@xemahq/authorization-internal-api-client 0.1.0

package/dist/models/policyDecisionDto.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { CredentialPrecedenceSource } from './credentialPrecedenceSource';
+import type { PolicyDecisionKind } from './policyDecisionKind';
+import type { PolicyObligationDto } from './policyObligationDto';
+import type { PolicyRouteHintDto } from './policyRouteHintDto';
+export interface PolicyDecisionDto {
+    kind: PolicyDecisionKind;
+    /** Stable wire-code denial reason from the OPA bundle / authorization-api decision matrix. Free-form here; closed by the bundle. Surfaced verbatim in audit + capability-router error envelopes. */
+    reason?: string;
+    obligations?: PolicyObligationDto[];
+    routeHints?: PolicyRouteHintDto;
+    /** Credential binding the executing gateway MUST use to resolve the external credential for this invocation (plan §W4 / Pillar 3.2). Present ONLY on an `allow` for a capability that declares an `externalServiceRef`. Opaque id — never a secret; the broker re-validates it before reading custody. */
+    credentialBindingId?: string;
+    /** Which precedence tier supplied `credentialBindingId` (explicit grant > capability default > project default > org default). Populated iff `credentialBindingId` is present. */
+    credentialPrecedenceApplied?: CredentialPrecedenceSource;
+}

package/dist/models/policyDecisionDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/policyDecisionKind.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type PolicyDecisionKind = typeof PolicyDecisionKind[keyof typeof PolicyDecisionKind];
+export declare const PolicyDecisionKind: {
+    readonly allow: "allow";
+    readonly deny: "deny";
+    readonly needs_approval: "needs_approval";
+};

package/dist/models/policyDecisionKind.js

@@ -0,0 +1,15 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyDecisionKind = void 0;
+exports.PolicyDecisionKind = {
+    allow: 'allow',
+    deny: 'deny',
+    needs_approval: 'needs_approval',
+};

package/dist/models/policyEnvironmentDto.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export interface PolicyEnvironmentDto {
+    /** environment:<slug> ref string. */
+    id: string;
+    /** Closed kernel enum value covered by ExecutionEnvironmentKind. */
+    kind: string;
+}

package/dist/models/policyEnvironmentDto.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/policyObligationDto.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { DataClassification } from './dataClassification';
+import type { DataResidency } from './dataResidency';
+import type { PolicyObligationKind } from './policyObligationKind';
+import type { RunnerKind } from './runnerKind';
+export interface PolicyObligationDto {
+    kind: PolicyObligationKind;
+    runnerKind?: RunnerKind;
+    approverRole?: string;
+    maxDurationSeconds?: number;
+    maxCostUsd?: number;
+    maxClassification?: DataClassification;
+    residency?: DataResidency;
+}

package/dist/models/policyObligationDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/policyObligationKind.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type PolicyObligationKind = typeof PolicyObligationKind[keyof typeof PolicyObligationKind];
+export declare const PolicyObligationKind: {
+    readonly audit: "audit";
+    readonly 'redact-secrets': "redact-secrets";
+    readonly 'require-runner-kind': "require-runner-kind";
+    readonly 'require-human-approval': "require-human-approval";
+    readonly 'max-duration-seconds': "max-duration-seconds";
+    readonly 'max-cost-usd': "max-cost-usd";
+    readonly 'restrict-output-classification': "restrict-output-classification";
+    readonly 'data-residency': "data-residency";
+};

package/dist/models/policyObligationKind.js

@@ -0,0 +1,20 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyObligationKind = void 0;
+exports.PolicyObligationKind = {
+    audit: 'audit',
+    'redact-secrets': 'redact-secrets',
+    'require-runner-kind': 'require-runner-kind',
+    'require-human-approval': 'require-human-approval',
+    'max-duration-seconds': 'max-duration-seconds',
+    'max-cost-usd': 'max-cost-usd',
+    'restrict-output-classification': 'restrict-output-classification',
+    'data-residency': 'data-residency',
+};

package/dist/models/policyResourceDto.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { DataClassification } from './dataClassification';
+export interface PolicyResourceDto {
+    ref: string;
+    classification: DataClassification;
+}

package/dist/models/policyResourceDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/policyRouteHintDto.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { PolicyRouteHintDtoRequiredRunnerLabels } from './policyRouteHintDtoRequiredRunnerLabels';
+import type { RunnerKind } from './runnerKind';
+export interface PolicyRouteHintDto {
+    requiredRunnerLabels?: PolicyRouteHintDtoRequiredRunnerLabels;
+    preferredRunnerKind?: RunnerKind;
+    requiredRegion?: string;
+    requireCustomerEdge?: boolean;
+}

package/dist/models/policyRouteHintDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/policyRouteHintDtoRequiredRunnerLabels.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type PolicyRouteHintDtoRequiredRunnerLabels = {
+    [key: string]: string;
+};

package/dist/models/policyRouteHintDtoRequiredRunnerLabels.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/policySpaceRefDto.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { SpaceKind } from './spaceKind';
+export interface PolicySpaceRefDto {
+    tier: SpaceKind;
+    orgId?: string;
+    projectId?: string;
+    appId?: string;
+    sessionId?: string;
+    biomeId?: string;
+    userId?: string;
+    path?: string;
+}

package/dist/models/policySpaceRefDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/policySubjectRefDto.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { PolicyActingForDto } from './policyActingForDto';
+import type { SubjectKind } from './subjectKind';
+export interface PolicySubjectRefDto {
+    kind: SubjectKind;
+    id: string;
+    roles?: string[];
+    actingFor?: PolicyActingForDto;
+}

package/dist/models/policySubjectRefDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/profilePolicyTemplateDto.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { BiomePermissionProfile } from './biomePermissionProfile';
+import type { ProfilePolicyTemplateDtoNotes } from './profilePolicyTemplateDtoNotes';
+export interface ProfilePolicyTemplateDto {
+    id: string;
+    profile: BiomePermissionProfile;
+    /** Built-in environment slugs. */
+    defaultEnvironments: string[];
+    defaultRequiresApproval: boolean;
+    /** @nullable */
+    notes?: ProfilePolicyTemplateDtoNotes;
+    createdAt: string;
+    updatedAt: string;
+}

package/dist/models/profilePolicyTemplateDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/profilePolicyTemplateDtoNotes.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+/**
+ * @nullable
+ */
+export type ProfilePolicyTemplateDtoNotes = {
+    [key: string]: unknown;
+} | null;

package/dist/models/profilePolicyTemplateDtoNotes.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/relationshipsControllerListParams.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { CapabilityGrantRelation } from './capabilityGrantRelation';
+import type { SubjectKind } from './subjectKind';
+export type RelationshipsControllerListParams = {
+    /**
+     * Filter to relationships within a single organization.
+     */
+    orgId?: string;
+    /**
+     * Filter by subject kind (the user-type half of the tuple).
+     */
+    subjectKind?: SubjectKind;
+    /**
+     * Filter by subject ref (the user-id half of the tuple).
+     */
+    subjectRef?: string;
+    /**
+     * Filter by the canonical CapabilityRef the object encodes.
+     */
+    capability?: string;
+    /**
+     * Filter by the environment slug the capability object is scoped to.
+     */
+    environment?: string;
+    /**
+     * Filter by relation (`granted_to` | `granted_pending_approval`).
+     */
+    relation?: CapabilityGrantRelation;
+    /**
+     * @minimum 1
+     * @maximum 200
+     */
+    limit?: number;
+    /**
+     * @minimum 0
+     */
+    offset?: number;
+};

package/dist/models/relationshipsControllerListParams.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleAssignmentDto.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { SubjectKind } from './subjectKind';
+export interface RoleAssignmentDto {
+    id: string;
+    roleId: string;
+    orgId: string;
+    subjectKind?: SubjectKind | null;
+    /** @nullable */
+    subjectRef?: string | null;
+    /** @nullable */
+    teamId?: string | null;
+    createdAt: string;
+}

package/dist/models/roleAssignmentDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleAssignmentDtoDataArrayEnvelope.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { RoleAssignmentDto } from './roleAssignmentDto';
+export interface RoleAssignmentDtoDataArrayEnvelope {
+    data: RoleAssignmentDto[];
+}

package/dist/models/roleAssignmentDtoDataArrayEnvelope.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleAssignmentDtoSubjectRef.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+/**
+ * @nullable
+ */
+export type RoleAssignmentDtoSubjectRef = {
+    [key: string]: unknown;
+} | null;

package/dist/models/roleAssignmentDtoSubjectRef.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleAssignmentDtoTeamId.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+/**
+ * @nullable
+ */
+export type RoleAssignmentDtoTeamId = {
+    [key: string]: unknown;
+} | null;

package/dist/models/roleAssignmentDtoTeamId.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleDto.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export interface RoleDto {
+    id: string;
+    orgId: string;
+    slug: string;
+    displayName: string;
+    /** @nullable */
+    description?: string | null;
+    /** Kernel-seeded built-in role (immutable from the UI). */
+    isBuiltIn: boolean;
+    createdAt: string;
+    updatedAt: string;
+}

package/dist/models/roleDto.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleDtoDataArrayEnvelope.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { RoleDto } from './roleDto';
+export interface RoleDtoDataArrayEnvelope {
+    data: RoleDto[];
+}

package/dist/models/roleDtoDataArrayEnvelope.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleDtoDescription.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+/**
+ * @nullable
+ */
+export type RoleDtoDescription = {
+    [key: string]: unknown;
+} | null;

package/dist/models/roleDtoDescription.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleGrantDto.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { GrantConstraintsDto } from './grantConstraintsDto';
+export interface RoleGrantDto {
+    id: string;
+    roleId: string;
+    capability: string;
+    resourceGlob: string;
+    environment: string;
+    constraints?: GrantConstraintsDto | null;
+    requiresApproval: boolean;
+    createdAt: string;
+}

package/dist/models/roleGrantDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/roleGrantDtoDataArrayEnvelope.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+import type { RoleGrantDto } from './roleGrantDto';
+export interface RoleGrantDtoDataArrayEnvelope {
+    data: RoleGrantDto[];
+}

package/dist/models/roleGrantDtoDataArrayEnvelope.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/rolesControllerListParams.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type RolesControllerListParams = {
+    orgId: string;
+    /**
+     * Include kernel-seeded built-in roles (default true).
+     */
+    includeBuiltIn?: boolean;
+};

package/dist/models/rolesControllerListParams.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/runnerKind.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type RunnerKind = typeof RunnerKind[keyof typeof RunnerKind];
+export declare const RunnerKind: {
+    readonly local: "local";
+    readonly cloud: "cloud";
+    readonly 'customer-edge': "customer-edge";
+    readonly gpu: "gpu";
+    readonly sandbox: "sandbox";
+    readonly ci: "ci";
+    readonly 'mcp-external': "mcp-external";
+};

package/dist/models/runnerKind.js

@@ -0,0 +1,19 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RunnerKind = void 0;
+exports.RunnerKind = {
+    local: 'local',
+    cloud: 'cloud',
+    'customer-edge': 'customer-edge',
+    gpu: 'gpu',
+    sandbox: 'sandbox',
+    ci: 'ci',
+    'mcp-external': 'mcp-external',
+};

package/dist/models/spaceKind.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Authorization API
+ * Authorization API extract (generated for client codegen).
+ * OpenAPI spec version: 0.1.0
+ */
+export type SpaceKind = typeof SpaceKind[keyof typeof SpaceKind];
+export declare const SpaceKind: {
+    readonly system: "system";
+    readonly org: "org";
+    readonly project: "project";
+    readonly app: "app";
+    readonly session: "session";
+    readonly biome: "biome";
+    readonly user: "user";
+};