npm - cleargate - Versions diffs - 0.1.0-alpha.1 - Mend

cleargate 0.1.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/README.md +3 -0
package/dist/admin-api/index.cjs +359 -0
package/dist/admin-api/index.cjs.map +1 -0
package/dist/admin-api/index.d.cts +135 -0
package/dist/admin-api/index.d.ts +135 -0
package/dist/admin-api/index.js +313 -0
package/dist/admin-api/index.js.map +1 -0
package/dist/auth/factory.cjs +198 -0
package/dist/auth/factory.cjs.map +1 -0
package/dist/auth/factory.d.cts +10 -0
package/dist/auth/factory.d.ts +10 -0
package/dist/auth/factory.js +8 -0
package/dist/auth/factory.js.map +1 -0
package/dist/auth/require-token.cjs +40 -0
package/dist/auth/require-token.cjs.map +1 -0
package/dist/auth/require-token.d.cts +11 -0
package/dist/auth/require-token.d.ts +11 -0
package/dist/auth/require-token.js +16 -0
package/dist/auth/require-token.js.map +1 -0
package/dist/auth/token-store.cjs +20 -0
package/dist/auth/token-store.cjs.map +1 -0
package/dist/auth/token-store.d.cts +26 -0
package/dist/auth/token-store.d.ts +26 -0
package/dist/auth/token-store.js +2 -0
package/dist/auth/token-store.js.map +1 -0
package/dist/chunk-4V4QABOJ.js +165 -0
package/dist/chunk-4V4QABOJ.js.map +1 -0
package/dist/cli.cjs +459 -0
package/dist/cli.cjs.map +1 -0
package/dist/cli.d.cts +2 -0
package/dist/cli.d.ts +2 -0
package/dist/cli.js +280 -0
package/dist/cli.js.map +1 -0
package/package.json +50 -0

package/README.md ADDED Viewed

@@ -0,0 +1,3 @@
+# @cleargate/cli
+Scoped CLI package for the ClearGate platform; connects AI agent teams to the ClearGate MCP server via the `cleargate` binary. Full documentation ships in the sprint DoD.

package/dist/admin-api/index.cjs ADDED Viewed

@@ -0,0 +1,359 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/admin-api/index.ts
+var admin_api_exports = {};
+__export(admin_api_exports, {
+  AdminApiError: () => AdminApiError,
+  AdminAuthFileSchema: () => AdminAuthFileSchema,
+  ErrorBodySchema: () => ErrorBodySchema,
+  InviteCreatedSchema: () => InviteCreatedSchema,
+  MemberSchema: () => MemberSchema,
+  ProjectSchema: () => ProjectSchema,
+  TokenIssuedSchema: () => TokenIssuedSchema,
+  TokenMetaSchema: () => TokenMetaSchema,
+  createAdminApiClient: () => createAdminApiClient,
+  loadAdminAuth: () => loadAdminAuth,
+  redactSensitive: () => redactSensitive
+});
+module.exports = __toCommonJS(admin_api_exports);
+// src/admin-api/errors.ts
+var AdminApiError = class extends Error {
+  constructor(kind, status, details, message) {
+    super(message);
+    this.kind = kind;
+    this.status = status;
+    this.details = details;
+    this.name = "AdminApiError";
+  }
+  kind;
+  status;
+  details;
+};
+// src/admin-api/responses.ts
+var import_zod = require("zod");
+var ProjectSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  name: import_zod.z.string(),
+  created_by: import_zod.z.string(),
+  created_at: import_zod.z.string(),
+  deleted_at: import_zod.z.string().nullable()
+}).strict();
+var MemberSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  project_id: import_zod.z.string(),
+  email: import_zod.z.string(),
+  role: import_zod.z.string(),
+  display_name: import_zod.z.string().nullable().optional(),
+  created_at: import_zod.z.string(),
+  status: import_zod.z.enum(["pending", "active"])
+}).strict();
+var InviteCreatedSchema = import_zod.z.object({
+  member: MemberSchema,
+  invite_url: import_zod.z.string(),
+  invite_token: import_zod.z.string(),
+  invite_expires_in: import_zod.z.number().int()
+}).strict();
+var TokenMetaSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  member_id: import_zod.z.string(),
+  name: import_zod.z.string(),
+  created_at: import_zod.z.string(),
+  expires_at: import_zod.z.string().nullable().optional(),
+  last_used_at: import_zod.z.string().nullable().optional(),
+  revoked_at: import_zod.z.string().nullable().optional()
+}).strict();
+var TokenIssuedSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  member_id: import_zod.z.string(),
+  name: import_zod.z.string(),
+  created_at: import_zod.z.string(),
+  expires_at: import_zod.z.string().nullable().optional(),
+  last_used_at: import_zod.z.string().nullable().optional(),
+  revoked_at: import_zod.z.string().nullable().optional(),
+  token: import_zod.z.string()
+}).strict();
+var ErrorBodySchema = import_zod.z.object({
+  error: import_zod.z.string(),
+  details: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional()
+}).strict();
+// src/admin-api/redact.ts
+var SENSITIVE_KEYS = /* @__PURE__ */ new Set(["token", "refresh_token", "invite_token"]);
+function redactSensitive(obj) {
+  if (Array.isArray(obj)) {
+    return obj.map((item) => redactSensitive(item));
+  }
+  if (obj !== null && typeof obj === "object") {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      if (SENSITIVE_KEYS.has(key)) {
+        result[key] = "<redacted>";
+      } else {
+        result[key] = redactSensitive(value);
+      }
+    }
+    return result;
+  }
+  return obj;
+}
+// src/admin-api/client.ts
+function defaultWarn(msg) {
+  process.stderr.write(msg + "\n");
+}
+var AdminApiClientImpl = class {
+  baseUrl;
+  token;
+  fetchFn;
+  warn;
+  userAgent;
+  constructor(opts) {
+    this.baseUrl = opts.baseUrl.replace(/\/$/, "");
+    this.token = opts.token;
+    this.fetchFn = opts.fetch ?? globalThis.fetch;
+    this.warn = opts.warn ?? defaultWarn;
+    this.userAgent = opts.userAgent ?? `cleargate`;
+  }
+  debugLog(method, path2, status, body) {
+    if (process.env["CLEARGATE_LOG_LEVEL"] === "debug") {
+      const redacted = redactSensitive(body);
+      this.warn(`[admin-api] ${method} ${path2} \u2192 ${status} ${JSON.stringify(redacted)}`);
+    }
+  }
+  async request(method, urlPath, body) {
+    const url = `${this.baseUrl}/admin-api/v1${urlPath}`;
+    const headers = {
+      Authorization: `Bearer ${this.token}`,
+      "User-Agent": this.userAgent,
+      Accept: "application/json"
+    };
+    if (body !== void 0) {
+      headers["Content-Type"] = "application/json";
+    }
+    let response;
+    try {
+      response = await this.fetchFn(url, {
+        method,
+        headers,
+        body: body !== void 0 ? JSON.stringify(body) : void 0
+      });
+    } catch (err) {
+      throw new AdminApiError(
+        "network",
+        null,
+        err,
+        `cannot reach ${this.baseUrl} (${err instanceof Error ? err.message : String(err)})`
+      );
+    }
+    let responseBody = null;
+    const contentType = response.headers.get("content-type") ?? "";
+    if (contentType.includes("application/json")) {
+      try {
+        responseBody = await response.json();
+      } catch {
+        responseBody = null;
+      }
+    }
+    this.debugLog(method, urlPath, response.status, responseBody);
+    if (!response.ok) {
+      const errBody = responseBody;
+      if (response.status === 401) {
+        throw new AdminApiError("auth", 401, responseBody, "Admin token rejected.");
+      }
+      if (response.status === 403) {
+        throw new AdminApiError("forbidden", 403, responseBody, "Token is not admin-role.");
+      }
+      if (response.status === 404) {
+        throw new AdminApiError("not_found", 404, responseBody, "Not found.");
+      }
+      if (response.status === 400 || response.status === 409) {
+        throw new AdminApiError(
+          "invalid_request",
+          response.status,
+          errBody?.details ?? responseBody,
+          `Invalid request: ${errBody?.error ?? "unknown"}`
+        );
+      }
+      if (response.status >= 500) {
+        throw new AdminApiError(
+          "server",
+          response.status,
+          responseBody,
+          `Server error ${response.status}.`
+        );
+      }
+      throw new AdminApiError(
+        "server",
+        response.status,
+        responseBody,
+        `Unexpected status ${response.status}.`
+      );
+    }
+    return responseBody;
+  }
+  async createProject(input) {
+    const raw = await this.request("POST", "/projects", { name: input.name });
+    const parsed = ProjectSchema.safeParse(raw);
+    if (!parsed.success) {
+      throw new AdminApiError(
+        "response_shape",
+        null,
+        parsed.error,
+        "Server returned unexpected response shape (CLI may be out of date)."
+      );
+    }
+    return parsed.data;
+  }
+  async inviteMember(input) {
+    const body = {
+      email: input.email,
+      role: input.role
+    };
+    if (input.displayName !== void 0) {
+      body["display_name"] = input.displayName;
+    }
+    const raw = await this.request(
+      "POST",
+      `/projects/${input.projectId}/members`,
+      body
+    );
+    const parsed = InviteCreatedSchema.safeParse(raw);
+    if (!parsed.success) {
+      throw new AdminApiError(
+        "response_shape",
+        null,
+        parsed.error,
+        "Server returned unexpected response shape (CLI may be out of date)."
+      );
+    }
+    return parsed.data;
+  }
+  async issueToken(input) {
+    const body = {
+      member_id: input.memberId,
+      name: input.name
+    };
+    if (input.expiresAt !== void 0) {
+      body["expires_at"] = input.expiresAt;
+    }
+    const raw = await this.request(
+      "POST",
+      `/projects/${input.projectId}/tokens`,
+      body
+    );
+    const parsed = TokenIssuedSchema.safeParse(raw);
+    if (!parsed.success) {
+      throw new AdminApiError(
+        "response_shape",
+        null,
+        parsed.error,
+        "Server returned unexpected response shape (CLI may be out of date)."
+      );
+    }
+    return parsed.data;
+  }
+  async revokeToken(input) {
+    await this.request("DELETE", `/tokens/${input.tokenId}`, void 0);
+  }
+};
+function createAdminApiClient(opts) {
+  return new AdminApiClientImpl(opts);
+}
+// src/admin-api/admin-auth.ts
+var fs = __toESM(require("fs"), 1);
+var os = __toESM(require("os"), 1);
+var path = __toESM(require("path"), 1);
+var import_zod2 = require("zod");
+var AdminAuthFileSchema = import_zod2.z.object({
+  version: import_zod2.z.literal(1),
+  token: import_zod2.z.string().min(1)
+}).strict();
+var MISSING_TOKEN_ERROR = "No admin token. Set CLEARGATE_ADMIN_TOKEN or write ~/.cleargate/admin-auth.json (chmod 600). See README \xA7admin-jwt.";
+function loadAdminAuth(opts) {
+  const env = opts?.env ?? process.env;
+  const warn = opts?.warn ?? ((msg) => process.stderr.write(msg + "\n"));
+  const envToken = env["CLEARGATE_ADMIN_TOKEN"];
+  if (envToken) {
+    return { token: envToken, source: "env" };
+  }
+  const homedirFn = opts?.homedir ?? os.homedir;
+  const filePath = opts?.filePath ?? path.join(homedirFn(), ".cleargate", "admin-auth.json");
+  let raw;
+  try {
+    raw = fs.readFileSync(filePath, "utf8");
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+      throw new Error(MISSING_TOKEN_ERROR);
+    }
+    throw new Error(`Failed to read admin-auth file at ${filePath}: ${String(err)}`);
+  }
+  try {
+    const stat = fs.statSync(filePath);
+    const mode = stat.mode & 511;
+    if (mode & 63) {
+      warn(
+        `cleargate-admin: warning: ${filePath} is group/world readable (mode ${mode.toString(8).padStart(3, "0")}). Run: chmod 600 ${filePath}`
+      );
+    }
+  } catch {
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error(`Failed to parse admin-auth file at ${filePath}: invalid JSON`);
+  }
+  const result = AdminAuthFileSchema.safeParse(parsed);
+  if (!result.success) {
+    throw new Error(
+      `Invalid admin-auth file at ${filePath}: ${result.error.message}`
+    );
+  }
+  return { token: result.data.token, source: "file" };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AdminApiError,
+  AdminAuthFileSchema,
+  ErrorBodySchema,
+  InviteCreatedSchema,
+  MemberSchema,
+  ProjectSchema,
+  TokenIssuedSchema,
+  TokenMetaSchema,
+  createAdminApiClient,
+  loadAdminAuth,
+  redactSensitive
+});
+//# sourceMappingURL=index.cjs.map

package/dist/admin-api/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/admin-api/index.ts","../../src/admin-api/errors.ts","../../src/admin-api/responses.ts","../../src/admin-api/redact.ts","../../src/admin-api/client.ts","../../src/admin-api/admin-auth.ts"],"sourcesContent":["/**\n * Barrel export for admin-api module.\n * Consumed by cleargate-admin commands via cleargate/admin-api.\n */\nexport * from './client.js';\nexport * from './errors.js';\nexport * from './redact.js';\nexport * from './responses.js';\nexport * from './admin-auth.js';\n","/**\n * Typed error class for all admin API failures.\n * kind → exit code mapping lives in mcp/scripts/commands/_render-error.ts\n */\nexport class AdminApiError extends Error {\n constructor(\n public readonly kind:\n | 'network'\n | 'auth'\n | 'forbidden'\n | 'not_found'\n | 'invalid_request'\n | 'server'\n | 'response_shape',\n public readonly status: number | null,\n public readonly details: unknown,\n message: string,\n ) {\n super(message);\n this.name = 'AdminApiError';\n }\n}\n","/**\n * Vendored Zod response schemas — hand-authored from\n * mcp/src/admin-api/__snapshots__/openapi.test.ts.snap\n *\n * Snapshot drift is detected by cleargate-cli/test/admin-api/snapshot-drift.test.ts,\n * which reads the snapshot file at runtime and asserts field-set equality.\n */\nimport { z } from 'zod';\n\nexport const ProjectSchema = z\n .object({\n id: z.string(),\n name: z.string(),\n created_by: z.string(),\n created_at: z.string(),\n deleted_at: z.string().nullable(),\n })\n .strict();\n\nexport type Project = z.infer<typeof ProjectSchema>;\n\nexport const MemberSchema = z\n .object({\n id: z.string(),\n project_id: z.string(),\n email: z.string(),\n role: z.string(),\n display_name: z.string().nullable().optional(),\n created_at: z.string(),\n status: z.enum(['pending', 'active']),\n })\n .strict();\n\nexport type Member = z.infer<typeof MemberSchema>;\n\nexport const InviteCreatedSchema = z\n .object({\n member: MemberSchema,\n invite_url: z.string(),\n invite_token: z.string(),\n invite_expires_in: z.number().int(),\n })\n .strict();\n\nexport type InviteCreated = z.infer<typeof InviteCreatedSchema>;\n\nexport const TokenMetaSchema = z\n .object({\n id: z.string(),\n member_id: z.string(),\n name: z.string(),\n created_at: z.string(),\n expires_at: z.string().nullable().optional(),\n last_used_at: z.string().nullable().optional(),\n revoked_at: z.string().nullable().optional(),\n })\n .strict();\n\nexport type TokenMeta = z.infer<typeof TokenMetaSchema>;\n\n// TokenIssued = TokenMeta + plaintext token field (returned exactly once)\nexport const TokenIssuedSchema = z\n .object({\n id: z.string(),\n member_id: z.string(),\n name: z.string(),\n created_at: z.string(),\n expires_at: z.string().nullable().optional(),\n last_used_at: z.string().nullable().optional(),\n revoked_at: z.string().nullable().optional(),\n token: z.string(),\n })\n .strict();\n\nexport type TokenIssued = z.infer<typeof TokenIssuedSchema>;\n\nexport const ErrorBodySchema = z\n .object({\n error: z.string(),\n details: z.record(z.string(), z.unknown()).optional(),\n })\n .strict();\n\nexport type ErrorBody = z.infer<typeof ErrorBodySchema>;\n","/**\n * Recursively replaces sensitive key values with '<redacted>'.\n * Used in debug log paths — never in success output.\n * Keys stripped: token, refresh_token, invite_token\n */\nconst SENSITIVE_KEYS = new Set(['token', 'refresh_token', 'invite_token']);\n\nexport function redactSensitive(obj: unknown): unknown {\n if (Array.isArray(obj)) {\n return obj.map((item) => redactSensitive(item));\n }\n if (obj !== null && typeof obj === 'object') {\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (SENSITIVE_KEYS.has(key)) {\n result[key] = '<redacted>';\n } else {\n result[key] = redactSensitive(value);\n }\n }\n return result;\n }\n return obj;\n}\n","/**\n * AdminApiClient — typed HTTP client for the ClearGate admin API.\n *\n * Key implementation notes:\n * - CLI method args are camelCase; wire bodies are snake_case (converted internally)\n * - DELETE requests MUST omit Content-Type (Fastify 5 FST_ERR_CTP_EMPTY_JSON_BODY)\n * - All 2xx responses are validated through vendored Zod schemas\n * - Errors map to AdminApiError with kind → exit code table in D6\n */\nimport { AdminApiError } from './errors.js';\nimport {\n ProjectSchema,\n InviteCreatedSchema,\n TokenIssuedSchema,\n type Project,\n type InviteCreated,\n type TokenIssued,\n} from './responses.js';\nimport { redactSensitive } from './redact.js';\n\nexport interface AdminApiClientOptions {\n baseUrl: string;\n token: string;\n fetch?: typeof globalThis.fetch;\n warn?: (msg: string) => void;\n userAgent?: string;\n}\n\nexport interface AdminApiClient {\n createProject(input: { name: string }): Promise<Project>;\n inviteMember(input: {\n projectId: string;\n email: string;\n role: 'user' | 'service';\n displayName?: string;\n }): Promise<InviteCreated>;\n issueToken(input: {\n projectId: string;\n memberId: string;\n name: string;\n expiresAt?: string;\n }): Promise<TokenIssued>;\n revokeToken(input: { tokenId: string }): Promise<void>;\n}\n\nfunction defaultWarn(msg: string): void {\n process.stderr.write(msg + '\\n');\n}\n\nclass AdminApiClientImpl implements AdminApiClient {\n private readonly baseUrl: string;\n private readonly token: string;\n private readonly fetchFn: typeof globalThis.fetch;\n private readonly warn: (msg: string) => void;\n private readonly userAgent: string;\n\n constructor(opts: AdminApiClientOptions) {\n this.baseUrl = opts.baseUrl.replace(/\\/$/, '');\n this.token = opts.token;\n this.fetchFn = opts.fetch ?? globalThis.fetch;\n this.warn = opts.warn ?? defaultWarn;\n this.userAgent = opts.userAgent ?? `cleargate`;\n }\n\n private debugLog(method: string, path: string, status: number, body: unknown): void {\n if (process.env['CLEARGATE_LOG_LEVEL'] === 'debug') {\n const redacted = redactSensitive(body);\n this.warn(`[admin-api] ${method} ${path} → ${status} ${JSON.stringify(redacted)}`);\n }\n }\n\n private async request<T>(\n method: string,\n urlPath: string,\n body?: Record<string, unknown>,\n ): Promise<T> {\n const url = `${this.baseUrl}/admin-api/v1${urlPath}`;\n const headers: Record<string, string> = {\n Authorization: `Bearer ${this.token}`,\n 'User-Agent': this.userAgent,\n Accept: 'application/json',\n };\n\n // CRITICAL: omit Content-Type on requests without body (DELETE)\n // Fastify 5 throws FST_ERR_CTP_EMPTY_JSON_BODY if Content-Type is set with empty body\n if (body !== undefined) {\n headers['Content-Type'] = 'application/json';\n }\n\n let response: Response;\n try {\n response = await this.fetchFn(url, {\n method,\n headers,\n body: body !== undefined ? JSON.stringify(body) : undefined,\n });\n } catch (err) {\n throw new AdminApiError(\n 'network',\n null,\n err,\n `cannot reach ${this.baseUrl} (${err instanceof Error ? err.message : String(err)})`,\n );\n }\n\n // Parse response body when present\n let responseBody: unknown = null;\n const contentType = response.headers.get('content-type') ?? '';\n if (contentType.includes('application/json')) {\n try {\n responseBody = await response.json();\n } catch {\n responseBody = null;\n }\n }\n\n this.debugLog(method, urlPath, response.status, responseBody);\n\n // Map HTTP status to AdminApiError kinds\n if (!response.ok) {\n const errBody = responseBody as { error?: string; details?: unknown } | null;\n if (response.status === 401) {\n throw new AdminApiError('auth', 401, responseBody, 'Admin token rejected.');\n }\n if (response.status === 403) {\n throw new AdminApiError('forbidden', 403, responseBody, 'Token is not admin-role.');\n }\n if (response.status === 404) {\n throw new AdminApiError('not_found', 404, responseBody, 'Not found.');\n }\n if (response.status === 400 || response.status === 409) {\n throw new AdminApiError(\n 'invalid_request',\n response.status,\n errBody?.details ?? responseBody,\n `Invalid request: ${errBody?.error ?? 'unknown'}`,\n );\n }\n if (response.status >= 500) {\n throw new AdminApiError(\n 'server',\n response.status,\n responseBody,\n `Server error ${response.status}.`,\n );\n }\n throw new AdminApiError(\n 'server',\n response.status,\n responseBody,\n `Unexpected status ${response.status}.`,\n );\n }\n\n return responseBody as T;\n }\n\n async createProject(input: { name: string }): Promise<Project> {\n const raw = await this.request<unknown>('POST', '/projects', { name: input.name });\n const parsed = ProjectSchema.safeParse(raw);\n if (!parsed.success) {\n throw new AdminApiError(\n 'response_shape',\n null,\n parsed.error,\n 'Server returned unexpected response shape (CLI may be out of date).',\n );\n }\n return parsed.data;\n }\n\n async inviteMember(input: {\n projectId: string;\n email: string;\n role: 'user' | 'service';\n displayName?: string;\n }): Promise<InviteCreated> {\n const body: Record<string, unknown> = {\n email: input.email,\n role: input.role,\n };\n if (input.displayName !== undefined) {\n body['display_name'] = input.displayName;\n }\n const raw = await this.request<unknown>(\n 'POST',\n `/projects/${input.projectId}/members`,\n body,\n );\n const parsed = InviteCreatedSchema.safeParse(raw);\n if (!parsed.success) {\n // Try MemberSchema in case the server returned a member-only response\n throw new AdminApiError(\n 'response_shape',\n null,\n parsed.error,\n 'Server returned unexpected response shape (CLI may be out of date).',\n );\n }\n return parsed.data;\n }\n\n async issueToken(input: {\n projectId: string;\n memberId: string;\n name: string;\n expiresAt?: string;\n }): Promise<TokenIssued> {\n const body: Record<string, unknown> = {\n member_id: input.memberId,\n name: input.name,\n };\n if (input.expiresAt !== undefined) {\n body['expires_at'] = input.expiresAt;\n }\n const raw = await this.request<unknown>(\n 'POST',\n `/projects/${input.projectId}/tokens`,\n body,\n );\n const parsed = TokenIssuedSchema.safeParse(raw);\n if (!parsed.success) {\n throw new AdminApiError(\n 'response_shape',\n null,\n parsed.error,\n 'Server returned unexpected response shape (CLI may be out of date).',\n );\n }\n return parsed.data;\n }\n\n async revokeToken(input: { tokenId: string }): Promise<void> {\n // No body — Content-Type must be omitted (Fastify 5 CTP quirk)\n await this.request<unknown>('DELETE', `/tokens/${input.tokenId}`, undefined);\n }\n}\n\nexport function createAdminApiClient(opts: AdminApiClientOptions): AdminApiClient {\n return new AdminApiClientImpl(opts);\n}\n","/**\n * Loads an admin JWT for use with cleargate-admin CLI commands.\n *\n * Load order:\n * 1. CLEARGATE_ADMIN_TOKEN env var (wins immediately — file is not read)\n * 2. ~/.cleargate/admin-auth.json (shape: { version: 1, token: string })\n *\n * DISTINCT from FileTokenStore: that file holds user profile → refresh-token maps.\n * This file holds a single admin JWT acquired out-of-band via dev-issue-token.\n */\nimport * as fs from 'node:fs';\nimport * as os from 'node:os';\nimport * as path from 'node:path';\nimport { z } from 'zod';\n\nexport const AdminAuthFileSchema = z\n .object({\n version: z.literal(1),\n token: z.string().min(1),\n })\n .strict();\n\nexport interface LoadAdminAuthOptions {\n env?: NodeJS.ProcessEnv;\n filePath?: string;\n homedir?: () => string;\n warn?: (msg: string) => void;\n}\n\nexport interface AdminAuth {\n token: string;\n source: 'env' | 'file';\n}\n\nconst MISSING_TOKEN_ERROR =\n 'No admin token. Set CLEARGATE_ADMIN_TOKEN or write ~/.cleargate/admin-auth.json (chmod 600). See README §admin-jwt.';\n\nexport function loadAdminAuth(opts?: LoadAdminAuthOptions): AdminAuth {\n const env = opts?.env ?? process.env;\n const warn = opts?.warn ?? ((msg: string) => process.stderr.write(msg + '\\n'));\n\n // Env wins — file is not read at all when env is set\n const envToken = env['CLEARGATE_ADMIN_TOKEN'];\n if (envToken) {\n return { token: envToken, source: 'env' };\n }\n\n // Resolve file path\n const homedirFn = opts?.homedir ?? os.homedir;\n const filePath =\n opts?.filePath ?? path.join(homedirFn(), '.cleargate', 'admin-auth.json');\n\n // Try file\n let raw: string;\n try {\n raw = fs.readFileSync(filePath, 'utf8');\n } catch (err) {\n if (err instanceof Error && 'code' in err && (err as NodeJS.ErrnoException).code === 'ENOENT') {\n throw new Error(MISSING_TOKEN_ERROR);\n }\n throw new Error(`Failed to read admin-auth file at ${filePath}: ${String(err)}`);\n }\n\n // Check file permissions (warn if too permissive)\n try {\n const stat = fs.statSync(filePath);\n const mode = stat.mode & 0o777;\n if (mode & 0o077) {\n warn(\n `cleargate-admin: warning: ${filePath} is group/world readable (mode ${(mode).toString(8).padStart(3, '0')}). Run: chmod 600 ${filePath}`,\n );\n }\n } catch {\n // If we can't stat the file, ignore — the read already succeeded\n }\n\n // Parse JSON\n let parsed: unknown;\n try {\n parsed = JSON.parse(raw);\n } catch {\n throw new Error(`Failed to parse admin-auth file at ${filePath}: invalid JSON`);\n }\n\n // Validate with strict schema\n const result = AdminAuthFileSchema.safeParse(parsed);\n if (!result.success) {\n throw new Error(\n `Invalid admin-auth file at ${filePath}: ${result.error.message}`,\n );\n }\n\n return { token: result.data.token, source: 'file' };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACIO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YACkB,MAQA,QACA,SAChB,SACA;AACA,UAAM,OAAO;AAZG;AAQA;AACA;AAIhB,SAAK,OAAO;AAAA,EACd;AAAA,EAdkB;AAAA,EAQA;AAAA,EACA;AAMpB;;;ACdA,iBAAkB;AAEX,IAAM,gBAAgB,aAC1B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS;AAClC,CAAC,EACA,OAAO;AAIH,IAAM,eAAe,aACzB,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,YAAY,aAAE,OAAO;AAAA,EACrB,OAAO,aAAE,OAAO;AAAA,EAChB,MAAM,aAAE,OAAO;AAAA,EACf,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO;AAAA,EACrB,QAAQ,aAAE,KAAK,CAAC,WAAW,QAAQ,CAAC;AACtC,CAAC,EACA,OAAO;AAIH,IAAM,sBAAsB,aAChC,OAAO;AAAA,EACN,QAAQ;AAAA,EACR,YAAY,aAAE,OAAO;AAAA,EACrB,cAAc,aAAE,OAAO;AAAA,EACvB,mBAAmB,aAAE,OAAO,EAAE,IAAI;AACpC,CAAC,EACA,OAAO;AAIH,IAAM,kBAAkB,aAC5B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,WAAW,aAAE,OAAO;AAAA,EACpB,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC7C,CAAC,EACA,OAAO;AAKH,IAAM,oBAAoB,aAC9B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,WAAW,aAAE,OAAO;AAAA,EACpB,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,OAAO,aAAE,OAAO;AAClB,CAAC,EACA,OAAO;AAIH,IAAM,kBAAkB,aAC5B,OAAO;AAAA,EACN,OAAO,aAAE,OAAO;AAAA,EAChB,SAAS,aAAE,OAAO,aAAE,OAAO,GAAG,aAAE,QAAQ,CAAC,EAAE,SAAS;AACtD,CAAC,EACA,OAAO;;;AC5EV,IAAM,iBAAiB,oBAAI,IAAI,CAAC,SAAS,iBAAiB,cAAc,CAAC;AAElE,SAAS,gBAAgB,KAAuB;AACrD,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,CAAC,SAAS,gBAAgB,IAAI,CAAC;AAAA,EAChD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAkC,CAAC;AACzC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,GAA8B,GAAG;AACzE,UAAI,eAAe,IAAI,GAAG,GAAG;AAC3B,eAAO,GAAG,IAAI;AAAA,MAChB,OAAO;AACL,eAAO,GAAG,IAAI,gBAAgB,KAAK;AAAA,MACrC;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;ACsBA,SAAS,YAAY,KAAmB;AACtC,UAAQ,OAAO,MAAM,MAAM,IAAI;AACjC;AAEA,IAAM,qBAAN,MAAmD;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,MAA6B;AACvC,SAAK,UAAU,KAAK,QAAQ,QAAQ,OAAO,EAAE;AAC7C,SAAK,QAAQ,KAAK;AAClB,SAAK,UAAU,KAAK,SAAS,WAAW;AACxC,SAAK,OAAO,KAAK,QAAQ;AACzB,SAAK,YAAY,KAAK,aAAa;AAAA,EACrC;AAAA,EAEQ,SAAS,QAAgBA,OAAc,QAAgB,MAAqB;AAClF,QAAI,QAAQ,IAAI,qBAAqB,MAAM,SAAS;AAClD,YAAM,WAAW,gBAAgB,IAAI;AACrC,WAAK,KAAK,eAAe,MAAM,IAAIA,KAAI,WAAM,MAAM,IAAI,KAAK,UAAU,QAAQ,CAAC,EAAE;AAAA,IACnF;AAAA,EACF;AAAA,EAEA,MAAc,QACZ,QACA,SACA,MACY;AACZ,UAAM,MAAM,GAAG,KAAK,OAAO,gBAAgB,OAAO;AAClD,UAAM,UAAkC;AAAA,MACtC,eAAe,UAAU,KAAK,KAAK;AAAA,MACnC,cAAc,KAAK;AAAA,MACnB,QAAQ;AAAA,IACV;AAIA,QAAI,SAAS,QAAW;AACtB,cAAQ,cAAc,IAAI;AAAA,IAC5B;AAEA,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,KAAK,QAAQ,KAAK;AAAA,QACjC;AAAA,QACA;AAAA,QACA,MAAM,SAAS,SAAY,KAAK,UAAU,IAAI,IAAI;AAAA,MACpD,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,QACA,gBAAgB,KAAK,OAAO,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACnF;AAAA,IACF;AAGA,QAAI,eAAwB;AAC5B,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAC5D,QAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,UAAI;AACF,uBAAe,MAAM,SAAS,KAAK;AAAA,MACrC,QAAQ;AACN,uBAAe;AAAA,MACjB;AAAA,IACF;AAEA,SAAK,SAAS,QAAQ,SAAS,SAAS,QAAQ,YAAY;AAG5D,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,UAAU;AAChB,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,QAAQ,KAAK,cAAc,uBAAuB;AAAA,MAC5E;AACA,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,aAAa,KAAK,cAAc,0BAA0B;AAAA,MACpF;AACA,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,aAAa,KAAK,cAAc,YAAY;AAAA,MACtE;AACA,UAAI,SAAS,WAAW,OAAO,SAAS,WAAW,KAAK;AACtD,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT,SAAS,WAAW;AAAA,UACpB,oBAAoB,SAAS,SAAS,SAAS;AAAA,QACjD;AAAA,MACF;AACA,UAAI,SAAS,UAAU,KAAK;AAC1B,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT;AAAA,UACA,gBAAgB,SAAS,MAAM;AAAA,QACjC;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,qBAAqB,SAAS,MAAM;AAAA,MACtC;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,OAA2C;AAC7D,UAAM,MAAM,MAAM,KAAK,QAAiB,QAAQ,aAAa,EAAE,MAAM,MAAM,KAAK,CAAC;AACjF,UAAM,SAAS,cAAc,UAAU,GAAG;AAC1C,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,aAAa,OAKQ;AACzB,UAAM,OAAgC;AAAA,MACpC,OAAO,MAAM;AAAA,MACb,MAAM,MAAM;AAAA,IACd;AACA,QAAI,MAAM,gBAAgB,QAAW;AACnC,WAAK,cAAc,IAAI,MAAM;AAAA,IAC/B;AACA,UAAM,MAAM,MAAM,KAAK;AAAA,MACrB;AAAA,MACA,aAAa,MAAM,SAAS;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,SAAS,oBAAoB,UAAU,GAAG;AAChD,QAAI,CAAC,OAAO,SAAS;AAEnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,WAAW,OAKQ;AACvB,UAAM,OAAgC;AAAA,MACpC,WAAW,MAAM;AAAA,MACjB,MAAM,MAAM;AAAA,IACd;AACA,QAAI,MAAM,cAAc,QAAW;AACjC,WAAK,YAAY,IAAI,MAAM;AAAA,IAC7B;AACA,UAAM,MAAM,MAAM,KAAK;AAAA,MACrB;AAAA,MACA,aAAa,MAAM,SAAS;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,SAAS,kBAAkB,UAAU,GAAG;AAC9C,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,YAAY,OAA2C;AAE3D,UAAM,KAAK,QAAiB,UAAU,WAAW,MAAM,OAAO,IAAI,MAAS;AAAA,EAC7E;AACF;AAEO,SAAS,qBAAqB,MAA6C;AAChF,SAAO,IAAI,mBAAmB,IAAI;AACpC;;;ACtOA,SAAoB;AACpB,SAAoB;AACpB,WAAsB;AACtB,IAAAC,cAAkB;AAEX,IAAM,sBAAsB,cAChC,OAAO;AAAA,EACN,SAAS,cAAE,QAAQ,CAAC;AAAA,EACpB,OAAO,cAAE,OAAO,EAAE,IAAI,CAAC;AACzB,CAAC,EACA,OAAO;AAcV,IAAM,sBACJ;AAEK,SAAS,cAAc,MAAwC;AACpE,QAAM,MAAM,MAAM,OAAO,QAAQ;AACjC,QAAM,OAAO,MAAM,SAAS,CAAC,QAAgB,QAAQ,OAAO,MAAM,MAAM,IAAI;AAG5E,QAAM,WAAW,IAAI,uBAAuB;AAC5C,MAAI,UAAU;AACZ,WAAO,EAAE,OAAO,UAAU,QAAQ,MAAM;AAAA,EAC1C;AAGA,QAAM,YAAY,MAAM,WAAc;AACtC,QAAM,WACJ,MAAM,YAAiB,UAAK,UAAU,GAAG,cAAc,iBAAiB;AAG1E,MAAI;AACJ,MAAI;AACF,UAAS,gBAAa,UAAU,MAAM;AAAA,EACxC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,UAAU,OAAQ,IAA8B,SAAS,UAAU;AAC7F,YAAM,IAAI,MAAM,mBAAmB;AAAA,IACrC;AACA,UAAM,IAAI,MAAM,qCAAqC,QAAQ,KAAK,OAAO,GAAG,CAAC,EAAE;AAAA,EACjF;AAGA,MAAI;AACF,UAAM,OAAU,YAAS,QAAQ;AACjC,UAAM,OAAO,KAAK,OAAO;AACzB,QAAI,OAAO,IAAO;AAChB;AAAA,QACE,6BAA6B,QAAQ,kCAAmC,KAAM,SAAS,CAAC,EAAE,SAAS,GAAG,GAAG,CAAC,qBAAqB,QAAQ;AAAA,MACzI;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAGA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,UAAM,IAAI,MAAM,sCAAsC,QAAQ,gBAAgB;AAAA,EAChF;AAGA,QAAM,SAAS,oBAAoB,UAAU,MAAM;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,UAAM,IAAI;AAAA,MACR,8BAA8B,QAAQ,KAAK,OAAO,MAAM,OAAO;AAAA,IACjE;AAAA,EACF;AAEA,SAAO,EAAE,OAAO,OAAO,KAAK,OAAO,QAAQ,OAAO;AACpD;","names":["path","import_zod"]}

package/dist/admin-api/index.d.cts ADDED Viewed

@@ -0,0 +1,135 @@
+import { z } from 'zod';
+/**
+ * Vendored Zod response schemas — hand-authored from
+ * mcp/src/admin-api/__snapshots__/openapi.test.ts.snap
+ *
+ * Snapshot drift is detected by cleargate-cli/test/admin-api/snapshot-drift.test.ts,
+ * which reads the snapshot file at runtime and asserts field-set equality.
+ */
+declare const ProjectSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    created_by: z.ZodString;
+    created_at: z.ZodString;
+    deleted_at: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+type Project = z.infer<typeof ProjectSchema>;
+declare const MemberSchema: z.ZodObject<{
+    id: z.ZodString;
+    project_id: z.ZodString;
+    email: z.ZodString;
+    role: z.ZodString;
+    display_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    created_at: z.ZodString;
+    status: z.ZodEnum<{
+        pending: "pending";
+        active: "active";
+    }>;
+}, z.core.$strict>;
+type Member = z.infer<typeof MemberSchema>;
+declare const InviteCreatedSchema: z.ZodObject<{
+    member: z.ZodObject<{
+        id: z.ZodString;
+        project_id: z.ZodString;
+        email: z.ZodString;
+        role: z.ZodString;
+        display_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        created_at: z.ZodString;
+        status: z.ZodEnum<{
+            pending: "pending";
+            active: "active";
+        }>;
+    }, z.core.$strict>;
+    invite_url: z.ZodString;
+    invite_token: z.ZodString;
+    invite_expires_in: z.ZodNumber;
+}, z.core.$strict>;
+type InviteCreated = z.infer<typeof InviteCreatedSchema>;
+declare const TokenMetaSchema: z.ZodObject<{
+    id: z.ZodString;
+    member_id: z.ZodString;
+    name: z.ZodString;
+    created_at: z.ZodString;
+    expires_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    last_used_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    revoked_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strict>;
+type TokenMeta = z.infer<typeof TokenMetaSchema>;
+declare const TokenIssuedSchema: z.ZodObject<{
+    id: z.ZodString;
+    member_id: z.ZodString;
+    name: z.ZodString;
+    created_at: z.ZodString;
+    expires_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    last_used_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    revoked_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    token: z.ZodString;
+}, z.core.$strict>;
+type TokenIssued = z.infer<typeof TokenIssuedSchema>;
+declare const ErrorBodySchema: z.ZodObject<{
+    error: z.ZodString;
+    details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+type ErrorBody = z.infer<typeof ErrorBodySchema>;
+interface AdminApiClientOptions {
+    baseUrl: string;
+    token: string;
+    fetch?: typeof globalThis.fetch;
+    warn?: (msg: string) => void;
+    userAgent?: string;
+}
+interface AdminApiClient {
+    createProject(input: {
+        name: string;
+    }): Promise<Project>;
+    inviteMember(input: {
+        projectId: string;
+        email: string;
+        role: 'user' | 'service';
+        displayName?: string;
+    }): Promise<InviteCreated>;
+    issueToken(input: {
+        projectId: string;
+        memberId: string;
+        name: string;
+        expiresAt?: string;
+    }): Promise<TokenIssued>;
+    revokeToken(input: {
+        tokenId: string;
+    }): Promise<void>;
+}
+declare function createAdminApiClient(opts: AdminApiClientOptions): AdminApiClient;
+/**
+ * Typed error class for all admin API failures.
+ * kind → exit code mapping lives in mcp/scripts/commands/_render-error.ts
+ */
+declare class AdminApiError extends Error {
+    readonly kind: 'network' | 'auth' | 'forbidden' | 'not_found' | 'invalid_request' | 'server' | 'response_shape';
+    readonly status: number | null;
+    readonly details: unknown;
+    constructor(kind: 'network' | 'auth' | 'forbidden' | 'not_found' | 'invalid_request' | 'server' | 'response_shape', status: number | null, details: unknown, message: string);
+}
+declare function redactSensitive(obj: unknown): unknown;
+declare const AdminAuthFileSchema: z.ZodObject<{
+    version: z.ZodLiteral<1>;
+    token: z.ZodString;
+}, z.core.$strict>;
+interface LoadAdminAuthOptions {
+    env?: NodeJS.ProcessEnv;
+    filePath?: string;
+    homedir?: () => string;
+    warn?: (msg: string) => void;
+}
+interface AdminAuth {
+    token: string;
+    source: 'env' | 'file';
+}
+declare function loadAdminAuth(opts?: LoadAdminAuthOptions): AdminAuth;
+export { type AdminApiClient, type AdminApiClientOptions, AdminApiError, type AdminAuth, AdminAuthFileSchema, type ErrorBody, ErrorBodySchema, type InviteCreated, InviteCreatedSchema, type LoadAdminAuthOptions, type Member, MemberSchema, type Project, ProjectSchema, type TokenIssued, TokenIssuedSchema, type TokenMeta, TokenMetaSchema, createAdminApiClient, loadAdminAuth, redactSensitive };

package/dist/admin-api/index.d.ts ADDED Viewed

@@ -0,0 +1,135 @@
+import { z } from 'zod';
+/**
+ * Vendored Zod response schemas — hand-authored from
+ * mcp/src/admin-api/__snapshots__/openapi.test.ts.snap
+ *
+ * Snapshot drift is detected by cleargate-cli/test/admin-api/snapshot-drift.test.ts,
+ * which reads the snapshot file at runtime and asserts field-set equality.
+ */
+declare const ProjectSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    created_by: z.ZodString;
+    created_at: z.ZodString;
+    deleted_at: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+type Project = z.infer<typeof ProjectSchema>;
+declare const MemberSchema: z.ZodObject<{
+    id: z.ZodString;
+    project_id: z.ZodString;
+    email: z.ZodString;
+    role: z.ZodString;
+    display_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    created_at: z.ZodString;
+    status: z.ZodEnum<{
+        pending: "pending";
+        active: "active";
+    }>;
+}, z.core.$strict>;
+type Member = z.infer<typeof MemberSchema>;
+declare const InviteCreatedSchema: z.ZodObject<{
+    member: z.ZodObject<{
+        id: z.ZodString;
+        project_id: z.ZodString;
+        email: z.ZodString;
+        role: z.ZodString;
+        display_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        created_at: z.ZodString;
+        status: z.ZodEnum<{
+            pending: "pending";
+            active: "active";
+        }>;
+    }, z.core.$strict>;
+    invite_url: z.ZodString;
+    invite_token: z.ZodString;
+    invite_expires_in: z.ZodNumber;
+}, z.core.$strict>;
+type InviteCreated = z.infer<typeof InviteCreatedSchema>;
+declare const TokenMetaSchema: z.ZodObject<{
+    id: z.ZodString;
+    member_id: z.ZodString;
+    name: z.ZodString;
+    created_at: z.ZodString;
+    expires_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    last_used_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    revoked_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strict>;
+type TokenMeta = z.infer<typeof TokenMetaSchema>;
+declare const TokenIssuedSchema: z.ZodObject<{
+    id: z.ZodString;
+    member_id: z.ZodString;
+    name: z.ZodString;
+    created_at: z.ZodString;
+    expires_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    last_used_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    revoked_at: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    token: z.ZodString;
+}, z.core.$strict>;
+type TokenIssued = z.infer<typeof TokenIssuedSchema>;
+declare const ErrorBodySchema: z.ZodObject<{
+    error: z.ZodString;
+    details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+type ErrorBody = z.infer<typeof ErrorBodySchema>;
+interface AdminApiClientOptions {
+    baseUrl: string;
+    token: string;
+    fetch?: typeof globalThis.fetch;
+    warn?: (msg: string) => void;
+    userAgent?: string;
+}
+interface AdminApiClient {
+    createProject(input: {
+        name: string;
+    }): Promise<Project>;
+    inviteMember(input: {
+        projectId: string;
+        email: string;
+        role: 'user' | 'service';
+        displayName?: string;
+    }): Promise<InviteCreated>;
+    issueToken(input: {
+        projectId: string;
+        memberId: string;
+        name: string;
+        expiresAt?: string;
+    }): Promise<TokenIssued>;
+    revokeToken(input: {
+        tokenId: string;
+    }): Promise<void>;
+}
+declare function createAdminApiClient(opts: AdminApiClientOptions): AdminApiClient;
+/**
+ * Typed error class for all admin API failures.
+ * kind → exit code mapping lives in mcp/scripts/commands/_render-error.ts
+ */
+declare class AdminApiError extends Error {
+    readonly kind: 'network' | 'auth' | 'forbidden' | 'not_found' | 'invalid_request' | 'server' | 'response_shape';
+    readonly status: number | null;
+    readonly details: unknown;
+    constructor(kind: 'network' | 'auth' | 'forbidden' | 'not_found' | 'invalid_request' | 'server' | 'response_shape', status: number | null, details: unknown, message: string);
+}
+declare function redactSensitive(obj: unknown): unknown;
+declare const AdminAuthFileSchema: z.ZodObject<{
+    version: z.ZodLiteral<1>;
+    token: z.ZodString;
+}, z.core.$strict>;
+interface LoadAdminAuthOptions {
+    env?: NodeJS.ProcessEnv;
+    filePath?: string;
+    homedir?: () => string;
+    warn?: (msg: string) => void;
+}
+interface AdminAuth {
+    token: string;
+    source: 'env' | 'file';
+}
+declare function loadAdminAuth(opts?: LoadAdminAuthOptions): AdminAuth;
+export { type AdminApiClient, type AdminApiClientOptions, AdminApiError, type AdminAuth, AdminAuthFileSchema, type ErrorBody, ErrorBodySchema, type InviteCreated, InviteCreatedSchema, type LoadAdminAuthOptions, type Member, MemberSchema, type Project, ProjectSchema, type TokenIssued, TokenIssuedSchema, type TokenMeta, TokenMetaSchema, createAdminApiClient, loadAdminAuth, redactSensitive };