@sylphx/sdk 0.11.0 → 0.11.1

package/dist/index.d.ts

@@ -1,4 +1,5 @@
-import { SdkBillingPlan, SdkBillingSubscription, BillingCheckoutRequest, BillingCheckoutResponse, BillingPortalRequest, BillingPortalResponse, BillingBalanceResponse, BillingUsageResponse, SdkConsentType, UserConsent as UserConsent$1, AIModel as AIModel$1, GetModelsResponse, GetRateLimitResponse, GetUsageResponse, ReferralLeaderboardEntry, ReferralRewardDefaults as ReferralRewardDefaults$1, WebhookDelivery as WebhookDelivery$1, DeviceApproveRequest, DeviceApproveResponse, DeviceDenyRequest, DeviceDenyResponse, DeviceInitResponse, DeviceInitRequest, DevicePollResponse, LoginRequest as LoginRequest$1, LoginResponse as LoginResponse$1, UserFullProfile as UserFullProfile$1, LogoutInput, PlatformPasswordChangeRequest, PlatformPasswordChangeResponse, PlatformPasswordSetRequest, PlatformPasswordSetResponse, PlatformPasswordStatusResponse, RefreshTokenInput, RefreshTokenResult, PlatformSessionRenameRequest, PlatformSessionRenameResponse, PlatformSessionRevokeAllResponse, PlatformSessionRevokeRequest, PlatformSessionRevokeOtherResponse, PlatformSessionRevokeResponse, PlatformSessionsListResponse, AuthUserDeleteRequest, AuthUserDeleteResponse, AuthUserExportResponse, RegisterRequest as RegisterRequest$1, RegisterResponse as RegisterResponse$1, ResendEmailVerificationRequest as ResendEmailVerificationRequest$1, ResendEmailVerificationResponse as ResendEmailVerificationResponse$1, AuthTokensResponse, TwoFactorVerifyRequest as TwoFactorVerifyRequest$1, OAuthIntrospectResponse, PlatformAuditQueryRequest, PlatformAuditQueryResponse, PlatformRateLimitStatusRequest, PlatformRateLimitStatusResponse, PlatformRateLimitStrategiesListRequest, PlatformRateLimitStrategiesListResponse, PlatformRateLimitStrategyDeleteRequest, PlatformRateLimitStrategyDeleteResponse, PlatformRateLimitStrategyUpsertRequest, PlatformRateLimitStrategyUpsertResponse, File as File$1, UploadId, FileId, TakedownFileRequest, TakedownFileResult, FileVersion, FileVersionId, CreateOrgInput as CreateOrgInput$1, InviteMemberInput as InviteMemberInput$1, OrgSdkRole, OrgInvitation, OrgMember, MembershipInfo, Organization, UpdateOrgInput as UpdateOrgInput$1, UserOrganizationMembership, UserOrganizationsResponse, MachineSize } from '@sylphx/contract';
+export { DEFAULT_MACHINE_SIZE, MACHINE_CONFIGS, MACHINE_MAX_INSTANCES, MACHINE_RESOURCE_REQUIREMENTS, MACHINE_SIZES, MachineConfig, MachineResourceRequirements, MachineTierResources, isMachineSize, parseMachineSize, resolveMachineConfig, resolveMachineMaxInstances, resolveMachineResources, resolveMachineTierResources, toPublicMachineSize } from '@sylphx/contract/compute';
+import { SdkBillingPlan, SdkBillingSubscription, BillingCheckoutRequest, BillingCheckoutResponse, BillingPortalRequest, BillingPortalResponse, BillingBalanceResponse, BillingUsageResponse, SdkConsentType, UserConsent as UserConsent$1, AIModel as AIModel$1, GetModelsResponse, GetRateLimitResponse, GetUsageResponse, ReferralLeaderboardEntry, ReferralRewardDefaults as ReferralRewardDefaults$1, WebhookDelivery as WebhookDelivery$1, OAuthTokenResponse, OAuthTokenErrorResponse, OAuthClientCredentialsResponse, LogoutInput, RefreshTokenInput, RefreshTokenResult, OAuthIntrospectResponse, PlatformPasswordChangeRequest, PlatformPasswordChangeResponse, PlatformPasswordSetRequest, PlatformPasswordSetResponse, PlatformPasswordStatusResponse, PlatformSessionRenameRequest, PlatformSessionRenameResponse, PlatformSessionRevokeAllResponse, PlatformSessionRevokeRequest, PlatformSessionRevokeOtherResponse, PlatformSessionRevokeResponse, PlatformSessionsListResponse, AuthUserDeleteRequest, AuthUserDeleteResponse, AuthUserExportResponse, DeviceApproveRequest, DeviceApproveResponse, DeviceDenyRequest, DeviceDenyResponse, DeviceInitResponse, DeviceInitRequest, DevicePollResponse, LoginRequest as LoginRequest$1, LoginResponse as LoginResponse$1, UserFullProfile as UserFullProfile$1, RegisterRequest as RegisterRequest$1, RegisterResponse as RegisterResponse$1, ResendEmailVerificationRequest as ResendEmailVerificationRequest$1, ResendEmailVerificationResponse as ResendEmailVerificationResponse$1, AuthTokensResponse, TwoFactorVerifyRequest as TwoFactorVerifyRequest$1, PlatformAuditQueryRequest, PlatformAuditQueryResponse, PlatformRateLimitStatusRequest, PlatformRateLimitStatusResponse, PlatformRateLimitStrategiesListRequest, PlatformRateLimitStrategiesListResponse, PlatformRateLimitStrategyDeleteRequest, PlatformRateLimitStrategyDeleteResponse, PlatformRateLimitStrategyUpsertRequest, PlatformRateLimitStrategyUpsertResponse, File as File$1, UploadId, FileId, TakedownFileRequest, TakedownFileResult, FileVersion, FileVersionId, CreateOrgInput as CreateOrgInput$1, InviteMemberInput as InviteMemberInput$1, OrgSdkRole, OrgInvitation, OrgMember, MembershipInfo, Organization, UpdateOrgInput as UpdateOrgInput$1, UserOrganizationMembership, UserOrganizationsResponse, MachineSize } from '@sylphx/contract';
 export { BillingBalanceResponse as BalanceResponse, BillingCheckoutRequest as CheckoutRequest, BillingCheckoutResponse as CheckoutResponse, FileId, FileVersion, FileVersionId, FileVisibility, Organization, BillingPortalRequest as PortalRequest, BillingPortalResponse as PortalResponse, SignedUrlDisposition, File as StorageFile, UploadId, BillingUsageResponse as UsageResponse } from '@sylphx/contract';
 
 /**
@@ -76,10 +77,80 @@ interface PlatformRealtimeDeleteChannelResult {
 }
 
 /**
- * Sylphx Connection URL Parser — SDK Self-Contained Copy
+ * Database Pricing Configuration (SSOT)
+ *
+ * All database billing constants centralized here.
+ * Used by billing calculations, usage tracking, and cost display.
+ *
+ * Pricing Strategy:
+ * - Self-hosted infra on AX162-R: flat ~$270/month
+ * - Competitive pricing with 75-99% margins
+ *
+ * Customer Prices (updated for self-hosted, 2026-02):
+ * - Compute: $0.08/hour (25% below Neon $0.106/hr)
+ * - Storage: $0.25/GB-month (29% below Neon $0.35/GB)
+ * - Transfer: $0.09/GB (matches Supabase)
+ */
+/** Price per compute hour in microdollars ($0.08/hour = 80,000 microdollars) */
+declare const COMPUTE_PRICE_PER_HOUR_MICRODOLLARS = 80000;
+/** Free compute hours per month (platform free tier) */
+declare const FREE_COMPUTE_HOURS = 3;
+/** Price per GB-month in microdollars ($0.25/GB-month = 250,000 microdollars) */
+declare const STORAGE_PRICE_PER_GB_MONTH_MICRODOLLARS = 250000;
+/** Free storage in GB (256 MB) */
+declare const FREE_STORAGE_GB = 0.25;
+/** Price per GB data transfer ($0.09/GB = 90,000 microdollars) */
+declare const TRANSFER_PRICE_PER_GB_MICRODOLLARS = 90000;
+/** KV free storage in GB (256 MB) */
+declare const KV_FREE_STORAGE_GB = 0.25;
+/** Hours per month (AWS/GCP standard for billing) */
+declare const HOURS_PER_MONTH = 730;
+
+/**
+ * Referrals Configuration (SSOT)
+ *
+ * Single source of truth for referral system configuration.
+ * Used by: referral router, SDK referral endpoints
+ */
+/** Default points awarded per successful referral */
+declare const DEFAULT_POINTS_REWARD = 100;
+/** Number of months the referral discount is valid */
+declare const DISCOUNT_DURATION_MONTHS = 3;
+/** Default discount percentage */
+declare const DISCOUNT_PERCENT = 20;
+/** Premium trial days from referral */
+declare const PREMIUM_TRIAL_DAYS = 7;
+/**
+ * Generate a cryptographically secure referral code
+ *
+ * Uses crypto.getRandomValues for uniform random bytes (0-255).
+ * Since REFERRAL_CODE_CHARS has exactly 32 characters and 256 / 32 = 8,
+ * byte % 32 produces perfectly uniform distribution with zero modulo bias.
+ *
+ * Entropy: 8 chars * log2(32) = 40 bits (~1.1 trillion possible codes)
+ *
+ * Format: 8 uppercase alphanumeric characters (excluding ambiguous: 0, O, I, L, 1)
+ */
+declare function generateReferralCode(): string;
+
+declare function getErrorMessage$1(error: unknown, fallback?: string): string;
+interface ErrorDetails$1 {
+    message: string;
+    code?: string;
+    name?: string;
+    stack?: string;
+    status?: number;
+    cause?: unknown;
+}
+declare function getErrorDetails$1(error: unknown, fallbackMessage?: string): ErrorDetails$1;
+
+/**
+ * Sylphx Connection URL — Single Source of Truth (ADR-123)
  *
  * Implements the canonical connection string format defined in ADR-055 §5.
- * This is a self-contained copy for SDK package independence (no app imports).
+ * This module is the SDK-owned SSOT per ADR-123 (SDK/application boundary).
+ * Consuming applications MUST import from `@sylphx/sdk` rather than duplicating
+ * this logic.
  *
  * Hosted format:
  *   sylphx://{credential}@{tenant-slug}.api.sylphx.com[:port][/v{version}]
@@ -117,10 +188,38 @@ interface ParsedConnectionUrl {
     /** Ready-to-use SDK base URL, always HTTPS (e.g. `https://bold-river-a1b2c3.api.sylphx.com/v1`) */
     readonly apiBaseUrl: string;
 }
+interface BuildConnectionUrlInput {
+    /** Credential — must match the credential format regex */
+    readonly credential: string;
+    /** Resource slug — validated DNS label */
+    readonly slug: string;
+    /** SDK API domain suffix; defaults to `api.sylphx.com`. Use `sylphx.dev` for dev. */
+    readonly domain?: string;
+    /** API version suffix, e.g. `v1`. Defaults to `v1`. Pass empty string to omit. */
+    readonly version?: string;
+}
+/**
+ * Credential format — opaque token with type, env, optional project ref, and
+ * hex payload. Ref-scoped credentials are emitted by Platform app-env injection;
+ * legacy credentials without the ref remain valid for existing deploys.
+ */
+declare const CREDENTIAL_REGEX: RegExp;
 declare class InvalidConnectionUrlError extends Error {
     readonly code: "INVALID_CONNECTION_URL";
     constructor(message: string);
 }
+/**
+ * Build a canonical Sylphx connection URL.
+ *
+ * Throws `InvalidConnectionUrlError` if any component is malformed.
+ */
+declare function buildConnectionUrl(input: BuildConnectionUrlInput): string;
+/**
+ * Parse a Sylphx connection URL into its structured components.
+ *
+ * Throws `InvalidConnectionUrlError` on any structural problem.
+ */
+declare function parseConnectionUrl(url: string): ParsedConnectionUrl;
 
 /**
  * SDK Configuration — ADR-055 Connection URL API
@@ -260,6 +359,666 @@ type SylphxConfigInput = string | SylphxClientInput;
  */
 declare const createConfig: typeof createClient;
 
+/**
+ * CSV utilities for browser and server SDK consumers.
+ */
+/**
+ * Escape a CSV field to handle commas, quotes, and newlines.
+ *
+ * Handles null/undefined by returning an empty field. Wraps values containing
+ * RFC 4180 special characters in double quotes and escapes internal quotes.
+ */
+declare function escapeCsvField(value: string | null | undefined): string;
+
+/**
+ * Formatting Utilities
+ *
+ * Shared formatting functions for consistent display across the project.
+ */
+/**
+ * Calculate percentage with consistent rounding.
+ * SSOT for all success rate, completion rate calculations.
+ *
+ * @param count - The numerator (e.g., successful count)
+ * @param total - The denominator (e.g., total count)
+ * @param decimals - Number of decimal places (default: 2)
+ * @returns Percentage value (0-100)
+ *
+ * @example
+ * ```ts
+ * calculatePercentage(75, 100) // 75
+ * calculatePercentage(1, 3)    // 33.33
+ * calculatePercentage(0, 0)    // 100 (safe division)
+ * ```
+ */
+declare function calculatePercentage(count: number, total: number, decimals?: number): number;
+/**
+ * Format microdollars to currency string
+ * @param microdollars Amount in microdollars (1 dollar = 1,000,000 microdollars)
+ * @param options Intl.NumberFormat options
+ */
+declare function formatMicrodollars(microdollars: number, options?: Intl.NumberFormatOptions): string;
+/**
+ * Format cents to currency string
+ * @param cents Amount in cents (100 cents = 1 dollar)
+ *
+ * @example
+ * ```ts
+ * formatCents(1999)  // "$19.99"
+ * formatCents(100)   // "$1.00"
+ * ```
+ */
+declare function formatCents(cents: number): string;
+/**
+ * Format dollars to currency string with optional compact notation
+ * @param amount Amount in dollars
+ * @param compact Use compact notation for large amounts (default: false)
+ *
+ * @example
+ * ```ts
+ * formatCurrency(1999.99)              // "$1,999.99"
+ * formatCurrency(1999.99, true)        // "$2.0K"
+ * formatCurrency(1999.99, { currency: 'EUR' }) // "€1,999.99"
+ * formatCurrency(1999.99, { compact: true })   // "$2.0K"
+ * ```
+ *
+ * Second argument accepts either a bare `boolean` (back-compat for
+ * the historical `compact` flag) or an options object with
+ * `{ currency, compact }`. The options form is required for any UI
+ * surface that displays multi-currency amounts (billing, invoices,
+ * usage statements) — previously two local copies of this function
+ * lived in `billing-management.tsx` to work around the missing
+ * currency parameter.
+ */
+declare function formatCurrency(amount: number, optsOrCompact?: boolean | {
+    compact?: boolean;
+    currency?: string;
+    decimals?: number;
+}): string;
+/**
+ * Format percentage with sign for trend display
+ * @param value Percentage value (not multiplied by 100)
+ *
+ * @example
+ * ```ts
+ * formatPercent(12.5)   // "+12.5%"
+ * formatPercent(-5.2)   // "-5.2%"
+ * formatPercent(0)      // "+0.0%"
+ * ```
+ */
+declare function formatPercent(value: number): string;
+/**
+ * Format number with abbreviated suffix (K, M, B) or compact notation
+ * @param num Number to format
+ * @param compact Use Intl compact notation (default: false, uses K/M/B suffix)
+ *
+ * @example
+ * ```ts
+ * formatNumber(1234)           // "1,234"
+ * formatNumber(1234567)        // "1.2M"
+ * formatNumber(1234, true)     // "1.2K" (Intl compact)
+ * ```
+ */
+declare function formatNumber(num: number, compact?: boolean): string;
+/**
+ * Format duration in milliseconds to human-readable string.
+ * SSOT for latency display in traces, performance, and monitoring.
+ *
+ * @param ms Duration in milliseconds
+ * @returns Formatted string (e.g., "<1ms", "42ms", "1.23s")
+ *
+ * @example
+ * ```ts
+ * formatDuration(0.5)    // "<1ms"
+ * formatDuration(42)     // "42ms"
+ * formatDuration(1500)   // "1.50s"
+ * ```
+ */
+declare function formatDuration(ms: number): string;
+/**
+ * Format bytes to human-readable string
+ * @param bytes Number of bytes
+ * @param decimals Number of decimal places (default: 1)
+ */
+declare function formatBytes(bytes: number | null | undefined, decimals?: number): string;
+/** Badge variant type for consistency */
+type BadgeVariant = 'default' | 'secondary' | 'success' | 'warning' | 'error' | 'outline';
+/**
+ * Get billing status badge variant.
+ * Pure function — no side effects, deterministic output.
+ *
+ * @param status Billing account status
+ * @returns Badge variant for display
+ */
+declare function getBillingStatusVariant(status: string): BadgeVariant;
+/**
+ * Get invoice status badge variant.
+ * Pure function — no side effects, deterministic output.
+ *
+ * @param status Invoice status
+ * @returns Badge variant for display
+ */
+declare function getInvoiceStatusVariant(status: string): BadgeVariant;
+/**
+ * Format date for display
+ * @param date Date to format (null returns fallback)
+ * @param options Intl.DateTimeFormat options
+ * @param fallback Value to return when date is null (default: '-')
+ */
+declare function formatDate(date: Date | string | null, options?: Intl.DateTimeFormatOptions, fallback?: string): string;
+/**
+ * Format date with time for display
+ * @param date Date to format (null returns fallback)
+ * @param options Override options
+ * @param fallback Value to return when date is null (default: '-')
+ */
+declare function formatDateTime(date: Date | string | null, options?: Intl.DateTimeFormatOptions, fallback?: string): string;
+/**
+ * Format relative time (e.g., "2 hours ago")
+ *
+ * Uses native Intl.RelativeTimeFormat for proper localization.
+ *
+ * @param date Date to format (null returns 'Never')
+ */
+declare function formatRelativeTime(date: Date | string | null): string;
+/**
+ * Format relative time in compact form (e.g., "2h ago", "3d ago").
+ * SSOT for dense UI contexts: tables, feeds, badges.
+ *
+ * Uses short suffixes (s/m/h/d/w) instead of Intl.RelativeTimeFormat words.
+ * For prose contexts, use {@link formatRelativeTime} instead.
+ *
+ * @param date Date to format (null returns 'Never')
+ *
+ * @example
+ * ```ts
+ * formatRelativeTimeShort(new Date())               // "Just now"
+ * formatRelativeTimeShort('2024-01-01T00:00:00Z')   // "3d ago"
+ * formatRelativeTimeShort(null)                      // "Never"
+ * ```
+ */
+declare function formatRelativeTimeShort(date: Date | string | null): string;
+/**
+ * Format month and year (e.g., "January 2024")
+ * SSOT for billing period display, invoice headers.
+ * @param date Date to format (null returns fallback)
+ * @param fallback Value to return when date is null
+ */
+declare function formatMonthYear(date: Date | string | null, fallback?: string): string;
+/**
+ * Format time only (e.g., "2:30 PM")
+ * SSOT for log timestamps, activity feeds.
+ * @param date Date to format (null returns fallback)
+ * @param fallback Value to return when date is null
+ */
+declare function formatTime(date: Date | string | null, fallback?: string): string;
+
+/**
+ * Safely parse a JSON string, returning a fallback value on failure instead of throwing.
+ *
+ * Use this when malformed input is a normal (non-exceptional) case — e.g. parsing
+ * user-provided data, localStorage values, or Redis cache entries where the caller
+ * simply wants a default on failure.
+ *
+ * For cases where parse failure is truly exceptional and the caller needs to handle
+ * the error explicitly, use a standard try-catch with proper logging instead.
+ */
+declare function safeJsonParse<T = unknown>(input: string, fallback?: T): T | null;
+
+/**
+ * Utility Functions
+ */
+/**
+ * Get the base URL for API requests
+ *
+ * Use cases:
+ * - getBaseUrl(): For relative URLs in browser, absolute in SSR (tRPC, API calls)
+ * - getBaseUrl('origin'): For absolute URLs that need the actual origin (auth, sharing)
+ *
+ * Priority: NEXT_PUBLIC_APP_URL > localhost
+ */
+declare function getBaseUrl(mode?: 'relative' | 'origin'): string;
+/**
+ * Escape HTML special characters to prevent XSS
+ *
+ * Uses single-pass regex replacement for efficiency.
+ */
+declare function escapeHtml(str: string): string;
+/**
+ * Generate a URL-friendly slug from text
+ *
+ * @param text - Text to convert to slug
+ * @param maxLength - Optional maximum length (default: no limit)
+ * @returns Lowercase slug with hyphens
+ *
+ * @example
+ * generateSlug('My Awesome App') // 'my-awesome-app'
+ * generateSlug('Hello   World!') // 'hello-world'
+ * generateSlug('My Org Name', 48) // 'my-org-name' (max 48 chars)
+ */
+declare function generateSlug(text: string, maxLength?: number): string;
+
+/**
+ * User Agent Parsing Utilities
+ *
+ * Extracts browser, OS, and device type from user agent strings.
+ * Simple implementation - no external dependencies.
+ */
+interface ParsedUserAgent {
+    browser: string | null;
+    os: string | null;
+    deviceType: 'desktop' | 'mobile' | 'tablet' | null;
+}
+/**
+ * Parse a user agent string to extract browser, OS, and device type.
+ * Returns null values if unable to determine.
+ */
+declare function parseUserAgent(ua: string): ParsedUserAgent;
+
+/**
+ * Authentication Configuration (SSOT)
+ *
+ * Single source of truth for authentication-related constants.
+ * Used by: validation schemas, auth forms, password policies
+ */
+/** Minimum password length */
+declare const MIN_PASSWORD_LENGTH = 8;
+/** Maximum password length */
+declare const MAX_PASSWORD_LENGTH = 128;
+/** Password requirements for display in UI */
+declare const PASSWORD_REQUIREMENTS: {
+    readonly minLength: 8;
+    readonly maxLength: 128;
+    readonly description: "Must be at least 8 characters";
+    readonly placeholder: "Min. 8 characters";
+};
+
+/**
+ * Billing Configuration (SSOT)
+ *
+ * Single source of truth for billing-related configuration.
+ * Used by: billing pages, usage tracking, invoicing
+ */
+/** Bytes per gigabyte — use instead of hardcoding 1024*1024*1024 */
+declare const BYTES_PER_GB: number;
+/** Microdollars per cent ($0.01 = 10,000 microdollars) */
+declare const MICRODOLLARS_PER_CENT = 10000;
+/** Invoice payment due after billing period ends (days) */
+declare const INVOICE_DUE_DAYS = 15;
+/**
+ * Billing metrics per service
+ * These are user-facing metric names (NOT technical terms like 'commands')
+ */
+declare const SERVICE_METRICS: {
+    readonly kv: {
+        readonly operations: "operations";
+        readonly storage: "storage";
+    };
+    readonly realtime: {
+        readonly messages: "messages";
+        readonly connections: "connections";
+    };
+    readonly ai: {
+        readonly tokens: "tokens";
+    };
+    readonly email: {
+        readonly emails: "emails";
+        readonly marketingEmails: "marketing_emails";
+    };
+    readonly notifications: {
+        readonly sends: "sends";
+    };
+    readonly analytics: {
+        readonly events: "events";
+        readonly forwarding: "forwarding";
+    };
+    readonly storage: {
+        readonly capacity: "capacity";
+        readonly uploads: "uploads";
+        readonly egress: "egress";
+    };
+    readonly auth: {
+        readonly mau: "mau";
+    };
+    readonly flags: {
+        readonly evaluations: "evaluations";
+    };
+    readonly consent: {
+        readonly records: "records";
+    };
+    readonly referrals: {
+        readonly conversions: "conversions";
+    };
+    readonly engagement: {
+        readonly operations: "operations";
+    };
+    readonly billing: {
+        readonly subscriptions: "subscriptions";
+        readonly usageRecords: "usage_records";
+    };
+    readonly search: {
+        readonly documents: "documents";
+        readonly searches: "searches";
+    };
+    readonly webhooks: {
+        readonly deliveries: "deliveries";
+    };
+    readonly monitoring: {
+        readonly errors: "errors";
+    };
+    readonly jobs: {
+        readonly invocations: "invocations";
+        readonly cronSchedules: "cron_schedules";
+    };
+    readonly database: {
+        readonly computeSeconds: "compute_seconds";
+        readonly storage: "storage";
+        readonly dataTransferBytes: "data_transfer_bytes";
+    };
+    readonly deploy: {
+        readonly buildMinutes: "build_minutes";
+    };
+};
+/** Active vCPU rate: $0.024/hr = $0.0004/min = 400 microdollars/min (ADR-034) */
+declare const COMPUTE_VCPU_ACTIVE_RATE_MICRODOLLARS = 400;
+/** Idle vCPU rate: $0.003/hr = $0.00005/min = 50 microdollars/min — 1/8 of active (ADR-034) */
+declare const COMPUTE_VCPU_IDLE_RATE_MICRODOLLARS = 50;
+/** RAM rate: $0.010/GB-hr = $0.000167/GB-min = 167 microdollars/GB-min (ADR-034) */
+declare const COMPUTE_RAM_RATE_MICRODOLLARS = 167;
+/** Build minute prices by machine type in microdollars per minute (ADR-034) */
+declare const BUILD_MINUTE_PRICES: Record<string, number>;
+/** Build minute size multipliers for quota tracking (ADR-034) */
+declare const BUILD_SIZE_MULTIPLIERS: Record<string, number>;
+/** Build minutes included per month by plan tier (ADR-034) */
+declare const BUILD_MINUTES_INCLUDED: Record<string, number>;
+/**
+ * @deprecated Use BUILD_MINUTE_PRICES.standard instead (ADR-034).
+ * Kept for backward compatibility with existing billing pipelines.
+ *
+ * CI compute-minute price in microdollars.
+ * Now references the standard build machine rate from ADR-034.
+ */
+declare const CI_BUILD_MINUTE_PRICE_MICRODOLLARS: number;
+/**
+ * @deprecated Use BUILD_MINUTES_INCLUDED[plan] instead (ADR-034).
+ * Kept for backward compatibility. Maps to the `team` tier as the
+ * previous default (2,000 free minutes).
+ */
+declare const CI_FREE_MINUTES_PER_MONTH: number;
+/**
+ * Size multipliers for CI compute-minute accounting (legacy GitHub labels).
+ *
+ * Keys are **GitHub Actions runner labels** (not build machine type names).
+ * These labels arrive on workflow_job webhooks and are stored as-is in
+ * githubCiJobs.resourceClass. The billing pipeline maps them to multipliers
+ * here; the build pipeline maps them to BuildMachineType via
+ * normalizeBuildMachineType() in build-machine.ts.
+ *
+ * @see BUILD_SIZE_MULTIPLIERS for canonical build machine multipliers (ADR-034).
+ */
+declare const CI_SIZE_MULTIPLIERS: Record<string, number>;
+/** macOS runner per-size multipliers (ADR-035: per-tier billing) */
+declare const CI_MACOS_SIZE_MULTIPLIERS: Record<string, number>;
+/** @deprecated Use CI_MACOS_SIZE_MULTIPLIERS[size] instead. */
+declare const CI_MACOS_MULTIPLIER: number;
+type ServiceMetrics = typeof SERVICE_METRICS;
+type KvMetric = keyof typeof SERVICE_METRICS.kv;
+type RealtimeMetric = keyof typeof SERVICE_METRICS.realtime;
+/** Credit expiry period in months */
+declare const CREDIT_EXPIRY_MONTHS = 12;
+/** Maximum payment retry attempts before suspending account */
+declare const MAX_PAYMENT_ATTEMPTS = 3;
+/** Roles that can access billing pages */
+declare const BILLING_ALLOWED_ROLES: readonly ["super_admin", "admin", "billing"];
+type BillingAllowedRole = (typeof BILLING_ALLOWED_ROLES)[number];
+/** Check if a role has billing access */
+declare function hasBillingAccess(role: string): boolean;
+
+/**
+ * Console SDK Key Utilities
+ *
+ * The Platform Console is Customer Zero — it uses the exact same key format
+ * as every other customer: pk_{env}_{ref}_{hex} / sk_{env}_{ref}_{hex}.
+ *
+ * No special key construction. No legacy app_* format. No special lookup paths.
+ *
+ * Keys are set via environment variables, just like any customer app:
+ *   NEXT_PUBLIC_SYLPHX_KEY   = pk_prod_nlbaz63pd2gz_97ef4f90c48e7378b0f00a1e2cb8c15e
+ *   SYLPHX_SECRET_KEY        = sk_prod_nlbaz63pd2gz_edea406b7988099f5826c143b0f6bd94...
+ */
+/** Console project slug — must match bootstrap.ts PLATFORM_CONSOLE_APP.slug */
+declare const CONSOLE_APP_SLUG = "sylphx-console";
+/**
+ * Determine environment prefix from build/runtime environment.
+ * Used by sdk-cookies.ts for cookie naming until it migrates to SDK-native getCookieNames().
+ * NOTE: still actively consumed by sdk-cookies.ts and sdk-login.ts — remove only after
+ * those modules parse the env prefix from NEXT_PUBLIC_SYLPHX_KEY directly.
+ */
+declare function getEnvPrefix(): 'dev' | 'stg' | 'prod';
+
+/**
+ * Platform Plan Tiers — SSOT
+ *
+ * Defines the Sylphx Platform plan tier system (ADR-034).
+ * NOTE: This is for *platform* plans (what the organization pays Sylphx for).
+ *       It is separate from `plans` (which are in-app subscription products
+ *       that customers create for their own end-users).
+ *
+ * All prices in cents (USD). Credits in microdollars (1 USD = 1,000,000 µ$).
+ *
+ * ADR-034 tiers: Free → Pro ($20/mo) → Team ($20/user/mo) → Enterprise (custom)
+ * The 'starter' tier is deprecated but kept in the type union for backward
+ * compatibility with existing database rows and API consumers.
+ */
+/**
+ * Platform plan identifiers.
+ * 'starter' is deprecated (ADR-034) — retained for backward compat with existing records.
+ */
+type PlatformPlanId = 'free' | 'starter' | 'pro' | 'team' | 'enterprise';
+type BuildMachineTier = 'standard' | 'large' | 'xlarge';
+interface PlatformPlanLimits {
+    /** Max projects across all environments */
+    maxProjects: number | null;
+    /** Max organization members */
+    maxMembers: number | null;
+    /** Max custom domains */
+    maxCustomDomains: number | null;
+    /** Max concurrent CI runners */
+    maxConcurrentRunners: number | null;
+    /** Max concurrent macOS CI runners */
+    maxMacosRunners: number | null;
+    /** Max managed databases */
+    maxDatabases: number | null;
+    /** CI job max duration in seconds */
+    ciMaxJobDurationSeconds: number;
+    /** API rate limit (requests per minute) */
+    apiRateLimitPerMin: number;
+    /** Audit log retention in days (0 = off) */
+    auditLogDays: number;
+    /** Max replicas per service (null = custom/negotiated) */
+    maxReplicas: number | null;
+    /** Included build minutes per billing period */
+    includedBuildMinutes: number;
+    /** Included outbound bandwidth in GB per billing period */
+    includedBandwidthGb: number;
+    /** Log retention in days */
+    logRetentionDays: number;
+    /** Build machine tier determining build speed */
+    buildMachineTier: BuildMachineTier;
+}
+interface PlatformPlanFeatures {
+    /** Custom domain support */
+    customDomains: boolean;
+    /** SSO / SAML support */
+    sso: boolean;
+    /** Priority CI queue */
+    priorityCi: boolean;
+    /** macOS CI runners */
+    macosCi: boolean;
+    /** Shared / Priority / Dedicated */
+    support: 'community' | 'email' | 'priority' | 'dedicated';
+    /** SLA uptime guarantee string (e.g. '99.9%') */
+    sla: string | null;
+    /** Role-based access control */
+    rbac: boolean;
+    /** Advanced analytics / insights */
+    advancedAnalytics: boolean;
+    /** White-label branding removal */
+    whiteLabel: boolean;
+}
+interface PlatformPlanDefinition {
+    id: PlatformPlanId;
+    name: string;
+    /** Monthly price in cents (0 = free, null = custom) */
+    priceMonthly: number | null;
+    /** Annual price in cents, ~20% discount (null = custom or N/A) */
+    priceAnnual: number | null;
+    /** Included platform compute credits per billing period (microdollars) */
+    includedCreditsMicrodollars: number;
+    /** Whether price is per seat (per member) — Team plan */
+    perSeat?: boolean;
+    features: PlatformPlanFeatures;
+    limits: PlatformPlanLimits;
+    /** Marketing bullet points for pricing cards */
+    highlights: string[];
+    /** Optional badge label (e.g. "Most Popular") */
+    badge?: string;
+    /** CTA button text */
+    cta: string;
+    /** Whether this is a custom/enterprise plan with contact sales flow */
+    isCustom?: boolean;
+    /**
+     * Deprecated plan — no longer available for new subscriptions.
+     * Existing subscribers are grandfathered until they change plans.
+     */
+    deprecated?: boolean;
+}
+declare const PLATFORM_PLANS: Record<PlatformPlanId, PlatformPlanDefinition>;
+/** Active (non-deprecated) plan IDs for display in pricing UI */
+declare const PLATFORM_PLAN_ORDER: PlatformPlanId[];
+/**
+ * Full plan order including deprecated tiers.
+ * Useful for admin screens and migration tooling that must handle legacy plans.
+ */
+declare const PLATFORM_PLAN_ORDER_ALL: PlatformPlanId[];
+/** Check whether a plan is deprecated and should not be offered to new subscribers */
+declare function isPlanDeprecated(planId: PlatformPlanId): boolean;
+/** Get only active (non-deprecated) plan definitions, in display order */
+declare function getActivePlans(): PlatformPlanDefinition[];
+/** Convert microdollars to human-readable dollar string (e.g. "$5") */
+declare function microsToDollars(microdollars: number): string;
+/** Convert cents to human-readable dollar string (e.g. "$19") */
+declare function centsToDollars(cents: number): string;
+/** Get monthly price display string */
+declare function getPlanMonthlyPrice(plan: PlatformPlanDefinition, annual?: boolean): string;
+
+/**
+ * Instance Type Catalog — SSOT
+ *
+ * Defines the compute instance types available for Sylphx platform workloads.
+ * Each instance type maps to Kubernetes resource requests/limits for kata-clh
+ * (Cloud Hypervisor) microVMs, along with billing rates and plan eligibility.
+ *
+ * Rates are in microdollars (1 USD = 1,000,000 µ$) per minute.
+ *
+ * Memory overcommit (ADR-028): CLH uses demand paging (mmap without MAP_POPULATE).
+ * Host physical RAM is allocated on-demand as guest pages are touched, NOT pre-allocated
+ * at VM boot. Verified 2026-03-30: a pod with limits=4Gi only consumed +8Mi host RAM
+ * when idle. Memory requests are set to 50% of limits (2x overcommit) for efficient
+ * scheduler bin-packing. CPU requests are 25% of limits (4x overcommit).
+ *
+ * ADR-034 T-shirt sizing: canonical names are xs/sm/md/lg/xl/2xl/4xl.
+ * Legacy names (starter-1x, standard-1x, etc.) are kept as aliases for backward
+ * compatibility with existing database values and API consumers.
+ */
+
+type InstanceTypeId = 'xs' | 'sm' | 'md' | 'lg' | 'xl' | '2xl' | '4xl' | 'starter-1x' | 'standard-1x' | 'standard-2x' | 'performance-m' | 'performance-l' | 'performance-xl';
+interface InstanceTypeDefinition {
+    id: InstanceTypeId;
+    name: string;
+    /** Kubernetes CPU limit (e.g. '2000m') */
+    cpuLimit: string;
+    /** Kubernetes memory limit (e.g. '8Gi') */
+    memoryLimit: string;
+    /** Kubernetes CPU request (e.g. '500m') */
+    cpuRequest: string;
+    /** Kubernetes memory request (50% of limit — CLH demand paging, ADR-028) */
+    memoryRequest: string;
+    /** Billing vCPU count for metering denormalization */
+    vcpus: number;
+    /** Billing memory in MiB for metering denormalization */
+    memoryMib: number;
+    /** Rate per vCPU per minute in microdollars */
+    vcpuMinuteRateMicrodollars: number;
+    /** Rate per GiB per minute in microdollars */
+    gbMinuteRateMicrodollars: number;
+    /** Platform plans that may provision this instance type */
+    allowedPlans: PlatformPlanId[];
+    /**
+     * Maximum KEDA ScaledObject replica count for this instance type tier.
+     * Caps the ScaledObject maxReplicaCount to prevent runaway scaling
+     * on smaller tiers. Users can set a lower per-service max via scalingConfig.max,
+     * but never exceed this ceiling.
+     */
+    maxReplicas: number;
+    /** Marketing bullet points for instance type cards */
+    highlights: string[];
+    /** Whether this instance type is deprecated (legacy name) */
+    deprecated?: boolean;
+}
+/**
+ * Maps legacy instance type names to their canonical T-shirt size equivalents (ADR-034).
+ *
+ * Database values and API consumers may still use old names — this mapping lets
+ * resolveInstanceType() transparently return the canonical definition without
+ * requiring a data migration.
+ */
+declare const INSTANCE_TYPE_ALIASES: Record<string, string>;
+/**
+ * Resolve a potentially-aliased instance type ID to its canonical T-shirt size.
+ * Returns the input unchanged if it is already canonical or unknown.
+ *
+ * Use for display/UI and when accepting user input for NEW configurations.
+ * Do NOT use in runtime paths (billing, K8s reconciler) — both old and new names
+ * exist in INSTANCE_TYPES with their original specs, so direct lookup is correct
+ * and avoids changing billing/resource behavior for existing services.
+ */
+declare function resolveCanonicalInstanceType(id: string): string;
+declare const INSTANCE_TYPES: Record<InstanceTypeId, InstanceTypeDefinition>;
+/** Ordered list of canonical instance type IDs for display (smallest to largest) */
+declare const INSTANCE_TYPE_ORDER: InstanceTypeId[];
+/**
+ * @deprecated Use INSTANCE_TYPE_ORDER instead.
+ * Ordered list of legacy instance type IDs — kept for backward compat.
+ */
+declare const LEGACY_INSTANCE_TYPE_ORDER: InstanceTypeId[];
+/** Get the default instance type for a given platform plan */
+declare function getDefaultInstanceType(plan: PlatformPlanId): InstanceTypeId;
+/** Get all canonical (non-deprecated) instance types available for a given platform plan, in display order */
+declare function getAvailableInstanceTypes(plan: PlatformPlanId): InstanceTypeDefinition[];
+/** Resolve Kubernetes resource spec for a given instance type (accepts aliases) */
+declare function resolveResources(id: InstanceTypeId): {
+    requests: {
+        cpu: string;
+        memory: string;
+    };
+    limits: {
+        cpu: string;
+        memory: string;
+    };
+};
+/** Resolve the KEDA ScaledObject maxReplicaCount ceiling for a given instance type */
+declare function resolveMaxReplicas(id: InstanceTypeId): number;
+/** Default KEDA maxReplicaCount when no instance type is resolved (legacy/unmanaged services) */
+declare const DEFAULT_MAX_REPLICAS = 10;
+/** Type guard: check if an arbitrary string is a valid InstanceTypeId (including legacy aliases) */
+declare function isValidInstanceType(id: string): id is InstanceTypeId;
+/** Validate that an instance type exists and is permitted for the given plan */
+declare function validateInstanceTypeForPlan(id: string, plan: PlatformPlanId): {
+    valid: boolean;
+    error?: string;
+};
+
 /**
  * SDK Debug Mode
  *
@@ -874,11 +1633,22 @@ declare function isRetryableError(error: unknown): boolean;
 /**
  * Extract error message from any error type
  */
-declare function getErrorMessage(error: unknown): string;
+declare function getErrorMessage(error: unknown, fallback?: string): string;
 /**
  * Get error code from any error type
  */
 declare function getErrorCode(error: unknown): SylphxErrorCode;
+interface ErrorDetails {
+    readonly message: string;
+    readonly code?: string;
+    readonly name?: string;
+    readonly stack?: string;
+    readonly status?: number;
+    readonly cause?: unknown;
+}
+declare function getErrorDetails(error: unknown, fallbackMessage?: string): ErrorDetails;
+declare function getSafeErrorMessage(error: unknown, fallback?: string): string;
+declare function isChallengeRequired(err: unknown): boolean;
 /**
  * Convert any error to SylphxError
  */
@@ -1810,438 +2580,479 @@ interface PaginatedResponse<T> {
 }
 
 /**
- * Auth Functions
- *
- * Pure functions for authentication - no hidden state.
- * Each function takes config as the first parameter.
- *
- * Uses REST API at /api/sdk/auth/* for all operations.
+ * DPoP — Demonstration of Proof-of-Possession (RFC 9449 / ADR-089 Phase 5.1e).
  *
- * Types are re-exported from `@sylphx/contract` (ADR-084). The contract is
- * the single source of truth for every wire shape — this module only adds
- * SDK-specific ergonomics (User brand swap, introspection result, invite
- * envelopes, org-token claims).
+ * Client-side helpers for sender-constrained access tokens. Built on
+ * `crypto.subtle` with no runtime dependencies.
  */
+declare const dpop: {
+    /**
+     * Generate a fresh ES256 key pair. Private key is non-extractable
+     * (`extractable: false`) so it can be stored but never serialised.
+     */
+    readonly generateKeyPair: () => Promise<{
+        readonly privateKey: CryptoKey;
+        readonly publicKey: CryptoKey;
+        readonly thumbprint: string;
+    }>;
+    /**
+     * Sign a DPoP proof JWT. When `accessToken` is provided, the proof
+     * includes `ath = base64url(sha256(accessToken))` so the resource
+     * server can bind the proof to the token being presented.
+     */
+    readonly generateProof: (opts: {
+        readonly privateKey: CryptoKey;
+        readonly publicKey: CryptoKey;
+        readonly method: string;
+        readonly uri: string;
+        readonly accessToken?: string;
+        readonly nonce?: string;
+    }) => Promise<string>;
+};
 
-type LoginRequest = LoginRequest$1;
-type LoginResponse = LoginResponse$1;
-type RegisterRequest = RegisterRequest$1;
-type RegisterResponse = RegisterResponse$1;
-type ResendEmailVerificationRequest = ResendEmailVerificationRequest$1;
-type ResendEmailVerificationResponse = ResendEmailVerificationResponse$1;
 /**
- * Token response — contract's `AuthTokensResponse.user` (optional `AuthUser`)
- * is re-mapped to the SDK's broader `User` type so legacy callers keep the
- * familiar brand. `AuthUser` and `User` are structurally identical, but
- * the SDK surface has wider reach (cookies, middleware, React hooks) and
- * renaming is out of scope for ADR-084 cleanup.
+ * OAuth token endpoint contract helpers.
+ *
+ * Keeps RFC 6749/8628 request encoding, success decoding, and error decoding
+ * type-bound to `@sylphx/contract` while using SDK-local runtime guards so the
+ * published Promise SDK does not import Effect internals.
  */
-type TokenResponse = Omit<AuthTokensResponse, 'user'> & {
-    user: User;
+
+type OAuthTokenResult = OAuthTokenResponse;
+type OAuthClientCredentialsResult = OAuthClientCredentialsResponse;
+type OAuthTokenEndpointError = OAuthTokenErrorResponse['error'];
+type OAuthPollError = OAuthTokenEndpointError | 'oauth_error';
+type OAuthPollResult = {
+    readonly ok: true;
+    readonly tokens: OAuthTokenResult;
+} | {
+    readonly ok: false;
+    readonly error: OAuthPollError;
+    readonly status: number;
 };
-type TwoFactorVerifyRequest = TwoFactorVerifyRequest$1;
+
 /**
- * `GET /auth/me` — contract's `UserFullProfile` already includes the
- * optional `emailVerified` flag the backend returns, so the SDK can just
- * alias the contract type directly.
+ * Platform refresh-token rotation and logout SDK namespace.
  */
-type MeResponse = UserFullProfile$1;
+
+type PlatformRefreshInput = RefreshTokenInput;
+type PlatformRefreshResult = RefreshTokenResult;
+type PlatformLogoutInput = LogoutInput;
+declare const platformAuth: {
+    readonly refresh: (opts: {
+        readonly baseUrl: string;
+        readonly refreshToken: string;
+        readonly userAgent?: string;
+        /**
+         * Path prefix between `baseUrl` and the resource path. Defaults
+         * to `/api/v1` for back-compat with the admin-override host
+         * (`sylphx.com`). Pass `/v1` when targeting the canonical host
+         * (`api.sylphx.com`) per Rule 17.
+         */
+        readonly urlPrefix?: string;
+    }) => Promise<PlatformRefreshResult>;
+    readonly logout: (opts: {
+        readonly baseUrl: string;
+        readonly refreshToken: string;
+        readonly userAgent?: string;
+        /** See `refresh.urlPrefix`. */
+        readonly urlPrefix?: string;
+    }) => Promise<void>;
+};
+
 /**
- * Token introspection result (RFC 7662)
+ * Platform impersonation SDK namespace.
+ *
+ * Covers the ADR-089 Phase 3b legacy helpers and Phase 5.9 WebAuthn
+ * step-up + target-consent workflow.
  */
-interface TokenIntrospectionResult {
-    /** Whether the token is active/valid */
-    active: boolean;
-    /** Token type (access_token or refresh_token) */
-    token_type?: 'access_token' | 'refresh_token';
-    /** User ID */
-    sub?: string;
-    /** User email */
-    email?: string;
-    /** User name */
-    name?: string;
-    /** App ID */
-    client_id?: string;
-    /** Audience */
-    aud?: string;
-    /** Issuer */
-    iss?: string;
-    /** Expiration time (Unix timestamp) */
-    exp?: number;
-    /** Issued at time (Unix timestamp) */
-    iat?: number;
-    /** User role */
-    role?: string;
-    /** Email verification status */
-    email_verified?: boolean;
+interface ImpersonationStartResult {
+    readonly success: true;
+    readonly token: string;
+    readonly sessionId: string;
+    readonly expiresAt: string;
 }
-/**
- * Token revocation options
- */
-interface RevokeTokenOptions {
-    /** Revoke all tokens for a user in this app */
-    revokeAll?: boolean;
-    /** User ID (required when revoking all) */
-    userId?: string;
+interface ImpersonationEndResult {
+    readonly success: boolean;
+    readonly sessionsEnded: number;
 }
-interface SessionResult {
-    user: {
-        id: string;
-        email: string;
-        name: string | null;
-        image: string | null;
-        emailVerified: boolean;
-    } | null;
+interface ImpersonationInfo {
+    readonly isImpersonation: true;
+    readonly adminUserId: string;
+    readonly adminEmail: string;
+    readonly adminName: string | null;
+    readonly impersonatedAt: string;
 }
-/**
- * Extended registration input with metadata and invitation token support.
- * Use extendedSignUp() when you need to pass metadata or an invitation token.
- */
-interface RegisterInput {
-    email: string;
-    password: string;
-    name?: string;
-    metadata?: Record<string, unknown>;
-    invitationToken?: string;
+interface ImpersonationActive {
+    readonly sessionId: string;
+    readonly adminUserId: string;
+    readonly adminEmail: string;
+    readonly adminName: string | null;
+    readonly targetUserId: string;
+    readonly targetEmail: string;
+    readonly targetName: string | null;
+    readonly impersonatedAt: string;
+    readonly lastActiveAt: string;
 }
-/**
- * Org context claims present in org-scoped tokens (after switch-org).
- *
- * The JWT carries the role key only. Permissions are resolved server-side
- * via cached role→permissions lookup (WorkOS pattern). This keeps
- * tokens small and ensures permission changes take effect without token refresh.
- */
-interface OrgTokenPayload {
-    org_id: string;
-    org_slug: string;
-    /** RBAC role key (e.g. "hr_manager", "admin"). Permissions resolved server-side. */
-    org_role: string;
+interface ImpersonationStartChallengeInput {
+    readonly baseUrl: string;
+    readonly accessToken: string;
+    readonly targetUserId: string;
+    readonly reason: string;
+    readonly userAgent?: string;
 }
-interface OrgScopedTokenResponse {
-    /** Org-scoped access token. */
-    token: string;
-    /** Org-scoped access token, matching the SDK's token naming convention. */
-    accessToken: string;
-    /** Token lifetime in seconds, when provided by the runtime. */
-    expiresIn?: number;
-    /** Bearer token type, when provided by the runtime. */
-    tokenType?: string;
-    /** User envelope returned by the runtime for session hydration. */
-    user?: User;
+interface ImpersonationChallenge {
+    readonly requestId: string;
+    readonly challengeKey: string;
+    readonly webauthnOptions: {
+        readonly challenge: string;
+        readonly rpId?: string;
+        readonly allowCredentials: ReadonlyArray<{
+            readonly id: string;
+            readonly type: 'public-key';
+            readonly transports?: readonly string[];
+        }>;
+        readonly userVerification: 'required';
+        readonly timeout: number;
+    };
 }
-/**
- * Invite a user request payload.
- */
-interface InviteUserRequest {
-    email: string;
-    metadata?: Record<string, unknown>;
-    redirectUrl?: string;
+interface ImpersonationStartStepupInput {
+    readonly baseUrl: string;
+    readonly accessToken: string;
+    readonly requestId: string;
+    readonly challengeKey: string;
+    readonly assertion: unknown;
+    readonly emergencyBypass?: boolean;
+    readonly userAgent?: string;
 }
-/**
- * Response from inviteUser.
- */
-interface InviteUserResponse {
-    invitationToken: string;
-    expiresAt: string;
+type ImpersonationStartStepupResult = {
+    readonly branch: 'emergency';
+    readonly requestId: string;
+    readonly token: string;
+    readonly sessionId: string;
+    readonly expiresAt: string;
+} | {
+    readonly branch: 'awaiting-consent';
+    readonly requestId: string;
+    readonly consentDeadline: string;
+};
+type ImpersonationConsentDecision = 'approve' | 'deny';
+type ImpersonationConsentResponse = {
+    readonly branch: 'approved';
+    readonly requestId: string;
+    readonly token: string;
+    readonly sessionId: string;
+    readonly expiresAt: string;
+} | {
+    readonly branch: 'denied';
+    readonly requestId: string;
+};
+interface ImpersonationRequestRow {
+    readonly id: string;
+    readonly operatorId: string;
+    readonly targetUserId: string;
+    readonly reason: string;
+    readonly status: 'awaiting-stepup' | 'awaiting-consent' | 'active' | 'denied' | 'expired' | 'ended' | 'revoked';
+    readonly emergencyBypass: boolean;
+    readonly sessionId: string | null;
+    readonly consentDeadline: string | null;
+    readonly startedAt: string | null;
+    readonly endedAt: string | null;
+    readonly createdAt: string;
 }
+declare const impersonation: {
+    readonly start: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly targetUserId: string;
+        readonly ipAddress?: string;
+        readonly userAgent?: string;
+    }) => Promise<ImpersonationStartResult>;
+    readonly end: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly sessionId?: string;
+        readonly userAgent?: string;
+    }) => Promise<ImpersonationEndResult>;
+    readonly info: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly sessionId: string;
+        readonly userAgent?: string;
+    }) => Promise<ImpersonationInfo | null>;
+    readonly active: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly userAgent?: string;
+    }) => Promise<readonly ImpersonationActive[]>;
+    readonly startChallenge: (opts: ImpersonationStartChallengeInput) => Promise<ImpersonationChallenge>;
+    readonly startStepup: (opts: ImpersonationStartStepupInput) => Promise<ImpersonationStartStepupResult>;
+    readonly respondConsent: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly requestId: string;
+        readonly decision: ImpersonationConsentDecision;
+        readonly userAgent?: string;
+    }) => Promise<ImpersonationConsentResponse>;
+    readonly listRequests: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly filter?: {
+            readonly operatorId?: string;
+            readonly targetUserId?: string;
+            readonly status?: ImpersonationRequestRow["status"];
+            readonly limit?: number;
+        };
+        readonly userAgent?: string;
+    }) => Promise<readonly ImpersonationRequestRow[]>;
+    readonly endSession: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
+        readonly requestId: string;
+        readonly userAgent?: string;
+    }) => Promise<{
+        success: true;
+        requestId: string;
+        sessionId: string | null;
+    }>;
+};
+
 /**
- * Sign in with email and password
- *
- * @example
- * ```typescript
- * const result = await signIn(config, { email: 'user@example.com', password: 'secret' })
- * if (result.requiresTwoFactor) {
- *   // Handle 2FA flow
- * } else {
- *   // Save tokens
- *   const authenticatedConfig = withToken(config, result.accessToken!)
- * }
- * ```
- */
-declare function signIn(config: SylphxConfig, input: LoginRequest): Promise<LoginResponse>;
-/**
- * Sign up with email and password
- *
- * @example
- * ```typescript
- * const result = await signUp(config, {
- *   email: 'user@example.com',
- *   password: 'secret',
- *   name: 'John Doe',
- * })
- * // User needs to verify email
- * ```
- */
-declare function signUp(config: SylphxConfig, input: RegisterRequest): Promise<RegisterResponse>;
-/**
- * Sign out (revoke tokens)
- *
- * @example
- * ```typescript
- * await signOut(config)
- * ```
- */
-declare function signOut(config: SylphxConfig): Promise<void>;
-/**
- * Refresh access token
- *
- * @example
- * ```typescript
- * const tokens = await refreshToken(config, refreshTokenString)
- * const newConfig = withToken(config, tokens.accessToken)
- * ```
- */
-declare function refreshToken(config: SylphxConfig, token: string): Promise<TokenResponse>;
-/**
- * Verify email with token
- *
- * @example
- * ```typescript
- * await verifyEmail(config, token)
- * ```
- */
-declare function verifyEmail(config: SylphxConfig, token: string): Promise<void>;
-/**
- * Request password reset email
- *
- * @example
- * ```typescript
- * await forgotPassword(config, 'user@example.com', {
- *   redirectUrl: 'https://app.example.com/reset-password'
- * })
- * ```
- */
-declare function forgotPassword(config: SylphxConfig, email: string, options?: {
-    redirectUrl?: string;
-}): Promise<void>;
-/**
- * Request a verification email resend.
- *
- * The Platform response is intentionally privacy-preserving: it never
- * indicates whether the email exists or is already verified.
- *
- * @example
- * ```typescript
- * await resendVerificationEmail(config, 'user@example.com')
- * ```
- */
-declare function resendVerificationEmail(config: SylphxConfig, email: string): Promise<void>;
-/**
- * Reset password with token
- *
- * @example
- * ```typescript
- * await resetPassword(config, { token, password: 'newpassword' })
- * ```
- */
-declare function resetPassword(config: SylphxConfig, input: {
-    token: string;
-    password: string;
-}): Promise<void>;
-/**
- * Get current session (requires authenticated config)
- *
- * @example
- * ```typescript
- * const session = await getSession(authenticatedConfig)
- * if (session.user) {
- *   console.log(`Logged in as ${session.user.email}`)
- * }
- * ```
- */
-declare function getSession(config: SylphxConfig): Promise<SessionResult>;
-/**
- * Verify 2FA code (when signIn returns requiresTwoFactor: true)
- *
- * @example
- * ```typescript
- * const result = await signIn(config, credentials)
- * if (result.requiresTwoFactor) {
- *   const tokens = await verifyTwoFactor(config, result.userId!, code)
- * }
- * ```
- */
-declare function verifyTwoFactor(config: SylphxConfig, userId: string, code: string): Promise<TokenResponse>;
-/**
- * Introspect a token to check its validity (RFC 7662)
- *
- * Use this to verify token status without decoding. Essential for:
- * - Checking if a token has been revoked
- * - Validating tokens at the edge
- * - Security-critical operations
- *
- * @example
- * ```typescript
- * const result = await introspectToken(config, accessToken)
- * if (!result.active) {
- *   // Token is invalid, revoked, or expired
- *   await refreshTokens()
- * }
- * ```
- */
-declare function introspectToken(config: SylphxConfig, token: string, tokenTypeHint?: 'access_token' | 'refresh_token'): Promise<TokenIntrospectionResult>;
-/**
- * Revoke a token (RFC 7009)
- *
- * Use cases:
- * - Sign out user from specific device
- * - Security response to compromised token
- * - User-initiated session termination
- *
- * @example
- * ```typescript
- * // Revoke single refresh token
- * await revokeToken(config, refreshToken)
+ * Platform JWT verification and cookie-session resolution.
  *
- * // Revoke all tokens for a user (logout everywhere)
- * await revokeToken(config, '', { revokeAll: true, userId: 'user-123' })
- * ```
+ * This module owns the SDK's hot-path Platform auth helpers: cached JWKS
+ * verification for bearer tokens and cached cookie-based user resolution.
  */
-declare function revokeToken(config: SylphxConfig, token: string, options?: RevokeTokenOptions): Promise<void>;
 /**
- * Revoke all tokens for a user (logout from all devices)
- *
- * Convenience wrapper around revokeToken with revokeAll option.
- *
- * @example
- * ```typescript
- * // After password change, revoke all sessions
- * await revokeAllTokens(config, userId)
- * ```
+ * Reset the platform-JWKS cache. Tests should call this between cases
+ * to avoid state bleed. Production code relies on the TTL-based
+ * expiry.
  */
-declare function revokeAllTokens(config: SylphxConfig, userId: string): Promise<void>;
+declare function resetPlatformJwksCache(): void;
+interface PlatformAccessTokenClaims {
+    readonly sub: string;
+    readonly pid?: string;
+    readonly email: string;
+    readonly name?: string;
+    readonly picture?: string;
+    readonly email_verified: boolean;
+    readonly app_id: string;
+    readonly role: string;
+    readonly org_id?: string;
+    readonly org_slug?: string;
+    readonly org_role?: string;
+    readonly iat?: number;
+    readonly exp?: number;
+    /**
+     * RFC 7800 confirmation claim — present when the token is sender-
+     * constrained. Today we emit this for DPoP-bound tokens (RFC 9449)
+     * where `cnf.jkt` is the SHA-256 thumbprint of the client's DPoP
+     * public key.
+     *
+     * Resource servers (e.g. apps/api Management plane) that want to
+     * enforce DPoP MUST:
+     *   1. Look up `oauth_clients.dpop_bound_access_tokens` on the
+     *      issuing client to know whether DPoP is required.
+     *   2. If required AND `cnf.jkt` is absent, reject 401.
+     *   3. If `cnf.jkt` is present, verify the inbound `DPoP` header's
+     *      proof JWT and assert its public-key thumbprint matches `jkt`.
+     *
+     * Pre-Wave-5.3 this field was stripped from `verifyAccessToken`'s
+     * return value, making resource-side enforcement impossible without
+     * decoding the JWT a second time. Exposing it preserves the wire
+     * format and unlocks the resource-server DPoP middleware.
+     */
+    readonly cnf?: {
+        readonly jkt?: string;
+    };
+}
 /**
- * Sign up with extended input (metadata + invitation token support).
- *
- * Use this instead of signUp() when you need to:
- * - Pass metadata on registration (e.g., org context, role, referral info)
- * - Register with an invitation token
+ * `verifyAccessToken` — local JWT verification against cached JWKS.
  *
- * @example
- * ```typescript
- * const result = await extendedSignUp(config, {
- *   email: 'user@example.com',
- *   password: 'secret',
- *   name: 'John Doe',
- *   metadata: { orgId: 'org-123', role: 'employee' },
- *   invitationToken: 'inv_...',
- * })
- * ```
- */
-declare function extendedSignUp(config: SylphxConfig, input: RegisterInput): Promise<RegisterResponse>;
-/**
- * Invite a user to sign up for this project.
- * Server-side only (requires secretKey).
- * Sends an email invitation; user signs up via signUp() or extendedSignUp() with the invitation token.
+ * Designed for the Platform API's hot-path auth middleware: JWKS is
+ * fetched once per process (1h TTL), signature/iss/aud/exp
+ * verification is local `jose` — no per-request HTTPS hop.
  *
  * @example
  * ```typescript
- * const invite = await inviteUser(config, {
- *   email: 'newemployee@company.com',
- *   metadata: { role: 'employee', orgId: 'org-123' },
- *   redirectUrl: 'https://app.example.com/signup',
+ * const claims = await auth.verifyAccessToken(bearer, {
+ *   baseUrl: 'https://your-app.api.sylphx.com/v1',
+ *   audience: 'platform',
  * })
- * console.log(invite.invitationToken, invite.expiresAt)
  * ```
  */
-declare function inviteUser(config: SylphxConfig, input: InviteUserRequest): Promise<InviteUserResponse>;
-/**
- * Exchange current user token for an org-scoped token.
- * The returned access_token JWT includes org_id, org_slug, org_role claims.
- *
- * @example
- * const { token } = await getOrgScopedToken(withToken(config, currentToken), 'org_xxx')
- */
-declare function getOrgScopedToken(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
-/**
- * @deprecated Use getOrgScopedToken(config, orgId). Kept as the shorter
- * organization switch alias for existing SDK callers.
- */
-declare function switchOrg(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
-type DeviceInitInput = DeviceInitRequest;
-type DeviceGrant = DeviceInitResponse;
-type DevicePollResult = DevicePollResponse;
-type DeviceApproveInput = DeviceApproveRequest;
-type DeviceApproveResult = DeviceApproveResponse;
-type DeviceDenyInput = DeviceDenyRequest;
-type DeviceDenyResult = DeviceDenyResponse;
+declare function verifyAccessToken(token: string, opts: {
+    readonly baseUrl: string;
+    readonly audience: string;
+}): Promise<PlatformAccessTokenClaims>;
+interface PlatformUserRecord {
+    readonly id: string;
+    readonly email: string;
+    readonly name: string | null;
+    readonly image: string | null;
+    readonly emailVerified: boolean;
+    readonly role: string;
+    readonly twoFactorEnabled: boolean;
+}
+interface PlatformUserResolution {
+    readonly user: PlatformUserRecord;
+    readonly sessionId: string;
+}
+declare function resetPlatformCookieCache(): void;
 /**
- * `device` namespace — RFC 8628 device authorization grant.
- *
- * Used by headless clients (CLI, TV apps, IoT) to authorise via a
- * companion browser instead of reading credentials from env vars.
+ * `cookies` namespace — Platform cookie / session resolution for the
+ * Platform API's hot-path auth middleware (ADR-089 Phase 3b).
  */
-declare const device: {
+declare const cookies: {
     /**
-     * Start a device authorization grant.
+     * Resolve a platform user from a forwarded `Cookie:` header.
      *
-     * Returns a `DeviceGrant` with `verification_uri_complete` (open this
-     * in the user's browser) and `device_code` (use for polling).
+     * Delegates to BaaS `/auth/platform-sessions/whoami`. Caches each
+     * unique cookie string for 30s to avoid hammering BaaS on every
+     * SSR request.
      *
      * @example
      * ```typescript
-     * const grant = await device.init({
+     * const result = await auth.cookies.resolvePlatformUser({
      *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   clientId: 'sylphx-cli',
-     *   scope: ['org:read', 'project:*'],
+     *   cookieHeader: req.headers.get('cookie') ?? '',
      * })
-     * openBrowser(grant.verification_uri_complete)
+     * if (!result) // unauthenticated
      * ```
      */
-    readonly init: (opts: {
+    readonly resolvePlatformUser: (opts: {
         readonly baseUrl: string;
-        readonly clientId: string;
-        readonly scope?: readonly string[];
+        readonly cookieHeader: string;
         readonly userAgent?: string;
-    }) => Promise<DeviceGrant>;
+    }) => Promise<PlatformUserResolution | null>;
+};
+
+/**
+ * Platform OAuth namespace.
+ *
+ * Backs `auth.oauth.*` while keeping OAuth AS protocol handling out of the
+ * monolithic auth module. Public exports are re-exported from `auth.ts`.
+ */
+
+type OAuthIntrospectResult = OAuthIntrospectResponse;
+interface MintAccessTokenClaims {
+    readonly sub: string;
+    readonly email: string;
+    readonly name?: string;
+    readonly email_verified: boolean;
+    readonly app_id: string;
+    readonly role: string;
+    readonly org_id?: string;
+    readonly org_slug?: string;
+    readonly org_role?: string;
+    readonly picture?: string;
+    readonly pid?: string;
+}
+interface MintAccessTokenResult {
+    readonly accessToken: string;
+    readonly expiresIn: number;
+}
+interface OAuthClientCallOpts {
+    readonly baseUrl: string;
+    readonly clientId: string;
+    readonly clientSecret?: string;
+    readonly token: string;
+    readonly tokenTypeHint?: 'access_token' | 'refresh_token';
+    readonly userAgent?: string;
+}
+/**
+ * `oauth` namespace — Platform OAuth operations backed by BaaS.
+ *
+ * Phase 3b adds `mintAccessToken` for the refresh handler migration;
+ * Phase 5.1 layered in full authorization-server verbs
+ * (`/oauth/token`, `/oauth/revoke`, `/oauth/introspect`).
+ */
+declare const oauth: {
     /**
-     * Poll a pending grant. Returns `status: 'pending' | 'approved' |
-     * 'denied' | 'expired'`. On `approved`, the result carries the OAuth
-     * pair (access_token + refresh_token).
+     * Mint a platform-audience access token from supplied claims.
      *
-     * Callers MUST respect the `interval` returned by `init()` — polling
-     * faster than that may return 429 slow_down (RFC 8628 §5.5).
+     * Service-to-service call — authenticated via
+     * `SYLPHX_INTERNAL_TOKEN` shared secret until ADR-068's
+     * SPIFFE SVID mTLS platform-auth flip makes workload identity the
+     * only accepted internal caller credential.
      */
-    readonly poll: (opts: {
+    readonly mintAccessToken: (opts: {
+        readonly baseUrl: string;
+        readonly internalToken: string;
+        readonly claims: MintAccessTokenClaims;
+        readonly userAgent?: string;
+    }) => Promise<MintAccessTokenResult>;
+    readonly exchangeAuthorizationCode: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly clientSecret?: string;
+        readonly code: string;
+        readonly redirectUri: string;
+        readonly codeVerifier: string;
+    }) => Promise<OAuthTokenResult>;
+    readonly refreshAccessToken: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly clientSecret?: string;
+        readonly refreshToken: string;
+        readonly scope?: string;
+    }) => Promise<OAuthTokenResult>;
+    readonly pollDeviceToken: (opts: {
         readonly baseUrl: string;
+        readonly clientId: string;
         readonly deviceCode: string;
+    }) => Promise<OAuthPollResult>;
+    readonly clientCredentialsToken: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly clientSecret: string;
+        readonly scope?: string;
+    }) => Promise<OAuthClientCredentialsResult>;
+    readonly revokeToken: (opts: OAuthClientCallOpts) => Promise<void>;
+    readonly introspectToken: (opts: OAuthClientCallOpts) => Promise<OAuthIntrospectResult>;
+};
+
+/**
+ * Platform password management SDK namespace.
+ *
+ * Backed by `/auth/platform-password/*` on the BaaS runtime. Crypto
+ * primitives and breach checks stay server-side; callers only pass tokens
+ * and plaintext password inputs over the established HTTPS boundary.
+ */
+
+type PlatformPasswordStatusResult = PlatformPasswordStatusResponse;
+type PlatformPasswordSetInput = PlatformPasswordSetRequest;
+type PlatformPasswordSetResult = PlatformPasswordSetResponse;
+type PlatformPasswordChangeInput = PlatformPasswordChangeRequest;
+type PlatformPasswordChangeResult = PlatformPasswordChangeResponse;
+declare const password: {
+    readonly status: (opts: {
+        readonly baseUrl: string;
+        readonly accessToken: string;
         readonly userAgent?: string;
-    }) => Promise<DevicePollResult>;
-    /**
-     * Browser leg — the approving user confirms the grant.
-     *
-     * Requires a valid platform-issued access token (`Authorization:
-     * Bearer <accessToken>`) proving the user is logged in on the
-     * Console. Typically called by the Console's `/device` verification
-     * page server-side, forwarding the user's session JWT.
-     */
-    readonly approve: (opts: {
+    }) => Promise<PlatformPasswordStatusResult>;
+    readonly set: (opts: {
         readonly baseUrl: string;
-        readonly userCode: string;
         readonly accessToken: string;
+        readonly password: string;
         readonly userAgent?: string;
-    }) => Promise<DeviceApproveResult>;
-    /**
-     * Browser leg — the user declines the grant.
-     *
-     * Requires a valid platform-issued access token just like `approve`.
-     */
-    readonly deny: (opts: {
+    }) => Promise<PlatformPasswordSetResult>;
+    readonly change: (opts: {
         readonly baseUrl: string;
-        readonly userCode: string;
         readonly accessToken: string;
+        readonly currentPassword: string;
+        readonly newPassword: string;
         readonly userAgent?: string;
-    }) => Promise<DeviceDenyResult>;
+    }) => Promise<PlatformPasswordChangeResult>;
 };
-type OAuthIntrospectResult = OAuthIntrospectResponse;
-interface OAuthClientCallOpts {
-    readonly baseUrl: string;
-    readonly clientId: string;
-    readonly clientSecret?: string;
-    readonly token: string;
-    readonly tokenTypeHint?: 'access_token' | 'refresh_token';
-    readonly userAgent?: string;
-}
+
+/**
+ * Platform session management SDK namespace.
+ *
+ * Backed by `/auth/platform-sessions/*` on the BaaS runtime. These helpers
+ * accept platform-audience access tokens, not project `pk_`/`sk_` credentials.
+ */
+
 type PlatformSessionsListResult = PlatformSessionsListResponse;
 type PlatformSessionRevokeInput = PlatformSessionRevokeRequest;
 type PlatformSessionRevokeResult = PlatformSessionRevokeResponse;
@@ -2249,110 +3060,28 @@ type PlatformSessionRevokeOtherResult = PlatformSessionRevokeOtherResponse;
 type PlatformSessionRevokeAllResult = PlatformSessionRevokeAllResponse;
 type PlatformSessionRenameInput = PlatformSessionRenameRequest;
 type PlatformSessionRenameResult = PlatformSessionRenameResponse;
-/**
- * `sessions` namespace — Platform-plane (Console / CLI) session
- * management. Backed by `/auth/platform-sessions/*` on the BaaS
- * runtime (ADR-089 Phase 2b). See module header for the full rationale.
- */
 declare const sessions: {
-    /**
-     * List every active platform session for the authenticated user.
-     *
-     * Ordering: most-recently-active first.
-     *
-     * @example
-     * ```typescript
-     * const { sessions } = await auth.sessions.list({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   accessToken: platformJwt,
-     * })
-     * ```
-     */
     readonly list: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
         readonly userAgent?: string;
     }) => Promise<PlatformSessionsListResult>;
-    /**
-     * Revoke a specific platform session by id.
-     *
-     * `sessionId` accepts either the prefixed TypeID (`sess_*`) or the
-     * raw UUID — the BaaS side normalises via `parseIdOrError`.
-     *
-     * @example
-     * ```typescript
-     * await auth.sessions.revoke({
-     *   baseUrl,
-     *   accessToken,
-     *   sessionId: 'sess_01hxyz...',
-     * })
-     * ```
-     */
     readonly revoke: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
         readonly sessionId: string;
         readonly userAgent?: string;
     }) => Promise<PlatformSessionRevokeResult>;
-    /**
-     * Revoke every platform session except the one presenting the
-     * current access token. Used by "sign me out of all other devices".
-     *
-     * When the caller's JWT has no `sid` claim (pure-Bearer CLI/CI
-     * flows), this degenerates to `revokeAll` — every session is
-     * wiped — because there's no "current" row to keep.
-     *
-     * @example
-     * ```typescript
-     * const { revokedCount } = await auth.sessions.revokeOther({
-     *   baseUrl,
-     *   accessToken,
-     * })
-     * ```
-     */
     readonly revokeOther: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
         readonly userAgent?: string;
     }) => Promise<PlatformSessionRevokeOtherResult>;
-    /**
-     * Revoke every platform session for the user, including the
-     * caller's own. Used by "sign me out everywhere" — after a
-     * password change, a compromise scare, or GDPR-style erasure.
-     *
-     * The response includes the count of sessions that were
-     * revoked so the caller can surface it in a toast or audit UI.
-     *
-     * @example
-     * ```typescript
-     * const { count } = await auth.sessions.revokeAll({
-     *   baseUrl,
-     *   accessToken,
-     * })
-     * ```
-     */
     readonly revokeAll: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
         readonly userAgent?: string;
     }) => Promise<PlatformSessionRevokeAllResult>;
-    /**
-     * Rename a platform session (device label).
-     *
-     * `sessionId` accepts either the prefixed TypeID or the raw UUID;
-     * `name` is a user-supplied string (≤100 chars) surfaced in the
-     * "Active sessions" Console UI.
-     *
-     * @example
-     * ```typescript
-     * await auth.sessions.rename({
-     *   baseUrl,
-     *   accessToken,
-     *   sessionId,
-     *   name: 'MacBook (work)',
-     * })
-     * ```
-     */
     readonly rename: (opts: {
         readonly baseUrl: string;
         readonly accessToken: string;
@@ -2361,148 +3090,14 @@ declare const sessions: {
         readonly userAgent?: string;
     }) => Promise<PlatformSessionRenameResult>;
 };
-type PlatformRefreshInput = RefreshTokenInput;
-type PlatformRefreshResult = RefreshTokenResult;
-type PlatformLogoutInput = LogoutInput;
-/**
- * `platformAuth` namespace — Platform-plane refresh-token + logout
- * operations for CLI / Console operators. Body-authenticated via the
- * presented refresh token (no cookie, no Bearer).
- */
-declare const platformAuth: {
-    /**
-     * Rotate a Platform refresh token. The presented token is consumed
-     * single-use; the response carries a fresh access JWT plus the
-     * rotated refresh token that supersedes it.
-     *
-     * On reuse-detection / expiry the server returns 401 — the SDK
-     * preserves the upstream message so callers can pattern-match
-     * `"reuse"` per RFC 6819 §5.2.2.3 and scrub local credentials.
-     *
-     * @example
-     * ```typescript
-     * const tokens = await auth.platformAuth.refresh({
-     *   baseUrl: 'https://sylphx.com',
-     *   refreshToken: stored.refreshToken,
-     * })
-     * ```
-     */
-    readonly refresh: (opts: {
-        readonly baseUrl: string;
-        readonly refreshToken: string;
-        readonly userAgent?: string;
-        /**
-         * Path prefix between `baseUrl` and the resource path. Defaults
-         * to `/api/v1` for back-compat with the admin-override host
-         * (`sylphx.com`). Pass `/v1` when targeting the canonical host
-         * (`api.sylphx.com`) per Rule 17.
-         */
-        readonly urlPrefix?: string;
-    }) => Promise<PlatformRefreshResult>;
-    /**
-     * Revoke a Platform refresh token (logout). Server-side revocation
-     * failure is the caller's call to surface — local-credential cleanup
-     * is the CLI's responsibility (logout must succeed offline).
-     *
-     * @example
-     * ```typescript
-     * await auth.platformAuth.logout({
-     *   baseUrl: 'https://sylphx.com',
-     *   refreshToken: stored.refreshToken,
-     * })
-     * ```
-     */
-    readonly logout: (opts: {
-        readonly baseUrl: string;
-        readonly refreshToken: string;
-        readonly userAgent?: string;
-        /** See `refresh.urlPrefix`. */
-        readonly urlPrefix?: string;
-    }) => Promise<void>;
-};
-type PlatformPasswordStatusResult = PlatformPasswordStatusResponse;
-type PlatformPasswordSetInput = PlatformPasswordSetRequest;
-type PlatformPasswordSetResult = PlatformPasswordSetResponse;
-type PlatformPasswordChangeInput = PlatformPasswordChangeRequest;
-type PlatformPasswordChangeResult = PlatformPasswordChangeResponse;
+
 /**
- * `password` namespace — Platform-plane (Console / CLI) password
- * management. Backed by `/auth/platform-password/*` on the BaaS
- * runtime (ADR-089 Phase 2c). See module header for the full rationale.
+ * Platform user GDPR export and erasure SDK namespace.
+ *
+ * These helpers are backed by `/auth/platform-user/*` on the BaaS runtime
+ * and keep account data operations separate from generic auth/session helpers.
  */
-declare const password: {
-    /**
-     * Check whether the authenticated platform user has a password set.
-     *
-     * Returns `{ hasPassword: true }` for users that signed up with
-     * email+password (or later called `set`), `{ hasPassword: false }`
-     * for OAuth-only users (e.g. signed up via Google/GitHub).
-     *
-     * @example
-     * ```typescript
-     * const { hasPassword } = await auth.password.status({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   accessToken: platformJwt,
-     * })
-     * ```
-     */
-    readonly status: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly userAgent?: string;
-    }) => Promise<PlatformPasswordStatusResult>;
-    /**
-     * Set an initial password for an OAuth-only user.
-     *
-     * Fails with 400 if the user already has a password (use `change`
-     * instead), if the password is <8 characters, or if HIBP reports
-     * the password as breached. BaaS invalidates every other session
-     * for the user (keeping the caller's current one) after a
-     * successful set.
-     *
-     * @example
-     * ```typescript
-     * await auth.password.set({
-     *   baseUrl,
-     *   accessToken,
-     *   password: 'correct-horse-battery-staple',
-     * })
-     * ```
-     */
-    readonly set: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly password: string;
-        readonly userAgent?: string;
-    }) => Promise<PlatformPasswordSetResult>;
-    /**
-     * Change an existing password.
-     *
-     * Verifies `currentPassword` server-side; a mismatch returns 401.
-     * OAuth-only users (no existing password) get 400 — use `set`
-     * instead. New password must be ≥8 characters and must not be in
-     * HIBP's breach database. BaaS invalidates every other session
-     * for the user (keeping the caller's current one) after a
-     * successful change.
-     *
-     * @example
-     * ```typescript
-     * await auth.password.change({
-     *   baseUrl,
-     *   accessToken,
-     *   currentPassword: 'old-plaintext',
-     *   newPassword: 'new-plaintext',
-     * })
-     * ```
-     */
-    readonly change: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly currentPassword: string;
-        readonly newPassword: string;
-        readonly userAgent?: string;
-    }) => Promise<PlatformPasswordChangeResult>;
-};
+
 type PlatformUserExportResult = AuthUserExportResponse;
 type PlatformUserDeleteInput = AuthUserDeleteRequest;
 type PlatformUserDeleteResult = AuthUserDeleteResponse;
@@ -2520,15 +3115,6 @@ declare const user: {
      * row, sessions, OAuth accounts, login history, security alerts,
      * organization memberships, subscriptions, per-project memberships,
      * and storage file metadata. Shape varies with customer provisioning.
-     *
-     * @example
-     * ```typescript
-     * const data = await auth.user.exportData({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   accessToken: platformJwt,
-     * })
-     * downloadAsJson(data, 'my-sylphx-data.json')
-     * ```
      */
     readonly exportData: (opts: {
         readonly baseUrl: string;
@@ -2539,29 +3125,7 @@ declare const user: {
      * Permanently delete the authenticated user's account (GDPR Article
      * 17 — right to erasure). Cascades through every provisioned project
      * DB, cancels Stripe subscriptions, deletes S3 blobs, and anonymises
-     * billing transactions. Emits a `user.deleted` event so downstream
-     * systems can clean up their own state.
-     *
-     * Returns `{ success: true, deletedData: [...] }` on success where
-     * `deletedData` lists the resource kinds that were erased.
-     *
-     * @remarks
-     * This operation is irreversible. Production callers SHOULD require
-     * a challenge step (2FA / password confirm / WebAuthn) before
-     * invoking this — the BaaS route does NOT perform challenge
-     * verification in Phase 2d. ADR-089 Phase 5.11 lands passkey-primary
-     * with WebAuthn-required step-up and will add the check at the
-     * BaaS boundary.
-     *
-     * @example
-     * ```typescript
-     * const result = await auth.user.deleteAccount({
-     *   baseUrl,
-     *   accessToken,
-     *   reason: 'user_request',
-     * })
-     * if (result.success) signOutAndRedirect('/goodbye')
-     * ```
+     * billing transactions.
      */
     readonly deleteAccount: (opts: {
         readonly baseUrl: string;
@@ -2570,37 +3134,15 @@ declare const user: {
         readonly userAgent?: string;
     }) => Promise<PlatformUserDeleteResult>;
     /**
-     * Async GDPR Article 20 export job API (ADR-089 Phase 5.5).
-     *
-     * `user.exportData` above is the Phase 2d synchronous shortcut —
-     * kept for backward compat but production callers SHOULD prefer the
-     * async flow: large users routinely exceed a single HTTP deadline
-     * during enumeration.
-     *
-     * Typical flow:
-     *
-     * ```ts
-     * const job = await auth.user.exports.initiate({ baseUrl, accessToken })
-     * // Poll until terminal:
-     * while (true) {
-     *   const cur = await auth.user.exports.status({ baseUrl, accessToken, id: job.id })
-     *   if (cur.status === 'complete') break
-     *   if (cur.status === 'failed') throw new Error(cur.errorMessage ?? 'export failed')
-     *   await new Promise(r => setTimeout(r, 2000))
-     * }
-     * const blob = await auth.user.exports.download({ baseUrl, accessToken, id: job.id })
-     * saveAs(blob, 'sylphx-export.json')
-     * ```
+     * Async GDPR Article 20 export job API (ADR-089 Phase 5.5).
      *
-     * Rate limit: 1 `initiate` per 24h per user. Polling + downloading
-     * are NOT rate-limited through that bucket (they're cheap reads).
+     * `user.exportData` is the Phase 2d synchronous shortcut; production
+     * callers should prefer the async flow for large accounts.
      */
     readonly exports: {
         /**
-         * Kick off an export job. Returns the job row in `pending` status
-         * with a 202-Accepted semantic — the HTTP layer has accepted the
-         * request but the payload is not yet materialized. Poll
-         * `status({ id })` until `status === 'complete'`.
+         * Kick off an export job. Poll `status({ id })` until
+         * `status === 'complete'`.
          */
         readonly initiate: (opts: {
             readonly baseUrl: string;
@@ -2610,9 +3152,6 @@ declare const user: {
         }) => Promise<DataExportJob>;
         /**
          * Read the current state of an in-flight or completed export job.
-         * Returns 404 (via thrown `SylphxError`) if the job id is unknown
-         * OR owned by a different user — cross-user probes can't
-         * distinguish the two.
          */
         readonly status: (opts: {
             readonly baseUrl: string;
@@ -2622,12 +3161,8 @@ declare const user: {
         }) => Promise<DataExportJob>;
         /**
          * Download the completed export payload. The BaaS route returns a
-         * 302 to a freshly-signed object-storage URL; we follow the redirect
-         * (standard `fetch` default) and resolve to the raw `Blob`.
-         *
-         * The integrity headers `X-Sylphx-Export-Sha256` + `X-Sylphx-Export-Size`
-         * are available on the final response — CLI consumers SHOULD verify
-         * the SHA-256 client-side before handing the archive to the user.
+         * 302 to a freshly-signed object-storage URL; `fetch` follows it
+         * and resolves to the raw `Blob`.
          */
         readonly download: (opts: {
             readonly baseUrl: string;
@@ -2642,11 +3177,8 @@ declare const user: {
     };
 };
 /**
- * Wire shape of a data-export job. `status` progresses through
- * pending → running → (complete|failed); terminal rows carry `completedAt`,
- * complete rows additionally carry `sizeBytes` + `sha256`, failed rows
- * carry `errorMessage`. `downloadUrl` is always null in this projection
- * — use `user.exports.download()` to obtain a freshly-signed URL.
+ * Wire shape of a data-export job. `status` progresses through pending,
+ * running, complete, or failed.
  */
 interface DataExportJob {
     readonly id: string;
@@ -2659,600 +3191,430 @@ interface DataExportJob {
     readonly sha256: string | null;
     readonly errorMessage: string | null;
 }
+
 /**
- * Reset the platform-JWKS cache. Tests should call this between cases
- * to avoid state bleed. Production code relies on the TTL-based
- * expiry.
+ * Auth Functions
+ *
+ * Pure functions for authentication - no hidden state.
+ * Each function takes config as the first parameter.
+ *
+ * Uses REST API at /api/sdk/auth/* for all operations.
+ *
+ * Types are re-exported from `@sylphx/contract` (ADR-084). The contract is
+ * the single source of truth for every wire shape — this module only adds
+ * SDK-specific ergonomics (User brand swap, introspection result, invite
+ * envelopes, org-token claims).
  */
-declare function resetPlatformJwksCache(): void;
-interface PlatformAccessTokenClaims {
-    readonly sub: string;
-    readonly pid?: string;
-    readonly email: string;
-    readonly name?: string;
-    readonly picture?: string;
-    readonly email_verified: boolean;
-    readonly app_id: string;
-    readonly role: string;
-    readonly org_id?: string;
-    readonly org_slug?: string;
-    readonly org_role?: string;
-    readonly iat?: number;
-    readonly exp?: number;
-    /**
-     * RFC 7800 confirmation claim — present when the token is sender-
-     * constrained. Today we emit this for DPoP-bound tokens (RFC 9449)
-     * where `cnf.jkt` is the SHA-256 thumbprint of the client's DPoP
-     * public key.
-     *
-     * Resource servers (e.g. apps/api Management plane) that want to
-     * enforce DPoP MUST:
-     *   1. Look up `oauth_clients.dpop_bound_access_tokens` on the
-     *      issuing client to know whether DPoP is required.
-     *   2. If required AND `cnf.jkt` is absent, reject 401.
-     *   3. If `cnf.jkt` is present, verify the inbound `DPoP` header's
-     *      proof JWT and assert its public-key thumbprint matches `jkt`.
-     *
-     * Pre-Wave-5.3 this field was stripped from `verifyAccessToken`'s
-     * return value, making resource-side enforcement impossible without
-     * decoding the JWT a second time. Exposing it preserves the wire
-     * format and unlocks the resource-server DPoP middleware.
-     */
-    readonly cnf?: {
-        readonly jkt?: string;
-    };
+
+type LoginRequest = LoginRequest$1;
+type LoginResponse = LoginResponse$1;
+type RegisterRequest = RegisterRequest$1;
+type RegisterResponse = RegisterResponse$1;
+type ResendEmailVerificationRequest = ResendEmailVerificationRequest$1;
+type ResendEmailVerificationResponse = ResendEmailVerificationResponse$1;
+/**
+ * Token response — contract's `AuthTokensResponse.user` (optional `AuthUser`)
+ * is re-mapped to the SDK's broader `User` type so legacy callers keep the
+ * familiar brand. `AuthUser` and `User` are structurally identical, but
+ * the SDK surface has wider reach (cookies, middleware, React hooks) and
+ * renaming is out of scope for ADR-084 cleanup.
+ */
+type TokenResponse = Omit<AuthTokensResponse, 'user'> & {
+    user: User;
+};
+type TwoFactorVerifyRequest = TwoFactorVerifyRequest$1;
+/**
+ * `GET /auth/me` — contract's `UserFullProfile` already includes the
+ * optional `emailVerified` flag the backend returns, so the SDK can just
+ * alias the contract type directly.
+ */
+type MeResponse = UserFullProfile$1;
+/**
+ * Token introspection result (RFC 7662)
+ */
+interface TokenIntrospectionResult {
+    /** Whether the token is active/valid */
+    active: boolean;
+    /** Token type (access_token or refresh_token) */
+    token_type?: 'access_token' | 'refresh_token';
+    /** User ID */
+    sub?: string;
+    /** User email */
+    email?: string;
+    /** User name */
+    name?: string;
+    /** App ID */
+    client_id?: string;
+    /** Audience */
+    aud?: string;
+    /** Issuer */
+    iss?: string;
+    /** Expiration time (Unix timestamp) */
+    exp?: number;
+    /** Issued at time (Unix timestamp) */
+    iat?: number;
+    /** User role */
+    role?: string;
+    /** Email verification status */
+    email_verified?: boolean;
+}
+/**
+ * Token revocation options
+ */
+interface RevokeTokenOptions {
+    /** Revoke all tokens for a user in this app */
+    revokeAll?: boolean;
+    /** User ID (required when revoking all) */
+    userId?: string;
+}
+interface SessionResult {
+    user: {
+        id: string;
+        email: string;
+        name: string | null;
+        image: string | null;
+        emailVerified: boolean;
+    } | null;
+}
+/**
+ * Extended registration input with metadata and invitation token support.
+ * Use extendedSignUp() when you need to pass metadata or an invitation token.
+ */
+interface RegisterInput {
+    email: string;
+    password: string;
+    name?: string;
+    metadata?: Record<string, unknown>;
+    invitationToken?: string;
+}
+/**
+ * Org context claims present in org-scoped tokens (after switch-org).
+ *
+ * The JWT carries the role key only. Permissions are resolved server-side
+ * via cached role→permissions lookup (WorkOS pattern). This keeps
+ * tokens small and ensures permission changes take effect without token refresh.
+ */
+interface OrgTokenPayload {
+    org_id: string;
+    org_slug: string;
+    /** RBAC role key (e.g. "hr_manager", "admin"). Permissions resolved server-side. */
+    org_role: string;
+}
+interface OrgScopedTokenResponse {
+    /** Org-scoped access token. */
+    token: string;
+    /** Org-scoped access token, matching the SDK's token naming convention. */
+    accessToken: string;
+    /** Token lifetime in seconds, when provided by the runtime. */
+    expiresIn?: number;
+    /** Bearer token type, when provided by the runtime. */
+    tokenType?: string;
+    /** User envelope returned by the runtime for session hydration. */
+    user?: User;
+}
+/**
+ * Invite a user request payload.
+ */
+interface InviteUserRequest {
+    email: string;
+    metadata?: Record<string, unknown>;
+    redirectUrl?: string;
+}
+/**
+ * Response from inviteUser.
+ */
+interface InviteUserResponse {
+    invitationToken: string;
+    expiresAt: string;
 }
 /**
- * `verifyAccessToken` — local JWT verification against cached JWKS.
+ * Sign in with email and password
+ *
+ * @example
+ * ```typescript
+ * const result = await signIn(config, { email: 'user@example.com', password: 'secret' })
+ * if (result.requiresTwoFactor) {
+ *   // Handle 2FA flow
+ * } else {
+ *   // Save tokens
+ *   const authenticatedConfig = withToken(config, result.accessToken!)
+ * }
+ * ```
+ */
+declare function signIn(config: SylphxConfig, input: LoginRequest): Promise<LoginResponse>;
+/**
+ * Sign up with email and password
+ *
+ * @example
+ * ```typescript
+ * const result = await signUp(config, {
+ *   email: 'user@example.com',
+ *   password: 'secret',
+ *   name: 'John Doe',
+ * })
+ * // User needs to verify email
+ * ```
+ */
+declare function signUp(config: SylphxConfig, input: RegisterRequest): Promise<RegisterResponse>;
+/**
+ * Sign out (revoke tokens)
+ *
+ * @example
+ * ```typescript
+ * await signOut(config)
+ * ```
+ */
+declare function signOut(config: SylphxConfig): Promise<void>;
+/**
+ * Refresh access token
+ *
+ * @example
+ * ```typescript
+ * const tokens = await refreshToken(config, refreshTokenString)
+ * const newConfig = withToken(config, tokens.accessToken)
+ * ```
+ */
+declare function refreshToken(config: SylphxConfig, token: string): Promise<TokenResponse>;
+/**
+ * Verify email with token
+ *
+ * @example
+ * ```typescript
+ * await verifyEmail(config, token)
+ * ```
+ */
+declare function verifyEmail(config: SylphxConfig, token: string): Promise<void>;
+/**
+ * Request password reset email
+ *
+ * @example
+ * ```typescript
+ * await forgotPassword(config, 'user@example.com', {
+ *   redirectUrl: 'https://app.example.com/reset-password'
+ * })
+ * ```
+ */
+declare function forgotPassword(config: SylphxConfig, email: string, options?: {
+    redirectUrl?: string;
+}): Promise<void>;
+/**
+ * Request a verification email resend.
+ *
+ * The Platform response is intentionally privacy-preserving: it never
+ * indicates whether the email exists or is already verified.
+ *
+ * @example
+ * ```typescript
+ * await resendVerificationEmail(config, 'user@example.com')
+ * ```
+ */
+declare function resendVerificationEmail(config: SylphxConfig, email: string): Promise<void>;
+/**
+ * Reset password with token
  *
- * Designed for the Platform API's hot-path auth middleware: JWKS is
- * fetched once per process (1h TTL), signature/iss/aud/exp
- * verification is local `jose` — no per-request HTTPS hop.
+ * @example
+ * ```typescript
+ * await resetPassword(config, { token, password: 'newpassword' })
+ * ```
+ */
+declare function resetPassword(config: SylphxConfig, input: {
+    token: string;
+    password: string;
+}): Promise<void>;
+/**
+ * Get current session (requires authenticated config)
  *
  * @example
  * ```typescript
- * const claims = await auth.verifyAccessToken(bearer, {
- *   baseUrl: 'https://your-app.api.sylphx.com/v1',
- *   audience: 'platform',
- * })
+ * const session = await getSession(authenticatedConfig)
+ * if (session.user) {
+ *   console.log(`Logged in as ${session.user.email}`)
+ * }
  * ```
  */
-declare function verifyAccessToken(token: string, opts: {
-    readonly baseUrl: string;
-    readonly audience: string;
-}): Promise<PlatformAccessTokenClaims>;
-interface PlatformUserRecord {
-    readonly id: string;
-    readonly email: string;
-    readonly name: string | null;
-    readonly image: string | null;
-    readonly emailVerified: boolean;
-    readonly role: string;
-    readonly twoFactorEnabled: boolean;
-}
-interface PlatformUserResolution {
-    readonly user: PlatformUserRecord;
-    readonly sessionId: string;
-}
-declare function resetPlatformCookieCache(): void;
+declare function getSession(config: SylphxConfig): Promise<SessionResult>;
 /**
- * `cookies` namespace — Platform cookie / session resolution for the
- * Platform API's hot-path auth middleware (ADR-089 Phase 3b).
+ * Verify 2FA code (when signIn returns requiresTwoFactor: true)
+ *
+ * @example
+ * ```typescript
+ * const result = await signIn(config, credentials)
+ * if (result.requiresTwoFactor) {
+ *   const tokens = await verifyTwoFactor(config, result.userId!, code)
+ * }
+ * ```
  */
-declare const cookies: {
-    /**
-     * Resolve a platform user from a forwarded `Cookie:` header.
-     *
-     * Delegates to BaaS `/auth/platform-sessions/whoami`. Caches each
-     * unique cookie string for 30s to avoid hammering BaaS on every
-     * SSR request.
-     *
-     * @example
-     * ```typescript
-     * const result = await auth.cookies.resolvePlatformUser({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   cookieHeader: req.headers.get('cookie') ?? '',
-     * })
-     * if (!result) // unauthenticated
-     * ```
-     */
-    readonly resolvePlatformUser: (opts: {
-        readonly baseUrl: string;
-        readonly cookieHeader: string;
-        readonly userAgent?: string;
-    }) => Promise<PlatformUserResolution | null>;
-};
-interface MintAccessTokenClaims {
-    readonly sub: string;
-    readonly email: string;
-    readonly name?: string;
-    readonly email_verified: boolean;
-    readonly app_id: string;
-    readonly role: string;
-    readonly org_id?: string;
-    readonly org_slug?: string;
-    readonly org_role?: string;
-    readonly picture?: string;
-    readonly pid?: string;
-}
-interface MintAccessTokenResult {
-    readonly accessToken: string;
-    readonly expiresIn: number;
-}
+declare function verifyTwoFactor(config: SylphxConfig, userId: string, code: string): Promise<TokenResponse>;
 /**
- * `oauth` namespace — Platform OAuth operations backed by BaaS.
+ * Introspect a token to check its validity (RFC 7662)
  *
- * Phase 3b adds `mintAccessToken` for the refresh handler migration;
- * Phase 5.1 layered in full authorization-server verbs
- * (`/oauth/token`, `/oauth/revoke`, `/oauth/introspect`).
+ * Use this to verify token status without decoding. Essential for:
+ * - Checking if a token has been revoked
+ * - Validating tokens at the edge
+ * - Security-critical operations
  *
- * TODO(ADR-084-wave-5): migrate `exchangeAuthorizationCode` +
- * `refreshAccessToken` off raw `fetch` onto the `@sylphx/contract` schema
- * pipeline. The OAuth endpoints are new (not migrations of existing
- * `@hono/zod-openapi` routes), so they can land contract-first without
- * rippling into the other 62 hand-written SDK modules the baseline
- * tracks. Blocked on Wave 5 scoping (contract-package OAuth schemas
- * need to model the RFC 6749 error envelope + PKCE/DPoP binding — see
- * packages/contract/src/endpoints/auth.ts for the existing auth-domain
- * precedent). Until then, these two methods stay on explicit fetch().
+ * @example
+ * ```typescript
+ * const result = await introspectToken(config, accessToken)
+ * if (!result.active) {
+ *   // Token is invalid, revoked, or expired
+ *   await refreshTokens()
+ * }
+ * ```
  */
-declare const oauth: {
-    /**
-     * Mint a platform-audience access token from supplied claims.
-     *
-     * Service-to-service call — authenticated via
-     * `SYLPHX_INTERNAL_TOKEN` shared secret. Phase 6 will migrate this
-     * to SPIFFE SVID mTLS (ADR-068).
-     *
-     * TODO: Phase 6 — prefer SPIFFE SVID over shared-secret auth.
-     *
-     * @example
-     * ```typescript
-     * const { accessToken, expiresIn } = await auth.oauth.mintAccessToken({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   internalToken: process.env.SYLPHX_INTERNAL_TOKEN!,
-     *   claims: { sub: user.id, email: user.email, app_id: 'platform', role: 'member', email_verified: true },
-     * })
-     * ```
-     */
-    readonly mintAccessToken: (opts: {
-        readonly baseUrl: string;
-        readonly internalToken: string;
-        readonly claims: MintAccessTokenClaims;
-        readonly userAgent?: string;
-    }) => Promise<MintAccessTokenResult>;
-    /**
-     * Exchange an OAuth 2.0 authorization_code for an access + refresh token
-     * pair (ADR-089 Phase 5.1b — RFC 6749 §4.1.3). PKCE S256 mandatory per
-     * OAuth 2.1 baseline.
-     *
-     * @example
-     * ```typescript
-     * const { verifier, challenge } = await generatePkce()
-     * // user redirected to /oauth/authorize?...&code_challenge=<challenge>
-     * // ...user approves, browser hits your redirect_uri with ?code=<code>
-     * const tokens = await auth.oauth.exchangeAuthorizationCode({
-     *   baseUrl: 'https://api.sylphx.com/v1',
-     *   clientId: 'sylphx-console',
-     *   clientSecret: process.env.CONSOLE_CLIENT_SECRET,
-     *   code,
-     *   redirectUri: 'https://console.sylphx.com/auth/callback',
-     *   codeVerifier: verifier,
-     * })
-     * ```
-     */
-    readonly exchangeAuthorizationCode: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly clientSecret?: string;
-        readonly code: string;
-        readonly redirectUri: string;
-        readonly codeVerifier: string;
-    }) => Promise<OAuthTokenResult>;
-    /**
-     * Refresh a platform access token using a refresh_token
-     * (ADR-089 Phase 5.1b — RFC 6749 §6). Rotation is mandatory — the
-     * presented refresh token is consumed and a new one returned.
-     *
-     * @example
-     * ```typescript
-     * const tokens = await auth.oauth.refreshAccessToken({
-     *   baseUrl: 'https://api.sylphx.com/v1',
-     *   clientId: 'sylphx-console',
-     *   clientSecret: process.env.CONSOLE_CLIENT_SECRET,
-     *   refreshToken: stored.refresh_token,
-     * })
-     * ```
-     */
-    readonly refreshAccessToken: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly clientSecret?: string;
-        readonly refreshToken: string;
-        readonly scope?: string;
-    }) => Promise<OAuthTokenResult>;
-    /**
-     * Poll the OAuth token endpoint for a device-code grant (ADR-089 Phase
-     * 5.1c — RFC 8628 §3.4). The preferred way to exchange an approved
-     * device grant for tokens — returns an RFC 6749 error envelope on the
-     * `{pending, slow_down, denied, expired}` states so callers can
-     * distinguish precisely without parsing Phase 2a's `/auth/device/poll`
-     * status string.
-     *
-     * Returns `{ ok: true, tokens }` on success or `{ ok: false, error }`
-     * for every RFC-defined polling outcome. Callers MUST honour the
-     * polling `interval` returned by `/auth/device` — polling faster yields
-     * `{ ok: false, error: 'slow_down' }`.
-     *
-     * @example
-     * ```typescript
-     * while (true) {
-     *   await sleep(interval * 1000)
-     *   const r = await auth.oauth.pollDeviceToken({
-     *     baseUrl: 'https://api.sylphx.com/v1',
-     *     clientId: 'sylphx-cli',
-     *     deviceCode,
-     *   })
-     *   if (r.ok) return r.tokens
-     *   if (r.error === 'authorization_pending' || r.error === 'slow_down') continue
-     *   throw new Error(r.error) // access_denied | expired_token
-     * }
-     * ```
-     */
-    readonly pollDeviceToken: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly deviceCode: string;
-    }) => Promise<OAuthPollResult>;
-    /**
-     * Mint a service-principal access token via the `client_credentials`
-     * grant (ADR-089 Phase 5.1c — RFC 6749 §4.4). Requires a confidential
-     * client (public clients cannot use this grant). No refresh token is
-     * issued per §4.4.3 — callers re-run this exchange on expiry.
-     *
-     * Typical use: CI integrations, server-to-server automation that has
-     * no human owner and cannot run a device flow.
-     *
-     * @example
-     * ```typescript
-     * const { access_token } = await auth.oauth.clientCredentialsToken({
-     *   baseUrl: 'https://api.sylphx.com/v1',
-     *   clientId: process.env.SYLPHX_CLIENT_ID!,
-     *   clientSecret: process.env.SYLPHX_CLIENT_SECRET!,
-     *   scope: 'tenants:provision',
-     * })
-     * ```
-     */
-    readonly clientCredentialsToken: (opts: {
-        readonly baseUrl: string;
-        readonly clientId: string;
-        readonly clientSecret: string;
-        readonly scope?: string;
-    }) => Promise<OAuthClientCredentialsResult>;
-    /**
-     * Revoke an OAuth access or refresh token (RFC 7009 — ADR-089 Phase 5.1d).
-     *
-     * Per §2.2 this always resolves successfully — the server returns 200
-     * whether the token existed, was already revoked, or belonged to a
-     * different client. Only true protocol-level failures (malformed
-     * request, bad client credentials) throw.
-     *
-     * @example
-     * ```typescript
-     * await auth.oauth.revokeToken({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   clientId: 'sylphx-cli',
-     *   token: refreshToken,
-     *   tokenTypeHint: 'refresh_token',
-     * })
-     * ```
-     */
-    readonly revokeToken: (opts: OAuthClientCallOpts) => Promise<void>;
-    /**
-     * Introspect an OAuth access or refresh token (RFC 7662 — ADR-089 Phase 5.1d).
-     *
-     * Returns `{ active: false }` for expired / revoked / unknown /
-     * not-owned tokens (without revealing which); `{ active: true, ... }`
-     * with full claims for live ones. Only protocol-level failures
-     * (4xx on the revocation envelope itself) throw.
-     *
-     * @example
-     * ```typescript
-     * const result = await auth.oauth.introspectToken({
-     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
-     *   clientId: 'gateway',
-     *   clientSecret: process.env.GATEWAY_SECRET,
-     *   token: accessToken,
-     * })
-     * if (!result.active) throw new Error('token not accepted')
-     * ```
-     */
-    readonly introspectToken: (opts: OAuthClientCallOpts) => Promise<OAuthIntrospectResult>;
-};
+declare function introspectToken(config: SylphxConfig, token: string, tokenTypeHint?: 'access_token' | 'refresh_token'): Promise<TokenIntrospectionResult>;
+/**
+ * Revoke a token (RFC 7009)
+ *
+ * Use cases:
+ * - Sign out user from specific device
+ * - Security response to compromised token
+ * - User-initiated session termination
+ *
+ * @example
+ * ```typescript
+ * // Revoke single refresh token
+ * await revokeToken(config, refreshToken)
+ *
+ * // Revoke all tokens for a user (logout everywhere)
+ * await revokeToken(config, '', { revokeAll: true, userId: 'user-123' })
+ * ```
+ */
+declare function revokeToken(config: SylphxConfig, token: string, options?: RevokeTokenOptions): Promise<void>;
+/**
+ * Revoke all tokens for a user (logout from all devices)
+ *
+ * Convenience wrapper around revokeToken with revokeAll option.
+ *
+ * @example
+ * ```typescript
+ * // After password change, revoke all sessions
+ * await revokeAllTokens(config, userId)
+ * ```
+ */
+declare function revokeAllTokens(config: SylphxConfig, userId: string): Promise<void>;
+/**
+ * Sign up with extended input (metadata + invitation token support).
+ *
+ * Use this instead of signUp() when you need to:
+ * - Pass metadata on registration (e.g., org context, role, referral info)
+ * - Register with an invitation token
+ *
+ * @example
+ * ```typescript
+ * const result = await extendedSignUp(config, {
+ *   email: 'user@example.com',
+ *   password: 'secret',
+ *   name: 'John Doe',
+ *   metadata: { orgId: 'org-123', role: 'employee' },
+ *   invitationToken: 'inv_...',
+ * })
+ * ```
+ */
+declare function extendedSignUp(config: SylphxConfig, input: RegisterInput): Promise<RegisterResponse>;
 /**
- * `dpop` namespace — client-side helpers for RFC 9449 sender-constrained
- * tokens. Built on `crypto.subtle` (no new npm deps).
+ * Invite a user to sign up for this project.
+ * Server-side only (requires secretKey).
+ * Sends an email invitation; user signs up via signUp() or extendedSignUp() with the invitation token.
  *
  * @example
  * ```typescript
- * // At login:
- * const kp = await dpop.generateKeyPair()
- * // Exchange device code at /oauth/token, attaching proof:
- * const tokenProof = await dpop.generateProof({
- *   privateKey: kp.privateKey,
- *   publicKey:  kp.publicKey,
- *   method: 'POST',
- *   uri: 'https://api.sylphx.com/v1/oauth/token',
- * })
- * // later, calling a resource:
- * const resProof = await dpop.generateProof({
- *   privateKey: kp.privateKey,
- *   publicKey:  kp.publicKey,
- *   method: 'GET',
- *   uri: 'https://api.sylphx.com/v1/me',
- *   accessToken,
- * })
- * fetch('/v1/me', {
- *   headers: { Authorization: `DPoP ${accessToken}`, DPoP: resProof },
+ * const invite = await inviteUser(config, {
+ *   email: 'newemployee@company.com',
+ *   metadata: { role: 'employee', orgId: 'org-123' },
+ *   redirectUrl: 'https://app.example.com/signup',
  * })
+ * console.log(invite.invitationToken, invite.expiresAt)
  * ```
  */
-declare const dpop: {
-    /**
-     * Generate a fresh ES256 key pair. Private key is non-extractable
-     * (`extractable: false`) so it can be stored but never serialised —
-     * the only legal operation is `sign`. Clients that need to
-     * hibernate the keypair across restarts must use a host-provided
-     * secure store (Keychain, Credential Manager, IndexedDB + CryptoKey
-     * wrapping).
-     */
-    readonly generateKeyPair: () => Promise<{
-        readonly privateKey: CryptoKey;
-        readonly publicKey: CryptoKey;
-        readonly thumbprint: string;
-    }>;
-    /**
-     * Sign a DPoP proof JWT. When `accessToken` is provided, the proof
-     * includes `ath = base64url(sha256(accessToken))` so the resource
-     * server can bind the proof to the token being presented (RFC 9449
-     * §4.3 step 11).
-     */
-    readonly generateProof: (opts: {
-        readonly privateKey: CryptoKey;
-        readonly publicKey: CryptoKey;
-        readonly method: string;
-        readonly uri: string;
-        readonly accessToken?: string;
-        readonly nonce?: string;
-    }) => Promise<string>;
-};
-interface OAuthTokenResult {
-    readonly access_token: string;
-    readonly token_type: 'Bearer';
-    readonly expires_in: number;
-    readonly refresh_token: string;
-    readonly scope: string;
-}
+declare function inviteUser(config: SylphxConfig, input: InviteUserRequest): Promise<InviteUserResponse>;
 /**
- * client_credentials token response (RFC 6749 §4.4.3). Distinct from
- * {@link OAuthTokenResult} because §4.4.3 forbids issuing a refresh
- * token — callers re-run the grant on expiry rather than rotating.
+ * Exchange current user token for an org-scoped token.
+ * The returned access_token JWT includes org_id, org_slug, org_role claims.
+ *
+ * @example
+ * const { token } = await getOrgScopedToken(withToken(config, currentToken), 'org_xxx')
  */
-interface OAuthClientCredentialsResult {
-    readonly access_token: string;
-    readonly token_type: 'Bearer';
-    readonly expires_in: number;
-    readonly scope: string;
-}
+declare function getOrgScopedToken(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
 /**
- * RFC 8628 §3.5 polling outcomes surfaced by {@link oauth.pollDeviceToken}.
- * Callers pattern-match on `error` to choose the next action:
- *   - `authorization_pending` + `slow_down` — keep polling (respect interval).
- *   - `access_denied`   — user declined; abort.
- *   - `expired_token`   — grant timed out; re-run `/auth/device`.
- *   - others            — unexpected; surface to the user.
+ * @deprecated Use getOrgScopedToken(config, orgId). Kept as the shorter
+ * organization switch alias for existing SDK callers.
  */
-type OAuthPollError = 'authorization_pending' | 'slow_down' | 'access_denied' | 'expired_token' | 'invalid_grant' | 'invalid_client' | 'invalid_request' | 'unauthorized_client' | 'oauth_error';
-type OAuthPollResult = {
-    readonly ok: true;
-    readonly tokens: OAuthTokenResult;
-} | {
-    readonly ok: false;
-    readonly error: OAuthPollError;
-    readonly status: number;
-};
-interface ImpersonationStartResult {
-    readonly success: true;
-    readonly token: string;
-    readonly sessionId: string;
-    readonly expiresAt: string;
-}
-interface ImpersonationEndResult {
-    readonly success: boolean;
-    readonly sessionsEnded: number;
-}
-interface ImpersonationInfo {
-    readonly isImpersonation: true;
-    readonly adminUserId: string;
-    readonly adminEmail: string;
-    readonly adminName: string | null;
-    readonly impersonatedAt: string;
-}
-interface ImpersonationActive {
-    readonly sessionId: string;
-    readonly adminUserId: string;
-    readonly adminEmail: string;
-    readonly adminName: string | null;
-    readonly targetUserId: string;
-    readonly targetEmail: string;
-    readonly targetName: string | null;
-    readonly impersonatedAt: string;
-    readonly lastActiveAt: string;
-}
-interface ImpersonationStartChallengeInput {
-    readonly baseUrl: string;
-    readonly accessToken: string;
-    readonly targetUserId: string;
-    readonly reason: string;
-    readonly userAgent?: string;
-}
-interface ImpersonationChallenge {
-    readonly requestId: string;
-    readonly challengeKey: string;
-    readonly webauthnOptions: {
-        readonly challenge: string;
-        readonly rpId?: string;
-        readonly allowCredentials: ReadonlyArray<{
-            readonly id: string;
-            readonly type: 'public-key';
-            readonly transports?: readonly string[];
-        }>;
-        readonly userVerification: 'required';
-        readonly timeout: number;
-    };
-}
-interface ImpersonationStartStepupInput {
-    readonly baseUrl: string;
-    readonly accessToken: string;
-    readonly requestId: string;
-    readonly challengeKey: string;
-    readonly assertion: unknown;
-    readonly emergencyBypass?: boolean;
-    readonly userAgent?: string;
-}
-type ImpersonationStartStepupResult = {
-    readonly branch: 'emergency';
-    readonly requestId: string;
-    readonly token: string;
-    readonly sessionId: string;
-    readonly expiresAt: string;
-} | {
-    readonly branch: 'awaiting-consent';
-    readonly requestId: string;
-    readonly consentDeadline: string;
-};
-type ImpersonationConsentDecision = 'approve' | 'deny';
-type ImpersonationConsentResponse = {
-    readonly branch: 'approved';
-    readonly requestId: string;
-    readonly token: string;
-    readonly sessionId: string;
-    readonly expiresAt: string;
-} | {
-    readonly branch: 'denied';
-    readonly requestId: string;
-};
-interface ImpersonationRequestRow {
-    readonly id: string;
-    readonly operatorId: string;
-    readonly targetUserId: string;
-    readonly reason: string;
-    readonly status: 'awaiting-stepup' | 'awaiting-consent' | 'active' | 'denied' | 'expired' | 'ended' | 'revoked';
-    readonly emergencyBypass: boolean;
-    readonly sessionId: string | null;
-    readonly consentDeadline: string | null;
-    readonly startedAt: string | null;
-    readonly endedAt: string | null;
-    readonly createdAt: string;
-}
+declare function switchOrg(config: SylphxConfig, orgId: string): Promise<OrgScopedTokenResponse>;
+type DeviceInitInput = DeviceInitRequest;
+type DeviceGrant = DeviceInitResponse;
+type DevicePollResult = DevicePollResponse;
+type DeviceApproveInput = DeviceApproveRequest;
+type DeviceApproveResult = DeviceApproveResponse;
+type DeviceDenyInput = DeviceDenyRequest;
+type DeviceDenyResult = DeviceDenyResponse;
 /**
- * `impersonation` namespace — admin user impersonation for the
- * Platform plane. Phase 3b shipped the minimal one-shot surface
- * (`start/end/info/active`); Phase 5.9 layers on WebAuthn step-up
- * (ADR-089 P15 / S27), target-user consent, notification SLO, and
- * CAEP integration via the new `startChallenge` + `startStepup` +
- * `respondConsent` + `listRequests` + `endSession` methods.
- *
- * Migration from Phase 3b → 5.9:
- *   - Old `start({targetUserId})` → new two-step flow:
- *       1. `startChallenge({targetUserId, reason})` returns WebAuthn
- *          options + challengeKey.
- *       2. `startStepup({requestId, challengeKey, assertion})` verifies
- *          the passkey and either mints the session (emergency bypass)
- *          or transitions to awaiting-consent.
- *       3. Target calls `respondConsent(id, 'approve' | 'deny')`.
- *   - Old `end({sessionId})` still works (legacy). New
- *     `endSession(requestId)` preferred for sessions tracked via
- *     `impersonation_requests`.
+ * `device` namespace — RFC 8628 device authorization grant.
+ *
+ * Used by headless clients (CLI, TV apps, IoT) to authorise via a
+ * companion browser instead of reading credentials from env vars.
  */
-declare const impersonation: {
-    readonly start: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly targetUserId: string;
-        readonly ipAddress?: string;
-        readonly userAgent?: string;
-    }) => Promise<ImpersonationStartResult>;
-    readonly end: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly sessionId?: string;
-        readonly userAgent?: string;
-    }) => Promise<ImpersonationEndResult>;
-    readonly info: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly sessionId: string;
-        readonly userAgent?: string;
-    }) => Promise<ImpersonationInfo | null>;
-    readonly active: (opts: {
-        readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly userAgent?: string;
-    }) => Promise<readonly ImpersonationActive[]>;
-    /**
-     * Phase 5.9 step 1 of 2 — request a WebAuthn assertion challenge.
-     * Returns the pending-request id plus options ready for
-     * `navigator.credentials.get(...)`. Caller is expected to post the
-     * resulting assertion to {@link impersonation.startStepup}.
-     */
-    readonly startChallenge: (opts: ImpersonationStartChallengeInput) => Promise<ImpersonationChallenge>;
+declare const device: {
     /**
-     * Phase 5.9 step 2 of 2 — complete the WebAuthn step-up. Returns
-     * either the active session (emergency bypass) or the
-     * consent deadline (regular flow). Phase 3b `start` is superseded
-     * by this method; old callers should migrate to
-     * `startChallenge` → `startStepup`.
+     * Start a device authorization grant.
+     *
+     * Returns a `DeviceGrant` with `verification_uri_complete` (open this
+     * in the user's browser) and `device_code` (use for polling).
+     *
+     * @example
+     * ```typescript
+     * const grant = await device.init({
+     *   baseUrl: 'https://your-app.api.sylphx.com/v1',
+     *   clientId: 'sylphx-cli',
+     *   scope: ['org:read', 'project:*'],
+     * })
+     * openBrowser(grant.verification_uri_complete)
+     * ```
      */
-    readonly startStepup: (opts: ImpersonationStartStepupInput) => Promise<ImpersonationStartStepupResult>;
+    readonly init: (opts: {
+        readonly baseUrl: string;
+        readonly clientId: string;
+        readonly scope?: readonly string[];
+        readonly userAgent?: string;
+    }) => Promise<DeviceGrant>;
     /**
-     * Target user's consent decision. Approve mints the session token;
-     * deny transitions the request to `denied`.
+     * Poll a pending grant. Returns `status: 'pending' | 'approved' |
+     * 'denied' | 'expired'`. On `approved`, the result carries the OAuth
+     * pair (access_token + refresh_token).
+     *
+     * Callers MUST respect the `interval` returned by `init()` — polling
+     * faster than that may return 429 slow_down (RFC 8628 §5.5).
      */
-    readonly respondConsent: (opts: {
+    readonly poll: (opts: {
         readonly baseUrl: string;
-        readonly accessToken: string;
-        readonly requestId: string;
-        readonly decision: ImpersonationConsentDecision;
+        readonly deviceCode: string;
         readonly userAgent?: string;
-    }) => Promise<ImpersonationConsentResponse>;
-    /** List impersonation requests. Non-super_admin sees only their own. */
-    readonly listRequests: (opts: {
+    }) => Promise<DevicePollResult>;
+    /**
+     * Browser leg — the approving user confirms the grant.
+     *
+     * Requires a valid platform-issued access token (`Authorization:
+     * Bearer <accessToken>`) proving the user is logged in on the
+     * Console. Typically called by the Console's `/device` verification
+     * page server-side, forwarding the user's session JWT.
+     */
+    readonly approve: (opts: {
         readonly baseUrl: string;
+        readonly userCode: string;
         readonly accessToken: string;
-        readonly filter?: {
-            readonly operatorId?: string;
-            readonly targetUserId?: string;
-            readonly status?: ImpersonationRequestRow["status"];
-            readonly limit?: number;
-        };
         readonly userAgent?: string;
-    }) => Promise<readonly ImpersonationRequestRow[]>;
+    }) => Promise<DeviceApproveResult>;
     /**
-     * End an active impersonation session by request id. Emits a CAEP
-     * `session-revoked` event via the Phase 5.Z outbox so every in-flight
-     * verifier invalidates the token within ≤1s.
+     * Browser leg — the user declines the grant.
+     *
+     * Requires a valid platform-issued access token just like `approve`.
      */
-    readonly endSession: (opts: {
+    readonly deny: (opts: {
         readonly baseUrl: string;
+        readonly userCode: string;
         readonly accessToken: string;
-        readonly requestId: string;
         readonly userAgent?: string;
-    }) => Promise<{
-        success: true;
-        requestId: string;
-        sessionId: string | null;
-    }>;
+    }) => Promise<DeviceDenyResult>;
 };
 
 /**
@@ -9309,4 +9671,4 @@ declare const functions: {
     };
 };
 
-export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, type AuditQueryFilter, type AuditQueryResult, AuthenticationError, AuthorizationError, type BackupCodesResult, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type Breadcrumb, type BuildLog, type BuildLogHistoryResponse, type CaptureExceptionRequest, type CaptureMessageRequest, type ChallengeMethod, type ChallengeType, type ChallengeVerifyInput, type ChallengeVerifyResult, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CopyFileOptions, type CreateOrgInput, type CreatePermissionInput, type CreatePromoInput, type CreateRoleInput, type CreateRunOptions, type CreateTriggerOptions, type CriteriaOperator, type CronInput, type CronSchedule, type CronSource, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteAccountResult, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DeviceApproveInput, type DeviceApproveResult, type DeviceDenyInput, type DeviceDenyResult, type DeviceGrant, type DeviceInitInput, type DevicePollResult, type DynamicRestClient, ERROR_CODE_STATUS, type EmailChangeInput, type EmailConfirmInput, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type EventSource, type ExceptionFrame, type ExceptionValue, type ExecEvent, type ExecOptions, type ExecResult, type FacetsResponse, type FileEvent, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, type HttpTarget, type IdentifyInput, type ImpersonationActive, type ImpersonationEndResult, type ImpersonationInfo, type ImpersonationStartResult, type IndexDocumentInput, type IndexDocumentResult, type IngestLogsResult, InvalidConnectionUrlError, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListFilesOptions, type ListPromosOptions, type ListPromosResult, type ListRedemptionsOptions, type ListRedemptionsResult, type ListRunsOptions, type ListRunsResult, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListTriggersResult, type ListUsersOptions, type ListUsersResult, type LogEntry, type LogLevel, type LoginHistoryEntry, type LoginRequest, type LoginResponse, type MeResponse, type MemberPermissionsResult, type MintAccessTokenClaims, type MintAccessTokenResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OAuthAuthorizeInput, type OAuthAuthorizeResult, type OAuthCodeExchangeInput, type OAuthProvider, type OAuthProvidersResult, type OidcDiscoveryDocument, type OidcUserInfoResponse, type OrgRole, type OrgScopedTokenResponse, type OrgTokenPayload, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type OrganizationsListResult, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedConnectionUrl, type PasskeyRegistrationInput, type PasskeyRegistrationOptions, type PasskeySummary, type PasskeysList, type PasswordSetInput, type Permission, type PkceMethod, type Plan, type PlatformAccessTokenClaims, type PlatformFunctionsDownloadBundleResult, type PlatformLogoutInput, type PlatformPasswordChangeInput, type PlatformPasswordChangeResult, type PlatformPasswordSetInput, type PlatformPasswordSetResult, type PlatformPasswordStatusResult, type PlatformRealtimeChannel, type PlatformRealtimeCreateChannelResult, type PlatformRealtimeDeleteChannelResult, type PlatformRealtimeListChannelsResult, type PlatformRealtimeStatusResult, type PlatformRefreshInput, type PlatformRefreshResult, type PlatformSessionRenameInput, type PlatformSessionRenameResult, type PlatformSessionRevokeAllResult, type PlatformSessionRevokeInput, type PlatformSessionRevokeOtherResult, type PlatformSessionRevokeResult, type PlatformSessionsListResult, type PlatformUserDeleteInput, type PlatformUserDeleteResult, type PlatformUserExportResult, type PlatformUserRecord, type PlatformUserResolution, type ProcessEvent, type ProcessInfo, type ProcessStartOptions, type ProcessSummary, type ProjectMetadata, type PromoCode, type PromoRedemption, type PromoStatus, type PromoType, type PromoValidationPreview, type PublishEventResult, type PushCampaign, type PushCampaignStats, type PushCampaignVariant, type PushNotification, type PushNotificationPayload, type PushSegment, type PushSegmentFilter, type PushServiceWorkerConfig, type PushSubscription, type QueryLogsOptions, type QueryLogsResult, RETRYABLE_CODES, RateLimitError, type RateLimitStatusFilter, type RateLimitStatusResult, type RateLimitStrategiesFilter, type RateLimitStrategiesResult, type RateLimitStrategyDeleteInput, type RateLimitStrategyDeleteResult, type RateLimitStrategyUpsertInput, type RateLimitStrategyUpsertResult, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RecordActivityInput, type RecordActivityResult, type RedeemPromoInput, type RedeemPromoResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type ResendEmailVerificationRequest, type ResendEmailVerificationResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type Run, RunHandle, type RunLogsResult, type RunMachineSize, type RunResult, type RunStatus, type RunTarget, type RunVolumeMount, type CreateRunOptions as RunWorkerOptions, RunsClient, SandboxClient, type SandboxFile, SandboxFiles, type SandboxMachineSize, type SandboxOptions, SandboxProcesses, type SandboxRecord, SandboxWatch, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecurityAlert, type SecurityAlertsList, type SecurityScoreResult, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, StepCompleteSignal, StepSleepSignal, type StoredLogEntry, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxClientInput, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, type TaskInput, type TaskResult, type TaskStatus, type TaskTarget, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type Trigger, type TriggerDeployRequest, type TriggerRunMachineSize, type TriggerSource, type TriggerSourceType, type TriggerStatus, type TriggerTarget, type TriggerTargetType, TriggersClient, type TwoFactorEnableResult, type TwoFactorSetupResult, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdatePromoInput, type UpdateRoleInput, type UpdateTriggerOptions, type UploadCreateOptions, type UploadProgressEvent, type UpsertDocumentInput, type UpsertDocumentResult, type User, type UserAchievement, type UserConsent, type UserDataExport, type UserFullProfile, type UserOrganization, type UserProfile, type UserSecuritySettings, type UserSession, type UserSessionsList, type UserUpdateProfileInput, type ValidatePromoInput, type ValidatePromoResult, ValidationError, type VisionInput, type WatchEntry, type WatchOptions, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, RunHandle as WorkerHandle, type RunLogsResult as WorkerLogsResult, type RunResult as WorkerResult, type Run as WorkerRun, type RunStatus as WorkerStatus, type RunVolumeMount as WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, audit, authorizeOAuth, batchIndex, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, chat, chatStream, checkFlag, complete, confirmEmailChange, cookies, createCheckout, createClient, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createPromo, createRestClient, createRole, createServerClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteOrganization, deletePasskey, deletePermission, deletePromo, deleteRole, deleteUser, deleteUserAccount, device, disableDebug, disableTwoFactor, disconnectOAuthProvider, dpop, embed, enableDebug, exchangeOAuthCode, exponentialBackoff, exportUserData, extendedSignUp, forgotPassword, functions, generateAnonymousId, generatePkce, getAchievement, getAchievementPoints, getAchievements, getAllFlags, getAllSecrets, getAllStreaks, getBackupCodes, getBillingBalance, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDeployHistory, getDeployStatus, getErrorCode, getErrorMessage, getFacets, getFlagPayload, getFlags, getLeaderboard, getMemberPermissions, getMyReferralCode, getOidcDiscoveryDocument, getOrgScopedToken, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlans, getProjectMetadata, getPromo, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSecurityScore, getSession, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getUserProfile, getUserSecurity, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, impersonation, incrementAchievementProgress, indexDocument, ingestLogs, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isEmailConfigured, isEnabled, isRetryableError, isSylphxError, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listOAuthProviders, listOrganizations, listPasskeys, listPermissions, listPromoRedemptions, listPromos, listRoles, listScheduledEmails, listSecretKeys, listSecurityAlerts, listTasks, listUserSessions, listUsers, markAllSecurityAlertsRead, markSecurityAlertRead, oauth, page, parseOAuthCallback, password, pauseCron, platformAuth, campaigns as pushCampaigns, segments as pushSegments, queryLogs, rateLimits, realtime, realtimeEmit, recordStreakActivity, recoverStreak, redeemPromo, redeemReferralCode, refreshToken, regenerateBackupCodes, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, renamePasskey, renameUserSession, replayWebhookDelivery, requestEmailChange, rescheduleEmail, resendVerificationEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resetPlatformCookieCache, resetPlatformJwksCache, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, revokeUserSession, rollbackDeploy, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, sessions, setConsents, setEnvVar, setPassword, setupTwoFactor, signIn, signOut, signUp, startPasskeyRegistration, storage, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePromo, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateUserProfile, updateWebhookConfig, upsertDocument, user, userInfo, validatePromo, verifyAccessToken, verifyChallenge, verifyEmail, verifyPasskeyRegistration, verifySignature as verifyTaskSignature, verifyTwoFactor, verifyTwoFactorEnable, withToken };
+export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, type AuditQueryFilter, type AuditQueryResult, AuthenticationError, AuthorizationError, BILLING_ALLOWED_ROLES, BUILD_MINUTES_INCLUDED, BUILD_MINUTE_PRICES, BUILD_SIZE_MULTIPLIERS, BYTES_PER_GB, type BackupCodesResult, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type BillingAllowedRole, type Breadcrumb, type BuildConnectionUrlInput, type BuildLog, type BuildLogHistoryResponse, type BuildMachineTier, CI_BUILD_MINUTE_PRICE_MICRODOLLARS, CI_FREE_MINUTES_PER_MONTH, CI_MACOS_MULTIPLIER, CI_MACOS_SIZE_MULTIPLIERS, CI_SIZE_MULTIPLIERS, COMPUTE_PRICE_PER_HOUR_MICRODOLLARS, COMPUTE_RAM_RATE_MICRODOLLARS, COMPUTE_VCPU_ACTIVE_RATE_MICRODOLLARS, COMPUTE_VCPU_IDLE_RATE_MICRODOLLARS, CONSOLE_APP_SLUG, CREDENTIAL_REGEX, CREDIT_EXPIRY_MONTHS, type CaptureExceptionRequest, type CaptureMessageRequest, type ChallengeMethod, type ChallengeType, type ChallengeVerifyInput, type ChallengeVerifyResult, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConnectionCredentialType, type ConnectionEnv, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CopyFileOptions, type CreateOrgInput, type CreatePermissionInput, type CreatePromoInput, type CreateRoleInput, type CreateRunOptions, type CreateTriggerOptions, type CriteriaOperator, type CronInput, type CronSchedule, type CronSource, DEFAULT_MAX_REPLICAS, DEFAULT_POINTS_REWARD, DISCOUNT_DURATION_MONTHS, DISCOUNT_PERCENT, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteAccountResult, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DeviceApproveInput, type DeviceApproveResult, type DeviceDenyInput, type DeviceDenyResult, type DeviceGrant, type DeviceInitInput, type DevicePollResult, type DynamicRestClient, ERROR_CODE_STATUS, type EmailChangeInput, type EmailConfirmInput, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type EventSource, type ExceptionFrame, type ExceptionValue, type ExecEvent, type ExecOptions, type ExecResult, type ErrorDetails$1 as ExtractedErrorDetails, FREE_COMPUTE_HOURS, FREE_STORAGE_GB, type FacetsResponse, type FileEvent, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, HOURS_PER_MONTH, type HttpTarget, INSTANCE_TYPES, INSTANCE_TYPE_ALIASES, INSTANCE_TYPE_ORDER, INVOICE_DUE_DAYS, type IdentifyInput, type ImpersonationActive, type ImpersonationEndResult, type ImpersonationInfo, type ImpersonationStartResult, type IndexDocumentInput, type IndexDocumentResult, type IngestLogsResult, type InstanceTypeDefinition, type InstanceTypeId, InvalidConnectionUrlError, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, KV_FREE_STORAGE_GB, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMetric, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, LEGACY_INSTANCE_TYPE_ORDER, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListFilesOptions, type ListPromosOptions, type ListPromosResult, type ListRedemptionsOptions, type ListRedemptionsResult, type ListRunsOptions, type ListRunsResult, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListTriggersResult, type ListUsersOptions, type ListUsersResult, type LogEntry, type LogLevel, type LoginHistoryEntry, type LoginRequest, type LoginResponse, MAX_PASSWORD_LENGTH, MAX_PAYMENT_ATTEMPTS, MICRODOLLARS_PER_CENT, MIN_PASSWORD_LENGTH, type MeResponse, type MemberPermissionsResult, type MintAccessTokenClaims, type MintAccessTokenResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OAuthAuthorizeInput, type OAuthAuthorizeResult, type OAuthCodeExchangeInput, type OAuthProvider, type OAuthProvidersResult, type OidcDiscoveryDocument, type OidcUserInfoResponse, type OrgRole, type OrgScopedTokenResponse, type OrgTokenPayload, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type OrganizationsListResult, PASSWORD_REQUIREMENTS, PLATFORM_PLANS, PLATFORM_PLAN_ORDER, PLATFORM_PLAN_ORDER_ALL, PREMIUM_TRIAL_DAYS, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedConnectionUrl, type ParsedUserAgent, type PasskeyRegistrationInput, type PasskeyRegistrationOptions, type PasskeySummary, type PasskeysList, type PasswordSetInput, type Permission, type PkceMethod, type Plan, type PlatformAccessTokenClaims, type PlatformFunctionsDownloadBundleResult, type PlatformLogoutInput, type PlatformPasswordChangeInput, type PlatformPasswordChangeResult, type PlatformPasswordSetInput, type PlatformPasswordSetResult, type PlatformPasswordStatusResult, type PlatformPlanDefinition, type PlatformPlanFeatures, type PlatformPlanId, type PlatformPlanLimits, type PlatformRealtimeChannel, type PlatformRealtimeCreateChannelResult, type PlatformRealtimeDeleteChannelResult, type PlatformRealtimeListChannelsResult, type PlatformRealtimeStatusResult, type PlatformRefreshInput, type PlatformRefreshResult, type PlatformSessionRenameInput, type PlatformSessionRenameResult, type PlatformSessionRevokeAllResult, type PlatformSessionRevokeInput, type PlatformSessionRevokeOtherResult, type PlatformSessionRevokeResult, type PlatformSessionsListResult, type PlatformUserDeleteInput, type PlatformUserDeleteResult, type PlatformUserExportResult, type PlatformUserRecord, type PlatformUserResolution, type ProcessEvent, type ProcessInfo, type ProcessStartOptions, type ProcessSummary, type ProjectMetadata, type PromoCode, type PromoRedemption, type PromoStatus, type PromoType, type PromoValidationPreview, type PublishEventResult, type PushCampaign, type PushCampaignStats, type PushCampaignVariant, type PushNotification, type PushNotificationPayload, type PushSegment, type PushSegmentFilter, type PushServiceWorkerConfig, type PushSubscription, type QueryLogsOptions, type QueryLogsResult, RETRYABLE_CODES, RateLimitError, type RateLimitStatusFilter, type RateLimitStatusResult, type RateLimitStrategiesFilter, type RateLimitStrategiesResult, type RateLimitStrategyDeleteInput, type RateLimitStrategyDeleteResult, type RateLimitStrategyUpsertInput, type RateLimitStrategyUpsertResult, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RealtimeMetric, type RecordActivityInput, type RecordActivityResult, type RedeemPromoInput, type RedeemPromoResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type ResendEmailVerificationRequest, type ResendEmailVerificationResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type Run, RunHandle, type RunLogsResult, type RunMachineSize, type RunResult, type RunStatus, type RunTarget, type RunVolumeMount, type CreateRunOptions as RunWorkerOptions, RunsClient, SERVICE_METRICS, STORAGE_PRICE_PER_GB_MONTH_MICRODOLLARS, SandboxClient, type SandboxFile, SandboxFiles, type SandboxMachineSize, type SandboxOptions, SandboxProcesses, type SandboxRecord, SandboxWatch, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecurityAlert, type SecurityAlertsList, type SecurityScoreResult, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type ServiceMetrics, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, StepCompleteSignal, StepSleepSignal, type StoredLogEntry, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxClientInput, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, TRANSFER_PRICE_PER_GB_MICRODOLLARS, type TaskInput, type TaskResult, type TaskStatus, type TaskTarget, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type Trigger, type TriggerDeployRequest, type TriggerRunMachineSize, type TriggerSource, type TriggerSourceType, type TriggerStatus, type TriggerTarget, type TriggerTargetType, TriggersClient, type TwoFactorEnableResult, type TwoFactorSetupResult, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdatePromoInput, type UpdateRoleInput, type UpdateTriggerOptions, type UploadCreateOptions, type UploadProgressEvent, type UpsertDocumentInput, type UpsertDocumentResult, type User, type UserAchievement, type UserConsent, type UserDataExport, type UserFullProfile, type UserOrganization, type UserProfile, type UserSecuritySettings, type UserSession, type UserSessionsList, type UserUpdateProfileInput, type ValidatePromoInput, type ValidatePromoResult, ValidationError, type VisionInput, type WatchEntry, type WatchOptions, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, RunHandle as WorkerHandle, type RunLogsResult as WorkerLogsResult, type RunResult as WorkerResult, type Run as WorkerRun, type RunStatus as WorkerStatus, type RunVolumeMount as WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, audit, authorizeOAuth, batchIndex, buildConnectionUrl, calculatePercentage, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, centsToDollars, chat, chatStream, checkFlag, complete, confirmEmailChange, cookies, createCheckout, createClient, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createPromo, createRestClient, createRole, createServerClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteOrganization, deletePasskey, deletePermission, deletePromo, deleteRole, deleteUser, deleteUserAccount, device, disableDebug, disableTwoFactor, disconnectOAuthProvider, dpop, embed, enableDebug, escapeCsvField, escapeHtml, exchangeOAuthCode, exponentialBackoff, exportUserData, extendedSignUp, getErrorDetails$1 as extractErrorDetails, getErrorMessage$1 as extractErrorMessage, forgotPassword, formatBytes, formatCents, formatCurrency, formatDate, formatDateTime, formatDuration, formatMicrodollars, formatMonthYear, formatNumber, formatPercent, formatRelativeTime, formatRelativeTimeShort, formatTime, functions, generateAnonymousId, generatePkce, generateReferralCode, generateSlug, getAchievement, getAchievementPoints, getAchievements, getActivePlans, getAllFlags, getAllSecrets, getAllStreaks, getAvailableInstanceTypes, getBackupCodes, getBaseUrl, getBillingBalance, getBillingStatusVariant, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDefaultInstanceType, getDeployHistory, getDeployStatus, getEnvPrefix, getErrorCode, getErrorDetails, getErrorMessage, getFacets, getFlagPayload, getFlags, getInvoiceStatusVariant, getLeaderboard, getMemberPermissions, getMyReferralCode, getOidcDiscoveryDocument, getOrgScopedToken, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlanMonthlyPrice, getPlans, getProjectMetadata, getPromo, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getSafeErrorMessage, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSecurityScore, getSession, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getUserProfile, getUserSecurity, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasBillingAccess, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, impersonation, incrementAchievementProgress, indexDocument, ingestLogs, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isChallengeRequired, isEmailConfigured, isEnabled, isPlanDeprecated, isRetryableError, isSylphxError, isValidInstanceType, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listOAuthProviders, listOrganizations, listPasskeys, listPermissions, listPromoRedemptions, listPromos, listRoles, listScheduledEmails, listSecretKeys, listSecurityAlerts, listTasks, listUserSessions, listUsers, markAllSecurityAlertsRead, markSecurityAlertRead, microsToDollars, oauth, page, parseConnectionUrl, parseOAuthCallback, parseUserAgent, password, pauseCron, platformAuth, campaigns as pushCampaigns, segments as pushSegments, queryLogs, rateLimits, realtime, realtimeEmit, recordStreakActivity, recoverStreak, redeemPromo, redeemReferralCode, refreshToken, regenerateBackupCodes, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, renamePasskey, renameUserSession, replayWebhookDelivery, requestEmailChange, rescheduleEmail, resendVerificationEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resetPlatformCookieCache, resetPlatformJwksCache, resolveCanonicalInstanceType, resolveMaxReplicas, resolveResources, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, revokeUserSession, rollbackDeploy, safeJsonParse, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, sessions, setConsents, setEnvVar, setPassword, setupTwoFactor, signIn, signOut, signUp, startPasskeyRegistration, storage, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePromo, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateUserProfile, updateWebhookConfig, upsertDocument, user, userInfo, validateInstanceTypeForPlan, validatePromo, verifyAccessToken, verifyChallenge, verifyEmail, verifyPasskeyRegistration, verifySignature as verifyTaskSignature, verifyTwoFactor, verifyTwoFactorEnable, withToken };