npm - @sylphx/sdk - Versions diffs - 0.3.7 → 0.4.0 - Mend

@sylphx/sdk 0.3.7 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -19946,6 +19946,16 @@ declare class SylphxError extends Error {
     static isRateLimited(err: unknown): err is SylphxError & {
         code: 'TOO_MANY_REQUESTS';
     };
+    /**
+     * Check if error is an account lockout error (too many failed login attempts).
+     * When true, `error.data?.lockoutUntil` contains the ISO 8601 timestamp when the lockout expires.
+     */
+    static isAccountLocked(err: unknown): err is SylphxError & {
+        code: 'TOO_MANY_REQUESTS';
+        data: {
+            lockoutUntil: string | null;
+        };
+    };
     /**
      * Check if error is a quota exceeded error (plan limit reached)
      */
@@ -21353,11 +21363,16 @@ interface RegisterInput {
 }
 /**
  * Org context claims present in org-scoped tokens.
+ *
+ * After switch-org, the JWT includes `org_permissions` — a flat array of
+ * resolved RBAC permission keys for the member in that org.
  */
 interface OrgTokenPayload {
     org_id: string;
     org_slug: string;
     org_role: string;
+    /** RBAC: resolved permission keys (e.g. ["org:members:read", "payroll:approve"]) */
+    org_permissions?: string[];
 }
 /**
  * Invite a user request payload.
@@ -23788,6 +23803,350 @@ declare function canManageSettings(membership: OrganizationMembership | null): b
  */
 declare function canDeleteOrganization(membership: OrganizationMembership | null): boolean;
+/**
+ * Permission Functions
+ *
+ * Pure functions for permission management — no hidden state.
+ * Each function takes config as the first parameter.
+ *
+ * Uses REST API at /permissions/* for project-scoped operations.
+ * Uses REST API at /orgs/{orgId}/members/{memberId}/permissions for member checks.
+ *
+ * Types are self-contained (not dependent on generated OpenAPI spec) because
+ * the RBAC routes were added after the last spec generation.
+ */
+/**
+ * A permission definition within a project.
+ *
+ * Permissions are the atomic building blocks of RBAC roles.
+ * They use colon-separated keys (e.g. "org:members:read", "payroll:approve").
+ */
+interface Permission {
+    /** Prefixed permission ID (e.g. "perm_xxx") */
+    id: string;
+    /** Unique key within the project (e.g. "org:members:read") */
+    key: string;
+    /** Human-readable name */
+    name: string;
+    /** Optional description */
+    description: string | null;
+    /** Whether this is a system-defined permission (immutable) */
+    isSystem: boolean;
+    /** ISO 8601 creation timestamp */
+    createdAt: string;
+}
+/**
+ * Input for creating a custom permission.
+ */
+interface CreatePermissionInput {
+    /** Unique key — colon-separated lowercase segments (e.g. "org:leave:approve") */
+    key: string;
+    /** Human-readable name */
+    name: string;
+    /** Optional description */
+    description?: string;
+}
+/**
+ * Resolved permissions for a member, including their assigned role.
+ */
+interface MemberPermissionsResult {
+    /** Prefixed user ID of the member */
+    memberId: string;
+    /** Assigned role (null if no role assigned) */
+    role: {
+        key: string;
+        name: string;
+    } | null;
+    /** Flattened, deduplicated permission keys from all assigned roles */
+    permissions: string[];
+}
+/**
+ * List all permissions for the current project.
+ *
+ * Returns both system-defined and custom permissions.
+ * Requires a secret key (server-side only).
+ *
+ * @example
+ * ```typescript
+ * const { permissions } = await listPermissions(config)
+ * console.log(permissions.map(p => p.key))
+ * // ['org:members:read', 'org:members:manage', 'payroll:view', ...]
+ * ```
+ */
+declare function listPermissions(config: SylphxConfig): Promise<{
+    permissions: Permission[];
+}>;
+/**
+ * Create a custom permission for the project.
+ *
+ * Permission keys must be colon-separated lowercase segments
+ * (e.g. "org:leave:approve", "payroll:run").
+ * Requires a secret key (server-side only).
+ *
+ * @example
+ * ```typescript
+ * const { permission } = await createPermission(config, {
+ *   key: 'payroll:approve',
+ *   name: 'Approve Payroll',
+ *   description: 'Can approve payroll runs for the organization',
+ * })
+ * ```
+ */
+declare function createPermission(config: SylphxConfig, input: CreatePermissionInput): Promise<{
+    permission: Permission;
+}>;
+/**
+ * Delete a custom permission by key.
+ *
+ * System permissions cannot be deleted.
+ * Role-permission assignments are removed automatically via cascading delete.
+ * Requires a secret key (server-side only).
+ *
+ * @example
+ * ```typescript
+ * const { success } = await deletePermission(config, 'payroll:approve')
+ * ```
+ */
+declare function deletePermission(config: SylphxConfig, permissionKey: string): Promise<{
+    success: boolean;
+}>;
+/**
+ * Get a member's resolved permissions within an organization.
+ *
+ * Returns the flattened, deduplicated set of permission keys from all
+ * roles assigned to the member. Also returns their current role info.
+ * Requires the caller to be a member of the same organization.
+ *
+ * @example
+ * ```typescript
+ * const result = await getMemberPermissions(config, 'my-org', 'usr_abc123')
+ * console.log(result.permissions)
+ * // ['org:members:read', 'payroll:view', 'payroll:approve']
+ * console.log(result.role)
+ * // { key: 'hr_manager', name: 'HR Manager' }
+ * ```
+ */
+declare function getMemberPermissions(config: SylphxConfig, orgIdOrSlug: string, memberId: string): Promise<MemberPermissionsResult>;
+/**
+ * Check if a permission set includes a specific permission.
+ *
+ * Pure function — no API call. Use with permissions from JWT claims
+ * (org_permissions) or from getMemberPermissions().
+ *
+ * @example
+ * ```typescript
+ * const permissions = ['org:members:read', 'payroll:view']
+ * hasPermission(permissions, 'payroll:view')    // true
+ * hasPermission(permissions, 'payroll:approve') // false
+ * ```
+ */
+declare function hasPermission(permissions: string[], required: string): boolean;
+/**
+ * Check if a permission set includes ANY of the required permissions.
+ *
+ * Pure function — no API call. Returns true if at least one of the
+ * required permissions is present.
+ *
+ * @example
+ * ```typescript
+ * const permissions = ['org:members:read', 'payroll:view']
+ * hasAnyPermission(permissions, ['payroll:view', 'payroll:approve']) // true
+ * hasAnyPermission(permissions, ['admin:full', 'super:admin'])       // false
+ * ```
+ */
+declare function hasAnyPermission(permissions: string[], required: string[]): boolean;
+/**
+ * Check if a permission set includes ALL of the required permissions.
+ *
+ * Pure function — no API call. Returns true only if every required
+ * permission is present.
+ *
+ * @example
+ * ```typescript
+ * const permissions = ['org:members:read', 'payroll:view', 'payroll:approve']
+ * hasAllPermissions(permissions, ['payroll:view', 'payroll:approve']) // true
+ * hasAllPermissions(permissions, ['payroll:view', 'admin:full'])      // false
+ * ```
+ */
+declare function hasAllPermissions(permissions: string[], required: string[]): boolean;
+/**
+ * Role Functions
+ *
+ * Pure functions for role management — no hidden state.
+ * Each function takes config as the first parameter.
+ *
+ * Uses REST API at /roles/* for project-scoped operations.
+ * Uses REST API at /orgs/{orgId}/members/{memberId}/assign-role for assignment.
+ *
+ * Types are self-contained (not dependent on generated OpenAPI spec) because
+ * the RBAC routes were added after the last spec generation.
+ */
+/**
+ * A role definition within a project.
+ *
+ * Roles bundle permissions into named groups that can be assigned to
+ * organization members (e.g. "HR Manager", "Payroll Admin").
+ */
+interface Role {
+    /** Prefixed role ID (e.g. "role_xxx") */
+    id: string;
+    /** Unique key within the project (e.g. "hr_manager") */
+    key: string;
+    /** Human-readable name */
+    name: string;
+    /** Optional description */
+    description: string | null;
+    /** Whether this is a system-defined role (metadata immutable) */
+    isSystem: boolean;
+    /** Whether this role is automatically assigned to new org members */
+    isDefault: boolean;
+    /** Display order (lower = higher priority) */
+    sortOrder: number;
+    /** Permission keys assigned to this role */
+    permissions: string[];
+    /** ISO 8601 creation timestamp */
+    createdAt: string;
+    /** ISO 8601 update timestamp (present on roles route response) */
+    updatedAt?: string;
+}
+/**
+ * Input for creating a custom role.
+ */
+interface CreateRoleInput {
+    /** Unique key — lowercase alphanumeric with underscores (e.g. "hr_manager") */
+    key: string;
+    /** Human-readable name */
+    name: string;
+    /** Optional description */
+    description?: string;
+    /** Permission keys to assign to this role */
+    permissions?: string[];
+    /** Whether to auto-assign to new org members */
+    isDefault?: boolean;
+    /** Display order (lower = higher priority) */
+    sortOrder?: number;
+}
+/**
+ * Input for updating an existing role.
+ *
+ * System role metadata (name, description) is immutable, but their
+ * permissions can be changed.
+ */
+interface UpdateRoleInput {
+    /** Human-readable name (ignored for system roles) */
+    name?: string;
+    /** Description (ignored for system roles) */
+    description?: string | null;
+    /** Permission keys to assign (replaces existing) */
+    permissions?: string[];
+    /** Whether to auto-assign to new org members */
+    isDefault?: boolean;
+    /** Display order */
+    sortOrder?: number;
+}
+/**
+ * List all roles for the current project.
+ *
+ * Returns both system-defined and custom roles, each with their
+ * assigned permission keys. Requires a secret key (server-side only).
+ *
+ * @example
+ * ```typescript
+ * const { roles } = await listRoles(config)
+ * for (const role of roles) {
+ *   console.log(`${role.name}: ${role.permissions.join(', ')}`)
+ * }
+ * ```
+ */
+declare function listRoles(config: SylphxConfig): Promise<{
+    roles: Role[];
+}>;
+/**
+ * Get a single role by key, including its assigned permission keys.
+ *
+ * Requires a secret key (server-side only).
+ *
+ * @example
+ * ```typescript
+ * const { role } = await getRole(config, 'hr_manager')
+ * console.log(role.permissions)
+ * // ['org:members:read', 'payroll:view', 'payroll:approve']
+ * ```
+ */
+declare function getRole(config: SylphxConfig, roleKey: string): Promise<{
+    role: Role;
+}>;
+/**
+ * Create a custom role with optional permission assignments.
+ *
+ * Role keys must be lowercase alphanumeric with underscores
+ * (e.g. "hr_manager", "payroll_admin").
+ * Requires a secret key (server-side only).
+ *
+ * @example
+ * ```typescript
+ * const { role } = await createRole(config, {
+ *   key: 'hr_manager',
+ *   name: 'HR Manager',
+ *   description: 'Can manage employees and approve leave',
+ *   permissions: ['org:members:read', 'leave:approve', 'payroll:view'],
+ * })
+ * ```
+ */
+declare function createRole(config: SylphxConfig, input: CreateRoleInput): Promise<{
+    role: Role;
+}>;
+/**
+ * Update a role's metadata and/or permission assignments.
+ *
+ * System role metadata (name, description) is immutable, but their
+ * permissions can be changed. Passing `permissions` replaces the
+ * entire permission set for the role.
+ * Requires a secret key (server-side only).
+ *
+ * @example
+ * ```typescript
+ * const { role } = await updateRole(config, 'hr_manager', {
+ *   permissions: ['org:members:read', 'org:members:manage', 'leave:approve'],
+ * })
+ * ```
+ */
+declare function updateRole(config: SylphxConfig, roleKey: string, input: UpdateRoleInput): Promise<{
+    role: Role;
+}>;
+/**
+ * Delete a custom role by key.
+ *
+ * System roles cannot be deleted. Roles with active member assignments
+ * cannot be deleted — reassign members first.
+ * Requires a secret key (server-side only).
+ *
+ * @example
+ * ```typescript
+ * const { success } = await deleteRole(config, 'hr_manager')
+ * ```
+ */
+declare function deleteRole(config: SylphxConfig, roleKey: string): Promise<{
+    success: boolean;
+}>;
+/**
+ * Assign an RBAC role to an organization member.
+ *
+ * Replaces any existing role assignment (single-role mode).
+ * Requires admin access to the organization.
+ *
+ * @example
+ * ```typescript
+ * const { success } = await assignMemberRole(config, 'my-org', 'usr_abc123', 'hr_manager')
+ * ```
+ */
+declare function assignMemberRole(config: SylphxConfig, orgIdOrSlug: string, memberId: string, roleKey: string): Promise<{
+    success: boolean;
+}>;
 /**
  * Secrets SDK
  *
@@ -25786,4 +26145,4 @@ declare const WorkersClient: {
     }): Promise<WorkerResult>;
 };
-export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, AuthenticationError, AuthorizationError, type BalanceResponse, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type Breadcrumb, type BuildLog, type BuildLogHistoryResponse, type CaptureExceptionRequest, type CaptureMessageRequest, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CheckoutRequest, type CheckoutResponse, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CreateOrgInput, type CriteriaOperator, type CronInput, type CronSchedule, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DynamicRestClient, ERROR_CODE_STATUS, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type ExceptionFrame, type ExceptionValue, type ExecOptions, type FacetsResponse, type FileInfo, type FileUploadOptions, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, type IdentifyInput, type IndexDocumentInput, type IndexDocumentResult, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListUsersOptions, type ListUsersResult, type ListWorkersOptions, type ListWorkersResult, type LoginHistoryEntry, type LoginRequest, type LoginResponse, type MeResponse, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OrgRole, type OrgTokenPayload, type Organization, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedKey, type Plan, type PortalRequest, type PortalResponse, type PushNotification, type PushNotificationPayload, type PushServiceWorkerConfig, type PushSubscription, RETRYABLE_CODES, RateLimitError, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RecordActivityInput, type RecordActivityResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type paths as RestPaths, type RetryConfig, type RevokeTokenOptions, type RollbackDeployRequest, type RunWorkerOptions, SandboxClient, type SandboxFile, type SandboxOptions, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, type SignedUrlResult, StepCompleteSignal, StepSleepSignal, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, type TaskInput, type TaskResult, type TaskStatus, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type TriggerDeployRequest, type TwoFactorVerifyRequest, type UpdateOrgInput, type UploadProgressEvent, type UploadResult, type UpsertDocumentInput, type UpsertDocumentResult, type UsageResponse, type User, type UserAchievement, type UserConsent, type UserProfile, ValidationError, type VisionInput, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, WorkerHandle, type WorkerLogsResult, type WorkerResourceSpec, type WorkerResult, type WorkerRun, type WorkerStatus, type WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, batchIndex, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, chat, chatStream, checkFlag, complete, createCheckout, createConfig, createCron, createDynamicRestClient, createOrganization, createPortalSession, createRestClient, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteFile, deleteOrganization, deleteUser, disableDebug, embed, enableDebug, exponentialBackoff, extendedSignUp, forgotPassword, generateAnonymousId, getAchievement, getAchievementPoints, getAchievements, getAllFlags, getAllSecrets, getAllStreaks, getBillingBalance, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDeployHistory, getDeployStatus, getErrorCode, getErrorMessage, getFacets, getFileInfo, getFileUrl, getFlagPayload, getFlags, getLeaderboard, getMyReferralCode, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlans, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSession, getSignedUrl, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasConsent, hasError, hasRole, hasSecret, identify, incrementAchievementProgress, indexDocument, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isEmailConfigured, isEnabled, isRetryableError, isSylphxError, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listScheduledEmails, listSecretKeys, listTasks, listUsers, page, parseKey, pauseCron, realtimeEmit, recordStreakActivity, recoverStreak, redeemReferralCode, refreshToken, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, replayWebhookDelivery, rescheduleEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, rollbackDeploy, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, setConsents, setEnvVar, signIn, signOut, signUp, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePushPreferences, updateUser, updateUserMetadata, updateWebhookConfig, uploadAvatar, uploadFile, upsertDocument, verifyEmail, verifySignature as verifyTaskSignature, verifyTwoFactor, withToken };
+export { ACHIEVEMENT_TIER_CONFIG, type AIListModelsOptions, type AIListModelsResponse, type AIMessage, type AIMessageRole, type AIModel, type AIModelInfo, type AIModelsResponse, type AIProvider, type AIRateLimitInfo, type AIRateLimitResponse, type AIRequestType, type AIStreamChunk, type AITool, type AIToolCall, type AIUsageResponse, type AIUsageStats, type AccessTokenPayload, type AchievementCategory, type AchievementCriteria, type AchievementCriterion, type AchievementDefinition, type AchievementTier, type AchievementType, type AchievementUnlockEvent, type AdminUser, AuthenticationError, AuthorizationError, type BalanceResponse, type BatchEvent, type BatchIndexInput, type BatchIndexResult, type Breadcrumb, type BuildLog, type BuildLogHistoryResponse, type CaptureExceptionRequest, type CaptureMessageRequest, type ChatCompletionInput, type ChatCompletionResponse, type ChatInput, type ChatMessage, type ChatResult, type ChatStreamChunk, type CheckoutRequest, type CheckoutResponse, type CircuitBreakerConfig, CircuitBreakerOpenError, type CircuitState, type CommandResult, type ConsentCategory, type ConsentHistoryEntry, type ConsentHistoryResult, type ConsentPurposeDefaults, type ConsentType, type ContentPart, type CreateOrgInput, type CreatePermissionInput, type CreateRoleInput, type CriteriaOperator, type CronInput, type CronSchedule, type DatabaseConnectionInfo, type DatabaseStatus, type DatabaseStatusInfo, type DebugCategory, type DeduplicationConfig, type DeleteDocumentInput, type DeployHistoryResponse, type DeployInfo, type DeployStatus, type DynamicRestClient, ERROR_CODE_STATUS, type EmbedInput, type EmbedResult, type EmbeddingInput, type EmbeddingResponse, type LeaderboardEntry as EngagementLeaderboardEntry, type LeaderboardResult as EngagementLeaderboardResult, type EnvVar, type ErrorCode, type ErrorResponse, type ExceptionFrame, type ExceptionValue, type ExecOptions, type FacetsResponse, type FileInfo, type FileUploadOptions, type FlagContext, type FlagResult, type GetConsentHistoryInput, type GetConsentsInput, type GetFacetsInput, type GetSecretInput, type GetSecretResult, type GetSecretsInput, type GetSecretsResult, type IdentifyInput, type IndexDocumentInput, type IndexDocumentResult, type InviteMemberInput, type InviteUserRequest, type InviteUserResponse, type KvExpireRequest, type KvHgetRequest, type KvHgetallRequest, type KvHsetRequest, type KvIncrRequest, type KvLpushRequest, type KvLrangeRequest, type KvMgetRequest, type KvMsetRequest, type KvRateLimitRequest, type KvRateLimitResult, type KvScanOptions, type KvScanResult, type KvSetOptions, type KvSetRequest, type KvZMember, type KvZaddRequest, type KvZrangeRequest, type LeaderboardAggregation, type LeaderboardDefinition, type LeaderboardEntry$1 as LeaderboardEntry, type LeaderboardOptions, type LeaderboardQueryOptions, type LeaderboardResetPeriod, type LeaderboardResult$1 as LeaderboardResult, type LeaderboardSortDirection, type LinkAnonymousConsentsInput, type ListScheduledEmailsOptions, type ListSecretKeysInput, type ListUsersOptions, type ListUsersResult, type ListWorkersOptions, type ListWorkersResult, type LoginHistoryEntry, type LoginRequest, type LoginResponse, type MeResponse, type MemberPermissionsResult, type MonitoringResponse, type MonitoringSeverity, type NativeStepContext, type NativeTaskDefinition, type TaskRunStatus as NativeTaskRunStatus, NetworkError, NotFoundError, type OrgRole, type OrgTokenPayload, type Organization, type OrganizationInvitation, type OrganizationMember, type OrganizationMembership, type PageInput, type PaginatedResponse, type PaginationInput, type ParsedKey, type Permission, type Plan, type PortalRequest, type PortalResponse, type PushNotification, type PushNotificationPayload, type PushServiceWorkerConfig, type PushSubscription, RETRYABLE_CODES, RateLimitError, type RealtimeEmitRequest, type RealtimeEmitResponse, type RealtimeHistoryRequest, type RealtimeHistoryResponse, type RecordActivityInput, type RecordActivityResult, type RedeemReferralInput, type RedeemResult, type ReferralCode, type ReferralStats, type RegisterInput, type RegisterRequest, type RegisterResponse, type RestClient, type RestClientConfig, type RestDynamicConfig, type paths as RestPaths, type RetryConfig, type RevokeTokenOptions, type Role, type RollbackDeployRequest, type RunWorkerOptions, SandboxClient, type SandboxFile, type SandboxOptions, type ScheduleEmailOptions, type ScheduledEmail, type ScheduledEmailStats, type ScheduledEmailsResult, type SearchInput, type SearchResponse, type SearchResultItem, type SearchStatsResult, type SearchType, type SecretKeyInfo, type SecuritySettings, type SendEmailOptions, type SendResult, type SendTemplatedEmailOptions, type SendToUserOptions, type SessionResult, type SetConsentsInput, type SetEnvVarRequest, type SignedUrlOptions, type SignedUrlResult, StepCompleteSignal, StepSleepSignal, type StreakDefinition, type StreakFrequency, type StreakState, type StreamMessage, type SubmitScoreInput, type SubmitScoreResult, type Subscription, type SuccessResponse, type SylphxConfig, type SylphxConfigInput, SylphxError, type SylphxErrorCode, type SylphxErrorOptions, type TaskInput, type TaskResult, type TaskStatus, type TextCompletionInput, type TextCompletionResponse, TimeoutError, type TokenIntrospectionResult, type TokenResponse, type Tool, type ToolCall, type TrackClickInput, type TrackInput, type TriggerDeployRequest, type TwoFactorVerifyRequest, type UpdateOrgInput, type UpdateRoleInput, type UploadProgressEvent, type UploadResult, type UpsertDocumentInput, type UpsertDocumentResult, type UsageResponse, type User, type UserAchievement, type UserConsent, type UserProfile, ValidationError, type VisionInput, type WebhookConfig, type WebhookConfigUpdate, type WebhookDeliveriesResult, type WebhookDelivery, type WebhookStats, WorkerHandle, type WorkerLogsResult, type WorkerResourceSpec, type WorkerResult, type WorkerRun, type WorkerStatus, type WorkerVolumeMount, WorkersClient, acceptAllConsents, acceptOrganizationInvitation, assignMemberRole, batchIndex, canDeleteOrganization, canManageMembers, canManageSettings, cancelScheduledEmail, cancelTask, captureException, captureExceptionRaw, captureMessage, chat, chatStream, checkFlag, complete, createCheckout, createConfig, createCron, createDynamicRestClient, createOrganization, createPermission, createPortalSession, createRestClient, createRole, createServiceWorkerScript, createStepContext, createTasksHandler, createTracker, debugError, debugLog, debugTimer, debugWarn, declineOptionalConsents, deleteCron, deleteDocument, deleteEnvVar, deleteFile, deleteOrganization, deletePermission, deleteRole, deleteUser, disableDebug, embed, enableDebug, exponentialBackoff, extendedSignUp, forgotPassword, generateAnonymousId, getAchievement, getAchievementPoints, getAchievements, getAllFlags, getAllSecrets, getAllStreaks, getBillingBalance, getBillingUsage, getBuildLogHistory, getCircuitBreakerState, getConsentHistory, getConsentTypes, getDatabaseConnectionString, getDatabaseStatus, getDebugMode, getDeployHistory, getDeployStatus, getErrorCode, getErrorMessage, getFacets, getFileInfo, getFileUrl, getFlagPayload, getFlags, getLeaderboard, getMemberPermissions, getMyReferralCode, getOrganization, getOrganizationInvitations, getOrganizationMembers, getOrganizations, getPlans, getPushPreferences, getRealtimeHistory, getReferralLeaderboard, getReferralStats, getRestErrorMessage, getRole, getScheduledEmail, getScheduledEmailStats, getSearchStats, getSecret, getSecrets, getSession, getSignedUrl, getStreak, getSubscription, getTask, getUser, getUserByEmail, getUserConsents, getUserLeaderboardRank, getVariant, getWebhookConfig, getWebhookDeliveries, getWebhookDelivery, getWebhookStats, hasAllPermissions, hasAnyPermission, hasConsent, hasError, hasPermission, hasRole, hasSecret, identify, incrementAchievementProgress, indexDocument, initPushServiceWorker, installGlobalDebugHelpers, introspectToken, inviteOrganizationMember, inviteUser, isEmailConfigured, isEnabled, isRetryableError, isSylphxError, kvDelete, kvExists, kvExpire, kvGet, kvGetJSON, kvHget, kvHgetall, kvHset, kvIncr, kvLpush, kvLrange, kvMget, kvMset, kvRateLimit, kvScan, kvSet, kvSetJSON, kvZadd, kvZrange, leaveOrganization, linkAnonymousConsents, listEnvVars, listPermissions, listRoles, listScheduledEmails, listSecretKeys, listTasks, listUsers, page, parseKey, pauseCron, realtimeEmit, recordStreakActivity, recoverStreak, redeemReferralCode, refreshToken, regenerateReferralCode, registerPush, registerPushServiceWorker, removeOrganizationMember, replayWebhookDelivery, rescheduleEmail, resetCircuitBreaker, resetDebugModeCache, resetPassword, resumeCron, revokeAllTokens, revokeOrganizationInvitation, revokeToken, rollbackDeploy, scheduleEmail, scheduleTask, search, sendEmail, sendEmailToUser, sendPush, sendTemplatedEmail, setConsents, setEnvVar, signIn, signOut, signUp, streamToString, submitScore, suspendUser, switchOrg, toSylphxError, track, trackBatch, trackClick, triggerDeploy, unlockAchievement, unregisterPush, updateOrganization, updateOrganizationMemberRole, updatePushPreferences, updateRole, updateUser, updateUserMetadata, updateWebhookConfig, uploadAvatar, uploadFile, upsertDocument, verifyEmail, verifySignature as verifyTaskSignature, verifyTwoFactor, withToken };

package/dist/index.js CHANGED Viewed

@@ -49,6 +49,7 @@ __export(index_exports, {
   WorkersClient: () => WorkersClient,
   acceptAllConsents: () => acceptAllConsents,
   acceptOrganizationInvitation: () => acceptOrganizationInvitation,
+  assignMemberRole: () => assignMemberRole,
   batchIndex: () => batchIndex,
   canDeleteOrganization: () => canDeleteOrganization,
   canManageMembers: () => canManageMembers,
@@ -67,8 +68,10 @@ __export(index_exports, {
   createCron: () => createCron,
   createDynamicRestClient: () => createDynamicRestClient,
   createOrganization: () => createOrganization,
+  createPermission: () => createPermission,
   createPortalSession: () => createPortalSession,
   createRestClient: () => createRestClient,
+  createRole: () => createRole,
   createServiceWorkerScript: () => createServiceWorkerScript,
   createStepContext: () => createStepContext,
   createTasksHandler: () => createTasksHandler,
@@ -83,6 +86,8 @@ __export(index_exports, {
   deleteEnvVar: () => deleteEnvVar,
   deleteFile: () => deleteFile,
   deleteOrganization: () => deleteOrganization,
+  deletePermission: () => deletePermission,
+  deleteRole: () => deleteRole,
   deleteUser: () => deleteUser,
   disableDebug: () => disableDebug,
   embed: () => embed,
@@ -116,6 +121,7 @@ __export(index_exports, {
   getFlagPayload: () => getFlagPayload,
   getFlags: () => getFlags,
   getLeaderboard: () => getLeaderboard,
+  getMemberPermissions: () => getMemberPermissions,
   getMyReferralCode: () => getMyReferralCode,
   getOrganization: () => getOrganization,
   getOrganizationInvitations: () => getOrganizationInvitations,
@@ -127,6 +133,7 @@ __export(index_exports, {
   getReferralLeaderboard: () => getReferralLeaderboard,
   getReferralStats: () => getReferralStats,
   getRestErrorMessage: () => getRestErrorMessage,
+  getRole: () => getRole,
   getScheduledEmail: () => getScheduledEmail,
   getScheduledEmailStats: () => getScheduledEmailStats,
   getSearchStats: () => getSearchStats,
@@ -146,8 +153,11 @@ __export(index_exports, {
   getWebhookDeliveries: () => getWebhookDeliveries,
   getWebhookDelivery: () => getWebhookDelivery,
   getWebhookStats: () => getWebhookStats,
+  hasAllPermissions: () => hasAllPermissions,
+  hasAnyPermission: () => hasAnyPermission,
   hasConsent: () => hasConsent,
   hasError: () => hasError,
+  hasPermission: () => hasPermission,
   hasRole: () => hasRole,
   hasSecret: () => hasSecret,
   identify: () => identify,
@@ -184,6 +194,8 @@ __export(index_exports, {
   leaveOrganization: () => leaveOrganization,
   linkAnonymousConsents: () => linkAnonymousConsents,
   listEnvVars: () => listEnvVars,
+  listPermissions: () => listPermissions,
+  listRoles: () => listRoles,
   listScheduledEmails: () => listScheduledEmails,
   listSecretKeys: () => listSecretKeys,
   listTasks: () => listTasks,
@@ -236,6 +248,7 @@ __export(index_exports, {
   updateOrganization: () => updateOrganization,
   updateOrganizationMemberRole: () => updateOrganizationMemberRole,
   updatePushPreferences: () => updatePushPreferences,
+  updateRole: () => updateRole,
   updateUser: () => updateUser,
   updateUserMetadata: () => updateUserMetadata,
   updateWebhookConfig: () => updateWebhookConfig,
@@ -354,6 +367,13 @@ var SylphxError = class _SylphxError extends Error {
   static isRateLimited(err) {
     return err instanceof _SylphxError && err.code === "TOO_MANY_REQUESTS";
   }
+  /**
+   * Check if error is an account lockout error (too many failed login attempts).
+   * When true, `error.data?.lockoutUntil` contains the ISO 8601 timestamp when the lockout expires.
+   */
+  static isAccountLocked(err) {
+    return err instanceof _SylphxError && err.code === "TOO_MANY_REQUESTS" && err.data?.code === "ACCOUNT_LOCKED";
+  }
   /**
    * Check if error is a quota exceeded error (plan limit reached)
    */
@@ -2936,6 +2956,86 @@ function canDeleteOrganization(membership) {
   return hasRole(membership, "super_admin");
 }
+// src/permissions.ts
+async function listPermissions(config) {
+  return callApi(config, "/permissions");
+}
+async function createPermission(config, input) {
+  return callApi(config, "/permissions", {
+    method: "POST",
+    body: input
+  });
+}
+async function deletePermission(config, permissionKey) {
+  return callApi(config, `/permissions/${permissionKey}`, {
+    method: "DELETE"
+  });
+}
+async function getMemberPermissions(config, orgIdOrSlug, memberId) {
+  return callApi(
+    config,
+    `/orgs/${orgIdOrSlug}/members/${memberId}/permissions`
+  );
+}
+function hasPermission(permissions, required) {
+  return permissions.includes(required);
+}
+function hasAnyPermission(permissions, required) {
+  return required.some((perm) => permissions.includes(perm));
+}
+function hasAllPermissions(permissions, required) {
+  return required.every((perm) => permissions.includes(perm));
+}
+// src/roles.ts
+async function listRoles(config) {
+  return callApi(config, "/roles");
+}
+async function getRole(config, roleKey) {
+  return callApi(config, `/roles/${roleKey}`);
+}
+async function createRole(config, input) {
+  const body = {
+    key: input.key,
+    name: input.name
+  };
+  if (input.description !== void 0) body.description = input.description;
+  if (input.permissions !== void 0) body.permissionKeys = input.permissions;
+  if (input.isDefault !== void 0) body.isDefault = input.isDefault;
+  if (input.sortOrder !== void 0) body.sortOrder = input.sortOrder;
+  return callApi(config, "/roles", {
+    method: "POST",
+    body
+  });
+}
+async function updateRole(config, roleKey, input) {
+  const body = {};
+  if (input.name !== void 0) body.name = input.name;
+  if (input.description !== void 0) body.description = input.description;
+  if (input.permissions !== void 0) body.permissionKeys = input.permissions;
+  if (input.isDefault !== void 0) body.isDefault = input.isDefault;
+  if (input.sortOrder !== void 0) body.sortOrder = input.sortOrder;
+  return callApi(config, `/roles/${roleKey}`, {
+    method: "PUT",
+    body
+  });
+}
+async function deleteRole(config, roleKey) {
+  return callApi(config, `/roles/${roleKey}`, {
+    method: "DELETE"
+  });
+}
+async function assignMemberRole(config, orgIdOrSlug, memberId, roleKey) {
+  return callApi(
+    config,
+    `/orgs/${orgIdOrSlug}/members/${memberId}/assign-role`,
+    {
+      method: "PUT",
+      body: { roleKey }
+    }
+  );
+}
 // src/secrets.ts
 async function getSecret(config, input) {
   return callApi(config, "/secrets/get", {
@@ -3784,6 +3884,7 @@ function sleep2(ms) {
   WorkersClient,
   acceptAllConsents,
   acceptOrganizationInvitation,
+  assignMemberRole,
   batchIndex,
   canDeleteOrganization,
   canManageMembers,
@@ -3802,8 +3903,10 @@ function sleep2(ms) {
   createCron,
   createDynamicRestClient,
   createOrganization,
+  createPermission,
   createPortalSession,
   createRestClient,
+  createRole,
   createServiceWorkerScript,
   createStepContext,
   createTasksHandler,
@@ -3818,6 +3921,8 @@ function sleep2(ms) {
   deleteEnvVar,
   deleteFile,
   deleteOrganization,
+  deletePermission,
+  deleteRole,
   deleteUser,
   disableDebug,
   embed,
@@ -3851,6 +3956,7 @@ function sleep2(ms) {
   getFlagPayload,
   getFlags,
   getLeaderboard,
+  getMemberPermissions,
   getMyReferralCode,
   getOrganization,
   getOrganizationInvitations,
@@ -3862,6 +3968,7 @@ function sleep2(ms) {
   getReferralLeaderboard,
   getReferralStats,
   getRestErrorMessage,
+  getRole,
   getScheduledEmail,
   getScheduledEmailStats,
   getSearchStats,
@@ -3881,8 +3988,11 @@ function sleep2(ms) {
   getWebhookDeliveries,
   getWebhookDelivery,
   getWebhookStats,
+  hasAllPermissions,
+  hasAnyPermission,
   hasConsent,
   hasError,
+  hasPermission,
   hasRole,
   hasSecret,
   identify,
@@ -3919,6 +4029,8 @@ function sleep2(ms) {
   leaveOrganization,
   linkAnonymousConsents,
   listEnvVars,
+  listPermissions,
+  listRoles,
   listScheduledEmails,
   listSecretKeys,
   listTasks,
@@ -3971,6 +4083,7 @@ function sleep2(ms) {
   updateOrganization,
   updateOrganizationMemberRole,
   updatePushPreferences,
+  updateRole,
   updateUser,
   updateUserMetadata,
   updateWebhookConfig,