cleargate 0.2.1 → 0.4.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Sandro Suladze
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/MANIFEST.json

@@ -1,10 +1,10 @@
 {
-  "cleargate_version": "0.2.1",
-  "generated_at": "2026-04-19T18:33:06.178Z",
+  "cleargate_version": "0.4.0",
+  "generated_at": "2026-04-25T11:27:01.277Z",
   "files": [
     {
       "path": ".claude/agents/architect.md",
-      "sha256": "0e0e545198cfff827ea453195414d884aec5cb5413e07dc1396820aaa2014f97",
+      "sha256": "c9424894549b270b73c1c95145b7bb8d406cadd2057c47f8e90bf74ce1f3cda7",
       "tier": "agent",
       "overwrite_policy": "always",
       "preserve_on_uninstall": false
@@ -32,28 +32,56 @@
     },
     {
       "path": ".claude/agents/developer.md",
-      "sha256": "bd9bcd8ce222effa248ff489939a7e37aa8e151675311fc7b374533c09ef43ee",
+      "sha256": "ea54db76bcd017526f2b48e05b167cb87251273aa5fd3da6bec3013c207c72fb",
       "tier": "agent",
       "overwrite_policy": "always",
       "preserve_on_uninstall": false
     },
     {
       "path": ".claude/agents/qa.md",
-      "sha256": "9345a4f294cbc327ecc169a51446e2321b53b14917e7880f7e7b374a28ac3751",
+      "sha256": "e753d294d6060ace626878220db02a0595126bc7baa52526e5d1576b163f04d0",
       "tier": "agent",
       "overwrite_policy": "always",
       "preserve_on_uninstall": false
     },
     {
       "path": ".claude/agents/reporter.md",
-      "sha256": "a9b7e248fd1baaef7fb0c23d4ba92bc94bcd46e9261a6dabbd183477fab96359",
+      "sha256": "5819d6f932ebd25a48e6f91a2e6227726f6d4d15968622728ec22a4ed7caa622",
       "tier": "agent",
       "overwrite_policy": "always",
       "preserve_on_uninstall": false
     },
+    {
+      "path": ".claude/hooks/pending-task-sentinel.sh",
+      "sha256": "8204286b19287c490cc09014b0c87e2b2686e6bd120393b7165895d215d6b49a",
+      "tier": "hook",
+      "overwrite_policy": "always",
+      "preserve_on_uninstall": false
+    },
+    {
+      "path": ".claude/hooks/pre-commit-surface-gate.sh",
+      "sha256": "a58f3b3c3dbb615a14bf6e2355f5122e80a5cb1e8ef9442648324f3124723ee3",
+      "tier": "hook",
+      "overwrite_policy": "always",
+      "preserve_on_uninstall": false
+    },
+    {
+      "path": ".claude/hooks/pre-commit-test-ratchet.sh",
+      "sha256": "67232d9d94817e512b2d66e020605b59e9795eb4a04005edf7ea75bf9a324848",
+      "tier": "hook",
+      "overwrite_policy": "always",
+      "preserve_on_uninstall": false
+    },
+    {
+      "path": ".claude/hooks/pre-commit.sh",
+      "sha256": "90260116726bfc88191fda353d038445d5838e7cd811db67029b5555f2dbc555",
+      "tier": "hook",
+      "overwrite_policy": "always",
+      "preserve_on_uninstall": false
+    },
     {
       "path": ".claude/hooks/session-start.sh",
-      "sha256": "b851f34c8e40eb10d6dc71c8dbd29282f74afbaad7e823306a3e2a52a15fe21f",
+      "sha256": "a611286330f36e5d0bbdc5642e9409ffbfc569cc3d0b370918e973b545c50741",
       "tier": "hook",
       "overwrite_policy": "always",
       "preserve_on_uninstall": false
@@ -67,14 +95,14 @@
     },
     {
       "path": ".claude/hooks/token-ledger.sh",
-      "sha256": "918ae12960f2c657c7ad1b0b7bc95438a4339d220f75e4abf5259ecabe8a2ca3",
+      "sha256": "be2b2eaa02cc30387601285160d6fe1c90ea76b37ec6cae2b7c9537f66f22783",
       "tier": "hook",
       "overwrite_policy": "always",
       "preserve_on_uninstall": false
     },
     {
       "path": ".claude/settings.json",
-      "sha256": "1f95f5468db19ffebe75aec1c35489a26aae64eae256d246a6a88cf34581f4bb",
+      "sha256": "a6d63ac3d01592b7d2ed1af45067606d535349dc27a51740f744c2fd2592a0cb",
       "tier": "cli-config",
       "overwrite_policy": "merge-3way",
       "preserve_on_uninstall": false
@@ -95,7 +123,7 @@
     },
     {
       "path": ".cleargate/knowledge/cleargate-protocol.md",
-      "sha256": "fc67af361fbd11137404d3db1034ceb5f876cd8de0e4f90e208ef19ab89072a6",
+      "sha256": "4316444ad452e83a2c9387ad6ad96ef4e4511b1face4b30976a912c0f28866f6",
       "tier": "protocol",
       "overwrite_policy": "merge-3way",
       "preserve_on_uninstall": false
@@ -109,21 +137,21 @@
     },
     {
       "path": ".cleargate/templates/Bug.md",
-      "sha256": "9f32165a709b30bc8794ef96c6a7220ef6484b47c30fb955e1c1c8e892698bcc",
+      "sha256": "3ba6e72bd2bc01cf8d0ea06390f8ea511bef3a421a33c48de033051f844dfa0e",
       "tier": "template",
       "overwrite_policy": "merge-3way",
       "preserve_on_uninstall": false
     },
     {
       "path": ".cleargate/templates/CR.md",
-      "sha256": "55ea7a8a25c6b3d37103065dd91eb11378a78a36375d274406d376f4c35af3ef",
+      "sha256": "58ea4badb03991d119f8aa8870992a8239c8df6ad198e0d9ca04a805756e4bac",
       "tier": "template",
       "overwrite_policy": "merge-3way",
       "preserve_on_uninstall": false
     },
     {
       "path": ".cleargate/templates/epic.md",
-      "sha256": "1847f1e7cedd631d4ef2aaf7ef67745e88b2ff76389b04bad6fa1f1edf973442",
+      "sha256": "6c85e4c9602af657e6778af9009a67936c27e47331479d0c246cdf1242177c82",
       "tier": "template",
       "overwrite_policy": "merge-3way",
       "preserve_on_uninstall": false
@@ -137,21 +165,35 @@
     },
     {
       "path": ".cleargate/templates/proposal.md",
-      "sha256": "1a0822edf6f29a1f8d34e2fab1180b33a365edd92d84b3fc191f239a751ba373",
+      "sha256": "e8055dac81ecf94d01fe610e8cdaf4fa73a2f8d9953e4db90b91a20a8c81460d",
       "tier": "template",
       "overwrite_policy": "merge-3way",
       "preserve_on_uninstall": false
     },
     {
       "path": ".cleargate/templates/Sprint Plan Template.md",
-      "sha256": "6e60b697a136edb89bc19cc40caa1bec51687366b8e1b35a6554d0072736591b",
+      "sha256": "9f87539691b910193c55fb9a637975de738dda181baa7e68fc48297993389613",
+      "tier": "template",
+      "overwrite_policy": "merge-3way",
+      "preserve_on_uninstall": false
+    },
+    {
+      "path": ".cleargate/templates/sprint_context.md",
+      "sha256": "56c8c401b56d4c654dc41a19bd524f1b8860a8006cc3cd90e784d101c3d7721a",
+      "tier": "template",
+      "overwrite_policy": "merge-3way",
+      "preserve_on_uninstall": false
+    },
+    {
+      "path": ".cleargate/templates/sprint_report.md",
+      "sha256": "5f3dfdbc7a1dde26758871b358be00d543e9669ab34ca3c7ead765ee6e182bcb",
       "tier": "template",
       "overwrite_policy": "merge-3way",
       "preserve_on_uninstall": false
     },
     {
       "path": ".cleargate/templates/story.md",
-      "sha256": "6c32fcabc9332cb928ac3b8fbfe618751b0a4cb05cd0f16463c3c4e22f8a67f1",
+      "sha256": "266b7e2b0526c4fe37620baf9344521e98ee5e7363661d390ef90068798f9bfe",
       "tier": "template",
       "overwrite_policy": "merge-3way",
       "preserve_on_uninstall": false

package/dist/admin-api/index.cjs

@@ -33,12 +33,23 @@ var admin_api_exports = {};
 __export(admin_api_exports, {
   AdminApiError: () => AdminApiError,
   AdminAuthFileSchema: () => AdminAuthFileSchema,
+  AdminUserSchema: () => AdminUserSchema,
+  AdminUsersListResponseSchema: () => AdminUsersListResponseSchema,
+  AuthExchangeResponseSchema: () => AuthExchangeResponseSchema,
+  DevicePollPendingResponseSchema: () => DevicePollPendingResponseSchema,
+  DevicePollSuccessResponseSchema: () => DevicePollSuccessResponseSchema,
+  DeviceStartResponseSchema: () => DeviceStartResponseSchema,
   ErrorBodySchema: () => ErrorBodySchema,
   InviteCreatedSchema: () => InviteCreatedSchema,
+  ItemSummarySchema: () => ItemSummarySchema,
+  ItemVersionSchema: () => ItemVersionSchema,
+  ItemVersionsResponseSchema: () => ItemVersionsResponseSchema,
+  ItemsListResponseSchema: () => ItemsListResponseSchema,
   MemberSchema: () => MemberSchema,
   ProjectSchema: () => ProjectSchema,
   TokenIssuedSchema: () => TokenIssuedSchema,
   TokenMetaSchema: () => TokenMetaSchema,
+  UsersMeResponseSchema: () => UsersMeResponseSchema,
   createAdminApiClient: () => createAdminApiClient,
   loadAdminAuth: () => loadAdminAuth,
   redactSensitive: () => redactSensitive
@@ -75,7 +86,7 @@ var MemberSchema = import_zod.z.object({
   role: import_zod.z.string(),
   display_name: import_zod.z.string().nullable().optional(),
   created_at: import_zod.z.string(),
-  status: import_zod.z.enum(["pending", "active"])
+  status: import_zod.z.enum(["pending", "active", "expired"])
 }).strict();
 var InviteCreatedSchema = import_zod.z.object({
   member: MemberSchema,
@@ -102,10 +113,75 @@ var TokenIssuedSchema = import_zod.z.object({
   revoked_at: import_zod.z.string().nullable().optional(),
   token: import_zod.z.string()
 }).strict();
+var AuthExchangeResponseSchema = import_zod.z.object({
+  admin_token: import_zod.z.string(),
+  expires_at: import_zod.z.string()
+}).strict();
 var ErrorBodySchema = import_zod.z.object({
   error: import_zod.z.string(),
   details: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).optional()
 }).strict();
+var ItemSummarySchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  cleargate_id: import_zod.z.string(),
+  type: import_zod.z.string(),
+  title: import_zod.z.string(),
+  status: import_zod.z.string(),
+  remote_id: import_zod.z.string().nullable(),
+  last_pushed_at: import_zod.z.string().nullable(),
+  pushed_by_member_id: import_zod.z.string().nullable(),
+  version: import_zod.z.number().int(),
+  updated_at: import_zod.z.string(),
+  current_payload: import_zod.z.record(import_zod.z.string(), import_zod.z.unknown()).default({})
+}).strict();
+var ItemsListResponseSchema = import_zod.z.object({
+  items: import_zod.z.array(ItemSummarySchema),
+  next_cursor: import_zod.z.string().nullable()
+}).strict();
+var ItemVersionSchema = import_zod.z.object({
+  version: import_zod.z.number().int(),
+  pushed_by_member_id: import_zod.z.string().nullable(),
+  pushed_at: import_zod.z.string(),
+  status: import_zod.z.string(),
+  diff_summary: import_zod.z.string().nullable()
+}).strict();
+var ItemVersionsResponseSchema = import_zod.z.object({
+  versions: import_zod.z.array(ItemVersionSchema)
+}).strict();
+var DeviceStartResponseSchema = import_zod.z.object({
+  device_code: import_zod.z.string(),
+  user_code: import_zod.z.string(),
+  verification_uri: import_zod.z.string(),
+  expires_in: import_zod.z.number().int(),
+  interval: import_zod.z.number().int()
+}).strict();
+var DevicePollPendingResponseSchema = import_zod.z.object({
+  pending: import_zod.z.literal(true),
+  retry_after: import_zod.z.number().int().optional()
+}).strict();
+var DevicePollSuccessResponseSchema = import_zod.z.object({
+  pending: import_zod.z.literal(false),
+  admin_token: import_zod.z.string(),
+  expires_at: import_zod.z.string(),
+  admin_user_id: import_zod.z.string()
+}).strict();
+var AdminUserSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  github_handle: import_zod.z.string(),
+  github_user_id: import_zod.z.string().nullable(),
+  is_root: import_zod.z.boolean(),
+  disabled_at: import_zod.z.string().nullable(),
+  created_at: import_zod.z.string(),
+  created_by: import_zod.z.string().nullable()
+}).strict();
+var AdminUsersListResponseSchema = import_zod.z.object({
+  admin_users: import_zod.z.array(AdminUserSchema)
+}).strict();
+var UsersMeResponseSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  github_handle: import_zod.z.string(),
+  is_root: import_zod.z.boolean()
+}).strict();
 
 // src/admin-api/redact.ts
 var SENSITIVE_KEYS = /* @__PURE__ */ new Set(["token", "refresh_token", "invite_token"]);
@@ -346,12 +422,23 @@ function loadAdminAuth(opts) {
 0 && (module.exports = {
   AdminApiError,
   AdminAuthFileSchema,
+  AdminUserSchema,
+  AdminUsersListResponseSchema,
+  AuthExchangeResponseSchema,
+  DevicePollPendingResponseSchema,
+  DevicePollSuccessResponseSchema,
+  DeviceStartResponseSchema,
   ErrorBodySchema,
   InviteCreatedSchema,
+  ItemSummarySchema,
+  ItemVersionSchema,
+  ItemVersionsResponseSchema,
+  ItemsListResponseSchema,
   MemberSchema,
   ProjectSchema,
   TokenIssuedSchema,
   TokenMetaSchema,
+  UsersMeResponseSchema,
   createAdminApiClient,
   loadAdminAuth,
   redactSensitive

package/dist/admin-api/index.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/admin-api/index.ts","../../src/admin-api/errors.ts","../../src/admin-api/responses.ts","../../src/admin-api/redact.ts","../../src/admin-api/client.ts","../../src/admin-api/admin-auth.ts"],"sourcesContent":["/**\n * Barrel export for admin-api module.\n * Consumed by cleargate-admin commands via cleargate/admin-api.\n */\nexport * from './client.js';\nexport * from './errors.js';\nexport * from './redact.js';\nexport * from './responses.js';\nexport * from './admin-auth.js';\n","/**\n * Typed error class for all admin API failures.\n * kind → exit code mapping lives in mcp/scripts/commands/_render-error.ts\n */\nexport class AdminApiError extends Error {\n  constructor(\n    public readonly kind:\n      | 'network'\n      | 'auth'\n      | 'forbidden'\n      | 'not_found'\n      | 'invalid_request'\n      | 'server'\n      | 'response_shape',\n    public readonly status: number | null,\n    public readonly details: unknown,\n    message: string,\n  ) {\n    super(message);\n    this.name = 'AdminApiError';\n  }\n}\n","/**\n * Vendored Zod response schemas — hand-authored from\n * mcp/src/admin-api/__snapshots__/openapi.test.ts.snap\n *\n * Snapshot drift is detected by cleargate-cli/test/admin-api/snapshot-drift.test.ts,\n * which reads the snapshot file at runtime and asserts field-set equality.\n */\nimport { z } from 'zod';\n\nexport const ProjectSchema = z\n  .object({\n    id: z.string(),\n    name: z.string(),\n    created_by: z.string(),\n    created_at: z.string(),\n    deleted_at: z.string().nullable(),\n  })\n  .strict();\n\nexport type Project = z.infer<typeof ProjectSchema>;\n\nexport const MemberSchema = z\n  .object({\n    id: z.string(),\n    project_id: z.string(),\n    email: z.string(),\n    role: z.string(),\n    display_name: z.string().nullable().optional(),\n    created_at: z.string(),\n    status: z.enum(['pending', 'active']),\n  })\n  .strict();\n\nexport type Member = z.infer<typeof MemberSchema>;\n\nexport const InviteCreatedSchema = z\n  .object({\n    member: MemberSchema,\n    invite_url: z.string(),\n    invite_token: z.string(),\n    invite_expires_in: z.number().int(),\n  })\n  .strict();\n\nexport type InviteCreated = z.infer<typeof InviteCreatedSchema>;\n\nexport const TokenMetaSchema = z\n  .object({\n    id: z.string(),\n    member_id: z.string(),\n    name: z.string(),\n    created_at: z.string(),\n    expires_at: z.string().nullable().optional(),\n    last_used_at: z.string().nullable().optional(),\n    revoked_at: z.string().nullable().optional(),\n  })\n  .strict();\n\nexport type TokenMeta = z.infer<typeof TokenMetaSchema>;\n\n// TokenIssued = TokenMeta + plaintext token field (returned exactly once)\nexport const TokenIssuedSchema = z\n  .object({\n    id: z.string(),\n    member_id: z.string(),\n    name: z.string(),\n    created_at: z.string(),\n    expires_at: z.string().nullable().optional(),\n    last_used_at: z.string().nullable().optional(),\n    revoked_at: z.string().nullable().optional(),\n    token: z.string(),\n  })\n  .strict();\n\nexport type TokenIssued = z.infer<typeof TokenIssuedSchema>;\n\nexport const ErrorBodySchema = z\n  .object({\n    error: z.string(),\n    details: z.record(z.string(), z.unknown()).optional(),\n  })\n  .strict();\n\nexport type ErrorBody = z.infer<typeof ErrorBodySchema>;\n","/**\n * Recursively replaces sensitive key values with '<redacted>'.\n * Used in debug log paths — never in success output.\n * Keys stripped: token, refresh_token, invite_token\n */\nconst SENSITIVE_KEYS = new Set(['token', 'refresh_token', 'invite_token']);\n\nexport function redactSensitive(obj: unknown): unknown {\n  if (Array.isArray(obj)) {\n    return obj.map((item) => redactSensitive(item));\n  }\n  if (obj !== null && typeof obj === 'object') {\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (SENSITIVE_KEYS.has(key)) {\n        result[key] = '<redacted>';\n      } else {\n        result[key] = redactSensitive(value);\n      }\n    }\n    return result;\n  }\n  return obj;\n}\n","/**\n * AdminApiClient — typed HTTP client for the ClearGate admin API.\n *\n * Key implementation notes:\n * - CLI method args are camelCase; wire bodies are snake_case (converted internally)\n * - DELETE requests MUST omit Content-Type (Fastify 5 FST_ERR_CTP_EMPTY_JSON_BODY)\n * - All 2xx responses are validated through vendored Zod schemas\n * - Errors map to AdminApiError with kind → exit code table in D6\n */\nimport { AdminApiError } from './errors.js';\nimport {\n  ProjectSchema,\n  InviteCreatedSchema,\n  TokenIssuedSchema,\n  type Project,\n  type InviteCreated,\n  type TokenIssued,\n} from './responses.js';\nimport { redactSensitive } from './redact.js';\n\nexport interface AdminApiClientOptions {\n  baseUrl: string;\n  token: string;\n  fetch?: typeof globalThis.fetch;\n  warn?: (msg: string) => void;\n  userAgent?: string;\n}\n\nexport interface AdminApiClient {\n  createProject(input: { name: string }): Promise<Project>;\n  inviteMember(input: {\n    projectId: string;\n    email: string;\n    role: 'user' | 'service';\n    displayName?: string;\n  }): Promise<InviteCreated>;\n  issueToken(input: {\n    projectId: string;\n    memberId: string;\n    name: string;\n    expiresAt?: string;\n  }): Promise<TokenIssued>;\n  revokeToken(input: { tokenId: string }): Promise<void>;\n}\n\nfunction defaultWarn(msg: string): void {\n  process.stderr.write(msg + '\\n');\n}\n\nclass AdminApiClientImpl implements AdminApiClient {\n  private readonly baseUrl: string;\n  private readonly token: string;\n  private readonly fetchFn: typeof globalThis.fetch;\n  private readonly warn: (msg: string) => void;\n  private readonly userAgent: string;\n\n  constructor(opts: AdminApiClientOptions) {\n    this.baseUrl = opts.baseUrl.replace(/\\/$/, '');\n    this.token = opts.token;\n    this.fetchFn = opts.fetch ?? globalThis.fetch;\n    this.warn = opts.warn ?? defaultWarn;\n    this.userAgent = opts.userAgent ?? `cleargate`;\n  }\n\n  private debugLog(method: string, path: string, status: number, body: unknown): void {\n    if (process.env['CLEARGATE_LOG_LEVEL'] === 'debug') {\n      const redacted = redactSensitive(body);\n      this.warn(`[admin-api] ${method} ${path} → ${status} ${JSON.stringify(redacted)}`);\n    }\n  }\n\n  private async request<T>(\n    method: string,\n    urlPath: string,\n    body?: Record<string, unknown>,\n  ): Promise<T> {\n    const url = `${this.baseUrl}/admin-api/v1${urlPath}`;\n    const headers: Record<string, string> = {\n      Authorization: `Bearer ${this.token}`,\n      'User-Agent': this.userAgent,\n      Accept: 'application/json',\n    };\n\n    // CRITICAL: omit Content-Type on requests without body (DELETE)\n    // Fastify 5 throws FST_ERR_CTP_EMPTY_JSON_BODY if Content-Type is set with empty body\n    if (body !== undefined) {\n      headers['Content-Type'] = 'application/json';\n    }\n\n    let response: Response;\n    try {\n      response = await this.fetchFn(url, {\n        method,\n        headers,\n        body: body !== undefined ? JSON.stringify(body) : undefined,\n      });\n    } catch (err) {\n      throw new AdminApiError(\n        'network',\n        null,\n        err,\n        `cannot reach ${this.baseUrl} (${err instanceof Error ? err.message : String(err)})`,\n      );\n    }\n\n    // Parse response body when present\n    let responseBody: unknown = null;\n    const contentType = response.headers.get('content-type') ?? '';\n    if (contentType.includes('application/json')) {\n      try {\n        responseBody = await response.json();\n      } catch {\n        responseBody = null;\n      }\n    }\n\n    this.debugLog(method, urlPath, response.status, responseBody);\n\n    // Map HTTP status to AdminApiError kinds\n    if (!response.ok) {\n      const errBody = responseBody as { error?: string; details?: unknown } | null;\n      if (response.status === 401) {\n        throw new AdminApiError('auth', 401, responseBody, 'Admin token rejected.');\n      }\n      if (response.status === 403) {\n        throw new AdminApiError('forbidden', 403, responseBody, 'Token is not admin-role.');\n      }\n      if (response.status === 404) {\n        throw new AdminApiError('not_found', 404, responseBody, 'Not found.');\n      }\n      if (response.status === 400 || response.status === 409) {\n        throw new AdminApiError(\n          'invalid_request',\n          response.status,\n          errBody?.details ?? responseBody,\n          `Invalid request: ${errBody?.error ?? 'unknown'}`,\n        );\n      }\n      if (response.status >= 500) {\n        throw new AdminApiError(\n          'server',\n          response.status,\n          responseBody,\n          `Server error ${response.status}.`,\n        );\n      }\n      throw new AdminApiError(\n        'server',\n        response.status,\n        responseBody,\n        `Unexpected status ${response.status}.`,\n      );\n    }\n\n    return responseBody as T;\n  }\n\n  async createProject(input: { name: string }): Promise<Project> {\n    const raw = await this.request<unknown>('POST', '/projects', { name: input.name });\n    const parsed = ProjectSchema.safeParse(raw);\n    if (!parsed.success) {\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async inviteMember(input: {\n    projectId: string;\n    email: string;\n    role: 'user' | 'service';\n    displayName?: string;\n  }): Promise<InviteCreated> {\n    const body: Record<string, unknown> = {\n      email: input.email,\n      role: input.role,\n    };\n    if (input.displayName !== undefined) {\n      body['display_name'] = input.displayName;\n    }\n    const raw = await this.request<unknown>(\n      'POST',\n      `/projects/${input.projectId}/members`,\n      body,\n    );\n    const parsed = InviteCreatedSchema.safeParse(raw);\n    if (!parsed.success) {\n      // Try MemberSchema in case the server returned a member-only response\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async issueToken(input: {\n    projectId: string;\n    memberId: string;\n    name: string;\n    expiresAt?: string;\n  }): Promise<TokenIssued> {\n    const body: Record<string, unknown> = {\n      member_id: input.memberId,\n      name: input.name,\n    };\n    if (input.expiresAt !== undefined) {\n      body['expires_at'] = input.expiresAt;\n    }\n    const raw = await this.request<unknown>(\n      'POST',\n      `/projects/${input.projectId}/tokens`,\n      body,\n    );\n    const parsed = TokenIssuedSchema.safeParse(raw);\n    if (!parsed.success) {\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async revokeToken(input: { tokenId: string }): Promise<void> {\n    // No body — Content-Type must be omitted (Fastify 5 CTP quirk)\n    await this.request<unknown>('DELETE', `/tokens/${input.tokenId}`, undefined);\n  }\n}\n\nexport function createAdminApiClient(opts: AdminApiClientOptions): AdminApiClient {\n  return new AdminApiClientImpl(opts);\n}\n","/**\n * Loads an admin JWT for use with cleargate-admin CLI commands.\n *\n * Load order:\n *  1. CLEARGATE_ADMIN_TOKEN env var (wins immediately — file is not read)\n *  2. ~/.cleargate/admin-auth.json (shape: { version: 1, token: string })\n *\n * DISTINCT from FileTokenStore: that file holds user profile → refresh-token maps.\n * This file holds a single admin JWT acquired out-of-band via dev-issue-token.\n */\nimport * as fs from 'node:fs';\nimport * as os from 'node:os';\nimport * as path from 'node:path';\nimport { z } from 'zod';\n\nexport const AdminAuthFileSchema = z\n  .object({\n    version: z.literal(1),\n    token: z.string().min(1),\n  })\n  .strict();\n\nexport interface LoadAdminAuthOptions {\n  env?: NodeJS.ProcessEnv;\n  filePath?: string;\n  homedir?: () => string;\n  warn?: (msg: string) => void;\n}\n\nexport interface AdminAuth {\n  token: string;\n  source: 'env' | 'file';\n}\n\nconst MISSING_TOKEN_ERROR =\n  'No admin token. Set CLEARGATE_ADMIN_TOKEN or write ~/.cleargate/admin-auth.json (chmod 600). See README §admin-jwt.';\n\nexport function loadAdminAuth(opts?: LoadAdminAuthOptions): AdminAuth {\n  const env = opts?.env ?? process.env;\n  const warn = opts?.warn ?? ((msg: string) => process.stderr.write(msg + '\\n'));\n\n  // Env wins — file is not read at all when env is set\n  const envToken = env['CLEARGATE_ADMIN_TOKEN'];\n  if (envToken) {\n    return { token: envToken, source: 'env' };\n  }\n\n  // Resolve file path\n  const homedirFn = opts?.homedir ?? os.homedir;\n  const filePath =\n    opts?.filePath ?? path.join(homedirFn(), '.cleargate', 'admin-auth.json');\n\n  // Try file\n  let raw: string;\n  try {\n    raw = fs.readFileSync(filePath, 'utf8');\n  } catch (err) {\n    if (err instanceof Error && 'code' in err && (err as NodeJS.ErrnoException).code === 'ENOENT') {\n      throw new Error(MISSING_TOKEN_ERROR);\n    }\n    throw new Error(`Failed to read admin-auth file at ${filePath}: ${String(err)}`);\n  }\n\n  // Check file permissions (warn if too permissive)\n  try {\n    const stat = fs.statSync(filePath);\n    const mode = stat.mode & 0o777;\n    if (mode & 0o077) {\n      warn(\n        `cleargate-admin: warning: ${filePath} is group/world readable (mode ${(mode).toString(8).padStart(3, '0')}). Run: chmod 600 ${filePath}`,\n      );\n    }\n  } catch {\n    // If we can't stat the file, ignore — the read already succeeded\n  }\n\n  // Parse JSON\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(raw);\n  } catch {\n    throw new Error(`Failed to parse admin-auth file at ${filePath}: invalid JSON`);\n  }\n\n  // Validate with strict schema\n  const result = AdminAuthFileSchema.safeParse(parsed);\n  if (!result.success) {\n    throw new Error(\n      `Invalid admin-auth file at ${filePath}: ${result.error.message}`,\n    );\n  }\n\n  return { token: result.data.token, source: 'file' };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACIO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YACkB,MAQA,QACA,SAChB,SACA;AACA,UAAM,OAAO;AAZG;AAQA;AACA;AAIhB,SAAK,OAAO;AAAA,EACd;AAAA,EAdkB;AAAA,EAQA;AAAA,EACA;AAMpB;;;ACdA,iBAAkB;AAEX,IAAM,gBAAgB,aAC1B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS;AAClC,CAAC,EACA,OAAO;AAIH,IAAM,eAAe,aACzB,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,YAAY,aAAE,OAAO;AAAA,EACrB,OAAO,aAAE,OAAO;AAAA,EAChB,MAAM,aAAE,OAAO;AAAA,EACf,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO;AAAA,EACrB,QAAQ,aAAE,KAAK,CAAC,WAAW,QAAQ,CAAC;AACtC,CAAC,EACA,OAAO;AAIH,IAAM,sBAAsB,aAChC,OAAO;AAAA,EACN,QAAQ;AAAA,EACR,YAAY,aAAE,OAAO;AAAA,EACrB,cAAc,aAAE,OAAO;AAAA,EACvB,mBAAmB,aAAE,OAAO,EAAE,IAAI;AACpC,CAAC,EACA,OAAO;AAIH,IAAM,kBAAkB,aAC5B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,WAAW,aAAE,OAAO;AAAA,EACpB,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC7C,CAAC,EACA,OAAO;AAKH,IAAM,oBAAoB,aAC9B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,WAAW,aAAE,OAAO;AAAA,EACpB,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,OAAO,aAAE,OAAO;AAClB,CAAC,EACA,OAAO;AAIH,IAAM,kBAAkB,aAC5B,OAAO;AAAA,EACN,OAAO,aAAE,OAAO;AAAA,EAChB,SAAS,aAAE,OAAO,aAAE,OAAO,GAAG,aAAE,QAAQ,CAAC,EAAE,SAAS;AACtD,CAAC,EACA,OAAO;;;AC5EV,IAAM,iBAAiB,oBAAI,IAAI,CAAC,SAAS,iBAAiB,cAAc,CAAC;AAElE,SAAS,gBAAgB,KAAuB;AACrD,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,CAAC,SAAS,gBAAgB,IAAI,CAAC;AAAA,EAChD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAkC,CAAC;AACzC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,GAA8B,GAAG;AACzE,UAAI,eAAe,IAAI,GAAG,GAAG;AAC3B,eAAO,GAAG,IAAI;AAAA,MAChB,OAAO;AACL,eAAO,GAAG,IAAI,gBAAgB,KAAK;AAAA,MACrC;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;ACsBA,SAAS,YAAY,KAAmB;AACtC,UAAQ,OAAO,MAAM,MAAM,IAAI;AACjC;AAEA,IAAM,qBAAN,MAAmD;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,MAA6B;AACvC,SAAK,UAAU,KAAK,QAAQ,QAAQ,OAAO,EAAE;AAC7C,SAAK,QAAQ,KAAK;AAClB,SAAK,UAAU,KAAK,SAAS,WAAW;AACxC,SAAK,OAAO,KAAK,QAAQ;AACzB,SAAK,YAAY,KAAK,aAAa;AAAA,EACrC;AAAA,EAEQ,SAAS,QAAgBA,OAAc,QAAgB,MAAqB;AAClF,QAAI,QAAQ,IAAI,qBAAqB,MAAM,SAAS;AAClD,YAAM,WAAW,gBAAgB,IAAI;AACrC,WAAK,KAAK,eAAe,MAAM,IAAIA,KAAI,WAAM,MAAM,IAAI,KAAK,UAAU,QAAQ,CAAC,EAAE;AAAA,IACnF;AAAA,EACF;AAAA,EAEA,MAAc,QACZ,QACA,SACA,MACY;AACZ,UAAM,MAAM,GAAG,KAAK,OAAO,gBAAgB,OAAO;AAClD,UAAM,UAAkC;AAAA,MACtC,eAAe,UAAU,KAAK,KAAK;AAAA,MACnC,cAAc,KAAK;AAAA,MACnB,QAAQ;AAAA,IACV;AAIA,QAAI,SAAS,QAAW;AACtB,cAAQ,cAAc,IAAI;AAAA,IAC5B;AAEA,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,KAAK,QAAQ,KAAK;AAAA,QACjC;AAAA,QACA;AAAA,QACA,MAAM,SAAS,SAAY,KAAK,UAAU,IAAI,IAAI;AAAA,MACpD,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,QACA,gBAAgB,KAAK,OAAO,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACnF;AAAA,IACF;AAGA,QAAI,eAAwB;AAC5B,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAC5D,QAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,UAAI;AACF,uBAAe,MAAM,SAAS,KAAK;AAAA,MACrC,QAAQ;AACN,uBAAe;AAAA,MACjB;AAAA,IACF;AAEA,SAAK,SAAS,QAAQ,SAAS,SAAS,QAAQ,YAAY;AAG5D,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,UAAU;AAChB,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,QAAQ,KAAK,cAAc,uBAAuB;AAAA,MAC5E;AACA,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,aAAa,KAAK,cAAc,0BAA0B;AAAA,MACpF;AACA,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,aAAa,KAAK,cAAc,YAAY;AAAA,MACtE;AACA,UAAI,SAAS,WAAW,OAAO,SAAS,WAAW,KAAK;AACtD,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT,SAAS,WAAW;AAAA,UACpB,oBAAoB,SAAS,SAAS,SAAS;AAAA,QACjD;AAAA,MACF;AACA,UAAI,SAAS,UAAU,KAAK;AAC1B,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT;AAAA,UACA,gBAAgB,SAAS,MAAM;AAAA,QACjC;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,qBAAqB,SAAS,MAAM;AAAA,MACtC;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,OAA2C;AAC7D,UAAM,MAAM,MAAM,KAAK,QAAiB,QAAQ,aAAa,EAAE,MAAM,MAAM,KAAK,CAAC;AACjF,UAAM,SAAS,cAAc,UAAU,GAAG;AAC1C,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,aAAa,OAKQ;AACzB,UAAM,OAAgC;AAAA,MACpC,OAAO,MAAM;AAAA,MACb,MAAM,MAAM;AAAA,IACd;AACA,QAAI,MAAM,gBAAgB,QAAW;AACnC,WAAK,cAAc,IAAI,MAAM;AAAA,IAC/B;AACA,UAAM,MAAM,MAAM,KAAK;AAAA,MACrB;AAAA,MACA,aAAa,MAAM,SAAS;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,SAAS,oBAAoB,UAAU,GAAG;AAChD,QAAI,CAAC,OAAO,SAAS;AAEnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,WAAW,OAKQ;AACvB,UAAM,OAAgC;AAAA,MACpC,WAAW,MAAM;AAAA,MACjB,MAAM,MAAM;AAAA,IACd;AACA,QAAI,MAAM,cAAc,QAAW;AACjC,WAAK,YAAY,IAAI,MAAM;AAAA,IAC7B;AACA,UAAM,MAAM,MAAM,KAAK;AAAA,MACrB;AAAA,MACA,aAAa,MAAM,SAAS;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,SAAS,kBAAkB,UAAU,GAAG;AAC9C,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,YAAY,OAA2C;AAE3D,UAAM,KAAK,QAAiB,UAAU,WAAW,MAAM,OAAO,IAAI,MAAS;AAAA,EAC7E;AACF;AAEO,SAAS,qBAAqB,MAA6C;AAChF,SAAO,IAAI,mBAAmB,IAAI;AACpC;;;ACtOA,SAAoB;AACpB,SAAoB;AACpB,WAAsB;AACtB,IAAAC,cAAkB;AAEX,IAAM,sBAAsB,cAChC,OAAO;AAAA,EACN,SAAS,cAAE,QAAQ,CAAC;AAAA,EACpB,OAAO,cAAE,OAAO,EAAE,IAAI,CAAC;AACzB,CAAC,EACA,OAAO;AAcV,IAAM,sBACJ;AAEK,SAAS,cAAc,MAAwC;AACpE,QAAM,MAAM,MAAM,OAAO,QAAQ;AACjC,QAAM,OAAO,MAAM,SAAS,CAAC,QAAgB,QAAQ,OAAO,MAAM,MAAM,IAAI;AAG5E,QAAM,WAAW,IAAI,uBAAuB;AAC5C,MAAI,UAAU;AACZ,WAAO,EAAE,OAAO,UAAU,QAAQ,MAAM;AAAA,EAC1C;AAGA,QAAM,YAAY,MAAM,WAAc;AACtC,QAAM,WACJ,MAAM,YAAiB,UAAK,UAAU,GAAG,cAAc,iBAAiB;AAG1E,MAAI;AACJ,MAAI;AACF,UAAS,gBAAa,UAAU,MAAM;AAAA,EACxC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,UAAU,OAAQ,IAA8B,SAAS,UAAU;AAC7F,YAAM,IAAI,MAAM,mBAAmB;AAAA,IACrC;AACA,UAAM,IAAI,MAAM,qCAAqC,QAAQ,KAAK,OAAO,GAAG,CAAC,EAAE;AAAA,EACjF;AAGA,MAAI;AACF,UAAM,OAAU,YAAS,QAAQ;AACjC,UAAM,OAAO,KAAK,OAAO;AACzB,QAAI,OAAO,IAAO;AAChB;AAAA,QACE,6BAA6B,QAAQ,kCAAmC,KAAM,SAAS,CAAC,EAAE,SAAS,GAAG,GAAG,CAAC,qBAAqB,QAAQ;AAAA,MACzI;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAGA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,UAAM,IAAI,MAAM,sCAAsC,QAAQ,gBAAgB;AAAA,EAChF;AAGA,QAAM,SAAS,oBAAoB,UAAU,MAAM;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,UAAM,IAAI;AAAA,MACR,8BAA8B,QAAQ,KAAK,OAAO,MAAM,OAAO;AAAA,IACjE;AAAA,EACF;AAEA,SAAO,EAAE,OAAO,OAAO,KAAK,OAAO,QAAQ,OAAO;AACpD;","names":["path","import_zod"]}
+{"version":3,"sources":["../../src/admin-api/index.ts","../../src/admin-api/errors.ts","../../src/admin-api/responses.ts","../../src/admin-api/redact.ts","../../src/admin-api/client.ts","../../src/admin-api/admin-auth.ts"],"sourcesContent":["/**\n * Barrel export for admin-api module.\n * Consumed by cleargate-admin commands via cleargate/admin-api.\n */\nexport * from './client.js';\nexport * from './errors.js';\nexport * from './redact.js';\nexport * from './responses.js';\nexport * from './admin-auth.js';\n","/**\n * Typed error class for all admin API failures.\n * kind → exit code mapping lives in mcp/scripts/commands/_render-error.ts\n */\nexport class AdminApiError extends Error {\n  constructor(\n    public readonly kind:\n      | 'network'\n      | 'auth'\n      | 'forbidden'\n      | 'not_found'\n      | 'invalid_request'\n      | 'server'\n      | 'response_shape',\n    public readonly status: number | null,\n    public readonly details: unknown,\n    message: string,\n  ) {\n    super(message);\n    this.name = 'AdminApiError';\n  }\n}\n","/**\n * Vendored Zod response schemas — hand-authored from\n * mcp/src/admin-api/__snapshots__/openapi.test.ts.snap\n *\n * Snapshot drift is detected by cleargate-cli/test/admin-api/snapshot-drift.test.ts,\n * which reads the snapshot file at runtime and asserts field-set equality.\n */\nimport { z } from 'zod';\n\nexport const ProjectSchema = z\n  .object({\n    id: z.string(),\n    name: z.string(),\n    created_by: z.string(),\n    created_at: z.string(),\n    deleted_at: z.string().nullable(),\n  })\n  .strict();\n\nexport type Project = z.infer<typeof ProjectSchema>;\n\nexport const MemberSchema = z\n  .object({\n    id: z.string(),\n    project_id: z.string(),\n    email: z.string(),\n    role: z.string(),\n    display_name: z.string().nullable().optional(),\n    created_at: z.string(),\n    status: z.enum(['pending', 'active', 'expired']),\n  })\n  .strict();\n\nexport type Member = z.infer<typeof MemberSchema>;\n\nexport const InviteCreatedSchema = z\n  .object({\n    member: MemberSchema,\n    invite_url: z.string(),\n    invite_token: z.string(),\n    invite_expires_in: z.number().int(),\n  })\n  .strict();\n\nexport type InviteCreated = z.infer<typeof InviteCreatedSchema>;\n\nexport const TokenMetaSchema = z\n  .object({\n    id: z.string(),\n    member_id: z.string(),\n    name: z.string(),\n    created_at: z.string(),\n    expires_at: z.string().nullable().optional(),\n    last_used_at: z.string().nullable().optional(),\n    revoked_at: z.string().nullable().optional(),\n  })\n  .strict();\n\nexport type TokenMeta = z.infer<typeof TokenMetaSchema>;\n\n// TokenIssued = TokenMeta + plaintext token field (returned exactly once)\nexport const TokenIssuedSchema = z\n  .object({\n    id: z.string(),\n    member_id: z.string(),\n    name: z.string(),\n    created_at: z.string(),\n    expires_at: z.string().nullable().optional(),\n    last_used_at: z.string().nullable().optional(),\n    revoked_at: z.string().nullable().optional(),\n    token: z.string(),\n  })\n  .strict();\n\nexport type TokenIssued = z.infer<typeof TokenIssuedSchema>;\n\nexport const AuthExchangeResponseSchema = z\n  .object({\n    admin_token: z.string(),\n    expires_at: z.string(),\n  })\n  .strict();\n\nexport type AuthExchangeResponse = z.infer<typeof AuthExchangeResponseSchema>;\n\nexport const ErrorBodySchema = z\n  .object({\n    error: z.string(),\n    details: z.record(z.string(), z.unknown()).optional(),\n  })\n  .strict();\n\nexport type ErrorBody = z.infer<typeof ErrorBodySchema>;\n\n// ── Items admin API (STORY-004-09) ───────────────────────────────────────────\n\nexport const ItemSummarySchema = z\n  .object({\n    id: z.string(),\n    cleargate_id: z.string(),\n    type: z.string(),\n    title: z.string(),\n    status: z.string(),\n    remote_id: z.string().nullable(),\n    last_pushed_at: z.string().nullable(),\n    pushed_by_member_id: z.string().nullable(),\n    version: z.number().int(),\n    updated_at: z.string(),\n    current_payload: z.record(z.string(), z.unknown()).default({}),\n  })\n  .strict();\n\nexport type ItemSummary = z.infer<typeof ItemSummarySchema>;\n\nexport const ItemsListResponseSchema = z\n  .object({\n    items: z.array(ItemSummarySchema),\n    next_cursor: z.string().nullable(),\n  })\n  .strict();\n\nexport type ItemsListResponse = z.infer<typeof ItemsListResponseSchema>;\n\nexport const ItemVersionSchema = z\n  .object({\n    version: z.number().int(),\n    pushed_by_member_id: z.string().nullable(),\n    pushed_at: z.string(),\n    status: z.string(),\n    diff_summary: z.string().nullable(),\n  })\n  .strict();\n\nexport type ItemVersion = z.infer<typeof ItemVersionSchema>;\n\nexport const ItemVersionsResponseSchema = z\n  .object({\n    versions: z.array(ItemVersionSchema),\n  })\n  .strict();\n\nexport type ItemVersionsResponse = z.infer<typeof ItemVersionsResponseSchema>;\n\n// ── Device-flow schemas (STORY-005-06) ───────────────────────────────────────\n\nexport const DeviceStartResponseSchema = z\n  .object({\n    device_code: z.string(),\n    user_code: z.string(),\n    verification_uri: z.string(),\n    expires_in: z.number().int(),\n    interval: z.number().int(),\n  })\n  .strict();\n\nexport type DeviceStartResponse = z.infer<typeof DeviceStartResponseSchema>;\n\nexport const DevicePollPendingResponseSchema = z\n  .object({\n    pending: z.literal(true),\n    retry_after: z.number().int().optional(),\n  })\n  .strict();\n\nexport type DevicePollPendingResponse = z.infer<typeof DevicePollPendingResponseSchema>;\n\nexport const DevicePollSuccessResponseSchema = z\n  .object({\n    pending: z.literal(false),\n    admin_token: z.string(),\n    expires_at: z.string(),\n    admin_user_id: z.string(),\n  })\n  .strict();\n\nexport type DevicePollSuccessResponse = z.infer<typeof DevicePollSuccessResponseSchema>;\n\n// ── Admin users API (STORY-006-09) ───────────────────────────────────────────\n\nexport const AdminUserSchema = z\n  .object({\n    id: z.string(),\n    github_handle: z.string(),\n    github_user_id: z.string().nullable(),\n    is_root: z.boolean(),\n    disabled_at: z.string().nullable(),\n    created_at: z.string(),\n    created_by: z.string().nullable(),\n  })\n  .strict();\n\nexport type AdminUser = z.infer<typeof AdminUserSchema>;\n\nexport const AdminUsersListResponseSchema = z\n  .object({\n    admin_users: z.array(AdminUserSchema),\n  })\n  .strict();\n\nexport type AdminUsersListResponse = z.infer<typeof AdminUsersListResponseSchema>;\n\nexport const UsersMeResponseSchema = z\n  .object({\n    id: z.string(),\n    github_handle: z.string(),\n    is_root: z.boolean(),\n  })\n  .strict();\n\nexport type UsersMeResponse = z.infer<typeof UsersMeResponseSchema>;\n","/**\n * Recursively replaces sensitive key values with '<redacted>'.\n * Used in debug log paths — never in success output.\n * Keys stripped: token, refresh_token, invite_token\n */\nconst SENSITIVE_KEYS = new Set(['token', 'refresh_token', 'invite_token']);\n\nexport function redactSensitive(obj: unknown): unknown {\n  if (Array.isArray(obj)) {\n    return obj.map((item) => redactSensitive(item));\n  }\n  if (obj !== null && typeof obj === 'object') {\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (SENSITIVE_KEYS.has(key)) {\n        result[key] = '<redacted>';\n      } else {\n        result[key] = redactSensitive(value);\n      }\n    }\n    return result;\n  }\n  return obj;\n}\n","/**\n * AdminApiClient — typed HTTP client for the ClearGate admin API.\n *\n * Key implementation notes:\n * - CLI method args are camelCase; wire bodies are snake_case (converted internally)\n * - DELETE requests MUST omit Content-Type (Fastify 5 FST_ERR_CTP_EMPTY_JSON_BODY)\n * - All 2xx responses are validated through vendored Zod schemas\n * - Errors map to AdminApiError with kind → exit code table in D6\n */\nimport { AdminApiError } from './errors.js';\nimport {\n  ProjectSchema,\n  InviteCreatedSchema,\n  TokenIssuedSchema,\n  type Project,\n  type InviteCreated,\n  type TokenIssued,\n} from './responses.js';\nimport { redactSensitive } from './redact.js';\n\nexport interface AdminApiClientOptions {\n  baseUrl: string;\n  token: string;\n  fetch?: typeof globalThis.fetch;\n  warn?: (msg: string) => void;\n  userAgent?: string;\n}\n\nexport interface AdminApiClient {\n  createProject(input: { name: string }): Promise<Project>;\n  inviteMember(input: {\n    projectId: string;\n    email: string;\n    role: 'user' | 'service';\n    displayName?: string;\n  }): Promise<InviteCreated>;\n  issueToken(input: {\n    projectId: string;\n    memberId: string;\n    name: string;\n    expiresAt?: string;\n  }): Promise<TokenIssued>;\n  revokeToken(input: { tokenId: string }): Promise<void>;\n}\n\nfunction defaultWarn(msg: string): void {\n  process.stderr.write(msg + '\\n');\n}\n\nclass AdminApiClientImpl implements AdminApiClient {\n  private readonly baseUrl: string;\n  private readonly token: string;\n  private readonly fetchFn: typeof globalThis.fetch;\n  private readonly warn: (msg: string) => void;\n  private readonly userAgent: string;\n\n  constructor(opts: AdminApiClientOptions) {\n    this.baseUrl = opts.baseUrl.replace(/\\/$/, '');\n    this.token = opts.token;\n    this.fetchFn = opts.fetch ?? globalThis.fetch;\n    this.warn = opts.warn ?? defaultWarn;\n    this.userAgent = opts.userAgent ?? `cleargate`;\n  }\n\n  private debugLog(method: string, path: string, status: number, body: unknown): void {\n    if (process.env['CLEARGATE_LOG_LEVEL'] === 'debug') {\n      const redacted = redactSensitive(body);\n      this.warn(`[admin-api] ${method} ${path} → ${status} ${JSON.stringify(redacted)}`);\n    }\n  }\n\n  private async request<T>(\n    method: string,\n    urlPath: string,\n    body?: Record<string, unknown>,\n  ): Promise<T> {\n    const url = `${this.baseUrl}/admin-api/v1${urlPath}`;\n    const headers: Record<string, string> = {\n      Authorization: `Bearer ${this.token}`,\n      'User-Agent': this.userAgent,\n      Accept: 'application/json',\n    };\n\n    // CRITICAL: omit Content-Type on requests without body (DELETE)\n    // Fastify 5 throws FST_ERR_CTP_EMPTY_JSON_BODY if Content-Type is set with empty body\n    if (body !== undefined) {\n      headers['Content-Type'] = 'application/json';\n    }\n\n    let response: Response;\n    try {\n      response = await this.fetchFn(url, {\n        method,\n        headers,\n        body: body !== undefined ? JSON.stringify(body) : undefined,\n      });\n    } catch (err) {\n      throw new AdminApiError(\n        'network',\n        null,\n        err,\n        `cannot reach ${this.baseUrl} (${err instanceof Error ? err.message : String(err)})`,\n      );\n    }\n\n    // Parse response body when present\n    let responseBody: unknown = null;\n    const contentType = response.headers.get('content-type') ?? '';\n    if (contentType.includes('application/json')) {\n      try {\n        responseBody = await response.json();\n      } catch {\n        responseBody = null;\n      }\n    }\n\n    this.debugLog(method, urlPath, response.status, responseBody);\n\n    // Map HTTP status to AdminApiError kinds\n    if (!response.ok) {\n      const errBody = responseBody as { error?: string; details?: unknown } | null;\n      if (response.status === 401) {\n        throw new AdminApiError('auth', 401, responseBody, 'Admin token rejected.');\n      }\n      if (response.status === 403) {\n        throw new AdminApiError('forbidden', 403, responseBody, 'Token is not admin-role.');\n      }\n      if (response.status === 404) {\n        throw new AdminApiError('not_found', 404, responseBody, 'Not found.');\n      }\n      if (response.status === 400 || response.status === 409) {\n        throw new AdminApiError(\n          'invalid_request',\n          response.status,\n          errBody?.details ?? responseBody,\n          `Invalid request: ${errBody?.error ?? 'unknown'}`,\n        );\n      }\n      if (response.status >= 500) {\n        throw new AdminApiError(\n          'server',\n          response.status,\n          responseBody,\n          `Server error ${response.status}.`,\n        );\n      }\n      throw new AdminApiError(\n        'server',\n        response.status,\n        responseBody,\n        `Unexpected status ${response.status}.`,\n      );\n    }\n\n    return responseBody as T;\n  }\n\n  async createProject(input: { name: string }): Promise<Project> {\n    const raw = await this.request<unknown>('POST', '/projects', { name: input.name });\n    const parsed = ProjectSchema.safeParse(raw);\n    if (!parsed.success) {\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async inviteMember(input: {\n    projectId: string;\n    email: string;\n    role: 'user' | 'service';\n    displayName?: string;\n  }): Promise<InviteCreated> {\n    const body: Record<string, unknown> = {\n      email: input.email,\n      role: input.role,\n    };\n    if (input.displayName !== undefined) {\n      body['display_name'] = input.displayName;\n    }\n    const raw = await this.request<unknown>(\n      'POST',\n      `/projects/${input.projectId}/members`,\n      body,\n    );\n    const parsed = InviteCreatedSchema.safeParse(raw);\n    if (!parsed.success) {\n      // Try MemberSchema in case the server returned a member-only response\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async issueToken(input: {\n    projectId: string;\n    memberId: string;\n    name: string;\n    expiresAt?: string;\n  }): Promise<TokenIssued> {\n    const body: Record<string, unknown> = {\n      member_id: input.memberId,\n      name: input.name,\n    };\n    if (input.expiresAt !== undefined) {\n      body['expires_at'] = input.expiresAt;\n    }\n    const raw = await this.request<unknown>(\n      'POST',\n      `/projects/${input.projectId}/tokens`,\n      body,\n    );\n    const parsed = TokenIssuedSchema.safeParse(raw);\n    if (!parsed.success) {\n      throw new AdminApiError(\n        'response_shape',\n        null,\n        parsed.error,\n        'Server returned unexpected response shape (CLI may be out of date).',\n      );\n    }\n    return parsed.data;\n  }\n\n  async revokeToken(input: { tokenId: string }): Promise<void> {\n    // No body — Content-Type must be omitted (Fastify 5 CTP quirk)\n    await this.request<unknown>('DELETE', `/tokens/${input.tokenId}`, undefined);\n  }\n}\n\nexport function createAdminApiClient(opts: AdminApiClientOptions): AdminApiClient {\n  return new AdminApiClientImpl(opts);\n}\n","/**\n * Loads an admin JWT for use with cleargate-admin CLI commands.\n *\n * Load order:\n *  1. CLEARGATE_ADMIN_TOKEN env var (wins immediately — file is not read)\n *  2. ~/.cleargate/admin-auth.json (shape: { version: 1, token: string })\n *\n * DISTINCT from FileTokenStore: that file holds user profile → refresh-token maps.\n * This file holds a single admin JWT acquired out-of-band via dev-issue-token.\n */\nimport * as fs from 'node:fs';\nimport * as os from 'node:os';\nimport * as path from 'node:path';\nimport { z } from 'zod';\n\nexport const AdminAuthFileSchema = z\n  .object({\n    version: z.literal(1),\n    token: z.string().min(1),\n  })\n  .strict();\n\nexport interface LoadAdminAuthOptions {\n  env?: NodeJS.ProcessEnv;\n  filePath?: string;\n  homedir?: () => string;\n  warn?: (msg: string) => void;\n}\n\nexport interface AdminAuth {\n  token: string;\n  source: 'env' | 'file';\n}\n\nconst MISSING_TOKEN_ERROR =\n  'No admin token. Set CLEARGATE_ADMIN_TOKEN or write ~/.cleargate/admin-auth.json (chmod 600). See README §admin-jwt.';\n\nexport function loadAdminAuth(opts?: LoadAdminAuthOptions): AdminAuth {\n  const env = opts?.env ?? process.env;\n  const warn = opts?.warn ?? ((msg: string) => process.stderr.write(msg + '\\n'));\n\n  // Env wins — file is not read at all when env is set\n  const envToken = env['CLEARGATE_ADMIN_TOKEN'];\n  if (envToken) {\n    return { token: envToken, source: 'env' };\n  }\n\n  // Resolve file path\n  const homedirFn = opts?.homedir ?? os.homedir;\n  const filePath =\n    opts?.filePath ?? path.join(homedirFn(), '.cleargate', 'admin-auth.json');\n\n  // Try file\n  let raw: string;\n  try {\n    raw = fs.readFileSync(filePath, 'utf8');\n  } catch (err) {\n    if (err instanceof Error && 'code' in err && (err as NodeJS.ErrnoException).code === 'ENOENT') {\n      throw new Error(MISSING_TOKEN_ERROR);\n    }\n    throw new Error(`Failed to read admin-auth file at ${filePath}: ${String(err)}`);\n  }\n\n  // Check file permissions (warn if too permissive)\n  try {\n    const stat = fs.statSync(filePath);\n    const mode = stat.mode & 0o777;\n    if (mode & 0o077) {\n      warn(\n        `cleargate-admin: warning: ${filePath} is group/world readable (mode ${(mode).toString(8).padStart(3, '0')}). Run: chmod 600 ${filePath}`,\n      );\n    }\n  } catch {\n    // If we can't stat the file, ignore — the read already succeeded\n  }\n\n  // Parse JSON\n  let parsed: unknown;\n  try {\n    parsed = JSON.parse(raw);\n  } catch {\n    throw new Error(`Failed to parse admin-auth file at ${filePath}: invalid JSON`);\n  }\n\n  // Validate with strict schema\n  const result = AdminAuthFileSchema.safeParse(parsed);\n  if (!result.success) {\n    throw new Error(\n      `Invalid admin-auth file at ${filePath}: ${result.error.message}`,\n    );\n  }\n\n  return { token: result.data.token, source: 'file' };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACIO,IAAM,gBAAN,cAA4B,MAAM;AAAA,EACvC,YACkB,MAQA,QACA,SAChB,SACA;AACA,UAAM,OAAO;AAZG;AAQA;AACA;AAIhB,SAAK,OAAO;AAAA,EACd;AAAA,EAdkB;AAAA,EAQA;AAAA,EACA;AAMpB;;;ACdA,iBAAkB;AAEX,IAAM,gBAAgB,aAC1B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS;AAClC,CAAC,EACA,OAAO;AAIH,IAAM,eAAe,aACzB,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,YAAY,aAAE,OAAO;AAAA,EACrB,OAAO,aAAE,OAAO;AAAA,EAChB,MAAM,aAAE,OAAO;AAAA,EACf,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO;AAAA,EACrB,QAAQ,aAAE,KAAK,CAAC,WAAW,UAAU,SAAS,CAAC;AACjD,CAAC,EACA,OAAO;AAIH,IAAM,sBAAsB,aAChC,OAAO;AAAA,EACN,QAAQ;AAAA,EACR,YAAY,aAAE,OAAO;AAAA,EACrB,cAAc,aAAE,OAAO;AAAA,EACvB,mBAAmB,aAAE,OAAO,EAAE,IAAI;AACpC,CAAC,EACA,OAAO;AAIH,IAAM,kBAAkB,aAC5B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,WAAW,aAAE,OAAO;AAAA,EACpB,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC7C,CAAC,EACA,OAAO;AAKH,IAAM,oBAAoB,aAC9B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,WAAW,aAAE,OAAO;AAAA,EACpB,MAAM,aAAE,OAAO;AAAA,EACf,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAc,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,OAAO,aAAE,OAAO;AAClB,CAAC,EACA,OAAO;AAIH,IAAM,6BAA6B,aACvC,OAAO;AAAA,EACN,aAAa,aAAE,OAAO;AAAA,EACtB,YAAY,aAAE,OAAO;AACvB,CAAC,EACA,OAAO;AAIH,IAAM,kBAAkB,aAC5B,OAAO;AAAA,EACN,OAAO,aAAE,OAAO;AAAA,EAChB,SAAS,aAAE,OAAO,aAAE,OAAO,GAAG,aAAE,QAAQ,CAAC,EAAE,SAAS;AACtD,CAAC,EACA,OAAO;AAMH,IAAM,oBAAoB,aAC9B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,cAAc,aAAE,OAAO;AAAA,EACvB,MAAM,aAAE,OAAO;AAAA,EACf,OAAO,aAAE,OAAO;AAAA,EAChB,QAAQ,aAAE,OAAO;AAAA,EACjB,WAAW,aAAE,OAAO,EAAE,SAAS;AAAA,EAC/B,gBAAgB,aAAE,OAAO,EAAE,SAAS;AAAA,EACpC,qBAAqB,aAAE,OAAO,EAAE,SAAS;AAAA,EACzC,SAAS,aAAE,OAAO,EAAE,IAAI;AAAA,EACxB,YAAY,aAAE,OAAO;AAAA,EACrB,iBAAiB,aAAE,OAAO,aAAE,OAAO,GAAG,aAAE,QAAQ,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC/D,CAAC,EACA,OAAO;AAIH,IAAM,0BAA0B,aACpC,OAAO;AAAA,EACN,OAAO,aAAE,MAAM,iBAAiB;AAAA,EAChC,aAAa,aAAE,OAAO,EAAE,SAAS;AACnC,CAAC,EACA,OAAO;AAIH,IAAM,oBAAoB,aAC9B,OAAO;AAAA,EACN,SAAS,aAAE,OAAO,EAAE,IAAI;AAAA,EACxB,qBAAqB,aAAE,OAAO,EAAE,SAAS;AAAA,EACzC,WAAW,aAAE,OAAO;AAAA,EACpB,QAAQ,aAAE,OAAO;AAAA,EACjB,cAAc,aAAE,OAAO,EAAE,SAAS;AACpC,CAAC,EACA,OAAO;AAIH,IAAM,6BAA6B,aACvC,OAAO;AAAA,EACN,UAAU,aAAE,MAAM,iBAAiB;AACrC,CAAC,EACA,OAAO;AAMH,IAAM,4BAA4B,aACtC,OAAO;AAAA,EACN,aAAa,aAAE,OAAO;AAAA,EACtB,WAAW,aAAE,OAAO;AAAA,EACpB,kBAAkB,aAAE,OAAO;AAAA,EAC3B,YAAY,aAAE,OAAO,EAAE,IAAI;AAAA,EAC3B,UAAU,aAAE,OAAO,EAAE,IAAI;AAC3B,CAAC,EACA,OAAO;AAIH,IAAM,kCAAkC,aAC5C,OAAO;AAAA,EACN,SAAS,aAAE,QAAQ,IAAI;AAAA,EACvB,aAAa,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AACzC,CAAC,EACA,OAAO;AAIH,IAAM,kCAAkC,aAC5C,OAAO;AAAA,EACN,SAAS,aAAE,QAAQ,KAAK;AAAA,EACxB,aAAa,aAAE,OAAO;AAAA,EACtB,YAAY,aAAE,OAAO;AAAA,EACrB,eAAe,aAAE,OAAO;AAC1B,CAAC,EACA,OAAO;AAMH,IAAM,kBAAkB,aAC5B,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,eAAe,aAAE,OAAO;AAAA,EACxB,gBAAgB,aAAE,OAAO,EAAE,SAAS;AAAA,EACpC,SAAS,aAAE,QAAQ;AAAA,EACnB,aAAa,aAAE,OAAO,EAAE,SAAS;AAAA,EACjC,YAAY,aAAE,OAAO;AAAA,EACrB,YAAY,aAAE,OAAO,EAAE,SAAS;AAClC,CAAC,EACA,OAAO;AAIH,IAAM,+BAA+B,aACzC,OAAO;AAAA,EACN,aAAa,aAAE,MAAM,eAAe;AACtC,CAAC,EACA,OAAO;AAIH,IAAM,wBAAwB,aAClC,OAAO;AAAA,EACN,IAAI,aAAE,OAAO;AAAA,EACb,eAAe,aAAE,OAAO;AAAA,EACxB,SAAS,aAAE,QAAQ;AACrB,CAAC,EACA,OAAO;;;AC1MV,IAAM,iBAAiB,oBAAI,IAAI,CAAC,SAAS,iBAAiB,cAAc,CAAC;AAElE,SAAS,gBAAgB,KAAuB;AACrD,MAAI,MAAM,QAAQ,GAAG,GAAG;AACtB,WAAO,IAAI,IAAI,CAAC,SAAS,gBAAgB,IAAI,CAAC;AAAA,EAChD;AACA,MAAI,QAAQ,QAAQ,OAAO,QAAQ,UAAU;AAC3C,UAAM,SAAkC,CAAC;AACzC,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,GAA8B,GAAG;AACzE,UAAI,eAAe,IAAI,GAAG,GAAG;AAC3B,eAAO,GAAG,IAAI;AAAA,MAChB,OAAO;AACL,eAAO,GAAG,IAAI,gBAAgB,KAAK;AAAA,MACrC;AAAA,IACF;AACA,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;ACsBA,SAAS,YAAY,KAAmB;AACtC,UAAQ,OAAO,MAAM,MAAM,IAAI;AACjC;AAEA,IAAM,qBAAN,MAAmD;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEjB,YAAY,MAA6B;AACvC,SAAK,UAAU,KAAK,QAAQ,QAAQ,OAAO,EAAE;AAC7C,SAAK,QAAQ,KAAK;AAClB,SAAK,UAAU,KAAK,SAAS,WAAW;AACxC,SAAK,OAAO,KAAK,QAAQ;AACzB,SAAK,YAAY,KAAK,aAAa;AAAA,EACrC;AAAA,EAEQ,SAAS,QAAgBA,OAAc,QAAgB,MAAqB;AAClF,QAAI,QAAQ,IAAI,qBAAqB,MAAM,SAAS;AAClD,YAAM,WAAW,gBAAgB,IAAI;AACrC,WAAK,KAAK,eAAe,MAAM,IAAIA,KAAI,WAAM,MAAM,IAAI,KAAK,UAAU,QAAQ,CAAC,EAAE;AAAA,IACnF;AAAA,EACF;AAAA,EAEA,MAAc,QACZ,QACA,SACA,MACY;AACZ,UAAM,MAAM,GAAG,KAAK,OAAO,gBAAgB,OAAO;AAClD,UAAM,UAAkC;AAAA,MACtC,eAAe,UAAU,KAAK,KAAK;AAAA,MACnC,cAAc,KAAK;AAAA,MACnB,QAAQ;AAAA,IACV;AAIA,QAAI,SAAS,QAAW;AACtB,cAAQ,cAAc,IAAI;AAAA,IAC5B;AAEA,QAAI;AACJ,QAAI;AACF,iBAAW,MAAM,KAAK,QAAQ,KAAK;AAAA,QACjC;AAAA,QACA;AAAA,QACA,MAAM,SAAS,SAAY,KAAK,UAAU,IAAI,IAAI;AAAA,MACpD,CAAC;AAAA,IACH,SAAS,KAAK;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,QACA,gBAAgB,KAAK,OAAO,KAAK,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MACnF;AAAA,IACF;AAGA,QAAI,eAAwB;AAC5B,UAAM,cAAc,SAAS,QAAQ,IAAI,cAAc,KAAK;AAC5D,QAAI,YAAY,SAAS,kBAAkB,GAAG;AAC5C,UAAI;AACF,uBAAe,MAAM,SAAS,KAAK;AAAA,MACrC,QAAQ;AACN,uBAAe;AAAA,MACjB;AAAA,IACF;AAEA,SAAK,SAAS,QAAQ,SAAS,SAAS,QAAQ,YAAY;AAG5D,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,UAAU;AAChB,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,QAAQ,KAAK,cAAc,uBAAuB;AAAA,MAC5E;AACA,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,aAAa,KAAK,cAAc,0BAA0B;AAAA,MACpF;AACA,UAAI,SAAS,WAAW,KAAK;AAC3B,cAAM,IAAI,cAAc,aAAa,KAAK,cAAc,YAAY;AAAA,MACtE;AACA,UAAI,SAAS,WAAW,OAAO,SAAS,WAAW,KAAK;AACtD,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT,SAAS,WAAW;AAAA,UACpB,oBAAoB,SAAS,SAAS,SAAS;AAAA,QACjD;AAAA,MACF;AACA,UAAI,SAAS,UAAU,KAAK;AAC1B,cAAM,IAAI;AAAA,UACR;AAAA,UACA,SAAS;AAAA,UACT;AAAA,UACA,gBAAgB,SAAS,MAAM;AAAA,QACjC;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR;AAAA,QACA,SAAS;AAAA,QACT;AAAA,QACA,qBAAqB,SAAS,MAAM;AAAA,MACtC;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,cAAc,OAA2C;AAC7D,UAAM,MAAM,MAAM,KAAK,QAAiB,QAAQ,aAAa,EAAE,MAAM,MAAM,KAAK,CAAC;AACjF,UAAM,SAAS,cAAc,UAAU,GAAG;AAC1C,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,aAAa,OAKQ;AACzB,UAAM,OAAgC;AAAA,MACpC,OAAO,MAAM;AAAA,MACb,MAAM,MAAM;AAAA,IACd;AACA,QAAI,MAAM,gBAAgB,QAAW;AACnC,WAAK,cAAc,IAAI,MAAM;AAAA,IAC/B;AACA,UAAM,MAAM,MAAM,KAAK;AAAA,MACrB;AAAA,MACA,aAAa,MAAM,SAAS;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,SAAS,oBAAoB,UAAU,GAAG;AAChD,QAAI,CAAC,OAAO,SAAS;AAEnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,WAAW,OAKQ;AACvB,UAAM,OAAgC;AAAA,MACpC,WAAW,MAAM;AAAA,MACjB,MAAM,MAAM;AAAA,IACd;AACA,QAAI,MAAM,cAAc,QAAW;AACjC,WAAK,YAAY,IAAI,MAAM;AAAA,IAC7B;AACA,UAAM,MAAM,MAAM,KAAK;AAAA,MACrB;AAAA,MACA,aAAa,MAAM,SAAS;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,SAAS,kBAAkB,UAAU,GAAG;AAC9C,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,OAAO;AAAA,QACP;AAAA,MACF;AAAA,IACF;AACA,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,MAAM,YAAY,OAA2C;AAE3D,UAAM,KAAK,QAAiB,UAAU,WAAW,MAAM,OAAO,IAAI,MAAS;AAAA,EAC7E;AACF;AAEO,SAAS,qBAAqB,MAA6C;AAChF,SAAO,IAAI,mBAAmB,IAAI;AACpC;;;ACtOA,SAAoB;AACpB,SAAoB;AACpB,WAAsB;AACtB,IAAAC,cAAkB;AAEX,IAAM,sBAAsB,cAChC,OAAO;AAAA,EACN,SAAS,cAAE,QAAQ,CAAC;AAAA,EACpB,OAAO,cAAE,OAAO,EAAE,IAAI,CAAC;AACzB,CAAC,EACA,OAAO;AAcV,IAAM,sBACJ;AAEK,SAAS,cAAc,MAAwC;AACpE,QAAM,MAAM,MAAM,OAAO,QAAQ;AACjC,QAAM,OAAO,MAAM,SAAS,CAAC,QAAgB,QAAQ,OAAO,MAAM,MAAM,IAAI;AAG5E,QAAM,WAAW,IAAI,uBAAuB;AAC5C,MAAI,UAAU;AACZ,WAAO,EAAE,OAAO,UAAU,QAAQ,MAAM;AAAA,EAC1C;AAGA,QAAM,YAAY,MAAM,WAAc;AACtC,QAAM,WACJ,MAAM,YAAiB,UAAK,UAAU,GAAG,cAAc,iBAAiB;AAG1E,MAAI;AACJ,MAAI;AACF,UAAS,gBAAa,UAAU,MAAM;AAAA,EACxC,SAAS,KAAK;AACZ,QAAI,eAAe,SAAS,UAAU,OAAQ,IAA8B,SAAS,UAAU;AAC7F,YAAM,IAAI,MAAM,mBAAmB;AAAA,IACrC;AACA,UAAM,IAAI,MAAM,qCAAqC,QAAQ,KAAK,OAAO,GAAG,CAAC,EAAE;AAAA,EACjF;AAGA,MAAI;AACF,UAAM,OAAU,YAAS,QAAQ;AACjC,UAAM,OAAO,KAAK,OAAO;AACzB,QAAI,OAAO,IAAO;AAChB;AAAA,QACE,6BAA6B,QAAQ,kCAAmC,KAAM,SAAS,CAAC,EAAE,SAAS,GAAG,GAAG,CAAC,qBAAqB,QAAQ;AAAA,MACzI;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAGA,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,GAAG;AAAA,EACzB,QAAQ;AACN,UAAM,IAAI,MAAM,sCAAsC,QAAQ,gBAAgB;AAAA,EAChF;AAGA,QAAM,SAAS,oBAAoB,UAAU,MAAM;AACnD,MAAI,CAAC,OAAO,SAAS;AACnB,UAAM,IAAI;AAAA,MACR,8BAA8B,QAAQ,KAAK,OAAO,MAAM,OAAO;AAAA,IACjE;AAAA,EACF;AAEA,SAAO,EAAE,OAAO,OAAO,KAAK,OAAO,QAAQ,OAAO;AACpD;","names":["path","import_zod"]}

package/dist/admin-api/index.d.cts

@@ -26,6 +26,7 @@ declare const MemberSchema: z.ZodObject<{
     status: z.ZodEnum<{
         pending: "pending";
         active: "active";
+        expired: "expired";
     }>;
 }, z.core.$strict>;
 type Member = z.infer<typeof MemberSchema>;
@@ -40,6 +41,7 @@ declare const InviteCreatedSchema: z.ZodObject<{
         status: z.ZodEnum<{
             pending: "pending";
             active: "active";
+            expired: "expired";
         }>;
     }, z.core.$strict>;
     invite_url: z.ZodString;
@@ -68,11 +70,113 @@ declare const TokenIssuedSchema: z.ZodObject<{
     token: z.ZodString;
 }, z.core.$strict>;
 type TokenIssued = z.infer<typeof TokenIssuedSchema>;
+declare const AuthExchangeResponseSchema: z.ZodObject<{
+    admin_token: z.ZodString;
+    expires_at: z.ZodString;
+}, z.core.$strict>;
+type AuthExchangeResponse = z.infer<typeof AuthExchangeResponseSchema>;
 declare const ErrorBodySchema: z.ZodObject<{
     error: z.ZodString;
     details: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
 }, z.core.$strict>;
 type ErrorBody = z.infer<typeof ErrorBodySchema>;
+declare const ItemSummarySchema: z.ZodObject<{
+    id: z.ZodString;
+    cleargate_id: z.ZodString;
+    type: z.ZodString;
+    title: z.ZodString;
+    status: z.ZodString;
+    remote_id: z.ZodNullable<z.ZodString>;
+    last_pushed_at: z.ZodNullable<z.ZodString>;
+    pushed_by_member_id: z.ZodNullable<z.ZodString>;
+    version: z.ZodNumber;
+    updated_at: z.ZodString;
+    current_payload: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+type ItemSummary = z.infer<typeof ItemSummarySchema>;
+declare const ItemsListResponseSchema: z.ZodObject<{
+    items: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        cleargate_id: z.ZodString;
+        type: z.ZodString;
+        title: z.ZodString;
+        status: z.ZodString;
+        remote_id: z.ZodNullable<z.ZodString>;
+        last_pushed_at: z.ZodNullable<z.ZodString>;
+        pushed_by_member_id: z.ZodNullable<z.ZodString>;
+        version: z.ZodNumber;
+        updated_at: z.ZodString;
+        current_payload: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, z.core.$strict>>;
+    next_cursor: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+type ItemsListResponse = z.infer<typeof ItemsListResponseSchema>;
+declare const ItemVersionSchema: z.ZodObject<{
+    version: z.ZodNumber;
+    pushed_by_member_id: z.ZodNullable<z.ZodString>;
+    pushed_at: z.ZodString;
+    status: z.ZodString;
+    diff_summary: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+type ItemVersion = z.infer<typeof ItemVersionSchema>;
+declare const ItemVersionsResponseSchema: z.ZodObject<{
+    versions: z.ZodArray<z.ZodObject<{
+        version: z.ZodNumber;
+        pushed_by_member_id: z.ZodNullable<z.ZodString>;
+        pushed_at: z.ZodString;
+        status: z.ZodString;
+        diff_summary: z.ZodNullable<z.ZodString>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+type ItemVersionsResponse = z.infer<typeof ItemVersionsResponseSchema>;
+declare const DeviceStartResponseSchema: z.ZodObject<{
+    device_code: z.ZodString;
+    user_code: z.ZodString;
+    verification_uri: z.ZodString;
+    expires_in: z.ZodNumber;
+    interval: z.ZodNumber;
+}, z.core.$strict>;
+type DeviceStartResponse = z.infer<typeof DeviceStartResponseSchema>;
+declare const DevicePollPendingResponseSchema: z.ZodObject<{
+    pending: z.ZodLiteral<true>;
+    retry_after: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>;
+type DevicePollPendingResponse = z.infer<typeof DevicePollPendingResponseSchema>;
+declare const DevicePollSuccessResponseSchema: z.ZodObject<{
+    pending: z.ZodLiteral<false>;
+    admin_token: z.ZodString;
+    expires_at: z.ZodString;
+    admin_user_id: z.ZodString;
+}, z.core.$strict>;
+type DevicePollSuccessResponse = z.infer<typeof DevicePollSuccessResponseSchema>;
+declare const AdminUserSchema: z.ZodObject<{
+    id: z.ZodString;
+    github_handle: z.ZodString;
+    github_user_id: z.ZodNullable<z.ZodString>;
+    is_root: z.ZodBoolean;
+    disabled_at: z.ZodNullable<z.ZodString>;
+    created_at: z.ZodString;
+    created_by: z.ZodNullable<z.ZodString>;
+}, z.core.$strict>;
+type AdminUser = z.infer<typeof AdminUserSchema>;
+declare const AdminUsersListResponseSchema: z.ZodObject<{
+    admin_users: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        github_handle: z.ZodString;
+        github_user_id: z.ZodNullable<z.ZodString>;
+        is_root: z.ZodBoolean;
+        disabled_at: z.ZodNullable<z.ZodString>;
+        created_at: z.ZodString;
+        created_by: z.ZodNullable<z.ZodString>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+type AdminUsersListResponse = z.infer<typeof AdminUsersListResponseSchema>;
+declare const UsersMeResponseSchema: z.ZodObject<{
+    id: z.ZodString;
+    github_handle: z.ZodString;
+    is_root: z.ZodBoolean;
+}, z.core.$strict>;
+type UsersMeResponse = z.infer<typeof UsersMeResponseSchema>;
 
 interface AdminApiClientOptions {
     baseUrl: string;
@@ -132,4 +236,4 @@ interface AdminAuth {
 }
 declare function loadAdminAuth(opts?: LoadAdminAuthOptions): AdminAuth;
 
-export { type AdminApiClient, type AdminApiClientOptions, AdminApiError, type AdminAuth, AdminAuthFileSchema, type ErrorBody, ErrorBodySchema, type InviteCreated, InviteCreatedSchema, type LoadAdminAuthOptions, type Member, MemberSchema, type Project, ProjectSchema, type TokenIssued, TokenIssuedSchema, type TokenMeta, TokenMetaSchema, createAdminApiClient, loadAdminAuth, redactSensitive };
+export { type AdminApiClient, type AdminApiClientOptions, AdminApiError, type AdminAuth, AdminAuthFileSchema, type AdminUser, AdminUserSchema, type AdminUsersListResponse, AdminUsersListResponseSchema, type AuthExchangeResponse, AuthExchangeResponseSchema, type DevicePollPendingResponse, DevicePollPendingResponseSchema, type DevicePollSuccessResponse, DevicePollSuccessResponseSchema, type DeviceStartResponse, DeviceStartResponseSchema, type ErrorBody, ErrorBodySchema, type InviteCreated, InviteCreatedSchema, type ItemSummary, ItemSummarySchema, type ItemVersion, ItemVersionSchema, type ItemVersionsResponse, ItemVersionsResponseSchema, type ItemsListResponse, ItemsListResponseSchema, type LoadAdminAuthOptions, type Member, MemberSchema, type Project, ProjectSchema, type TokenIssued, TokenIssuedSchema, type TokenMeta, TokenMetaSchema, type UsersMeResponse, UsersMeResponseSchema, createAdminApiClient, loadAdminAuth, redactSensitive };