@sylphx/management 0.1.0 → 0.2.1

package/dist/admin.js

@@ -0,0 +1,123 @@
+/**
+ * Platform-admin (superuser) surface — quotas, audit logs, invitations,
+ * JWT key rotation, plan governance. Consumed by the internal Console
+ * "Admin" sections; ordinary operators do not call these.
+ *
+ * Mirrors `apps/api/src/server/platform/routes/admin/**`. Paths are
+ * sourced from `@sylphx/contract` admin-* endpoint modules.
+ */
+import { adminAuditEndpoints, adminInvitationsEndpoints, adminJwtKeysEndpoints, adminProjectsEndpoints, adminQuotasEndpoints, adminUsersEndpoints, } from '@sylphx/contract';
+import { interpolatePath, request } from './http.js';
+export const getProjectQuotas = (client, projectId) => {
+    const { method, path } = adminQuotasEndpoints.getProjectQuotas;
+    return request(client, method, interpolatePath(path, { projectId }));
+};
+export const getQuotaStats = (client, projectId) => {
+    const { method, path } = adminQuotasEndpoints.getQuotaStats;
+    return request(client, method, interpolatePath(path, { projectId }));
+};
+export const getQuotaAlerts = (client, projectId) => {
+    const { method, path } = adminQuotasEndpoints.getQuotaAlerts;
+    return request(client, method, interpolatePath(path, { projectId }));
+};
+export const updateProjectQuotas = (client, projectId, body) => {
+    const { method, path } = adminQuotasEndpoints.updateQuota;
+    return request(client, method, interpolatePath(path, { projectId }), { body });
+};
+export const acknowledgeQuotaAlert = (client, alertId) => {
+    const { method, path } = adminQuotasEndpoints.acknowledgeAlert;
+    return request(client, method, interpolatePath(path, { alertId }));
+};
+export const getAuditLogs = (client, query) => {
+    const { method, path } = adminAuditEndpoints.logs;
+    return request(client, method, path, query ? { query } : {});
+};
+export const getAuditActivity = (client) => {
+    const { method, path } = adminAuditEndpoints.activity;
+    return request(client, method, path);
+};
+export const listInvitations = (client) => {
+    const { method, path } = adminInvitationsEndpoints.list;
+    return request(client, method, path);
+};
+export const createInvitation = (client, body) => {
+    const { method, path } = adminInvitationsEndpoints.create;
+    return request(client, method, path, { body });
+};
+export const revokeInvitation = (client, id) => {
+    const { method, path } = adminInvitationsEndpoints.revoke;
+    return request(client, method, interpolatePath(path, { id }));
+};
+export const resendInvitation = (client, id) => {
+    const { method, path } = adminInvitationsEndpoints.resend;
+    return request(client, method, interpolatePath(path, { id }));
+};
+export const listJwtKeys = (client) => {
+    const { method, path } = adminJwtKeysEndpoints.list;
+    return request(client, method, path);
+};
+export const rotateJwtKeys = (client) => {
+    const { method, path } = adminJwtKeysEndpoints.rotate;
+    return request(client, method, path);
+};
+export const retireJwtKey = (client, keyId) => {
+    const { method, path } = adminJwtKeysEndpoints.forceRetire;
+    return request(client, method, interpolatePath(path, { keyId }));
+};
+// ─── Admin project migration (multi-region) ────────────────────────────────
+/**
+ * Trigger a project migration between regions. Phase 4b Matrix-2 gap.
+ * Underlying endpoint on the platform API is
+ * `POST /operator/projects/:id/migrate` — the SDK wraps it directly rather
+ * than going through `adminProjectsEndpoints` because migration is its
+ * own operational concern (drain → cut-over → warm-up).
+ */
+export const migrateProject = (client, projectId, body) => request(client, 'POST', `/operator/projects/${encodeURIComponent(projectId)}/migrate`, { body });
+/**
+ * Regenerate an environment's deploy / API key. Already exposed on
+ * `adminProjectsEndpoints.regenerateKey`; surfaced here under the `admin`
+ * namespace so Console wiring is one-stop.
+ */
+export const regenerateEnvironmentKey = (client, environmentId) => {
+    const { method, path } = adminProjectsEndpoints.regenerateSecretKey;
+    return request(client, method, interpolatePath(path, { environmentId }));
+};
+export const listUsers = (client) => {
+    const { method, path } = adminUsersEndpoints.search;
+    return request(client, method, path);
+};
+export const getUser = (client, userId) => {
+    const { method, path } = adminUsersEndpoints.get;
+    return request(client, method, interpolatePath(path, { userId }));
+};
+export const updateUserRole = (client, userId, body) => {
+    const { method, path } = adminUsersEndpoints.updateRole;
+    return request(client, method, interpolatePath(path, { userId }), { body });
+};
+/**
+ * L-15 (2026-05-02): manually verify a user's email. Super-admin only on the
+ * platform tenant. The Management API endpoint exists at
+ * `POST /admin/users/users/:userId/verify-email`; the SDK helper was the
+ * missing piece blocking operators from validating the new-user E2E flow
+ * without (a) a real email inbox or (b) a forbidden direct DB UPDATE.
+ */
+export const verifyUserEmail = (client, userId) => {
+    const { method, path } = adminUsersEndpoints.verifyEmail;
+    return request(client, method, interpolatePath(path, { userId }));
+};
+/**
+ * L-15 (2026-05-02): soft-delete a platform user. Super-admin only;
+ * cannot delete oneself. Existing sessions are revoked first.
+ */
+export const deleteUser = (client, userId) => {
+    const { method, path } = adminUsersEndpoints.delete;
+    return request(client, method, interpolatePath(path, { userId }));
+};
+/**
+ * L-15 (2026-05-02): revoke ALL sessions for a user (force re-login).
+ * Super-admin only.
+ */
+export const revokeUserSessions = (client, userId) => {
+    const { method, path } = adminUsersEndpoints.revokeSessions;
+    return request(client, method, interpolatePath(path, { userId }));
+};

package/dist/adminBootstrap.d.ts

@@ -0,0 +1,46 @@
+/**
+ * `@sylphx/management/adminBootstrap` — reset the Appwrite-pattern bootstrap window.
+ *
+ * Mirrors `POST /admin/reset-bootstrap-window` in
+ * `apps/api/src/server/platform/routes/admin/bootstrap.ts` (ADR-089 §2.7
+ * Phase 7 Commit B).
+ *
+ * Auth: **platform super-admin session** (cookie). Deliberately NOT a
+ * service-token surface — see the route file's header for rationale.
+ *
+ * Typical use:
+ *
+ *   sylphx admin reset-bootstrap-window
+ *
+ * dispatches here via `requireAuthEffect` + `withAuthedSdk`. Once this
+ * call returns, the operator has ~10 minutes to point the new admin at
+ * `POST /v1/auth/bootstrap-signup` with the `X-Sylphx-Project-Id: platform`
+ * header; after that the window closes itself and the endpoint 404s.
+ */
+import type { Client } from './client.js';
+/**
+ * Confirmation returned by {@link resetWindow}.
+ *
+ * `ttlSeconds` mirrors `BOOTSTRAP_WINDOW_TTL_SECONDS` on the server
+ * (`packages/core/src/lib/bootstrap-window.ts`). Carried on the wire so
+ * CLI output can show an accurate countdown without hard-coding the
+ * value client-side.
+ */
+export interface ResetBootstrapWindowResult {
+    /** Always `true` when the endpoint returns 200. */
+    readonly opened: boolean;
+    /** Seconds until the window closes again. */
+    readonly ttlSeconds: number;
+    /** Operator-facing next-step instruction. */
+    readonly message: string;
+}
+/**
+ * Re-open the bootstrap window for 10 minutes.
+ *
+ * Authenticates as the caller's platform super-admin session. The
+ * server emits an `admin_action` audit event + a
+ * `sylphx_bootstrap_window_reset_total` metric tick for every
+ * invocation, so this call is never silent.
+ */
+export declare const resetWindow: (client: Client) => Promise<ResetBootstrapWindowResult>;
+//# sourceMappingURL=adminBootstrap.d.ts.map

package/dist/adminBootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adminBootstrap.d.ts","sourceRoot":"","sources":["../src/adminBootstrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC;;;;;;;GAOG;AACH,MAAM,WAAW,0BAA0B;IAC1C,mDAAmD;IACnD,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;IACxB,6CAA6C;IAC7C,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,6CAA6C;IAC7C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CACxB;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,WAAW,GAAI,QAAQ,MAAM,KAAG,OAAO,CAAC,0BAA0B,CAG9E,CAAA"}

package/dist/adminBootstrap.js

@@ -0,0 +1,33 @@
+/**
+ * `@sylphx/management/adminBootstrap` — reset the Appwrite-pattern bootstrap window.
+ *
+ * Mirrors `POST /admin/reset-bootstrap-window` in
+ * `apps/api/src/server/platform/routes/admin/bootstrap.ts` (ADR-089 §2.7
+ * Phase 7 Commit B).
+ *
+ * Auth: **platform super-admin session** (cookie). Deliberately NOT a
+ * service-token surface — see the route file's header for rationale.
+ *
+ * Typical use:
+ *
+ *   sylphx admin reset-bootstrap-window
+ *
+ * dispatches here via `requireAuthEffect` + `withAuthedSdk`. Once this
+ * call returns, the operator has ~10 minutes to point the new admin at
+ * `POST /v1/auth/bootstrap-signup` with the `X-Sylphx-Project-Id: platform`
+ * header; after that the window closes itself and the endpoint 404s.
+ */
+import { adminBootstrapEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * Re-open the bootstrap window for 10 minutes.
+ *
+ * Authenticates as the caller's platform super-admin session. The
+ * server emits an `admin_action` audit event + a
+ * `sylphx_bootstrap_window_reset_total` metric tick for every
+ * invocation, so this call is never silent.
+ */
+export const resetWindow = (client) => {
+    const { method, path } = adminBootstrapEndpoints.resetWindow;
+    return request(client, method, path, { body: {} });
+};

package/dist/adminBuilds.d.ts

@@ -0,0 +1,72 @@
+/**
+ * `@sylphx/management/adminBuilds` — operator recovery for stuck builds.
+ *
+ * Mirrors `POST /admin/builds/reap` in
+ * `apps/api/src/server/platform/routes/admin/builds.ts`. Replaces the raw
+ * `UPDATE build_records SET status='failed' …` historically run from psql
+ * per `docs/runbooks/build-records-stuck-in-building.md`.
+ *
+ * Typical use: an on-call engineer mints a service token scoped to
+ * `platform:builds:reap`, points the CLI (`sylphx admin builds reap`) at
+ * the cluster, and the CLI calls `reap()` here. CI / cron / dashboards
+ * call this SDK directly.
+ *
+ * The API does NOT touch `build_records` rows whose `started_at IS NULL`
+ * (a different failure mode — queue starvation).
+ */
+import type { Client } from './client.js';
+export interface ReapBuildsInput {
+    /**
+     * Window grammar `^[0-9]+(s|m|h|d)$`. Examples: `30m`, `2h`, `1d`. Rows
+     * whose `started_at < NOW() - olderThan` are in the candidate set.
+     */
+    readonly olderThan: string;
+    /**
+     * When true, returns the candidate set without mutating anything.
+     * `reason` becomes optional in this mode.
+     */
+    readonly dryRun?: boolean;
+    /**
+     * Required on the write path (min 3 chars). Goes verbatim into the
+     * audit row + into each reaped row's `failure_reason` column (prefixed
+     * `admin reap: `). Surfaced to the affected customer in Console.
+     */
+    readonly reason?: string;
+    /**
+     * OPS-7 fold-in. When provided, restricts the candidate set to rows
+     * whose `image_digest = <digest>` AND additionally NULLs the column on
+     * each reaped row. Format: `sha256:<64hex>`.
+     */
+    readonly imageDigest?: string;
+}
+export interface ReapBuildsRecord {
+    /** TypeID (`bld_xxx`). */
+    readonly id: string;
+    /** TypeID (`proj_xxx`). */
+    readonly projectId: string;
+    /** TypeID (`env_xxx`). */
+    readonly envId: string;
+    /** ISO-8601. */
+    readonly startedAt: string;
+    /** Wall-clock age at reap time. Floored to whole seconds. */
+    readonly ageSeconds: number;
+}
+export interface ReapBuildsResult {
+    /** Echo of the request flag. */
+    readonly dryRun: boolean;
+    /** Rows transitioned (`0` on dry-run). */
+    readonly reaped: number;
+    /** Rows whose stale `image_digest` was additionally cleared. */
+    readonly digestCleared: number;
+    /** Up to 1000 rows from the candidate set / write set. */
+    readonly records: ReadonlyArray<ReapBuildsRecord>;
+}
+/**
+ * Reap stuck `build_records` rows older than `input.olderThan`. Single
+ * UPDATE statement on the write path; SELECT only on `dryRun=true`.
+ *
+ * Idempotent: re-running with the same window flips zero rows because the
+ * first call already moved them out of `'building'`.
+ */
+export declare const reap: (client: Client, input: ReapBuildsInput) => Promise<ReapBuildsResult>;
+//# sourceMappingURL=adminBuilds.d.ts.map

package/dist/adminBuilds.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adminBuilds.d.ts","sourceRoot":"","sources":["../src/adminBuilds.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,MAAM,WAAW,eAAe;IAC/B;;;OAGG;IACH,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B;;;OAGG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAA;IACzB;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IACxB;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;CAC7B;AAED,MAAM,WAAW,gBAAgB;IAChC,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,2BAA2B;IAC3B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,0BAA0B;IAC1B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,gBAAgB;IAChB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,6DAA6D;IAC7D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAC3B;AAED,MAAM,WAAW,gBAAgB;IAChC,gCAAgC;IAChC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;IACxB,0CAA0C;IAC1C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,gEAAgE;IAChE,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAA;IAC9B,0DAA0D;IAC1D,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAA;CACjD;AAED;;;;;;GAMG;AACH,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,EAAE,OAAO,eAAe,KAAG,OAAO,CAAC,gBAAgB,CAGrF,CAAA"}

package/dist/adminBuilds.js

@@ -0,0 +1,29 @@
+/**
+ * `@sylphx/management/adminBuilds` — operator recovery for stuck builds.
+ *
+ * Mirrors `POST /admin/builds/reap` in
+ * `apps/api/src/server/platform/routes/admin/builds.ts`. Replaces the raw
+ * `UPDATE build_records SET status='failed' …` historically run from psql
+ * per `docs/runbooks/build-records-stuck-in-building.md`.
+ *
+ * Typical use: an on-call engineer mints a service token scoped to
+ * `platform:builds:reap`, points the CLI (`sylphx admin builds reap`) at
+ * the cluster, and the CLI calls `reap()` here. CI / cron / dashboards
+ * call this SDK directly.
+ *
+ * The API does NOT touch `build_records` rows whose `started_at IS NULL`
+ * (a different failure mode — queue starvation).
+ */
+import { adminBuildsEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * Reap stuck `build_records` rows older than `input.olderThan`. Single
+ * UPDATE statement on the write path; SELECT only on `dryRun=true`.
+ *
+ * Idempotent: re-running with the same window flips zero rows because the
+ * first call already moved them out of `'building'`.
+ */
+export const reap = (client, input) => {
+    const { method, path } = adminBuildsEndpoints.reap;
+    return request(client, method, path, { body: input });
+};

package/dist/adminEnvServices.d.ts

@@ -0,0 +1,41 @@
+/**
+ * `@sylphx/management/adminEnvServices` — operator repoint of env-service
+ * desired-image pointers (OPS-4).
+ *
+ * Mirrors `POST /admin/env-services/repoint` in
+ * `apps/api/src/server/platform/routes/admin/env-services.ts`. Replaces
+ * the raw `UPDATE environment_services …` historically run from psql
+ * per `docs/how-to/customer-image-gc-outreach.md`.
+ */
+import type { Client } from './client.js';
+export interface RepointEnvServiceInput {
+    /** TypeID (`env_*`) of the target environment. */
+    readonly envId: string;
+    /** Service name within the project (`project_services.name`). */
+    readonly service: string;
+    /** Image digest to repoint to. Format: `sha256:<64hex>`. */
+    readonly digest: string;
+    /** Audit narrative. Min 3 chars. */
+    readonly reason: string;
+}
+export interface RepointEnvServiceResult {
+    /** TypeID (`esvc_*`) of the env_service that was re-pointed. */
+    readonly envServiceId: string;
+    /** Image digest the env_service was previously pointing to (null on first repoint). */
+    readonly previousDigest: string | null;
+    /** Echo of the request `digest`. */
+    readonly newDigest: string;
+    /** TypeID (`dpl_*`) of the deployments row that carries the new pointer. */
+    readonly deploymentId: string;
+    /** `true` iff an existing deployments row was reused instead of inserted. */
+    readonly reused: boolean;
+}
+/**
+ * Repoint an env_service to a specific image digest. The artifact MUST
+ * already exist for `(serviceId, digest)`; the endpoint never mints
+ * artifacts. Returns 404 on any of: env not found, service name not in
+ * project, env_service not attached, artifact missing. Returns 409 if
+ * the env_service is in a terminal lifecycle state.
+ */
+export declare const repoint: (client: Client, input: RepointEnvServiceInput) => Promise<RepointEnvServiceResult>;
+//# sourceMappingURL=adminEnvServices.d.ts.map

package/dist/adminEnvServices.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adminEnvServices.d.ts","sourceRoot":"","sources":["../src/adminEnvServices.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,MAAM,WAAW,sBAAsB;IACtC,kDAAkD;IAClD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAA;IACtB,iEAAiE;IACjE,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,4DAA4D;IAC5D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,oCAAoC;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,uBAAuB;IACvC,gEAAgE;IAChE,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,uFAAuF;IACvF,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAA;IACtC,oCAAoC;IACpC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,4EAA4E;IAC5E,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,6EAA6E;IAC7E,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;CACxB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,OAAO,GACnB,QAAQ,MAAM,EACd,OAAO,sBAAsB,KAC3B,OAAO,CAAC,uBAAuB,CAGjC,CAAA"}

package/dist/adminEnvServices.js

@@ -0,0 +1,22 @@
+/**
+ * `@sylphx/management/adminEnvServices` — operator repoint of env-service
+ * desired-image pointers (OPS-4).
+ *
+ * Mirrors `POST /admin/env-services/repoint` in
+ * `apps/api/src/server/platform/routes/admin/env-services.ts`. Replaces
+ * the raw `UPDATE environment_services …` historically run from psql
+ * per `docs/how-to/customer-image-gc-outreach.md`.
+ */
+import { adminEnvServicesEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * Repoint an env_service to a specific image digest. The artifact MUST
+ * already exist for `(serviceId, digest)`; the endpoint never mints
+ * artifacts. Returns 404 on any of: env not found, service name not in
+ * project, env_service not attached, artifact missing. Returns 409 if
+ * the env_service is in a terminal lifecycle state.
+ */
+export const repoint = (client, input) => {
+    const { method, path } = adminEnvServicesEndpoints.repoint;
+    return request(client, method, path, { body: input });
+};

package/dist/adminRateLimits.d.ts

@@ -0,0 +1,61 @@
+/**
+ * `@sylphx/management/adminRateLimits` — operator-driven tuning of
+ * per-credential-type rate-limit multipliers (Production-Ready audit M-3).
+ *
+ * Mirrors `/admin/rate-limits/*` in
+ * `apps/api/src/server/platform/routes/admin/rate-limits.ts`.
+ *
+ * Auth: service token + scope `platform:ratelimits:write`. Super-admin
+ * sessions also pass through `requireScopes` (their `scopes` are `null`),
+ * but the preferred path is a programmatic step in an Ops runbook.
+ *
+ * Typical use:
+ *
+ *   sylphx admin rate-limits list
+ *   sylphx admin rate-limits set --type public --multiplier 0.05 \
+ *     --reason "credential-enumeration alert"
+ *
+ * dispatches here via `requireAuthEffect` + `withAuthedSdk`. The endpoint
+ * upserts the row + triggers `invalidateAndReload()` on the enforcement
+ * layer so the new value is live within seconds.
+ */
+import type { Client } from './client.js';
+/** Credential-type literal — mirrors `AdminRateLimitCredentialType` in the contract. */
+export type AdminRateLimitCredentialType = 'public' | 'secret' | 'service' | 'session' | 'spiffe' | 'unknown';
+export interface AdminRateLimitMultiplierStatus {
+    readonly credentialType: AdminRateLimitCredentialType;
+    readonly multiplier: number;
+    readonly exempt: boolean;
+    readonly notes: string | null;
+    readonly lastUpdatedAt: string | null;
+}
+export interface ListMultipliersResult {
+    readonly multipliers: ReadonlyArray<AdminRateLimitMultiplierStatus>;
+}
+export interface SetMultiplierInput {
+    readonly credentialType: AdminRateLimitCredentialType;
+    readonly multiplier: number;
+    readonly exempt?: boolean;
+    readonly reason: string;
+}
+export interface SetMultiplierResult {
+    readonly updated: AdminRateLimitMultiplierStatus;
+    readonly auditLogId: string | null;
+    readonly message: string;
+}
+/**
+ * List the per-credential-type multipliers currently applied to every
+ * `RateLimitPresets` base limit. Returns one row per credential type from
+ * the closed enumeration (`public`, `secret`, `service`, `session`,
+ * `spiffe`, `unknown`); rows missing in the DB fall back to the live
+ * in-memory cache so the dashboard never sees a hole.
+ */
+export declare const list: (client: Client) => Promise<ListMultipliersResult>;
+/**
+ * Upsert the multiplier (or exempt flag) for a single credential type.
+ * `reason` is required (≥3 chars) and recorded on the audit log. The
+ * server fires `invalidateAndReload()` immediately after the write so the
+ * new value is live within seconds — no 5-minute wait.
+ */
+export declare const set: (client: Client, body: SetMultiplierInput) => Promise<SetMultiplierResult>;
+//# sourceMappingURL=adminRateLimits.d.ts.map

package/dist/adminRateLimits.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adminRateLimits.d.ts","sourceRoot":"","sources":["../src/adminRateLimits.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,wFAAwF;AACxF,MAAM,MAAM,4BAA4B,GACrC,QAAQ,GACR,QAAQ,GACR,SAAS,GACT,SAAS,GACT,QAAQ,GACR,SAAS,CAAA;AAEZ,MAAM,WAAW,8BAA8B;IAC9C,QAAQ,CAAC,cAAc,EAAE,4BAA4B,CAAA;IACrD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAA;IACxB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;CACrC;AAED,MAAM,WAAW,qBAAqB;IACrC,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,8BAA8B,CAAC,CAAA;CACnE;AAED,MAAM,WAAW,kBAAkB;IAClC,QAAQ,CAAC,cAAc,EAAE,4BAA4B,CAAA;IACrD,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAA;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,mBAAmB;IACnC,QAAQ,CAAC,OAAO,EAAE,8BAA8B,CAAA;IAChD,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;IAClC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CACxB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,KAAG,OAAO,CAAC,qBAAqB,CAGlE,CAAA;AAED;;;;;GAKG;AACH,eAAO,MAAM,GAAG,GAAI,QAAQ,MAAM,EAAE,MAAM,kBAAkB,KAAG,OAAO,CAAC,mBAAmB,CAGzF,CAAA"}

package/dist/adminRateLimits.js

@@ -0,0 +1,44 @@
+/**
+ * `@sylphx/management/adminRateLimits` — operator-driven tuning of
+ * per-credential-type rate-limit multipliers (Production-Ready audit M-3).
+ *
+ * Mirrors `/admin/rate-limits/*` in
+ * `apps/api/src/server/platform/routes/admin/rate-limits.ts`.
+ *
+ * Auth: service token + scope `platform:ratelimits:write`. Super-admin
+ * sessions also pass through `requireScopes` (their `scopes` are `null`),
+ * but the preferred path is a programmatic step in an Ops runbook.
+ *
+ * Typical use:
+ *
+ *   sylphx admin rate-limits list
+ *   sylphx admin rate-limits set --type public --multiplier 0.05 \
+ *     --reason "credential-enumeration alert"
+ *
+ * dispatches here via `requireAuthEffect` + `withAuthedSdk`. The endpoint
+ * upserts the row + triggers `invalidateAndReload()` on the enforcement
+ * layer so the new value is live within seconds.
+ */
+import { adminRateLimitsEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * List the per-credential-type multipliers currently applied to every
+ * `RateLimitPresets` base limit. Returns one row per credential type from
+ * the closed enumeration (`public`, `secret`, `service`, `session`,
+ * `spiffe`, `unknown`); rows missing in the DB fall back to the live
+ * in-memory cache so the dashboard never sees a hole.
+ */
+export const list = (client) => {
+    const { method, path } = adminRateLimitsEndpoints.listStrategies;
+    return request(client, method, path, {});
+};
+/**
+ * Upsert the multiplier (or exempt flag) for a single credential type.
+ * `reason` is required (≥3 chars) and recorded on the audit log. The
+ * server fires `invalidateAndReload()` immediately after the write so the
+ * new value is live within seconds — no 5-minute wait.
+ */
+export const set = (client, body) => {
+    const { method, path } = adminRateLimitsEndpoints.setStrategy;
+    return request(client, method, path, { body });
+};

package/dist/adminReconcile.d.ts

@@ -0,0 +1,45 @@
+/**
+ * `@sylphx/management/adminReconcile` — operator reset of `reconcile_status`.
+ *
+ * Mirrors `POST /admin/reconcile/reset` in
+ * `apps/api/src/server/platform/routes/admin/reconcile.ts`. Replaces the
+ * raw `UPDATE … SET reconcile_status = 'pending'` historically run from
+ * psql per `docs/how-to/reconciler-cleanup-semantic.md`.
+ */
+import type { Client } from './client.js';
+export type ReconcileKind = 'service' | 'environment';
+export type ReconcileTarget = 'pending' | 'synced';
+export interface ResetReconcileInput {
+    /** `service` → `environment_services` row; `environment` → `project_environments` row. */
+    readonly kind: ReconcileKind;
+    /** TypeID — `esvc_*` for `service`, `env_*` for `environment`. */
+    readonly id: string;
+    /**
+     * Target `reconcile_status`.
+     *
+     *   - `pending` — re-arm the reconciler (also bumps `generation`).
+     *   - `synced`  — mark complete after out-of-band verification.
+     */
+    readonly to: ReconcileTarget;
+    /** Audit narrative. Min 3 chars. */
+    readonly reason: string;
+}
+export interface ResetReconcileResult {
+    readonly kind: ReconcileKind;
+    /** TypeID. */
+    readonly id: string;
+    /** `reconcile_status` value the row carried just before the UPDATE landed. */
+    readonly previousStatus: string;
+    /** Final `reconcile_status` (matches `to`). */
+    readonly newStatus: ReconcileTarget;
+    /** `true` iff the endpoint additionally incremented `generation`. */
+    readonly generationBumped: boolean;
+}
+/**
+ * Reset reconcile_status on a service or environment row. Refuses
+ * `terminating`/`terminated` source states (use force-delete via OPS-3
+ * instead) and refuses illegal transitions per the route file's
+ * transition table.
+ */
+export declare const reset: (client: Client, input: ResetReconcileInput) => Promise<ResetReconcileResult>;
+//# sourceMappingURL=adminReconcile.d.ts.map

package/dist/adminReconcile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adminReconcile.d.ts","sourceRoot":"","sources":["../src/adminReconcile.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGzC,MAAM,MAAM,aAAa,GAAG,SAAS,GAAG,aAAa,CAAA;AACrD,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,QAAQ,CAAA;AAElD,MAAM,WAAW,mBAAmB;IACnC,0FAA0F;IAC1F,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAA;IAC5B,kEAAkE;IAClE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB;;;;;OAKG;IACH,QAAQ,CAAC,EAAE,EAAE,eAAe,CAAA;IAC5B,oCAAoC;IACpC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CACvB;AAED,MAAM,WAAW,oBAAoB;IACpC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAA;IAC5B,cAAc;IACd,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,8EAA8E;IAC9E,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,+CAA+C;IAC/C,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAA;IACnC,qEAAqE;IACrE,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAA;CAClC;AAED;;;;;GAKG;AACH,eAAO,MAAM,KAAK,GACjB,QAAQ,MAAM,EACd,OAAO,mBAAmB,KACxB,OAAO,CAAC,oBAAoB,CAG9B,CAAA"}

package/dist/adminReconcile.js

@@ -0,0 +1,20 @@
+/**
+ * `@sylphx/management/adminReconcile` — operator reset of `reconcile_status`.
+ *
+ * Mirrors `POST /admin/reconcile/reset` in
+ * `apps/api/src/server/platform/routes/admin/reconcile.ts`. Replaces the
+ * raw `UPDATE … SET reconcile_status = 'pending'` historically run from
+ * psql per `docs/how-to/reconciler-cleanup-semantic.md`.
+ */
+import { adminReconcileEndpoints } from '@sylphx/contract';
+import { request } from './http.js';
+/**
+ * Reset reconcile_status on a service or environment row. Refuses
+ * `terminating`/`terminated` source states (use force-delete via OPS-3
+ * instead) and refuses illegal transitions per the route file's
+ * transition table.
+ */
+export const reset = (client, input) => {
+    const { method, path } = adminReconcileEndpoints.reset;
+    return request(client, method, path, { body: input });
+};

package/dist/adminResources.d.ts

@@ -0,0 +1,97 @@
+/**
+ * `@sylphx/management/adminResources` — operator recovery for stuck resources.
+ *
+ * Mirrors `DELETE /admin/resources/:id` in
+ * `apps/api/src/server/platform/routes/admin/resources.ts`. Replaces the
+ * raw `DELETE FROM managed_resources WHERE id=...` historically run from
+ * psql per `docs/how-to/teardown-failure.md`.
+ *
+ * Typical use: an on-call engineer mints a service token scoped to
+ * `platform:resources:forcedelete`, points the CLI
+ * (`sylphx admin resources force-delete <id>`) at the cluster, and the
+ * CLI calls `forceDelete()` here. CI / cron / dashboards call this SDK
+ * directly.
+ */
+import type { Client } from './client.js';
+export interface ForceDeleteResourceInput {
+    /**
+     * Required. Goes verbatim into the audit row. Min 3 chars.
+     */
+    readonly reason: string;
+    /**
+     * When `true`, also tears down polymorphic dependents
+     * (`project_resource_bindings` rows; the FK-cascading
+     * `project_platform_resources` row is removed automatically and
+     * counted in `dependentsDeleted`). Default `false`.
+     */
+    readonly cascade?: boolean;
+    /**
+     * Escape hatch for rows whose `reconcile_status` is NOT `terminating`.
+     * Default `false`. The endpoint refuses the row otherwise — the
+     * reconciler should drive normal teardown; only rows already in
+     * `terminating` are valid candidates.
+     */
+    readonly reallyForce?: boolean;
+}
+export interface ForceDeleteResourceResult {
+    /** TypeID (`res_xxx`). */
+    readonly id: string;
+    /** `reconcile_status` value the row carried just before the DELETE landed. */
+    readonly previousStatus: string;
+    /** Echo of the request flag. */
+    readonly cascade: boolean;
+    /** Echo of the request flag. */
+    readonly reallyForce: boolean;
+    /** Count of polymorphic dependents removed (always 0 when cascade=false). */
+    readonly dependentsDeleted: number;
+}
+/**
+ * Force-delete a stuck `managed_resources` row. Refuses the call when
+ * `reconcile_status !== 'terminating'` unless `reallyForce=true`. Returns
+ * 404 when the row does not exist; 409 on the wrong-status path.
+ */
+export declare const forceDelete: (client: Client, id: string, input: ForceDeleteResourceInput) => Promise<ForceDeleteResourceResult>;
+export interface ResealResourcesInput {
+    /**
+     * The active KEK ID the operator believes the platform is serving with.
+     * The endpoint refuses with 409 if the live ring's `activeKeyId` does
+     * not match — protecting against split-brain rotations where two
+     * operators race.
+     */
+    readonly keyId: string;
+    /**
+     * Reserved for future per-row scoping. Today the registry walks all
+     * rows under retired keys; the filter is logged as ignored.
+     */
+    readonly filter?: {
+        readonly projectId?: string;
+        readonly envId?: string;
+    };
+}
+export interface ResealResourcesFieldResult {
+    readonly fieldName: string;
+    readonly rowsSeen: number;
+    readonly rowsRotated: number;
+    readonly rowsFailed: number;
+    readonly failures: ReadonlyArray<{
+        readonly id: string;
+        readonly reason: string;
+    }>;
+}
+export interface ResealResourcesResult {
+    /** The active KEK id the server is serving with (echo of input on success). */
+    readonly activeKeyId: string;
+    /** Total rows rewritten across all fields. */
+    readonly totalRotated: number;
+    /** Total rows that failed to rotate (per-row failures, not pass-level). */
+    readonly totalFailed: number;
+    /** Per-field rotation breakdown. Mirrors `RotationFieldResult`. */
+    readonly fields: ReadonlyArray<ResealResourcesFieldResult>;
+}
+/**
+ * Walk the canonical rotation registry and re-encrypt every row whose
+ * envelope is not under the active KEK. Idempotent: re-running after
+ * convergence rewrites zero rows. Returns 409 on `keyId` mismatch.
+ */
+export declare const reseal: (client: Client, input: ResealResourcesInput) => Promise<ResealResourcesResult>;
+//# sourceMappingURL=adminResources.d.ts.map