@sylphx/sdk 0.10.7 → 0.11.1

package/dist/index.d.ts

@@ -1,4 +1,5 @@
-import { SdkBillingPlan, SdkBillingSubscription, BillingCheckoutRequest, BillingCheckoutResponse, BillingPortalRequest, BillingPortalResponse, BillingBalanceResponse, BillingUsageResponse, SdkConsentType, UserConsent as UserConsent$1, AIModel as AIModel$1, GetModelsResponse, GetRateLimitResponse, GetUsageResponse, ReferralLeaderboardEntry, ReferralRewardDefaults as ReferralRewardDefaults$1, WebhookDelivery as WebhookDelivery$1, DeviceApproveRequest, DeviceApproveResponse, DeviceDenyRequest, DeviceDenyResponse, DeviceInitResponse, DeviceInitRequest, DevicePollResponse, LoginRequest as LoginRequest$1, LoginResponse as LoginResponse$1, UserFullProfile as UserFullProfile$1, LogoutInput, PlatformPasswordChangeRequest, PlatformPasswordChangeResponse, PlatformPasswordSetRequest, PlatformPasswordSetResponse, PlatformPasswordStatusResponse, RefreshTokenInput, RefreshTokenResult, PlatformSessionRenameRequest, PlatformSessionRenameResponse, PlatformSessionRevokeAllResponse, PlatformSessionRevokeRequest, PlatformSessionRevokeOtherResponse, PlatformSessionRevokeResponse, PlatformSessionsListResponse, AuthUserDeleteRequest, AuthUserDeleteResponse, AuthUserExportResponse, RegisterRequest as RegisterRequest$1, RegisterResponse as RegisterResponse$1, ResendEmailVerificationRequest as ResendEmailVerificationRequest$1, ResendEmailVerificationResponse as ResendEmailVerificationResponse$1, AuthTokensResponse, TwoFactorVerifyRequest as TwoFactorVerifyRequest$1, OAuthIntrospectResponse, PlatformAuditQueryRequest, PlatformAuditQueryResponse, PlatformRateLimitStatusRequest, PlatformRateLimitStatusResponse, PlatformRateLimitStrategiesListRequest, PlatformRateLimitStrategiesListResponse, PlatformRateLimitStrategyDeleteRequest, PlatformRateLimitStrategyDeleteResponse, PlatformRateLimitStrategyUpsertRequest, PlatformRateLimitStrategyUpsertResponse, File as File$1, UploadId, FileId, TakedownFileRequest, TakedownFileResult, FileVersion, FileVersionId, CreateOrgInput as CreateOrgInput$1, InviteMemberInput as InviteMemberInput$1, OrgSdkRole, OrgInvitation, OrgMember, MembershipInfo, Organization, UpdateOrgInput as UpdateOrgInput$1, UserOrganizationMembership, UserOrganizationsResponse } from '@sylphx/contract';
+export { DEFAULT_MACHINE_SIZE, MACHINE_CONFIGS, MACHINE_MAX_INSTANCES, MACHINE_RESOURCE_REQUIREMENTS, MACHINE_SIZES, MachineConfig, MachineResourceRequirements, MachineTierResources, isMachineSize, parseMachineSize, resolveMachineConfig, resolveMachineMaxInstances, resolveMachineResources, resolveMachineTierResources, toPublicMachineSize } from '@sylphx/contract/compute';
+import { SdkBillingPlan, SdkBillingSubscription, BillingCheckoutRequest, BillingCheckoutResponse, BillingPortalRequest, BillingPortalResponse, BillingBalanceResponse, BillingUsageResponse, SdkConsentType, UserConsent as UserConsent$1, AIModel as AIModel$1, GetModelsResponse, GetRateLimitResponse, GetUsageResponse, ReferralLeaderboardEntry, ReferralRewardDefaults as ReferralRewardDefaults$1, WebhookDelivery as WebhookDelivery$1, OAuthTokenResponse, OAuthTokenErrorResponse, OAuthClientCredentialsResponse, LogoutInput, RefreshTokenInput, RefreshTokenResult, OAuthIntrospectResponse, PlatformPasswordChangeRequest, PlatformPasswordChangeResponse, PlatformPasswordSetRequest, PlatformPasswordSetResponse, PlatformPasswordStatusResponse, PlatformSessionRenameRequest, PlatformSessionRenameResponse, PlatformSessionRevokeAllResponse, PlatformSessionRevokeRequest, PlatformSessionRevokeOtherResponse, PlatformSessionRevokeResponse, PlatformSessionsListResponse, AuthUserDeleteRequest, AuthUserDeleteResponse, AuthUserExportResponse, DeviceApproveRequest, DeviceApproveResponse, DeviceDenyRequest, DeviceDenyResponse, DeviceInitResponse, DeviceInitRequest, DevicePollResponse, LoginRequest as LoginRequest$1, LoginResponse as LoginResponse$1, UserFullProfile as UserFullProfile$1, RegisterRequest as RegisterRequest$1, RegisterResponse as RegisterResponse$1, ResendEmailVerificationRequest as ResendEmailVerificationRequest$1, ResendEmailVerificationResponse as ResendEmailVerificationResponse$1, AuthTokensResponse, TwoFactorVerifyRequest as TwoFactorVerifyRequest$1, PlatformAuditQueryRequest, PlatformAuditQueryResponse, PlatformRateLimitStatusRequest, PlatformRateLimitStatusResponse, PlatformRateLimitStrategiesListRequest, PlatformRateLimitStrategiesListResponse, PlatformRateLimitStrategyDeleteRequest, PlatformRateLimitStrategyDeleteResponse, PlatformRateLimitStrategyUpsertRequest, PlatformRateLimitStrategyUpsertResponse, File as File$1, UploadId, FileId, TakedownFileRequest, TakedownFileResult, FileVersion, FileVersionId, CreateOrgInput as CreateOrgInput$1, InviteMemberInput as InviteMemberInput$1, OrgSdkRole, OrgInvitation, OrgMember, MembershipInfo, Organization, UpdateOrgInput as UpdateOrgInput$1, UserOrganizationMembership, UserOrganizationsResponse, MachineSize } from '@sylphx/contract';
 export { BillingBalanceResponse as BalanceResponse, BillingCheckoutRequest as CheckoutRequest, BillingCheckoutResponse as CheckoutResponse, FileId, FileVersion, FileVersionId, FileVisibility, Organization, BillingPortalRequest as PortalRequest, BillingPortalResponse as PortalResponse, SignedUrlDisposition, File as StorageFile, UploadId, BillingUsageResponse as UsageResponse } from '@sylphx/contract';
 
 /**
@@ -7,19 +8,19 @@ export { BillingBalanceResponse as BalanceResponse, BillingCheckoutRequest as Ch
  *
  * Function-bundle download for the Sylphx-internal edge-runtime
  * orchestrator. Unlike the sibling Platform namespaces this one
- * authenticates with a shared `internalToken` (cluster-internal secret)
+ * authenticates with a shared `internalToken` (service-internal secret)
  * rather than a platform-audience JWT, because the caller is another
  * Sylphx service (the edge-runtime that spawns V8 isolates to invoke
  * user functions) not an end user. The BaaS runtime
  * (`apps/runtime/src/server/runtime/routes/functions/admin.ts`)
- * owns the raw `@aws-sdk/client-s3` client — Platform callers
- * dogfood through this SDK surface and never touch the S3 primitive.
+ * owns the object-storage implementation — Platform callers dogfood through
+ * this SDK surface and never touch backend storage credentials.
  *
  * Phase Σ1 SoC rename: this was previously exported out of `./auth`
  * as `functions` (re-exported at the package root as `functionsInternal`)
  * and spoke to `/auth/platform-functions/*`. The server-side surface
  * moved to `/v1/functions/admin/*` (function bundle admin is a
- * cross-cutting BaaS primitive — infrastructure storage — not an auth
+ * cross-cutting BaaS primitive — function bundle storage — not an auth
  * verb); this SDK module nests the admin verbs under
  * `functions.admin.*` at the package root.
  */
@@ -39,8 +40,8 @@ interface PlatformFunctionsDownloadBundleResult {
  * `pk_`/`sk_` pair. The BaaS runtime
  * (`apps/runtime/src/server/runtime/routes/realtime/admin.ts`)
  * verifies the token against audience `'platform'`, confirms
- * `verifyProjectAccess(userId, projectId)`, and owns the Redis set
- * operations.
+ * `verifyProjectAccess(userId, projectId)`, and owns the channel
+ * registration operations.
  *
  * Phase Σ1 SoC rename: this was previously exported out of `./auth`
  * as `realtime` (re-exported at the package root as `realtimeAdmin`)
@@ -63,7 +64,6 @@ interface PlatformRealtimeChannel {
 }
 interface PlatformRealtimeStatusResult {
     readonly available: boolean;
-    readonly provider: string;
 }
 interface PlatformRealtimeListChannelsResult {
     readonly channels: readonly PlatformRealtimeChannel[];
@@ -77,10 +77,80 @@ interface PlatformRealtimeDeleteChannelResult {
 }
 
 /**
- * Sylphx Connection URL Parser — SDK Self-Contained Copy
+ * Database Pricing Configuration (SSOT)
+ *
+ * All database billing constants centralized here.
+ * Used by billing calculations, usage tracking, and cost display.
+ *
+ * Pricing Strategy:
+ * - Self-hosted infra on AX162-R: flat ~$270/month
+ * - Competitive pricing with 75-99% margins
+ *
+ * Customer Prices (updated for self-hosted, 2026-02):
+ * - Compute: $0.08/hour (25% below Neon $0.106/hr)
+ * - Storage: $0.25/GB-month (29% below Neon $0.35/GB)
+ * - Transfer: $0.09/GB (matches Supabase)
+ */
+/** Price per compute hour in microdollars ($0.08/hour = 80,000 microdollars) */
+declare const COMPUTE_PRICE_PER_HOUR_MICRODOLLARS = 80000;
+/** Free compute hours per month (platform free tier) */
+declare const FREE_COMPUTE_HOURS = 3;
+/** Price per GB-month in microdollars ($0.25/GB-month = 250,000 microdollars) */
+declare const STORAGE_PRICE_PER_GB_MONTH_MICRODOLLARS = 250000;
+/** Free storage in GB (256 MB) */
+declare const FREE_STORAGE_GB = 0.25;
+/** Price per GB data transfer ($0.09/GB = 90,000 microdollars) */
+declare const TRANSFER_PRICE_PER_GB_MICRODOLLARS = 90000;
+/** KV free storage in GB (256 MB) */
+declare const KV_FREE_STORAGE_GB = 0.25;
+/** Hours per month (AWS/GCP standard for billing) */
+declare const HOURS_PER_MONTH = 730;
+
+/**
+ * Referrals Configuration (SSOT)
+ *
+ * Single source of truth for referral system configuration.
+ * Used by: referral router, SDK referral endpoints
+ */
+/** Default points awarded per successful referral */
+declare const DEFAULT_POINTS_REWARD = 100;
+/** Number of months the referral discount is valid */
+declare const DISCOUNT_DURATION_MONTHS = 3;
+/** Default discount percentage */
+declare const DISCOUNT_PERCENT = 20;
+/** Premium trial days from referral */
+declare const PREMIUM_TRIAL_DAYS = 7;
+/**
+ * Generate a cryptographically secure referral code
+ *
+ * Uses crypto.getRandomValues for uniform random bytes (0-255).
+ * Since REFERRAL_CODE_CHARS has exactly 32 characters and 256 / 32 = 8,
+ * byte % 32 produces perfectly uniform distribution with zero modulo bias.
+ *
+ * Entropy: 8 chars * log2(32) = 40 bits (~1.1 trillion possible codes)
+ *
+ * Format: 8 uppercase alphanumeric characters (excluding ambiguous: 0, O, I, L, 1)
+ */
+declare function generateReferralCode(): string;
+
+declare function getErrorMessage$1(error: unknown, fallback?: string): string;
+interface ErrorDetails$1 {
+    message: string;
+    code?: string;
+    name?: string;
+    stack?: string;
+    status?: number;
+    cause?: unknown;
+}
+declare function getErrorDetails$1(error: unknown, fallbackMessage?: string): ErrorDetails$1;
+
+/**
+ * Sylphx Connection URL — Single Source of Truth (ADR-123)
  *
  * Implements the canonical connection string format defined in ADR-055 §5.
- * This is a self-contained copy for SDK package independence (no app imports).
+ * This module is the SDK-owned SSOT per ADR-123 (SDK/application boundary).
+ * Consuming applications MUST import from `@sylphx/sdk` rather than duplicating
+ * this logic.
  *
  * Hosted format:
  *   sylphx://{credential}@{tenant-slug}.api.sylphx.com[:port][/v{version}]
@@ -118,10 +188,38 @@ interface ParsedConnectionUrl {
     /** Ready-to-use SDK base URL, always HTTPS (e.g. `https://bold-river-a1b2c3.api.sylphx.com/v1`) */
     readonly apiBaseUrl: string;
 }
+interface BuildConnectionUrlInput {
+    /** Credential — must match the credential format regex */
+    readonly credential: string;
+    /** Resource slug — validated DNS label */
+    readonly slug: string;
+    /** SDK API domain suffix; defaults to `api.sylphx.com`. Use `sylphx.dev` for dev. */
+    readonly domain?: string;
+    /** API version suffix, e.g. `v1`. Defaults to `v1`. Pass empty string to omit. */
+    readonly version?: string;
+}
+/**
+ * Credential format — opaque token with type, env, optional project ref, and
+ * hex payload. Ref-scoped credentials are emitted by Platform app-env injection;
+ * legacy credentials without the ref remain valid for existing deploys.
+ */
+declare const CREDENTIAL_REGEX: RegExp;
 declare class InvalidConnectionUrlError extends Error {
     readonly code: "INVALID_CONNECTION_URL";
     constructor(message: string);
 }
+/**
+ * Build a canonical Sylphx connection URL.
+ *
+ * Throws `InvalidConnectionUrlError` if any component is malformed.
+ */
+declare function buildConnectionUrl(input: BuildConnectionUrlInput): string;
+/**
+ * Parse a Sylphx connection URL into its structured components.
+ *
+ * Throws `InvalidConnectionUrlError` on any structural problem.
+ */
+declare function parseConnectionUrl(url: string): ParsedConnectionUrl;
 
 /**
  * SDK Configuration — ADR-055 Connection URL API
@@ -261,6 +359,666 @@ type SylphxConfigInput = string | SylphxClientInput;
  */
 declare const createConfig: typeof createClient;
 
+/**
+ * CSV utilities for browser and server SDK consumers.
+ */
+/**
+ * Escape a CSV field to handle commas, quotes, and newlines.
+ *
+ * Handles null/undefined by returning an empty field. Wraps values containing
+ * RFC 4180 special characters in double quotes and escapes internal quotes.
+ */
+declare function escapeCsvField(value: string | null | undefined): string;
+
+/**
+ * Formatting Utilities
+ *
+ * Shared formatting functions for consistent display across the project.
+ */
+/**
+ * Calculate percentage with consistent rounding.
+ * SSOT for all success rate, completion rate calculations.
+ *
+ * @param count - The numerator (e.g., successful count)
+ * @param total - The denominator (e.g., total count)
+ * @param decimals - Number of decimal places (default: 2)
+ * @returns Percentage value (0-100)
+ *
+ * @example
+ * ```ts
+ * calculatePercentage(75, 100) // 75
+ * calculatePercentage(1, 3)    // 33.33
+ * calculatePercentage(0, 0)    // 100 (safe division)
+ * ```
+ */
+declare function calculatePercentage(count: number, total: number, decimals?: number): number;
+/**
+ * Format microdollars to currency string
+ * @param microdollars Amount in microdollars (1 dollar = 1,000,000 microdollars)
+ * @param options Intl.NumberFormat options
+ */
+declare function formatMicrodollars(microdollars: number, options?: Intl.NumberFormatOptions): string;
+/**
+ * Format cents to currency string
+ * @param cents Amount in cents (100 cents = 1 dollar)
+ *
+ * @example
+ * ```ts
+ * formatCents(1999)  // "$19.99"
+ * formatCents(100)   // "$1.00"
+ * ```
+ */
+declare function formatCents(cents: number): string;
+/**
+ * Format dollars to currency string with optional compact notation
+ * @param amount Amount in dollars
+ * @param compact Use compact notation for large amounts (default: false)
+ *
+ * @example
+ * ```ts
+ * formatCurrency(1999.99)              // "$1,999.99"
+ * formatCurrency(1999.99, true)        // "$2.0K"
+ * formatCurrency(1999.99, { currency: 'EUR' }) // "€1,999.99"
+ * formatCurrency(1999.99, { compact: true })   // "$2.0K"
+ * ```
+ *
+ * Second argument accepts either a bare `boolean` (back-compat for
+ * the historical `compact` flag) or an options object with
+ * `{ currency, compact }`. The options form is required for any UI
+ * surface that displays multi-currency amounts (billing, invoices,
+ * usage statements) — previously two local copies of this function
+ * lived in `billing-management.tsx` to work around the missing
+ * currency parameter.
+ */
+declare function formatCurrency(amount: number, optsOrCompact?: boolean | {
+    compact?: boolean;
+    currency?: string;
+    decimals?: number;
+}): string;
+/**
+ * Format percentage with sign for trend display
+ * @param value Percentage value (not multiplied by 100)
+ *
+ * @example
+ * ```ts
+ * formatPercent(12.5)   // "+12.5%"
+ * formatPercent(-5.2)   // "-5.2%"
+ * formatPercent(0)      // "+0.0%"
+ * ```
+ */
+declare function formatPercent(value: number): string;
+/**
+ * Format number with abbreviated suffix (K, M, B) or compact notation
+ * @param num Number to format
+ * @param compact Use Intl compact notation (default: false, uses K/M/B suffix)
+ *
+ * @example
+ * ```ts
+ * formatNumber(1234)           // "1,234"
+ * formatNumber(1234567)        // "1.2M"
+ * formatNumber(1234, true)     // "1.2K" (Intl compact)
+ * ```
+ */
+declare function formatNumber(num: number, compact?: boolean): string;
+/**
+ * Format duration in milliseconds to human-readable string.
+ * SSOT for latency display in traces, performance, and monitoring.
+ *
+ * @param ms Duration in milliseconds
+ * @returns Formatted string (e.g., "<1ms", "42ms", "1.23s")
+ *
+ * @example
+ * ```ts
+ * formatDuration(0.5)    // "<1ms"
+ * formatDuration(42)     // "42ms"
+ * formatDuration(1500)   // "1.50s"
+ * ```
+ */
+declare function formatDuration(ms: number): string;
+/**
+ * Format bytes to human-readable string
+ * @param bytes Number of bytes
+ * @param decimals Number of decimal places (default: 1)
+ */
+declare function formatBytes(bytes: number | null | undefined, decimals?: number): string;
+/** Badge variant type for consistency */
+type BadgeVariant = 'default' | 'secondary' | 'success' | 'warning' | 'error' | 'outline';
+/**
+ * Get billing status badge variant.
+ * Pure function — no side effects, deterministic output.
+ *
+ * @param status Billing account status
+ * @returns Badge variant for display
+ */
+declare function getBillingStatusVariant(status: string): BadgeVariant;
+/**
+ * Get invoice status badge variant.
+ * Pure function — no side effects, deterministic output.
+ *
+ * @param status Invoice status
+ * @returns Badge variant for display
+ */
+declare function getInvoiceStatusVariant(status: string): BadgeVariant;
+/**
+ * Format date for display
+ * @param date Date to format (null returns fallback)
+ * @param options Intl.DateTimeFormat options
+ * @param fallback Value to return when date is null (default: '-')
+ */
+declare function formatDate(date: Date | string | null, options?: Intl.DateTimeFormatOptions, fallback?: string): string;
+/**
+ * Format date with time for display
+ * @param date Date to format (null returns fallback)
+ * @param options Override options
+ * @param fallback Value to return when date is null (default: '-')
+ */
+declare function formatDateTime(date: Date | string | null, options?: Intl.DateTimeFormatOptions, fallback?: string): string;
+/**
+ * Format relative time (e.g., "2 hours ago")
+ *
+ * Uses native Intl.RelativeTimeFormat for proper localization.
+ *
+ * @param date Date to format (null returns 'Never')
+ */
+declare function formatRelativeTime(date: Date | string | null): string;
+/**
+ * Format relative time in compact form (e.g., "2h ago", "3d ago").
+ * SSOT for dense UI contexts: tables, feeds, badges.
+ *
+ * Uses short suffixes (s/m/h/d/w) instead of Intl.RelativeTimeFormat words.
+ * For prose contexts, use {@link formatRelativeTime} instead.
+ *
+ * @param date Date to format (null returns 'Never')
+ *
+ * @example
+ * ```ts
+ * formatRelativeTimeShort(new Date())               // "Just now"
+ * formatRelativeTimeShort('2024-01-01T00:00:00Z')   // "3d ago"
+ * formatRelativeTimeShort(null)                      // "Never"
+ * ```
+ */
+declare function formatRelativeTimeShort(date: Date | string | null): string;
+/**
+ * Format month and year (e.g., "January 2024")
+ * SSOT for billing period display, invoice headers.
+ * @param date Date to format (null returns fallback)
+ * @param fallback Value to return when date is null
+ */
+declare function formatMonthYear(date: Date | string | null, fallback?: string): string;
+/**
+ * Format time only (e.g., "2:30 PM")
+ * SSOT for log timestamps, activity feeds.
+ * @param date Date to format (null returns fallback)
+ * @param fallback Value to return when date is null
+ */
+declare function formatTime(date: Date | string | null, fallback?: string): string;
+
+/**
+ * Safely parse a JSON string, returning a fallback value on failure instead of throwing.
+ *
+ * Use this when malformed input is a normal (non-exceptional) case — e.g. parsing
+ * user-provided data, localStorage values, or Redis cache entries where the caller
+ * simply wants a default on failure.
+ *
+ * For cases where parse failure is truly exceptional and the caller needs to handle
+ * the error explicitly, use a standard try-catch with proper logging instead.
+ */
+declare function safeJsonParse<T = unknown>(input: string, fallback?: T): T | null;
+
+/**
+ * Utility Functions
+ */
+/**
+ * Get the base URL for API requests
+ *
+ * Use cases:
+ * - getBaseUrl(): For relative URLs in browser, absolute in SSR (tRPC, API calls)
+ * - getBaseUrl('origin'): For absolute URLs that need the actual origin (auth, sharing)
+ *
+ * Priority: NEXT_PUBLIC_APP_URL > localhost
+ */
+declare function getBaseUrl(mode?: 'relative' | 'origin'): string;
+/**
+ * Escape HTML special characters to prevent XSS
+ *
+ * Uses single-pass regex replacement for efficiency.
+ */
+declare function escapeHtml(str: string): string;
+/**
+ * Generate a URL-friendly slug from text
+ *
+ * @param text - Text to convert to slug
+ * @param maxLength - Optional maximum length (default: no limit)
+ * @returns Lowercase slug with hyphens
+ *
+ * @example
+ * generateSlug('My Awesome App') // 'my-awesome-app'
+ * generateSlug('Hello   World!') // 'hello-world'
+ * generateSlug('My Org Name', 48) // 'my-org-name' (max 48 chars)
+ */
+declare function generateSlug(text: string, maxLength?: number): string;
+
+/**
+ * User Agent Parsing Utilities
+ *
+ * Extracts browser, OS, and device type from user agent strings.
+ * Simple implementation - no external dependencies.
+ */
+interface ParsedUserAgent {
+    browser: string | null;
+    os: string | null;
+    deviceType: 'desktop' | 'mobile' | 'tablet' | null;
+}
+/**
+ * Parse a user agent string to extract browser, OS, and device type.
+ * Returns null values if unable to determine.
+ */
+declare function parseUserAgent(ua: string): ParsedUserAgent;
+
+/**
+ * Authentication Configuration (SSOT)
+ *
+ * Single source of truth for authentication-related constants.
+ * Used by: validation schemas, auth forms, password policies
+ */
+/** Minimum password length */
+declare const MIN_PASSWORD_LENGTH = 8;
+/** Maximum password length */
+declare const MAX_PASSWORD_LENGTH = 128;
+/** Password requirements for display in UI */
+declare const PASSWORD_REQUIREMENTS: {
+    readonly minLength: 8;
+    readonly maxLength: 128;
+    readonly description: "Must be at least 8 characters";
+    readonly placeholder: "Min. 8 characters";
+};
+
+/**
+ * Billing Configuration (SSOT)
+ *
+ * Single source of truth for billing-related configuration.
+ * Used by: billing pages, usage tracking, invoicing
+ */
+/** Bytes per gigabyte — use instead of hardcoding 1024*1024*1024 */
+declare const BYTES_PER_GB: number;
+/** Microdollars per cent ($0.01 = 10,000 microdollars) */
+declare const MICRODOLLARS_PER_CENT = 10000;
+/** Invoice payment due after billing period ends (days) */
+declare const INVOICE_DUE_DAYS = 15;
+/**
+ * Billing metrics per service
+ * These are user-facing metric names (NOT technical terms like 'commands')
+ */
+declare const SERVICE_METRICS: {
+    readonly kv: {
+        readonly operations: "operations";
+        readonly storage: "storage";
+    };
+    readonly realtime: {
+        readonly messages: "messages";
+        readonly connections: "connections";
+    };
+    readonly ai: {
+        readonly tokens: "tokens";
+    };
+    readonly email: {
+        readonly emails: "emails";
+        readonly marketingEmails: "marketing_emails";
+    };
+    readonly notifications: {
+        readonly sends: "sends";
+    };
+    readonly analytics: {
+        readonly events: "events";
+        readonly forwarding: "forwarding";
+    };
+    readonly storage: {
+        readonly capacity: "capacity";
+        readonly uploads: "uploads";
+        readonly egress: "egress";
+    };
+    readonly auth: {
+        readonly mau: "mau";
+    };
+    readonly flags: {
+        readonly evaluations: "evaluations";
+    };
+    readonly consent: {
+        readonly records: "records";
+    };
+    readonly referrals: {
+        readonly conversions: "conversions";
+    };
+    readonly engagement: {
+        readonly operations: "operations";
+    };
+    readonly billing: {
+        readonly subscriptions: "subscriptions";
+        readonly usageRecords: "usage_records";
+    };
+    readonly search: {
+        readonly documents: "documents";
+        readonly searches: "searches";
+    };
+    readonly webhooks: {
+        readonly deliveries: "deliveries";
+    };
+    readonly monitoring: {
+        readonly errors: "errors";
+    };
+    readonly jobs: {
+        readonly invocations: "invocations";
+        readonly cronSchedules: "cron_schedules";
+    };
+    readonly database: {
+        readonly computeSeconds: "compute_seconds";
+        readonly storage: "storage";
+        readonly dataTransferBytes: "data_transfer_bytes";
+    };
+    readonly deploy: {
+        readonly buildMinutes: "build_minutes";
+    };
+};
+/** Active vCPU rate: $0.024/hr = $0.0004/min = 400 microdollars/min (ADR-034) */
+declare const COMPUTE_VCPU_ACTIVE_RATE_MICRODOLLARS = 400;
+/** Idle vCPU rate: $0.003/hr = $0.00005/min = 50 microdollars/min — 1/8 of active (ADR-034) */
+declare const COMPUTE_VCPU_IDLE_RATE_MICRODOLLARS = 50;
+/** RAM rate: $0.010/GB-hr = $0.000167/GB-min = 167 microdollars/GB-min (ADR-034) */
+declare const COMPUTE_RAM_RATE_MICRODOLLARS = 167;
+/** Build minute prices by machine type in microdollars per minute (ADR-034) */
+declare const BUILD_MINUTE_PRICES: Record<string, number>;
+/** Build minute size multipliers for quota tracking (ADR-034) */
+declare const BUILD_SIZE_MULTIPLIERS: Record<string, number>;
+/** Build minutes included per month by plan tier (ADR-034) */
+declare const BUILD_MINUTES_INCLUDED: Record<string, number>;
+/**
+ * @deprecated Use BUILD_MINUTE_PRICES.standard instead (ADR-034).
+ * Kept for backward compatibility with existing billing pipelines.
+ *
+ * CI compute-minute price in microdollars.
+ * Now references the standard build machine rate from ADR-034.
+ */
+declare const CI_BUILD_MINUTE_PRICE_MICRODOLLARS: number;
+/**
+ * @deprecated Use BUILD_MINUTES_INCLUDED[plan] instead (ADR-034).
+ * Kept for backward compatibility. Maps to the `team` tier as the
+ * previous default (2,000 free minutes).
+ */
+declare const CI_FREE_MINUTES_PER_MONTH: number;
+/**
+ * Size multipliers for CI compute-minute accounting (legacy GitHub labels).
+ *
+ * Keys are **GitHub Actions runner labels** (not build machine type names).
+ * These labels arrive on workflow_job webhooks and are stored as-is in
+ * githubCiJobs.resourceClass. The billing pipeline maps them to multipliers
+ * here; the build pipeline maps them to BuildMachineType via
+ * normalizeBuildMachineType() in build-machine.ts.
+ *
+ * @see BUILD_SIZE_MULTIPLIERS for canonical build machine multipliers (ADR-034).
+ */
+declare const CI_SIZE_MULTIPLIERS: Record<string, number>;
+/** macOS runner per-size multipliers (ADR-035: per-tier billing) */
+declare const CI_MACOS_SIZE_MULTIPLIERS: Record<string, number>;
+/** @deprecated Use CI_MACOS_SIZE_MULTIPLIERS[size] instead. */
+declare const CI_MACOS_MULTIPLIER: number;
+type ServiceMetrics = typeof SERVICE_METRICS;
+type KvMetric = keyof typeof SERVICE_METRICS.kv;
+type RealtimeMetric = keyof typeof SERVICE_METRICS.realtime;
+/** Credit expiry period in months */
+declare const CREDIT_EXPIRY_MONTHS = 12;
+/** Maximum payment retry attempts before suspending account */
+declare const MAX_PAYMENT_ATTEMPTS = 3;
+/** Roles that can access billing pages */
+declare const BILLING_ALLOWED_ROLES: readonly ["super_admin", "admin", "billing"];
+type BillingAllowedRole = (typeof BILLING_ALLOWED_ROLES)[number];
+/** Check if a role has billing access */
+declare function hasBillingAccess(role: string): boolean;
+
+/**
+ * Console SDK Key Utilities
+ *
+ * The Platform Console is Customer Zero — it uses the exact same key format
+ * as every other customer: pk_{env}_{ref}_{hex} / sk_{env}_{ref}_{hex}.
+ *
+ * No special key construction. No legacy app_* format. No special lookup paths.
+ *
+ * Keys are set via environment variables, just like any customer app:
+ *   NEXT_PUBLIC_SYLPHX_KEY   = pk_prod_nlbaz63pd2gz_97ef4f90c48e7378b0f00a1e2cb8c15e
+ *   SYLPHX_SECRET_KEY        = sk_prod_nlbaz63pd2gz_edea406b7988099f5826c143b0f6bd94...
+ */
+/** Console project slug — must match bootstrap.ts PLATFORM_CONSOLE_APP.slug */
+declare const CONSOLE_APP_SLUG = "sylphx-console";
+/**
+ * Determine environment prefix from build/runtime environment.
+ * Used by sdk-cookies.ts for cookie naming until it migrates to SDK-native getCookieNames().
+ * NOTE: still actively consumed by sdk-cookies.ts and sdk-login.ts — remove only after
+ * those modules parse the env prefix from NEXT_PUBLIC_SYLPHX_KEY directly.
+ */
+declare function getEnvPrefix(): 'dev' | 'stg' | 'prod';
+
+/**
+ * Platform Plan Tiers — SSOT
+ *
+ * Defines the Sylphx Platform plan tier system (ADR-034).
+ * NOTE: This is for *platform* plans (what the organization pays Sylphx for).
+ *       It is separate from `plans` (which are in-app subscription products
+ *       that customers create for their own end-users).
+ *
+ * All prices in cents (USD). Credits in microdollars (1 USD = 1,000,000 µ$).
+ *
+ * ADR-034 tiers: Free → Pro ($20/mo) → Team ($20/user/mo) → Enterprise (custom)
+ * The 'starter' tier is deprecated but kept in the type union for backward
+ * compatibility with existing database rows and API consumers.
+ */
+/**
+ * Platform plan identifiers.
+ * 'starter' is deprecated (ADR-034) — retained for backward compat with existing records.
+ */
+type PlatformPlanId = 'free' | 'starter' | 'pro' | 'team' | 'enterprise';
+type BuildMachineTier = 'standard' | 'large' | 'xlarge';
+interface PlatformPlanLimits {
+    /** Max projects across all environments */
+    maxProjects: number | null;
+    /** Max organization members */
+    maxMembers: number | null;
+    /** Max custom domains */
+    maxCustomDomains: number | null;
+    /** Max concurrent CI runners */
+    maxConcurrentRunners: number | null;
+    /** Max concurrent macOS CI runners */
+    maxMacosRunners: number | null;
+    /** Max managed databases */
+    maxDatabases: number | null;
+    /** CI job max duration in seconds */
+    ciMaxJobDurationSeconds: number;
+    /** API rate limit (requests per minute) */
+    apiRateLimitPerMin: number;
+    /** Audit log retention in days (0 = off) */
+    auditLogDays: number;
+    /** Max replicas per service (null = custom/negotiated) */
+    maxReplicas: number | null;
+    /** Included build minutes per billing period */
+    includedBuildMinutes: number;
+    /** Included outbound bandwidth in GB per billing period */
+    includedBandwidthGb: number;
+    /** Log retention in days */
+    logRetentionDays: number;
+    /** Build machine tier determining build speed */
+    buildMachineTier: BuildMachineTier;
+}
+interface PlatformPlanFeatures {
+    /** Custom domain support */
+    customDomains: boolean;
+    /** SSO / SAML support */
+    sso: boolean;
+    /** Priority CI queue */
+    priorityCi: boolean;
+    /** macOS CI runners */
+    macosCi: boolean;
+    /** Shared / Priority / Dedicated */
+    support: 'community' | 'email' | 'priority' | 'dedicated';
+    /** SLA uptime guarantee string (e.g. '99.9%') */
+    sla: string | null;
+    /** Role-based access control */
+    rbac: boolean;
+    /** Advanced analytics / insights */
+    advancedAnalytics: boolean;
+    /** White-label branding removal */
+    whiteLabel: boolean;
+}
+interface PlatformPlanDefinition {
+    id: PlatformPlanId;
+    name: string;
+    /** Monthly price in cents (0 = free, null = custom) */
+    priceMonthly: number | null;
+    /** Annual price in cents, ~20% discount (null = custom or N/A) */
+    priceAnnual: number | null;
+    /** Included platform compute credits per billing period (microdollars) */
+    includedCreditsMicrodollars: number;
+    /** Whether price is per seat (per member) — Team plan */
+    perSeat?: boolean;
+    features: PlatformPlanFeatures;
+    limits: PlatformPlanLimits;
+    /** Marketing bullet points for pricing cards */
+    highlights: string[];
+    /** Optional badge label (e.g. "Most Popular") */
+    badge?: string;
+    /** CTA button text */
+    cta: string;
+    /** Whether this is a custom/enterprise plan with contact sales flow */
+    isCustom?: boolean;
+    /**
+     * Deprecated plan — no longer available for new subscriptions.
+     * Existing subscribers are grandfathered until they change plans.
+     */
+    deprecated?: boolean;
+}
+declare const PLATFORM_PLANS: Record<PlatformPlanId, PlatformPlanDefinition>;
+/** Active (non-deprecated) plan IDs for display in pricing UI */
+declare const PLATFORM_PLAN_ORDER: PlatformPlanId[];
+/**
+ * Full plan order including deprecated tiers.
+ * Useful for admin screens and migration tooling that must handle legacy plans.
+ */
+declare const PLATFORM_PLAN_ORDER_ALL: PlatformPlanId[];
+/** Check whether a plan is deprecated and should not be offered to new subscribers */
+declare function isPlanDeprecated(planId: PlatformPlanId): boolean;
+/** Get only active (non-deprecated) plan definitions, in display order */
+declare function getActivePlans(): PlatformPlanDefinition[];
+/** Convert microdollars to human-readable dollar string (e.g. "$5") */
+declare function microsToDollars(microdollars: number): string;
+/** Convert cents to human-readable dollar string (e.g. "$19") */
+declare function centsToDollars(cents: number): string;
+/** Get monthly price display string */
+declare function getPlanMonthlyPrice(plan: PlatformPlanDefinition, annual?: boolean): string;
+
+/**
+ * Instance Type Catalog — SSOT
+ *
+ * Defines the compute instance types available for Sylphx platform workloads.
+ * Each instance type maps to Kubernetes resource requests/limits for kata-clh
+ * (Cloud Hypervisor) microVMs, along with billing rates and plan eligibility.
+ *
+ * Rates are in microdollars (1 USD = 1,000,000 µ$) per minute.
+ *
+ * Memory overcommit (ADR-028): CLH uses demand paging (mmap without MAP_POPULATE).
+ * Host physical RAM is allocated on-demand as guest pages are touched, NOT pre-allocated
+ * at VM boot. Verified 2026-03-30: a pod with limits=4Gi only consumed +8Mi host RAM
+ * when idle. Memory requests are set to 50% of limits (2x overcommit) for efficient
+ * scheduler bin-packing. CPU requests are 25% of limits (4x overcommit).
+ *
+ * ADR-034 T-shirt sizing: canonical names are xs/sm/md/lg/xl/2xl/4xl.
+ * Legacy names (starter-1x, standard-1x, etc.) are kept as aliases for backward
+ * compatibility with existing database values and API consumers.
+ */
+
+type InstanceTypeId = 'xs' | 'sm' | 'md' | 'lg' | 'xl' | '2xl' | '4xl' | 'starter-1x' | 'standard-1x' | 'standard-2x' | 'performance-m' | 'performance-l' | 'performance-xl';
+interface InstanceTypeDefinition {
+    id: InstanceTypeId;
+    name: string;
+    /** Kubernetes CPU limit (e.g. '2000m') */
+    cpuLimit: string;
+    /** Kubernetes memory limit (e.g. '8Gi') */
+    memoryLimit: string;
+    /** Kubernetes CPU request (e.g. '500m') */
+    cpuRequest: string;
+    /** Kubernetes memory request (50% of limit — CLH demand paging, ADR-028) */
+    memoryRequest: string;
+    /** Billing vCPU count for metering denormalization */
+    vcpus: number;
+    /** Billing memory in MiB for metering denormalization */
+    memoryMib: number;
+    /** Rate per vCPU per minute in microdollars */
+    vcpuMinuteRateMicrodollars: number;
+    /** Rate per GiB per minute in microdollars */
+    gbMinuteRateMicrodollars: number;
+    /** Platform plans that may provision this instance type */
+    allowedPlans: PlatformPlanId[];
+    /**
+     * Maximum KEDA ScaledObject replica count for this instance type tier.
+     * Caps the ScaledObject maxReplicaCount to prevent runaway scaling
+     * on smaller tiers. Users can set a lower per-service max via scalingConfig.max,
+     * but never exceed this ceiling.
+     */
+    maxReplicas: number;
+    /** Marketing bullet points for instance type cards */
+    highlights: string[];
+    /** Whether this instance type is deprecated (legacy name) */
+    deprecated?: boolean;
+}
+/**
+ * Maps legacy instance type names to their canonical T-shirt size equivalents (ADR-034).
+ *
+ * Database values and API consumers may still use old names — this mapping lets
+ * resolveInstanceType() transparently return the canonical definition without
+ * requiring a data migration.
+ */
+declare const INSTANCE_TYPE_ALIASES: Record<string, string>;
+/**
+ * Resolve a potentially-aliased instance type ID to its canonical T-shirt size.
+ * Returns the input unchanged if it is already canonical or unknown.
+ *
+ * Use for display/UI and when accepting user input for NEW configurations.
+ * Do NOT use in runtime paths (billing, K8s reconciler) — both old and new names
+ * exist in INSTANCE_TYPES with their original specs, so direct lookup is correct
+ * and avoids changing billing/resource behavior for existing services.
+ */
+declare function resolveCanonicalInstanceType(id: string): string;
+declare const INSTANCE_TYPES: Record<InstanceTypeId, InstanceTypeDefinition>;
+/** Ordered list of canonical instance type IDs for display (smallest to largest) */
+declare const INSTANCE_TYPE_ORDER: InstanceTypeId[];
+/**
+ * @deprecated Use INSTANCE_TYPE_ORDER instead.
+ * Ordered list of legacy instance type IDs — kept for backward compat.
+ */
+declare const LEGACY_INSTANCE_TYPE_ORDER: InstanceTypeId[];
+/** Get the default instance type for a given platform plan */
+declare function getDefaultInstanceType(plan: PlatformPlanId): InstanceTypeId;
+/** Get all canonical (non-deprecated) instance types available for a given platform plan, in display order */
+declare function getAvailableInstanceTypes(plan: PlatformPlanId): InstanceTypeDefinition[];
+/** Resolve Kubernetes resource spec for a given instance type (accepts aliases) */
+declare function resolveResources(id: InstanceTypeId): {
+    requests: {
+        cpu: string;
+        memory: string;
+    };
+    limits: {
+        cpu: string;
+        memory: string;
+    };
+};
+/** Resolve the KEDA ScaledObject maxReplicaCount ceiling for a given instance type */
+declare function resolveMaxReplicas(id: InstanceTypeId): number;
+/** Default KEDA maxReplicaCount when no instance type is resolved (legacy/unmanaged services) */
+declare const DEFAULT_MAX_REPLICAS = 10;
+/** Type guard: check if an arbitrary string is a valid InstanceTypeId (including legacy aliases) */
+declare function isValidInstanceType(id: string): id is InstanceTypeId;
+/** Validate that an instance type exists and is permitted for the given plan */
+declare function validateInstanceTypeForPlan(id: string, plan: PlatformPlanId): {
+    valid: boolean;
+    error?: string;
+};
+
 /**
  * SDK Debug Mode
  *
@@ -875,11 +1633,22 @@ declare function isRetryableError(error: unknown): boolean;
 /**
  * Extract error message from any error type
  */
-declare function getErrorMessage(error: unknown): string;
+declare function getErrorMessage(error: unknown, fallback?: string): string;
 /**
  * Get error code from any error type
  */
 declare function getErrorCode(error: unknown): SylphxErrorCode;
+interface ErrorDetails {
+    readonly message: string;
+    readonly code?: string;
+    readonly name?: string;
+    readonly stack?: string;
+    readonly status?: number;
+    readonly cause?: unknown;
+}
+declare function getErrorDetails(error: unknown, fallbackMessage?: string): ErrorDetails;
+declare function getSafeErrorMessage(error: unknown, fallback?: string): string;
+declare function isChallengeRequired(err: unknown): boolean;
 /**
  * Convert any error to SylphxError
  */
@@ -1811,438 +2580,479 @@ interface PaginatedResponse<T> {
 }
 
 /**
- * Auth Functions
- *
- * Pure functions for authentication - no hidden state.
- * Each function takes config as the first parameter.
- *
- * Uses REST API at /api/sdk/auth/* for all operations.
+ * DPoP — Demonstration of Proof-of-Possession (RFC 9449 / ADR-089 Phase 5.1e).
  *
- * Types are re-exported from `@sylphx/contract` (ADR-084). The contract is
- * the single source of truth for every wire shape — this module only adds
- * SDK-specific ergonomics (User brand swap, introspection result, invite
- * envelopes, org-token claims).
+ * Client-side helpers for sender-constrained access tokens. Built on
+ * `crypto.subtle` with no runtime dependencies.
  */
+declare const dpop: {
+    /**
+     * Generate a fresh ES256 key pair. Private key is non-extractable
+     * (`extractable: false`) so it can be stored but never serialised.
+     */
+    readonly generateKeyPair: () => Promise<{
+        readonly privateKey: CryptoKey;
+        readonly publicKey: CryptoKey;
+        readonly thumbprint: string;
+    }>;
+    /**
+     * Sign a DPoP proof JWT. When `accessToken` is provided, the proof
+     * includes `ath = base64url(sha256(accessToken))` so the resource
+     * server can bind the proof to the token being presented.
+     */
+    readonly generateProof: (opts: {
+        readonly privateKey: CryptoKey;
+        readonly publicKey: CryptoKey;
+        readonly method: string;
+        readonly uri: string;
+        readonly accessToken?: string;
+        readonly nonce?: string;
+    }) => Promise<string>;
+};
 
-type LoginRequest = LoginRequest$1;
-type LoginResponse = LoginResponse$1;
-type RegisterRequest = RegisterRequest$1;
-type RegisterResponse = RegisterResponse$1;
-type ResendEmailVerificationRequest = ResendEmailVerificationRequest$1;
-type ResendEmailVerificationResponse = ResendEmailVerificationResponse$1;
 /**
- * Token response — contract's `AuthTokensResponse.user` (optional `AuthUser`)
- * is re-mapped to the SDK's broader `User` type so legacy callers keep the
- * familiar brand. `AuthUser` and `User` are structurally identical, but
- * the SDK surface has wider reach (cookies, middleware, React hooks) and
- * renaming is out of scope for ADR-084 cleanup.
+ * OAuth token endpoint contract helpers.
+ *
+ * Keeps RFC 6749/8628 request encoding, success decoding, and error decoding
+ * type-bound to `@sylphx/contract` while using SDK-local runtime guards so the
+ * published Promise SDK does not import Effect internals.
  */
-type TokenResponse = Omit<AuthTokensResponse, 'user'> & {
-    user: User;
+
+type OAuthTokenResult = OAuthTokenResponse;
+type OAuthClientCredentialsResult = OAuthClientCredentialsResponse;
+type OAuthTokenEndpointError = OAuthTokenErrorResponse['error'];
+type OAuthPollError = OAuthTokenEndpointError | 'oauth_error';
+type OAuthPollResult = {
+    readonly ok: true;
+    readonly tokens: OAuthTokenResult;
+} | {
+    readonly ok: false;
+    readonly error: OAuthPollError;
+    readonly status: number;
 };
-type TwoFactorVerifyRequest = TwoFactorVerifyRequest$1;
+
 /**
- * `GET /auth/me` — contract's `UserFullProfile` already includes the
- * optional `emailVerified` flag the backend returns, so the SDK can just
- * alias the contract type directly.
+ * Platform refresh-token rotation and logout SDK namespace.
  */
-type MeResponse = UserFullProfile$1;
+
+type PlatformRefreshInput = RefreshTokenInput;
+type PlatformRefreshResult = RefreshTokenResult;
+type PlatformLogoutInput = LogoutInput;
+declare const platformAuth: {
+    readonly refresh: (opts: {
+        readonly baseUrl: string;
+        readonly refreshToken: string;
+        readonly userAgent?: string;
+        /**
+         * Path prefix between `baseUrl` and the resource path. Defaults
+         * to `/api/v1` for back-compat with the admin-override host
+         * (`sylphx.com`). Pass `/v1` when targeting the canonical host
+         * (`api.sylphx.com`) per Rule 17.
+         */
+        readonly urlPrefix?: string;
+    }) => Promise<PlatformRefreshResult>;
+    readonly logout: (opts: {
+        readonly baseUrl: string;
+        readonly refreshToken: string;
+        readonly userAgent?: string;
+        /** See `refresh.urlPrefix`. */
+        readonly urlPrefix?: string;
+    }) => Promise<void>;
+};
+
 /**
- * Token introspection result (RFC 7662)
+ * Platform impersonation SDK namespace.
+ *
+ * Covers the ADR-089 Phase 3b legacy helpers and Phase 5.9 WebAuthn
+ * step-up + target-consent workflow.
  */
-interface TokenIntrospectionResult {
-    /** Whether the token is active/valid */
-    active: boolean;
-    /** Token type (access_token or refresh_token) */
-    token_type?: 'access_token' | 'refresh_token';
-    /** User ID */
-    sub?: string;
-    /** User email */
-    email?: string;
-    /** User name */
-    name?: string;
-    /** App ID */
-    client_id?: string;
-    /** Audience */
-    aud?: string;
-    /** Issuer */
-    iss?: string;
-    /** Expiration time (Unix timestamp) */
-    exp?: number;
-    /** Issued at time (Unix timestamp) */
-    iat?: number;
-    /** User role */
-    role?: string;
-    /** Email verification status */
-    email_verified?: boolean;
+interface ImpersonationStartResult {
+    readonly success: true;
+    readonly token: string;
+    readonly sessionId: string;
+    readonly expiresAt: string;
 }
-/**
- * Token revocation options
- */
-interface RevokeTokenOptions {
-    /** Revoke all tokens for a user in this app */
-    revokeAll?: boolean;
-    /** User ID (required when revoking all) */
-    userId?: string;
+interface ImpersonationEndResult {
+    readonly success: boolean;
+    readonly sessionsEnded: number;
 }
-interface SessionResult {
-    user: {
-        id: string;
-        email: string;
-        name: string | null;
-        image: string | null;
-        emailVerified: boolean;
-    } | null;
+interface ImpersonationInfo {
+    readonly isImpersonation: true;
+    readonly adminUserId: string;
+    readonly adminEmail: string;
+    readonly adminName: string | null;
+    readonly impersonatedAt: string;
 }
-/**
- * Extended registration input with metadata and invitation token support.
- * Use extendedSignUp() when you need to pass metadata or an invitation token.
- */
-interface RegisterInput {
-    email: string;
-    password: string;
-    name?: string;
-    metadata?: Record<string, unknown>;
-    invitationToken?: string;
+interface ImpersonationActive {
+    readonly sessionId: string;
+    readonly adminUserId: string;
+    readonly adminEmail: string;
+    readonly adminName: string | null;
+    readonly targetUserId: string;
+    readonly targetEmail: string;
+    readonly targetName: string | null;
+    readonly impersonatedAt: string;
+    readonly lastActiveAt: string;
 }
-/**
- * Org context claims present in org-scoped tokens (after switch-org).
- *
- * The JWT carries the role key only. Permissions are resolved server-side
- * via Redis-cached role→permissions lookup (WorkOS pattern). This keeps
- * tokens small and ensures permission changes take effect without token refresh.
- */
-interface OrgTokenPayload {
-    org_id: string;
-    org_slug: string;
-    /** RBAC role key (e.g. "hr_manager", "admin"). Permissions resolved server-side. */
-    org_role: string;
+interface ImpersonationStartChallengeInput {
+    readonly baseUrl: string;
+    readonly accessToken: string;
+    readonly targetUserId: string;
+    readonly reason: string;
+    readonly userAgent?: string;
 }
-interface OrgScopedTokenResponse {
-    /** Org-scoped access token. */
-    token: string;
-    /** Org-scoped access token, matching the SDK's token naming convention. */
-    accessToken: string;
-    /** Token lifetime in seconds, when provided by the runtime. */
-    expiresIn?: number;
-    /** Bearer token type, when provided by the runtime. */
-    tokenType?: string;
-    /** User envelope returned by the runtime for session hydration. */
-    user?: User;
+interface ImpersonationChallenge {
+    readonly requestId: string;
+    readonly challengeKey: string;
+    readonly webauthnOptions: {
+        readonly challenge: string;
+        readonly rpId?: string;
+        readonly allowCredentials: ReadonlyArray<{
+            readonly id: string;
+            readonly type: 'public-key';
+            readonly transports?: readonly string[];
+        }>;
+        readonly userVerification: 'required';
+        readonly timeout: number;
+    };
 }
-/**
- * Invite a user request payload.
- */
-interface InviteUserRequest {
-    email: string;
-    metadata?: Record<string, unknown>;
-    redirectUrl?: string;
+interface ImpersonationStartStepupInput {
+    readonly baseUrl: string;
+    readonly accessToken: string;
+    readonly requestId: string;
+    readonly challengeKey: string;
+    readonly assertion: unknown;
+    readonly emergencyBypass?: boolean;
+    readonly userAgent?: string;
+}
+type ImpersonationStartStepupResult = {
+    readonly branch: 'emergency';
+    readonly requestId: string;
+    readonly token: string;
+    readonly sessionId: string;
+    readonly expiresAt: string;
+} | {
+    readonly branch: 'awaiting-consent';
+    readonly requestId: string;
+    readonly consentDeadline: string;
+};
+type ImpersonationConsentDecision = 'approve' | 'deny';
+type ImpersonationConsentResponse = {
+    readonly branch: 'approved';
+    readonly requestId: string;
+    readonly token: string;
+    readonly sessionId: string;
+    readonly expiresAt: string;
+} | {
+    readonly branch: 'denied';
+    readonly requestId: string;
+};
+interface ImpersonationRequestRow {
+    readonly id: string;
+    readonly operatorId: string;
+    readonly targetUserId: string;
+    readonly reason: string;
+    readonly status: 'awaiting-stepup' | 'awaiting-consent' | 'active' | 'denied' | 'expired' | 'ended' | 'revoked';
+    readonly emergencyBypass: boolean;
+    readonly sessionId: string | null;
+    readonly consentDeadline: string | null;
+    readonly startedAt: string | null;
+    readonly endedAt: string | null;
+    readonly createdAt: string;
 }
+declare const impersonation: {
+    readonly start: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly targetUserId: string;
+        readonly ipAddress?: string;
+        readonly userAgent?: string;
+    }) => Promise<ImpersonationStartResult>;
+    readonly end: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly sessionId?: string;
+        readonly userAgent?: string;
+    }) => Promise<ImpersonationEndResult>;
+    readonly info: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly sessionId: string;
+        readonly userAgent?: string;
+    }) => Promise<ImpersonationInfo | null>;
+    readonly active: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly userAgent?: string;
+    }) => Promise<readonly ImpersonationActive[]>;
+    readonly startChallenge: (opts: ImpersonationStartChallengeInput) => Promise<ImpersonationChallenge>;
+    readonly startStepup: (opts: ImpersonationStartStepupInput) => Promise<ImpersonationStartStepupResult>;
+    readonly respondConsent: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly requestId: string;
+        readonly decision: ImpersonationConsentDecision;
+        readonly userAgent?: string;
+    }) => Promise<ImpersonationConsentResponse>;
+    readonly listRequests: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly filter?: {
+            readonly operatorId?: string;
+            readonly targetUserId?: string;
+            readonly status?: ImpersonationRequestRow["status"];
+            readonly limit?: number;
+        };
+        readonly userAgent?: string;
+    }) => Promise<readonly ImpersonationRequestRow[]>;
+    readonly endSession: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly requestId: string;
+        readonly userAgent?: string;
+    }) => Promise<{
+        success: true;
+        requestId: string;
+        sessionId: string | null;
+    }>;
+};
+
 /**
- * Response from inviteUser.
+ * Platform JWT verification and cookie-session resolution.
+ *
+ * This module owns the SDK's hot-path Platform auth helpers: cached JWKS
+ * verification for bearer tokens and cached cookie-based user resolution.
  */
-interface InviteUserResponse {
-    invitationToken: string;
-    expiresAt: string;
-}
 /**
- * Sign in with email and password
- *
- * @example
- * ```typescript
- * const result = await signIn(config, { email: 'user@example.com', password: 'secret' })
- * if (result.requiresTwoFactor) {
- *   // Handle 2FA flow
- * } else {
- *   // Save tokens
- *   const authenticatedConfig = withToken(config, result.accessToken!)
- * }
- * ```
+ * Reset the platform-JWKS cache. Tests should call this between cases
+ * to avoid state bleed. Production code relies on the TTL-based
+ * expiry.
  */
-declare function signIn(config: SylphxConfig, input: LoginRequest): Promise<LoginResponse>;
+declare function resetPlatformJwksCache(): void;
+interface PlatformAccessTokenClaims {
+    readonly sub: string;
+    readonly pid?: string;
+    readonly email: string;
+    readonly name?: string;
+    readonly picture?: string;
+    readonly email_verified: boolean;
+    readonly app_id: string;
+    readonly role: string;
+    readonly org_id?: string;
+    readonly org_slug?: string;
+    readonly org_role?: string;
+    readonly iat?: number;
+    readonly exp?: number;
+    /**
+     * RFC 7800 confirmation claim — present when the token is sender-
+     * constrained. Today we emit this for DPoP-bound tokens (RFC 9449)
+     * where `cnf.jkt` is the SHA-256 thumbprint of the client's DPoP
+     * public key.
+     *
+     * Resource servers (e.g. apps/api Management plane) that want to
+     * enforce DPoP MUST:
+     *   1. Look up `oauth_clients.dpop_bound_access_tokens` on the
+     *      issuing client to know whether DPoP is required.
+     *   2. If required AND `cnf.jkt` is absent, reject 401.
+     *   3. If `cnf.jkt` is present, verify the inbound `DPoP` header's
+     *      proof JWT and assert its public-key thumbprint matches `jkt`.
+     *
+     * Pre-Wave-5.3 this field was stripped from `verifyAccessToken`'s
+     * return value, making resource-side enforcement impossible without
+     * decoding the JWT a second time. Exposing it preserves the wire
+     * format and unlocks the resource-server DPoP middleware.
+     */
+    readonly cnf?: {
+        readonly jkt?: string;
+    };
+}
 /**
- * Sign up with email and password
+ * `verifyAccessToken` — local JWT verification against cached JWKS.
+ *
+ * Designed for the Platform API's hot-path auth middleware: JWKS is
+ * fetched once per process (1h TTL), signature/iss/aud/exp
+ * verification is local `jose` — no per-request HTTPS hop.
  *
  * @example
  * ```typescript
- * const result = await signUp(config, {
- *   email: 'user@example.com',
- *   password: 'secret',
- *   name: 'John Doe',
+ * const claims = await auth.verifyAccessToken(bearer, {
+ *   baseUrl: 'https://your-app.api.sylphx.com/v1',
+ *   audience: 'platform',
  * })
- * // User needs to verify email
  * ```
  */
-declare function signUp(config: SylphxConfig, input: RegisterRequest): Promise<RegisterResponse>;
+declare function verifyAccessToken(token: string, opts: {
+    readonly baseUrl: string;
+    readonly audience: string;
+}): Promise<PlatformAccessTokenClaims>;
+interface PlatformUserRecord {
+    readonly id: string;
+    readonly email: string;
+    readonly name: string | null;
+    readonly image: string | null;
+    readonly emailVerified: boolean;
+    readonly role: string;
+    readonly twoFactorEnabled: boolean;
+}
+interface PlatformUserResolution {
+    readonly user: PlatformUserRecord;
+    readonly sessionId: string;
+}
+declare function resetPlatformCookieCache(): void;
 /**
- * Sign out (revoke tokens)
- *
- * @example
- * ```typescript
- * await signOut(config)
- * ```
+ * `cookies` namespace — Platform cookie / session resolution for the
+ * Platform API's hot-path auth middleware (ADR-089 Phase 3b).
  */
-declare function signOut(config: SylphxConfig): Promise<void>;
+declare const cookies: {
+    /**
+     * Resolve a platform user from a forwarded `Cookie:` header.
+     *
+     * Delegates to BaaS `/auth/platform-sessions/whoami`. Caches each
+     * unique cookie string for 30s to avoid hammering BaaS on every
+     * SSR request.
+     *
+     * @example
+     * ```typescript
+     * const result = await auth.cookies.resolvePlatformUser({
+     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
+     *   cookieHeader: req.headers.get('cookie') ?? '',
+     * })
+     * if (!result) // unauthenticated
+     * ```
+     */
+    readonly resolvePlatformUser: (opts: {
+        readonly baseUrl: string;
+        readonly cookieHeader: string;
+        readonly userAgent?: string;
+    }) => Promise<PlatformUserResolution | null>;
+};
+
 /**
- * Refresh access token
+ * Platform OAuth namespace.
  *
- * @example
- * ```typescript
- * const tokens = await refreshToken(config, refreshTokenString)
- * const newConfig = withToken(config, tokens.accessToken)
- * ```
+ * Backs `auth.oauth.*` while keeping OAuth AS protocol handling out of the
+ * monolithic auth module. Public exports are re-exported from `auth.ts`.
  */
-declare function refreshToken(config: SylphxConfig, token: string): Promise<TokenResponse>;
+
+type OAuthIntrospectResult = OAuthIntrospectResponse;
+interface MintAccessTokenClaims {
+    readonly sub: string;
+    readonly email: string;
+    readonly name?: string;
+    readonly email_verified: boolean;
+    readonly app_id: string;
+    readonly role: string;
+    readonly org_id?: string;
+    readonly org_slug?: string;
+    readonly org_role?: string;
+    readonly picture?: string;
+    readonly pid?: string;
+}
+interface MintAccessTokenResult {
+    readonly accessToken: string;
+    readonly expiresIn: number;
+}
+interface OAuthClientCallOpts {
+    readonly baseUrl: string;
+    readonly clientId: string;
+    readonly clientSecret?: string;
+    readonly token: string;
+    readonly tokenTypeHint?: 'access_token' | 'refresh_token';
+    readonly userAgent?: string;
+}
 /**
- * Verify email with token
+ * `oauth` namespace — Platform OAuth operations backed by BaaS.
  *
- * @example
- * ```typescript
- * await verifyEmail(config, token)
- * ```
+ * Phase 3b adds `mintAccessToken` for the refresh handler migration;
+ * Phase 5.1 layered in full authorization-server verbs
+ * (`/oauth/token`, `/oauth/revoke`, `/oauth/introspect`).
  */
-declare function verifyEmail(config: SylphxConfig, token: string): Promise<void>;
+declare const oauth: {
+    /**
+     * Mint a platform-audience access token from supplied claims.
+     *
+     * Service-to-service call — authenticated via
+     * `SYLPHX_INTERNAL_TOKEN` shared secret until ADR-068's
+     * SPIFFE SVID mTLS platform-auth flip makes workload identity the
+     * only accepted internal caller credential.
+     */
+    readonly mintAccessToken: (opts: {
+        readonly baseUrl: string;
+        readonly internalToken: string;
+        readonly claims: MintAccessTokenClaims;
+        readonly userAgent?: string;
+    }) => Promise<MintAccessTokenResult>;
+    readonly exchangeAuthorizationCode: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly clientSecret?: string;
+        readonly code: string;
+        readonly redirectUri: string;
+        readonly codeVerifier: string;
+    }) => Promise<OAuthTokenResult>;
+    readonly refreshAccessToken: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly clientSecret?: string;
+        readonly refreshToken: string;
+        readonly scope?: string;
+    }) => Promise<OAuthTokenResult>;
+    readonly pollDeviceToken: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly deviceCode: string;
+    }) => Promise<OAuthPollResult>;
+    readonly clientCredentialsToken: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly clientSecret: string;
+        readonly scope?: string;
+    }) => Promise<OAuthClientCredentialsResult>;
+    readonly revokeToken: (opts: OAuthClientCallOpts) => Promise<void>;
+    readonly introspectToken: (opts: OAuthClientCallOpts) => Promise<OAuthIntrospectResult>;
+};
+
 /**
- * Request password reset email
+ * Platform password management SDK namespace.
  *
- * @example
- * ```typescript
- * await forgotPassword(config, 'user@example.com', {
- *   redirectUrl: 'https://app.example.com/reset-password'
- * })
- * ```
+ * Backed by `/auth/platform-password/*` on the BaaS runtime. Crypto
+ * primitives and breach checks stay server-side; callers only pass tokens
+ * and plaintext password inputs over the established HTTPS boundary.
  */
-declare function forgotPassword(config: SylphxConfig, email: string, options?: {
-    redirectUrl?: string;
-}): Promise<void>;
+
+type PlatformPasswordStatusResult = PlatformPasswordStatusResponse;
+type PlatformPasswordSetInput = PlatformPasswordSetRequest;
+type PlatformPasswordSetResult = PlatformPasswordSetResponse;
+type PlatformPasswordChangeInput = PlatformPasswordChangeRequest;
+type PlatformPasswordChangeResult = PlatformPasswordChangeResponse;
+declare const password: {
+    readonly status: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly userAgent?: string;
+    }) => Promise<PlatformPasswordStatusResult>;
+    readonly set: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly password: string;
+        readonly userAgent?: string;
+    }) => Promise<PlatformPasswordSetResult>;
+    readonly change: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly currentPassword: string;
+        readonly newPassword: string;
+        readonly userAgent?: string;
+    }) => Promise<PlatformPasswordChangeResult>;
+};
+
 /**
- * Request a verification email resend.
+ * Platform session management SDK namespace.
  *
- * The Platform response is intentionally privacy-preserving: it never
- * indicates whether the email exists or is already verified.
- *
- * @example
- * ```typescript
- * await resendVerificationEmail(config, 'user@example.com')
- * ```
+ * Backed by `/auth/platform-sessions/*` on the BaaS runtime. These helpers
+ * accept platform-audience access tokens, not project `pk_`/`sk_` credentials.
  */
-declare function resendVerificationEmail(config: SylphxConfig, email: string): Promise<void>;
-/**
- * Reset password with token
- *
- * @example
- * ```typescript
- * await resetPassword(config, { token, password: 'newpassword' })
- * ```
- */
-declare function resetPassword(config: SylphxConfig, input: {
-    token: string;
-    password: string;
-}): Promise<void>;
-/**
- * Get current session (requires authenticated config)
- *
- * @example
- * ```typescript
- * const session = await getSession(authenticatedConfig)
- * if (session.user) {
- *   console.log(`Logged in as ${session.user.email}`)
- * }
- * ```
- */
-declare function getSession(config: SylphxConfig): Promise<SessionResult>;
-/**
- * Verify 2FA code (when signIn returns requiresTwoFactor: true)
- *
- * @example
- * ```typescript
- * const result = await signIn(config, credentials)
- * if (result.requiresTwoFactor) {
- *   const tokens = await verifyTwoFactor(config, result.userId!, code)
- * }
- * ```
- */
-declare function verifyTwoFactor(config: SylphxConfig, userId: string, code: string): Promise<TokenResponse>;
-/**
- * Introspect a token to check its validity (RFC 7662)
- *
- * Use this to verify token status without decoding. Essential for:
- * - Checking if a token has been revoked
- * - Validating tokens at the edge
- * - Security-critical operations
- *
- * @example
- * ```typescript
- * const result = await introspectToken(config, accessToken)
- * if (!result.active) {
- *   // Token is invalid, revoked, or expired
- *   await refreshTokens()
- * }
- * ```
- */
-declare function introspectToken(config: SylphxConfig, token: string, tokenTypeHint?: 'access_token' | 'refresh_token'): Promise<TokenIntrospectionResult>;
-/**
- * Revoke a token (RFC 7009)
- *
- * Use cases:
- * - Sign out user from specific device
- * - Security response to compromised token
- * - User-initiated session termination
- *
- * @example
- * ```typescript
- * // Revoke single refresh token
- * await revokeToken(config, refreshToken)
- *
- * // Revoke all tokens for a user (logout everywhere)
- * await revokeToken(config, '', { revokeAll: true, userId: 'user-123' })
- * ```
- */
-declare function revokeToken(config: SylphxConfig, token: string, options?: RevokeTokenOptions): Promise<void>;
-/**
- * Revoke all tokens for a user (logout from all devices)
- *
- * Convenience wrapper around revokeToken with revokeAll option.
- *
- * @example
- * ```typescript
- * // After password change, revoke all sessions
- * await revokeAllTokens(config, userId)
- * ```
- */
-declare function revokeAllTokens(config: SylphxConfig, userId: string): Promise<void>;
-/**
- * Sign up with extended input (metadata + invitation token support).
- *
- * Use this instead of signUp() when you need to:
- * - Pass metadata on registration (e.g., org context, role, referral info)
- * - Register with an invitation token
- *
- * @example
- * ```typescript
- * const result = await extendedSignUp(config, {
- *   email: 'user@example.com',
- *   password: 'secret',
- *   name: 'John Doe',
- *   metadata: { orgId: 'org-123', role: 'employee' },
- *   invitationToken: 'inv_...',
- * })
- * ```
- */
-declare function extendedSignUp(config: SylphxConfig, input: RegisterInput): Promise<RegisterResponse>;
-/**
- * Invite a user to sign up for this project.
- * Server-side only (requires secretKey).
- * Sends an email invitation; user signs up via signUp() or extendedSignUp() with the invitation token.
- *
- * @example
- * ```typescript
- * const invite = await inviteUser(config, {
- *   email: 'newemployee@company.com',
- *   metadata: { role: 'employee', orgId: 'org-123' },
- *   redirectUrl: 'https://app.example.com/signup',
- * })
- * console.log(invite.invitationToken, invite.expiresAt)
- * ```
- */
-declare function inviteUser(config: SylphxConfig, input: InviteUserRequest): Promise<InviteUserResponse>;
-/**
- * Exchange current user token for an org-scoped token.
- * The returned access_token JWT includes org_id, org_slug, org_role claims.
- *
- * @example
- * const { token } = await getOrgScopedToken(withToken(config, currentToken), 'org_xxx')
- */
-declare function getOrgScopedToken(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
-/**
- * @deprecated Use getOrgScopedToken(config, orgId). Kept as the shorter
- * organization switch alias for existing SDK callers.
- */
-declare function switchOrg(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
-type DeviceInitInput = DeviceInitRequest;
-type DeviceGrant = DeviceInitResponse;
-type DevicePollResult = DevicePollResponse;
-type DeviceApproveInput = DeviceApproveRequest;
-type DeviceApproveResult = DeviceApproveResponse;
-type DeviceDenyInput = DeviceDenyRequest;
-type DeviceDenyResult = DeviceDenyResponse;
-/**
- * `device` namespace — RFC 8628 device authorization grant.
- *
- * Used by headless clients (CLI, TV apps, IoT) to authorise via a
- * companion browser instead of reading credentials from env vars.
- */
-declare const device: {
-    /**
-     * Start a device authorization grant.
-     *
-     * Returns a `DeviceGrant` with `verification_uri_complete` (open this
-     * in the user's browser) and `device_code` (use for polling).
-     *
-     * @example
-     * ```typescript
-     * const grant = await device.init({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   clientId: 'sylphx-cli',
-     *   scope: ['org:read', 'project:*'],
-     * })
-     * openBrowser(grant.verification_uri_complete)
-     * ```
-     */
-    readonly init: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly scope?: readonly string[];
-        readonly userAgent?: string;
-    }) => Promise<DeviceGrant>;
-    /**
-     * Poll a pending grant. Returns `status: 'pending' | 'approved' |
-     * 'denied' | 'expired'`. On `approved`, the result carries the OAuth
-     * pair (access_token + refresh_token).
-     *
-     * Callers MUST respect the `interval` returned by `init()` — polling
-     * faster than that may return 429 slow_down (RFC 8628 §5.5).
-     */
-    readonly poll: (opts: {
-        readonly baseUrl: string;
-        readonly deviceCode: string;
-        readonly userAgent?: string;
-    }) => Promise<DevicePollResult>;
-    /**
-     * Browser leg — the approving user confirms the grant.
-     *
-     * Requires a valid platform-issued access token (`Authorization:
-     * Bearer <accessToken>`) proving the user is logged in on the
-     * Console. Typically called by the Console's `/device` verification
-     * page server-side, forwarding the user's session JWT.
-     */
-    readonly approve: (opts: {
-        readonly baseUrl: string;
-        readonly userCode: string;
-        readonly accessToken: string;
-        readonly userAgent?: string;
-    }) => Promise<DeviceApproveResult>;
-    /**
-     * Browser leg — the user declines the grant.
-     *
-     * Requires a valid platform-issued access token just like `approve`.
-     */
-    readonly deny: (opts: {
-        readonly baseUrl: string;
-        readonly userCode: string;
-        readonly accessToken: string;
-        readonly userAgent?: string;
-    }) => Promise<DeviceDenyResult>;
-};
-type OAuthIntrospectResult = OAuthIntrospectResponse;
-interface OAuthClientCallOpts {
-    readonly baseUrl: string;
-    readonly clientId: string;
-    readonly clientSecret?: string;
-    readonly token: string;
-    readonly tokenTypeHint?: 'access_token' | 'refresh_token';
-    readonly userAgent?: string;
-}
+
 type PlatformSessionsListResult = PlatformSessionsListResponse;
 type PlatformSessionRevokeInput = PlatformSessionRevokeRequest;
 type PlatformSessionRevokeResult = PlatformSessionRevokeResponse;
@@ -2250,110 +3060,28 @@ type PlatformSessionRevokeOtherResult = PlatformSessionRevokeOtherResponse;
 type PlatformSessionRevokeAllResult = PlatformSessionRevokeAllResponse;
 type PlatformSessionRenameInput = PlatformSessionRenameRequest;
 type PlatformSessionRenameResult = PlatformSessionRenameResponse;
-/**
- * `sessions` namespace — Platform-plane (Console / CLI) session
- * management. Backed by `/auth/platform-sessions/*` on the BaaS
- * runtime (ADR-089 Phase 2b). See module header for the full rationale.
- */
 declare const sessions: {
-    /**
-     * List every active platform session for the authenticated user.
-     *
-     * Ordering: most-recently-active first.
-     *
-     * @example
-     * ```typescript
-     * const { sessions } = await auth.sessions.list({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   accessToken: platformJwt,
-     * })
-     * ```
-     */
     readonly list: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
         readonly userAgent?: string;
     }) => Promise<PlatformSessionsListResult>;
-    /**
-     * Revoke a specific platform session by id.
-     *
-     * `sessionId` accepts either the prefixed TypeID (`sess_*`) or the
-     * raw UUID — the BaaS side normalises via `parseIdOrError`.
-     *
-     * @example
-     * ```typescript
-     * await auth.sessions.revoke({
-     *   baseUrl,
-     *   accessToken,
-     *   sessionId: 'sess_01hxyz...',
-     * })
-     * ```
-     */
     readonly revoke: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
         readonly sessionId: string;
         readonly userAgent?: string;
     }) => Promise<PlatformSessionRevokeResult>;
-    /**
-     * Revoke every platform session except the one presenting the
-     * current access token. Used by "sign me out of all other devices".
-     *
-     * When the caller's JWT has no `sid` claim (pure-Bearer CLI/CI
-     * flows), this degenerates to `revokeAll` — every session is
-     * wiped — because there's no "current" row to keep.
-     *
-     * @example
-     * ```typescript
-     * const { revokedCount } = await auth.sessions.revokeOther({
-     *   baseUrl,
-     *   accessToken,
-     * })
-     * ```
-     */
     readonly revokeOther: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
         readonly userAgent?: string;
     }) => Promise<PlatformSessionRevokeOtherResult>;
-    /**
-     * Revoke every platform session for the user, including the
-     * caller's own. Used by "sign me out everywhere" — after a
-     * password change, a compromise scare, or GDPR-style erasure.
-     *
-     * The response includes the count of sessions that were
-     * revoked so the caller can surface it in a toast or audit UI.
-     *
-     * @example
-     * ```typescript
-     * const { count } = await auth.sessions.revokeAll({
-     *   baseUrl,
-     *   accessToken,
-     * })
-     * ```
-     */
     readonly revokeAll: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
         readonly userAgent?: string;
     }) => Promise<PlatformSessionRevokeAllResult>;
-    /**
-     * Rename a platform session (device label).
-     *
-     * `sessionId` accepts either the prefixed TypeID or the raw UUID;
-     * `name` is a user-supplied string (≤100 chars) surfaced in the
-     * "Active sessions" Console UI.
-     *
-     * @example
-     * ```typescript
-     * await auth.sessions.rename({
-     *   baseUrl,
-     *   accessToken,
-     *   sessionId,
-     *   name: 'MacBook (work)',
-     * })
-     * ```
-     */
     readonly rename: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
@@ -2362,148 +3090,14 @@ declare const sessions: {
         readonly userAgent?: string;
     }) => Promise<PlatformSessionRenameResult>;
 };
-type PlatformRefreshInput = RefreshTokenInput;
-type PlatformRefreshResult = RefreshTokenResult;
-type PlatformLogoutInput = LogoutInput;
-/**
- * `platformAuth` namespace — Platform-plane refresh-token + logout
- * operations for CLI / Console operators. Body-authenticated via the
- * presented refresh token (no cookie, no Bearer).
- */
-declare const platformAuth: {
-    /**
-     * Rotate a Platform refresh token. The presented token is consumed
-     * single-use; the response carries a fresh access JWT plus the
-     * rotated refresh token that supersedes it.
-     *
-     * On reuse-detection / expiry the server returns 401 — the SDK
-     * preserves the upstream message so callers can pattern-match
-     * `"reuse"` per RFC 6819 §5.2.2.3 and scrub local credentials.
-     *
-     * @example
-     * ```typescript
-     * const tokens = await auth.platformAuth.refresh({
-     *   baseUrl: 'https://sylphx.com',
-     *   refreshToken: stored.refreshToken,
-     * })
-     * ```
-     */
-    readonly refresh: (opts: {
-        readonly baseUrl: string;
-        readonly refreshToken: string;
-        readonly userAgent?: string;
-        /**
-         * Path prefix between `baseUrl` and the resource path. Defaults
-         * to `/api/v1` for back-compat with the admin-override host
-         * (`sylphx.com`). Pass `/v1` when targeting the canonical host
-         * (`api.sylphx.com`) per Rule 17.
-         */
-        readonly urlPrefix?: string;
-    }) => Promise<PlatformRefreshResult>;
-    /**
-     * Revoke a Platform refresh token (logout). Server-side revocation
-     * failure is the caller's call to surface — local-credential cleanup
-     * is the CLI's responsibility (logout must succeed offline).
-     *
-     * @example
-     * ```typescript
-     * await auth.platformAuth.logout({
-     *   baseUrl: 'https://sylphx.com',
-     *   refreshToken: stored.refreshToken,
-     * })
-     * ```
-     */
-    readonly logout: (opts: {
-        readonly baseUrl: string;
-        readonly refreshToken: string;
-        readonly userAgent?: string;
-        /** See `refresh.urlPrefix`. */
-        readonly urlPrefix?: string;
-    }) => Promise<void>;
-};
-type PlatformPasswordStatusResult = PlatformPasswordStatusResponse;
-type PlatformPasswordSetInput = PlatformPasswordSetRequest;
-type PlatformPasswordSetResult = PlatformPasswordSetResponse;
-type PlatformPasswordChangeInput = PlatformPasswordChangeRequest;
-type PlatformPasswordChangeResult = PlatformPasswordChangeResponse;
+
 /**
- * `password` namespace — Platform-plane (Console / CLI) password
- * management. Backed by `/auth/platform-password/*` on the BaaS
- * runtime (ADR-089 Phase 2c). See module header for the full rationale.
+ * Platform user GDPR export and erasure SDK namespace.
+ *
+ * These helpers are backed by `/auth/platform-user/*` on the BaaS runtime
+ * and keep account data operations separate from generic auth/session helpers.
  */
-declare const password: {
-    /**
-     * Check whether the authenticated platform user has a password set.
-     *
-     * Returns `{ hasPassword: true }` for users that signed up with
-     * email+password (or later called `set`), `{ hasPassword: false }`
-     * for OAuth-only users (e.g. signed up via Google/GitHub).
-     *
-     * @example
-     * ```typescript
-     * const { hasPassword } = await auth.password.status({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   accessToken: platformJwt,
-     * })
-     * ```
-     */
-    readonly status: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly userAgent?: string;
-    }) => Promise<PlatformPasswordStatusResult>;
-    /**
-     * Set an initial password for an OAuth-only user.
-     *
-     * Fails with 400 if the user already has a password (use `change`
-     * instead), if the password is <8 characters, or if HIBP reports
-     * the password as breached. BaaS invalidates every other session
-     * for the user (keeping the caller's current one) after a
-     * successful set.
-     *
-     * @example
-     * ```typescript
-     * await auth.password.set({
-     *   baseUrl,
-     *   accessToken,
-     *   password: 'correct-horse-battery-staple',
-     * })
-     * ```
-     */
-    readonly set: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly password: string;
-        readonly userAgent?: string;
-    }) => Promise<PlatformPasswordSetResult>;
-    /**
-     * Change an existing password.
-     *
-     * Verifies `currentPassword` server-side; a mismatch returns 401.
-     * OAuth-only users (no existing password) get 400 — use `set`
-     * instead. New password must be ≥8 characters and must not be in
-     * HIBP's breach database. BaaS invalidates every other session
-     * for the user (keeping the caller's current one) after a
-     * successful change.
-     *
-     * @example
-     * ```typescript
-     * await auth.password.change({
-     *   baseUrl,
-     *   accessToken,
-     *   currentPassword: 'old-plaintext',
-     *   newPassword: 'new-plaintext',
-     * })
-     * ```
-     */
-    readonly change: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly currentPassword: string;
-        readonly newPassword: string;
-        readonly userAgent?: string;
-    }) => Promise<PlatformPasswordChangeResult>;
-};
+
 type PlatformUserExportResult = AuthUserExportResponse;
 type PlatformUserDeleteInput = AuthUserDeleteRequest;
 type PlatformUserDeleteResult = AuthUserDeleteResponse;
@@ -2521,15 +3115,6 @@ declare const user: {
      * row, sessions, OAuth accounts, login history, security alerts,
      * organization memberships, subscriptions, per-project memberships,
      * and storage file metadata. Shape varies with customer provisioning.
-     *
-     * @example
-     * ```typescript
-     * const data = await auth.user.exportData({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   accessToken: platformJwt,
-     * })
-     * downloadAsJson(data, 'my-sylphx-data.json')
-     * ```
      */
     readonly exportData: (opts: {
         readonly baseUrl: string;
@@ -2540,29 +3125,7 @@ declare const user: {
      * Permanently delete the authenticated user's account (GDPR Article
      * 17 — right to erasure). Cascades through every provisioned project
      * DB, cancels Stripe subscriptions, deletes S3 blobs, and anonymises
-     * billing transactions. Emits a `user.deleted` event so downstream
-     * systems can clean up their own state.
-     *
-     * Returns `{ success: true, deletedData: [...] }` on success where
-     * `deletedData` lists the resource kinds that were erased.
-     *
-     * @remarks
-     * This operation is irreversible. Production callers SHOULD require
-     * a challenge step (2FA / password confirm / WebAuthn) before
-     * invoking this — the BaaS route does NOT perform challenge
-     * verification in Phase 2d. ADR-089 Phase 5.11 lands passkey-primary
-     * with WebAuthn-required step-up and will add the check at the
-     * BaaS boundary.
-     *
-     * @example
-     * ```typescript
-     * const result = await auth.user.deleteAccount({
-     *   baseUrl,
-     *   accessToken,
-     *   reason: 'user_request',
-     * })
-     * if (result.success) signOutAndRedirect('/goodbye')
-     * ```
+     * billing transactions.
      */
     readonly deleteAccount: (opts: {
         readonly baseUrl: string;
@@ -2573,35 +3136,13 @@ declare const user: {
     /**
      * Async GDPR Article 20 export job API (ADR-089 Phase 5.5).
      *
-     * `user.exportData` above is the Phase 2d synchronous shortcut —
-     * kept for backward compat but production callers SHOULD prefer the
-     * async flow: large users routinely exceed a single HTTP deadline
-     * during enumeration.
-     *
-     * Typical flow:
-     *
-     * ```ts
-     * const job = await auth.user.exports.initiate({ baseUrl, accessToken })
-     * // Poll until terminal:
-     * while (true) {
-     *   const cur = await auth.user.exports.status({ baseUrl, accessToken, id: job.id })
-     *   if (cur.status === 'complete') break
-     *   if (cur.status === 'failed') throw new Error(cur.errorMessage ?? 'export failed')
-     *   await new Promise(r => setTimeout(r, 2000))
-     * }
-     * const blob = await auth.user.exports.download({ baseUrl, accessToken, id: job.id })
-     * saveAs(blob, 'sylphx-export.json')
-     * ```
-     *
-     * Rate limit: 1 `initiate` per 24h per user. Polling + downloading
-     * are NOT rate-limited through that bucket (they're cheap reads).
+     * `user.exportData` is the Phase 2d synchronous shortcut; production
+     * callers should prefer the async flow for large accounts.
      */
     readonly exports: {
         /**
-         * Kick off an export job. Returns the job row in `pending` status
-         * with a 202-Accepted semantic — the HTTP layer has accepted the
-         * request but the payload is not yet materialized. Poll
-         * `status({ id })` until `status === 'complete'`.
+         * Kick off an export job. Poll `status({ id })` until
+         * `status === 'complete'`.
          */
         readonly initiate: (opts: {
             readonly baseUrl: string;
@@ -2611,9 +3152,6 @@ declare const user: {
         }) => Promise<DataExportJob>;
         /**
          * Read the current state of an in-flight or completed export job.
-         * Returns 404 (via thrown `SylphxError`) if the job id is unknown
-         * OR owned by a different user — cross-user probes can't
-         * distinguish the two.
          */
         readonly status: (opts: {
             readonly baseUrl: string;
@@ -2623,12 +3161,8 @@ declare const user: {
         }) => Promise<DataExportJob>;
         /**
          * Download the completed export payload. The BaaS route returns a
-         * 302 to a freshly-signed object-storage URL; we follow the redirect
-         * (standard `fetch` default) and resolve to the raw `Blob`.
-         *
-         * The integrity headers `X-Sylphx-Export-Sha256` + `X-Sylphx-Export-Size`
-         * are available on the final response — CLI consumers SHOULD verify
-         * the SHA-256 client-side before handing the archive to the user.
+         * 302 to a freshly-signed object-storage URL; `fetch` follows it
+         * and resolves to the raw `Blob`.
          */
         readonly download: (opts: {
             readonly baseUrl: string;
@@ -2643,617 +3177,444 @@ declare const user: {
     };
 };
 /**
- * Wire shape of a data-export job. `status` progresses through
- * pending → running → (complete|failed); terminal rows carry `completedAt`,
- * complete rows additionally carry `sizeBytes` + `sha256`, failed rows
- * carry `errorMessage`. `downloadUrl` is always null in this projection
- * — use `user.exports.download()` to obtain a freshly-signed URL.
+ * Wire shape of a data-export job. `status` progresses through pending,
+ * running, complete, or failed.
+ */
+interface DataExportJob {
+    readonly id: string;
+    readonly status: 'pending' | 'running' | 'complete' | 'failed';
+    readonly format: 'json' | 'json-ld';
+    readonly requestedAt: string;
+    readonly completedAt: string | null;
+    readonly downloadUrl: string | null;
+    readonly sizeBytes: number | null;
+    readonly sha256: string | null;
+    readonly errorMessage: string | null;
+}
+
+/**
+ * Auth Functions
+ *
+ * Pure functions for authentication - no hidden state.
+ * Each function takes config as the first parameter.
+ *
+ * Uses REST API at /api/sdk/auth/* for all operations.
+ *
+ * Types are re-exported from `@sylphx/contract` (ADR-084). The contract is
+ * the single source of truth for every wire shape — this module only adds
+ * SDK-specific ergonomics (User brand swap, introspection result, invite
+ * envelopes, org-token claims).
+ */
+
+type LoginRequest = LoginRequest$1;
+type LoginResponse = LoginResponse$1;
+type RegisterRequest = RegisterRequest$1;
+type RegisterResponse = RegisterResponse$1;
+type ResendEmailVerificationRequest = ResendEmailVerificationRequest$1;
+type ResendEmailVerificationResponse = ResendEmailVerificationResponse$1;
+/**
+ * Token response — contract's `AuthTokensResponse.user` (optional `AuthUser`)
+ * is re-mapped to the SDK's broader `User` type so legacy callers keep the
+ * familiar brand. `AuthUser` and `User` are structurally identical, but
+ * the SDK surface has wider reach (cookies, middleware, React hooks) and
+ * renaming is out of scope for ADR-084 cleanup.
+ */
+type TokenResponse = Omit<AuthTokensResponse, 'user'> & {
+    user: User;
+};
+type TwoFactorVerifyRequest = TwoFactorVerifyRequest$1;
+/**
+ * `GET /auth/me` — contract's `UserFullProfile` already includes the
+ * optional `emailVerified` flag the backend returns, so the SDK can just
+ * alias the contract type directly.
+ */
+type MeResponse = UserFullProfile$1;
+/**
+ * Token introspection result (RFC 7662)
+ */
+interface TokenIntrospectionResult {
+    /** Whether the token is active/valid */
+    active: boolean;
+    /** Token type (access_token or refresh_token) */
+    token_type?: 'access_token' | 'refresh_token';
+    /** User ID */
+    sub?: string;
+    /** User email */
+    email?: string;
+    /** User name */
+    name?: string;
+    /** App ID */
+    client_id?: string;
+    /** Audience */
+    aud?: string;
+    /** Issuer */
+    iss?: string;
+    /** Expiration time (Unix timestamp) */
+    exp?: number;
+    /** Issued at time (Unix timestamp) */
+    iat?: number;
+    /** User role */
+    role?: string;
+    /** Email verification status */
+    email_verified?: boolean;
+}
+/**
+ * Token revocation options
+ */
+interface RevokeTokenOptions {
+    /** Revoke all tokens for a user in this app */
+    revokeAll?: boolean;
+    /** User ID (required when revoking all) */
+    userId?: string;
+}
+interface SessionResult {
+    user: {
+        id: string;
+        email: string;
+        name: string | null;
+        image: string | null;
+        emailVerified: boolean;
+    } | null;
+}
+/**
+ * Extended registration input with metadata and invitation token support.
+ * Use extendedSignUp() when you need to pass metadata or an invitation token.
+ */
+interface RegisterInput {
+    email: string;
+    password: string;
+    name?: string;
+    metadata?: Record<string, unknown>;
+    invitationToken?: string;
+}
+/**
+ * Org context claims present in org-scoped tokens (after switch-org).
+ *
+ * The JWT carries the role key only. Permissions are resolved server-side
+ * via cached role→permissions lookup (WorkOS pattern). This keeps
+ * tokens small and ensures permission changes take effect without token refresh.
+ */
+interface OrgTokenPayload {
+    org_id: string;
+    org_slug: string;
+    /** RBAC role key (e.g. "hr_manager", "admin"). Permissions resolved server-side. */
+    org_role: string;
+}
+interface OrgScopedTokenResponse {
+    /** Org-scoped access token. */
+    token: string;
+    /** Org-scoped access token, matching the SDK's token naming convention. */
+    accessToken: string;
+    /** Token lifetime in seconds, when provided by the runtime. */
+    expiresIn?: number;
+    /** Bearer token type, when provided by the runtime. */
+    tokenType?: string;
+    /** User envelope returned by the runtime for session hydration. */
+    user?: User;
+}
+/**
+ * Invite a user request payload.
+ */
+interface InviteUserRequest {
+    email: string;
+    metadata?: Record<string, unknown>;
+    redirectUrl?: string;
+}
+/**
+ * Response from inviteUser.
+ */
+interface InviteUserResponse {
+    invitationToken: string;
+    expiresAt: string;
+}
+/**
+ * Sign in with email and password
+ *
+ * @example
+ * ```typescript
+ * const result = await signIn(config, { email: 'user@example.com', password: 'secret' })
+ * if (result.requiresTwoFactor) {
+ *   // Handle 2FA flow
+ * } else {
+ *   // Save tokens
+ *   const authenticatedConfig = withToken(config, result.accessToken!)
+ * }
+ * ```
+ */
+declare function signIn(config: SylphxConfig, input: LoginRequest): Promise<LoginResponse>;
+/**
+ * Sign up with email and password
+ *
+ * @example
+ * ```typescript
+ * const result = await signUp(config, {
+ *   email: 'user@example.com',
+ *   password: 'secret',
+ *   name: 'John Doe',
+ * })
+ * // User needs to verify email
+ * ```
+ */
+declare function signUp(config: SylphxConfig, input: RegisterRequest): Promise<RegisterResponse>;
+/**
+ * Sign out (revoke tokens)
+ *
+ * @example
+ * ```typescript
+ * await signOut(config)
+ * ```
+ */
+declare function signOut(config: SylphxConfig): Promise<void>;
+/**
+ * Refresh access token
+ *
+ * @example
+ * ```typescript
+ * const tokens = await refreshToken(config, refreshTokenString)
+ * const newConfig = withToken(config, tokens.accessToken)
+ * ```
+ */
+declare function refreshToken(config: SylphxConfig, token: string): Promise<TokenResponse>;
+/**
+ * Verify email with token
+ *
+ * @example
+ * ```typescript
+ * await verifyEmail(config, token)
+ * ```
+ */
+declare function verifyEmail(config: SylphxConfig, token: string): Promise<void>;
+/**
+ * Request password reset email
+ *
+ * @example
+ * ```typescript
+ * await forgotPassword(config, 'user@example.com', {
+ *   redirectUrl: 'https://app.example.com/reset-password'
+ * })
+ * ```
+ */
+declare function forgotPassword(config: SylphxConfig, email: string, options?: {
+    redirectUrl?: string;
+}): Promise<void>;
+/**
+ * Request a verification email resend.
+ *
+ * The Platform response is intentionally privacy-preserving: it never
+ * indicates whether the email exists or is already verified.
+ *
+ * @example
+ * ```typescript
+ * await resendVerificationEmail(config, 'user@example.com')
+ * ```
+ */
+declare function resendVerificationEmail(config: SylphxConfig, email: string): Promise<void>;
+/**
+ * Reset password with token
+ *
+ * @example
+ * ```typescript
+ * await resetPassword(config, { token, password: 'newpassword' })
+ * ```
+ */
+declare function resetPassword(config: SylphxConfig, input: {
+    token: string;
+    password: string;
+}): Promise<void>;
+/**
+ * Get current session (requires authenticated config)
+ *
+ * @example
+ * ```typescript
+ * const session = await getSession(authenticatedConfig)
+ * if (session.user) {
+ *   console.log(`Logged in as ${session.user.email}`)
+ * }
+ * ```
+ */
+declare function getSession(config: SylphxConfig): Promise<SessionResult>;
+/**
+ * Verify 2FA code (when signIn returns requiresTwoFactor: true)
+ *
+ * @example
+ * ```typescript
+ * const result = await signIn(config, credentials)
+ * if (result.requiresTwoFactor) {
+ *   const tokens = await verifyTwoFactor(config, result.userId!, code)
+ * }
+ * ```
+ */
+declare function verifyTwoFactor(config: SylphxConfig, userId: string, code: string): Promise<TokenResponse>;
+/**
+ * Introspect a token to check its validity (RFC 7662)
+ *
+ * Use this to verify token status without decoding. Essential for:
+ * - Checking if a token has been revoked
+ * - Validating tokens at the edge
+ * - Security-critical operations
+ *
+ * @example
+ * ```typescript
+ * const result = await introspectToken(config, accessToken)
+ * if (!result.active) {
+ *   // Token is invalid, revoked, or expired
+ *   await refreshTokens()
+ * }
+ * ```
+ */
+declare function introspectToken(config: SylphxConfig, token: string, tokenTypeHint?: 'access_token' | 'refresh_token'): Promise<TokenIntrospectionResult>;
+/**
+ * Revoke a token (RFC 7009)
+ *
+ * Use cases:
+ * - Sign out user from specific device
+ * - Security response to compromised token
+ * - User-initiated session termination
+ *
+ * @example
+ * ```typescript
+ * // Revoke single refresh token
+ * await revokeToken(config, refreshToken)
+ *
+ * // Revoke all tokens for a user (logout everywhere)
+ * await revokeToken(config, '', { revokeAll: true, userId: 'user-123' })
+ * ```
  */
-interface DataExportJob {
-    readonly id: string;
-    readonly status: 'pending' | 'running' | 'complete' | 'failed';
-    readonly format: 'json' | 'json-ld';
-    readonly requestedAt: string;
-    readonly completedAt: string | null;
-    readonly downloadUrl: string | null;
-    readonly sizeBytes: number | null;
-    readonly sha256: string | null;
-    readonly errorMessage: string | null;
-}
+declare function revokeToken(config: SylphxConfig, token: string, options?: RevokeTokenOptions): Promise<void>;
 /**
- * Reset the platform-JWKS cache. Tests should call this between cases
- * to avoid state bleed. Production code relies on the TTL-based
- * expiry.
+ * Revoke all tokens for a user (logout from all devices)
+ *
+ * Convenience wrapper around revokeToken with revokeAll option.
+ *
+ * @example
+ * ```typescript
+ * // After password change, revoke all sessions
+ * await revokeAllTokens(config, userId)
+ * ```
  */
-declare function resetPlatformJwksCache(): void;
-interface PlatformAccessTokenClaims {
-    readonly sub: string;
-    readonly pid?: string;
-    readonly email: string;
-    readonly name?: string;
-    readonly picture?: string;
-    readonly email_verified: boolean;
-    readonly app_id: string;
-    readonly role: string;
-    readonly org_id?: string;
-    readonly org_slug?: string;
-    readonly org_role?: string;
-    readonly iat?: number;
-    readonly exp?: number;
-    /**
-     * RFC 7800 confirmation claim — present when the token is sender-
-     * constrained. Today we emit this for DPoP-bound tokens (RFC 9449)
-     * where `cnf.jkt` is the SHA-256 thumbprint of the client's DPoP
-     * public key.
-     *
-     * Resource servers (e.g. apps/api Management plane) that want to
-     * enforce DPoP MUST:
-     *   1. Look up `oauth_clients.dpop_bound_access_tokens` on the
-     *      issuing client to know whether DPoP is required.
-     *   2. If required AND `cnf.jkt` is absent, reject 401.
-     *   3. If `cnf.jkt` is present, verify the inbound `DPoP` header's
-     *      proof JWT and assert its public-key thumbprint matches `jkt`.
-     *
-     * Pre-Wave-5.3 this field was stripped from `verifyAccessToken`'s
-     * return value, making resource-side enforcement impossible without
-     * decoding the JWT a second time. Exposing it preserves the wire
-     * format and unlocks the resource-server DPoP middleware.
-     */
-    readonly cnf?: {
-        readonly jkt?: string;
-    };
-}
+declare function revokeAllTokens(config: SylphxConfig, userId: string): Promise<void>;
 /**
- * `verifyAccessToken` — local JWT verification against cached JWKS.
+ * Sign up with extended input (metadata + invitation token support).
  *
- * Designed for the Platform API's hot-path auth middleware: JWKS is
- * fetched once per process (1h TTL), signature/iss/aud/exp
- * verification is local `jose` — no per-request HTTPS hop.
+ * Use this instead of signUp() when you need to:
+ * - Pass metadata on registration (e.g., org context, role, referral info)
+ * - Register with an invitation token
  *
  * @example
  * ```typescript
- * const claims = await auth.verifyAccessToken(bearer, {
- *   baseUrl: 'https://your-app.api.sylphx.com/v1',
- *   audience: 'platform',
+ * const result = await extendedSignUp(config, {
+ *   email: 'user@example.com',
+ *   password: 'secret',
+ *   name: 'John Doe',
+ *   metadata: { orgId: 'org-123', role: 'employee' },
+ *   invitationToken: 'inv_...',
  * })
  * ```
  */
-declare function verifyAccessToken(token: string, opts: {
-    readonly baseUrl: string;
-    readonly audience: string;
-}): Promise<PlatformAccessTokenClaims>;
-interface PlatformUserRecord {
-    readonly id: string;
-    readonly email: string;
-    readonly name: string | null;
-    readonly image: string | null;
-    readonly emailVerified: boolean;
-    readonly role: string;
-    readonly twoFactorEnabled: boolean;
-}
-interface PlatformUserResolution {
-    readonly user: PlatformUserRecord;
-    readonly sessionId: string;
-}
-declare function resetPlatformCookieCache(): void;
+declare function extendedSignUp(config: SylphxConfig, input: RegisterInput): Promise<RegisterResponse>;
 /**
- * `cookies` namespace — Platform cookie / session resolution for the
- * Platform API's hot-path auth middleware (ADR-089 Phase 3b).
+ * Invite a user to sign up for this project.
+ * Server-side only (requires secretKey).
+ * Sends an email invitation; user signs up via signUp() or extendedSignUp() with the invitation token.
+ *
+ * @example
+ * ```typescript
+ * const invite = await inviteUser(config, {
+ *   email: 'newemployee@company.com',
+ *   metadata: { role: 'employee', orgId: 'org-123' },
+ *   redirectUrl: 'https://app.example.com/signup',
+ * })
+ * console.log(invite.invitationToken, invite.expiresAt)
+ * ```
  */
-declare const cookies: {
-    /**
-     * Resolve a platform user from a forwarded `Cookie:` header.
-     *
-     * Delegates to BaaS `/auth/platform-sessions/whoami`. Caches each
-     * unique cookie string for 30s to avoid hammering BaaS on every
-     * SSR request.
-     *
-     * @example
-     * ```typescript
-     * const result = await auth.cookies.resolvePlatformUser({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   cookieHeader: req.headers.get('cookie') ?? '',
-     * })
-     * if (!result) // unauthenticated
-     * ```
-     */
-    readonly resolvePlatformUser: (opts: {
-        readonly baseUrl: string;
-        readonly cookieHeader: string;
-        readonly userAgent?: string;
-    }) => Promise<PlatformUserResolution | null>;
-};
-interface MintAccessTokenClaims {
-    readonly sub: string;
-    readonly email: string;
-    readonly name?: string;
-    readonly email_verified: boolean;
-    readonly app_id: string;
-    readonly role: string;
-    readonly org_id?: string;
-    readonly org_slug?: string;
-    readonly org_role?: string;
-    readonly picture?: string;
-    readonly pid?: string;
-}
-interface MintAccessTokenResult {
-    readonly accessToken: string;
-    readonly expiresIn: number;
-}
+declare function inviteUser(config: SylphxConfig, input: InviteUserRequest): Promise<InviteUserResponse>;
 /**
- * `oauth` namespace — Platform OAuth operations backed by BaaS.
- *
- * Phase 3b adds `mintAccessToken` for the refresh handler migration;
- * Phase 5.1 layered in full authorization-server verbs
- * (`/oauth/token`, `/oauth/revoke`, `/oauth/introspect`).
+ * Exchange current user token for an org-scoped token.
+ * The returned access_token JWT includes org_id, org_slug, org_role claims.
  *
- * TODO(ADR-084-wave-5): migrate `exchangeAuthorizationCode` +
- * `refreshAccessToken` off raw `fetch` onto the `@sylphx/contract` schema
- * pipeline. The OAuth endpoints are new (not migrations of existing
- * `@hono/zod-openapi` routes), so they can land contract-first without
- * rippling into the other 62 hand-written SDK modules the baseline
- * tracks. Blocked on Wave 5 scoping (contract-package OAuth schemas
- * need to model the RFC 6749 error envelope + PKCE/DPoP binding — see
- * packages/contract/src/endpoints/auth.ts for the existing auth-domain
- * precedent). Until then, these two methods stay on explicit fetch().
+ * @example
+ * const { token } = await getOrgScopedToken(withToken(config, currentToken), 'org_xxx')
  */
-declare const oauth: {
-    /**
-     * Mint a platform-audience access token from supplied claims.
-     *
-     * Service-to-service call — authenticated via
-     * `SYLPHX_INTERNAL_TOKEN` shared secret. Phase 6 will migrate this
-     * to SPIFFE SVID mTLS (ADR-068).
-     *
-     * TODO: Phase 6 — prefer SPIFFE SVID over shared-secret auth.
-     *
-     * @example
-     * ```typescript
-     * const { accessToken, expiresIn } = await auth.oauth.mintAccessToken({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   internalToken: process.env.SYLPHX_INTERNAL_TOKEN!,
-     *   claims: { sub: user.id, email: user.email, app_id: 'platform', role: 'member', email_verified: true },
-     * })
-     * ```
-     */
-    readonly mintAccessToken: (opts: {
-        readonly baseUrl: string;
-        readonly internalToken: string;
-        readonly claims: MintAccessTokenClaims;
-        readonly userAgent?: string;
-    }) => Promise<MintAccessTokenResult>;
-    /**
-     * Exchange an OAuth 2.0 authorization_code for an access + refresh token
-     * pair (ADR-089 Phase 5.1b — RFC 6749 §4.1.3). PKCE S256 mandatory per
-     * OAuth 2.1 baseline.
-     *
-     * @example
-     * ```typescript
-     * const { verifier, challenge } = await generatePkce()
-     * // user redirected to /oauth/authorize?...&code_challenge=<challenge>
-     * // ...user approves, browser hits your redirect_uri with ?code=<code>
-     * const tokens = await auth.oauth.exchangeAuthorizationCode({
-     *   baseUrl: 'https://api.sylphx.com/v1',
-     *   clientId: 'sylphx-console',
-     *   clientSecret: process.env.CONSOLE_CLIENT_SECRET,
-     *   code,
-     *   redirectUri: 'https://console.sylphx.com/auth/callback',
-     *   codeVerifier: verifier,
-     * })
-     * ```
-     */
-    readonly exchangeAuthorizationCode: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly clientSecret?: string;
-        readonly code: string;
-        readonly redirectUri: string;
-        readonly codeVerifier: string;
-    }) => Promise<OAuthTokenResult>;
-    /**
-     * Refresh a platform access token using a refresh_token
-     * (ADR-089 Phase 5.1b — RFC 6749 §6). Rotation is mandatory — the
-     * presented refresh token is consumed and a new one returned.
-     *
-     * @example
-     * ```typescript
-     * const tokens = await auth.oauth.refreshAccessToken({
-     *   baseUrl: 'https://api.sylphx.com/v1',
-     *   clientId: 'sylphx-console',
-     *   clientSecret: process.env.CONSOLE_CLIENT_SECRET,
-     *   refreshToken: stored.refresh_token,
-     * })
-     * ```
-     */
-    readonly refreshAccessToken: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly clientSecret?: string;
-        readonly refreshToken: string;
-        readonly scope?: string;
-    }) => Promise<OAuthTokenResult>;
-    /**
-     * Poll the OAuth token endpoint for a device-code grant (ADR-089 Phase
-     * 5.1c — RFC 8628 §3.4). The preferred way to exchange an approved
-     * device grant for tokens — returns an RFC 6749 error envelope on the
-     * `{pending, slow_down, denied, expired}` states so callers can
-     * distinguish precisely without parsing Phase 2a's `/auth/device/poll`
-     * status string.
-     *
-     * Returns `{ ok: true, tokens }` on success or `{ ok: false, error }`
-     * for every RFC-defined polling outcome. Callers MUST honour the
-     * polling `interval` returned by `/auth/device` — polling faster yields
-     * `{ ok: false, error: 'slow_down' }`.
-     *
-     * @example
-     * ```typescript
-     * while (true) {
-     *   await sleep(interval * 1000)
-     *   const r = await auth.oauth.pollDeviceToken({
-     *     baseUrl: 'https://api.sylphx.com/v1',
-     *     clientId: 'sylphx-cli',
-     *     deviceCode,
-     *   })
-     *   if (r.ok) return r.tokens
-     *   if (r.error === 'authorization_pending' || r.error === 'slow_down') continue
-     *   throw new Error(r.error) // access_denied | expired_token
-     * }
-     * ```
-     */
-    readonly pollDeviceToken: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly deviceCode: string;
-    }) => Promise<OAuthPollResult>;
-    /**
-     * Mint a service-principal access token via the `client_credentials`
-     * grant (ADR-089 Phase 5.1c — RFC 6749 §4.4). Requires a confidential
-     * client (public clients cannot use this grant). No refresh token is
-     * issued per §4.4.3 — callers re-run this exchange on expiry.
-     *
-     * Typical use: CI integrations, server-to-server automation that has
-     * no human owner and cannot run a device flow.
-     *
-     * @example
-     * ```typescript
-     * const { access_token } = await auth.oauth.clientCredentialsToken({
-     *   baseUrl: 'https://api.sylphx.com/v1',
-     *   clientId: process.env.SYLPHX_CLIENT_ID!,
-     *   clientSecret: process.env.SYLPHX_CLIENT_SECRET!,
-     *   scope: 'tenants:provision',
-     * })
-     * ```
-     */
-    readonly clientCredentialsToken: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly clientSecret: string;
-        readonly scope?: string;
-    }) => Promise<OAuthClientCredentialsResult>;
+declare function getOrgScopedToken(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
+/**
+ * @deprecated Use getOrgScopedToken(config, orgId). Kept as the shorter
+ * organization switch alias for existing SDK callers.
+ */
+declare function switchOrg(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
+type DeviceInitInput = DeviceInitRequest;
+type DeviceGrant = DeviceInitResponse;
+type DevicePollResult = DevicePollResponse;
+type DeviceApproveInput = DeviceApproveRequest;
+type DeviceApproveResult = DeviceApproveResponse;
+type DeviceDenyInput = DeviceDenyRequest;
+type DeviceDenyResult = DeviceDenyResponse;
+/**
+ * `device` namespace — RFC 8628 device authorization grant.
+ *
+ * Used by headless clients (CLI, TV apps, IoT) to authorise via a
+ * companion browser instead of reading credentials from env vars.
+ */
+declare const device: {
     /**
-     * Revoke an OAuth access or refresh token (RFC 7009 — ADR-089 Phase 5.1d).
+     * Start a device authorization grant.
      *
-     * Per §2.2 this always resolves successfully — the server returns 200
-     * whether the token existed, was already revoked, or belonged to a
-     * different client. Only true protocol-level failures (malformed
-     * request, bad client credentials) throw.
+     * Returns a `DeviceGrant` with `verification_uri_complete` (open this
+     * in the user's browser) and `device_code` (use for polling).
      *
      * @example
      * ```typescript
-     * await auth.oauth.revokeToken({
+     * const grant = await device.init({
      *   baseUrl: 'https://your-app.api.sylphx.com/v1',
      *   clientId: 'sylphx-cli',
-     *   token: refreshToken,
-     *   tokenTypeHint: 'refresh_token',
+     *   scope: ['org:read', 'project:*'],
      * })
+     * openBrowser(grant.verification_uri_complete)
      * ```
      */
-    readonly revokeToken: (opts: OAuthClientCallOpts) => Promise<void>;
+    readonly init: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly scope?: readonly string[];
+        readonly userAgent?: string;
+    }) => Promise<DeviceGrant>;
     /**
-     * Introspect an OAuth access or refresh token (RFC 7662 — ADR-089 Phase 5.1d).
-     *
-     * Returns `{ active: false }` for expired / revoked / unknown /
-     * not-owned tokens (without revealing which); `{ active: true, ... }`
-     * with full claims for live ones. Only protocol-level failures
-     * (4xx on the revocation envelope itself) throw.
+     * Poll a pending grant. Returns `status: 'pending' | 'approved' |
+     * 'denied' | 'expired'`. On `approved`, the result carries the OAuth
+     * pair (access_token + refresh_token).
      *
-     * @example
-     * ```typescript
-     * const result = await auth.oauth.introspectToken({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   clientId: 'gateway',
-     *   clientSecret: process.env.GATEWAY_SECRET,
-     *   token: accessToken,
-     * })
-     * if (!result.active) throw new Error('token not accepted')
-     * ```
-     */
-    readonly introspectToken: (opts: OAuthClientCallOpts) => Promise<OAuthIntrospectResult>;
-};
-/**
- * `dpop` namespace — client-side helpers for RFC 9449 sender-constrained
- * tokens. Built on `crypto.subtle` (no new npm deps).
- *
- * @example
- * ```typescript
- * // At login:
- * const kp = await dpop.generateKeyPair()
- * // Exchange device code at /oauth/token, attaching proof:
- * const tokenProof = await dpop.generateProof({
- *   privateKey: kp.privateKey,
- *   publicKey:  kp.publicKey,
- *   method: 'POST',
- *   uri: 'https://api.sylphx.com/v1/oauth/token',
- * })
- * // later, calling a resource:
- * const resProof = await dpop.generateProof({
- *   privateKey: kp.privateKey,
- *   publicKey:  kp.publicKey,
- *   method: 'GET',
- *   uri: 'https://api.sylphx.com/v1/me',
- *   accessToken,
- * })
- * fetch('/v1/me', {
- *   headers: { Authorization: `DPoP ${accessToken}`, DPoP: resProof },
- * })
- * ```
- */
-declare const dpop: {
-    /**
-     * Generate a fresh ES256 key pair. Private key is non-extractable
-     * (`extractable: false`) so it can be stored but never serialised —
-     * the only legal operation is `sign`. Clients that need to
-     * hibernate the keypair across restarts must use a host-provided
-     * secure store (Keychain, Credential Manager, IndexedDB + CryptoKey
-     * wrapping).
-     */
-    readonly generateKeyPair: () => Promise<{
-        readonly privateKey: CryptoKey;
-        readonly publicKey: CryptoKey;
-        readonly thumbprint: string;
-    }>;
-    /**
-     * Sign a DPoP proof JWT. When `accessToken` is provided, the proof
-     * includes `ath = base64url(sha256(accessToken))` so the resource
-     * server can bind the proof to the token being presented (RFC 9449
-     * §4.3 step 11).
+     * Callers MUST respect the `interval` returned by `init()` — polling
+     * faster than that may return 429 slow_down (RFC 8628 §5.5).
      */
-    readonly generateProof: (opts: {
-        readonly privateKey: CryptoKey;
-        readonly publicKey: CryptoKey;
-        readonly method: string;
-        readonly uri: string;
-        readonly accessToken?: string;
-        readonly nonce?: string;
-    }) => Promise<string>;
-};
-interface OAuthTokenResult {
-    readonly access_token: string;
-    readonly token_type: 'Bearer';
-    readonly expires_in: number;
-    readonly refresh_token: string;
-    readonly scope: string;
-}
-/**
- * client_credentials token response (RFC 6749 §4.4.3). Distinct from
- * {@link OAuthTokenResult} because §4.4.3 forbids issuing a refresh
- * token — callers re-run the grant on expiry rather than rotating.
- */
-interface OAuthClientCredentialsResult {
-    readonly access_token: string;
-    readonly token_type: 'Bearer';
-    readonly expires_in: number;
-    readonly scope: string;
-}
-/**
- * RFC 8628 §3.5 polling outcomes surfaced by {@link oauth.pollDeviceToken}.
- * Callers pattern-match on `error` to choose the next action:
- *   - `authorization_pending` + `slow_down` — keep polling (respect interval).
- *   - `access_denied`   — user declined; abort.
- *   - `expired_token`   — grant timed out; re-run `/auth/device`.
- *   - others            — unexpected; surface to the user.
- */
-type OAuthPollError = 'authorization_pending' | 'slow_down' | 'access_denied' | 'expired_token' | 'invalid_grant' | 'invalid_client' | 'invalid_request' | 'unauthorized_client' | 'oauth_error';
-type OAuthPollResult = {
-    readonly ok: true;
-    readonly tokens: OAuthTokenResult;
-} | {
-    readonly ok: false;
-    readonly error: OAuthPollError;
-    readonly status: number;
-};
-interface ImpersonationStartResult {
-    readonly success: true;
-    readonly token: string;
-    readonly sessionId: string;
-    readonly expiresAt: string;
-}
-interface ImpersonationEndResult {
-    readonly success: boolean;
-    readonly sessionsEnded: number;
-}
-interface ImpersonationInfo {
-    readonly isImpersonation: true;
-    readonly adminUserId: string;
-    readonly adminEmail: string;
-    readonly adminName: string | null;
-    readonly impersonatedAt: string;
-}
-interface ImpersonationActive {
-    readonly sessionId: string;
-    readonly adminUserId: string;
-    readonly adminEmail: string;
-    readonly adminName: string | null;
-    readonly targetUserId: string;
-    readonly targetEmail: string;
-    readonly targetName: string | null;
-    readonly impersonatedAt: string;
-    readonly lastActiveAt: string;
-}
-interface ImpersonationStartChallengeInput {
-    readonly baseUrl: string;
-    readonly accessToken: string;
-    readonly targetUserId: string;
-    readonly reason: string;
-    readonly userAgent?: string;
-}
-interface ImpersonationChallenge {
-    readonly requestId: string;
-    readonly challengeKey: string;
-    readonly webauthnOptions: {
-        readonly challenge: string;
-        readonly rpId?: string;
-        readonly allowCredentials: ReadonlyArray<{
-            readonly id: string;
-            readonly type: 'public-key';
-            readonly transports?: readonly string[];
-        }>;
-        readonly userVerification: 'required';
-        readonly timeout: number;
-    };
-}
-interface ImpersonationStartStepupInput {
-    readonly baseUrl: string;
-    readonly accessToken: string;
-    readonly requestId: string;
-    readonly challengeKey: string;
-    readonly assertion: unknown;
-    readonly emergencyBypass?: boolean;
-    readonly userAgent?: string;
-}
-type ImpersonationStartStepupResult = {
-    readonly branch: 'emergency';
-    readonly requestId: string;
-    readonly token: string;
-    readonly sessionId: string;
-    readonly expiresAt: string;
-} | {
-    readonly branch: 'awaiting-consent';
-    readonly requestId: string;
-    readonly consentDeadline: string;
-};
-type ImpersonationConsentDecision = 'approve' | 'deny';
-type ImpersonationConsentResponse = {
-    readonly branch: 'approved';
-    readonly requestId: string;
-    readonly token: string;
-    readonly sessionId: string;
-    readonly expiresAt: string;
-} | {
-    readonly branch: 'denied';
-    readonly requestId: string;
-};
-interface ImpersonationRequestRow {
-    readonly id: string;
-    readonly operatorId: string;
-    readonly targetUserId: string;
-    readonly reason: string;
-    readonly status: 'awaiting-stepup' | 'awaiting-consent' | 'active' | 'denied' | 'expired' | 'ended' | 'revoked';
-    readonly emergencyBypass: boolean;
-    readonly sessionId: string | null;
-    readonly consentDeadline: string | null;
-    readonly startedAt: string | null;
-    readonly endedAt: string | null;
-    readonly createdAt: string;
-}
-/**
- * `impersonation` namespace — admin user impersonation for the
- * Platform plane. Phase 3b shipped the minimal one-shot surface
- * (`start/end/info/active`); Phase 5.9 layers on WebAuthn step-up
- * (ADR-089 P15 / S27), target-user consent, notification SLO, and
- * CAEP integration via the new `startChallenge` + `startStepup` +
- * `respondConsent` + `listRequests` + `endSession` methods.
- *
- * Migration from Phase 3b → 5.9:
- *   - Old `start({targetUserId})` → new two-step flow:
- *       1. `startChallenge({targetUserId, reason})` returns WebAuthn
- *          options + challengeKey.
- *       2. `startStepup({requestId, challengeKey, assertion})` verifies
- *          the passkey and either mints the session (emergency bypass)
- *          or transitions to awaiting-consent.
- *       3. Target calls `respondConsent(id, 'approve' | 'deny')`.
- *   - Old `end({sessionId})` still works (legacy). New
- *     `endSession(requestId)` preferred for sessions tracked via
- *     `impersonation_requests`.
- */
-declare const impersonation: {
-    readonly start: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly targetUserId: string;
-        readonly ipAddress?: string;
-        readonly userAgent?: string;
-    }) => Promise<ImpersonationStartResult>;
-    readonly end: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly sessionId?: string;
-        readonly userAgent?: string;
-    }) => Promise<ImpersonationEndResult>;
-    readonly info: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly sessionId: string;
-        readonly userAgent?: string;
-    }) => Promise<ImpersonationInfo | null>;
-    readonly active: (opts: {
+    readonly poll: (opts: {
         readonly baseUrl: string;
-        readonly accessToken: string;
+        readonly deviceCode: string;
         readonly userAgent?: string;
-    }) => Promise<readonly ImpersonationActive[]>;
-    /**
-     * Phase 5.9 step 1 of 2 — request a WebAuthn assertion challenge.
-     * Returns the pending-request id plus options ready for
-     * `navigator.credentials.get(...)`. Caller is expected to post the
-     * resulting assertion to {@link impersonation.startStepup}.
-     */
-    readonly startChallenge: (opts: ImpersonationStartChallengeInput) => Promise<ImpersonationChallenge>;
-    /**
-     * Phase 5.9 step 2 of 2 — complete the WebAuthn step-up. Returns
-     * either the active session (emergency bypass) or the
-     * consent deadline (regular flow). Phase 3b `start` is superseded
-     * by this method; old callers should migrate to
-     * `startChallenge` → `startStepup`.
-     */
-    readonly startStepup: (opts: ImpersonationStartStepupInput) => Promise<ImpersonationStartStepupResult>;
+    }) => Promise<DevicePollResult>;
     /**
-     * Target user's consent decision. Approve mints the session token;
-     * deny transitions the request to `denied`.
+     * Browser leg — the approving user confirms the grant.
+     *
+     * Requires a valid platform-issued access token (`Authorization:
+     * Bearer <accessToken>`) proving the user is logged in on the
+     * Console. Typically called by the Console's `/device` verification
+     * page server-side, forwarding the user's session JWT.
      */
-    readonly respondConsent: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly requestId: string;
-        readonly decision: ImpersonationConsentDecision;
-        readonly userAgent?: string;
-    }) => Promise<ImpersonationConsentResponse>;
-    /** List impersonation requests. Non-super_admin sees only their own. */
-    readonly listRequests: (opts: {
+    readonly approve: (opts: {
         readonly baseUrl: string;
+        readonly userCode: string;
         readonly accessToken: string;
-        readonly filter?: {
-            readonly operatorId?: string;
-            readonly targetUserId?: string;
-            readonly status?: ImpersonationRequestRow["status"];
-            readonly limit?: number;
-        };
         readonly userAgent?: string;
-    }) => Promise<readonly ImpersonationRequestRow[]>;
+    }) => Promise<DeviceApproveResult>;
     /**
-     * End an active impersonation session by request id. Emits a CAEP
-     * `session-revoked` event via the Phase 5.Z outbox so every in-flight
-     * verifier invalidates the token within ≤1s.
+     * Browser leg — the user declines the grant.
+     *
+     * Requires a valid platform-issued access token just like `approve`.
      */
-    readonly endSession: (opts: {
+    readonly deny: (opts: {
         readonly baseUrl: string;
+        readonly userCode: string;
         readonly accessToken: string;
-        readonly requestId: string;
         readonly userAgent?: string;
-    }) => Promise<{
-        success: true;
-        requestId: string;
-        sessionId: string | null;
-    }>;
+    }) => Promise<DeviceDenyResult>;
 };
 
 /**
@@ -3390,7 +3751,7 @@ interface StreamMessage<T = unknown> {
 /**
  * Realtime Functions
  *
- * Pure functions for real-time messaging via Redis Streams.
+ * Pure functions for real-time messaging via managed durable streams.
  * Supports channel-based pub/sub with SSE delivery to browsers.
  *
  * @example
@@ -4415,8 +4776,6 @@ interface TaskInput {
 interface TaskResult {
     /** Task ID */
     taskId: string;
-    /** QStash message ID */
-    messageId?: string;
     /** Scheduled execution time */
     scheduledFor?: string;
 }
@@ -5578,17 +5937,7 @@ type OrganizationsListResult = {
     offset: number;
 };
 type OrgRole = OrgSdkRole;
-/**
- * The contract's `CreateOrgInput` requires `{ name, slug }`; the SDK's
- * previous OpenAPI-derived shape allowed omitting `slug` (server
- * auto-generates from name) and accepted optional `email` / `metadata`.
- * Preserve the looser SDK surface with a local `Omit` + widening.
- */
-type CreateOrgInput = Omit<CreateOrgInput$1, 'slug'> & {
-    slug?: string;
-    email?: string;
-    metadata?: Record<string, unknown>;
-};
+type CreateOrgInput = CreateOrgInput$1;
 type UpdateOrgInput = UpdateOrgInput$1 & {
     metadata?: Record<string, unknown> | null;
 };
@@ -6224,11 +6573,11 @@ declare function getSecret(config: SylphxConfig, input: GetSecretInput): Promise
  * @example
  * ```typescript
  * const secrets = await getSecrets(config, {
- *   keys: ['DATABASE_URL', 'REDIS_URL', 'JWT_SECRET']
+ *   keys: ['DATABASE_URL', 'CACHE_URL', 'JWT_SECRET']
  * })
  *
  * const db = createPool(secrets.DATABASE_URL)
- * const redis = createClient(secrets.REDIS_URL)
+ * const cache = createCacheClient(secrets.CACHE_URL)
  * ```
  */
 declare function getSecrets(config: SylphxConfig, input: GetSecretsInput): Promise<GetSecretsResult>;
@@ -6814,7 +7163,7 @@ interface KvZMember {
 /**
  * KV (Key-Value Store) Functions
  *
- * Pure functions for distributed key-value storage backed by Redis.
+ * Pure functions for managed key-value storage.
  * Supports strings, hashes, lists, sorted sets, and built-in rate limiting.
  *
  * Keys are automatically namespaced per app, so no key collisions occur
@@ -7085,7 +7434,7 @@ declare function kvZrange(config: SylphxConfig, request: KvZrangeRequest): Promi
     score?: number;
 }>>;
 /**
- * Check and consume a rate limit token using Redis sliding window.
+ * Check and consume a rate limit token using the platform sliding window.
  *
  * This is a built-in rate limiter — no external service needed.
  *
@@ -7109,7 +7458,7 @@ interface KvScanOptions {
     pattern?: string;
     /** Cursor for pagination. Use '0' to start a new scan (default). */
     cursor?: string;
-    /** Hint to Redis for how many keys to return per iteration (1–1000). Default: 100. */
+    /** Hint for how many keys to return per iteration (1–1000). Default: 100. */
     count?: number;
 }
 interface KvScanResult {
@@ -7121,7 +7470,7 @@ interface KvScanResult {
     done: boolean;
 }
 /**
- * Scan keys matching a pattern using Redis SCAN (cursor-based pagination).
+ * Scan keys matching a pattern using cursor-based pagination.
  *
  * Unlike `KEYS`, SCAN is safe to use in production — it iterates incrementally.
  * Call repeatedly with the returned `nextCursor` until `done` is true.
@@ -7516,7 +7865,7 @@ declare function captureMessage(config: SylphxConfig, message: string, options?:
  *
  * ## Architecture
  *
- * POST /sandboxes → Platform provisions sandbox, waits for pod readiness,
+ * POST /sandboxes → Platform provisions sandbox, waits for runtime readiness,
  * returns { endpoint, token }. All subsequent exec/files/pty operations
  * go DIRECTLY to the sandbox exec-server — Platform is not in the data path.
  *
@@ -7535,7 +7884,7 @@ declare function captureMessage(config: SylphxConfig, message: string, options?:
  *
  * const config = createServerClient(process.env.SYLPHX_SECRET_URL!)
  *
- * // Create sandbox (Platform waits for pod ready before returning)
+ * // Create sandbox (Platform waits for the runtime before returning)
  * const sandbox = await SandboxClient.create(config)
  *
  * // Stream exec output in real-time
@@ -7557,7 +7906,7 @@ declare function captureMessage(config: SylphxConfig, message: string, options?:
  */
 
 interface SandboxOptions {
-    /** Docker image (must be in registry.sylphx.com). Omit to use env default. */
+    /** OCI image from a connected registry. Omit to use the environment default. */
     image?: string;
     /**
      * Request timeout for the create lifecycle call.
@@ -7569,17 +7918,8 @@ interface SandboxOptions {
     idleTimeoutMs?: number;
     /** Scratch storage size in GiB at /data, scoped to the sandbox lifecycle. */
     storageGi?: number;
-    /** CPU/memory resource spec */
-    resources?: {
-        requests?: {
-            cpu?: string;
-            memory?: string;
-        };
-        limits?: {
-            cpu?: string;
-            memory?: string;
-        };
-    };
+    /** Managed machine size. Defaults to `standard`. */
+    machine?: SandboxMachineSize;
     /** Environment variables injected into the sandbox container */
     env?: Record<string, string>;
     /**
@@ -7598,6 +7938,7 @@ interface SandboxOptions {
         readOnly?: boolean;
     }>;
 }
+type SandboxMachineSize = MachineSize;
 /** SSE event emitted by sandbox.exec() */
 type ExecEvent = {
     type: 'stdout';
@@ -7708,6 +8049,8 @@ interface SandboxRecord {
     id: string;
     status: 'starting' | 'running' | 'idle' | 'terminated' | 'error';
     image: string;
+    /** Managed machine size selected for this sandbox. */
+    machine: SandboxMachineSize | null;
     /** Public HTTPS endpoint: https://sbx-xxx.sandboxes.sylphx.app */
     endpoint: string | null;
     /** Per-sandbox RS256 JWT for direct exec-server authentication */
@@ -7890,14 +8233,14 @@ declare class SandboxClient {
  *
  * const config = createServerClient(process.env.SYLPHX_SECRET_URL!)
  *
- * const run = await RunsClient.create(config, {
- *   image: 'registry.sylphx.com/sylphx/my-trainer:abc123',
+ * const run = await RunsClient.run(config, {
+ *   image: 'ghcr.io/acme/my-trainer:sha-abc123',
  *   command: ['python', 'train.py', '--fold', '0'],
- *   resources: { requests: { cpu: '4', memory: '8Gi' } },
+ *   machine: 'large',
  *   timeoutSeconds: 3600,
  * })
  *
- * const result = await worker.wait()
+ * const result = await run.wait()
  * console.log(result.exitCode)   // 0
  * console.log(result.stdout)     // captured stdout
  * ```
@@ -7906,11 +8249,11 @@ declare class SandboxClient {
  * ```typescript
  * const workers = await Promise.all(
  *   folds.map((fold) =>
- *     RunsClient.create(config, {
- *       image: 'registry.sylphx.com/sylphx/trainer:abc123',
+ *     RunsClient.run(config, {
+ *       image: 'ghcr.io/acme/trainer:sha-abc123',
  *       command: ['python', 'train.py', '--fold', String(fold.id)],
  *       env: { FOLD_ID: String(fold.id), DATABASE_URL: process.env.DATABASE_URL! },
- *       resources: { requests: { cpu: '4', memory: '8Gi' } },
+ *       machine: 'large',
  *       volumeMounts: [{ volumeId: sharedCacheVolumeId, mountPath: '/cache' }],
  *       timeoutSeconds: 7200,
  *     }),
@@ -7923,8 +8266,8 @@ declare class SandboxClient {
  *
  * ## Architecture
  *
- * - Workers are isolated one-shot runs (backoffLimit: 0, no restarts)
- * - Images must be from registry.sylphx.com (scanned, private)
+ * - Workers are isolated one-shot runs with no automatic restarts
+ * - Images come from connected registries and are scanned before execution
  * - Volumes: org-level volume resources mounted into the run
  *   - single-writer for one active writer at a time
  *   - shared for concurrent runs and shared feature caches
@@ -7935,6 +8278,7 @@ declare class SandboxClient {
  */
 
 type RunStatus = 'pending' | 'running' | 'succeeded' | 'failed' | 'cancelled' | 'timeout';
+type RunMachineSize = MachineSize;
 interface RunVolumeMount {
     /** UUID of the volumeResource to mount (must belong to this org) */
     volumeId: string;
@@ -7945,25 +8289,11 @@ interface RunVolumeMount {
     /** Mount as read-only (default: false) */
     readOnly?: boolean;
 }
-interface RunResourceSpec {
-    requests?: {
-        /** CPU request (e.g. '500m', '2', '4') */
-        cpu?: string;
-        /** Memory request (e.g. '512Mi', '4Gi', '16Gi') */
-        memory?: string;
-    };
-    limits?: {
-        /** CPU limit */
-        cpu?: string;
-        /** Memory limit */
-        memory?: string;
-    };
-}
 interface CreateRunOptions {
     /**
-     * Docker image to run (must be from registry.sylphx.com).
+     * OCI image to run from a connected registry.
      *
-     * @example 'registry.sylphx.com/sylphx/my-trainer:abc123def456'
+     * @example 'ghcr.io/acme/my-trainer:sha-abc123'
      */
     image: string;
     /**
@@ -7979,10 +8309,10 @@ interface CreateRunOptions {
      */
     env?: Record<string, string>;
     /**
-     * CPU/memory resource spec.
-     * Defaults: { requests: { cpu: '500m', memory: '512Mi' }, limits: { cpu: '2', memory: '2Gi' } }
+     * Managed machine size. The platform owns CPU, memory, scheduling, and isolation details.
+     * Defaults to `standard`.
      */
-    resources?: RunResourceSpec;
+    machine?: RunMachineSize;
     /**
      * Hard timeout in seconds (default: 3600 = 1 hour, max: 86400 = 24 hours).
      * The platform terminates the run when the deadline is reached (status: 'timeout').
@@ -8005,8 +8335,8 @@ interface Run {
     command: string[];
     /** Environment variables */
     env: Record<string, string> | null;
-    /** Resource spec */
-    resources: RunResourceSpec | null;
+    /** Managed machine size selected for this run. */
+    machine: RunMachineSize | null;
     /** Hard timeout in seconds */
     timeoutSeconds: number;
     /** Volume mounts */
@@ -8021,7 +8351,7 @@ interface Run {
     errorMessage: string | null;
     /** Duration in milliseconds (only when completed) */
     durationMs: number | null;
-    /** When the worker pod started running */
+    /** When the worker runtime started */
     startedAt: string | null;
     /** When the worker completed */
     completedAt: string | null;
@@ -8085,7 +8415,7 @@ declare class RunHandle {
      *
      * @example
      * ```typescript
-     * const result = await worker.wait()
+     * const result = await run.wait()
      * if (result.exitCode !== 0) {
      *   throw new Error(`Worker failed: ${result.errorMessage ?? result.stderr}`)
      * }
@@ -8126,10 +8456,10 @@ declare class RunHandle {
  * const config = createServerClient(process.env.SYLPHX_SECRET_URL!)
  *
  * // Run a worker and wait for completion
- * const result = await RunsClient.create(config, { ... }).then(w => w.wait())
+ * const result = await RunsClient.run(config, { ... }).then((run) => run.wait())
  *
  * // Run N workers in parallel, wait for all
- * const handles = await Promise.all(folds.map(fold => RunsClient.create(config, { ... })))
+ * const handles = await Promise.all(folds.map((fold) => RunsClient.run(config, { ... })))
  * const results = await Promise.all(handles.map(h => h.wait()))
  * ```
  */
@@ -8142,13 +8472,13 @@ declare const RunsClient: {
      *
      * @example
      * ```typescript
-     * const run = await RunsClient.create(config, {
-     *   image: 'registry.sylphx.com/sylphx/trainer:abc123',
+     * const run = await RunsClient.run(config, {
+     *   image: 'ghcr.io/acme/trainer:sha-abc123',
      *   command: ['python', 'train.py', '--fold', '3'],
-     *   resources: { requests: { cpu: '4', memory: '16Gi' } },
+     *   machine: 'large',
      *   volumeMounts: [{ volumeId: cacheVolumeId, mountPath: '/cache' }],
      * })
-     * const result = await worker.wait()
+     * const result = await run.wait()
      * ```
      */
     run(config: SylphxConfig, options: CreateRunOptions): Promise<RunHandle>;
@@ -8170,20 +8500,20 @@ declare const RunsClient: {
      *
      * @example
      * ```typescript
-     * const { workers } = await RunsClient.list(config, { status: 'running' })
-     * console.log(`${workers.length} workers currently running`)
+     * const { data } = await RunsClient.list(config, { status: 'running' })
+     * console.log(`${data.length} runs currently running`)
      * ```
      */
     list(config: SylphxConfig, options?: ListRunsOptions): Promise<ListRunsResult>;
     /**
      * Spawn a worker and wait for it to complete in one call.
      *
-     * Equivalent to `(await RunsClient.create(config, options)).wait(waitOptions)`.
+     * Equivalent to `(await RunsClient.run(config, options)).wait(waitOptions)`.
      *
      * @example
      * ```typescript
      * const result = await RunsClient.runAndWait(config, {
-     *   image: 'registry.sylphx.com/sylphx/process:abc',
+     *   image: 'ghcr.io/acme/process:sha-abc123',
      *   command: ['node', 'dist/process.js'],
      * })
      * if (result.exitCode !== 0) throw new Error(result.errorMessage ?? 'worker failed')
@@ -8204,13 +8534,13 @@ declare const WorkersClient: {
      *
      * @example
      * ```typescript
-     * const run = await RunsClient.create(config, {
-     *   image: 'registry.sylphx.com/sylphx/trainer:abc123',
+     * const run = await RunsClient.run(config, {
+     *   image: 'ghcr.io/acme/trainer:sha-abc123',
      *   command: ['python', 'train.py', '--fold', '3'],
-     *   resources: { requests: { cpu: '4', memory: '16Gi' } },
+     *   machine: 'large',
      *   volumeMounts: [{ volumeId: cacheVolumeId, mountPath: '/cache' }],
      * })
-     * const result = await worker.wait()
+     * const result = await run.wait()
      * ```
      */
     run(config: SylphxConfig, options: CreateRunOptions): Promise<RunHandle>;
@@ -8232,20 +8562,20 @@ declare const WorkersClient: {
      *
      * @example
      * ```typescript
-     * const { workers } = await RunsClient.list(config, { status: 'running' })
-     * console.log(`${workers.length} workers currently running`)
+     * const { data } = await RunsClient.list(config, { status: 'running' })
+     * console.log(`${data.length} runs currently running`)
      * ```
      */
     list(config: SylphxConfig, options?: ListRunsOptions): Promise<ListRunsResult>;
     /**
      * Spawn a worker and wait for it to complete in one call.
      *
-     * Equivalent to `(await RunsClient.create(config, options)).wait(waitOptions)`.
+     * Equivalent to `(await RunsClient.run(config, options)).wait(waitOptions)`.
      *
      * @example
      * ```typescript
      * const result = await RunsClient.runAndWait(config, {
-     *   image: 'registry.sylphx.com/sylphx/process:abc',
+     *   image: 'ghcr.io/acme/process:sha-abc123',
      *   command: ['node', 'dist/process.js'],
      * })
      * if (result.exitCode !== 0) throw new Error(result.errorMessage ?? 'worker failed')
@@ -8301,6 +8631,7 @@ declare const WorkersClient: {
 type TriggerTargetType = 'task' | 'run' | 'http';
 type TriggerSourceType = 'cron' | 'event';
 type TriggerStatus = 'active' | 'paused' | 'deleted';
+type TriggerRunMachineSize = MachineSize;
 interface TaskTarget {
     type: 'task';
     taskName: string;
@@ -8318,10 +8649,7 @@ interface RunTarget {
     type: 'run';
     image: string;
     command: string[];
-    resources?: {
-        cpu?: string;
-        memory?: string;
-    };
+    machine?: TriggerRunMachineSize;
 }
 type TriggerTarget = TaskTarget | HttpTarget | RunTarget;
 interface CronSource {
@@ -9343,4 +9671,4 @@ declare const functions: {
     };
 };
 
-export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, type AuditQueryFilter, type AuditQueryResult, AuthenticationError, AuthorizationError, type BackupCodesResult, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type Breadcrumb, type BuildLog, type BuildLogHistoryResponse, type CaptureExceptionRequest, type CaptureMessageRequest, type ChallengeMethod, type ChallengeType, type ChallengeVerifyInput, type ChallengeVerifyResult, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CopyFileOptions, type CreateOrgInput, type CreatePermissionInput, type CreatePromoInput, type CreateRoleInput, type CreateRunOptions, type CreateTriggerOptions, type CriteriaOperator, type CronInput, type CronSchedule, type CronSource, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteAccountResult, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DeviceApproveInput, type DeviceApproveResult, type DeviceDenyInput, type DeviceDenyResult, type DeviceGrant, type DeviceInitInput, type DevicePollResult, type DynamicRestClient, ERROR_CODE_STATUS, type EmailChangeInput, type EmailConfirmInput, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type EventSource, type ExceptionFrame, type ExceptionValue, type ExecEvent, type ExecOptions, type ExecResult, type FacetsResponse, type FileEvent, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, type HttpTarget, type IdentifyInput, type ImpersonationActive, type ImpersonationEndResult, type ImpersonationInfo, type ImpersonationStartResult, type IndexDocumentInput, type IndexDocumentResult, type IngestLogsResult, InvalidConnectionUrlError, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListFilesOptions, type ListPromosOptions, type ListPromosResult, type ListRedemptionsOptions, type ListRedemptionsResult, type ListRunsOptions, type ListRunsResult, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListTriggersResult, type ListUsersOptions, type ListUsersResult, type LogEntry, type LogLevel, type LoginHistoryEntry, type LoginRequest, type LoginResponse, type MeResponse, type MemberPermissionsResult, type MintAccessTokenClaims, type MintAccessTokenResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OAuthAuthorizeInput, type OAuthAuthorizeResult, type OAuthCodeExchangeInput, type OAuthProvider, type OAuthProvidersResult, type OidcDiscoveryDocument, type OidcUserInfoResponse, type OrgRole, type OrgScopedTokenResponse, type OrgTokenPayload, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type OrganizationsListResult, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedConnectionUrl, type PasskeyRegistrationInput, type PasskeyRegistrationOptions, type PasskeySummary, type PasskeysList, type PasswordSetInput, type Permission, type PkceMethod, type Plan, type PlatformAccessTokenClaims, type PlatformFunctionsDownloadBundleResult, type PlatformLogoutInput, type PlatformPasswordChangeInput, type PlatformPasswordChangeResult, type PlatformPasswordSetInput, type PlatformPasswordSetResult, type PlatformPasswordStatusResult, type PlatformRealtimeChannel, type PlatformRealtimeCreateChannelResult, type PlatformRealtimeDeleteChannelResult, type PlatformRealtimeListChannelsResult, type PlatformRealtimeStatusResult, type PlatformRefreshInput, type PlatformRefreshResult, type PlatformSessionRenameInput, type PlatformSessionRenameResult, type PlatformSessionRevokeAllResult, type PlatformSessionRevokeInput, type PlatformSessionRevokeOtherResult, type PlatformSessionRevokeResult, type PlatformSessionsListResult, type PlatformUserDeleteInput, type PlatformUserDeleteResult, type PlatformUserExportResult, type PlatformUserRecord, type PlatformUserResolution, type ProcessEvent, type ProcessInfo, type ProcessStartOptions, type ProcessSummary, type ProjectMetadata, type PromoCode, type PromoRedemption, type PromoStatus, type PromoType, type PromoValidationPreview, type PublishEventResult, type PushCampaign, type PushCampaignStats, type PushCampaignVariant, type PushNotification, type PushNotificationPayload, type PushSegment, type PushSegmentFilter, type PushServiceWorkerConfig, type PushSubscription, type QueryLogsOptions, type QueryLogsResult, RETRYABLE_CODES, RateLimitError, type RateLimitStatusFilter, type RateLimitStatusResult, type RateLimitStrategiesFilter, type RateLimitStrategiesResult, type RateLimitStrategyDeleteInput, type RateLimitStrategyDeleteResult, type RateLimitStrategyUpsertInput, type RateLimitStrategyUpsertResult, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RecordActivityInput, type RecordActivityResult, type RedeemPromoInput, type RedeemPromoResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type ResendEmailVerificationRequest, type ResendEmailVerificationResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type Run, RunHandle, type RunLogsResult, type RunResourceSpec, type RunResult, type RunStatus, type RunTarget, type RunVolumeMount, type CreateRunOptions as RunWorkerOptions, RunsClient, SandboxClient, type SandboxFile, SandboxFiles, type SandboxOptions, SandboxProcesses, type SandboxRecord, SandboxWatch, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecurityAlert, type SecurityAlertsList, type SecurityScoreResult, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, StepCompleteSignal, StepSleepSignal, type StoredLogEntry, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxClientInput, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, type TaskInput, type TaskResult, type TaskStatus, type TaskTarget, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type Trigger, type TriggerDeployRequest, type TriggerSource, type TriggerSourceType, type TriggerStatus, type TriggerTarget, type TriggerTargetType, TriggersClient, type TwoFactorEnableResult, type TwoFactorSetupResult, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdatePromoInput, type UpdateRoleInput, type UpdateTriggerOptions, type UploadCreateOptions, type UploadProgressEvent, type UpsertDocumentInput, type UpsertDocumentResult, type User, type UserAchievement, type UserConsent, type UserDataExport, type UserFullProfile, type UserOrganization, type UserProfile, type UserSecuritySettings, type UserSession, type UserSessionsList, type UserUpdateProfileInput, type ValidatePromoInput, type ValidatePromoResult, ValidationError, type VisionInput, type WatchEntry, type WatchOptions, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, RunHandle as WorkerHandle, type RunLogsResult as WorkerLogsResult, type RunResourceSpec as WorkerResourceSpec, type RunResult as WorkerResult, type Run as WorkerRun, type RunStatus as WorkerStatus, type RunVolumeMount as WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, audit, authorizeOAuth, batchIndex, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, chat, chatStream, checkFlag, complete, confirmEmailChange, cookies, createCheckout, createClient, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createPromo, createRestClient, createRole, createServerClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteOrganization, deletePasskey, deletePermission, deletePromo, deleteRole, deleteUser, deleteUserAccount, device, disableDebug, disableTwoFactor, disconnectOAuthProvider, dpop, embed, enableDebug, exchangeOAuthCode, exponentialBackoff, exportUserData, extendedSignUp, forgotPassword, functions, generateAnonymousId, generatePkce, getAchievement, getAchievementPoints, getAchievements, getAllFlags, getAllSecrets, getAllStreaks, getBackupCodes, getBillingBalance, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDeployHistory, getDeployStatus, getErrorCode, getErrorMessage, getFacets, getFlagPayload, getFlags, getLeaderboard, getMemberPermissions, getMyReferralCode, getOidcDiscoveryDocument, getOrgScopedToken, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlans, getProjectMetadata, getPromo, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSecurityScore, getSession, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getUserProfile, getUserSecurity, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, impersonation, incrementAchievementProgress, indexDocument, ingestLogs, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isEmailConfigured, isEnabled, isRetryableError, isSylphxError, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listOAuthProviders, listOrganizations, listPasskeys, listPermissions, listPromoRedemptions, listPromos, listRoles, listScheduledEmails, listSecretKeys, listSecurityAlerts, listTasks, listUserSessions, listUsers, markAllSecurityAlertsRead, markSecurityAlertRead, oauth, page, parseOAuthCallback, password, pauseCron, platformAuth, campaigns as pushCampaigns, segments as pushSegments, queryLogs, rateLimits, realtime, realtimeEmit, recordStreakActivity, recoverStreak, redeemPromo, redeemReferralCode, refreshToken, regenerateBackupCodes, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, renamePasskey, renameUserSession, replayWebhookDelivery, requestEmailChange, rescheduleEmail, resendVerificationEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resetPlatformCookieCache, resetPlatformJwksCache, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, revokeUserSession, rollbackDeploy, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, sessions, setConsents, setEnvVar, setPassword, setupTwoFactor, signIn, signOut, signUp, startPasskeyRegistration, storage, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePromo, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateUserProfile, updateWebhookConfig, upsertDocument, user, userInfo, validatePromo, verifyAccessToken, verifyChallenge, verifyEmail, verifyPasskeyRegistration, verifySignature as verifyTaskSignature, verifyTwoFactor, verifyTwoFactorEnable, withToken };
+export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, type AuditQueryFilter, type AuditQueryResult, AuthenticationError, AuthorizationError, BILLING_ALLOWED_ROLES, BUILD_MINUTES_INCLUDED, BUILD_MINUTE_PRICES, BUILD_SIZE_MULTIPLIERS, BYTES_PER_GB, type BackupCodesResult, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type BillingAllowedRole, type Breadcrumb, type BuildConnectionUrlInput, type BuildLog, type BuildLogHistoryResponse, type BuildMachineTier, CI_BUILD_MINUTE_PRICE_MICRODOLLARS, CI_FREE_MINUTES_PER_MONTH, CI_MACOS_MULTIPLIER, CI_MACOS_SIZE_MULTIPLIERS, CI_SIZE_MULTIPLIERS, COMPUTE_PRICE_PER_HOUR_MICRODOLLARS, COMPUTE_RAM_RATE_MICRODOLLARS, COMPUTE_VCPU_ACTIVE_RATE_MICRODOLLARS, COMPUTE_VCPU_IDLE_RATE_MICRODOLLARS, CONSOLE_APP_SLUG, CREDENTIAL_REGEX, CREDIT_EXPIRY_MONTHS, type CaptureExceptionRequest, type CaptureMessageRequest, type ChallengeMethod, type ChallengeType, type ChallengeVerifyInput, type ChallengeVerifyResult, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConnectionCredentialType, type ConnectionEnv, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CopyFileOptions, type CreateOrgInput, type CreatePermissionInput, type CreatePromoInput, type CreateRoleInput, type CreateRunOptions, type CreateTriggerOptions, type CriteriaOperator, type CronInput, type CronSchedule, type CronSource, DEFAULT_MAX_REPLICAS, DEFAULT_POINTS_REWARD, DISCOUNT_DURATION_MONTHS, DISCOUNT_PERCENT, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteAccountResult, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DeviceApproveInput, type DeviceApproveResult, type DeviceDenyInput, type DeviceDenyResult, type DeviceGrant, type DeviceInitInput, type DevicePollResult, type DynamicRestClient, ERROR_CODE_STATUS, type EmailChangeInput, type EmailConfirmInput, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type EventSource, type ExceptionFrame, type ExceptionValue, type ExecEvent, type ExecOptions, type ExecResult, type ErrorDetails$1 as ExtractedErrorDetails, FREE_COMPUTE_HOURS, FREE_STORAGE_GB, type FacetsResponse, type FileEvent, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, HOURS_PER_MONTH, type HttpTarget, INSTANCE_TYPES, INSTANCE_TYPE_ALIASES, INSTANCE_TYPE_ORDER, INVOICE_DUE_DAYS, type IdentifyInput, type ImpersonationActive, type ImpersonationEndResult, type ImpersonationInfo, type ImpersonationStartResult, type IndexDocumentInput, type IndexDocumentResult, type IngestLogsResult, type InstanceTypeDefinition, type InstanceTypeId, InvalidConnectionUrlError, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, KV_FREE_STORAGE_GB, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMetric, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, LEGACY_INSTANCE_TYPE_ORDER, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListFilesOptions, type ListPromosOptions, type ListPromosResult, type ListRedemptionsOptions, type ListRedemptionsResult, type ListRunsOptions, type ListRunsResult, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListTriggersResult, type ListUsersOptions, type ListUsersResult, type LogEntry, type LogLevel, type LoginHistoryEntry, type LoginRequest, type LoginResponse, MAX_PASSWORD_LENGTH, MAX_PAYMENT_ATTEMPTS, MICRODOLLARS_PER_CENT, MIN_PASSWORD_LENGTH, type MeResponse, type MemberPermissionsResult, type MintAccessTokenClaims, type MintAccessTokenResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OAuthAuthorizeInput, type OAuthAuthorizeResult, type OAuthCodeExchangeInput, type OAuthProvider, type OAuthProvidersResult, type OidcDiscoveryDocument, type OidcUserInfoResponse, type OrgRole, type OrgScopedTokenResponse, type OrgTokenPayload, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type OrganizationsListResult, PASSWORD_REQUIREMENTS, PLATFORM_PLANS, PLATFORM_PLAN_ORDER, PLATFORM_PLAN_ORDER_ALL, PREMIUM_TRIAL_DAYS, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedConnectionUrl, type ParsedUserAgent, type PasskeyRegistrationInput, type PasskeyRegistrationOptions, type PasskeySummary, type PasskeysList, type PasswordSetInput, type Permission, type PkceMethod, type Plan, type PlatformAccessTokenClaims, type PlatformFunctionsDownloadBundleResult, type PlatformLogoutInput, type PlatformPasswordChangeInput, type PlatformPasswordChangeResult, type PlatformPasswordSetInput, type PlatformPasswordSetResult, type PlatformPasswordStatusResult, type PlatformPlanDefinition, type PlatformPlanFeatures, type PlatformPlanId, type PlatformPlanLimits, type PlatformRealtimeChannel, type PlatformRealtimeCreateChannelResult, type PlatformRealtimeDeleteChannelResult, type PlatformRealtimeListChannelsResult, type PlatformRealtimeStatusResult, type PlatformRefreshInput, type PlatformRefreshResult, type PlatformSessionRenameInput, type PlatformSessionRenameResult, type PlatformSessionRevokeAllResult, type PlatformSessionRevokeInput, type PlatformSessionRevokeOtherResult, type PlatformSessionRevokeResult, type PlatformSessionsListResult, type PlatformUserDeleteInput, type PlatformUserDeleteResult, type PlatformUserExportResult, type PlatformUserRecord, type PlatformUserResolution, type ProcessEvent, type ProcessInfo, type ProcessStartOptions, type ProcessSummary, type ProjectMetadata, type PromoCode, type PromoRedemption, type PromoStatus, type PromoType, type PromoValidationPreview, type PublishEventResult, type PushCampaign, type PushCampaignStats, type PushCampaignVariant, type PushNotification, type PushNotificationPayload, type PushSegment, type PushSegmentFilter, type PushServiceWorkerConfig, type PushSubscription, type QueryLogsOptions, type QueryLogsResult, RETRYABLE_CODES, RateLimitError, type RateLimitStatusFilter, type RateLimitStatusResult, type RateLimitStrategiesFilter, type RateLimitStrategiesResult, type RateLimitStrategyDeleteInput, type RateLimitStrategyDeleteResult, type RateLimitStrategyUpsertInput, type RateLimitStrategyUpsertResult, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RealtimeMetric, type RecordActivityInput, type RecordActivityResult, type RedeemPromoInput, type RedeemPromoResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type ResendEmailVerificationRequest, type ResendEmailVerificationResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type Run, RunHandle, type RunLogsResult, type RunMachineSize, type RunResult, type RunStatus, type RunTarget, type RunVolumeMount, type CreateRunOptions as RunWorkerOptions, RunsClient, SERVICE_METRICS, STORAGE_PRICE_PER_GB_MONTH_MICRODOLLARS, SandboxClient, type SandboxFile, SandboxFiles, type SandboxMachineSize, type SandboxOptions, SandboxProcesses, type SandboxRecord, SandboxWatch, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecurityAlert, type SecurityAlertsList, type SecurityScoreResult, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type ServiceMetrics, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, StepCompleteSignal, StepSleepSignal, type StoredLogEntry, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxClientInput, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, TRANSFER_PRICE_PER_GB_MICRODOLLARS, type TaskInput, type TaskResult, type TaskStatus, type TaskTarget, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type Trigger, type TriggerDeployRequest, type TriggerRunMachineSize, type TriggerSource, type TriggerSourceType, type TriggerStatus, type TriggerTarget, type TriggerTargetType, TriggersClient, type TwoFactorEnableResult, type TwoFactorSetupResult, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdatePromoInput, type UpdateRoleInput, type UpdateTriggerOptions, type UploadCreateOptions, type UploadProgressEvent, type UpsertDocumentInput, type UpsertDocumentResult, type User, type UserAchievement, type UserConsent, type UserDataExport, type UserFullProfile, type UserOrganization, type UserProfile, type UserSecuritySettings, type UserSession, type UserSessionsList, type UserUpdateProfileInput, type ValidatePromoInput, type ValidatePromoResult, ValidationError, type VisionInput, type WatchEntry, type WatchOptions, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, RunHandle as WorkerHandle, type RunLogsResult as WorkerLogsResult, type RunResult as WorkerResult, type Run as WorkerRun, type RunStatus as WorkerStatus, type RunVolumeMount as WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, audit, authorizeOAuth, batchIndex, buildConnectionUrl, calculatePercentage, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, centsToDollars, chat, chatStream, checkFlag, complete, confirmEmailChange, cookies, createCheckout, createClient, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createPromo, createRestClient, createRole, createServerClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteOrganization, deletePasskey, deletePermission, deletePromo, deleteRole, deleteUser, deleteUserAccount, device, disableDebug, disableTwoFactor, disconnectOAuthProvider, dpop, embed, enableDebug, escapeCsvField, escapeHtml, exchangeOAuthCode, exponentialBackoff, exportUserData, extendedSignUp, getErrorDetails$1 as extractErrorDetails, getErrorMessage$1 as extractErrorMessage, forgotPassword, formatBytes, formatCents, formatCurrency, formatDate, formatDateTime, formatDuration, formatMicrodollars, formatMonthYear, formatNumber, formatPercent, formatRelativeTime, formatRelativeTimeShort, formatTime, functions, generateAnonymousId, generatePkce, generateReferralCode, generateSlug, getAchievement, getAchievementPoints, getAchievements, getActivePlans, getAllFlags, getAllSecrets, getAllStreaks, getAvailableInstanceTypes, getBackupCodes, getBaseUrl, getBillingBalance, getBillingStatusVariant, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDefaultInstanceType, getDeployHistory, getDeployStatus, getEnvPrefix, getErrorCode, getErrorDetails, getErrorMessage, getFacets, getFlagPayload, getFlags, getInvoiceStatusVariant, getLeaderboard, getMemberPermissions, getMyReferralCode, getOidcDiscoveryDocument, getOrgScopedToken, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlanMonthlyPrice, getPlans, getProjectMetadata, getPromo, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getSafeErrorMessage, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSecurityScore, getSession, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getUserProfile, getUserSecurity, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasBillingAccess, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, impersonation, incrementAchievementProgress, indexDocument, ingestLogs, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isChallengeRequired, isEmailConfigured, isEnabled, isPlanDeprecated, isRetryableError, isSylphxError, isValidInstanceType, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listOAuthProviders, listOrganizations, listPasskeys, listPermissions, listPromoRedemptions, listPromos, listRoles, listScheduledEmails, listSecretKeys, listSecurityAlerts, listTasks, listUserSessions, listUsers, markAllSecurityAlertsRead, markSecurityAlertRead, microsToDollars, oauth, page, parseConnectionUrl, parseOAuthCallback, parseUserAgent, password, pauseCron, platformAuth, campaigns as pushCampaigns, segments as pushSegments, queryLogs, rateLimits, realtime, realtimeEmit, recordStreakActivity, recoverStreak, redeemPromo, redeemReferralCode, refreshToken, regenerateBackupCodes, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, renamePasskey, renameUserSession, replayWebhookDelivery, requestEmailChange, rescheduleEmail, resendVerificationEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resetPlatformCookieCache, resetPlatformJwksCache, resolveCanonicalInstanceType, resolveMaxReplicas, resolveResources, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, revokeUserSession, rollbackDeploy, safeJsonParse, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, sessions, setConsents, setEnvVar, setPassword, setupTwoFactor, signIn, signOut, signUp, startPasskeyRegistration, storage, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePromo, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateUserProfile, updateWebhookConfig, upsertDocument, user, userInfo, validateInstanceTypeForPlan, validatePromo, verifyAccessToken, verifyChallenge, verifyEmail, verifyPasskeyRegistration, verifySignature as verifyTaskSignature, verifyTwoFactor, verifyTwoFactorEnable, withToken };