@xemahq/authorization-internal-api-client 0.1.0

package/dist/endpoints/teams/teams.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { AddTeamMemberDto, CreateTeamDto, TeamDto, TeamDtoDataArrayEnvelope, TeamMembershipDto, TeamMembershipDtoDataArrayEnvelope, TeamsControllerListParams, UpdateTeamDto } from '../../models';
+/**
+ * @summary Create a team
+ */
+export declare const getTeamsControllerCreateUrl: () => string;
+export declare const teamsControllerCreate: (createTeamDto: CreateTeamDto, options?: RequestInit) => Promise<TeamDto>;
+/**
+ * @summary List teams in an org
+ */
+export declare const getTeamsControllerListUrl: (params: TeamsControllerListParams) => string;
+export declare const teamsControllerList: (params: TeamsControllerListParams, options?: RequestInit) => Promise<TeamDtoDataArrayEnvelope>;
+/**
+ * @summary Get a team by id
+ */
+export declare const getTeamsControllerGetByIdUrl: (id: string) => string;
+export declare const teamsControllerGetById: (id: string, options?: RequestInit) => Promise<TeamDto>;
+/**
+ * @summary Update a team (rename, re-describe, re-parent)
+ */
+export declare const getTeamsControllerUpdateUrl: (id: string) => string;
+export declare const teamsControllerUpdate: (id: string, updateTeamDto: UpdateTeamDto, options?: RequestInit) => Promise<TeamDto>;
+/**
+ * @summary Delete a team (cascades memberships + assignments)
+ */
+export declare const getTeamsControllerDeleteUrl: (id: string) => string;
+export declare const teamsControllerDelete: (id: string, options?: RequestInit) => Promise<void>;
+/**
+ * @summary List a team’s direct members
+ */
+export declare const getTeamsControllerListMembersUrl: (id: string) => string;
+export declare const teamsControllerListMembers: (id: string, options?: RequestInit) => Promise<TeamMembershipDtoDataArrayEnvelope>;
+/**
+ * @summary Add a subject (user/agent/service/app/external) to a team
+ */
+export declare const getTeamsControllerAddMemberUrl: (id: string) => string;
+export declare const teamsControllerAddMember: (id: string, addTeamMemberDto: AddTeamMemberDto, options?: RequestInit) => Promise<TeamMembershipDto>;
+/**
+ * @summary Remove a member from a team
+ */
+export declare const getTeamsControllerRemoveMemberUrl: (id: string, membershipId: string) => string;
+export declare const teamsControllerRemoveMember: (id: string, membershipId: string, options?: RequestInit) => Promise<void>;

package/dist/endpoints/teams/teams.js

@@ -0,0 +1,141 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.teamsControllerRemoveMember = exports.getTeamsControllerRemoveMemberUrl = exports.teamsControllerAddMember = exports.getTeamsControllerAddMemberUrl = exports.teamsControllerListMembers = exports.getTeamsControllerListMembersUrl = exports.teamsControllerDelete = exports.getTeamsControllerDeleteUrl = exports.teamsControllerUpdate = exports.getTeamsControllerUpdateUrl = exports.teamsControllerGetById = exports.getTeamsControllerGetByIdUrl = exports.teamsControllerList = exports.getTeamsControllerListUrl = exports.teamsControllerCreate = exports.getTeamsControllerCreateUrl = void 0;
+const custom_fetch_1 = require("../../custom-fetch");
+/**
+ * @summary Create a team
+ */
+const getTeamsControllerCreateUrl = () => {
+    return `/teams`;
+};
+exports.getTeamsControllerCreateUrl = getTeamsControllerCreateUrl;
+const teamsControllerCreate = async (createTeamDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getTeamsControllerCreateUrl)(), {
+        ...options,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(createTeamDto)
+    });
+};
+exports.teamsControllerCreate = teamsControllerCreate;
+/**
+ * @summary List teams in an org
+ */
+const getTeamsControllerListUrl = (params) => {
+    const normalizedParams = new URLSearchParams();
+    Object.entries(params || {}).forEach(([key, value]) => {
+        if (value === undefined)
+            return;
+        if (value === null) {
+            normalizedParams.append(key, 'null');
+            return;
+        }
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item === undefined || item === null)
+                    continue;
+                normalizedParams.append(key, item.toString());
+            }
+            return;
+        }
+        normalizedParams.append(key, value.toString());
+    });
+    const stringifiedParams = normalizedParams.toString();
+    return stringifiedParams.length > 0 ? `/teams?${stringifiedParams}` : `/teams`;
+};
+exports.getTeamsControllerListUrl = getTeamsControllerListUrl;
+const teamsControllerList = async (params, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getTeamsControllerListUrl)(params), {
+        ...options,
+        method: 'GET'
+    });
+};
+exports.teamsControllerList = teamsControllerList;
+/**
+ * @summary Get a team by id
+ */
+const getTeamsControllerGetByIdUrl = (id) => {
+    return `/teams/${id}`;
+};
+exports.getTeamsControllerGetByIdUrl = getTeamsControllerGetByIdUrl;
+const teamsControllerGetById = async (id, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getTeamsControllerGetByIdUrl)(id), {
+        ...options,
+        method: 'GET'
+    });
+};
+exports.teamsControllerGetById = teamsControllerGetById;
+/**
+ * @summary Update a team (rename, re-describe, re-parent)
+ */
+const getTeamsControllerUpdateUrl = (id) => {
+    return `/teams/${id}`;
+};
+exports.getTeamsControllerUpdateUrl = getTeamsControllerUpdateUrl;
+const teamsControllerUpdate = async (id, updateTeamDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getTeamsControllerUpdateUrl)(id), {
+        ...options,
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(updateTeamDto)
+    });
+};
+exports.teamsControllerUpdate = teamsControllerUpdate;
+/**
+ * @summary Delete a team (cascades memberships + assignments)
+ */
+const getTeamsControllerDeleteUrl = (id) => {
+    return `/teams/${id}`;
+};
+exports.getTeamsControllerDeleteUrl = getTeamsControllerDeleteUrl;
+const teamsControllerDelete = async (id, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getTeamsControllerDeleteUrl)(id), {
+        ...options,
+        method: 'DELETE'
+    });
+};
+exports.teamsControllerDelete = teamsControllerDelete;
+/**
+ * @summary List a team’s direct members
+ */
+const getTeamsControllerListMembersUrl = (id) => {
+    return `/teams/${id}/members`;
+};
+exports.getTeamsControllerListMembersUrl = getTeamsControllerListMembersUrl;
+const teamsControllerListMembers = async (id, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getTeamsControllerListMembersUrl)(id), {
+        ...options,
+        method: 'GET'
+    });
+};
+exports.teamsControllerListMembers = teamsControllerListMembers;
+/**
+ * @summary Add a subject (user/agent/service/app/external) to a team
+ */
+const getTeamsControllerAddMemberUrl = (id) => {
+    return `/teams/${id}/members`;
+};
+exports.getTeamsControllerAddMemberUrl = getTeamsControllerAddMemberUrl;
+const teamsControllerAddMember = async (id, addTeamMemberDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getTeamsControllerAddMemberUrl)(id), {
+        ...options,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(addTeamMemberDto)
+    });
+};
+exports.teamsControllerAddMember = teamsControllerAddMember;
+/**
+ * @summary Remove a member from a team
+ */
+const getTeamsControllerRemoveMemberUrl = (id, membershipId) => {
+    return `/teams/${id}/members/${membershipId}`;
+};
+exports.getTeamsControllerRemoveMemberUrl = getTeamsControllerRemoveMemberUrl;
+const teamsControllerRemoveMember = async (id, membershipId, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getTeamsControllerRemoveMemberUrl)(id, membershipId), {
+        ...options,
+        method: 'DELETE'
+    });
+};
+exports.teamsControllerRemoveMember = teamsControllerRemoveMember;

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { configureClient, getClientConfig, ClientError, customFetch, type ClientConfig } from './custom-fetch';
+export * from './models';
+export * from './endpoints/authorization/authorization';
+export * from './endpoints/credential-defaults/credential-defaults';
+export * from './endpoints/environments/environments';
+export * from './endpoints/grants/grants';
+export * from './endpoints/profiles/profiles';
+export * from './endpoints/relationships/relationships';
+export * from './endpoints/roles/roles';
+export * from './endpoints/teams/teams';

package/dist/index.js

@@ -0,0 +1,32 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.customFetch = exports.ClientError = exports.getClientConfig = exports.configureClient = void 0;
+// Auto-generated by @xemahq/api-client-generator — do not edit manually.
+var custom_fetch_1 = require("./custom-fetch");
+Object.defineProperty(exports, "configureClient", { enumerable: true, get: function () { return custom_fetch_1.configureClient; } });
+Object.defineProperty(exports, "getClientConfig", { enumerable: true, get: function () { return custom_fetch_1.getClientConfig; } });
+Object.defineProperty(exports, "ClientError", { enumerable: true, get: function () { return custom_fetch_1.ClientError; } });
+Object.defineProperty(exports, "customFetch", { enumerable: true, get: function () { return custom_fetch_1.customFetch; } });
+__exportStar(require("./models"), exports);
+__exportStar(require("./endpoints/authorization/authorization"), exports);
+__exportStar(require("./endpoints/credential-defaults/credential-defaults"), exports);
+__exportStar(require("./endpoints/environments/environments"), exports);
+__exportStar(require("./endpoints/grants/grants"), exports);
+__exportStar(require("./endpoints/profiles/profiles"), exports);
+__exportStar(require("./endpoints/relationships/relationships"), exports);
+__exportStar(require("./endpoints/roles/roles"), exports);
+__exportStar(require("./endpoints/teams/teams"), exports);

package/dist/models/addRoleGrantDto.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { GrantConstraintsDto } from './grantConstraintsDto';
+export interface AddRoleGrantDto {
+    /** Canonical CapabilityRef from `@xemahq/kernel-contracts/capability`. */
+    capability: string;
+    resourceGlob?: string;
+    /** Built-in environment slug. */
+    environment: string;
+    constraints?: GrantConstraintsDto;
+    requiresApproval?: boolean;
+}

package/dist/models/addRoleGrantDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/addTeamMemberDto.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { SubjectKind } from './subjectKind';
+export interface AddTeamMemberDto {
+    subjectKind: SubjectKind;
+    subjectRef: string;
+}

package/dist/models/addTeamMemberDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/assignRoleDto.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { SubjectKind } from './subjectKind';
+export interface AssignRoleDto {
+    /** The org this assignment is scoped to. For a custom role it must equal the role’s org; for a built-in role (system sentinel) it is the real consuming org. */
+    orgId: string;
+    subjectKind?: SubjectKind;
+    subjectRef?: string;
+    /** Assign the role to every member of this team. */
+    teamId?: string;
+}

package/dist/models/assignRoleDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/authorizationCheckRequestDto.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { SubjectRefDto } from './subjectRefDto';
+export interface AuthorizationCheckRequestDto {
+    /** Organization identifier. Scopes the grant lookup to the tenant. */
+    orgId: string;
+    /** Canonical CapabilityRef `<domain>:<resource>.<verb>@<major>` from `@xemahq/kernel-contracts/capability`. */
+    capability: string;
+    subject: SubjectRefDto;
+    /** ExecutionEnvironmentRef in `environment:<slug>` format (e.g. `"environment:project"`). The service parses the prefix and checks the slug against the ExecutionEnvironmentKind enum. */
+    environment: string;
+    /** XVFS resource ref the capability targets (optional in Phase 3). */
+    resource?: string;
+    /** Audience policy slug; Phase 3 ignores this dimension. */
+    audience?: string;
+    /** Caller-supplied correlation id surfaced in audit logs. */
+    correlationId?: string;
+}

package/dist/models/authorizationCheckRequestDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/authorizationCheckResponseDto.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { AuthorizationReasonDto } from './authorizationReasonDto';
+import type { AuthorizationSuggestionDto } from './authorizationSuggestionDto';
+export interface AuthorizationCheckResponseDto {
+    allowed: boolean;
+    /** Identifier of the `CapabilityGrant` row that matched (allow only). */
+    grantId?: string;
+    reasons: AuthorizationReasonDto[];
+    suggestions: AuthorizationSuggestionDto[];
+}

package/dist/models/authorizationCheckResponseDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/authorizationDecisionCode.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type AuthorizationDecisionCode = typeof AuthorizationDecisionCode[keyof typeof AuthorizationDecisionCode];
+export declare const AuthorizationDecisionCode: {
+    readonly MATCHED_GRANT: "MATCHED_GRANT";
+    readonly NO_GRANT_FOUND: "NO_GRANT_FOUND";
+    readonly GRANT_REVOKED: "GRANT_REVOKED";
+    readonly CAPABILITY_DENIED_BY_ZONE: "CAPABILITY_DENIED_BY_ZONE";
+    readonly CAPABILITY_REQUIRES_APPROVAL: "CAPABILITY_REQUIRES_APPROVAL";
+};

package/dist/models/authorizationDecisionCode.js

@@ -0,0 +1,17 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationDecisionCode = void 0;
+exports.AuthorizationDecisionCode = {
+    MATCHED_GRANT: 'MATCHED_GRANT',
+    NO_GRANT_FOUND: 'NO_GRANT_FOUND',
+    GRANT_REVOKED: 'GRANT_REVOKED',
+    CAPABILITY_DENIED_BY_ZONE: 'CAPABILITY_DENIED_BY_ZONE',
+    CAPABILITY_REQUIRES_APPROVAL: 'CAPABILITY_REQUIRES_APPROVAL',
+};

package/dist/models/authorizationReasonDto.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { AuthorizationDecisionCode } from './authorizationDecisionCode';
+export interface AuthorizationReasonDto {
+    code: AuthorizationDecisionCode;
+    detail: string;
+}

package/dist/models/authorizationReasonDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/authorizationSuggestionDto.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { AuthorizationSuggestionKind } from './authorizationSuggestionKind';
+export interface AuthorizationSuggestionDto {
+    kind: AuthorizationSuggestionKind;
+    capability?: string;
+    environment?: string;
+    resource?: string;
+    /** For `switch-environment`: the environment the request was sent with (denied). For other kinds, undefined. */
+    from?: string;
+    /** For `switch-environment`: a environment the caller already holds a matching grant in. For other kinds, undefined. */
+    to?: string;
+}

package/dist/models/authorizationSuggestionDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/authorizationSuggestionKind.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type AuthorizationSuggestionKind = typeof AuthorizationSuggestionKind[keyof typeof AuthorizationSuggestionKind];
+export declare const AuthorizationSuggestionKind: {
+    readonly 'request-grant': "request-grant";
+    readonly 'switch-environment': "switch-environment";
+    readonly 'request-approval': "request-approval";
+};

package/dist/models/authorizationSuggestionKind.js

@@ -0,0 +1,15 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationSuggestionKind = void 0;
+exports.AuthorizationSuggestionKind = {
+    'request-grant': 'request-grant',
+    'switch-environment': 'switch-environment',
+    'request-approval': 'request-approval',
+};

package/dist/models/biomePermissionProfile.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+/**
+ * Profile template that materialised this row, if any.
+ */
+export type BiomePermissionProfile = typeof BiomePermissionProfile[keyof typeof BiomePermissionProfile];
+export declare const BiomePermissionProfile: {
+    readonly 'read-only-assistant': "read-only-assistant";
+    readonly 'support-chatbot': "support-chatbot";
+    readonly 'internal-agent': "internal-agent";
+    readonly 'workflow-runner': "workflow-runner";
+    readonly 'connector-bridge': "connector-bridge";
+    readonly 'power-user-developer': "power-user-developer";
+    readonly 'org-admin-tool': "org-admin-tool";
+    readonly 'sandbox-only': "sandbox-only";
+    readonly unrestricted: "unrestricted";
+};

package/dist/models/biomePermissionProfile.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BiomePermissionProfile = void 0;
+exports.BiomePermissionProfile = {
+    'read-only-assistant': 'read-only-assistant',
+    'support-chatbot': 'support-chatbot',
+    'internal-agent': 'internal-agent',
+    'workflow-runner': 'workflow-runner',
+    'connector-bridge': 'connector-bridge',
+    'power-user-developer': 'power-user-developer',
+    'org-admin-tool': 'org-admin-tool',
+    'sandbox-only': 'sandbox-only',
+    unrestricted: 'unrestricted',
+};

package/dist/models/biomeTrustTier.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type BiomeTrustTier = typeof BiomeTrustTier[keyof typeof BiomeTrustTier];
+export declare const BiomeTrustTier: {
+    readonly official: "official";
+    readonly verified: "verified";
+    readonly community: "community";
+    readonly untrusted: "untrusted";
+};

package/dist/models/biomeTrustTier.js

@@ -0,0 +1,16 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BiomeTrustTier = void 0;
+exports.BiomeTrustTier = {
+    official: 'official',
+    verified: 'verified',
+    community: 'community',
+    untrusted: 'untrusted',
+};

package/dist/models/callerKind.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type CallerKind = typeof CallerKind[keyof typeof CallerKind];
+export declare const CallerKind: {
+    readonly web: "web";
+    readonly api: "api";
+    readonly agent: "agent";
+    readonly workflow: "workflow";
+    readonly shell: "shell";
+    readonly scheduler: "scheduler";
+};

package/dist/models/callerKind.js

@@ -0,0 +1,18 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CallerKind = void 0;
+exports.CallerKind = {
+    web: 'web',
+    api: 'api',
+    agent: 'agent',
+    workflow: 'workflow',
+    shell: 'shell',
+    scheduler: 'scheduler',
+};

package/dist/models/capabilityGrantDto.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { BiomePermissionProfile } from './biomePermissionProfile';
+import type { GrantConstraintsDto } from './grantConstraintsDto';
+import type { SubjectKind } from './subjectKind';
+export interface CapabilityGrantDto {
+    id: string;
+    /** Organization identifier this grant is scoped to. */
+    orgId: string;
+    subjectKind: SubjectKind;
+    subjectRef: string;
+    capability: string;
+    resourceGlob: string;
+    environment: string;
+    constraints?: GrantConstraintsDto | null;
+    requiresApproval: boolean;
+    profile?: BiomePermissionProfile | null;
+    /**
+       * Opaque credential-binding pointer (plan §W4.1). EXPLICIT tier of the credential ladder; null when this grant carries no explicit binding.
+       * @nullable
+       */
+    credentialBindingId?: string | null;
+    createdAt: string;
+    updatedAt: string;
+    /** @nullable */
+    revokedAt?: string | null;
+}

package/dist/models/capabilityGrantDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/capabilityGrantRelation.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type CapabilityGrantRelation = typeof CapabilityGrantRelation[keyof typeof CapabilityGrantRelation];
+export declare const CapabilityGrantRelation: {
+    readonly granted_to: "granted_to";
+    readonly granted_pending_approval: "granted_pending_approval";
+};

package/dist/models/capabilityGrantRelation.js

@@ -0,0 +1,14 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CapabilityGrantRelation = void 0;
+exports.CapabilityGrantRelation = {
+    granted_to: 'granted_to',
+    granted_pending_approval: 'granted_pending_approval',
+};