@xemahq/credential-broker-internal-api-client 0.1.0

package/LICENSE

@@ -0,0 +1 @@
+Copyright (c) 2026 Xema. All rights reserved.

package/README.md

@@ -0,0 +1,62 @@
+<!-- Generated by @xemahq/api-client-generator. Do not edit by hand. -->
+<p align="center">
+<svg width="680" height="120" viewBox="0 0 680 120" fill="none" xmlns="http://www.w3.org/2000/svg" role="img" aria-label="@xemahq/credential-broker-internal-api-client">
+  <rect width="680" height="120" rx="14" fill="#0B1020"/>
+  <g transform="translate(28,34)">
+    <path d="M26 0 L52 15 L52 45 L26 60 L0 45 L0 15 Z" fill="#14B8A6" opacity="0.18"/>
+    <path d="M26 12 L41 21 L41 39 L26 48 L11 39 L11 21 Z" fill="#14B8A6"/>
+  </g>
+  <text x="92" y="52" font-family="ui-monospace,SFMono-Regular,Menlo,monospace" font-size="22" fill="#F8FAFC" font-weight="700">@xemahq/credential-broker-internal-api-client</text>
+  <text x="92" y="80" font-family="ui-sans-serif,system-ui,sans-serif" font-size="15" fill="#94A3B8">Typed, generated internal HTTP client for the Credential Broker API.</text>
+  <text x="652" y="105" text-anchor="end" font-family="ui-sans-serif,system-ui,sans-serif" font-size="12" fill="#475569">xema.dev</text>
+</svg>
+</p>
+
+<p align="center">
+  <a href="https://xema.dev">Website</a> &middot;
+  <a href="https://www.npmjs.com/package/@xemahq/credential-broker-internal-api-client">npm</a>
+</p>
+
+<p align="center">
+  <img alt="npm" src="https://img.shields.io/npm/v/%40xemahq%2Fcredential-broker-internal-api-client?color=2563eb&label=npm">
+  <img alt="license" src="https://img.shields.io/npm/l/%40xemahq%2Fcredential-broker-internal-api-client?color=10b981">
+  <img alt="types" src="https://img.shields.io/npm/types/%40xemahq%2Fcredential-broker-internal-api-client?color=3178c6">
+</p>
+
+# @xemahq/credential-broker-internal-api-client
+
+> Typed, generated internal HTTP client for the Credential Broker API.
+
+## Overview
+
+Auto-generated TypeScript client for the **Credential Broker API**. It exports typed
+request functions and response models that mirror the service's OpenAPI surface,
+so callers get end-to-end type safety without hand-writing HTTP calls. This
+package is produced by `@xemahq/api-client-generator` and regenerated whenever
+the service's API changes — do not edit it by hand.
+
+## When to use it
+
+- Use it from any TypeScript service or app that calls the Credential Broker API over HTTP.
+- You get compile-time types for every endpoint and payload; regenerate to pick
+  up API changes rather than editing the client.
+
+## Installation
+
+```bash
+pnpm add @xemahq/credential-broker-internal-api-client
+```
+
+## Usage
+
+```ts
+// Every endpoint function and response model is exported from the package root.
+import * as client from '@xemahq/credential-broker-internal-api-client';
+```
+
+Call the typed endpoint functions; request and response shapes are fully typed
+from the service's OpenAPI spec.
+
+## License
+
+Proprietary — &copy; Xema. All rights reserved. — [xema.dev](https://xema.dev)

package/dist/custom-fetch.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Configurable fetch wrapper for Orval-generated clients.
+ *
+ * Consumers must call `configureClient()` before using any endpoint function.
+ * The baseUrl is prepended to the relative paths generated by Orval.
+ */
+export interface ClientConfig {
+    /** Static base URL (e.g. 'http://localhost:3140') — no trailing slash. */
+    baseUrl?: string;
+    /** Per-request base-URL resolver (service-registry-safe). */
+    baseUrlResolver?: () => string | Promise<string>;
+    /** Optional async callback to get an auth token. */
+    getAuthToken?: () => Promise<string>;
+    /** Optional callback returning headers to inject on every request. */
+    getHeaders?: () => Record<string, string> | Promise<Record<string, string>>;
+    /** Optional callback invoked on 401 before a single retry. */
+    onUnauthorized?: () => Promise<void>;
+    /** Maximum retry attempts for transient failures (default: 3). */
+    maxRetries?: number;
+}
+export declare class ClientError extends Error {
+    readonly status: number;
+    readonly url: string;
+    readonly body: unknown;
+    constructor(status: number, url: string, body: unknown);
+}
+export declare function configureClient(config: ClientConfig): void;
+export declare function getClientConfig(): ClientConfig;
+export declare const customFetch: <T>(url: string, options: RequestInit) => Promise<T>;
+export default customFetch;

package/dist/custom-fetch.js

@@ -0,0 +1,132 @@
+"use strict";
+/**
+ * Configurable fetch wrapper for Orval-generated clients.
+ *
+ * Consumers must call `configureClient()` before using any endpoint function.
+ * The baseUrl is prepended to the relative paths generated by Orval.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.customFetch = exports.ClientError = void 0;
+exports.configureClient = configureClient;
+exports.getClientConfig = getClientConfig;
+class ClientError extends Error {
+    status;
+    url;
+    body;
+    constructor(status, url, body) {
+        super(`HTTP ${status} from ${url}`);
+        this.status = status;
+        this.url = url;
+        this.body = body;
+        this.name = 'ClientError';
+    }
+}
+exports.ClientError = ClientError;
+let clientConfig = null;
+function configureClient(config) {
+    clientConfig = config;
+}
+function getClientConfig() {
+    if (!clientConfig) {
+        throw new Error('Client not configured. Call configureClient({ baseUrl }) before using endpoint functions.');
+    }
+    return clientConfig;
+}
+const RETRYABLE_STATUSES = [429, 502, 503, 504];
+async function buildHeaders(config, callerHeaders) {
+    const headers = new Headers(callerHeaders);
+    if (config.getHeaders) {
+        const globalHeaders = await Promise.resolve(config.getHeaders());
+        for (const [key, value] of Object.entries(globalHeaders)) {
+            if (!headers.has(key)) {
+                headers.set(key, value);
+            }
+        }
+    }
+    if (config.getAuthToken && !headers.has('Authorization')) {
+        const token = await config.getAuthToken();
+        headers.set('Authorization', `Bearer ${token}`);
+    }
+    return headers;
+}
+const customFetch = async (url, options) => {
+    const config = getClientConfig();
+    const base = config.baseUrlResolver
+        ? await config.baseUrlResolver()
+        : config.baseUrl;
+    if (base === undefined) {
+        throw new Error('Client not configured: set baseUrl or baseUrlResolver via configureClient().');
+    }
+    const fullUrl = `${base}${url}`;
+    const maxRetries = config.maxRetries ?? 3;
+    const headers = await buildHeaders(config, options.headers);
+    const requestInit = { ...options, headers };
+    let delay = 1000;
+    let lastError;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+        try {
+            const response = await fetch(fullUrl, requestInit);
+            if (response.status === 401 && config.onUnauthorized && attempt === 0) {
+                await config.onUnauthorized();
+                const refreshedHeaders = await buildHeaders(config, options.headers);
+                const retryResponse = await fetch(fullUrl, { ...options, headers: refreshedHeaders });
+                const retryBody = await parseBody(retryResponse);
+                if (retryResponse.status >= 400) {
+                    throw new ClientError(retryResponse.status, fullUrl, retryBody);
+                }
+                return retryBody;
+            }
+            if (!RETRYABLE_STATUSES.includes(response.status) || attempt >= maxRetries) {
+                const body = await parseBody(response);
+                if (response.status >= 400) {
+                    throw new ClientError(response.status, fullUrl, body);
+                }
+                return body;
+            }
+            const retryAfter = parseRetryAfter(response.headers.get('Retry-After'));
+            const waitMs = retryAfter ?? addJitter(delay);
+            await sleep(waitMs);
+            delay = Math.min(delay * 2, 30_000);
+        }
+        catch (error) {
+            if (error instanceof ClientError)
+                throw error;
+            lastError = error instanceof Error ? error : new Error(String(error));
+            if (attempt >= maxRetries)
+                throw lastError;
+            const waitMs = addJitter(delay);
+            await sleep(waitMs);
+            delay = Math.min(delay * 2, 30_000);
+        }
+    }
+    throw lastError ?? new Error(`All retries exhausted for ${fullUrl}`);
+};
+exports.customFetch = customFetch;
+async function parseBody(response) {
+    const contentType = response.headers.get('content-type');
+    if (contentType?.includes('application/json')) {
+        return response.json();
+    }
+    if (response.status === 204) {
+        return undefined;
+    }
+    return response.text();
+}
+function parseRetryAfter(value) {
+    if (!value)
+        return undefined;
+    const seconds = Number(value);
+    if (!isNaN(seconds) && seconds >= 0)
+        return seconds * 1000;
+    const date = new Date(value);
+    if (!isNaN(date.getTime()))
+        return Math.max(0, date.getTime() - Date.now());
+    return undefined;
+}
+function addJitter(delay) {
+    return delay + (Math.random() * 2 - 1) * delay * 0.25;
+}
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+exports.default = exports.customFetch;

package/dist/endpoints/credential-bindings/credential-bindings.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { CreateCredentialBindingDto, CreateDelegationDto, CredentialBindingDtoDataArrayEnvelope, CredentialBindingDtoDataEnvelope, CredentialBindingsControllerListParams, DelegationGrantDtoDataArrayEnvelope, DelegationGrantDtoDataEnvelope, ResolveCredentialDto, ResolveForJobDto, ResolvedEnvelopeDtoDataEnvelope, RotateCredentialBindingDto, UpdateCredentialBindingDto } from '../../models';
+/**
+ * @summary Create a credential binding (secret → custody).
+ */
+export declare const getCredentialBindingsControllerCreateUrl: () => string;
+export declare const credentialBindingsControllerCreate: (createCredentialBindingDto: CreateCredentialBindingDto, options?: RequestInit) => Promise<CredentialBindingDtoDataEnvelope>;
+/**
+ * @summary List credential bindings for an org (and project).
+ */
+export declare const getCredentialBindingsControllerListUrl: (params: CredentialBindingsControllerListParams) => string;
+export declare const credentialBindingsControllerList: (params: CredentialBindingsControllerListParams, options?: RequestInit) => Promise<CredentialBindingDtoDataArrayEnvelope>;
+/**
+ * @summary Runner-plane resolve. Verifies the JobToken and returns a sealed sidecar envelope.
+ */
+export declare const getCredentialBindingsControllerResolveForJobUrl: () => string;
+export declare const credentialBindingsControllerResolveForJob: (resolveForJobDto: ResolveForJobDto, options?: RequestInit) => Promise<ResolvedEnvelopeDtoDataEnvelope>;
+/**
+ * @summary Get a credential binding by id.
+ */
+export declare const getCredentialBindingsControllerGetByIdUrl: (id: string) => string;
+export declare const credentialBindingsControllerGetById: (id: string, options?: RequestInit) => Promise<CredentialBindingDtoDataEnvelope>;
+/**
+ * @summary Update the non-secret facets of a binding.
+ */
+export declare const getCredentialBindingsControllerUpdateUrl: (id: string) => string;
+export declare const credentialBindingsControllerUpdate: (id: string, updateCredentialBindingDto: UpdateCredentialBindingDto, options?: RequestInit) => Promise<CredentialBindingDtoDataEnvelope>;
+/**
+ * @summary Revoke a binding and delete its custody secret.
+ */
+export declare const getCredentialBindingsControllerRevokeUrl: (id: string) => string;
+export declare const credentialBindingsControllerRevoke: (id: string, options?: RequestInit) => Promise<void>;
+/**
+ * @summary Rotate the secret behind a binding.
+ */
+export declare const getCredentialBindingsControllerRotateUrl: (id: string) => string;
+export declare const credentialBindingsControllerRotate: (id: string, rotateCredentialBindingDto: RotateCredentialBindingDto, options?: RequestInit) => Promise<CredentialBindingDtoDataEnvelope>;
+/**
+ * @summary Resolve a binding into a sealed envelope for the executing gateway.
+ */
+export declare const getCredentialBindingsControllerResolveUrl: (id: string) => string;
+export declare const credentialBindingsControllerResolve: (id: string, resolveCredentialDto: ResolveCredentialDto, options?: RequestInit) => Promise<ResolvedEnvelopeDtoDataEnvelope>;
+/**
+ * @summary Delegate a binding to a grantee subject.
+ */
+export declare const getCredentialBindingsControllerCreateDelegationUrl: (id: string) => string;
+export declare const credentialBindingsControllerCreateDelegation: (id: string, createDelegationDto: CreateDelegationDto, options?: RequestInit) => Promise<DelegationGrantDtoDataEnvelope>;
+/**
+ * @summary List live delegations for a binding.
+ */
+export declare const getCredentialBindingsControllerListDelegationsUrl: (id: string) => string;
+export declare const credentialBindingsControllerListDelegations: (id: string, options?: RequestInit) => Promise<DelegationGrantDtoDataArrayEnvelope>;
+/**
+ * @summary Revoke a delegation.
+ */
+export declare const getCredentialBindingsControllerRevokeDelegationUrl: (id: string, delegationId: string) => string;
+export declare const credentialBindingsControllerRevokeDelegation: (id: string, delegationId: string, options?: RequestInit) => Promise<void>;

package/dist/endpoints/credential-bindings/credential-bindings.js

@@ -0,0 +1,189 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.credentialBindingsControllerRevokeDelegation = exports.getCredentialBindingsControllerRevokeDelegationUrl = exports.credentialBindingsControllerListDelegations = exports.getCredentialBindingsControllerListDelegationsUrl = exports.credentialBindingsControllerCreateDelegation = exports.getCredentialBindingsControllerCreateDelegationUrl = exports.credentialBindingsControllerResolve = exports.getCredentialBindingsControllerResolveUrl = exports.credentialBindingsControllerRotate = exports.getCredentialBindingsControllerRotateUrl = exports.credentialBindingsControllerRevoke = exports.getCredentialBindingsControllerRevokeUrl = exports.credentialBindingsControllerUpdate = exports.getCredentialBindingsControllerUpdateUrl = exports.credentialBindingsControllerGetById = exports.getCredentialBindingsControllerGetByIdUrl = exports.credentialBindingsControllerResolveForJob = exports.getCredentialBindingsControllerResolveForJobUrl = exports.credentialBindingsControllerList = exports.getCredentialBindingsControllerListUrl = exports.credentialBindingsControllerCreate = exports.getCredentialBindingsControllerCreateUrl = void 0;
+const custom_fetch_1 = require("../../custom-fetch");
+/**
+ * @summary Create a credential binding (secret → custody).
+ */
+const getCredentialBindingsControllerCreateUrl = () => {
+    return `/credential-bindings`;
+};
+exports.getCredentialBindingsControllerCreateUrl = getCredentialBindingsControllerCreateUrl;
+const credentialBindingsControllerCreate = async (createCredentialBindingDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerCreateUrl)(), {
+        ...options,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(createCredentialBindingDto)
+    });
+};
+exports.credentialBindingsControllerCreate = credentialBindingsControllerCreate;
+/**
+ * @summary List credential bindings for an org (and project).
+ */
+const getCredentialBindingsControllerListUrl = (params) => {
+    const normalizedParams = new URLSearchParams();
+    Object.entries(params || {}).forEach(([key, value]) => {
+        if (value === undefined)
+            return;
+        if (value === null) {
+            normalizedParams.append(key, 'null');
+            return;
+        }
+        if (Array.isArray(value)) {
+            for (const item of value) {
+                if (item === undefined || item === null)
+                    continue;
+                normalizedParams.append(key, item.toString());
+            }
+            return;
+        }
+        normalizedParams.append(key, value.toString());
+    });
+    const stringifiedParams = normalizedParams.toString();
+    return stringifiedParams.length > 0 ? `/credential-bindings?${stringifiedParams}` : `/credential-bindings`;
+};
+exports.getCredentialBindingsControllerListUrl = getCredentialBindingsControllerListUrl;
+const credentialBindingsControllerList = async (params, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerListUrl)(params), {
+        ...options,
+        method: 'GET'
+    });
+};
+exports.credentialBindingsControllerList = credentialBindingsControllerList;
+/**
+ * @summary Runner-plane resolve. Verifies the JobToken and returns a sealed sidecar envelope.
+ */
+const getCredentialBindingsControllerResolveForJobUrl = () => {
+    return `/credential-bindings/resolve-for-job`;
+};
+exports.getCredentialBindingsControllerResolveForJobUrl = getCredentialBindingsControllerResolveForJobUrl;
+const credentialBindingsControllerResolveForJob = async (resolveForJobDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerResolveForJobUrl)(), {
+        ...options,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(resolveForJobDto)
+    });
+};
+exports.credentialBindingsControllerResolveForJob = credentialBindingsControllerResolveForJob;
+/**
+ * @summary Get a credential binding by id.
+ */
+const getCredentialBindingsControllerGetByIdUrl = (id) => {
+    return `/credential-bindings/${id}`;
+};
+exports.getCredentialBindingsControllerGetByIdUrl = getCredentialBindingsControllerGetByIdUrl;
+const credentialBindingsControllerGetById = async (id, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerGetByIdUrl)(id), {
+        ...options,
+        method: 'GET'
+    });
+};
+exports.credentialBindingsControllerGetById = credentialBindingsControllerGetById;
+/**
+ * @summary Update the non-secret facets of a binding.
+ */
+const getCredentialBindingsControllerUpdateUrl = (id) => {
+    return `/credential-bindings/${id}`;
+};
+exports.getCredentialBindingsControllerUpdateUrl = getCredentialBindingsControllerUpdateUrl;
+const credentialBindingsControllerUpdate = async (id, updateCredentialBindingDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerUpdateUrl)(id), {
+        ...options,
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(updateCredentialBindingDto)
+    });
+};
+exports.credentialBindingsControllerUpdate = credentialBindingsControllerUpdate;
+/**
+ * @summary Revoke a binding and delete its custody secret.
+ */
+const getCredentialBindingsControllerRevokeUrl = (id) => {
+    return `/credential-bindings/${id}`;
+};
+exports.getCredentialBindingsControllerRevokeUrl = getCredentialBindingsControllerRevokeUrl;
+const credentialBindingsControllerRevoke = async (id, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerRevokeUrl)(id), {
+        ...options,
+        method: 'DELETE'
+    });
+};
+exports.credentialBindingsControllerRevoke = credentialBindingsControllerRevoke;
+/**
+ * @summary Rotate the secret behind a binding.
+ */
+const getCredentialBindingsControllerRotateUrl = (id) => {
+    return `/credential-bindings/${id}/rotate`;
+};
+exports.getCredentialBindingsControllerRotateUrl = getCredentialBindingsControllerRotateUrl;
+const credentialBindingsControllerRotate = async (id, rotateCredentialBindingDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerRotateUrl)(id), {
+        ...options,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(rotateCredentialBindingDto)
+    });
+};
+exports.credentialBindingsControllerRotate = credentialBindingsControllerRotate;
+/**
+ * @summary Resolve a binding into a sealed envelope for the executing gateway.
+ */
+const getCredentialBindingsControllerResolveUrl = (id) => {
+    return `/credential-bindings/${id}/resolve`;
+};
+exports.getCredentialBindingsControllerResolveUrl = getCredentialBindingsControllerResolveUrl;
+const credentialBindingsControllerResolve = async (id, resolveCredentialDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerResolveUrl)(id), {
+        ...options,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(resolveCredentialDto)
+    });
+};
+exports.credentialBindingsControllerResolve = credentialBindingsControllerResolve;
+/**
+ * @summary Delegate a binding to a grantee subject.
+ */
+const getCredentialBindingsControllerCreateDelegationUrl = (id) => {
+    return `/credential-bindings/${id}/delegations`;
+};
+exports.getCredentialBindingsControllerCreateDelegationUrl = getCredentialBindingsControllerCreateDelegationUrl;
+const credentialBindingsControllerCreateDelegation = async (id, createDelegationDto, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerCreateDelegationUrl)(id), {
+        ...options,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...options?.headers },
+        body: JSON.stringify(createDelegationDto)
+    });
+};
+exports.credentialBindingsControllerCreateDelegation = credentialBindingsControllerCreateDelegation;
+/**
+ * @summary List live delegations for a binding.
+ */
+const getCredentialBindingsControllerListDelegationsUrl = (id) => {
+    return `/credential-bindings/${id}/delegations`;
+};
+exports.getCredentialBindingsControllerListDelegationsUrl = getCredentialBindingsControllerListDelegationsUrl;
+const credentialBindingsControllerListDelegations = async (id, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerListDelegationsUrl)(id), {
+        ...options,
+        method: 'GET'
+    });
+};
+exports.credentialBindingsControllerListDelegations = credentialBindingsControllerListDelegations;
+/**
+ * @summary Revoke a delegation.
+ */
+const getCredentialBindingsControllerRevokeDelegationUrl = (id, delegationId) => {
+    return `/credential-bindings/${id}/delegations/${delegationId}`;
+};
+exports.getCredentialBindingsControllerRevokeDelegationUrl = getCredentialBindingsControllerRevokeDelegationUrl;
+const credentialBindingsControllerRevokeDelegation = async (id, delegationId, options) => {
+    return (0, custom_fetch_1.customFetch)((0, exports.getCredentialBindingsControllerRevokeDelegationUrl)(id, delegationId), {
+        ...options,
+        method: 'DELETE'
+    });
+};
+exports.credentialBindingsControllerRevokeDelegation = credentialBindingsControllerRevokeDelegation;

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { configureClient, getClientConfig, ClientError, customFetch, type ClientConfig } from './custom-fetch';
+export * from './models';
+export * from './endpoints/credential-bindings/credential-bindings';

package/dist/index.js

@@ -0,0 +1,25 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.customFetch = exports.ClientError = exports.getClientConfig = exports.configureClient = void 0;
+// Auto-generated by @xemahq/api-client-generator — do not edit manually.
+var custom_fetch_1 = require("./custom-fetch");
+Object.defineProperty(exports, "configureClient", { enumerable: true, get: function () { return custom_fetch_1.configureClient; } });
+Object.defineProperty(exports, "getClientConfig", { enumerable: true, get: function () { return custom_fetch_1.getClientConfig; } });
+Object.defineProperty(exports, "ClientError", { enumerable: true, get: function () { return custom_fetch_1.ClientError; } });
+Object.defineProperty(exports, "customFetch", { enumerable: true, get: function () { return custom_fetch_1.customFetch; } });
+__exportStar(require("./models"), exports);
+__exportStar(require("./endpoints/credential-bindings/credential-bindings"), exports);

package/dist/models/actorRefDto.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export interface ActorRefDto {
+    /** Subject kind of this delegation link. */
+    kind: string;
+    /** Subject id/ref of this delegation link. */
+    id: string;
+}

package/dist/models/actorRefDto.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/createCredentialBindingDto.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { CreateCredentialBindingDtoOauthConfig } from './createCredentialBindingDtoOauthConfig';
+import type { CredentialAuthType } from './credentialAuthType';
+import type { CredentialScopeTier } from './credentialScopeTier';
+export interface CreateCredentialBindingDto {
+    orgId: string;
+    /** @nullable */
+    projectId?: string | null;
+    /** @nullable */
+    environment?: string | null;
+    /** External provider slug (e.g. github, slack). */
+    provider: string;
+    authType: CredentialAuthType;
+    ownerSubjectKind: string;
+    ownerSubjectRef: string;
+    scopeTier: CredentialScopeTier;
+    /** The secret material. Written to custody and discarded — NEVER persisted in the broker DB. For oauth2 pass a JSON string `{accessToken,refreshToken,expiresAt}`. */
+    secretValue: string;
+    /**
+       * Non-secret OAuth2 metadata (tokenUrl, clientId, scopes). The refresh token lives in custody, not here.
+       * @nullable
+       */
+    oauthConfig?: CreateCredentialBindingDtoOauthConfig;
+    /**
+       * Header name for api_key injection (e.g. X-Api-Key).
+       * @nullable
+       */
+    headerName?: string | null;
+    allowedCapabilities: string[];
+    allowedActions: string[];
+    allowedResources: string[];
+}

package/dist/models/createCredentialBindingDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/createCredentialBindingDtoOauthConfig.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+/**
+ * Non-secret OAuth2 metadata (tokenUrl, clientId, scopes). The refresh token lives in custody, not here.
+ * @nullable
+ */
+export type CreateCredentialBindingDtoOauthConfig = {
+    [key: string]: unknown;
+} | null;

package/dist/models/createCredentialBindingDtoOauthConfig.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/createDelegationDto.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export interface CreateDelegationDto {
+    granteeSubjectKind: string;
+    granteeSubjectRef: string;
+    grantorSubjectKind: string;
+    grantorSubjectRef: string;
+    allowedCapabilities: string[];
+    /**
+       * ISO-8601 expiry.
+       * @nullable
+       */
+    expiresAt?: string | null;
+}

package/dist/models/createDelegationDto.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/credentialAuthType.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export type CredentialAuthType = typeof CredentialAuthType[keyof typeof CredentialAuthType];
+export declare const CredentialAuthType: {
+    readonly none: "none";
+    readonly bearer: "bearer";
+    readonly api_key: "api_key";
+    readonly basic: "basic";
+    readonly oauth2: "oauth2";
+    readonly app_install: "app_install";
+    readonly iam_role: "iam_role";
+};

package/dist/models/credentialAuthType.js

@@ -0,0 +1,19 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CredentialAuthType = void 0;
+exports.CredentialAuthType = {
+    none: 'none',
+    bearer: 'bearer',
+    api_key: 'api_key',
+    basic: 'basic',
+    oauth2: 'oauth2',
+    app_install: 'app_install',
+    iam_role: 'iam_role',
+};

package/dist/models/credentialBindingDto.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { CredentialAuthType } from './credentialAuthType';
+import type { CredentialBindingDtoOauthConfig } from './credentialBindingDtoOauthConfig';
+import type { CredentialScopeTier } from './credentialScopeTier';
+export interface CredentialBindingDto {
+    id: string;
+    orgId: string;
+    /** @nullable */
+    projectId?: string | null;
+    /** @nullable */
+    environment?: string | null;
+    provider: string;
+    authType: CredentialAuthType;
+    ownerSubjectKind: string;
+    ownerSubjectRef: string;
+    scopeTier: CredentialScopeTier;
+    /** Which custody backend holds the secret. */
+    custodyBackend: string;
+    /** @nullable */
+    oauthConfig?: CredentialBindingDtoOauthConfig;
+    /** @nullable */
+    headerName?: string | null;
+    allowedCapabilities: string[];
+    allowedActions: string[];
+    allowedResources: string[];
+    createdAt: string;
+    updatedAt: string;
+    /** @nullable */
+    revokedAt?: string | null;
+}

package/dist/models/credentialBindingDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/credentialBindingDtoDataArrayEnvelope.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { CredentialBindingDto } from './credentialBindingDto';
+export interface CredentialBindingDtoDataArrayEnvelope {
+    data: CredentialBindingDto[];
+}

package/dist/models/credentialBindingDtoDataArrayEnvelope.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/credentialBindingDtoDataEnvelope.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { CredentialBindingDto } from './credentialBindingDto';
+export interface CredentialBindingDtoDataEnvelope {
+    data: CredentialBindingDto;
+}

package/dist/models/credentialBindingDtoDataEnvelope.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/credentialBindingDtoOauthConfig.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+/**
+ * @nullable
+ */
+export type CredentialBindingDtoOauthConfig = {
+    [key: string]: unknown;
+} | null;

package/dist/models/credentialBindingDtoOauthConfig.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/credentialBindingsControllerListParams.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export type CredentialBindingsControllerListParams = {
+    orgId: string;
+    projectId: string;
+};

package/dist/models/credentialBindingsControllerListParams.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/credentialScopeTier.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export type CredentialScopeTier = typeof CredentialScopeTier[keyof typeof CredentialScopeTier];
+export declare const CredentialScopeTier: {
+    readonly org: "org";
+    readonly project: "project";
+    readonly user: "user";
+};

package/dist/models/credentialScopeTier.js

@@ -0,0 +1,15 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CredentialScopeTier = void 0;
+exports.CredentialScopeTier = {
+    org: 'org',
+    project: 'project',
+    user: 'user',
+};

package/dist/models/delegationGrantDto.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export interface DelegationGrantDto {
+    id: string;
+    bindingId: string;
+    granteeSubjectKind: string;
+    granteeSubjectRef: string;
+    grantorSubjectKind: string;
+    grantorSubjectRef: string;
+    allowedCapabilities: string[];
+    createdAt: string;
+    /** @nullable */
+    expiresAt?: string | null;
+    /** @nullable */
+    revokedAt?: string | null;
+}

package/dist/models/delegationGrantDto.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/delegationGrantDtoDataArrayEnvelope.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { DelegationGrantDto } from './delegationGrantDto';
+export interface DelegationGrantDtoDataArrayEnvelope {
+    data: DelegationGrantDto[];
+}

package/dist/models/delegationGrantDtoDataArrayEnvelope.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/delegationGrantDtoDataEnvelope.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { DelegationGrantDto } from './delegationGrantDto';
+export interface DelegationGrantDtoDataEnvelope {
+    data: DelegationGrantDto;
+}

package/dist/models/delegationGrantDtoDataEnvelope.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/index.d.ts

@@ -0,0 +1,21 @@
+export * from './actorRefDto';
+export * from './createCredentialBindingDto';
+export * from './createCredentialBindingDtoOauthConfig';
+export * from './createDelegationDto';
+export * from './credentialAuthType';
+export * from './credentialBindingDto';
+export * from './credentialBindingDtoDataArrayEnvelope';
+export * from './credentialBindingDtoDataEnvelope';
+export * from './credentialBindingDtoOauthConfig';
+export * from './credentialBindingsControllerListParams';
+export * from './credentialScopeTier';
+export * from './delegationGrantDto';
+export * from './delegationGrantDtoDataArrayEnvelope';
+export * from './delegationGrantDtoDataEnvelope';
+export * from './resolveCredentialDto';
+export * from './resolveForJobDto';
+export * from './resolvedEnvelopeDto';
+export * from './resolvedEnvelopeDtoDataEnvelope';
+export * from './rotateCredentialBindingDto';
+export * from './updateCredentialBindingDto';
+export * from './updateCredentialBindingDtoOauthConfig';

package/dist/models/index.js

@@ -0,0 +1,38 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+// Auto-generated by tooling/codegen/regenerate-models-barrel.js — do not edit manually.
+__exportStar(require("./actorRefDto"), exports);
+__exportStar(require("./createCredentialBindingDto"), exports);
+__exportStar(require("./createCredentialBindingDtoOauthConfig"), exports);
+__exportStar(require("./createDelegationDto"), exports);
+__exportStar(require("./credentialAuthType"), exports);
+__exportStar(require("./credentialBindingDto"), exports);
+__exportStar(require("./credentialBindingDtoDataArrayEnvelope"), exports);
+__exportStar(require("./credentialBindingDtoDataEnvelope"), exports);
+__exportStar(require("./credentialBindingDtoOauthConfig"), exports);
+__exportStar(require("./credentialBindingsControllerListParams"), exports);
+__exportStar(require("./credentialScopeTier"), exports);
+__exportStar(require("./delegationGrantDto"), exports);
+__exportStar(require("./delegationGrantDtoDataArrayEnvelope"), exports);
+__exportStar(require("./delegationGrantDtoDataEnvelope"), exports);
+__exportStar(require("./resolveCredentialDto"), exports);
+__exportStar(require("./resolveForJobDto"), exports);
+__exportStar(require("./resolvedEnvelopeDto"), exports);
+__exportStar(require("./resolvedEnvelopeDtoDataEnvelope"), exports);
+__exportStar(require("./rotateCredentialBindingDto"), exports);
+__exportStar(require("./updateCredentialBindingDto"), exports);
+__exportStar(require("./updateCredentialBindingDtoOauthConfig"), exports);

package/dist/models/resolveCredentialDto.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { ActorRefDto } from './actorRefDto';
+export interface ResolveCredentialDto {
+    /** The single party permitted to unseal — the executing gateway/runner id. Becomes the JWE audience. */
+    audience: string;
+    /** Hash of the invocation input. Bound into the envelope; the gateway re-derives + cross-checks it so a captured envelope cannot be replayed against a different request. */
+    inputHash: string;
+    /** Correlation id stitching this resolve into the audit trail. */
+    correlationId: string;
+    subjectKind: string;
+    subjectRef: string;
+    /** RFC 8693 delegation chain, outermost-acting-first. May be empty. */
+    actorChain: ActorRefDto[];
+    /** Canonical capability ref being invoked. */
+    capability: string;
+    /** @nullable */
+    resource?: string | null;
+    /**
+       * Requested TTL (seconds). Clamped to 1..60; default 60.
+       * @nullable
+       */
+    ttlSeconds?: number | null;
+}

package/dist/models/resolveCredentialDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/resolveForJobDto.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export interface ResolveForJobDto {
+    /** The runner JobToken (kernel-server signed JWT). */
+    jobToken: string;
+    /** Opaque binding id the job is permitted to resolve. */
+    credentialBindingId: string;
+    /** The runner instance id — becomes the envelope audience. */
+    runnerId: string;
+    /** Correlation id for the audit trail. */
+    correlationId: string;
+}

package/dist/models/resolveForJobDto.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/resolvedEnvelopeDto.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export interface ResolvedEnvelopeDto {
+    /** The sealed JWE the gateway/runner unseals. */
+    sealedEnvelope: string;
+    /** The audience the envelope was minted for. */
+    audience: string;
+    bindingId: string;
+    /** Envelope expiry (ISO-8601). */
+    expiresAt: string;
+}

package/dist/models/resolvedEnvelopeDto.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/resolvedEnvelopeDtoDataEnvelope.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { ResolvedEnvelopeDto } from './resolvedEnvelopeDto';
+export interface ResolvedEnvelopeDtoDataEnvelope {
+    data: ResolvedEnvelopeDto;
+}

package/dist/models/resolvedEnvelopeDtoDataEnvelope.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/rotateCredentialBindingDto.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+export interface RotateCredentialBindingDto {
+    /** The new secret material. Written to custody (bumping its version) and discarded — never persisted in the broker DB. */
+    secretValue: string;
+}

package/dist/models/rotateCredentialBindingDto.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/updateCredentialBindingDto.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+import type { UpdateCredentialBindingDtoOauthConfig } from './updateCredentialBindingDtoOauthConfig';
+export interface UpdateCredentialBindingDto {
+    /** @nullable */
+    environment?: string | null;
+    /** @nullable */
+    oauthConfig?: UpdateCredentialBindingDtoOauthConfig;
+    /** @nullable */
+    headerName?: string | null;
+    allowedCapabilities?: string[];
+    allowedActions?: string[];
+    allowedResources?: string[];
+}

package/dist/models/updateCredentialBindingDto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/models/updateCredentialBindingDtoOauthConfig.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+/**
+ * @nullable
+ */
+export type UpdateCredentialBindingDtoOauthConfig = {
+    [key: string]: unknown;
+} | null;

package/dist/models/updateCredentialBindingDtoOauthConfig.js

@@ -0,0 +1,9 @@
+"use strict";
+/**
+ * Generated by orval v8.6.2 🍺
+ * Do not edit manually.
+ * Credential Broker API
+ * External-credential custody + sealed injection. The single place external secrets resolve; the LLM never sees them.
+ * OpenAPI spec version: 0.1.0
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@xemahq/credential-broker-internal-api-client",
+  "version": "0.1.0",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "registry": "https://npm.pkg.github.com"
+  },
+  "devDependencies": {
+    "typescript": "5.9.3"
+  },
+  "xema": {
+    "kind": "api-client",
+    "surface": "internal",
+    "service": "credential-broker-api",
+    "biome": "integration-platform",
+    "target": "server",
+    "generator": "@xemahq/api-client-generator@0.1.1",
+    "source": "openapi.internal.json"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json"
+  }
+}