npm - @sylphx/management - Versions diffs - 0.1.0 → 0.2.0 - Mend

@sylphx/management 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (259) hide show

package/CHANGELOG.md +88 -0
package/LICENSE +21 -0
package/README.md +157 -101
package/dist/admin.d.ts +141 -0
package/dist/admin.d.ts.map +1 -0
package/dist/admin.js +96 -0
package/dist/adminBootstrap.d.ts +46 -0
package/dist/adminBootstrap.d.ts.map +1 -0
package/dist/adminBootstrap.js +33 -0
package/dist/adminBuilds.d.ts +72 -0
package/dist/adminBuilds.d.ts.map +1 -0
package/dist/adminBuilds.js +29 -0
package/dist/adminEnvServices.d.ts +41 -0
package/dist/adminEnvServices.d.ts.map +1 -0
package/dist/adminEnvServices.js +22 -0
package/dist/adminRateLimits.d.ts +61 -0
package/dist/adminRateLimits.d.ts.map +1 -0
package/dist/adminRateLimits.js +44 -0
package/dist/adminReconcile.d.ts +45 -0
package/dist/adminReconcile.d.ts.map +1 -0
package/dist/adminReconcile.js +20 -0
package/dist/adminResources.d.ts +97 -0
package/dist/adminResources.d.ts.map +1 -0
package/dist/adminResources.js +40 -0
package/dist/adminSecrets.d.ts +60 -0
package/dist/adminSecrets.d.ts.map +1 -0
package/dist/adminSecrets.js +43 -0
package/dist/adminTenants.d.ts +41 -0
package/dist/adminTenants.d.ts.map +1 -0
package/dist/adminTenants.js +29 -0
package/dist/ai.d.ts +148 -0
package/dist/ai.d.ts.map +1 -0
package/dist/ai.js +29 -0
package/dist/analytics.d.ts +49 -0
package/dist/analytics.d.ts.map +1 -0
package/dist/analytics.js +23 -0
package/dist/auth.d.ts +39 -0
package/dist/auth.d.ts.map +1 -0
package/dist/auth.js +27 -0
package/dist/authSettings.d.ts +71 -0
package/dist/authSettings.d.ts.map +1 -0
package/dist/authSettings.js +39 -0
package/dist/backups.d.ts +66 -0
package/dist/backups.d.ts.map +1 -0
package/dist/backups.js +32 -0
package/dist/billing.d.ts +105 -0
package/dist/billing.d.ts.map +1 -0
package/dist/billing.js +42 -0
package/dist/billingSettings.d.ts +78 -0
package/dist/billingSettings.d.ts.map +1 -0
package/dist/billingSettings.js +54 -0
package/dist/branchDatabases.d.ts +53 -0
package/dist/branchDatabases.d.ts.map +1 -0
package/dist/branchDatabases.js +38 -0
package/dist/certs.d.ts +63 -0
package/dist/certs.d.ts.map +1 -0
package/dist/certs.js +28 -0
package/dist/ciSettings.d.ts +77 -0
package/dist/ciSettings.d.ts.map +1 -0
package/dist/ciSettings.js +41 -0
package/dist/client.d.ts +36 -38
package/dist/client.d.ts.map +1 -1
package/dist/client.js +32 -90
package/dist/consent.d.ts +111 -0
package/dist/consent.d.ts.map +1 -0
package/dist/consent.js +35 -0
package/dist/databases.d.ts +17 -0
package/dist/databases.d.ts.map +1 -0
package/dist/databases.js +32 -0
package/dist/deployments.d.ts +22 -0
package/dist/deployments.d.ts.map +1 -0
package/dist/deployments.js +39 -0
package/dist/domains.d.ts +26 -0
package/dist/domains.d.ts.map +1 -0
package/dist/domains.js +39 -0
package/dist/edgeDeployments.d.ts +43 -0
package/dist/edgeDeployments.d.ts.map +1 -0
package/dist/edgeDeployments.js +32 -0
package/dist/email.d.ts +45 -0
package/dist/email.d.ts.map +1 -0
package/dist/email.js +21 -0
package/dist/engagement.d.ts +100 -0
package/dist/engagement.d.ts.map +1 -0
package/dist/engagement.js +28 -0
package/dist/envVars.d.ts +17 -0
package/dist/envVars.d.ts.map +1 -0
package/dist/envVars.js +34 -0
package/dist/environments.d.ts +41 -0
package/dist/environments.d.ts.map +1 -0
package/dist/environments.js +54 -0
package/dist/errors.d.ts +8 -3
package/dist/errors.d.ts.map +1 -1
package/dist/errors.js +8 -2
package/dist/experiments.d.ts +80 -0
package/dist/experiments.d.ts.map +1 -0
package/dist/experiments.js +23 -0
package/dist/flags.d.ts +85 -0
package/dist/flags.d.ts.map +1 -0
package/dist/flags.js +25 -0
package/dist/functions.d.ts +39 -0
package/dist/functions.d.ts.map +1 -0
package/dist/functions.js +40 -0
package/dist/github.d.ts +33 -0
package/dist/github.d.ts.map +1 -0
package/dist/github.js +22 -0
package/dist/http.d.ts +28 -0
package/dist/http.d.ts.map +1 -0
package/dist/http.js +71 -0
package/dist/index.d.ts +85 -20
package/dist/index.d.ts.map +1 -1
package/dist/index.js +86 -20
package/dist/kv.d.ts +66 -0
package/dist/kv.d.ts.map +1 -0
package/dist/kv.js +36 -0
package/dist/logs.d.ts +14 -0
package/dist/logs.d.ts.map +1 -0
package/dist/logs.js +17 -0
package/dist/management.d.ts +55 -0
package/dist/management.d.ts.map +1 -0
package/dist/management.js +31 -0
package/dist/monitoring.d.ts +65 -0
package/dist/monitoring.d.ts.map +1 -0
package/dist/monitoring.js +29 -0
package/dist/newsletter.d.ts +279 -0
package/dist/newsletter.d.ts.map +1 -0
package/dist/newsletter.js +98 -0
package/dist/notifications.d.ts +30 -0
package/dist/notifications.d.ts.map +1 -0
package/dist/notifications.js +19 -0
package/dist/oidc.d.ts +46 -0
package/dist/oidc.d.ts.map +1 -0
package/dist/oidc.js +25 -0
package/dist/organizations.d.ts +24 -0
package/dist/organizations.d.ts.map +1 -0
package/dist/organizations.js +42 -0
package/dist/plans.d.ts +66 -0
package/dist/plans.d.ts.map +1 -0
package/dist/plans.js +42 -0
package/dist/privacy.d.ts +138 -0
package/dist/privacy.d.ts.map +1 -0
package/dist/privacy.js +41 -0
package/dist/projects.d.ts +14 -0
package/dist/projects.d.ts.map +1 -0
package/dist/projects.js +22 -0
package/dist/realtime.d.ts +33 -0
package/dist/realtime.d.ts.map +1 -0
package/dist/realtime.js +19 -0
package/dist/referrals.d.ts +100 -0
package/dist/referrals.d.ts.map +1 -0
package/dist/referrals.js +33 -0
package/dist/refresh.d.ts +44 -0
package/dist/refresh.d.ts.map +1 -0
package/dist/refresh.js +33 -0
package/dist/remoteConfig.d.ts +15 -0
package/dist/remoteConfig.d.ts.map +1 -0
package/dist/remoteConfig.js +35 -0
package/dist/resourceBindings.d.ts +19 -0
package/dist/resourceBindings.d.ts.map +1 -0
package/dist/resourceBindings.js +24 -0
package/dist/runners.d.ts +60 -0
package/dist/runners.d.ts.map +1 -0
package/dist/runners.js +17 -0
package/dist/saml.d.ts +44 -0
package/dist/saml.d.ts.map +1 -0
package/dist/saml.js +77 -0
package/dist/sandboxes.d.ts +15 -0
package/dist/sandboxes.d.ts.map +1 -0
package/dist/sandboxes.js +18 -0
package/dist/search.d.ts +66 -0
package/dist/search.d.ts.map +1 -0
package/dist/search.js +29 -0
package/dist/secrets.d.ts +50 -0
package/dist/secrets.d.ts.map +1 -0
package/dist/secrets.js +61 -0
package/dist/security.d.ts +58 -0
package/dist/security.d.ts.map +1 -0
package/dist/security.js +49 -0
package/dist/serviceTokenRequests.d.ts +71 -0
package/dist/serviceTokenRequests.d.ts.map +1 -0
package/dist/serviceTokenRequests.js +43 -0
package/dist/serviceTokens.d.ts +65 -0
package/dist/serviceTokens.d.ts.map +1 -0
package/dist/serviceTokens.js +22 -0
package/dist/services.d.ts +10 -0
package/dist/services.d.ts.map +1 -0
package/dist/services.js +15 -0
package/dist/sessionReplay.d.ts +116 -0
package/dist/sessionReplay.d.ts.map +1 -0
package/dist/sessionReplay.js +29 -0
package/dist/storage.d.ts +12 -0
package/dist/storage.d.ts.map +1 -0
package/dist/storage.js +10 -0
package/dist/tasks.d.ts +29 -0
package/dist/tasks.d.ts.map +1 -0
package/dist/tasks.js +29 -0
package/dist/types.d.ts +59 -155
package/dist/types.d.ts.map +1 -1
package/dist/types.js +17 -3
package/dist/user.d.ts +99 -0
package/dist/user.d.ts.map +1 -0
package/dist/user.js +58 -0
package/dist/users.d.ts +9 -0
package/dist/users.d.ts.map +1 -0
package/dist/users.js +11 -0
package/dist/volumes.d.ts +16 -0
package/dist/volumes.d.ts.map +1 -0
package/dist/volumes.js +9 -0
package/dist/webhooks.d.ts +77 -0
package/dist/webhooks.d.ts.map +1 -0
package/dist/webhooks.js +27 -0
package/package.json +194 -5
package/dist/request.d.ts +0 -5
package/dist/request.d.ts.map +0 -1
package/dist/request.js +0 -1
package/dist/resources/config.d.ts +0 -30
package/dist/resources/config.d.ts.map +0 -1
package/dist/resources/config.js +0 -62
package/dist/resources/databases.d.ts +0 -26
package/dist/resources/databases.d.ts.map +0 -1
package/dist/resources/databases.js +0 -29
package/dist/resources/deployments.d.ts +0 -24
package/dist/resources/deployments.d.ts.map +0 -1
package/dist/resources/deployments.js +0 -30
package/dist/resources/domains.d.ts +0 -30
package/dist/resources/domains.d.ts.map +0 -1
package/dist/resources/domains.js +0 -46
package/dist/resources/env-vars.d.ts +0 -19
package/dist/resources/env-vars.d.ts.map +0 -1
package/dist/resources/env-vars.js +0 -30
package/dist/resources/environments.d.ts +0 -16
package/dist/resources/environments.d.ts.map +0 -1
package/dist/resources/environments.js +0 -24
package/dist/resources/logs.d.ts +0 -13
package/dist/resources/logs.d.ts.map +0 -1
package/dist/resources/logs.js +0 -20
package/dist/resources/org.d.ts +0 -15
package/dist/resources/org.d.ts.map +0 -1
package/dist/resources/org.js +0 -25
package/dist/resources/projects.d.ts +0 -19
package/dist/resources/projects.d.ts.map +0 -1
package/dist/resources/projects.js +0 -19
package/dist/resources/resources.d.ts +0 -26
package/dist/resources/resources.d.ts.map +0 -1
package/dist/resources/resources.js +0 -32
package/dist/resources/services.d.ts +0 -21
package/dist/resources/services.d.ts.map +0 -1
package/dist/resources/services.js +0 -30
package/dist/resources/storage.d.ts +0 -21
package/dist/resources/storage.d.ts.map +0 -1
package/dist/resources/storage.js +0 -25
package/dist/resources/tasks.d.ts +0 -42
package/dist/resources/tasks.d.ts.map +0 -1
package/dist/resources/tasks.js +0 -49
package/dist/resources/user.d.ts +0 -9
package/dist/resources/user.d.ts.map +0 -1
package/dist/resources/user.js +0 -10
package/dist/resources/volumes.d.ts +0 -20
package/dist/resources/volumes.d.ts.map +0 -1
package/dist/resources/volumes.js +0 -19

package/dist/admin.js ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * Platform-admin (superuser) surface — quotas, audit logs, invitations,
+ * JWT key rotation, plan governance. Consumed by the internal Console
+ * "Admin" sections; ordinary operators do not call these.
+ *
+ * Mirrors `apps/api/src/server/platform/routes/admin/**`. Paths are
+ * sourced from `@sylphx/contract` admin-* endpoint modules.
+ */
+import { adminAuditEndpoints, adminInvitationsEndpoints, adminJwtKeysEndpoints, adminProjectsEndpoints, adminQuotasEndpoints, adminUsersEndpoints, } from '@sylphx/contract';
+import { interpolatePath, request } from './http.js';
+export const getProjectQuotas = (client, projectId) => {
+    const { method, path } = adminQuotasEndpoints.getProjectQuotas;
+    return request(client, method, interpolatePath(path, { projectId }));
+};
+export const getQuotaStats = (client, projectId) => {
+    const { method, path } = adminQuotasEndpoints.getQuotaStats;
+    return request(client, method, interpolatePath(path, { projectId }));
+};
+export const getQuotaAlerts = (client, projectId) => {
+    const { method, path } = adminQuotasEndpoints.getQuotaAlerts;
+    return request(client, method, interpolatePath(path, { projectId }));
+};
+export const updateProjectQuotas = (client, projectId, body) => {
+    const { method, path } = adminQuotasEndpoints.updateQuota;
+    return request(client, method, interpolatePath(path, { projectId }), { body });
+};
+export const acknowledgeQuotaAlert = (client, alertId) => {
+    const { method, path } = adminQuotasEndpoints.acknowledgeAlert;
+    return request(client, method, interpolatePath(path, { alertId }));
+};
+export const getAuditLogs = (client, query) => {
+    const { method, path } = adminAuditEndpoints.logs;
+    return request(client, method, path, query ? { query } : {});
+};
+export const getAuditActivity = (client) => {
+    const { method, path } = adminAuditEndpoints.activity;
+    return request(client, method, path);
+};
+export const listInvitations = (client) => {
+    const { method, path } = adminInvitationsEndpoints.list;
+    return request(client, method, path);
+};
+export const createInvitation = (client, body) => {
+    const { method, path } = adminInvitationsEndpoints.create;
+    return request(client, method, path, { body });
+};
+export const revokeInvitation = (client, id) => {
+    const { method, path } = adminInvitationsEndpoints.revoke;
+    return request(client, method, interpolatePath(path, { id }));
+};
+export const resendInvitation = (client, id) => {
+    const { method, path } = adminInvitationsEndpoints.resend;
+    return request(client, method, interpolatePath(path, { id }));
+};
+export const listJwtKeys = (client) => {
+    const { method, path } = adminJwtKeysEndpoints.list;
+    return request(client, method, path);
+};
+export const rotateJwtKeys = (client) => {
+    const { method, path } = adminJwtKeysEndpoints.rotate;
+    return request(client, method, path);
+};
+export const retireJwtKey = (client, keyId) => {
+    const { method, path } = adminJwtKeysEndpoints.forceRetire;
+    return request(client, method, interpolatePath(path, { keyId }));
+};
+// ─── Admin project migration (multi-region) ────────────────────────────────
+/**
+ * Trigger a project migration between regions. Phase 4b Matrix-2 gap.
+ * Underlying endpoint on the platform API is
+ * `POST /admin/projects/:id/migrate` — the SDK wraps it directly rather
+ * than going through `adminProjectsEndpoints` because migration is its
+ * own operational concern (drain → cut-over → warm-up).
+ */
+export const migrateProject = (client, projectId, body) => request(client, 'POST', `/admin/projects/${encodeURIComponent(projectId)}/migrate`, { body });
+/**
+ * Regenerate an environment's deploy / API key. Already exposed on
+ * `adminProjectsEndpoints.regenerateKey`; surfaced here under the `admin`
+ * namespace so Console wiring is one-stop.
+ */
+export const regenerateEnvironmentKey = (client, environmentId) => {
+    const { method, path } = adminProjectsEndpoints.regenerateSecretKey;
+    return request(client, method, interpolatePath(path, { environmentId }));
+};
+export const listUsers = (client) => {
+    const { method, path } = adminUsersEndpoints.search;
+    return request(client, method, path);
+};
+export const getUser = (client, userId) => {
+    const { method, path } = adminUsersEndpoints.get;
+    return request(client, method, interpolatePath(path, { userId }));
+};
+export const updateUserRole = (client, userId, body) => {
+    const { method, path } = adminUsersEndpoints.updateRole;
+    return request(client, method, interpolatePath(path, { userId }), { body });
+};

package/dist/adminBootstrap.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * `@sylphx/management/adminBootstrap` — reset the Appwrite-pattern bootstrap window.
+ *
+ * Mirrors `POST /admin/reset-bootstrap-window` in
+ * `apps/api/src/server/platform/routes/admin/bootstrap.ts` (ADR-089 §2.7
+ * Phase 7 Commit B).
+ *
+ * Auth: **platform super-admin session** (cookie). Deliberately NOT a
+ * service-token surface — see the route file's header for rationale.
+ *
+ * Typical use:
+ *
+ *   sylphx admin reset-bootstrap-window
+ *
+ * dispatches here via `requireAuthEffect` + `withAuthedSdk`. Once this
+ * call returns, the operator has ~10 minutes to point the new admin at
+ * `POST /v1/auth/bootstrap-signup` with the `X-Sylphx-Project-Id: platform`
+ * header; after that the window closes itself and the endpoint 404s.
+ */
+import type { Client } from './client.js';
+/**
+ * Confirmation returned by {@link resetWindow}.
+ *
+ * `ttlSeconds` mirrors `BOOTSTRAP_WINDOW_TTL_SECONDS` on the server
+ * (`packages/core/src/lib/bootstrap-window.ts`). Carried on the wire so
+ * CLI output can show an accurate countdown without hard-coding the
+ * value client-side.
+ */
+export interface ResetBootstrapWindowResult {
+    /** Always `true` when the endpoint returns 200. */
+    readonly opened: boolean;
+    /** Seconds until the window closes again. */
+    readonly ttlSeconds: number;
+    /** Operator-facing next-step instruction. */
+    readonly message: string;
+}
+/**
+ * Re-open the bootstrap window for 10 minutes.
+ *
+ * Authenticates as the caller's platform super-admin session. The
+ * server emits an `admin_action` audit event + a
+ * `sylphx_bootstrap_window_reset_total` metric tick for every
+ * invocation, so this call is never silent.
+ */
+export declare const resetWindow: (client: Client) => Promise<ResetBootstrapWindowResult>;
+//# sourceMappingURL=adminBootstrap.d.ts.map

package/dist/adminBootstrap.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"adminBootstrap.d.ts","sourceRoot":"","sources":["../src/adminBootstrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC;;;;;;;GAOG;AACH,MAAM,WAAW,0BAA0B;IAC1C,mDAAmD;IACnD,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;IACxB,6CAA6C;IAC7C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,6CAA6C;IAC7C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CACxB;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,WAAW,GAAI,QAAQ,MAAM,KAAG,OAAO,CAAC,0BAA0B,CAG9E,CAAA"}

package/dist/adminBootstrap.js ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * `@sylphx/management/adminBootstrap` — reset the Appwrite-pattern bootstrap window.
+ *
+ * Mirrors `POST /admin/reset-bootstrap-window` in
+ * `apps/api/src/server/platform/routes/admin/bootstrap.ts` (ADR-089 §2.7
+ * Phase 7 Commit B).
+ *
+ * Auth: **platform super-admin session** (cookie). Deliberately NOT a
+ * service-token surface — see the route file's header for rationale.
+ *
+ * Typical use:
+ *
+ *   sylphx admin reset-bootstrap-window
+ *
+ * dispatches here via `requireAuthEffect` + `withAuthedSdk`. Once this
+ * call returns, the operator has ~10 minutes to point the new admin at
+ * `POST /v1/auth/bootstrap-signup` with the `X-Sylphx-Project-Id: platform`
+ * header; after that the window closes itself and the endpoint 404s.
+ */
+import { adminBootstrapEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * Re-open the bootstrap window for 10 minutes.
+ *
+ * Authenticates as the caller's platform super-admin session. The
+ * server emits an `admin_action` audit event + a
+ * `sylphx_bootstrap_window_reset_total` metric tick for every
+ * invocation, so this call is never silent.
+ */
+export const resetWindow = (client) => {
+    const { method, path } = adminBootstrapEndpoints.resetWindow;
+    return request(client, method, path, { body: {} });
+};

package/dist/adminBuilds.d.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * `@sylphx/management/adminBuilds` — operator recovery for stuck builds.
+ *
+ * Mirrors `POST /admin/builds/reap` in
+ * `apps/api/src/server/platform/routes/admin/builds.ts`. Replaces the raw
+ * `UPDATE build_records SET status='failed' …` historically run from psql
+ * per `docs/runbooks/build-records-stuck-in-building.md`.
+ *
+ * Typical use: an on-call engineer mints a service token scoped to
+ * `platform:builds:reap`, points the CLI (`sylphx admin builds reap`) at
+ * the cluster, and the CLI calls `reap()` here. CI / cron / dashboards
+ * call this SDK directly.
+ *
+ * The API does NOT touch `build_records` rows whose `started_at IS NULL`
+ * (a different failure mode — queue starvation).
+ */
+import type { Client } from './client.js';
+export interface ReapBuildsInput {
+    /**
+     * Window grammar `^[0-9]+(s|m|h|d)$`. Examples: `30m`, `2h`, `1d`. Rows
+     * whose `started_at < NOW() - olderThan` are in the candidate set.
+     */
+    readonly olderThan: string;
+    /**
+     * When true, returns the candidate set without mutating anything.
+     * `reason` becomes optional in this mode.
+     */
+    readonly dryRun?: boolean;
+    /**
+     * Required on the write path (min 3 chars). Goes verbatim into the
+     * audit row + into each reaped row's `failure_reason` column (prefixed
+     * `admin reap: `). Surfaced to the affected customer in Console.
+     */
+    readonly reason?: string;
+    /**
+     * OPS-7 fold-in. When provided, restricts the candidate set to rows
+     * whose `image_digest = <digest>` AND additionally NULLs the column on
+     * each reaped row. Format: `sha256:<64hex>`.
+     */
+    readonly imageDigest?: string;
+}
+export interface ReapBuildsRecord {
+    /** TypeID (`bld_xxx`). */
+    readonly id: string;
+    /** TypeID (`proj_xxx`). */
+    readonly projectId: string;
+    /** TypeID (`env_xxx`). */
+    readonly envId: string;
+    /** ISO-8601. */
+    readonly startedAt: string;
+    /** Wall-clock age at reap time. Floored to whole seconds. */
+    readonly ageSeconds: number;
+}
+export interface ReapBuildsResult {
+    /** Echo of the request flag. */
+    readonly dryRun: boolean;
+    /** Rows transitioned (`0` on dry-run). */
+    readonly reaped: number;
+    /** Rows whose stale `image_digest` was additionally cleared. */
+    readonly digestCleared: number;
+    /** Up to 1000 rows from the candidate set / write set. */
+    readonly records: ReadonlyArray<ReapBuildsRecord>;
+}
+/**
+ * Reap stuck `build_records` rows older than `input.olderThan`. Single
+ * UPDATE statement on the write path; SELECT only on `dryRun=true`.
+ *
+ * Idempotent: re-running with the same window flips zero rows because the
+ * first call already moved them out of `'building'`.
+ */
+export declare const reap: (client: Client, input: ReapBuildsInput) => Promise<ReapBuildsResult>;
+//# sourceMappingURL=adminBuilds.d.ts.map

package/dist/adminBuilds.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"adminBuilds.d.ts","sourceRoot":"","sources":["../src/adminBuilds.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,MAAM,WAAW,eAAe;IAC/B;;;OAGG;IACH,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B;;;OAGG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAA;IACzB;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IACxB;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED,MAAM,WAAW,gBAAgB;IAChC,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,2BAA2B;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,0BAA0B;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,gBAAgB;IAChB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,6DAA6D;IAC7D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAC3B;AAED,MAAM,WAAW,gBAAgB;IAChC,gCAAgC;IAChC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;IACxB,0CAA0C;IAC1C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,gEAAgE;IAChE,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;IAC9B,0DAA0D;IAC1D,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAA;CACjD;AAED;;;;;;GAMG;AACH,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,EAAE,OAAO,eAAe,KAAG,OAAO,CAAC,gBAAgB,CAGrF,CAAA"}

package/dist/adminBuilds.js ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * `@sylphx/management/adminBuilds` — operator recovery for stuck builds.
+ *
+ * Mirrors `POST /admin/builds/reap` in
+ * `apps/api/src/server/platform/routes/admin/builds.ts`. Replaces the raw
+ * `UPDATE build_records SET status='failed' …` historically run from psql
+ * per `docs/runbooks/build-records-stuck-in-building.md`.
+ *
+ * Typical use: an on-call engineer mints a service token scoped to
+ * `platform:builds:reap`, points the CLI (`sylphx admin builds reap`) at
+ * the cluster, and the CLI calls `reap()` here. CI / cron / dashboards
+ * call this SDK directly.
+ *
+ * The API does NOT touch `build_records` rows whose `started_at IS NULL`
+ * (a different failure mode — queue starvation).
+ */
+import { adminBuildsEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * Reap stuck `build_records` rows older than `input.olderThan`. Single
+ * UPDATE statement on the write path; SELECT only on `dryRun=true`.
+ *
+ * Idempotent: re-running with the same window flips zero rows because the
+ * first call already moved them out of `'building'`.
+ */
+export const reap = (client, input) => {
+    const { method, path } = adminBuildsEndpoints.reap;
+    return request(client, method, path, { body: input });
+};

package/dist/adminEnvServices.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * `@sylphx/management/adminEnvServices` — operator repoint of env-service
+ * desired-image pointers (OPS-4).
+ *
+ * Mirrors `POST /admin/env-services/repoint` in
+ * `apps/api/src/server/platform/routes/admin/env-services.ts`. Replaces
+ * the raw `UPDATE environment_services …` historically run from psql
+ * per `docs/how-to/customer-image-gc-outreach.md`.
+ */
+import type { Client } from './client.js';
+export interface RepointEnvServiceInput {
+    /** TypeID (`env_*`) of the target environment. */
+    readonly envId: string;
+    /** Service name within the project (`project_services.name`). */
+    readonly service: string;
+    /** Image digest to repoint to. Format: `sha256:<64hex>`. */
+    readonly digest: string;
+    /** Audit narrative. Min 3 chars. */
+    readonly reason: string;
+}
+export interface RepointEnvServiceResult {
+    /** TypeID (`esvc_*`) of the env_service that was re-pointed. */
+    readonly envServiceId: string;
+    /** Image digest the env_service was previously pointing to (null on first repoint). */
+    readonly previousDigest: string | null;
+    /** Echo of the request `digest`. */
+    readonly newDigest: string;
+    /** TypeID (`dpl_*`) of the deployments row that carries the new pointer. */
+    readonly deploymentId: string;
+    /** `true` iff an existing deployments row was reused instead of inserted. */
+    readonly reused: boolean;
+}
+/**
+ * Repoint an env_service to a specific image digest. The artifact MUST
+ * already exist for `(serviceId, digest)`; the endpoint never mints
+ * artifacts. Returns 404 on any of: env not found, service name not in
+ * project, env_service not attached, artifact missing. Returns 409 if
+ * the env_service is in a terminal lifecycle state.
+ */
+export declare const repoint: (client: Client, input: RepointEnvServiceInput) => Promise<RepointEnvServiceResult>;
+//# sourceMappingURL=adminEnvServices.d.ts.map

package/dist/adminEnvServices.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"adminEnvServices.d.ts","sourceRoot":"","sources":["../src/adminEnvServices.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,MAAM,WAAW,sBAAsB;IACtC,kDAAkD;IAClD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,iEAAiE;IACjE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,4DAA4D;IAC5D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,oCAAoC;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,uBAAuB;IACvC,gEAAgE;IAChE,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,uFAAuF;IACvF,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAA;IACtC,oCAAoC;IACpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,4EAA4E;IAC5E,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,6EAA6E;IAC7E,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;CACxB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,OAAO,GACnB,QAAQ,MAAM,EACd,OAAO,sBAAsB,KAC3B,OAAO,CAAC,uBAAuB,CAGjC,CAAA"}

package/dist/adminEnvServices.js ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * `@sylphx/management/adminEnvServices` — operator repoint of env-service
+ * desired-image pointers (OPS-4).
+ *
+ * Mirrors `POST /admin/env-services/repoint` in
+ * `apps/api/src/server/platform/routes/admin/env-services.ts`. Replaces
+ * the raw `UPDATE environment_services …` historically run from psql
+ * per `docs/how-to/customer-image-gc-outreach.md`.
+ */
+import { adminEnvServicesEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * Repoint an env_service to a specific image digest. The artifact MUST
+ * already exist for `(serviceId, digest)`; the endpoint never mints
+ * artifacts. Returns 404 on any of: env not found, service name not in
+ * project, env_service not attached, artifact missing. Returns 409 if
+ * the env_service is in a terminal lifecycle state.
+ */
+export const repoint = (client, input) => {
+    const { method, path } = adminEnvServicesEndpoints.repoint;
+    return request(client, method, path, { body: input });
+};

package/dist/adminRateLimits.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * `@sylphx/management/adminRateLimits` — operator-driven tuning of
+ * per-credential-type rate-limit multipliers (Production-Ready audit M-3).
+ *
+ * Mirrors `/admin/rate-limits/*` in
+ * `apps/api/src/server/platform/routes/admin/rate-limits.ts`.
+ *
+ * Auth: service token + scope `platform:ratelimits:write`. Super-admin
+ * sessions also pass through `requireScopes` (their `scopes` are `null`),
+ * but the preferred path is a programmatic step in an Ops runbook.
+ *
+ * Typical use:
+ *
+ *   sylphx admin rate-limits list
+ *   sylphx admin rate-limits set --type public --multiplier 0.05 \
+ *     --reason "credential-enumeration alert"
+ *
+ * dispatches here via `requireAuthEffect` + `withAuthedSdk`. The endpoint
+ * upserts the row + triggers `invalidateAndReload()` on the enforcement
+ * layer so the new value is live within seconds.
+ */
+import type { Client } from './client.js';
+/** Credential-type literal — mirrors `AdminRateLimitCredentialType` in the contract. */
+export type AdminRateLimitCredentialType = 'public' | 'secret' | 'service' | 'session' | 'spiffe' | 'unknown';
+export interface AdminRateLimitMultiplierStatus {
+    readonly credentialType: AdminRateLimitCredentialType;
+    readonly multiplier: number;
+    readonly exempt: boolean;
+    readonly notes: string | null;
+    readonly lastUpdatedAt: string | null;
+}
+export interface ListMultipliersResult {
+    readonly multipliers: ReadonlyArray<AdminRateLimitMultiplierStatus>;
+}
+export interface SetMultiplierInput {
+    readonly credentialType: AdminRateLimitCredentialType;
+    readonly multiplier: number;
+    readonly exempt?: boolean;
+    readonly reason: string;
+}
+export interface SetMultiplierResult {
+    readonly updated: AdminRateLimitMultiplierStatus;
+    readonly auditLogId: string | null;
+    readonly message: string;
+}
+/**
+ * List the per-credential-type multipliers currently applied to every
+ * `RateLimitPresets` base limit. Returns one row per credential type from
+ * the closed enumeration (`public`, `secret`, `service`, `session`,
+ * `spiffe`, `unknown`); rows missing in the DB fall back to the live
+ * in-memory cache so the dashboard never sees a hole.
+ */
+export declare const list: (client: Client) => Promise<ListMultipliersResult>;
+/**
+ * Upsert the multiplier (or exempt flag) for a single credential type.
+ * `reason` is required (≥3 chars) and recorded on the audit log. The
+ * server fires `invalidateAndReload()` immediately after the write so the
+ * new value is live within seconds — no 5-minute wait.
+ */
+export declare const set: (client: Client, body: SetMultiplierInput) => Promise<SetMultiplierResult>;
+//# sourceMappingURL=adminRateLimits.d.ts.map

package/dist/adminRateLimits.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"adminRateLimits.d.ts","sourceRoot":"","sources":["../src/adminRateLimits.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,wFAAwF;AACxF,MAAM,MAAM,4BAA4B,GACrC,QAAQ,GACR,QAAQ,GACR,SAAS,GACT,SAAS,GACT,QAAQ,GACR,SAAS,CAAA;AAEZ,MAAM,WAAW,8BAA8B;IAC9C,QAAQ,CAAC,cAAc,EAAE,4BAA4B,CAAA;IACrD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;CACrC;AAED,MAAM,WAAW,qBAAqB;IACrC,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,8BAA8B,CAAC,CAAA;CACnE;AAED,MAAM,WAAW,kBAAkB;IAClC,QAAQ,CAAC,cAAc,EAAE,4BAA4B,CAAA;IACrD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,mBAAmB;IACnC,QAAQ,CAAC,OAAO,EAAE,8BAA8B,CAAA;IAChD,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;IAClC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CACxB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,KAAG,OAAO,CAAC,qBAAqB,CAGlE,CAAA;AAED;;;;;GAKG;AACH,eAAO,MAAM,GAAG,GAAI,QAAQ,MAAM,EAAE,MAAM,kBAAkB,KAAG,OAAO,CAAC,mBAAmB,CAGzF,CAAA"}

package/dist/adminRateLimits.js ADDED Viewed

@@ -0,0 +1,44 @@
+/**
+ * `@sylphx/management/adminRateLimits` — operator-driven tuning of
+ * per-credential-type rate-limit multipliers (Production-Ready audit M-3).
+ *
+ * Mirrors `/admin/rate-limits/*` in
+ * `apps/api/src/server/platform/routes/admin/rate-limits.ts`.
+ *
+ * Auth: service token + scope `platform:ratelimits:write`. Super-admin
+ * sessions also pass through `requireScopes` (their `scopes` are `null`),
+ * but the preferred path is a programmatic step in an Ops runbook.
+ *
+ * Typical use:
+ *
+ *   sylphx admin rate-limits list
+ *   sylphx admin rate-limits set --type public --multiplier 0.05 \
+ *     --reason "credential-enumeration alert"
+ *
+ * dispatches here via `requireAuthEffect` + `withAuthedSdk`. The endpoint
+ * upserts the row + triggers `invalidateAndReload()` on the enforcement
+ * layer so the new value is live within seconds.
+ */
+import { adminRateLimitsEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * List the per-credential-type multipliers currently applied to every
+ * `RateLimitPresets` base limit. Returns one row per credential type from
+ * the closed enumeration (`public`, `secret`, `service`, `session`,
+ * `spiffe`, `unknown`); rows missing in the DB fall back to the live
+ * in-memory cache so the dashboard never sees a hole.
+ */
+export const list = (client) => {
+    const { method, path } = adminRateLimitsEndpoints.listStrategies;
+    return request(client, method, path, {});
+};
+/**
+ * Upsert the multiplier (or exempt flag) for a single credential type.
+ * `reason` is required (≥3 chars) and recorded on the audit log. The
+ * server fires `invalidateAndReload()` immediately after the write so the
+ * new value is live within seconds — no 5-minute wait.
+ */
+export const set = (client, body) => {
+    const { method, path } = adminRateLimitsEndpoints.setStrategy;
+    return request(client, method, path, { body });
+};

package/dist/adminReconcile.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+/**
+ * `@sylphx/management/adminReconcile` — operator reset of `reconcile_status`.
+ *
+ * Mirrors `POST /admin/reconcile/reset` in
+ * `apps/api/src/server/platform/routes/admin/reconcile.ts`. Replaces the
+ * raw `UPDATE … SET reconcile_status = 'pending'` historically run from
+ * psql per `docs/how-to/reconciler-cleanup-semantic.md`.
+ */
+import type { Client } from './client.js';
+export type ReconcileKind = 'service' | 'environment';
+export type ReconcileTarget = 'pending' | 'synced';
+export interface ResetReconcileInput {
+    /** `service` → `environment_services` row; `environment` → `project_environments` row. */
+    readonly kind: ReconcileKind;
+    /** TypeID — `esvc_*` for `service`, `env_*` for `environment`. */
+    readonly id: string;
+    /**
+     * Target `reconcile_status`.
+     *
+     *   - `pending` — re-arm the reconciler (also bumps `generation`).
+     *   - `synced`  — mark complete after out-of-band verification.
+     */
+    readonly to: ReconcileTarget;
+    /** Audit narrative. Min 3 chars. */
+    readonly reason: string;
+}
+export interface ResetReconcileResult {
+    readonly kind: ReconcileKind;
+    /** TypeID. */
+    readonly id: string;
+    /** `reconcile_status` value the row carried just before the UPDATE landed. */
+    readonly previousStatus: string;
+    /** Final `reconcile_status` (matches `to`). */
+    readonly newStatus: ReconcileTarget;
+    /** `true` iff the endpoint additionally incremented `generation`. */
+    readonly generationBumped: boolean;
+}
+/**
+ * Reset reconcile_status on a service or environment row. Refuses
+ * `terminating`/`terminated` source states (use force-delete via OPS-3
+ * instead) and refuses illegal transitions per the route file's
+ * transition table.
+ */
+export declare const reset: (client: Client, input: ResetReconcileInput) => Promise<ResetReconcileResult>;
+//# sourceMappingURL=adminReconcile.d.ts.map

package/dist/adminReconcile.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"adminReconcile.d.ts","sourceRoot":"","sources":["../src/adminReconcile.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,aAAa,CAAA;AACrD,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,QAAQ,CAAA;AAElD,MAAM,WAAW,mBAAmB;IACnC,0FAA0F;IAC1F,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAA;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAA;IAC5B,oCAAoC;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,oBAAoB;IACpC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAA;IAC5B,cAAc;IACd,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,8EAA8E;IAC9E,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,+CAA+C;IAC/C,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAA;IACnC,qEAAqE;IACrE,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAA;CAClC;AAED;;;;;GAKG;AACH,eAAO,MAAM,KAAK,GACjB,QAAQ,MAAM,EACd,OAAO,mBAAmB,KACxB,OAAO,CAAC,oBAAoB,CAG9B,CAAA"}

package/dist/adminReconcile.js ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * `@sylphx/management/adminReconcile` — operator reset of `reconcile_status`.
+ *
+ * Mirrors `POST /admin/reconcile/reset` in
+ * `apps/api/src/server/platform/routes/admin/reconcile.ts`. Replaces the
+ * raw `UPDATE … SET reconcile_status = 'pending'` historically run from
+ * psql per `docs/how-to/reconciler-cleanup-semantic.md`.
+ */
+import { adminReconcileEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * Reset reconcile_status on a service or environment row. Refuses
+ * `terminating`/`terminated` source states (use force-delete via OPS-3
+ * instead) and refuses illegal transitions per the route file's
+ * transition table.
+ */
+export const reset = (client, input) => {
+    const { method, path } = adminReconcileEndpoints.reset;
+    return request(client, method, path, { body: input });
+};

package/dist/adminResources.d.ts ADDED Viewed

@@ -0,0 +1,97 @@
+/**
+ * `@sylphx/management/adminResources` — operator recovery for stuck resources.
+ *
+ * Mirrors `DELETE /admin/resources/:id` in
+ * `apps/api/src/server/platform/routes/admin/resources.ts`. Replaces the
+ * raw `DELETE FROM managed_resources WHERE id=...` historically run from
+ * psql per `docs/how-to/teardown-failure.md`.
+ *
+ * Typical use: an on-call engineer mints a service token scoped to
+ * `platform:resources:forcedelete`, points the CLI
+ * (`sylphx admin resources force-delete <id>`) at the cluster, and the
+ * CLI calls `forceDelete()` here. CI / cron / dashboards call this SDK
+ * directly.
+ */
+import type { Client } from './client.js';
+export interface ForceDeleteResourceInput {
+    /**
+     * Required. Goes verbatim into the audit row. Min 3 chars.
+     */
+    readonly reason: string;
+    /**
+     * When `true`, also tears down polymorphic dependents
+     * (`project_resource_bindings` rows; the FK-cascading
+     * `project_platform_resources` row is removed automatically and
+     * counted in `dependentsDeleted`). Default `false`.
+     */
+    readonly cascade?: boolean;
+    /**
+     * Escape hatch for rows whose `reconcile_status` is NOT `terminating`.
+     * Default `false`. The endpoint refuses the row otherwise — the
+     * reconciler should drive normal teardown; only rows already in
+     * `terminating` are valid candidates.
+     */
+    readonly reallyForce?: boolean;
+}
+export interface ForceDeleteResourceResult {
+    /** TypeID (`res_xxx`). */
+    readonly id: string;
+    /** `reconcile_status` value the row carried just before the DELETE landed. */
+    readonly previousStatus: string;
+    /** Echo of the request flag. */
+    readonly cascade: boolean;
+    /** Echo of the request flag. */
+    readonly reallyForce: boolean;
+    /** Count of polymorphic dependents removed (always 0 when cascade=false). */
+    readonly dependentsDeleted: number;
+}
+/**
+ * Force-delete a stuck `managed_resources` row. Refuses the call when
+ * `reconcile_status !== 'terminating'` unless `reallyForce=true`. Returns
+ * 404 when the row does not exist; 409 on the wrong-status path.
+ */
+export declare const forceDelete: (client: Client, id: string, input: ForceDeleteResourceInput) => Promise<ForceDeleteResourceResult>;
+export interface ResealResourcesInput {
+    /**
+     * The active KEK ID the operator believes the platform is serving with.
+     * The endpoint refuses with 409 if the live ring's `activeKeyId` does
+     * not match — protecting against split-brain rotations where two
+     * operators race.
+     */
+    readonly keyId: string;
+    /**
+     * Reserved for future per-row scoping. Today the registry walks all
+     * rows under retired keys; the filter is logged as ignored.
+     */
+    readonly filter?: {
+        readonly projectId?: string;
+        readonly envId?: string;
+    };
+}
+export interface ResealResourcesFieldResult {
+    readonly fieldName: string;
+    readonly rowsSeen: number;
+    readonly rowsRotated: number;
+    readonly rowsFailed: number;
+    readonly failures: ReadonlyArray<{
+        readonly id: string;
+        readonly reason: string;
+    }>;
+}
+export interface ResealResourcesResult {
+    /** The active KEK id the server is serving with (echo of input on success). */
+    readonly activeKeyId: string;
+    /** Total rows rewritten across all fields. */
+    readonly totalRotated: number;
+    /** Total rows that failed to rotate (per-row failures, not pass-level). */
+    readonly totalFailed: number;
+    /** Per-field rotation breakdown. Mirrors `RotationFieldResult`. */
+    readonly fields: ReadonlyArray<ResealResourcesFieldResult>;
+}
+/**
+ * Walk the canonical rotation registry and re-encrypt every row whose
+ * envelope is not under the active KEK. Idempotent: re-running after
+ * convergence rewrites zero rows. Returns 409 on `keyId` mismatch.
+ */
+export declare const reseal: (client: Client, input: ResealResourcesInput) => Promise<ResealResourcesResult>;
+//# sourceMappingURL=adminResources.d.ts.map

package/dist/adminResources.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"adminResources.d.ts","sourceRoot":"","sources":["../src/adminResources.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,MAAM,WAAW,wBAAwB;IACxC;;OAEG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB;;;;;OAKG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAA;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAA;CAC9B;AAED,MAAM,WAAW,yBAAyB;IACzC,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,8EAA8E;IAC9E,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,gCAAgC;IAChC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAA;IACzB,gCAAgC;IAChC,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAA;IAC7B,6EAA6E;IAC7E,QAAQ,CAAC,iBAAiB,EAAE,MAAM,CAAA;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,WAAW,GACvB,QAAQ,MAAM,EACd,IAAI,MAAM,EACV,OAAO,wBAAwB,KAC7B,OAAO,CAAC,yBAAyB,CAOnC,CAAA;AAID,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB;;;OAGG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE;QACjB,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAA;QAC3B,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KACvB,CAAA;CACD;AAED,MAAM,WAAW,0BAA0B;IAC1C,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC;QAChC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;QACnB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;KACvB,CAAC,CAAA;CACF;AAED,MAAM,WAAW,qBAAqB;IACrC,+EAA+E;IAC/E,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,8CAA8C;IAC9C,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,2EAA2E;IAC3E,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,mEAAmE;IACnE,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,0BAA0B,CAAC,CAAA;CAC1D;AAED;;;;GAIG;AACH,eAAO,MAAM,MAAM,GAClB,QAAQ,MAAM,EACd,OAAO,oBAAoB,KACzB,OAAO,CAAC,qBAAqB,CAG/B,CAAA"}