@sylphx/contract 0.2.1 → 0.4.0

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @sylphx/contract
 
+## 0.4.0
+
+### Minor Changes
+
+- [#469](https://github.com/SylphxAI/platform/pull/469) [`ba02c04`](https://github.com/SylphxAI/platform/commit/ba02c0412712dc8a5f19d17c16707eb5ae11ec47) Thanks [@shtse8](https://github.com/shtse8)! - Replace the legacy storage upload-token surface with ADR-100 storage uploads v2: upload sessions, multipart resume, file actions, soft-delete/restore, signed URLs, copy, and version restore are now contract-first with no legacy alias envelopes.
+
+## 0.3.0
+
+### Minor Changes
+
+- [`03dbd29`](https://github.com/SylphxAI/platform/commit/03dbd2986024fa650378e10958890d6ac063f516) Thanks [@shtse8](https://github.com/shtse8)! - Add a privacy-preserving public auth resend-verification contract and SDK helper.
+
 ## 0.2.0
 
 ### Minor Changes

package/dist/endpoint.d.ts

@@ -46,6 +46,12 @@ export interface Endpoint<Method extends HttpMethod = HttpMethod, Path extends s
      * that customers never consume (super-admin platform administration).
      */
     readonly plane?: 'management' | 'baas' | 'admin';
+    /**
+     * OpenAPI security requirements. Omit for the default bearerAuth contract;
+     * use an empty array for deliberately public endpoints such as sign-in and
+     * email verification resend.
+     */
+    readonly security?: readonly string[];
     /** LLM-targeted description emitted as `x-agent-hint` (OpenAPI 4 forward-compat). */
     readonly agentHint?: string;
 }

package/dist/endpoint.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"endpoint.d.ts","sourceRoot":"","sources":["../src/endpoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAEpC,qDAAqD;AACrD,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAA;AAEpE;;;;;;;;GAQG;AACH,MAAM,WAAW,QAAQ,CACxB,MAAM,SAAS,UAAU,GAAG,UAAU,EACtC,IAAI,SAAS,MAAM,GAAG,MAAM,EAE5B,MAAM,SAAS,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,GAAG,GAAG,EAE/D,KAAK,SAAS,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,GAAG,GAAG,EAE9D,IAAI,SAAS,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,GAAG,GAAG,EAE7D,QAAQ,SAAS,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC;IAEhF,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAA;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAA;IACtB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,CAAA;IACpB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAA;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAA;IACtE,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IACjC;;;;;;;;;OASG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,YAAY,GAAG,MAAM,GAAG,OAAO,CAAA;IAChD,qFAAqF;IACrF,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,SAAS,UAAU,EACzB,IAAI,SAAS,MAAM,EACnB,MAAM,SAAS,MAAM,CAAC,MAAM,CAAC,YAAY,GAAG,SAAS,EACrD,KAAK,SAAS,MAAM,CAAC,MAAM,CAAC,YAAY,GAAG,SAAS,EACpD,IAAI,SAAS,MAAM,CAAC,MAAM,CAAC,YAAY,GAAG,SAAS,EACnD,QAAQ,SAAS,MAAM,CAAC,MAAM,CAAC,YAAY,EAE3C,UAAU,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAC,KAC7D,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAa,CAAA;AAEpE;;;;;;;GAOG;AACH,MAAM,WAAW,aAAa;IAC7B,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,QAAQ,GAAG,aAAa,CAAA;CAChD"}
+{"version":3,"file":"endpoint.d.ts","sourceRoot":"","sources":["../src/endpoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAEpC,qDAAqD;AACrD,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,OAAO,GAAG,QAAQ,CAAA;AAEpE;;;;;;;;GAQG;AACH,MAAM,WAAW,QAAQ,CACxB,MAAM,SAAS,UAAU,GAAG,UAAU,EACtC,IAAI,SAAS,MAAM,GAAG,MAAM,EAE5B,MAAM,SAAS,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,GAAG,GAAG,EAE/D,KAAK,SAAS,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,GAAG,GAAG,EAE9D,IAAI,SAAS,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,SAAS,GAAG,GAAG,EAE7D,QAAQ,SAAS,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,EAAE,KAAK,CAAC;IAEhF,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAA;IACnB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAA;IACtB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,CAAA;IACpB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAA;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAA;IACtE,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IACjC;;;;;;;;;OASG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,YAAY,GAAG,MAAM,GAAG,OAAO,CAAA;IAChD;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IACrC,qFAAqF;IACrF,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAC3B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,SAAS,UAAU,EACzB,IAAI,SAAS,MAAM,EACnB,MAAM,SAAS,MAAM,CAAC,MAAM,CAAC,YAAY,GAAG,SAAS,EACrD,KAAK,SAAS,MAAM,CAAC,MAAM,CAAC,YAAY,GAAG,SAAS,EACpD,IAAI,SAAS,MAAM,CAAC,MAAM,CAAC,YAAY,GAAG,SAAS,EACnD,QAAQ,SAAS,MAAM,CAAC,MAAM,CAAC,YAAY,EAE3C,UAAU,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAC,KAC7D,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,CAAa,CAAA;AAEpE;;;;;;;GAOG;AACH,MAAM,WAAW,aAAa;IAC7B,QAAQ,EAAE,GAAG,EAAE,MAAM,GAAG,QAAQ,GAAG,aAAa,CAAA;CAChD"}

package/dist/endpoints/admin-projects.d.ts

@@ -112,6 +112,35 @@ export declare const adminProjectsEndpoints: {
         secretKey: typeof import("effect/Schema").String;
         publicKey: typeof import("effect/Schema").String;
     }>>;
+    readonly rotateEnvironmentCredentials: import("../endpoint.js").Endpoint<"POST", "/operator/projects/environments/:environmentId/credentials/rotate", import("effect/Schema").Struct<{
+        environmentId: typeof import("effect/Schema").String;
+    }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+        reason: import("effect/Schema").filter<import("effect/Schema").filter<typeof import("effect/Schema").String>>;
+        syncDeploymentSecret: import("effect/Schema").optional<typeof import("effect/Schema").Boolean>;
+    }>, import("effect/Schema").Struct<{
+        environmentId: typeof import("effect/Schema").String;
+        envType: import("effect/Schema").Literal<["development", "staging", "production"]>;
+        secretKey: typeof import("effect/Schema").String;
+        publicKey: typeof import("effect/Schema").String;
+        syncedDeploymentSecret: typeof import("effect/Schema").Boolean;
+        queued: typeof import("effect/Schema").Boolean;
+        generation: typeof import("effect/Schema").Number;
+    }>>;
+    readonly rotateEnvironmentCredentialsBySlug: import("../endpoint.js").Endpoint<"POST", "/operator/projects/by-slug/:projectSlug/environments/:environmentName/credentials/rotate", import("effect/Schema").Struct<{
+        projectSlug: typeof import("effect/Schema").String;
+        environmentName: typeof import("effect/Schema").String;
+    }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Struct<{
+        reason: import("effect/Schema").filter<import("effect/Schema").filter<typeof import("effect/Schema").String>>;
+        syncDeploymentSecret: import("effect/Schema").optional<typeof import("effect/Schema").Boolean>;
+    }>, import("effect/Schema").Struct<{
+        environmentId: typeof import("effect/Schema").String;
+        envType: import("effect/Schema").Literal<["development", "staging", "production"]>;
+        secretKey: typeof import("effect/Schema").String;
+        publicKey: typeof import("effect/Schema").String;
+        syncedDeploymentSecret: typeof import("effect/Schema").Boolean;
+        queued: typeof import("effect/Schema").Boolean;
+        generation: typeof import("effect/Schema").Number;
+    }>>;
     readonly platformResources: import("../endpoint.js").Endpoint<"GET", "/operator/projects/:id/platform-resources", import("effect/Schema").Struct<{
         id: typeof import("effect/Schema").String;
     }>, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Schema.AnyNoContext | undefined, import("effect/Schema").Array$<import("effect/Schema").Struct<{

package/dist/endpoints/admin-projects.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin-projects.d.ts","sourceRoot":"","sources":["../../src/endpoints/admin-projects.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAkBH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiEzB,CAAA"}
+{"version":3,"file":"admin-projects.d.ts","sourceRoot":"","sources":["../../src/endpoints/admin-projects.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAqBH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgGzB,CAAA"}

package/dist/endpoints/admin-projects.js

@@ -5,7 +5,7 @@
  * Production mount: `/admin/projects/*`.
  */
 import { defineEndpoint } from '../endpoint.js';
-import { AdminCreateProjectInput, AdminCreateProjectResult, AdminDeleteProjectResult, AdminEnvironmentIdParams, AdminGetProjectResult, AdminListProjectsQuery, AdminListProjectsResult, AdminPlatformResourcesResult, AdminProjectIdParams, AdminRegenerateSecretKeyResult, AdminUpdateProjectInput, AdminUpdateProjectResult, } from '../schemas/admin-projects.js';
+import { AdminCreateProjectInput, AdminCreateProjectResult, AdminDeleteProjectResult, AdminEnvironmentIdParams, AdminEnvironmentSlugParams, AdminGetProjectResult, AdminListProjectsQuery, AdminListProjectsResult, AdminPlatformResourcesResult, AdminProjectIdParams, AdminRegenerateSecretKeyResult, AdminRotateEnvironmentCredentialsInput, AdminRotateEnvironmentCredentialsResult, AdminUpdateProjectInput, AdminUpdateProjectResult, } from '../schemas/admin-projects.js';
 export const adminProjectsEndpoints = {
     list: defineEndpoint({
         method: 'GET',
@@ -62,6 +62,35 @@ export const adminProjectsEndpoints = {
         summary: 'Regenerate environment secret key (super_admin only)',
         tags: ['admin-projects'],
     }),
+    rotateEnvironmentCredentials: defineEndpoint({
+        method: 'POST',
+        path: '/operator/projects/environments/:environmentId/credentials/rotate',
+        params: AdminEnvironmentIdParams,
+        body: AdminRotateEnvironmentCredentialsInput,
+        response: AdminRotateEnvironmentCredentialsResult,
+        plane: 'management',
+        summary: 'Rotate environment BaaS credentials and optionally sync deployed app secret',
+        description: 'Operator-only credential rotation for an environment. Generates a new ' +
+            '`sk_*`/`pk_*` pair, stores only the secret hash on the environment, ' +
+            'optionally writes the raw secret once into the environment shared ' +
+            '`SYLPHX_SECRET_KEY` app secret, emits audit, and queues reconciliation. ' +
+            'Requires a service token carrying `platform:admin` and `platform:secrets:rotate`.',
+        tags: ['admin-projects'],
+    }),
+    rotateEnvironmentCredentialsBySlug: defineEndpoint({
+        method: 'POST',
+        path: '/operator/projects/by-slug/:projectSlug/environments/:environmentName/credentials/rotate',
+        params: AdminEnvironmentSlugParams,
+        body: AdminRotateEnvironmentCredentialsInput,
+        response: AdminRotateEnvironmentCredentialsResult,
+        plane: 'management',
+        summary: 'Rotate environment BaaS credentials by project slug and environment name',
+        description: 'Operator-only credential rotation for a named environment on a project slug. ' +
+            'This is the human/operator selector variant of the TypeID route; it does not ' +
+            'accept raw UUIDs. Requires a service token carrying `platform:admin` and ' +
+            '`platform:secrets:rotate`.',
+        tags: ['admin-projects'],
+    }),
     platformResources: defineEndpoint({
         method: 'GET',
         path: '/operator/projects/:id/platform-resources',

package/dist/endpoints/auth.d.ts

@@ -29,6 +29,12 @@ export declare const authEndpoints: {
         email: typeof Schema.String;
         emailVerified: typeof Schema.Boolean;
     }>>;
+    readonly resendEmailVerification: import("../endpoint.js").Endpoint<"POST", "/auth/resend-verification", Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Struct<{
+        email: Schema.filter<typeof Schema.String>;
+    }>, Schema.Struct<{
+        success: Schema.Literal<[true]>;
+        message: typeof Schema.String;
+    }>>;
     readonly signOut: import("../endpoint.js").Endpoint<"POST", "/auth/logout", Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Struct<{
         success: typeof Schema.Boolean;
     }>>;
@@ -41,6 +47,47 @@ export declare const authEndpoints: {
             emailVerified: typeof Schema.Boolean;
         }>>;
     }>>;
+    readonly getPrincipal: import("../endpoint.js").Endpoint<"GET", "/auth/principal", Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Union<[Schema.Struct<{
+        principalType: Schema.Literal<["user"]>;
+        user: Schema.Struct<{
+            id: Schema.brand<Schema.filter<typeof Schema.String>, "UserId">;
+            email: typeof Schema.String;
+            name: Schema.NullOr<typeof Schema.String>;
+        }>;
+        orgs: Schema.Array$<Schema.Struct<{
+            id: Schema.brand<Schema.filter<typeof Schema.String>, "OrgId">;
+            slug: typeof Schema.String;
+            name: typeof Schema.String;
+            email: Schema.optional<Schema.NullOr<typeof Schema.String>>;
+            billingEmail: Schema.optional<Schema.NullOr<typeof Schema.String>>;
+            logoUrl: Schema.optional<Schema.NullOr<typeof Schema.String>>;
+            metadata: Schema.optional<Schema.NullOr<Schema.Record$<typeof Schema.String, typeof Schema.Unknown>>>;
+            createdAt: Schema.optional<typeof Schema.String>;
+        }>>;
+    }>, Schema.Struct<{
+        principalType: Schema.Literal<["service_token"]>;
+        serviceToken: Schema.Struct<{
+            id: typeof Schema.String;
+            name: typeof Schema.String;
+            tokenType: Schema.Literal<["service", "oidc"]>;
+            tokenPrefix: Schema.NullOr<typeof Schema.String>;
+            orgId: typeof Schema.String;
+            projectId: Schema.NullOr<typeof Schema.String>;
+            environmentId: Schema.NullOr<typeof Schema.String>;
+            scopes: Schema.Array$<typeof Schema.String>;
+            expiresAt: Schema.NullOr<typeof Schema.String>;
+        }>;
+        org: Schema.Struct<{
+            id: Schema.brand<Schema.filter<typeof Schema.String>, "OrgId">;
+            slug: typeof Schema.String;
+            name: typeof Schema.String;
+            email: Schema.optional<Schema.NullOr<typeof Schema.String>>;
+            billingEmail: Schema.optional<Schema.NullOr<typeof Schema.String>>;
+            logoUrl: Schema.optional<Schema.NullOr<typeof Schema.String>>;
+            metadata: Schema.optional<Schema.NullOr<Schema.Record$<typeof Schema.String, typeof Schema.Unknown>>>;
+            createdAt: Schema.optional<typeof Schema.String>;
+        }>;
+    }>]>>;
     readonly deviceInit: import("../endpoint.js").Endpoint<"POST", "/auth/device", Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Struct<{
         client_id: typeof Schema.String;
         scope: Schema.optional<Schema.Array$<typeof Schema.String>>;

package/dist/endpoints/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/endpoints/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAoC/B,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyMhB,CAAA"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/endpoints/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAuC/B,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2NhB,CAAA"}

package/dist/endpoints/auth.js

@@ -9,7 +9,7 @@
  */
 import { Schema } from 'effect';
 import { defineEndpoint } from '../endpoint.js';
-import { AuthUserDeleteRequest, AuthUserDeleteResponse, AuthUserExportResponse, DeviceApproveRequest, DeviceApproveResponse, DeviceDenyRequest, DeviceDenyResponse, DeviceInitRequest, DeviceInitResponse, DevicePollResponse, OAuthIntrospectRequest, OAuthIntrospectResponse, OAuthRevokeRequest, OAuthRevokeResponse, PlatformPasswordChangeRequest, PlatformPasswordChangeResponse, PlatformPasswordSetRequest, PlatformPasswordSetResponse, PlatformPasswordStatusResponse, PlatformSessionRenameRequest, PlatformSessionRenameResponse, PlatformSessionRevokeAllResponse, PlatformSessionRevokeOtherResponse, PlatformSessionRevokeRequest, PlatformSessionRevokeResponse, PlatformSessionsListResponse, SessionResult, SignInInput, SignInResult, SignUpInput, SignUpResult, } from '../schemas/auth.js';
+import { AuthenticatedPrincipal, AuthUserDeleteRequest, AuthUserDeleteResponse, AuthUserExportResponse, DeviceApproveRequest, DeviceApproveResponse, DeviceDenyRequest, DeviceDenyResponse, DeviceInitRequest, DeviceInitResponse, DevicePollResponse, OAuthIntrospectRequest, OAuthIntrospectResponse, OAuthRevokeRequest, OAuthRevokeResponse, PlatformPasswordChangeRequest, PlatformPasswordChangeResponse, PlatformPasswordSetRequest, PlatformPasswordSetResponse, PlatformPasswordStatusResponse, PlatformSessionRenameRequest, PlatformSessionRenameResponse, PlatformSessionRevokeAllResponse, PlatformSessionRevokeOtherResponse, PlatformSessionRevokeRequest, PlatformSessionRevokeResponse, PlatformSessionsListResponse, ResendEmailVerificationRequest, ResendEmailVerificationResponse, SessionResult, SignInInput, SignInResult, SignUpInput, SignUpResult, } from '../schemas/auth.js';
 export const authEndpoints = {
     signIn: defineEndpoint({
         method: 'POST',
@@ -18,6 +18,7 @@ export const authEndpoints = {
         response: SignInResult,
         summary: 'Sign in with email + password (may return 2FA challenge)',
         tags: ['auth'],
+        security: [],
     }),
     signUp: defineEndpoint({
         method: 'POST',
@@ -26,6 +27,16 @@ export const authEndpoints = {
         response: SignUpResult,
         summary: 'Register a new user with email + password',
         tags: ['auth'],
+        security: [],
+    }),
+    resendEmailVerification: defineEndpoint({
+        method: 'POST',
+        path: '/auth/resend-verification',
+        body: ResendEmailVerificationRequest,
+        response: ResendEmailVerificationResponse,
+        summary: 'Resend a privacy-preserving email verification link',
+        tags: ['auth'],
+        security: [],
     }),
     signOut: defineEndpoint({
         method: 'POST',
@@ -41,6 +52,13 @@ export const authEndpoints = {
         summary: 'Get the current authenticated session (null when absent)',
         tags: ['auth'],
     }),
+    getPrincipal: defineEndpoint({
+        method: 'GET',
+        path: '/auth/principal',
+        response: AuthenticatedPrincipal,
+        summary: 'Get the current authenticated user or service-token principal',
+        tags: ['auth', 'principal'],
+    }),
     deviceInit: defineEndpoint({
         method: 'POST',
         path: '/auth/device',

package/dist/endpoints/branch-databases.d.ts

@@ -8,68 +8,67 @@
  * environment. The `:id` params correspond to `projects.id` and
  * `project_environments.id` (the preview env's environment row).
  *
- * See `docs/design/branch-db-per-preview.md` for the full design — this file
- * is the scaffolded contract; actual CNPG provisioning lands in the
- * controller (ops follow-up).
+ * See `docs/design/branch-db-per-preview.md` for the full design. The
+ * controller owns CNPG provisioning and teardown.
  */
 import { Schema } from 'effect';
 export declare const branchDatabasesEndpoints: {
     readonly list: import("../endpoint.js").Endpoint<"GET", "/projects/:id/preview-envs/branch-dbs", Schema.Struct<{
-        id: typeof Schema.String;
+        id: Schema.brand<Schema.filter<typeof Schema.String>, "ProjectId">;
     }>, Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Struct<{
         branches: Schema.Array$<Schema.Struct<{
-            id: typeof Schema.String;
-            projectId: typeof Schema.String;
-            envId: typeof Schema.String;
-            sourceDbId: typeof Schema.String;
+            id: Schema.brand<Schema.filter<typeof Schema.String>, "BranchDatabaseId">;
+            projectId: Schema.brand<Schema.filter<typeof Schema.String>, "ProjectId">;
+            envId: Schema.brand<Schema.filter<typeof Schema.String>, "EnvironmentId">;
+            sourceDbId: Schema.brand<Schema.filter<typeof Schema.String>, "ResourceId">;
             cnpgClusterName: Schema.NullOr<typeof Schema.String>;
             connectionString: Schema.NullOr<typeof Schema.String>;
             dataMode: Schema.Literal<["none", "last-1d", "last-7d", "all"]>;
-            status: Schema.Literal<["provisioning", "ready", "destroyed", "degraded"]>;
+            status: Schema.Literal<["provisioning", "ready", "destroying", "destroyed", "degraded"]>;
             createdAt: typeof Schema.String;
             destroyedAt: Schema.NullOr<typeof Schema.String>;
         }>>;
     }>>;
     readonly create: import("../endpoint.js").Endpoint<"POST", "/projects/:id/preview-envs/:envId/branch-db", Schema.Struct<{
-        id: typeof Schema.String;
-        envId: typeof Schema.String;
+        id: Schema.brand<Schema.filter<typeof Schema.String>, "ProjectId">;
+        envId: Schema.brand<Schema.filter<typeof Schema.String>, "EnvironmentId">;
     }>, Schema.Schema.AnyNoContext | undefined, Schema.Struct<{
-        previewEnvId: typeof Schema.String;
+        previewEnvId: Schema.brand<Schema.filter<typeof Schema.String>, "EnvironmentId">;
         withData: Schema.optional<Schema.Literal<["none", "last-1d", "last-7d", "all"]>>;
     }>, Schema.Struct<{
-        id: typeof Schema.String;
-        projectId: typeof Schema.String;
-        envId: typeof Schema.String;
-        sourceDbId: typeof Schema.String;
+        id: Schema.brand<Schema.filter<typeof Schema.String>, "BranchDatabaseId">;
+        projectId: Schema.brand<Schema.filter<typeof Schema.String>, "ProjectId">;
+        envId: Schema.brand<Schema.filter<typeof Schema.String>, "EnvironmentId">;
+        sourceDbId: Schema.brand<Schema.filter<typeof Schema.String>, "ResourceId">;
         cnpgClusterName: Schema.NullOr<typeof Schema.String>;
         connectionString: Schema.NullOr<typeof Schema.String>;
         dataMode: Schema.Literal<["none", "last-1d", "last-7d", "all"]>;
-        status: Schema.Literal<["provisioning", "ready", "destroyed", "degraded"]>;
+        status: Schema.Literal<["provisioning", "ready", "destroying", "destroyed", "degraded"]>;
         createdAt: typeof Schema.String;
         destroyedAt: Schema.NullOr<typeof Schema.String>;
     }>>;
     readonly get: import("../endpoint.js").Endpoint<"GET", "/projects/:id/preview-envs/:envId/branch-db", Schema.Struct<{
-        id: typeof Schema.String;
-        envId: typeof Schema.String;
+        id: Schema.brand<Schema.filter<typeof Schema.String>, "ProjectId">;
+        envId: Schema.brand<Schema.filter<typeof Schema.String>, "EnvironmentId">;
     }>, Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Struct<{
-        id: typeof Schema.String;
-        projectId: typeof Schema.String;
-        envId: typeof Schema.String;
-        sourceDbId: typeof Schema.String;
+        id: Schema.brand<Schema.filter<typeof Schema.String>, "BranchDatabaseId">;
+        projectId: Schema.brand<Schema.filter<typeof Schema.String>, "ProjectId">;
+        envId: Schema.brand<Schema.filter<typeof Schema.String>, "EnvironmentId">;
+        sourceDbId: Schema.brand<Schema.filter<typeof Schema.String>, "ResourceId">;
         cnpgClusterName: Schema.NullOr<typeof Schema.String>;
         connectionString: Schema.NullOr<typeof Schema.String>;
         dataMode: Schema.Literal<["none", "last-1d", "last-7d", "all"]>;
-        status: Schema.Literal<["provisioning", "ready", "destroyed", "degraded"]>;
+        status: Schema.Literal<["provisioning", "ready", "destroying", "destroyed", "degraded"]>;
         createdAt: typeof Schema.String;
         destroyedAt: Schema.NullOr<typeof Schema.String>;
     }>>;
     readonly destroy: import("../endpoint.js").Endpoint<"DELETE", "/projects/:id/preview-envs/:envId/branch-db", Schema.Struct<{
-        id: typeof Schema.String;
-        envId: typeof Schema.String;
+        id: Schema.brand<Schema.filter<typeof Schema.String>, "ProjectId">;
+        envId: Schema.brand<Schema.filter<typeof Schema.String>, "EnvironmentId">;
     }>, Schema.Schema.AnyNoContext | undefined, Schema.Schema.AnyNoContext | undefined, Schema.Struct<{
         success: typeof Schema.Boolean;
-        branchId: typeof Schema.String;
-        status: Schema.Literal<["provisioning", "ready", "destroyed", "degraded"]>;
+        branchId: Schema.brand<Schema.filter<typeof Schema.String>, "BranchDatabaseId">;
+        status: Schema.Literal<["provisioning", "ready", "destroying", "destroyed", "degraded"]>;
     }>>;
 };
 //# sourceMappingURL=branch-databases.d.ts.map

package/dist/endpoints/branch-databases.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"branch-databases.d.ts","sourceRoot":"","sources":["../../src/endpoints/branch-databases.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAiB/B,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuC3B,CAAA"}
+{"version":3,"file":"branch-databases.d.ts","sourceRoot":"","sources":["../../src/endpoints/branch-databases.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAkB/B,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAuC3B,CAAA"}

package/dist/endpoints/branch-databases.js

@@ -8,18 +8,18 @@
  * environment. The `:id` params correspond to `projects.id` and
  * `project_environments.id` (the preview env's environment row).
  *
- * See `docs/design/branch-db-per-preview.md` for the full design — this file
- * is the scaffolded contract; actual CNPG provisioning lands in the
- * controller (ops follow-up).
+ * See `docs/design/branch-db-per-preview.md` for the full design. The
+ * controller owns CNPG provisioning and teardown.
  */
 import { Schema } from 'effect';
 import { defineEndpoint } from '../endpoint.js';
 import { BranchDatabase, CreateBranchDatabaseInput, DestroyBranchDatabaseResult, GetBranchDatabaseResult, ListBranchDatabasesResult, } from '../schemas/branch-database.js';
+import { EnvironmentId, ProjectId } from '../schemas/ids.js';
 const ProjectEnvPath = Schema.Struct({
-    id: Schema.String,
-    envId: Schema.String,
+    id: ProjectId,
+    envId: EnvironmentId,
 });
-const ProjectIdPath = Schema.Struct({ id: Schema.String });
+const ProjectIdPath = Schema.Struct({ id: ProjectId });
 export const branchDatabasesEndpoints = {
     list: defineEndpoint({
         method: 'GET',
@@ -55,7 +55,7 @@ export const branchDatabasesEndpoints = {
         params: ProjectEnvPath,
         response: DestroyBranchDatabaseResult,
         plane: 'management',
-        summary: 'Destroy a branch database (tombstones the row; reclaims PVCs)',
+        summary: 'Schedule branch database teardown (controller reclaims PVCs asynchronously)',
         tags: ['branch-databases'],
     }),
 };