@zysec-ai/cpod-sdk 0.1.0

package/dist/client-BRW4z8Ls.d.ts

@@ -0,0 +1,1073 @@
+interface TokenBundle {
+    accessToken: string;
+    refreshToken?: string;
+}
+interface AuthOptions extends TokenBundle {
+    /**
+     * Fires when a new access token is minted (after a refresh). Use it to
+     * persist the updated bundle back to your store (localStorage, cookie,
+     * server-side cache, …). Sync or async — the SDK does not await it.
+     */
+    onTokenRefreshed?: (bundle: TokenBundle) => void;
+}
+declare class TokenManager {
+    private bundle;
+    private readonly baseUrl;
+    private readonly onRefreshed?;
+    private inflight;
+    constructor(baseUrl: string, opts: AuthOptions);
+    /** Current access token. Synchronous — no expiry check. */
+    getAccessToken(): string;
+    /**
+     * Trade refresh_token for a new access_token. Mutex-protected so a
+     * thundering-herd burst all awaits the same network round-trip. Throws
+     * if no refresh_token is set or the backend rejects the refresh —
+     * caller's responsibility to fall back to a fresh login at that point.
+     */
+    refresh(): Promise<TokenBundle>;
+    /** True iff a refresh attempt is possible (a refresh_token is set). */
+    canRefresh(): boolean;
+    /** Snapshot of the current bundle. */
+    getBundle(): TokenBundle;
+    /**
+     * Replace the bundle externally — e.g. after the host app runs its own
+     * login flow and wants the SDK to pick up the new tokens.
+     */
+    setBundle(b: TokenBundle): void;
+    private doRefresh;
+}
+
+/** Configuration for the CpodClient. */
+interface CpodConfig {
+    /**
+     * cPod access token (JWT). Use this for the simple one-token case —
+     * the SDK uses it for every call and surfaces 401s to your code.
+     *
+     * For long-lived sessions, prefer `auth` instead: it carries a refresh
+     * token and the SDK transparently swaps an expired access token without
+     * your code seeing the 401.
+     *
+     * Exactly one of `apiKey` or `auth` is required.
+     */
+    apiKey?: string;
+    /**
+     * Auth bundle for sessions that should outlive a single access token.
+     * Pass the tokens you obtained from `client.auth.login(…)` (or your own
+     * login flow). When `refreshToken` is provided, the SDK refreshes the
+     * access token transparently on 401 and fires `onTokenRefreshed` so you
+     * can persist the new bundle.
+     *
+     * Exactly one of `apiKey` or `auth` is required.
+     */
+    auth?: AuthOptions;
+    /** Base URL origin for the cPod API. Defaults to https://api.cyberpod.app. Do not include /api/v1. */
+    baseUrl?: string;
+    /** Request timeout in milliseconds. Defaults to 30000. */
+    timeout?: number;
+    /**
+     * App ID for MCP tool registration. Obtain by calling POST /api/v1/apps/register
+     * once (or read from `GET /api/v1/apps/me`). Falls back to the `CPOD_APP_ID`
+     * environment variable when omitted.
+     */
+    appId?: string;
+}
+/**
+ * Standard API response wrapper for single-resource endpoints.
+ */
+interface ApiResponse<T> {
+    data: T;
+    requestId: string;
+}
+/**
+ * Standard API response wrapper for paginated list endpoints.
+ */
+interface PaginatedResponse<T> {
+    data: T[];
+    total: number;
+    page: number;
+    pageSize: number;
+    hasMore: boolean;
+}
+/**
+ * Per-request options that override client-level defaults.
+ */
+interface RequestOptions {
+    /** AbortSignal for request cancellation. */
+    signal?: AbortSignal;
+    /** Override the request timeout in milliseconds. */
+    timeout?: number;
+    /** Additional headers to merge into the request. */
+    headers?: Record<string, string>;
+}
+/** Classification of a Person's relationship to the organization. */
+type PersonType = 'employee' | 'contractor' | 'vendor' | 'partner' | 'service_account';
+/** Lifecycle status of a Person record. */
+type PersonStatus = 'active' | 'on_leave' | 'terminated' | 'suspended';
+/** Physical or remote location for a Person. */
+interface PersonLocation {
+    /** Office site name or identifier. */
+    site?: string;
+    /** City of the location. */
+    city?: string;
+    /** ISO 3166-1 alpha-2 country code. */
+    country?: string;
+    /** True if the person works remotely. */
+    remote: boolean;
+}
+/** External identity provider binding for a Person. */
+interface PersonIdentity {
+    /** Name of the identity provider (e.g., 'okta', 'azure_ad'). */
+    provider: string;
+    /** Subject ID issued by the external identity provider. */
+    externalId: string;
+}
+/**
+ * Represents an individual human or service identity in the organization.
+ * Domain: People
+ * Schema: data-model/schemas/person.schema.json
+ */
+interface Person {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** Optional external system identifier for cross-system correlation. */
+    externalId?: string;
+    /** Primary email address. Used as the canonical identifier for login. */
+    email: string;
+    /** Human-readable display name (e.g., "Jane Doe"). */
+    displayName: string;
+    /** Given name. */
+    firstName: string;
+    /** Family name. */
+    lastName: string;
+    /** HR system employee ID, if applicable. */
+    employeeId?: string;
+    /** Classification of the person's relationship to the organization. */
+    type: PersonType;
+    /** Current lifecycle status. */
+    status: PersonStatus;
+    /** Organizational department (e.g., "Engineering", "Finance"). */
+    department?: string;
+    /** Job title. */
+    title?: string;
+    /** Physical or remote work location. */
+    location?: PersonLocation;
+    /** UUID of the person's direct manager. */
+    managerId?: string;
+    /** Bound external identity provider accounts. */
+    identities: PersonIdentity[];
+    /** ISO 8601 date when the person started at the organization. */
+    startDate?: string;
+    /** ISO 8601 date when the person's employment ended. */
+    endDate?: string;
+    /** IANA timezone identifier (e.g. 'America/New_York'). */
+    timezone?: string;
+    /** Typical working hours for this person in their local timezone. */
+    workingHours?: {
+        start: string;
+        end: string;
+    };
+    /** UUID of the CostCenter to which this person's headcount cost is attributed. */
+    costCenterId?: string;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for creating a new Person record. */
+interface CreatePersonInput {
+    email: string;
+    displayName: string;
+    firstName: string;
+    lastName: string;
+    type: PersonType;
+    department?: string;
+    title?: string;
+    location?: PersonLocation;
+    managerId?: string;
+    employeeId?: string;
+    externalId?: string;
+}
+/** Filter options for listing Person records. */
+interface ListPeopleOptions {
+    type?: PersonType;
+    status?: PersonStatus;
+    department?: string;
+    /** Full-text search across displayName, email, and employeeId. */
+    search?: string;
+    page?: number;
+    pageSize?: number;
+}
+/** Classification of a Group's purpose or source system. */
+type GroupType = 'department' | 'team' | 'ad_group' | 'distribution_list' | 'custom';
+/** A single member record within a Group. */
+interface GroupMember {
+    /** UUID of the Person who is a member. */
+    personId: string;
+    /** Role of this person within the group (e.g., 'member', 'lead'). */
+    role: string;
+    /** ISO 8601 timestamp when this membership was established. */
+    addedAt: string;
+}
+/**
+ * Represents a collection of People, synced from AD/LDAP or managed natively.
+ * Domain: People
+ * Schema: data-model/schemas/group.schema.json
+ */
+interface Group {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** Human-readable name for the group. */
+    name: string;
+    /** Classification of the group's purpose. */
+    type: GroupType;
+    /** Optional description of the group's function. */
+    description?: string;
+    /** UUID of the Person who owns or is accountable for this group. */
+    ownerId: string;
+    /** Current members of the group. */
+    members: GroupMember[];
+    /** UUID of the parent Group, for hierarchical group structures. */
+    parentGroupId?: string;
+    /** The system that is the source of truth for this group (e.g., 'active_directory'). */
+    source: string;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for creating a new Group. */
+interface CreateGroupInput {
+    name: string;
+    type: GroupType;
+    description?: string;
+    ownerId: string;
+    parentGroupId?: string;
+    source?: string;
+}
+/** Classification of a technology asset. */
+type AssetType = 'application' | 'saas' | 'infrastructure' | 'database' | 'network_device' | 'endpoint' | 'cloud_service' | 'api_service' | 'microservice';
+/** Lifecycle status of a TechnologyAsset. */
+type AssetStatus = 'active' | 'deprecated' | 'decommissioned' | 'planned';
+/** Deployment environment for a TechnologyAsset. */
+type AssetEnvironment = 'production' | 'staging' | 'development' | 'dr';
+/** Business criticality rating. */
+type Criticality = 'critical' | 'high' | 'medium' | 'low';
+/** Data sensitivity classification. */
+type DataClassification = 'public' | 'internal' | 'confidential' | 'restricted';
+/** Ownership reference for a TechnologyAsset. */
+interface AssetOwner {
+    /** UUID of the owning Person. */
+    personId: string;
+    /** UUID of the owning Group, if group-owned. */
+    groupId?: string;
+}
+/**
+ * Represents a software application, infrastructure component, or service managed by the organization.
+ * Domain: Technology
+ * Schema: data-model/schemas/technology-asset.schema.json
+ */
+interface TechnologyAsset {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** Canonical system name (e.g., 'salesforce-crm'). */
+    name: string;
+    /** Human-readable display name. */
+    displayName: string;
+    /** Optional description of the asset's purpose. */
+    description?: string;
+    /** Asset type classification. */
+    type: AssetType;
+    /** Functional category (e.g., 'CRM', 'SIEM', 'API Gateway'). */
+    category: string;
+    /** Vendor or manufacturer name. */
+    vendor: string;
+    /** Software version string, if applicable. */
+    version?: string;
+    /** Lifecycle status. */
+    status: AssetStatus;
+    /** Ownership reference. */
+    owner: AssetOwner;
+    /** Deployment environment classification. */
+    environment: AssetEnvironment;
+    /** Hosting model. */
+    hosting: 'cloud' | 'on_premise' | 'hybrid' | 'saas';
+    /** Cloud provider name, if cloud-hosted. */
+    cloudProvider?: string;
+    /** Cloud region, if applicable (e.g., 'us-east-1'). */
+    region?: string;
+    /** Public or internal URL of the asset. */
+    url?: string;
+    /** Flat string tags for filtering and grouping. */
+    tags: string[];
+    /** Business criticality rating. */
+    criticality: Criticality;
+    /** Highest data classification level handled by this asset. */
+    dataClassification: DataClassification;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for creating a new TechnologyAsset. */
+interface CreateTechnologyAssetInput {
+    name: string;
+    displayName: string;
+    description?: string;
+    type: AssetType;
+    category: string;
+    vendor: string;
+    version?: string;
+    owner: AssetOwner;
+    environment: AssetEnvironment;
+    hosting: 'cloud' | 'on_premise' | 'hybrid' | 'saas';
+    cloudProvider?: string;
+    region?: string;
+    url?: string;
+    tags?: string[];
+    criticality: Criticality;
+    dataClassification: DataClassification;
+}
+/** Lifecycle status of an AccessEntitlement. */
+type EntitlementStatus = 'active' | 'expired' | 'revoked' | 'pending_approval';
+/**
+ * Represents a grant of access to a TechnologyAsset for a Person or Group.
+ * Domain: Technology
+ * Schema: data-model/schemas/access-entitlement.schema.json
+ */
+interface AccessEntitlement {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** UUID of the TechnologyAsset this entitlement grants access to. */
+    assetId: string;
+    /** UUID of the Person or Group being granted access. */
+    principalId: string;
+    /** Discriminator for the type of principal. */
+    principalType: 'person' | 'group';
+    /** The specific role or permission level granted (e.g., 'read', 'admin'). */
+    entitlementType: string;
+    /** ISO 8601 timestamp when access was granted. */
+    grantedAt: string;
+    /** UUID of the Person who authorized the grant, if applicable. */
+    grantedById?: string;
+    /** ISO 8601 timestamp when the entitlement expires. Null if it does not expire. */
+    expiresAt?: string;
+    /** The system that is the authoritative source for this entitlement (e.g., 'okta'). */
+    source: string;
+    /** Current status of the entitlement. */
+    status: EntitlementStatus;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for granting a new AccessEntitlement. */
+interface GrantEntitlementInput {
+    assetId: string;
+    principalId: string;
+    principalType: 'person' | 'group';
+    entitlementType: string;
+    expiresAt?: string;
+}
+/** Licensing model type. */
+type LicenseType = 'perpetual' | 'subscription' | 'concurrent' | 'named_user' | 'site' | 'open_source';
+/** Lifecycle status of a SoftwareLicense. */
+type LicenseStatus = 'active' | 'expired' | 'expiring_soon' | 'terminated';
+/** License allocation compliance status. */
+type ComplianceStatus = 'compliant' | 'over_allocated' | 'under_utilized' | 'unknown';
+/** Cost details for a SoftwareLicense. */
+interface LicenseCost {
+    /** Monetary amount. */
+    amount: number;
+    /** ISO 4217 currency code (e.g., 'USD', 'EUR'). */
+    currency: string;
+    /** Billing frequency. */
+    billingCycle: 'monthly' | 'annual' | 'one_time';
+}
+/**
+ * Represents an enterprise software license agreement with seat counts and cost tracking.
+ * Domain: Licenses
+ * Schema: data-model/schemas/software-license.schema.json
+ */
+interface SoftwareLicense {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** UUID of the TechnologyAsset this license is associated with, if applicable. */
+    assetId?: string;
+    /** Software vendor name. */
+    vendor: string;
+    /** Name of the software product. */
+    productName: string;
+    /** Vendor's SKU or part number for the product. */
+    productSku: string;
+    /** Licensing model. */
+    licenseType: LicenseType;
+    /** Total number of licensed seats. Null for site or open-source licenses. */
+    totalSeats?: number;
+    /** Number of seats currently assigned. Read-only; computed from LicenseAssignment records. */
+    usedSeats: number;
+    /** Available seats remaining. Read-only; computed as totalSeats - usedSeats. */
+    availableSeats: number;
+    /** Cost breakdown. */
+    cost: LicenseCost;
+    /** ISO 8601 date when the license was purchased. */
+    purchaseDate: string;
+    /** ISO 8601 date when the license expires. Null for perpetual licenses. */
+    expiryDate?: string;
+    /** ISO 8601 date of the next renewal. */
+    renewalDate?: string;
+    /** Whether the license is set to auto-renew. */
+    autoRenew: boolean;
+    /** ID of the supplier or reseller. */
+    supplierId?: string;
+    /** Contract or purchase order reference number. */
+    contractReference?: string;
+    /** Vendor list price per seat or billing cycle before any discount. */
+    listPrice?: number;
+    /** Percentage discount negotiated off the vendor list price (0–100). */
+    negotiatedDiscount?: number;
+    /** UUID of the CostCenter that funds this license. */
+    costCenterId?: string;
+    /** UUID of the Contract that governs this license agreement. */
+    contractId?: string;
+    /** Lifecycle status. */
+    status: LicenseStatus;
+    /** Allocation compliance status. */
+    complianceStatus: ComplianceStatus;
+    /** Flat string tags for filtering. */
+    tags: string[];
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for creating a new SoftwareLicense. */
+interface CreateLicenseInput {
+    assetId?: string;
+    vendor: string;
+    productName: string;
+    productSku: string;
+    licenseType: LicenseType;
+    totalSeats?: number;
+    cost: LicenseCost;
+    purchaseDate: string;
+    expiryDate?: string;
+    renewalDate?: string;
+    autoRenew?: boolean;
+    supplierId?: string;
+    contractReference?: string;
+    tags?: string[];
+}
+/**
+ * Represents the assignment of a SoftwareLicense seat to a Person or Group.
+ * Domain: Licenses
+ * Schema: data-model/schemas/license-assignment.schema.json
+ */
+interface LicenseAssignment {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** UUID of the SoftwareLicense being assigned. */
+    licenseId: string;
+    /** UUID of the Person or Group receiving the license seat. */
+    assigneeId: string;
+    /** Discriminator for the type of assignee. */
+    assigneeType: 'person' | 'group';
+    /** UUID of the specific TechnologyAsset instance, if applicable. */
+    assetId?: string;
+    /** ISO 8601 timestamp when the assignment was made. */
+    assignedAt: string;
+    /** UUID of the Person who made the assignment. */
+    assignedById: string;
+    /** ISO 8601 timestamp when the assignment expires. Null if it does not expire. */
+    expiresAt?: string;
+    /** ISO 8601 timestamp when the assigned seat was last actively used. Null if usage has never been recorded. */
+    lastUsedAt?: string;
+    /** Current status of the assignment. */
+    status: 'active' | 'revoked' | 'expired';
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Classification of a physical hardware asset. */
+type PhysicalAssetType = 'laptop' | 'desktop' | 'server' | 'mobile' | 'tablet' | 'network_device' | 'printer' | 'other';
+/** Lifecycle status of a PhysicalAsset. */
+type PhysicalAssetStatus = 'in_use' | 'available' | 'in_repair' | 'retired' | 'lost_stolen';
+/**
+ * Represents a physical hardware device tracked by the organization.
+ * Domain: Assets
+ * Schema: data-model/schemas/physical-asset.schema.json
+ */
+interface PhysicalAsset {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** Organization's internal asset tag (barcode or RFID label). */
+    assetTag: string;
+    /** Human-readable name or label for the asset. */
+    name: string;
+    /** Hardware serial number. */
+    serialNumber?: string;
+    /** Hardware model name (e.g., 'MacBook Pro 14-inch, 2023'). */
+    model: string;
+    /** Hardware manufacturer (e.g., 'Apple', 'Dell', 'Cisco'). */
+    manufacturer: string;
+    /** Hardware type classification. */
+    type: PhysicalAssetType;
+    /** Lifecycle status. */
+    status: PhysicalAssetStatus;
+    /** Current assignment of the asset. */
+    assignedTo?: {
+        /** UUID of the Person currently using this asset. */
+        personId?: string;
+        /** Physical location description (e.g., 'HQ Floor 3, Desk 12'). */
+        location?: string;
+    };
+    /** ISO 8601 date when the asset was purchased. */
+    purchaseDate?: string;
+    /** Original purchase cost. */
+    purchaseCost?: {
+        amount: number;
+        /** ISO 4217 currency code. */
+        currency: string;
+    };
+    /** ISO 8601 date when the hardware warranty expires. */
+    warrantyExpiry?: string;
+    /** Operating system details. */
+    os?: {
+        name: string;
+        version: string;
+    };
+    /** Name of the MDM or device management system managing this asset. */
+    managedBy?: string;
+    /** ISO 8601 timestamp when the asset last checked in with its management system. */
+    lastSeenAt?: string;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for creating a new PhysicalAsset record. */
+interface CreatePhysicalAssetInput {
+    assetTag: string;
+    name: string;
+    serialNumber?: string;
+    model: string;
+    manufacturer: string;
+    type: PhysicalAssetType;
+    status?: PhysicalAssetStatus;
+    assignedTo?: {
+        personId?: string;
+        location?: string;
+    };
+    purchaseDate?: string;
+    purchaseCost?: {
+        amount: number;
+        currency: string;
+    };
+    warrantyExpiry?: string;
+    os?: {
+        name: string;
+        version: string;
+    };
+    managedBy?: string;
+}
+/** Cloud infrastructure provider. */
+type CloudProvider = 'aws' | 'azure' | 'gcp' | 'other';
+/**
+ * Represents a discovered or managed cloud infrastructure resource.
+ * Domain: Assets
+ * Schema: data-model/schemas/cloud-resource.schema.json
+ */
+interface CloudResource {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** Native provider resource ID (e.g., AWS Resource ID, Azure Resource ID). */
+    externalId: string;
+    /** Cloud provider where this resource lives. */
+    provider: CloudProvider;
+    /** Cloud account or subscription ID. */
+    accountId: string;
+    /** Cloud region identifier (e.g., 'us-east-1', 'eastus'). */
+    region: string;
+    /** Provider-specific resource type (e.g., 'AWS::EC2::Instance', 'Microsoft.Compute/virtualMachines'). */
+    resourceType: string;
+    /** Human-readable resource name. */
+    resourceName: string;
+    /** AWS ARN, if applicable. */
+    arn?: string;
+    /** Current operational status reported by the cloud provider. */
+    status: 'running' | 'stopped' | 'terminated' | 'unknown';
+    /** UUID of the linked TechnologyAsset, if this resource is mapped to a known asset. */
+    assetId?: string;
+    /** Native cloud resource tags as key-value pairs. */
+    tags: Record<string, string>;
+    /** Cost estimate for this resource. */
+    cost?: {
+        monthlyCost: number;
+        currency: string;
+        /** ISO 8601 timestamp when the cost estimate was last updated. */
+        lastUpdated: string;
+    };
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** CVSS-aligned severity rating for a Vulnerability. */
+type VulnerabilitySeverity = 'critical' | 'high' | 'medium' | 'low' | 'informational';
+/** Remediation lifecycle status of a Vulnerability. */
+type VulnerabilityStatus = 'open' | 'in_remediation' | 'remediated' | 'accepted_risk' | 'false_positive';
+/**
+ * Represents a security vulnerability affecting a managed asset.
+ * Domain: Risk & Compliance
+ * Schema: data-model/schemas/vulnerability.schema.json
+ */
+interface Vulnerability {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** CVE identifier, if applicable (e.g., 'CVE-2024-12345'). */
+    cveId?: string;
+    /** Short, descriptive title for the vulnerability. */
+    title: string;
+    /** Detailed description of the vulnerability, its impact, and affected components. */
+    description: string;
+    /** CVSS-aligned severity rating. */
+    severity: VulnerabilitySeverity;
+    /** CVSS base score (0.0–10.0). */
+    cvssScore?: number;
+    /** CVSS vector string. */
+    cvssVector?: string;
+    /** UUID of the affected asset. */
+    affectedAssetId: string;
+    /** Domain type of the affected asset. */
+    affectedAssetType: 'technology' | 'physical' | 'cloud';
+    /** Current remediation status. */
+    status: VulnerabilityStatus;
+    /** ISO 8601 timestamp when the vulnerability was first discovered. */
+    discoveredAt: string;
+    /** ISO 8601 timestamp when remediation was confirmed. */
+    remediatedAt?: string;
+    /** ISO 8601 deadline for remediation, based on SLA policy. */
+    dueDate?: string;
+    /** UUID of the Person assigned to remediate this vulnerability. */
+    assignedTo?: string;
+    /** Scanner or source system that discovered the vulnerability (e.g., 'qualys', 'snyk'). */
+    source: string;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Recognized compliance framework identifiers. */
+type ComplianceFramework = 'soc2' | 'iso27001' | 'nist_csf' | 'pci_dss' | 'hipaa' | 'gdpr' | 'cis' | 'custom';
+/** Implementation status of a ComplianceControl. */
+type ControlStatus = 'implemented' | 'partial' | 'not_implemented' | 'not_applicable';
+/** A piece of evidence collected to demonstrate control implementation. */
+interface ControlEvidence {
+    /** Evidence type (e.g., 'screenshot', 'policy_document', 'log_export'). */
+    type: string;
+    /** Description of the evidence and what it demonstrates. */
+    description: string;
+    /** URL to the evidence artifact, if available. */
+    url?: string;
+    /** ISO 8601 timestamp when the evidence was collected. */
+    collectedAt: string;
+}
+/**
+ * Represents a specific control requirement from a compliance framework.
+ * Domain: Risk & Compliance
+ * Schema: data-model/schemas/compliance-control.schema.json
+ */
+interface ComplianceControl {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** The compliance framework this control belongs to. */
+    framework: ComplianceFramework;
+    /** Framework-specific control identifier (e.g., 'CC6.1', 'A.9.2.1'). */
+    controlId: string;
+    /** Short title of the control requirement. */
+    title: string;
+    /** Full description of the control requirement. */
+    description: string;
+    /** Control category within the framework (e.g., 'Access Control', 'Cryptography'). */
+    category: string;
+    /** UUID of the Person responsible for this control. */
+    owner: string;
+    /** Current implementation status. */
+    status: ControlStatus;
+    /** Evidence collected to demonstrate implementation. */
+    evidence: ControlEvidence[];
+    /** ISO 8601 timestamp of the most recent assessment. */
+    lastAssessedAt?: string;
+    /** ISO 8601 timestamp of the next scheduled review. */
+    nextReviewAt?: string;
+    /** UUIDs of TechnologyAssets or other assets this control applies to. */
+    linkedAssetIds: string[];
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Risk domain category. */
+type RiskCategory = 'security' | 'operational' | 'compliance' | 'vendor' | 'data' | 'financial';
+/** Likelihood rating for a RiskItem. */
+type RiskLikelihood = 'rare' | 'unlikely' | 'possible' | 'likely' | 'almost_certain';
+/** Business impact rating for a RiskItem. */
+type RiskImpact = 'negligible' | 'minor' | 'moderate' | 'major' | 'catastrophic';
+/**
+ * Represents an identified enterprise risk tracked through the risk management lifecycle.
+ * Domain: Risk & Compliance
+ * Schema: data-model/schemas/risk-item.schema.json
+ */
+interface RiskItem {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** Short descriptive title for the risk. */
+    title: string;
+    /** Detailed description of the risk scenario and its potential impact. */
+    description: string;
+    /** Risk domain category. */
+    category: RiskCategory;
+    /** Estimated likelihood of the risk occurring. */
+    likelihood: RiskLikelihood;
+    /** Estimated business impact if the risk materializes. */
+    impact: RiskImpact;
+    /** Computed risk score (likelihood × impact matrix). Read-only. */
+    riskScore: number;
+    /** Current treatment status. */
+    status: 'open' | 'mitigating' | 'accepted' | 'closed';
+    /** UUID of the Person accountable for this risk. */
+    owner: string;
+    /** UUIDs of linked Vulnerability records that contribute to this risk. */
+    linkedVulnerabilityIds: string[];
+    /** UUIDs of ComplianceControl records relevant to this risk. */
+    linkedControlIds: string[];
+    /** Description of the planned or active mitigation strategy. */
+    mitigationPlan?: string;
+    /** ISO 8601 target date for risk closure or mitigation. */
+    dueDate?: string;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for creating a new RiskItem. */
+interface CreateRiskInput {
+    title: string;
+    description: string;
+    category: RiskCategory;
+    likelihood: RiskLikelihood;
+    impact: RiskImpact;
+    owner: string;
+    linkedVulnerabilityIds?: string[];
+    linkedControlIds?: string[];
+    mitigationPlan?: string;
+    dueDate?: string;
+}
+/**
+ * Represents a directed relationship between any two entities in the EDM graph.
+ * Relationships power the graph traversal capabilities of the cPod platform.
+ * Domain: Common
+ * Schema: data-model/schemas/relationship.schema.json
+ */
+interface Relationship {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** UUID of the source entity. */
+    sourceId: string;
+    /** EDM entity type of the source (e.g., 'Person', 'TechnologyAsset'). */
+    sourceType: string;
+    /** UUID of the target entity. */
+    targetId: string;
+    /** EDM entity type of the target. */
+    targetType: string;
+    /** Semantic type of the relationship (e.g., 'manages', 'owns', 'depends_on'). */
+    relationshipType: string;
+    /** Arbitrary additional attributes describing the relationship. */
+    properties?: Record<string, unknown>;
+    /** Confidence score for the relationship (0.0–1.0). Higher = more certain. */
+    confidence: number;
+    /** Source system that asserted this relationship (e.g., 'active_directory', 'inferred'). */
+    source: string;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for creating a new Relationship. */
+interface CreateRelationshipInput {
+    sourceId: string;
+    sourceType: string;
+    targetId: string;
+    targetType: string;
+    relationshipType: string;
+    properties?: Record<string, unknown>;
+    confidence?: number;
+    source?: string;
+}
+/**
+ * Well-known edge types for the cross-domain relationship spine.
+ * These cover the most common directed edges between EDM entities;
+ * `relationshipType` on {@link Relationship} remains an open string
+ * so callers can use custom values beyond this set.
+ */
+type RelationshipEdgeType = 'owns' | 'manages' | 'reports_to' | 'member_of' | 'related_to' | 'depends_on' | 'responsible_for' | 'approved_by' | 'part_of';
+/**
+ * Alias for {@link RelationshipEdgeType} — the common cross-domain edge
+ * types used by the relationship spine.
+ */
+type RelationshipType = RelationshipEdgeType;
+/**
+ * How a relationship was established.
+ * - `manual`   — explicitly created by a user or integration
+ * - `inferred` — derived by the platform (graph inference, ML, heuristics)
+ * - `imported` — bulk-loaded from an external system (HRIS, CMDB, IdP…)
+ */
+type RelationshipProvenance = 'manual' | 'inferred' | 'imported';
+/**
+ * Richer cross-domain relationship record. Extends the base {@link Relationship}
+ * with provenance, validity window, and actor attribution used by the
+ * cross-domain spine. The base type remains backward-compatible — the extra
+ * fields are all optional and only populated when the backend supports them.
+ */
+interface ExtendedRelationship extends Relationship {
+    /** UUID of the source entity (alias for `sourceId`, useful for spine queries). */
+    sourceEntityId?: string;
+    /** EDM entity type of the source (alias for `sourceType`). */
+    sourceEntityType?: string;
+    /** EDM domain of the source entity (e.g., 'people', 'technology', 'assets'). */
+    sourceEntityDomain?: string;
+    /** UUID of the target entity (alias for `targetId`). */
+    targetEntityId?: string;
+    /** EDM entity type of the target (alias for `targetType`). */
+    targetEntityType?: string;
+    /** EDM domain of the target entity. */
+    targetEntityDomain?: string;
+    /** How the relationship was established. */
+    provenance?: RelationshipProvenance;
+    /** ISO 8601 timestamp from which this relationship is considered valid. */
+    validFrom?: string;
+    /** ISO 8601 timestamp until which this relationship is considered valid. */
+    validTo?: string;
+    /** UUID of the user or system actor that created or last confirmed the edge. */
+    actorId?: string;
+    /** Human-readable explanation of why this relationship exists. */
+    explanation?: string;
+}
+/**
+ * Well-known cross-domain relationship bridges in the EDM.
+ *
+ * These formalize the 5 most common cross-domain traversals that apps need,
+ * replacing per-app query-time derivation with first-class SDK methods.
+ *
+ * @example
+ * ```ts
+ * // Traverse from a customer account to related finance records
+ * const edges = await client.relationshipsEdges.traverseBridge(
+ *   'customer_finance',
+ *   { sourceEntityId: 'acc_01HX...' }
+ * );
+ * ```
+ */
+type RelationshipBridge = 
+/** Customer accounts ↔ finance invoices/payments */
+'customer_finance'
+/** Procurement suppliers ↔ contracts ↔ GRC controls ↔ finance */
+ | 'procurement_contracts_grc_finance'
+/** Projects ↔ customer accounts (project-to-customer attribution) */
+ | 'projects_customer'
+/** Employee ↔ performance reviews ↔ learning records */
+ | 'employee_performance_learning'
+/** Generic first-class relationship (any domain ↔ any domain) */
+ | 'generic';
+/**
+ * Bridge definition — maps a bridge name to its source and target domains.
+ * Used by traverseBridge() to construct the right query.
+ */
+interface BridgeDefinition {
+    bridge: RelationshipBridge;
+    sourceDomains: string[];
+    targetDomains: string[];
+    /** Typical edge types for this bridge. */
+    edgeTypes: string[];
+}
+/**
+ * Options for traversing a relationship bridge.
+ */
+interface BridgeTraversalOptions {
+    /** Filter by source entity ID. */
+    sourceEntityId?: string;
+    /** Filter by target entity ID. */
+    targetEntityId?: string;
+    /** Filter by specific edge type within the bridge. */
+    edgeType?: string;
+    /** Page number (1-based). */
+    page?: number;
+    /** Page size. */
+    pageSize?: number;
+}
+/** Type identifier for an integrated external data source. */
+type DataSourceType = 'active_directory' | 'okta' | 'aws' | 'azure' | 'gcp' | 'servicenow' | 'jira' | 'github' | 'jamf' | 'intune' | 'qualys' | 'tenable' | 'snyk' | 'crowdstrike' | 'custom';
+/** Operational status of a DataSource integration. */
+type DataSourceStatus = 'active' | 'error' | 'paused' | 'disconnected';
+/**
+ * Represents an integrated external system that feeds data into the cPod EDM.
+ * Domain: Common
+ * Schema: data-model/schemas/data-source.schema.json
+ */
+interface DataSource {
+    /** Globally unique identifier. Read-only. */
+    id: string;
+    /** Human-readable name for this integration (e.g., 'Production Okta', 'AWS Prod Account'). */
+    name: string;
+    /** The type of system being integrated. */
+    type: DataSourceType;
+    /** Current operational status of the integration. */
+    status: DataSourceStatus;
+    /** ISO 8601 timestamp of the last successful sync. */
+    lastSyncAt?: string;
+    /** ISO 8601 timestamp of the next scheduled sync. */
+    nextSyncAt?: string;
+    /** Count of synced entities per entity type. Read-only. */
+    syncedEntities: Record<string, number>;
+    /** Integration configuration (credentials, endpoints, etc.). Values are redacted in responses. */
+    config: Record<string, unknown>;
+    /** ISO 8601 creation timestamp. Read-only. */
+    createdAt: string;
+    /** ISO 8601 last-updated timestamp. Read-only. */
+    updatedAt: string;
+}
+/** Input payload for creating a new DataSource integration. */
+interface CreateDataSourceInput {
+    name: string;
+    type: DataSourceType;
+    config: Record<string, unknown>;
+}
+/** Common pagination parameters shared by list endpoints. */
+interface PaginationOptions {
+    /** Maximum number of results to return. */
+    limit?: number;
+    /** Number of results to skip (for cursor-based pagination). */
+    offset?: number;
+}
+/** Lifecycle status of a Pod. */
+type PodStatus = 'provisioning' | 'running' | 'stopping' | 'stopped' | 'failed' | 'terminating' | 'terminated';
+/** Desired-state workload specification for a Pod. */
+interface PodSpec {
+    image: string;
+    cpu?: string;
+    memory?: string;
+    replicas?: number;
+    env?: Record<string, string>;
+    command?: string[];
+    args?: string[];
+}
+/** Named network port exposed by a Pod container. */
+interface PodPort {
+    name: string;
+    port: number;
+    protocol?: string;
+}
+/** Network configuration for a Pod. */
+interface PodNetwork {
+    ports?: PodPort[];
+    clusterIp?: string;
+    externalIp?: string;
+}
+/** Health state of a Pod. */
+interface PodHealth {
+    ready: boolean;
+    liveness?: boolean;
+}
+/** Represents a cPod workload unit. */
+interface Pod {
+    id: string;
+    workspaceId: string;
+    name: string;
+    displayName?: string;
+    spec: PodSpec;
+    status: PodStatus;
+    network?: PodNetwork;
+    health?: PodHealth;
+    labels: Record<string, string>;
+    annotations: Record<string, string>;
+    createdAt: string;
+    updatedAt: string;
+}
+/** Kind of credential. */
+type CredentialType = 'api_key' | 'service_account' | 'webhook_token' | 'virtual_llm';
+/** Lifecycle status of a Credential. */
+type CredentialStatus = 'active' | 'revoked' | 'expired';
+/** Represents an API key or service account credential. */
+interface Credential {
+    id: string;
+    organizationId: string;
+    workspaceId?: string;
+    name: string;
+    description?: string;
+    type: CredentialType;
+    status: CredentialStatus;
+    scopes: string[];
+    keyPrefix?: string;
+    expiresAt?: string;
+    lastUsedAt?: string;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * Returned only on creation. The `secret` field is the one-time plaintext value —
+ * store it immediately; it will not be returned again.
+ */
+interface CredentialCreateResponse extends Omit<Credential, 'keyPrefix' | 'lastUsedAt'> {
+    secret: string;
+}
+/** Role of a user within an Organization. */
+type UserRole = 'owner' | 'admin' | 'member' | 'viewer';
+/** Lifecycle status of a user account. */
+type UserStatus = 'active' | 'suspended' | 'invited' | 'deactivated';
+/** User-configurable display and notification settings. */
+interface UserPreferences {
+    theme?: string;
+    timezone?: string;
+    locale?: string;
+    notificationsEnabled?: boolean;
+}
+/** Represents a cPod user's profile. */
+interface UserProfile {
+    id: string;
+    email: string;
+    displayName: string;
+    avatarUrl?: string;
+    role: UserRole;
+    status: UserStatus;
+    preferences?: UserPreferences;
+    createdAt: string;
+    updatedAt: string;
+}
+
+/**
+ * Internal HTTP client that wraps the Fetch API with authentication,
+ * timeout, and retry logic.
+ *
+ * Auth comes through a TokenManager — that's how refresh works
+ * transparently. On 401, the client asks the manager to refresh once,
+ * then retries the request with the new access token.
+ */
+declare class HttpClient {
+    private readonly baseUrl;
+    private readonly tokenManager;
+    private readonly timeoutMs;
+    constructor(config: CpodConfig);
+    /** Public accessor — apps can read or replace the bundle. */
+    get tokens(): TokenManager;
+    get<T>(path: string, opts?: RequestOptions): Promise<T>;
+    post<T>(path: string, body?: unknown, opts?: RequestOptions): Promise<T>;
+    put<T>(path: string, body?: unknown, opts?: RequestOptions): Promise<T>;
+    patch<T>(path: string, body?: unknown, opts?: RequestOptions): Promise<T>;
+    delete<T>(path: string, opts?: RequestOptions): Promise<T>;
+    private request;
+    /** Don't try to refresh the refresh endpoint itself (would loop). */
+    private isRefreshPath;
+    private backoffMs;
+}
+
+export { type PhysicalAsset as $, type AccessEntitlement as A, type BridgeDefinition as B, type CloudProvider as C, type Criticality as D, type DataClassification as E, type DataSource as F, type DataSourceStatus as G, type DataSourceType as H, type EntitlementStatus as I, type ExtendedRelationship as J, type GrantEntitlementInput as K, type Group as L, type GroupMember as M, type GroupType as N, HttpClient as O, type LicenseAssignment as P, type LicenseCost as Q, type LicenseStatus as R, type LicenseType as S, type ListPeopleOptions as T, type PaginatedResponse as U, type PaginationOptions as V, type Person as W, type PersonIdentity as X, type PersonLocation as Y, type PersonStatus as Z, type PersonType as _, type ApiResponse as a, type PhysicalAssetStatus as a0, type PhysicalAssetType as a1, type Pod as a2, type PodHealth as a3, type PodNetwork as a4, type PodSpec as a5, type PodStatus as a6, type Relationship as a7, type RelationshipBridge as a8, type RelationshipEdgeType as a9, type RelationshipProvenance as aa, type RelationshipType as ab, type RequestOptions as ac, type RiskCategory as ad, type RiskImpact as ae, type RiskItem as af, type RiskLikelihood as ag, type SoftwareLicense as ah, type TechnologyAsset as ai, type TokenBundle as aj, TokenManager as ak, type UserPreferences as al, type UserProfile as am, type UserRole as an, type UserStatus as ao, type Vulnerability as ap, type VulnerabilitySeverity as aq, type VulnerabilityStatus as ar, type AssetEnvironment as b, type AssetOwner as c, type AssetStatus as d, type AssetType as e, type AuthOptions as f, type BridgeTraversalOptions as g, type CloudResource as h, type ComplianceControl as i, type ComplianceFramework as j, type ComplianceStatus as k, type ControlEvidence as l, type ControlStatus as m, type CpodConfig as n, type CreateDataSourceInput as o, type CreateGroupInput as p, type CreateLicenseInput as q, type CreatePersonInput as r, type CreatePhysicalAssetInput as s, type CreateRelationshipInput as t, type CreateRiskInput as u, type CreateTechnologyAssetInput as v, type Credential as w, type CredentialCreateResponse as x, type CredentialStatus as y, type CredentialType as z };