package/dist/schemas/referrals-admin.js +123 -0
package/dist/schemas/referrals.d.ts +148 -0
package/dist/schemas/referrals.d.ts.map +1 -0
package/dist/schemas/referrals.js +102 -0
package/dist/schemas/refresh.d.ts +29 -0
package/dist/schemas/refresh.d.ts.map +1 -0
package/dist/schemas/refresh.js +18 -0
package/dist/schemas/region.d.ts +118 -0
package/dist/schemas/region.d.ts.map +1 -0
package/dist/schemas/region.js +86 -0
package/dist/schemas/resources.d.ts +345 -0
package/dist/schemas/resources.d.ts.map +1 -0
package/dist/schemas/resources.js +220 -0
package/dist/schemas/runners.d.ts +93 -0
package/dist/schemas/runners.d.ts.map +1 -0
package/dist/schemas/runners.js +49 -0
package/dist/schemas/saml.d.ts +254 -0
package/dist/schemas/saml.d.ts.map +1 -0
package/dist/schemas/saml.js +159 -0
package/dist/schemas/search.d.ts +96 -0
package/dist/schemas/search.d.ts.map +1 -0
package/dist/schemas/search.js +57 -0
package/dist/schemas/secret.d.ts +101 -0
package/dist/schemas/secret.d.ts.map +1 -0
package/dist/schemas/secret.js +79 -0
package/dist/schemas/security.d.ts +345 -0
package/dist/schemas/security.d.ts.map +1 -0
package/dist/schemas/security.js +248 -0
package/dist/schemas/service-tokens.d.ts +342 -0
package/dist/schemas/service-tokens.d.ts.map +1 -0
package/dist/schemas/service-tokens.js +101 -0
package/dist/schemas/session-replay.d.ts +285 -0
package/dist/schemas/session-replay.d.ts.map +1 -0
package/dist/schemas/session-replay.js +145 -0
package/dist/schemas/storage-admin.d.ts +351 -0
package/dist/schemas/storage-admin.d.ts.map +1 -0
package/dist/schemas/storage-admin.js +197 -0
package/dist/schemas/storage.d.ts +257 -0
package/dist/schemas/storage.d.ts.map +1 -0
package/dist/schemas/storage.js +173 -0
package/dist/schemas/tasks.d.ts +178 -0
package/dist/schemas/tasks.d.ts.map +1 -0
package/dist/schemas/tasks.js +102 -0
package/dist/schemas/user.d.ts +103 -0
package/dist/schemas/user.d.ts.map +1 -0
package/dist/schemas/user.js +79 -0
package/dist/schemas/webhooks.d.ts +259 -0
package/dist/schemas/webhooks.d.ts.map +1 -0
package/dist/schemas/webhooks.js +198 -0
package/package.json +154 -0

package/dist/schemas/auth.js ADDED Viewed

@@ -0,0 +1,815 @@
+/**
+ * Auth — BaaS plane primitives. Matches `@sylphx/sdk` `auth.ts` public
+ * surface (sign-in, sign-up, session, 2FA).
+ *
+ * Two layers coexist here (ADR-084):
+ *
+ * 1. **Lean primitives** (`SignInInput`, `SignUpInput`, `SessionResult`) —
+ *    the minimal shape a generic OAuth/OIDC consumer needs. Stable;
+ *    brand-safe; closed.
+ *
+ * 2. **SDK wire shapes** (`LoginRequest`, `LoginResponse`, `RegisterRequest`,
+ *    `RegisterResponse`, `AuthTokensResponse`, `TwoFactorVerifyRequest`,
+ *    `UserFullProfile`) — richer request/response envelopes the REST API
+ *    actually returns. Mirror the OpenAPI schema previously consumed from
+ *    `@sylphx/sdk/src/generated/api.d.ts`. Declared as plain `Struct`s with
+ *    unbranded `Schema.String` ids so the SDK (which hands ids straight to
+ *    URL builders, cookies, etc.) can accept them without casts.
+ */
+import { Schema } from 'effect';
+import { UserId } from './ids.js';
+/** Tokens issued by `/auth/login` / `/auth/token`. */
+export const AuthTokens = Schema.Struct({
+    accessToken: Schema.String,
+    refreshToken: Schema.optional(Schema.String),
+    tokenType: Schema.optional(Schema.String),
+    expiresIn: Schema.optional(Schema.Number),
+});
+export const SessionUser = Schema.Struct({
+    id: UserId,
+    email: Schema.String,
+    name: Schema.NullOr(Schema.String),
+    image: Schema.NullOr(Schema.String),
+    emailVerified: Schema.Boolean,
+});
+export const SignInInput = Schema.Struct({
+    email: Schema.String,
+    password: Schema.String,
+});
+/** Success path issues tokens; 2FA path redirects via `requiresTwoFactor`. */
+export const SignInResult = Schema.Struct({
+    requiresTwoFactor: Schema.optional(Schema.Boolean),
+    userId: Schema.optional(UserId),
+    accessToken: Schema.optional(Schema.String),
+    refreshToken: Schema.optional(Schema.String),
+    tokenType: Schema.optional(Schema.String),
+    expiresIn: Schema.optional(Schema.Number),
+});
+export const SignUpInput = Schema.Struct({
+    email: Schema.String,
+    password: Schema.String,
+    name: Schema.optional(Schema.String),
+});
+export const SignUpResult = Schema.Struct({
+    userId: UserId,
+    email: Schema.String,
+    emailVerified: Schema.Boolean,
+});
+export const SessionResult = Schema.Struct({
+    user: Schema.NullOr(SessionUser),
+});
+// ── SDK wire shapes ────────────────────────────────────────────────────────
+//
+// These mirror the OpenAPI component schemas the REST API emits. Ids are
+// plain strings (not `UserId`) because SDK callers pass them through to
+// `URL`, cookies, and storage primitives that don't understand branded
+// types — see `@sylphx/sdk/src/auth.ts` notes on the contract/SDK id-brand
+// divide.
+/** Minimal user returned inside login/token/register envelopes. */
+export const AuthUser = Schema.Struct({
+    id: Schema.String,
+    email: Schema.String,
+    name: Schema.NullOr(Schema.String),
+    image: Schema.optional(Schema.NullOr(Schema.String)),
+    emailVerified: Schema.optional(Schema.Boolean),
+    role: Schema.optional(Schema.String),
+    createdAt: Schema.optional(Schema.String),
+});
+/** `POST /auth/login` request body. */
+export const LoginRequest = Schema.Struct({
+    email: Schema.String,
+    password: Schema.String,
+});
+/**
+ * `POST /auth/login` response — discriminated on `requiresTwoFactor`.
+ *
+ * - `true`: caller must finish the 2FA flow via `POST /auth/verify-2fa`
+ *   using the returned `userId`.
+ * - `false` / absent: tokens + user profile are returned directly.
+ */
+export const LoginResponse = Schema.Union(Schema.Struct({
+    requiresTwoFactor: Schema.Literal(true),
+    userId: Schema.String,
+    email: Schema.optional(Schema.String),
+}), Schema.Struct({
+    requiresTwoFactor: Schema.optional(Schema.Literal(false)),
+    accessToken: Schema.String,
+    refreshToken: Schema.optional(Schema.String),
+    expiresIn: Schema.optional(Schema.Number),
+    user: Schema.optional(AuthUser),
+}));
+/**
+ * `POST /auth/register` request body — a superset of `SignUpInput` that
+ * accepts caller metadata and an optional invitation token.
+ */
+export const RegisterRequest = Schema.Struct({
+    email: Schema.String,
+    password: Schema.String,
+    name: Schema.optional(Schema.String),
+    metadata: Schema.optional(Schema.Record({ key: Schema.String, value: Schema.Unknown })),
+    invitationToken: Schema.optional(Schema.String),
+});
+/** `POST /auth/register` response — email-verification envelope. */
+export const RegisterResponse = Schema.Struct({
+    requiresVerification: Schema.optional(Schema.Boolean),
+    message: Schema.optional(Schema.String),
+    user: Schema.Struct({
+        id: Schema.String,
+        email: Schema.String,
+        name: Schema.NullOr(Schema.String),
+    }),
+});
+/**
+ * Token-issuing response shared by `/auth/token`, `/auth/verify-2fa`,
+ * `/auth/switch-org`. `user` is surfaced for SDK convenience (hydrating the
+ * local session immediately after issuance).
+ */
+export const AuthTokensResponse = Schema.Struct({
+    accessToken: Schema.String,
+    refreshToken: Schema.String,
+    expiresIn: Schema.optional(Schema.Number),
+    tokenType: Schema.optional(Schema.String),
+    user: Schema.optional(AuthUser),
+});
+/**
+ * `POST /auth/verify-2fa` request body.
+ *
+ * The OpenAPI spec lists `code` only (post-login flow where the server has
+ * the user bound to the challenge session). The SDK uses an extended shape
+ * including `userId` for the stateless public flow — both are accepted.
+ */
+export const TwoFactorVerifyRequest = Schema.Struct({
+    userId: Schema.optional(Schema.String),
+    code: Schema.String,
+});
+/** `GET /auth/me` response — full profile with verification + timestamps. */
+export const UserFullProfile = Schema.Struct({
+    id: Schema.String,
+    email: Schema.String,
+    name: Schema.NullOr(Schema.String),
+    image: Schema.NullOr(Schema.String),
+    emailVerified: Schema.optional(Schema.Boolean),
+    createdAt: Schema.optional(Schema.String),
+});
+// ─── OAuth Device Flow (RFC 8628) ──────────────────────────────────────────
+//
+// The RFC-8628 device authorization grant is the *client-agnostic*
+// bootstrap surface BaaS issues to any headless client (CLI, TV apps,
+// IoT). ADR-089 Phase 2a hoists the CLI device flow out of the
+// Platform-layer bypass and into the BaaS `/v1/auth/device/*` surface
+// where every consumer — customer and Platform-as-customer alike —
+// speaks the same RFC-shaped protocol.
+//
+// Phase 5.1 will layer RFC 6749 + 7662 + 8414 on top (PKCE, token,
+// revoke, introspect, metadata); Phase 2a ships the four device-flow
+// endpoints that the CLI requires to dogfood.
+/**
+ * `POST /auth/device` request body — initiate a device authorization
+ * grant per RFC 8628 §3.1.
+ */
+export const DeviceInitRequest = Schema.Struct({
+    /**
+     * Client identifier — must match a well-known client registered on
+     * the BaaS plane. Phase 2a hard-codes `sylphx-cli` as the only
+     * allow-listed value; Phase 5.1 replaces the allow-list with the
+     * `oauth_clients` DB registry (ADR-086).
+     */
+    client_id: Schema.String,
+    /**
+     * Space- or array-delimited OAuth scopes the client is requesting.
+     * Phase 2a accepts any scope shape; Phase 5.1 will validate against
+     * the client's registered scope set.
+     */
+    scope: Schema.optional(Schema.Array(Schema.String)),
+});
+/**
+ * `POST /auth/device` response — grant issued per RFC 8628 §3.2.
+ *
+ * `device_code` is the CLI's private reference (opaque bearer);
+ * `user_code` is the short human-readable code the user enters on the
+ * verification page.
+ */
+export const DeviceInitResponse = Schema.Struct({
+    device_code: Schema.String,
+    user_code: Schema.String,
+    verification_uri: Schema.String,
+    verification_uri_complete: Schema.String,
+    expires_in: Schema.Number,
+    interval: Schema.Number,
+});
+/**
+ * `GET /auth/device/poll?device_code=…` response.
+ *
+ * Mirrors the RFC 8628 §3.5 polling token-endpoint response but in a
+ * single envelope so the SDK can discriminate on `status` without
+ * needing a second round-trip to the RFC 6749 token endpoint. Phase
+ * 5.1 will add a strict RFC 6749 `/oauth/token` endpoint that callers
+ * MAY hit instead when they prefer the canonical shape.
+ */
+export const DevicePollResponse = Schema.Union(Schema.Struct({ status: Schema.Literal('pending') }), Schema.Struct({
+    status: Schema.Literal('approved'),
+    access_token: Schema.String,
+    refresh_token: Schema.String,
+    token_type: Schema.Literal('Bearer'),
+    expires_in: Schema.Number,
+    refresh_expires_at: Schema.String,
+}), Schema.Struct({ status: Schema.Literal('denied') }), Schema.Struct({ status: Schema.Literal('expired') }));
+/**
+ * `POST /auth/device/approve` request body — browser leg, user-facing.
+ *
+ * Called from the Console's verification page after the user clicks
+ * Authorize. Cookie-session auth identifies the approving user;
+ * `user_code` is the short public code the user typed / confirmed on
+ * the verification page.
+ */
+export const DeviceApproveRequest = Schema.Struct({
+    user_code: Schema.String,
+});
+/**
+ * `POST /auth/device/approve` response — confirmation envelope.
+ * The CLI picks up the tokens on its next `/auth/device/poll` call.
+ */
+export const DeviceApproveResponse = Schema.Struct({
+    success: Schema.Literal(true),
+});
+/**
+ * `POST /auth/device/deny` request body — same shape as approve.
+ */
+export const DeviceDenyRequest = Schema.Struct({
+    user_code: Schema.String,
+});
+/**
+ * `POST /auth/device/deny` response.
+ */
+export const DeviceDenyResponse = Schema.Struct({
+    success: Schema.Literal(true),
+});
+// ─── OAuth /oauth/token (ADR-089 Phase 5.1b + 5.1c) ───────────────────────────
+//
+// RFC 6749 §3.2 token endpoint — the unified mint surface for every
+// Platform-issued access/refresh bearer. Phase 5.1b shipped the
+// authorization_code + refresh_token grants; Phase 5.1c extends the
+// dispatcher with device_code (RFC 8628 §3.4) + client_credentials
+// (RFC 6749 §4.4). The contract schemas here model the wire shape but the
+// runtime still parses bodies as `Record<string, string>` for forward
+// compatibility — unknown grant-type fields MUST not fail the dispatcher
+// before the client auth check runs.
+/**
+ * `authorization_code` grant body — RFC 6749 §4.1.3 + RFC 7636.
+ */
+export const OAuthTokenAuthorizationCodeRequest = Schema.Struct({
+    grant_type: Schema.Literal('authorization_code'),
+    code: Schema.String,
+    redirect_uri: Schema.String,
+    client_id: Schema.String,
+    client_secret: Schema.optional(Schema.String),
+    code_verifier: Schema.String,
+});
+/**
+ * `refresh_token` grant body — RFC 6749 §6. Rotation is mandatory on the
+ * server side; clients simply present their current refresh_token.
+ */
+export const OAuthTokenRefreshRequest = Schema.Struct({
+    grant_type: Schema.Literal('refresh_token'),
+    refresh_token: Schema.String,
+    client_id: Schema.String,
+    client_secret: Schema.optional(Schema.String),
+    scope: Schema.optional(Schema.String),
+});
+/**
+ * `device_code` grant body — RFC 8628 §3.4. Client auth is registry-driven;
+ * public clients present `client_id` only, confidential clients add
+ * `client_secret`.
+ */
+export const OAuthTokenDeviceCodeRequest = Schema.Struct({
+    grant_type: Schema.Literal('urn:ietf:params:oauth:grant-type:device_code'),
+    device_code: Schema.String,
+    client_id: Schema.String,
+    client_secret: Schema.optional(Schema.String),
+});
+/**
+ * `client_credentials` grant body — RFC 6749 §4.4. Confidential clients
+ * only; `client_secret` is mandatory.
+ */
+export const OAuthTokenClientCredentialsRequest = Schema.Struct({
+    grant_type: Schema.Literal('client_credentials'),
+    client_id: Schema.String,
+    client_secret: Schema.String,
+    scope: Schema.optional(Schema.String),
+});
+/**
+ * Union of every token-endpoint request shape. Discriminated by
+ * `grant_type` — new grants join the union, never replace an existing
+ * variant. Rejected grant types return an RFC 6749 §5.2 error envelope
+ * with `error='unsupported_grant_type'`.
+ */
+export const OAuthTokenRequest = Schema.Union(OAuthTokenAuthorizationCodeRequest, OAuthTokenRefreshRequest, OAuthTokenDeviceCodeRequest, OAuthTokenClientCredentialsRequest);
+/**
+ * Successful `/oauth/token` response carrying access + refresh token pair.
+ * Used by `authorization_code`, `refresh_token`, and `device_code` grants.
+ */
+export const OAuthTokenResponse = Schema.Struct({
+    access_token: Schema.String,
+    token_type: Schema.Literal('Bearer'),
+    expires_in: Schema.Number,
+    refresh_token: Schema.String,
+    scope: Schema.String,
+});
+/**
+ * `client_credentials` success response — RFC 6749 §4.4.3 forbids refresh
+ * tokens on this grant, so the envelope is deliberately narrower.
+ */
+export const OAuthClientCredentialsResponse = Schema.Struct({
+    access_token: Schema.String,
+    token_type: Schema.Literal('Bearer'),
+    expires_in: Schema.Number,
+    scope: Schema.String,
+});
+/**
+ * RFC 6749 §5.2 error codes + RFC 8628 §3.5 polling codes. One closed
+ * enumeration — SDK callers pattern-match on this value to choose the
+ * next action (retry / abort / re-auth).
+ */
+export const OAuthTokenErrorCode = Schema.Literal(
+// RFC 6749 §5.2
+'invalid_request', 'invalid_client', 'invalid_grant', 'unauthorized_client', 'unsupported_grant_type', 'invalid_scope',
+// RFC 8628 §3.5 — device_code grant only.
+'authorization_pending', 'slow_down', 'access_denied', 'expired_token');
+/**
+ * RFC 6749 §5.2 error envelope. Surfaced with HTTP 400 (or 401 when a
+ * Basic auth header was presented with bad credentials).
+ */
+export const OAuthTokenErrorResponse = Schema.Struct({
+    error: OAuthTokenErrorCode,
+    error_description: Schema.optional(Schema.String),
+    error_uri: Schema.optional(Schema.String),
+});
+// ─── OAuth /oauth/revoke (RFC 7009, ADR-089 Phase 5.1d) ────────────────────
+//
+// Revocation is deliberately uniform across access + refresh tokens on the
+// wire — the server disambiguates by `token_type_hint` OR by probing both
+// stores. The response is always 200 with an empty body per §2.2; error
+// envelopes (`OAuthTokenErrorResponse`) apply only on client-auth /
+// malformed-request paths.
+/**
+ * `/oauth/revoke` request body — RFC 7009 §2.1.
+ */
+export const OAuthRevokeRequest = Schema.Struct({
+    token: Schema.String,
+    token_type_hint: Schema.optional(Schema.Literal('access_token', 'refresh_token')),
+    client_id: Schema.String,
+    client_secret: Schema.optional(Schema.String),
+});
+/**
+ * `/oauth/revoke` success response — per §2.2 an empty body. Modelled as
+ * an empty struct so the SDK has a typed `void`-equivalent to await.
+ */
+export const OAuthRevokeResponse = Schema.Struct({});
+// ─── OAuth /oauth/introspect (RFC 7662, ADR-089 Phase 5.1d) ────────────────
+//
+// Introspection returns either the full active-token envelope OR the
+// `{ active: false }` sentinel. RFC 7662 §2.2 requires `active` to be
+// present on every response; all other fields are optional. The schema
+// reflects that — every claim is `optional` so a strict parser cannot
+// reject the inactive sentinel.
+/**
+ * `/oauth/introspect` request body — RFC 7662 §2.1. Same auth model as
+ * `/oauth/revoke` (client_id + optional client_secret, or Basic header).
+ */
+export const OAuthIntrospectRequest = Schema.Struct({
+    token: Schema.String,
+    token_type_hint: Schema.optional(Schema.Literal('access_token', 'refresh_token')),
+    client_id: Schema.String,
+    client_secret: Schema.optional(Schema.String),
+});
+/**
+ * `/oauth/introspect` response — RFC 7662 §2.2. Only `active` is required.
+ * Inactive responses carry ONLY `{ active: false }` per §4; populated
+ * responses echo the token's claims (scope, client_id, username, etc.).
+ */
+export const OAuthIntrospectResponse = Schema.Struct({
+    active: Schema.Boolean,
+    scope: Schema.optional(Schema.String),
+    client_id: Schema.optional(Schema.String),
+    username: Schema.optional(Schema.String),
+    token_type: Schema.optional(Schema.Literal('Bearer')),
+    exp: Schema.optional(Schema.Number),
+    iat: Schema.optional(Schema.Number),
+    nbf: Schema.optional(Schema.Number),
+    sub: Schema.optional(Schema.String),
+    aud: Schema.optional(Schema.Union(Schema.String, Schema.Array(Schema.String))),
+    iss: Schema.optional(Schema.String),
+    jti: Schema.optional(Schema.String),
+});
+// ─── Platform Sessions (ADR-089 Phase 2b) ──────────────────────────────────
+//
+// Session management for the Platform plane (Console / CLI operators).
+// These schemas back the `/auth/platform-sessions/*` endpoints in
+// `apps/runtime` that Phase 2b migrates off the Platform bypass (previously
+// served by `apps/api/.../security/sessions.ts` + `user.ts` imports of
+// `@sylphx/core/features/auth/lib/sessions`).
+//
+// Shapes deliberately mirror the Platform-side `SecuritySession` /
+// `GetSessionsResult` / `RevokeOtherSessionsResult` etc. in
+// `packages/contract/src/schemas/security.ts` so the SDK swap is a
+// zero-diff pass-through on the Platform side.
+/**
+ * A single platform-plane session row as surfaced to the client.
+ *
+ * `id` is the prefixed TypeID (`sess_*`) — the BaaS route encodes the
+ * underlying UUID on the way out. Consumers must pass this back
+ * verbatim on the revoke/rename endpoints; the BaaS side accepts both
+ * forms via `parseIdOrError` but the canonical wire representation is
+ * prefixed.
+ */
+export const PlatformSession = Schema.Struct({
+    id: Schema.String,
+    name: Schema.NullOr(Schema.String),
+    ipAddress: Schema.NullOr(Schema.String),
+    userAgent: Schema.NullOr(Schema.String),
+    createdAt: Schema.String,
+    lastActiveAt: Schema.NullOr(Schema.String),
+    isCurrent: Schema.Boolean,
+});
+/**
+ * `GET /auth/platform-sessions` — list envelope.
+ *
+ * Ordering: most-recently-active first (descending `lastActiveAt`).
+ * Matches the pre-existing Platform `GetSessionsResult` shape so the
+ * migration is a drop-in on the caller side.
+ */
+export const PlatformSessionsListResponse = Schema.Struct({
+    sessions: Schema.Array(PlatformSession),
+});
+/**
+ * `POST /auth/platform-sessions/revoke` — revoke one session.
+ *
+ * `sessionId` accepts either the prefixed TypeID (`sess_*`, preferred)
+ * or the raw UUID — the BaaS side normalises via `parseIdOrError`.
+ */
+export const PlatformSessionRevokeRequest = Schema.Struct({
+    sessionId: Schema.String,
+});
+export const PlatformSessionRevokeResponse = Schema.Struct({
+    success: Schema.Literal(true),
+});
+/**
+ * `POST /auth/platform-sessions/revoke-other` — revoke every session
+ * except the one presenting the current access token.
+ *
+ * When the token carries no `sid` claim (pure-Bearer CLI/CI flows),
+ * every session for the user is revoked — equivalent to `revoke-all`.
+ */
+export const PlatformSessionRevokeOtherResponse = Schema.Struct({
+    revokedCount: Schema.Number,
+});
+/**
+ * `POST /auth/platform-sessions/revoke-all` — revoke every session for
+ * the user, including the caller's own. Used by "sign me out
+ * everywhere" after a password change or a compromise scare.
+ */
+export const PlatformSessionRevokeAllResponse = Schema.Struct({
+    success: Schema.Literal(true),
+    count: Schema.Number,
+});
+/**
+ * `POST /auth/platform-sessions/rename` — update the user-visible
+ * device label on a session row.
+ */
+export const PlatformSessionRenameRequest = Schema.Struct({
+    sessionId: Schema.String,
+    name: Schema.String,
+});
+export const PlatformSessionRenameResponse = Schema.Struct({
+    success: Schema.Literal(true),
+});
+// ─── Platform Password (ADR-089 Phase 2c) ──────────────────────────────────
+//
+// Password management for the Platform plane (Console / CLI operators).
+// These schemas back the `/auth/platform-password/*` endpoints in
+// `apps/runtime` that Phase 2c migrates off the Platform bypass (previously
+// served by `apps/api/.../security/password.ts` + `user.ts` imports of
+// `@sylphx/core/features/auth/lib/password`).
+//
+// Shapes deliberately mirror the Platform-side `PasswordStatusResult` /
+// `SetPasswordInput` / `ChangePasswordInput` in the contract's
+// `schemas/security.ts` + `schemas/user.ts` so the SDK swap is a
+// zero-diff pass-through on the Platform side. All primitive-hash work
+// (bcrypt/argon2/scrypt) lives inside the BaaS route — Platform callers
+// never touch the primitives directly (ADR-089 §5 S1–S4).
+/**
+ * `GET /auth/platform-password/status` — whether the authenticated user
+ * has a password set. OAuth-only users return `{ hasPassword: false }`.
+ */
+export const PlatformPasswordStatusResponse = Schema.Struct({
+    hasPassword: Schema.Boolean,
+});
+/**
+ * `POST /auth/platform-password/set` — initial password for users that
+ * don't have one (signed up via OAuth, never set a local password).
+ *
+ * BaaS enforces the 8-char minimum and the have-i-been-pwned breach check
+ * server-side; Platform callers just forward the plaintext.
+ */
+export const PlatformPasswordSetRequest = Schema.Struct({
+    password: Schema.String,
+});
+export const PlatformPasswordSetResponse = Schema.Struct({
+    success: Schema.Literal(true),
+});
+/**
+ * `POST /auth/platform-password/change` — change an existing password.
+ *
+ * `currentPassword` verification happens server-side via
+ * `verifyPasswordEffect`; a mismatch returns 401 UNAUTHORIZED. Users
+ * that are OAuth-only (no `passwordHash`) receive a 400 so the UI can
+ * redirect them to `set`.
+ */
+export const PlatformPasswordChangeRequest = Schema.Struct({
+    currentPassword: Schema.String,
+    newPassword: Schema.String,
+});
+export const PlatformPasswordChangeResponse = Schema.Struct({
+    success: Schema.Literal(true),
+});
+// ─── Platform User Data (ADR-089 Phase 2d) ─────────────────────────────────
+//
+// GDPR operations for the Platform plane (Console / CLI operators).
+// These schemas back the `/auth/platform-user/*` endpoints in
+// `apps/runtime` that Phase 2d migrates off the Platform bypass
+// (previously served by `apps/api/.../user.ts` reaching directly into
+// `@sylphx/core/lib/auth/index` for `exportUserData` + `deleteUserData`).
+//
+// Shapes deliberately mirror `UserDataExport` / `DeleteAccountResult` in
+// `schemas/user.ts` so the SDK swap is a zero-diff pass-through on the
+// Platform side. All cascading erasure work (per-project BaaS DBs,
+// Stripe cleanup, S3 blob deletion, audit anonymisation) lives inside
+// the BaaS route — Platform callers never touch the underlying stores
+// directly, per ADR-089 Principle 2.
+/**
+ * `GET /auth/platform-user/export` — GDPR data-portability envelope.
+ *
+ * Deliberately permissive — the export contains per-project data that
+ * varies by customer provisioning (storage files, project memberships,
+ * subscription rows). Platform callers pass the whole record through
+ * to the user verbatim; the Console renders it as a JSON download.
+ */
+export const AuthUserExportResponse = Schema.Record({
+    key: Schema.String,
+    value: Schema.Unknown,
+});
+/**
+ * `DELETE /auth/platform-user/account` — GDPR right-to-erasure request.
+ *
+ * `reason` is optional operator context (`user_request` / `admin_action`
+ * / `account_violation`); the BaaS route defaults to `user_request`.
+ * Production hardening (WebAuthn step-up challenge) lands in Phase 5.11 —
+ * see the handler TODO.
+ */
+export const AuthUserDeleteRequest = Schema.Struct({
+    reason: Schema.optional(Schema.String),
+});
+/**
+ * `DELETE /auth/platform-user/account` response.
+ *
+ * `deletedData` is the string list of resource kinds actually erased
+ * (sessions, oauthAccounts, projectUsers, storageFiles, …). Mirrors the
+ * `UserDeletionResult.deletedData` surface from the core helper but
+ * flattened to a string array — the per-kind counts are audit-log
+ * payload only.
+ */
+export const AuthUserDeleteResponse = Schema.Struct({
+    success: Schema.Boolean,
+    deletedData: Schema.Array(Schema.String),
+});
+// ─── Platform Audit Query (ADR-089 Phase 5.3b) ─────────────────────────────
+//
+// Scope-filtered reader for the tamper-evident audit-log chain introduced
+// by Phase 5.3 foundation. Backs the `/audit/query` endpoint in
+// `apps/runtime/src/server/runtime/routes/audit.ts` (renamed out of
+// `/auth/platform-audit/*` by Phase Σ1 SoC rename).
+//
+// Scope enforcement (server-side — `audit` handler in runtime):
+//   - `super_admin` / `admin`  → all scopes, all rows.
+//   - project admin           → `project-ops` + `app-events` for projects
+//                                 they admin (org-level role check).
+//   - regular user            → `project-ops` for projects they're a member
+//                                 of, OR their own `app-events`.
+//   - scope escalation        → 403 `audit_scope_forbidden`.
+//
+// Cursor is opaque, HMAC-signed: base64({ lastTs, lastId }) + sig. Clients
+// MUST treat it as a black box — the shape is NOT a wire contract and can
+// change without a version bump.
+/** Scope taxonomy — matches `audit_logs.scope` CHECK on the DB side. */
+export const AuditScopeLiteral = Schema.Literal('platform-ops', 'project-ops', 'app-events');
+/**
+ * `GET /audit/query` — filter envelope. All fields optional
+ * except `limit` (default 100, max 500). `from` / `to` are ISO-8601 UTC;
+ * `cursor` paginates; `scope` narrows to one plane (caller role must
+ * include it — see scope enforcement notes above).
+ */
+export const PlatformAuditQueryRequest = Schema.Struct({
+    scope: Schema.optional(AuditScopeLiteral),
+    actor: Schema.optional(Schema.String),
+    resourceType: Schema.optional(Schema.String),
+    resourceId: Schema.optional(Schema.String),
+    action: Schema.optional(Schema.String),
+    from: Schema.optional(Schema.String),
+    to: Schema.optional(Schema.String),
+    cursor: Schema.optional(Schema.String),
+    limit: Schema.optional(Schema.Number),
+});
+/** One audit row as surfaced to the query client. Hashes are hex-encoded. */
+export const PlatformAuditEvent = Schema.Struct({
+    id: Schema.String,
+    ts: Schema.String,
+    scope: AuditScopeLiteral,
+    actor: Schema.NullOr(Schema.String),
+    user: Schema.NullOr(Schema.String),
+    orgId: Schema.NullOr(Schema.String),
+    projectId: Schema.NullOr(Schema.String),
+    resourceType: Schema.String,
+    resourceId: Schema.NullOr(Schema.String),
+    action: Schema.String,
+    metadata: Schema.NullOr(Schema.Record({ key: Schema.String, value: Schema.Unknown })),
+    prevHashHex: Schema.NullOr(Schema.String),
+    rowHashHex: Schema.NullOr(Schema.String),
+});
+/**
+ * Response envelope — paginated events + chain-verification flag.
+ *
+ * `chainVerified` is `true` when every returned row's `prev_hash` equals
+ * the preceding row's `row_hash` (rows returned in chain order). It MAY
+ * be `false` when a range query skips a row (rare; not corruption) —
+ * the field is advisory for the client, the ground-truth verifier is
+ * `scripts/check-audit-hash-chain.ts --nightly`.
+ */
+export const PlatformAuditQueryResponse = Schema.Struct({
+    events: Schema.Array(PlatformAuditEvent),
+    nextCursor: Schema.NullOr(Schema.String),
+    chainVerified: Schema.Boolean,
+});
+// ─── Platform Rate-Limit API (ADR-089 Phase 5.2) ───────────────────────────
+//
+// BaaS surface that lets operators inspect live rate-limit counter state and
+// manage per-(scope, scope_id, namespace) strategy overrides without a code
+// deploy. Enforcement reads the override table through the resolver with a
+// 60s in-process cache; upserts/deletes invalidate the cache in-band and
+// the next read sees the new config. Missing overrides fall through to the
+// hard-coded `RateLimitPresets` defaults in `@sylphx/core`.
+//
+// Scope enforcement (server-side — `authPlatformRateLimits` handler):
+//   - super_admin / admin → all scopes.
+//   - project admin       → `project` + their project_id only.
+//   - regular user        → `user` + their own user id only.
+//   - scope escalation    → 403 `rate_limit_scope_forbidden`.
+/** Scope taxonomy — mirrors `RATE_LIMIT_SCOPES` in the Drizzle schema. */
+export const RateLimitScopeLiteral = Schema.Literal('global', 'project', 'user');
+/** Strategy taxonomy — mirrors `RATE_LIMIT_STRATEGIES`. */
+export const RateLimitStrategyLiteral = Schema.Literal('token-bucket', 'sliding-window', 'fixed-window');
+const NamespaceString = Schema.String.pipe(Schema.pattern(/^[a-zA-Z][a-zA-Z0-9_-]{0,63}$/));
+export const PlatformRateLimitStatusRequest = Schema.Struct({
+    scope: Schema.optional(RateLimitScopeLiteral),
+    scope_id: Schema.optional(Schema.String),
+    namespace: Schema.optional(NamespaceString),
+});
+export const PlatformRateLimitStatusRow = Schema.Struct({
+    namespace: Schema.String,
+    scope: RateLimitScopeLiteral,
+    scopeId: Schema.NullOr(Schema.String),
+    strategy: RateLimitStrategyLiteral,
+    limit: Schema.Number,
+    windowSeconds: Schema.Number,
+    burst: Schema.NullOr(Schema.Number),
+    source: Schema.Literal('default', 'global', 'project', 'user'),
+});
+export const PlatformRateLimitStatusResponse = Schema.Struct({
+    rows: Schema.Array(PlatformRateLimitStatusRow),
+});
+export const PlatformRateLimitStrategiesListRequest = Schema.Struct({
+    scope: Schema.optional(RateLimitScopeLiteral),
+    scope_id: Schema.optional(Schema.String),
+});
+export const PlatformRateLimitStrategyRow = Schema.Struct({
+    id: Schema.String,
+    scope: RateLimitScopeLiteral,
+    scopeId: Schema.NullOr(Schema.String),
+    namespace: Schema.String,
+    strategy: RateLimitStrategyLiteral,
+    limitCount: Schema.Number,
+    windowSeconds: Schema.Number,
+    burstCount: Schema.NullOr(Schema.Number),
+    updatedAt: Schema.String,
+    updatedBy: Schema.NullOr(Schema.String),
+});
+export const PlatformRateLimitStrategiesListResponse = Schema.Struct({
+    strategies: Schema.Array(PlatformRateLimitStrategyRow),
+});
+export const PlatformRateLimitNamespaceParams = Schema.Struct({
+    namespace: NamespaceString,
+});
+export const PlatformRateLimitStrategyUpsertRequest = Schema.Struct({
+    scope: RateLimitScopeLiteral,
+    scope_id: Schema.optional(Schema.String),
+    strategy: RateLimitStrategyLiteral,
+    limit: Schema.Number,
+    windowSeconds: Schema.Number,
+    burst: Schema.optional(Schema.NullOr(Schema.Number)),
+});
+export const PlatformRateLimitStrategyUpsertResponse = Schema.Struct({
+    strategy: PlatformRateLimitStrategyRow,
+});
+export const PlatformRateLimitStrategyDeleteRequest = Schema.Struct({
+    scope: RateLimitScopeLiteral,
+    scope_id: Schema.optional(Schema.String),
+});
+export const PlatformRateLimitStrategyDeleteResponse = Schema.Struct({
+    deleted: Schema.Boolean,
+});
+// ============================================================================
+// Passkey-Primary Signup — ADR-089 Phase 5.11 / P14 + S26
+// ============================================================================
+/**
+ * Passkey signup-challenge request. `orgId` binds the ceremony to an org
+ * for policy enforcement (device-bound + AAGUID allow-list). Omit for
+ * personal signups.
+ */
+export const PasskeySignupChallengeRequest = Schema.Struct({
+    email: Schema.String,
+    displayName: Schema.optional(Schema.String),
+    orgId: Schema.optional(Schema.String),
+});
+/**
+ * WebAuthn registration options + platform-issued `userHandle`. Caller
+ * feeds these to `navigator.credentials.create({ publicKey: options })`
+ * and echoes `userHandle` back to /signup-verify.
+ */
+export const PasskeySignupChallengeResponse = Schema.Struct({
+    challenge: Schema.String,
+    rp: Schema.Struct({
+        name: Schema.String,
+        id: Schema.optional(Schema.String),
+    }),
+    user: Schema.Struct({
+        id: Schema.String,
+        name: Schema.String,
+        displayName: Schema.String,
+    }),
+    pubKeyCredParams: Schema.Array(Schema.Struct({ type: Schema.Literal('public-key'), alg: Schema.Number })),
+    timeout: Schema.optional(Schema.Number),
+    attestation: Schema.optional(Schema.String),
+    authenticatorSelection: Schema.optional(Schema.Struct({
+        authenticatorAttachment: Schema.optional(Schema.Literal('platform', 'cross-platform')),
+        residentKey: Schema.optional(Schema.Literal('discouraged', 'preferred', 'required')),
+        userVerification: Schema.optional(Schema.Literal('discouraged', 'preferred', 'required')),
+    })),
+    userHandle: Schema.String,
+});
+export const PasskeySignupVerifyRequest = Schema.Struct({
+    email: Schema.String,
+    userHandle: Schema.String,
+    credential: Schema.Unknown, // RegistrationResponseJSON — shape varies by browser
+    deviceName: Schema.optional(Schema.String),
+});
+export const PasskeySignupVerifyResponse = Schema.Struct({
+    accessToken: Schema.String,
+    refreshToken: Schema.String,
+    expiresIn: Schema.Number,
+    user: Schema.Struct({
+        id: Schema.String,
+        email: Schema.String,
+        name: Schema.NullOr(Schema.String),
+        role: Schema.String,
+    }),
+    passkey: Schema.Struct({
+        id: Schema.String,
+        authenticatorAttachment: Schema.NullOr(Schema.Literal('platform', 'cross-platform')),
+        backupState: Schema.NullOr(Schema.Boolean),
+        aaguid: Schema.NullOr(Schema.String),
+    }),
+});
+export const PasskeyPolicyViolationResponse = Schema.Struct({
+    error: Schema.Literal('policy_violation'),
+    code: Schema.Literal('device_bound_required', 'aaguid_not_allowed'),
+    message: Schema.String,
+});
+export const PrimaryAuthMethodResponse = Schema.Struct({
+    userId: Schema.String,
+    primaryAuthMethod: Schema.Literal('passkey', 'password'),
+});
+// ============================================================================
+// Org Auth Policy — ADR-089 Phase 5.11 / S26
+// ============================================================================
+export const OrgAuthPolicy = Schema.Struct({
+    orgId: Schema.String,
+    requirePasskeyForSignup: Schema.Boolean,
+    requireDeviceBoundPasskeys: Schema.Boolean,
+    allowedAaguids: Schema.Array(Schema.String),
+    updatedAt: Schema.String,
+    updatedBy: Schema.NullOr(Schema.String),
+});
+export const OrgAuthPolicyUpdateRequest = Schema.Struct({
+    requirePasskeyForSignup: Schema.optional(Schema.Boolean),
+    requireDeviceBoundPasskeys: Schema.optional(Schema.Boolean),
+    allowedAaguids: Schema.optional(Schema.Array(Schema.String)),
+});