openapi: 3.0.3
info:
  title: KubeDB Platform API
  description: 'REST API for the KubeDB Platform. Provides identity
    (users, organizations, teams, authentication) plus multi-cluster Kubernetes management, licensing,
    and billing.


    All routes are served under the `/api/v1` prefix unless otherwise noted. The marketplace webhook service
    is a separate listener rooted at `/marketplace/api/v1`.


    ## Authentication

    Most endpoints require a token. Supply it as either an HTTP header `Authorization: token <PAT>` (`AuthorizationHeaderToken`),
    or as a `token`/`access_token` query parameter. Token-management endpoints accept HTTP Basic auth
    (optionally with a TOTP one-time password). The web console uses a session cookie. Site admins may
    impersonate a user with the `sudo` query parameter or `Sudo` header.


    ## Path parameters

    - `owner` — organization or user that owns a cluster (org slug or username).

    - `cluster` — cluster name within the owner scope.


    ## Kubernetes passthrough

    Endpoints under `/clusters/{owner}/{cluster}/proxy/...` and the Helm/editor endpoints accept and return
    arbitrary Kubernetes objects. Their bodies are documented as the generic `K8sObject` schema (a free-form
    JSON object) rather than the full upstream Kubernetes schemas.'
  version: 1.1.1
  license:
    name: MIT
    url: http://opensource.org/licenses/MIT
servers:
- url: https://{host}/api/v1
  description: KubeDB Platform API server
  variables:
    host:
      default: appscode.com
      description: Deployment host
- url: https://{host}/marketplace/api/v1
  description: Marketplace webhook service (separate listener)
  variables:
    host:
      default: appscode.com
      description: Deployment host
security:
- AuthorizationHeaderToken: []
- Token: []
- AccessToken: []
tags:
- name: Identity - Users & Settings
- name: Identity - Organizations & Teams
- name: Administration
- name: Authorization
- name: Cluster Management v1
- name: Kubernetes Proxy
- name: Helm
- name: Cluster Management v2
- name: Multi-cluster (OCM)
- name: Client Organizations
- name: Cloud Providers
- name: Platform Installer
- name: Platform Upgrade
- name: Licensing & Contracts
- name: Billing Dashboard
- name: Marketplace
- name: Monitoring & Telemetry
- name: Rancher
- name: Chart Repositories
- name: Miscellaneous
paths:
  /users/search:
    get:
      tags:
      - Identity - Users & Settings
      summary: Search for users
      operationId: users_Search
      security: []
      parameters:
      - name: q
        in: query
        required: false
        description: Keyword to search for.
        schema:
          type: string
      - name: uid
        in: query
        required: false
        description: ID of the user to search for.
        schema:
          type: integer
          format: int64
      - name: limit
        in: query
        required: false
        description: Maximum number of users to return.
        schema:
          type: integer
      responses:
        '200':
          description: Search results wrapper with an `ok` flag and a `data` list of users.
          content:
            application/json:
              schema:
                type: object
                properties:
                  ok:
                    type: boolean
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/User'
  /users/{username}:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get a user by username
      operationId: users_GetInfo
      security: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '200':
          description: The requested user.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '404':
          $ref: '#/components/responses/NotFound'
  /users/{username}/tokens:
    get:
      tags:
      - Identity - Users & Settings
      summary: List a user's access tokens
      operationId: users_ListAccessTokens
      description: Requires basic authentication. Tokens are always for the authenticated user.
      security:
      - BasicAuth: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '200':
          description: List of access tokens.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/AccessToken'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Create an access token for a user
      operationId: users_CreateAccessToken
      description: Requires basic authentication. Creates a token for the authenticated user.
      security:
      - BasicAuth: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateAccessTokenOption'
      responses:
        '201':
          description: The created access token (includes the plaintext token value).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessToken'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /users/{username}/tokens/{id}:
    delete:
      tags:
      - Identity - Users & Settings
      summary: Delete a user's access token
      operationId: users_DeleteAccessToken
      description: Requires basic authentication. Deletes a token of the authenticated user.
      security:
      - BasicAuth: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      - name: id
        in: path
        required: true
        description: ID of the access token to delete.
        schema:
          type: integer
          format: int64
      responses:
        '204':
          description: Access token deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /users/{username}/followers:
    get:
      tags:
      - Identity - Users & Settings
      summary: List a user's followers
      operationId: users_ListFollowers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      - $ref: '#/components/parameters/pageParam'
      responses:
        '200':
          description: List of followers.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /users/{username}/following:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the users a given user is following
      operationId: users_ListFollowing
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      - $ref: '#/components/parameters/pageParam'
      responses:
        '200':
          description: List of followed users.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /users/{username}/following/{target}:
    get:
      tags:
      - Identity - Users & Settings
      summary: Check if one user follows another
      operationId: users_CheckFollowing
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      - name: target
        in: path
        required: true
        description: Username of the possibly-followed user.
        schema:
          type: string
      responses:
        '204':
          description: The follower is following the target user.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /users/{username}/orgs:
    get:
      tags:
      - Identity - Users & Settings
      summary: List a user's organizations
      operationId: users_ListUserOrgs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '200':
          description: List of organizations the user belongs to.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Organization'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/signin:
    post:
      tags:
      - Identity - Users & Settings
      summary: Sign in with username and password
      operationId: users_SignIn
      description: 'Public sign-in endpoint. On success sets session/CSRF/NATS cookies and returns 200
        with no body. Users enrolled in 2FA cannot sign in through this endpoint (405).

        '
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SignInParams'
      responses:
        '200':
          description: Signed in successfully (session cookies set).
        '404':
          description: User does not exist.
        '405':
          description: Login prohibited, user inactive, or 2FA enabled.
        '409':
          description: Email already in use.
        '422':
          $ref: '#/components/responses/ValidationError'
  /user:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get the authenticated user
      operationId: users_GetAuthenticatedUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: check_client_org
        in: query
        required: false
        description: When "true", populate the clientOrgUser field on the response.
        schema:
          type: string
      responses:
        '200':
          description: The authenticated user.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/firebase-token:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get a Firebase custom token for the authenticated user
      operationId: users_GetFirebaseToken
      description: Only registered when the deployment is AppsCode-hosted.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Firebase custom token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/FirebaseToken'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/nats/credentials:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get the authenticated user's NATS credentials
      operationId: users_GetNatsCredentials
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: NATS endpoints and credential bytes for the primary NATS user.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/NatsCredentialsResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/nats/admin_credentials:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get NATS admin credentials
      operationId: users_GetNatsAdminCredentials
      description: Requires site-admin. Response body is deployment-specific; modeled as an opaque object.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: NATS admin credentials (opaque object).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/nats/user_credentials:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get NATS user credentials
      operationId: users_GetNatsUserCredentials
      description: Requires site-admin. Response body is deployment-specific; modeled as an opaque object.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: NATS user credentials (opaque object).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/nats/cluster-resource-history:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get cluster resource history from NATS
      operationId: users_GetClusterResourceHistoryFromNats
      description: Requires site-admin. Response body is deployment-specific; modeled as an opaque object.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Cluster resource history (opaque object).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/signout:
    get:
      tags:
      - Identity - Users & Settings
      summary: Sign out the authenticated user
      operationId: users_SignOut
      description: Clears session and auth cookies. Returns 200 with no body.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Signed out (cookies cleared).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/emails:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's email addresses
      operationId: users_ListEmails
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of email addresses.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Email'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Add email addresses
      operationId: users_AddEmail
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateEmailOption'
      responses:
        '201':
          description: The updated list of email addresses.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Email'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
    delete:
      tags:
      - Identity - Users & Settings
      summary: Delete email addresses
      operationId: users_DeleteEmail
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DeleteEmailOption'
      responses:
        '204':
          description: Email addresses deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/followers:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's followers
      operationId: users_ListMyFollowers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/pageParam'
      responses:
        '200':
          description: List of followers.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/following:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the users the authenticated user is following
      operationId: users_ListMyFollowing
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/pageParam'
      responses:
        '200':
          description: List of followed users.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/following/{username}:
    get:
      tags:
      - Identity - Users & Settings
      summary: Check whether the authenticated user follows a user
      operationId: users_CheckMyFollowing
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: The authenticated user is following this user.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      tags:
      - Identity - Users & Settings
      summary: Follow a user
      operationId: users_Follow
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: User followed.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      tags:
      - Identity - Users & Settings
      summary: Unfollow a user
      operationId: users_Unfollow
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: User unfollowed.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/clusters:
    get:
      tags:
      - Identity - Users & Settings
      summary: List clusters the authenticated user owns or can access
      operationId: users_ListUserClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: all
        in: query
        required: false
        description: When "true", include clusters the user has access to (not just owned).
        schema:
          type: string
      responses:
        '200':
          description: List of clusters.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/validate/username:
    post:
      tags:
      - Identity - Users & Settings
      summary: Validate username availability
      operationId: users_ValidateUserName
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: user_name
        in: query
        required: false
        description: Username to validate.
        schema:
          type: string
      responses:
        '200':
          description: Validation result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Validation'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/validate/orgname:
    post:
      tags:
      - Identity - Users & Settings
      summary: Validate organization name availability
      operationId: users_ValidateOrgName
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: org
        in: query
        required: false
        description: Existing organization name (when renaming).
        schema:
          type: string
      - name: user_name
        in: query
        required: false
        description: Proposed organization name to validate.
        schema:
          type: string
      responses:
        '200':
          description: Validation result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Validation'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/validate/email:
    post:
      tags:
      - Identity - Users & Settings
      summary: Validate email availability
      operationId: users_ValidateEmail
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: email
        in: query
        required: false
        description: Email address to validate.
        schema:
          type: string
      responses:
        '200':
          description: Validation result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Validation'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/teams:
    get:
      tags:
      - Identity - Users & Settings
      summary: List all teams the authenticated user belongs to
      operationId: users_ListUserTeams
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of teams.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Team'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/credentials:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's cloud credentials
      operationId: users_ListUserCloudCredentials
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: credential_type
        in: query
        required: false
        description: Filter by one or more credential types.
        schema:
          type: array
          items:
            type: string
      - name: rancher_endpoint
        in: query
        required: false
        description: For Rancher credentials, only return those matching this endpoint.
        schema:
          type: string
      responses:
        '200':
          description: List of cloud credentials.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/CloudCredentialApiForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Create a cloud credential for the authenticated user
      operationId: users_CreateUserCloudCredential
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
        description: cloudv1alpha1.CredentialSpec (Kubernetes-style object).
      responses:
        '201':
          description: Cloud credential created (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
    put:
      tags:
      - Identity - Users & Settings
      summary: Update a cloud credential for the authenticated user
      operationId: users_UpdateCloudCredentials
      description: Registered at path "/user/credentials/" (trailing slash).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
        description: cloudv1alpha1.CredentialSpec (Kubernetes-style object).
      responses:
        '204':
          description: Cloud credential updated (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/credentials/{credName}:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get a cloud credential by name
      operationId: users_GetUserCloudCredential
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: credName
        in: path
        required: true
        description: Name of the cloud credential.
        schema:
          type: string
      responses:
        '200':
          description: The requested cloud credential.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CloudCredentialApiForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      tags:
      - Identity - Users & Settings
      summary: Delete a cloud credential by name
      operationId: users_DeleteCloudCredential
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: credName
        in: path
        required: true
        description: Name of the cloud credential.
        schema:
          type: string
      responses:
        '204':
          description: Cloud credential deleted (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/clouds/{cloud}/buckets:
    get:
      tags:
      - Identity - Users & Settings
      summary: List storage buckets for a cloud
      operationId: users_ListBuckets
      description: 'Bound to a JSON body (BucketListOptions) despite being a GET. Either a cloud credential
        or a secret namespace + name must be provided, plus a cluster UID.

        '
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cloud
        in: path
        required: true
        description: Cloud provider identifier.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BucketListOptions'
      responses:
        '200':
          description: List of bucket names.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BucketListResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/profile:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get the authenticated user's profile
      operationId: users_GetUserProfile
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: The user profile.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Profile'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Update the authenticated user's profile
      operationId: users_UpdateUserProfile
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Profile'
      responses:
        '200':
          description: The updated profile.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Profile'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/avatar:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get the authenticated user's avatar settings
      operationId: users_GetUserAvatar
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: The avatar settings.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AvatarParams'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Update the authenticated user's avatar
      operationId: users_UpdateUserAvatar
      description: Accepts multipart/form-data (AvatarParams).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/AvatarParams'
      responses:
        '200':
          description: Avatar updated (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/avatar/delete:
    post:
      tags:
      - Identity - Users & Settings
      summary: Delete the authenticated user's avatar
      operationId: users_DeleteUserAvatar
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Avatar deleted (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/account/password:
    post:
      tags:
      - Identity - Users & Settings
      summary: Update the authenticated user's password
      operationId: users_UpdatePassword
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdatePasswordParams'
      responses:
        '200':
          description: Password updated (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/account/email:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get the authenticated user's email addresses
      operationId: users_GetEmailAddresses
      description: Returns the raw models.EmailAddress records (modeled as an opaque object).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of email address records.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Add or make primary an email address
      operationId: users_UpdateEmail
      description: 'With query "_method=PRIMARY" and "id", makes an existing email primary. Otherwise
        adds the email in the body. Returns 200 (with or without a string body).

        '
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: _method
        in: query
        required: false
        description: Set to "PRIMARY" to mark an existing email as primary.
        schema:
          type: string
      - name: id
        in: query
        required: false
        description: Email address ID (used with _method=PRIMARY).
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AddEmailParams'
      responses:
        '200':
          description: Email added or made primary.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/account/email/delete:
    post:
      tags:
      - Identity - Users & Settings
      summary: Delete an email address
      operationId: users_DeleteEmailSetting
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: query
        required: false
        description: ID of the email address to delete.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Email address deleted (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/account/delete:
    post:
      tags:
      - Identity - Users & Settings
      summary: Delete the authenticated user's account
      operationId: users_DeleteAccount
      description: Requires the current password (query param "password"). Signs the user out on success.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: password
        in: query
        required: false
        description: Current password for confirmation.
        schema:
          type: string
      responses:
        '200':
          description: Account deleted and user signed out.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/pagination:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get the authenticated user's pagination settings
      operationId: users_GetUserPagination
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: The user's pagination settings.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Pagination'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Update the authenticated user's pagination settings
      operationId: users_UpdateUserPagination
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Pagination'
      responses:
        '200':
          description: The updated pagination settings.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Pagination'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/security/:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get two-factor authentication status
      operationId: users_GetTwoFactorStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Two-factor enrollment status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TwoFAStatus'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/security/twofa/enroll:
    get:
      tags:
      - Identity - Users & Settings
      summary: Begin two-factor enrollment (generate secret and QR)
      operationId: users_EnrollTwoFactor
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: TOTP secret and QR image URL.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Security'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Complete two-factor enrollment
      operationId: users_EnrollTwoFactorPost
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TwoFactorAuthParams'
      responses:
        '200':
          description: Scratch token string.
          content:
            application/json:
              schema:
                type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/security/twofa/regenerate_scratch:
    post:
      tags:
      - Identity - Users & Settings
      summary: Regenerate the two-factor scratch token
      operationId: users_RegenerateScratchToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: New scratch token string.
          content:
            application/json:
              schema:
                type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/security/twofa/disable:
    post:
      tags:
      - Identity - Users & Settings
      summary: Disable two-factor authentication
      operationId: users_DisableTwoFactor
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Two-factor authentication disabled (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/security/webauthn/keys:
    get:
      tags:
      - Identity - Users & Settings
      summary: List WebAuthn security keys
      operationId: users_GetWebauthnSecurityKeys
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of WebAuthn security keys.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/WebAuthnSecurityKeys'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/security/webauthn/request_register:
    post:
      tags:
      - Identity - Users & Settings
      summary: Begin WebAuthn registration
      operationId: users_WebAuthnRegister
      description: Returns the WebAuthn credential creation options (opaque, protocol-defined object).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WebauthnRegistrationOptions'
      responses:
        '200':
          description: WebAuthn credential creation options.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/security/webauthn/register:
    post:
      tags:
      - Identity - Users & Settings
      summary: Complete WebAuthn registration
      operationId: users_WebauthnRegisterPost
      description: Reads the security key response from the request. Returns the created credential (opaque
        object).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '201':
          description: WebAuthn credential created (opaque object).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/security/webauthn/keys/{id}:
    delete:
      tags:
      - Identity - Users & Settings
      summary: Delete a WebAuthn security key
      operationId: users_WebauthnDelete
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: ID of the WebAuthn security key.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: WebAuthn security key deleted (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/settings/security/sessions/:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's active sessions
      operationId: users_ListUserSessions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of sessions.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/SessionInfoAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/security/sessions/{sid}/revoke:
    delete:
      tags:
      - Identity - Users & Settings
      summary: Revoke a session
      operationId: users_RevokeUserSession
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: sid
        in: path
        required: true
        description: Session ID to revoke.
        schema:
          type: string
      responses:
        '200':
          description: The remaining list of sessions.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/SessionInfoAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/settings/security/account_link:
    get:
      tags:
      - Identity - Users & Settings
      summary: List linked external accounts
      operationId: users_GetAccountLinks
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of linked accounts.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/AccountLink'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Delete a linked external account
      operationId: users_DeleteAccountLink
      description: Despite the POST verb, this removes an account link.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccountLinkParams'
      responses:
        '200':
          description: Account link removed (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/organizations:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's organizations
      operationId: users_ListOrganizations
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of organizations.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Organization'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/organizations/create:
    get:
      tags:
      - Identity - Users & Settings
      summary: Check if the authenticated user can create organizations
      operationId: users_CreateOrganizationPermission
      description: Returns 200 if allowed, 403 if not.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: User can create organizations.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Create an organization
      operationId: users_CreateOrganization
      description: Accepts multipart/form-data (CreateOrgParams).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/CreateOrgParams'
      responses:
        '200':
          description: Organization created; optional message about Rancher sync.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponseMessage'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/tokens/access-tokens/:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's access tokens (settings)
      operationId: users_SettingsListAccessTokens
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of access tokens.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/SettingsAccessToken'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Create a new access token (settings)
      operationId: users_CreateNewAccessToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/NewAccessTokenParam'
      responses:
        '201':
          description: The created access token (includes the plaintext token value).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SettingsAccessToken'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/tokens/access-tokens/delete-records:
    post:
      tags:
      - Identity - Users & Settings
      summary: Delete multiple access tokens
      operationId: users_DeleteMultipleAccessTokens
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccessTokenIdList'
      responses:
        '200':
          description: Result message describing how many records were deleted.
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/tokens/access-tokens/{id}:
    delete:
      tags:
      - Identity - Users & Settings
      summary: Delete an access token (settings)
      operationId: users_SettingsDeleteAccessToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: ID of the access token to delete.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Access token deleted (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/settings/tokens/nats-tokens/:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's NATS user-type tokens
      operationId: users_ListNatsUserTypeTokens
      description: Returns NATS user-type token accounts (modeled as an opaque object list).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of NATS user-type token accounts.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/tokens/nats-tokens/{id}/revoke/:
    post:
      tags:
      - Identity - Users & Settings
      summary: Revoke a NATS user-type token
      operationId: users_RevokeNatsUserTypeToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: ID of the NATS token to revoke.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: NATS token revoked (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/settings/applications/oauth2:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's OAuth2 applications
      operationId: users_ListOAuth2Applications
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of OAuth2 applications.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/OAuth2Application'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    post:
      tags:
      - Identity - Users & Settings
      summary: Create an OAuth2 application
      operationId: users_CreateOAuth2Application
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/OAuth2ApplicationParams'
      responses:
        '200':
          description: The created OAuth2 application (includes the client secret).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuth2Application'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/settings/applications/oauth2/{id}:
    get:
      tags:
      - Identity - Users & Settings
      summary: Get an OAuth2 application
      operationId: users_GetOAuth2Application
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: ID of the OAuth2 application.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: The OAuth2 application.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuth2Application'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
    put:
      tags:
      - Identity - Users & Settings
      summary: Update an OAuth2 application
      operationId: users_UpdateOAuth2Application
      description: Accepts multipart/form-data (OAuth2ApplicationParams).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: ID of the OAuth2 application.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/OAuth2ApplicationParams'
      responses:
        '200':
          description: The updated OAuth2 application.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuth2Application'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '422':
          $ref: '#/components/responses/ValidationError'
    delete:
      tags:
      - Identity - Users & Settings
      summary: Delete an OAuth2 application
      operationId: users_DeleteOAuth2Application
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: ID of the OAuth2 application.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: OAuth2 application deleted (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/settings/applications/oauth2/{id}/regenerate_secret:
    post:
      tags:
      - Identity - Users & Settings
      summary: Regenerate an OAuth2 application's client secret
      operationId: users_OAuth2ApplicationRegenerateSecret
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: ID of the OAuth2 application.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: The new client secret string.
          content:
            application/json:
              schema:
                type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/settings/applications/oauth2/{id}/revoke:
    post:
      tags:
      - Identity - Users & Settings
      summary: Revoke an OAuth2 grant
      operationId: users_RevokeOAuth2Grant
      description: The path {id} is the OAuth2 grant ID.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: ID of the OAuth2 grant to revoke.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: OAuth2 grant revoked (no body).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/settings/applications/oauth2/grants:
    get:
      tags:
      - Identity - Users & Settings
      summary: List the authenticated user's OAuth2 grants
      operationId: users_ListOAuth2Grants
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of OAuth2 grants.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/OAuth2Grant'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /orgs:
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Create an organization
      description: Creates a new organization owned by the authenticated user. The user must be permitted
        to create organizations (CanCreateOrganization), otherwise 403 is returned.
      operationId: orgs_CreateOrg
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateOrgOption'
      responses:
        '201':
          description: Organization created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Organization'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '422':
          $ref: '#/components/responses/validationError'
  /orgs/claim/{claimID}:
    patch:
      tags:
      - Identity - Organizations & Teams
      summary: Claim a standalone organization
      description: Claims a previously created standalone organization identified by claimID and assigns
        ownership to the authenticated user. Only registered when the deployment is AppsCode-hosted (setting.AppsCodeHosted).
      operationId: orgs_ClaimStandaloneOrg
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: claimID
        in: path
        required: true
        description: Claim identifier of the standalone organization
        schema:
          type: string
      responses:
        '200':
          description: Organization claimed. Returns the claimed organization (models.User.APIFormat,
            dynamic payload).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
        '409':
          description: Organization already claimed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /orgs/claim/:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Get the oldest claimable standalone organization claim ID
      description: Returns the claim ID of the oldest claimable standalone organization, by proxying an
        eligibility check to the central marketplace server. Only registered for marketplace deployments
        or in dev run mode, and requires site-admin (reqSiteAdmin).
      operationId: orgs_GetStandAloneOrgClaimId
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Claimable check result
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrgClaimableCheckResp'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
  /orgs/{orgname}/user/{username}:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Check whether a user exists (in the org context)
      description: Looks up a user by username and returns their profile if the user exists and is active.
        Returns 400 if the user does not exist or is inactive.
      operationId: orgs_CheckUserExists
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '200':
          description: User profile
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Profile'
        '400':
          description: User does not exist or is inactive
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
  /orgs/{orgname}/is-owner:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Check if the current user is the organization owner
      description: Returns 200 if the authenticated user is an owner of the organization. Ownership is
        enforced by upstream middleware.
      operationId: orgs_IsOwner
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Current user is the organization owner
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
  /orgs/{orgname}:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Get an organization
      description: Returns the organization if it is visible to the requesting user.
      operationId: orgs_GetOrg
      security: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Organization
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Organization'
        '404':
          $ref: '#/components/responses/notFound'
    patch:
      tags:
      - Identity - Organizations & Teams
      summary: Edit an organization
      description: Updates the organization's profile fields. Requires a token and org-edit authorization
        (Organization_CanEditOrg / edit:org).
      operationId: orgs_EditOrg
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EditOrgOption'
      responses:
        '200':
          description: Updated organization
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Organization'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
        '422':
          $ref: '#/components/responses/validationError'
    delete:
      tags:
      - Identity - Organizations & Teams
      summary: Delete an organization
      description: Deletes the organization. Requires a token and delete authorization (Organization_CanDeleteOrg
        / delete:org); the requester must be the last admin per the orgLastAdmin condition.
      operationId: orgs_DeleteOrg
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '204':
          description: Organization deleted
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /orgs/{orgname}/avatar/:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Get the organization avatar
      description: Returns the organization's avatar URL. Requires viewer authorization (Organization_Viewer
        / view:avatar).
      operationId: orgs_GetAvatar
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Avatar URL (string)
          content:
            application/json:
              schema:
                type: string
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Update the organization avatar
      description: Uploads or sets the organization avatar via multipart form. Requires editor authorization
        (Organization_Editor / update:avatar).
      operationId: orgs_UpdateAvatar
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/AvatarParams'
      responses:
        '200':
          description: Avatar updated (response body depends on avatar handler).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '422':
          $ref: '#/components/responses/validationError'
  /orgs/{orgname}/avatar/delete:
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Delete the organization avatar
      description: Removes the organization's avatar. Requires editor authorization (Organization_Editor
        / delete:avatar).
      operationId: orgs_DeleteAvatar
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Avatar deleted
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
  /orgs/{orgname}/members:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: List an organization's members
      description: Lists organization members. Non-members (and unauthenticated callers) see only public
        members.
      operationId: orgs_ListMembers
      security: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: List of members
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
  /orgs/{orgname}/members/action/{action}:
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Perform a membership action
      description: Performs a membership action (private, public, remove, leave) for a member identified
        by the uid query parameter. Requires a token and org membership.
      operationId: orgs_MemberAction
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - name: action
        in: path
        required: true
        description: Membership action to perform
        schema:
          type: string
          enum:
          - private
          - public
          - remove
          - leave
      - name: uid
        in: query
        required: true
        description: User ID of the member the action applies to
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Action performed
        '400':
          description: uid missing or invalid
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /orgs/{orgname}/members/{username}:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Check if a user is a member of an organization
      description: Returns 204 if the user is a member, 404 if not. May redirect (302) to the public-members
        endpoint for non-members of the org.
      operationId: orgs_IsMember
      security: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: User is a member
        '302':
          description: Redirect to the public-members check
        '404':
          description: User is not a member
    delete:
      tags:
      - Identity - Organizations & Teams
      summary: Remove a member from an organization
      description: Removes a member from the organization. Requires a token and org ownership plus remove-member
        authorization (Organization_CanRemoveMember / admin:org, orgLastMember condition). Site admins
        cannot be removed from the administrative org.
      operationId: orgs_DeleteMember
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: Member removed
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /orgs/{orgname}/public_members:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: List an organization's public members
      operationId: orgs_ListPublicMembers
      security: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: List of public members
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
  /orgs/{orgname}/public_members/{username}:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Check if a user is a public member of an organization
      operationId: orgs_IsPublicMember
      security: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: User is a public member
        '404':
          description: User is not a public member
    put:
      tags:
      - Identity - Organizations & Teams
      summary: Publicize a user's membership
      description: Makes the caller's own organization membership public. Requires a token and org membership;
        a user cannot publicize another member (403).
      operationId: orgs_PublicizeMember
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: Membership publicized
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
    delete:
      tags:
      - Identity - Organizations & Teams
      summary: Conceal a user's membership
      description: Makes the caller's own organization membership private. Requires a token and org membership;
        a user cannot conceal another member (403).
      operationId: orgs_ConcealMember
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: Membership concealed
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /orgs/{orgname}/teams:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: List an organization's teams
      description: Lists the teams of the organization. Requires a token, org membership, and viewer authorization
        (Organization_Viewer / list:team).
      operationId: orgs_ListTeams
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: List of teams
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Team'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Create a team
      description: Creates a team in the organization. Requires a token, org membership, and team-editor
        authorization (create:team).
      operationId: orgs_CreateTeam
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateTeamOption'
      responses:
        '201':
          description: Team created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Team'
        '400':
          description: Invalid team type or too many assigned roles
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '422':
          $ref: '#/components/responses/validationError'
  /orgs/{orgname}/teams/{teamid}/action/{action}:
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Perform a team action
      description: Performs a team action (join, leave, remove, add) for the user identified by the uid
        query parameter (or uname for add). Requires a token, org membership, and team-member authorization
        (Team_Member / ctx.param.action:team).
      operationId: orgs_TeamAction
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - name: teamid
        in: path
        required: true
        description: ID of the team
        schema:
          type: integer
          format: int64
      - name: action
        in: path
        required: true
        description: Team action to perform
        schema:
          type: string
          enum:
          - join
          - leave
          - remove
          - add
      - name: uid
        in: query
        required: true
        description: User ID the action applies to
        schema:
          type: integer
          format: int64
      - name: uname
        in: query
        required: false
        description: Username to add (used with the add action)
        schema:
          type: string
      responses:
        '200':
          description: Action performed
        '400':
          description: uid missing or user is an organization
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
        '409':
          description: User already a member of the team
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /orgs/{orgname}/rancher/sync-token:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Get the Rancher organization sync token
      description: Returns the organization's Rancher synchronization token. Requires a token and viewer
        authorization (Organization_Viewer / view:sync-token).
      operationId: orgs_GetRancherOrgSyncToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Rancher sync token
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RancherAPIToken'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
    delete:
      tags:
      - Identity - Organizations & Teams
      summary: Remove the Rancher organization sync token
      description: Deletes the organization's Rancher synchronization token. Requires a token and editor
        authorization (Organization_Editor / remove:rancher-sync-token).
      operationId: orgs_RemoveRancherOrgSyncToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Token removed
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Create a Rancher organization sync token
      description: Creates a Rancher organization synchronization token from the provided access key.
        The organization must be of Rancher origin. Requires a token and editor authorization (Organization_Editor
        / create:rancher-org-sync-token).
      operationId: orgs_CreateRancherOrgSyncToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccessToken'
      responses:
        '200':
          description: Token created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiResponseMessage'
        '400':
          description: Organization origin is not Rancher
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '422':
          $ref: '#/components/responses/validationError'
  /orgs/{orgname}/rancher/user-token:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Get the Rancher user token (deprecated)
      description: Deprecated. Returns the caller's Rancher API token for the organization. Requires a
        token, org membership, and viewer authorization (Organization_Viewer / view:sync-token).
      operationId: orgs_GetRancherToken
      deprecated: true
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Rancher API token
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RancherAPIToken'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
    delete:
      tags:
      - Identity - Organizations & Teams
      summary: Remove the Rancher user token (deprecated)
      description: Deprecated. Deletes the caller's Rancher API token for the organization. Requires a
        token, org membership, and editor authorization (Organization_Editor / remove:rancher-sync-token).
      operationId: orgs_RemoveRancherToken
      deprecated: true
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Token removed
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Add a Rancher user token (deprecated)
      description: Deprecated. Stores a Rancher API token for the caller in the organization. Requires
        a token, org membership, and editor authorization (Organization_Editor / create:rancher-org-sync-token).
      operationId: orgs_AddRancherToken
      deprecated: true
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AccessToken'
      responses:
        '200':
          description: Token added
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '422':
          $ref: '#/components/responses/validationError'
  /orgs/{orgname}/tokens/access-tokens/:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: List the organization's access tokens
      description: Lists access tokens of the organization's system admin. Requires org membership and
        viewer authorization (Organization_Viewer / list:access-token).
      operationId: orgs_ListAccessTokens
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: List of access tokens
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/AccessTokenInfo'
        '400':
          description: Organization system admin does not exist
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
  /orgs/{orgname}/tokens/access-tokens/{id}:
    delete:
      tags:
      - Identity - Organizations & Teams
      summary: Delete an organization access token
      description: Deletes an access token of the organization's system admin. Requires org membership
        and editor authorization (Organization_Editor / delete:access-token).
      operationId: orgs_DeleteAccessToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - name: id
        in: path
        required: true
        description: ID of the access token
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Access token deleted
        '400':
          description: Organization system admin does not exist
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /orgs/{orgname}/tokens/nats-tokens/:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: List the organization's NATS user-type tokens
      description: Lists NATS user-type tokens of the organization's system admin. Requires org membership
        and viewer authorization (Organization_Viewer / list:nats-token).
      operationId: orgs_ListNatsUserTypeTokens
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: List of NATS accounts
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/NatsAccount'
        '400':
          description: Organization system admin does not exist
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
  /orgs/{orgname}/tokens/nats-tokens/{id}/revoke:
    post:
      tags:
      - Identity - Organizations & Teams
      summary: Revoke a NATS user-type token
      description: Revokes a NATS user-type token of the organization's system admin. Requires org membership
        and editor authorization (Organization_Editor / revoke:nats-token).
      operationId: orgs_RevokeNatsUserTypeToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - name: id
        in: path
        required: true
        description: ID of the NATS token
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Token revoked
        '400':
          description: Organization system admin missing or NATS user not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /teams/{teamid}:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Get a team
      description: Returns a team by ID. Requires a token and view authorization (Team_CanView / view:team).
      operationId: orgs_GetTeam
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: teamid
        in: path
        required: true
        description: ID of the team
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Team
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Team'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
    patch:
      tags:
      - Identity - Organizations & Teams
      summary: Edit a team
      description: Updates a team. Requires a token and edit authorization (Team_CanEdit / edit:team).
        Owner-team permission cannot be changed.
      operationId: orgs_EditTeam
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: teamid
        in: path
        required: true
        description: ID of the team
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EditTeamOption'
      responses:
        '200':
          description: Updated team
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Team'
        '400':
          description: Invalid team type or team name
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
        '422':
          $ref: '#/components/responses/validationError'
    delete:
      tags:
      - Identity - Organizations & Teams
      summary: Delete a team
      description: Deletes a team. Requires a token and delete authorization (Team_CanDelete / delete:team).
      operationId: orgs_DeleteTeam
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: teamid
        in: path
        required: true
        description: ID of the team
        schema:
          type: integer
          format: int64
      responses:
        '204':
          description: Team deleted
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /teams/{teamid}/members:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: List a team's members
      description: Lists the members of a team. Requires a token, org membership, and view authorization
        (Team_CanView / list:team-members).
      operationId: orgs_GetTeamMembers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: teamid
        in: path
        required: true
        description: ID of the team
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: List of team members
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /teams/{teamid}/members/{username}:
    get:
      tags:
      - Identity - Organizations & Teams
      summary: Get a particular member of a team
      description: Returns a specific team member. Requires a token and view authorization (Team_CanView
        / view:team-member).
      operationId: orgs_GetTeamMember
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: teamid
        in: path
        required: true
        description: ID of the team
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '200':
          description: Team member
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
    put:
      tags:
      - Identity - Organizations & Teams
      summary: Add a team member
      description: Adds a user to the team. Requires a token and add authorization (Team_CanAddMember
        / add:team-member). For the owner team, the autoConnectClusters query flag can trigger cluster
        auto-connect.
      operationId: orgs_AddTeamMember
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: teamid
        in: path
        required: true
        description: ID of the team
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/usernameParam'
      - name: autoConnectClusters
        in: query
        required: false
        description: When adding to the owner team, auto-connect the user to org clusters
        schema:
          type: boolean
      responses:
        '204':
          description: Member added
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
    delete:
      tags:
      - Identity - Organizations & Teams
      summary: Remove a team member
      description: Removes a user from the team. Requires a token and remove authorization (Team_CanRemoveMember
        / remove:team-member, ownerTeamLastMember condition). Site admins cannot be removed from the administrative
        org.
      operationId: orgs_RemoveTeamMember
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: teamid
        in: path
        required: true
        description: ID of the team
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/usernameParam'
      responses:
        '204':
          description: Member removed
        '401':
          $ref: '#/components/responses/unauthorized'
        '403':
          $ref: '#/components/responses/forbidden'
        '404':
          $ref: '#/components/responses/notFound'
  /admin/orgs:
    get:
      tags:
      - Administration
      summary: List all organizations
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_GetAllOrgs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of organizations
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Organization'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /admin/users:
    get:
      tags:
      - Administration
      summary: List all users
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_GetAllUsers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of users
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    post:
      tags:
      - Administration
      summary: Create a user
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_CreateUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateUserOption'
      responses:
        '201':
          description: Created user
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /admin/users/{username}:
    patch:
      tags:
      - Administration
      summary: Edit an existing user
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_EditUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/username'
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EditUserOption'
      responses:
        '200':
          description: Updated user
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Administration
      summary: Delete a user
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_DeleteUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/username'
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '204':
          description: User deleted
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /admin/users/{username}/update:
    post:
      tags:
      - Administration
      summary: Update a user's profile as admin
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_UpdateUserProfileByAdmin
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/username'
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Profile'
      responses:
        '200':
          description: Updated profile
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Profile'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /admin/users/{username}/change-password:
    post:
      tags:
      - Administration
      summary: Change a user's password as admin
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_UpdateUserPassword
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/username'
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdatePasswordParams'
      responses:
        '200':
          description: Password updated
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /admin/users/{username}/orgs:
    get:
      tags:
      - Administration
      summary: List a user's organizations
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_ListUserOrgs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/username'
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of organizations for the user. Response shape is delegated to org.ListUserOrgs;
            represented here generically.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    post:
      tags:
      - Administration
      summary: Create an organization owned by a user
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_CreateOrg
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/username'
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateOrgOption'
      responses:
        '201':
          description: Created organization
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Organization'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /admin/users/{uid}:
    get:
      tags:
      - Administration
      summary: Get user information by user ID
      description: Requires a valid token, an organization supplied via query, and the `admin_of_administrative_org`
        authorization relation.
      operationId: admin_GetInfoByUserId
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: User information
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: User not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin:
    get:
      tags:
      - Administration
      summary: Site administration dashboard
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `view_usage_analytics:site_admin` authorization relation.
      operationId: admin_Dashboard
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Dashboard payload. Returns an untyped map with `stats` and `sysStatus` keys; represented
            generically.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/config:
    get:
      tags:
      - Administration
      summary: Site administration configuration page
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and site-admin privileges. Renders an HTML template rather than a JSON body.
      operationId: admin_Config
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: HTML config page
          content:
            text/html:
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/config/test_mail:
    post:
      tags:
      - Administration
      summary: Send a test email
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `send_test_mails:site_admin` authorization relation. Redirects to the config page on completion.
      operationId: admin_SendTestMail
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: email
        in: query
        required: false
        schema:
          type: string
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '302':
          description: Redirect to the config page
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/monitor:
    get:
      tags:
      - Administration
      summary: Site administration monitor page
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and site-admin privileges. Renders an HTML template rather than a JSON body.
      operationId: admin_Monitor
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: HTML monitor page
          content:
            text/html:
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/delete/inactive-users:
    delete:
      tags:
      - Administration
      summary: Purge deactivated users inactive for more than 30 days
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `purge_deactivated_users:site_admin` authorization relation.
      operationId: admin_DeleteInActiveUsers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Inactive users purged
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/users:
    get:
      tags:
      - Administration
      summary: List all users (site administration)
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `view_users:site_admin` authorization relation.
      operationId: admin_Users
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of users. Returns raw models.User records; represented generically.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/users/deleted_accounts:
    get:
      tags:
      - Administration
      summary: List deactivated user accounts
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `view_deleted_members:site_admin` authorization relation.
      operationId: admin_DeletedAccounts
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of deactivated users. Returns raw models.User records; represented generically.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/users/deleted_accounts/{id}/reactivate:
    post:
      tags:
      - Administration
      summary: Reactivate a deactivated user
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `reactivate_members:site_admin` authorization relation.
      operationId: admin_ReactivateUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: User reactivated
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/users/new:
    post:
      tags:
      - Administration
      summary: Create a new user (site administration)
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `create_users:site_admin` authorization relation.
      operationId: admin_NewUserPost
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AdminCreateUserPayload'
      responses:
        '201':
          description: User created
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/users/{userid}:
    post:
      tags:
      - Administration
      summary: Edit a user (site administration)
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `update_users:site_admin` authorization relation.
      operationId: admin_EditUserPost
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: userid
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AdminEditUserPayload'
      responses:
        '200':
          description: User updated
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/users/{userid}/delete:
    post:
      tags:
      - Administration
      summary: Deactivate a user (site administration)
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `delete_users:site_admin` authorization relation.
      operationId: admin_DeleteUserSiteAdmin
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: userid
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: User deactivated
        '400':
          description: User still owns organizations
          content:
            application/json:
              schema:
                type: object
                properties:
                  message:
                    type: string
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/orgs:
    get:
      tags:
      - Administration
      summary: List all organizations (site administration)
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `view_orgs:site_admin` authorization relation.
      operationId: admin_Organizations
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of organizations. Returns raw models.Organization records; represented generically.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/orgs/orphaned/:
    get:
      tags:
      - Administration
      summary: List orphaned organizations
      description: Requires a valid token, an organization supplied via query, and membership of that
        organization.
      operationId: admin_GetAllOrphanedOrganizations
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of orphaned organizations
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Organization'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/orgs/orphaned/delete/{id}:
    delete:
      tags:
      - Administration
      summary: Delete an orphaned organization
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `delete:orphaned-org` authorization relation.
      operationId: admin_DeleteOrganizations
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Organization deleted
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/clusters:
    get:
      tags:
      - Administration
      summary: List all clusters (site administration)
      description: Requires a valid token, an organization supplied via query, and membership of that
        organization.
      operationId: admin_Clusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of clusters. Returns raw models.ClusterInfo records; represented generically.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/auths:
    get:
      tags:
      - Administration
      summary: List authentication sources
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_authn_source` authorization relation.
      operationId: admin_Authentications
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of login sources. Returns raw models.LoginSource records; represented generically.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/auths/auth-types:
    get:
      tags:
      - Administration
      summary: List available authentication source types
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_authn_source` authorization relation.
      operationId: admin_AuthenticationsTypes
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of authentication source types (name/type pairs); represented generically.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/auths/new:
    post:
      tags:
      - Administration
      summary: Create an authentication source
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_authn_source` authorization relation.
      operationId: admin_NewAuthSourcePost
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthenticationPayload'
      responses:
        '201':
          description: Authentication source created
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/auths/{authid}:
    get:
      tags:
      - Administration
      summary: Get an authentication source
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_authn_source` authorization relation.
      operationId: admin_GetAuthenticationSource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: authid
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Login source. Returns a raw models.LoginSource record; represented generically.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    post:
      tags:
      - Administration
      summary: Edit an authentication source
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_authn_source` authorization relation.
      operationId: admin_EditAuthSourcePost
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: authid
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthenticationPayload'
      responses:
        '200':
          description: Authentication source updated
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/auths/{authid}/delete:
    post:
      tags:
      - Administration
      summary: Delete an authentication source
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_authn_source` authorization relation.
      operationId: admin_DeleteAuthSource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: authid
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Authentication source deleted
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/external_oauth:
    get:
      tags:
      - Administration
      summary: List external OAuth2 authentication sources
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_external_authn_source` authorization relation.
      operationId: admin_ExternalAuthentications
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of external OAuth2 applications. Returns raw models.ExternalOAuth2Application
            records; represented generically.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/external_oauth/new:
    post:
      tags:
      - Administration
      summary: Create an external OAuth2 authentication source
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_external_authn_source` authorization relation.
      operationId: admin_NewExternalAuthSourcePost
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExternalOAuth2AppPayload'
      responses:
        '201':
          description: External OAuth2 source created
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/external_oauth/{provider}:
    post:
      tags:
      - Administration
      summary: Edit an external OAuth2 authentication source
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_external_authn_source` authorization relation.
      operationId: admin_EditExternalAuthSourcePost
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: provider
        in: path
        required: true
        schema:
          type: string
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExternalOAuth2AppPayload'
      responses:
        '200':
          description: External OAuth2 source updated
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /accounts/admin/external_oauth/{provider}/delete:
    post:
      tags:
      - Administration
      summary: Delete an external OAuth2 authentication source
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `site_admin_editor_external_authn_source` authorization relation.
      operationId: admin_DeleteExternalAuthSource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: provider
        in: path
        required: true
        schema:
          type: string
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: External OAuth2 source deleted
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /branding:
    get:
      tags:
      - Administration
      summary: Get branding options
      description: Public endpoint. Returns the current branding configuration.
      operationId: admin_GetBrandingOptions
      security: []
      responses:
        '200':
          description: Branding options
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BrandingResponse'
        '304':
          description: Not modified
    post:
      tags:
      - Administration
      summary: Set branding options
      description: Requires a valid token, membership of the organization, and the `edit_branding_options:org`
        authorization relation.
      operationId: admin_SetBrandingOptions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BrandingOptions'
      responses:
        '200':
          description: Branding options updated
        '400':
          description: Invalid branding option
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /allowed-domains:
    get:
      tags:
      - Administration
      summary: List allowed email domains
      description: Public endpoint. Returns the configured email domain whitelist.
      operationId: admin_GetAllowedEmailDomains
      security: []
      responses:
        '200':
          description: List of allowed email domains
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
    post:
      tags:
      - Administration
      summary: Add an email domain to the whitelist
      description: Requires a valid token, an organization supplied via query, and the `edit_allowed_domains:site_admin`
        authorization relation.
      operationId: admin_AddNewEmailDomainIntoWhiteList
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DomainOpts'
      responses:
        '200':
          description: Domain added
        '400':
          description: Invalid domain name
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '409':
          description: Domain already exists
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    patch:
      tags:
      - Administration
      summary: Remove an email domain from the whitelist
      description: Requires a valid token, an organization supplied via query, and the `edit_allowed_domains:site_admin`
        authorization relation.
      operationId: admin_DeleteEmailDomainFromWhiteList
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DomainOpts'
      responses:
        '200':
          description: Domain removed
        '400':
          description: Domain not found in whitelist
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /disable-registration:
    get:
      tags:
      - Administration
      summary: Get user registration status
      description: Public endpoint. Returns whether user registration is disabled.
      operationId: admin_GetUserRegistrationStatus
      security: []
      responses:
        '200':
          description: Registration status
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RegistrationOpts'
    post:
      tags:
      - Administration
      summary: Update user registration status
      description: Requires a valid token, an organization supplied via query, and the `update_user_registration:site_admin`
        authorization relation.
      operationId: admin_UpdateUserRegistrationStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RegistrationOpts'
      responses:
        '200':
          description: Registration status updated
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /authz/objects/{objectType}/{objID}/allowed-permissions:
    get:
      tags:
      - Authorization
      summary: Get allowed permissions on an object
      description: Requires a valid token and an organization supplied via query. Returns the requester's
        allowed permissions on the identified object.
      operationId: authz_GetAllowedPermissions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: objectType
        in: path
        required: true
        schema:
          type: string
      - name: objID
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Allowed permissions for the object
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthObjectAllowedPermissions'
        '400':
          description: Invalid object type or ID
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /authz/objects/allowed-permissions:
    post:
      tags:
      - Authorization
      summary: Batch get allowed permissions on objects
      description: Requires a valid token and an organization supplied via query. Returns the requester's
        allowed permissions for each supplied object identifier.
      operationId: authz_GetBatchAllowedPermissions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/AuthObjectIdentifier'
      responses:
        '200':
          description: Allowed permissions for each object
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/AuthObjectAllowedPermissions'
        '400':
          description: Invalid object type or ID
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /authz/roles/available_permissions:
    get:
      tags:
      - Authorization
      summary: List available permissions
      description: Requires a valid token, an organization supplied via query, and membership of that
        organization. Returns the set of permissions assignable in the caller's context.
      operationId: authz_ListAvailablePermissions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Available permissions. Returns an authzstores.VirtualPermissionsData structure;
            represented generically.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /authz/roles:
    get:
      tags:
      - Authorization
      summary: List roles
      description: Requires a valid token, an organization supplied via query, and membership of that
        organization.
      operationId: authz_ListRoles
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: List of roles
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/RoleResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    post:
      tags:
      - Authorization
      summary: Create a role
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `create_role:org` authorization relation.
      operationId: authz_CreateRole
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateRoleRequest'
      responses:
        '201':
          description: Role created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RoleResponse'
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /authz/roles/{id}:
    get:
      tags:
      - Authorization
      summary: Get a role
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `view:role` authorization relation.
      operationId: authz_GetRole
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Role
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RoleResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Role not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    put:
      tags:
      - Authorization
      summary: Update a role
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `edit:role` authorization relation.
      operationId: authz_UpdateRole
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateRoleRequest'
      responses:
        '200':
          description: Role updated
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RoleResponse'
        '400':
          description: Invalid request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Role not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Validation error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Authorization
      summary: Delete a role
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `delete:role` authorization relation.
      operationId: authz_DeleteRole
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '204':
          description: Role deleted
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Role not found
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /authz/roles/{id}/principals:
    get:
      tags:
      - Authorization
      summary: Get principals assigned to a role
      description: Requires a valid token, an organization supplied via query, membership of that organization,
        and the `viewer:role` authorization relation.
      operationId: authz_GetAssignedPrincipalsOfARole
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        schema:
          type: integer
          format: int64
      - $ref: '#/components/parameters/orgnameQuery'
      responses:
        '200':
          description: Principals assigned to the role. Returns the raw output of models.ListPrincipalsOfARole;
            represented generically.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/resources:
    post:
      tags:
      - Cluster Management v1
      summary: Create a generic Kubernetes resource in the cluster
      operationId: clustersV1_GenericCreate
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Raw YAML/JSON of the Kubernetes object to create (parsed into an unstructured object).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The created Kubernetes resource.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/deploy/{id}:
    post:
      tags:
      - Cluster Management v1
      summary: Install a product deploy order in the cluster
      description: Loads the previously generated order.yaml identified by {id} and installs it into the
        cluster. No request body.
      operationId: clustersV1_InstallProduct
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: Deploy order ID.
        schema:
          type: string
      responses:
        '200':
          description: Product installed successfully (empty body).
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Deploy order not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Cluster Management v1
      summary: Uninstall a product deploy order from the cluster
      description: Loads the previously generated order.yaml identified by {id} and uninstalls it from
        the cluster. No request body.
      operationId: clustersV1_UninstallProduct
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: Deploy order ID.
        schema:
          type: string
      responses:
        '200':
          description: Product uninstalled successfully (empty body).
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Deploy order not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/resource-history:
    get:
      tags:
      - Cluster Management v1
      summary: Get resource history from NATS
      description: Returns the change history for resources, filtered by query params (product, group,
        resource, rid).
      operationId: clustersV1_GetResourceHistoryFromNats
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: product
        in: query
        required: false
        schema:
          type: string
      - name: group
        in: query
        required: false
        schema:
          type: string
      - name: resource
        in: query
        required: false
        schema:
          type: string
      - name: rid
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: Resource history entries.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BadgerEntryList'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}:
    get:
      tags:
      - Cluster Management v1
      summary: Get a cluster
      operationId: clustersV1_GetCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: The cluster info.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Cluster not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    put:
      tags:
      - Cluster Management v1
      summary: Update a cluster
      description: 'Requires authz: update:cluster (Cluster_Editor).'
      operationId: clustersV1_UpdateCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ImportClusterOption'
      responses:
        '200':
          description: The updated cluster info.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfoModel'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Cluster not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Cluster Management v1
      summary: Delete a cluster
      description: 'Submits a cluster deletion command as an async task. Requires authz: delete:cluster
        (Cluster_Editor).'
      operationId: clustersV1_ClusterDeletionCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: The submitted task response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Cluster not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/remove:
    post:
      tags:
      - Cluster Management v1
      summary: Remove a cluster
      operationId: clustersV1_RemoveCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: Cluster removed successfully (empty body).
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/client-config:
    get:
      tags:
      - Cluster Management v1
      summary: Get the cluster client (kube) config
      description: 'Requires authz: view:kube-config (Cluster_CanViewKubeconfig). Returns the raw kubeconfig
        as a JSON string.'
      operationId: clustersV1_GetClientConfig
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: The kubeconfig as a string.
          content:
            application/json:
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/available-types:
    get:
      tags:
      - Cluster Management v1
      summary: Find available resource types in the cluster
      description: Returns a nested mapping of group -> version -> list of available kinds/resources.
      operationId: clustersV1_FindAvailableTypes
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: Nested map of available types (dynamic structure).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/db-status:
    get:
      tags:
      - Cluster Management v1
      summary: Get database feature status
      description: Returns a dynamic map of feature gates / DB status for the cluster.
      operationId: clustersV1_GetDBStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: DB status (dynamic map).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/db-bundle:
    get:
      tags:
      - Cluster Management v1
      summary: Get database bundle information
      description: Returns a dynamic map of DB bundle info (map of string to list of strings).
      operationId: clustersV1_GetDBBundle
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: DB bundle (dynamic map of string to string array).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/update-presets/{preset}:
    post:
      tags:
      - Cluster Management v1
      summary: Update presets in a spoke cluster
      description: Updates the given preset by applying the supplied HelmRelease (fluxcd HelmRelease)
        in the spoke cluster.
      operationId: clustersV1_UpdatePresetsInSpokeCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: preset
        in: path
        required: true
        description: Preset name.
        schema:
          type: string
      requestBody:
        description: fluxcd HelmRelease object.
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Presets updated successfully (empty body).
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/is-server:
    get:
      tags:
      - Cluster Management v1
      summary: Check if this is the server cluster
      description: 'Returns {"server": "yes"|"no"}.'
      operationId: clustersV1_CheckIfThisIsServerCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: Server check result.
          content:
            application/json:
              schema:
                type: object
                properties:
                  server:
                    type: string
                    enum:
                    - 'yes'
                    - 'no'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/feature/factory-values:
    get:
      tags:
      - Cluster Management v1
      summary: Get feature factory values
      description: Returns a dynamic map of factory (default) feature values.
      operationId: clustersV1_GetFeatureValues
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: Feature factory values (dynamic map).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/execute-command:
    post:
      tags:
      - Cluster Management v1
      summary: Execute a whitelisted kubectl plugin command
      description: Runs one of the supported commands (kubectl-kubestash, kubectl-stash, kubectl-dba,
        kubectl-vault) against the cluster.
      operationId: clustersV1_ExecuteCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExecuteCommandPayload'
      responses:
        '200':
          description: Command output.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CommandResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid or unsupported command.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/tiller-config:
    get:
      tags:
      - Helm
      summary: Get the tiller (helm driver) config
      operationId: helm_GetTillerConfig
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: The console/tiller config.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConsoleConfig'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    put:
      tags:
      - Helm
      summary: Update the tiller (helm driver) config
      operationId: helm_UpdateTillerConfig
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TillerOptions'
      responses:
        '200':
          description: The updated console/tiller config.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConsoleConfig'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Config not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/tiller-config/default:
    get:
      tags:
      - Helm
      summary: Get the default tiller (helm driver) config
      operationId: helm_GetDefaultTillerConfig
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: The default console/tiller config.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ConsoleConfig'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/v3/releases/:
    get:
      tags:
      - Helm
      summary: List helm v3 releases
      operationId: helm_ListReleases
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Helm list options (lib-helm action.ListOptions).
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: List of helm releases (helm release.Release objects).
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    post:
      tags:
      - Helm
      summary: Install a helm v3 release
      description: Submits an install command as an async task.
      operationId: helm_InstallReleaseCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Helm install options (lib-helm action.InstallOptions).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The submitted task response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/v3/releases/{name}/:
    get:
      tags:
      - Helm
      summary: Get the history of a helm release
      operationId: helm_GetHistory
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: name
        in: path
        required: true
        description: Release name.
        schema:
          type: string
      - name: max
        in: query
        required: false
        description: Maximum number of history revisions to return.
        schema:
          type: integer
      responses:
        '200':
          description: List of release revisions (helm release.Release objects).
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Release not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    put:
      tags:
      - Helm
      summary: Upgrade a helm v3 release
      description: Submits an upgrade command as an async task.
      operationId: helm_UpgradeReleaseCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: name
        in: path
        required: true
        description: Release name.
        schema:
          type: string
      requestBody:
        description: Helm upgrade options (lib-helm action.UpgradeOptions).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The submitted task response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Release not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Helm
      summary: Uninstall a helm v3 release
      description: Submits an uninstall command as an async task.
      operationId: helm_UninstallReleaseCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: name
        in: path
        required: true
        description: Release name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UninstallReleaseRequest'
      responses:
        '200':
          description: The submitted task response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Release not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/v3/releases/{name}/content:
    get:
      tags:
      - Helm
      summary: Get the content of a helm release
      operationId: helm_GetReleaseContent
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: name
        in: path
        required: true
        description: Release name.
        schema:
          type: string
      - name: version
        in: query
        required: false
        schema:
          type: integer
      - name: namespace
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: The release content (helm release.Release object).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Release not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/v3/releases/{name}/status:
    get:
      tags:
      - Helm
      summary: Get the status of a helm release
      operationId: helm_GetReleaseStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: name
        in: path
        required: true
        description: Release name.
        schema:
          type: string
      - name: version
        in: query
        required: false
        schema:
          type: integer
      - name: namespace
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: The release status (helm release.Release object).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Release not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/v3/releases/{name}/rollback:
    post:
      tags:
      - Helm
      summary: Rollback a helm v3 release
      description: Submits a rollback command as an async task.
      operationId: helm_RollbackReleaseCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: name
        in: path
        required: true
        description: Release name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RollbackReleaseRequest'
      responses:
        '200':
          description: The submitted task response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Release not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/bundleview:
    get:
      tags:
      - Helm
      summary: Get the bundle view for a chart
      operationId: helm_GetBundleViewForChart
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Chart source reference (releasesapi.ChartSourceFlatRef).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The bundle view (releasesapi.BundleView).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/bundleview/orders:
    post:
      tags:
      - Helm
      summary: Create an order for a bundle view
      operationId: helm_CreateOrderForBundle
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Bundle view (releasesapi.BundleView).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The generated order (releasesapi.Order).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/packageview:
    get:
      tags:
      - Helm
      summary: Get the package view for a chart
      operationId: helm_GetPackageViewForChart
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Chart source reference (releasesapi.ChartSourceFlatRef).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The package view (releasesapi.PackageView, serialized as raw JSON).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/packageview/files:
    get:
      tags:
      - Helm
      summary: List the files of a chart package
      operationId: helm_ListPackageFiles
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Chart source reference (releasesapi.ChartSourceFlatRef).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: List of package file paths.
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/packageview/files/{path}:
    get:
      tags:
      - Helm
      summary: Get a single file from a chart package
      operationId: helm_GetPackageFile
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: path
        in: path
        required: true
        description: Path of the file within the chart package.
        schema:
          type: string
      requestBody:
        description: Chart source reference (releasesapi.ChartSourceFlatRef).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The requested file content (raw bytes; content-type varies).
          content:
            application/octet-stream:
              schema:
                type: string
                format: binary
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: File not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/packageview/orders:
    post:
      tags:
      - Helm
      summary: Create an order for an editor package view / chart
      operationId: helm_CreateOrderForPackage
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Chart order (releasesapi.ChartOrder).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The generated order (releasesapi.Order).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/packageview/values:
    get:
      tags:
      - Helm
      summary: Get the values file for a chart preset
      operationId: helm_GetValuesFile
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Chart preset reference (chartsapi.ChartPresetFlatRef).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The merged chart values (dynamic map).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/options/model:
    put:
      tags:
      - Helm
      summary: Generate an editor model from options
      operationId: helm_GenerateEditorModelFromOptions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Options (arbitrary JSON object).
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: The generated editor model (unstructured object; YAML when requested).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/options/manifest:
    put:
      tags:
      - Helm
      summary: Preview the editor manifest from options
      operationId: helm_PreviewEditorManifest
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Options (arbitrary JSON object).
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: The rendered manifest (raw YAML/text).
          content:
            text/plain:
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/options/resources:
    put:
      tags:
      - Helm
      summary: Preview the editor resources from options
      operationId: helm_PreviewEditorResources
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Options (arbitrary JSON object).
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: The rendered resources (releasesapi.ResourceOutput).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/editor/:
    put:
      tags:
      - Helm
      summary: Apply (create/update/install) a resource editor model
      description: Submits an apply command as an async task.
      operationId: helm_ApplyResourceCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Editor model (arbitrary JSON object).
        required: true
        content:
          application/json:
            schema:
              type: object
              additionalProperties: true
      responses:
        '200':
          description: The submitted task response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Helm
      summary: Delete a resource editor installation
      description: Submits a delete command as an async task.
      operationId: helm_DeleteResourceCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Resource metadata (releasesapi.MetadataFlat).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The submitted task response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TaskResponse'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/editor/model:
    put:
      tags:
      - Helm
      summary: Load an editor model from an existing installation
      operationId: helm_LoadEditorModel
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Editor model (releasesapi.Model).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The editor model values (raw JSON/YAML).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/editor/manifest:
    put:
      tags:
      - Helm
      summary: Load the editor manifest from an existing installation
      operationId: helm_LoadEditorManifest
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Editor model (releasesapi.Model).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The rendered manifest (raw YAML/text).
          content:
            text/plain:
              schema:
                type: string
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/helm/editor/resources:
    put:
      tags:
      - Helm
      summary: Load the editor resources from an existing installation
      operationId: helm_LoadEditorResources
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        description: Editor model metadata (releasesapi.ModelMetadata).
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: The rendered resources (releasesapi.ResourceOutput).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/all-available:
    get:
      tags:
      - Kubernetes Proxy
      summary: List available object versions for a group/version
      description: Discovers all resources under the given API group/version and returns, per Kind, the
        list of object names available in the cluster.
      operationId: proxy_ListAvailableObjectsByGroupVersion
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      responses:
        '200':
          description: Map of Kind to available object names.
          content:
            application/json:
              schema:
                type: object
                additionalProperties:
                  type: array
                  items:
                    type: string
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/core/v1/namespaces/{namespace}/{resource}/{name}/log:
    get:
      tags:
      - Kubernetes Proxy
      summary: Stream pod logs
      description: Streams container logs for the named pod. The response is a streaming plain-text body.
      operationId: proxy_StreamPodLogs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: namespace
        in: path
        required: true
        description: Namespace of the pod.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Resource type (pods).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Name of the pod.
        schema:
          type: string
      responses:
        '200':
          description: Streaming log output.
          content:
            text/plain:
              schema:
                type: string
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Pod not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/core/v1/namespaces/{namespace}/{resource}/{name}/exec:
    get:
      tags:
      - Kubernetes Proxy
      summary: Exec into a pod container
      description: Establishes an interactive exec session into a container of the named pod. This endpoint
        is upgraded to a WebSocket connection; it is not a plain HTTP request/response.
      operationId: proxy_ExecPod
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: namespace
        in: path
        required: true
        description: Namespace of the pod.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Resource type (pods).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Name of the pod.
        schema:
          type: string
      responses:
        '101':
          description: Switching Protocols; connection upgraded to a WebSocket exec stream.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Pod not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/core/v1/nodes/{name}/metrics:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get node metrics
      description: Returns resource usage metrics for the named node.
      operationId: proxy_GetNodeMetrics
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: name
        in: path
        required: true
        description: Name of the node.
        schema:
          type: string
      responses:
        '200':
          description: Node metrics object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Node not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/core/v1/namespaces/{namespace}/pods/{name}/metrics:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get pod metrics
      description: Returns resource usage metrics for the named pod.
      operationId: proxy_GetPodMetrics
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: namespace
        in: path
        required: true
        description: Namespace of the pod.
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Name of the pod.
        schema:
          type: string
      responses:
        '200':
          description: Pod metrics object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Pod not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/authorization.k8s.io/v1/selfsubjectaccessreviews:
    post:
      tags:
      - Kubernetes Proxy
      summary: Create a SelfSubjectAccessReview
      description: Submits a SelfSubjectAccessReview to check whether the current user can perform an
        action, returning the review with its populated status.
      operationId: proxy_CreateSelfSubjectAccessReview
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: SelfSubjectAccessReview with populated status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/meta.k8s.appscode.com/v1alpha1/{resource}/{menu}/available:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get available user menus for a resource
      description: Returns the available user menu entries for the given meta.k8s.appscode.com resource
        and menu.
      operationId: proxy_GetAvailableUserMenus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: resource
        in: path
        required: true
        description: meta.k8s.appscode.com resource name.
        schema:
          type: string
      - name: menu
        in: path
        required: true
        description: Menu identifier.
        schema:
          type: string
      responses:
        '200':
          description: Available user menus object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/meta.k8s.appscode.com/v1alpha1/renders:
    get:
      tags:
      - Kubernetes Proxy
      summary: Render a resource layout (cacheable create)
      description: Renders a meta.k8s.appscode.com Render object. Implemented as a cacheable create where
        the request object is passed via the "q" query parameter (JSON-encoded) so the response can be
        cached.
      operationId: proxy_RenderResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: q
        in: query
        required: true
        description: JSON-encoded Render request object.
        schema:
          type: string
      responses:
        '200':
          description: Rendered object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/meta.k8s.appscode.com/v1alpha1/renderdashboards:
    get:
      tags:
      - Kubernetes Proxy
      summary: Render dashboards (cacheable create)
      description: Renders a meta.k8s.appscode.com RenderDashboard object. The request object is passed
        via the "q" query parameter (JSON-encoded).
      operationId: proxy_RenderDashboards
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: q
        in: query
        required: true
        description: JSON-encoded RenderDashboard request object.
        schema:
          type: string
      responses:
        '200':
          description: Rendered dashboards object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/meta.k8s.appscode.com/v1alpha1/rendermenus:
    get:
      tags:
      - Kubernetes Proxy
      summary: Render menus (cacheable create)
      description: Renders a meta.k8s.appscode.com RenderMenu object. The request object is passed via
        the "q" query parameter (JSON-encoded).
      operationId: proxy_RenderMenus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: q
        in: query
        required: true
        description: JSON-encoded RenderMenu request object.
        schema:
          type: string
      responses:
        '200':
          description: Rendered menus object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/meta.k8s.appscode.com/v1alpha1/resourcegraphs:
    get:
      tags:
      - Kubernetes Proxy
      summary: Render resource graph (cacheable create)
      description: Renders a meta.k8s.appscode.com ResourceGraph object. The request object is passed
        via the "q" query parameter (JSON-encoded).
      operationId: proxy_RenderResourceGraphs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: q
        in: query
        required: true
        description: JSON-encoded ResourceGraph request object.
        schema:
          type: string
      responses:
        '200':
          description: Rendered resource graph object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/reports.scanner.appscode.com/v1alpha1/images:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get scanner image report (cacheable create)
      description: Produces a reports.scanner.appscode.com Image report. The request object is passed
        via the "q" query parameter (JSON-encoded).
      operationId: proxy_GetScannerImageReport
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: q
        in: query
        required: true
        description: JSON-encoded Image report request object.
        schema:
          type: string
      responses:
        '200':
          description: Image report object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/reports.scanner.appscode.com/v1alpha1/cvereports:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get scanner CVE report (cacheable create)
      description: Produces a reports.scanner.appscode.com CVEReport. The request object is passed via
        the "q" query parameter (JSON-encoded).
      operationId: proxy_GetScannerCVEReport
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: q
        in: query
        required: true
        description: JSON-encoded CVEReport request object.
        schema:
          type: string
      responses:
        '200':
          description: CVE report object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/policy.k8s.appscode.com/v1alpha1/policyreports:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get policy report (cacheable create)
      description: Produces a policy.k8s.appscode.com PolicyReport. The request object is passed via the
        "q" query parameter (JSON-encoded).
      operationId: proxy_GetPolicyReport
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: q
        in: query
        required: true
        description: JSON-encoded PolicyReport request object.
        schema:
          type: string
      responses:
        '200':
          description: Policy report object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/{resource}/:
    post:
      tags:
      - Kubernetes Proxy
      summary: Create a cluster-scoped resource
      description: Creates an arbitrary cluster-scoped Kubernetes object of the given GVR.
      operationId: proxy_CreateClusterScopedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Created object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    get:
      tags:
      - Kubernetes Proxy
      summary: List cluster-scoped resources
      description: Lists arbitrary cluster-scoped Kubernetes objects of the given GVR. Supports label/field
        selectors, a "filter" query for content filtering and "convertToTable" for table output.
      operationId: proxy_ListClusterScopedResources
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      responses:
        '200':
          description: List of objects (or a Table when convertToTable is set).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Kubernetes Proxy
      summary: Delete a collection of cluster-scoped resources
      description: Deletes a collection of cluster-scoped Kubernetes objects of the given GVR. The optional
        request body carries metav1.DeleteOptions.
      operationId: proxy_DeleteClusterScopedCollection
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      requestBody:
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Collection deleted.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/{resource}/{name}:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get a cluster-scoped resource
      description: Reads an arbitrary cluster-scoped Kubernetes object by name.
      operationId: proxy_GetClusterScopedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      responses:
        '200':
          description: The object (or a Table when convertToTable is set).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Object not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    put:
      tags:
      - Kubernetes Proxy
      summary: Update a cluster-scoped resource
      description: Replaces an arbitrary cluster-scoped Kubernetes object.
      operationId: proxy_UpdateClusterScopedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Updated object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    patch:
      tags:
      - Kubernetes Proxy
      summary: Patch a cluster-scoped resource
      description: Patches an arbitrary cluster-scoped Kubernetes object. Supports JSON/merge/strategic-merge
        patch types via Content-Type; a plain JSON body is diffed against the current object to build
        a JSON patch.
      operationId: proxy_PatchClusterScopedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Patched object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Kubernetes Proxy
      summary: Delete a cluster-scoped resource
      description: Deletes an arbitrary cluster-scoped Kubernetes object by name. The optional request
        body carries metav1.DeleteOptions.
      operationId: proxy_DeleteClusterScopedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Object deleted.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/{resource}/{name}/status:
    put:
      tags:
      - Kubernetes Proxy
      summary: Update a cluster-scoped resource status
      description: Patches the status subresource of an arbitrary cluster-scoped Kubernetes object.
      operationId: proxy_UpdateClusterScopedResourceStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Object with updated status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    patch:
      tags:
      - Kubernetes Proxy
      summary: Patch a cluster-scoped resource status
      description: Patches the status subresource of an arbitrary cluster-scoped Kubernetes object.
      operationId: proxy_PatchClusterScopedResourceStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Object with updated status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/{resource}/{name}/events:
    get:
      tags:
      - Kubernetes Proxy
      summary: List events for a cluster-scoped resource
      description: Lists Kubernetes events referencing the named cluster-scoped object.
      operationId: proxy_ListClusterScopedResourceEvents
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      responses:
        '200':
          description: Event list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/{resource}/{name}/controller:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get controller of a cluster-scoped resource
      description: Returns the controlling owner object of the named cluster-scoped object.
      operationId: proxy_GetClusterScopedResourceController
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      responses:
        '200':
          description: Controller object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Controller not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/namespaces/{namespace}/{resource}/{name}/scale:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get the scale subresource
      description: Reads the scale subresource of the named namespaced object.
      operationId: proxy_GetScale
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      responses:
        '200':
          description: Scale object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    put:
      tags:
      - Kubernetes Proxy
      summary: Update the scale subresource
      description: Updates the replica count of the named namespaced object via its scale subresource.
        The request body carries a JSON object with a "replicas" integer field.
      operationId: proxy_UpdateScale
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                replicas:
                  type: integer
                  format: int32
                  description: Desired replica count.
              required:
              - replicas
      responses:
        '200':
          description: Updated scale object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/namespaces/{namespace}/{resource}/{name}/horizontalpodautoscalers:
    get:
      tags:
      - Kubernetes Proxy
      summary: List HPAs targeting a namespaced resource
      description: Returns the HorizontalPodAutoscalers whose scale target matches the named namespaced
        object.
      operationId: proxy_ListResourceHPAs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      responses:
        '200':
          description: Filtered HorizontalPodAutoscaler list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/namespaces/{namespace}/{resource}/:
    post:
      tags:
      - Kubernetes Proxy
      summary: Create a namespaced resource
      description: Creates an arbitrary namespaced Kubernetes object of the given GVR.
      operationId: proxy_CreateNamespacedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Target namespace.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Created object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    get:
      tags:
      - Kubernetes Proxy
      summary: List namespaced resources
      description: Lists arbitrary namespaced Kubernetes objects of the given GVR. Supports label/field
        selectors, "filter" and "convertToTable" query parameters.
      operationId: proxy_ListNamespacedResources
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Target namespace.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      responses:
        '200':
          description: List of objects (or a Table when convertToTable is set).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Kubernetes Proxy
      summary: Delete a collection of namespaced resources
      description: Deletes a collection of namespaced Kubernetes objects of the given GVR. The optional
        request body carries metav1.DeleteOptions.
      operationId: proxy_DeleteNamespacedCollection
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Target namespace.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      requestBody:
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Collection deleted.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/namespaces/{namespace}/{resource}/{name}:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get a namespaced resource
      description: Reads an arbitrary namespaced Kubernetes object by name.
      operationId: proxy_GetNamespacedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      responses:
        '200':
          description: The object (or a Table when convertToTable is set).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '304':
          description: Not Modified (Etag matched).
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Object not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    put:
      tags:
      - Kubernetes Proxy
      summary: Update a namespaced resource
      description: Replaces an arbitrary namespaced Kubernetes object.
      operationId: proxy_UpdateNamespacedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Updated object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    patch:
      tags:
      - Kubernetes Proxy
      summary: Patch a namespaced resource
      description: Patches an arbitrary namespaced Kubernetes object. Supports JSON/merge/strategic-merge
        patch types via Content-Type; a plain JSON body is diffed against the current object to build
        a JSON patch.
      operationId: proxy_PatchNamespacedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Patched object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Kubernetes Proxy
      summary: Delete a namespaced resource
      description: Deletes an arbitrary namespaced Kubernetes object by name. The optional request body
        carries metav1.DeleteOptions.
      operationId: proxy_DeleteNamespacedResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: false
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Object deleted.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/namespaces/{namespace}/{resource}/{name}/status:
    put:
      tags:
      - Kubernetes Proxy
      summary: Update a namespaced resource status
      description: Patches the status subresource of an arbitrary namespaced Kubernetes object.
      operationId: proxy_UpdateNamespacedResourceStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Object with updated status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    patch:
      tags:
      - Kubernetes Proxy
      summary: Patch a namespaced resource status
      description: Patches the status subresource of an arbitrary namespaced Kubernetes object.
      operationId: proxy_PatchNamespacedResourceStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Object with updated status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/namespaces/{namespace}/{resource}/{name}/events:
    get:
      tags:
      - Kubernetes Proxy
      summary: List events for a namespaced resource
      description: Lists Kubernetes events referencing the named namespaced object.
      operationId: proxy_ListNamespacedResourceEvents
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      responses:
        '200':
          description: Event list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/{group}/{version}/namespaces/{namespace}/{resource}/{name}/controller:
    get:
      tags:
      - Kubernetes Proxy
      summary: Get controller of a namespaced resource
      description: Returns the controlling owner object of the named namespaced object.
      operationId: proxy_GetNamespacedResourceController
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      - name: group
        in: path
        required: true
        description: Kubernetes API group (use "core" for the legacy core group).
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: Kubernetes API version.
        schema:
          type: string
      - name: namespace
        in: path
        required: true
        description: Namespace of the object.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource (plural).
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Object name.
        schema:
          type: string
      responses:
        '200':
          description: Controller object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Controller not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/{cluster}/proxy/batch-delete:
    post:
      tags:
      - Kubernetes Proxy
      summary: Batch delete resources
      description: Deletes multiple Kubernetes objects in a single request. Each entry is deleted independently;
        the response reports the per-resource deletion status for any that failed.
      operationId: proxy_BatchDeleteResources
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BatchDeleteRequest'
      responses:
        '200':
          description: Per-resource deletion status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BatchDeleteResponse'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/providers/{provider}/skip-credentials:
    get:
      tags:
      - Cluster Management v2
      summary: Check whether credentials can be skipped for a provider
      description: Requires site-admin privileges (admin_of_administrative_org:site_admin). Only EKS is
        supported; verifies the current environment has the AWS IAM permissions needed to skip manual
        credentials.
      operationId: clustersV2_CheckSkipCredentials
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: provider
        in: path
        required: true
        description: Cloud provider identifier (only "eks" is supported).
        schema:
          type: string
      responses:
        '200':
          description: Credentials can be skipped.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SkipCredentialsResponse'
        '400':
          description: Credentials cannot be skipped (unsupported provider or insufficient permissions).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SkipCredentialsResponse'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/all-hubs:
    get:
      tags:
      - Cluster Management v2
      summary: List all hub clusters owned by the user across their organizations
      operationId: clustersV2_ListAllHubClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of active hub clusters.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/HubCluster'
        '400':
          description: User does not own any organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/all-clusters:
    get:
      tags:
      - Cluster Management v2
      summary: List all imported clusters for an owner
      description: Requires site-admin privileges (view_orgs:site_admin).
      operationId: clustersV2_ListImportedCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      responses:
        '200':
          description: List of imported clusters.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/identity/{clusterID}:
    get:
      tags:
      - Cluster Management v2
      summary: Get cluster identity metadata by cluster UID
      operationId: clustersV2_GetClusterIdentity
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: clusterID
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      responses:
        '200':
          description: Cluster metadata.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterMetadata'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '404':
          description: Cluster info not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/cluster-profiles:
    get:
      tags:
      - Cluster Management v2
      summary: List available cluster profiles
      operationId: clustersV2_GetClusterProfiles
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: An UnstructuredList of clusterprofiles (meta.k8s.appscode.com/v1alpha1).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/exist:
    get:
      tags:
      - Cluster Management v2
      summary: Check whether the cluster is imported for the given owner
      operationId: clustersV2_IsClusterImportedForThisUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: Existence flag.
          content:
            application/json:
              schema:
                type: object
                properties:
                  exist:
                    type: boolean
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}:
    get:
      tags:
      - Cluster Management v2
      summary: List clusters for an owner
      operationId: clustersV2_ListClusters2
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      responses:
        '200':
          description: List of clusters (with a provider set).
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/hub-info:
    get:
      tags:
      - Cluster Management v2
      summary: Get hub cluster connection info (token and API server) for OCM hub clusters
      operationId: clustersV2_GetHubInfo
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      responses:
        '200':
          description: Map keyed by cluster name; each value contains apiServer and token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '400':
          description: Failed to list OCM manager clusters.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/has-hub:
    get:
      tags:
      - Cluster Management v2
      summary: Check whether the owner has any hub cluster
      operationId: clustersV2_HasHubCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      responses:
        '200':
          description: Hub presence flag.
          content:
            application/json:
              schema:
                type: object
                properties:
                  has-hub:
                    type: boolean
        '400':
          description: Failed to list OCM manager clusters.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/reconcile:
    get:
      tags:
      - Cluster Management v2
      summary: Reconcile Helm releases for specified features
      description: Adds reconcile annotations to the HelmReleases of the features passed in the "features"
        query parameter (comma-separated).
      operationId: clustersV2_ReconcileHelmRelease
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: features
        in: query
        required: false
        description: Comma-separated list of feature names to reconcile.
        schema:
          type: string
      responses:
        '200':
          description: Reconcile triggered.
        '400':
          description: A feature or its HelmRelease was not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/status:
    get:
      tags:
      - Cluster Management v2
      summary: Get the current status of a cluster
      operationId: clustersV2_GetClusterStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: Cluster info with resolved status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/connect:
    post:
      tags:
      - Cluster Management v2
      summary: Connect (or re-connect) to an already-imported cluster
      operationId: clustersV2_Connect
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: operation
        in: query
        required: false
        description: Set to "re-connect" to update existing credentials.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ConnectOptions'
      responses:
        '200':
          description: Cluster info after connecting.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '400':
          description: Failed to connect (already-existing user auth on non-reconnect).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/remove:
    post:
      tags:
      - Cluster Management v2
      summary: Remove a cluster and its components
      operationId: clustersV2_RemoveClusterV2
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: response-id
        in: query
        required: false
        description: Optional response identifier for progress notifications.
        schema:
          type: string
      - name: notify
        in: query
        required: false
        description: Whether to send progress notifications (defaults to true).
        schema:
          type: boolean
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RemovalOptions'
      responses:
        '200':
          description: Removal task submitted.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/update-version/operations:
    get:
      tags:
      - Cluster Management v2
      summary: List cluster version update operations
      operationId: clustersV2_ListUpdateVersionOperations
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: A ConfigMapList of upgrade operations.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/update-version/list:
    get:
      tags:
      - Cluster Management v2
      summary: List upgradeable Kubernetes versions for a cluster
      operationId: clustersV2_GetUpgradeableK8SVersions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: List of upgradeable Kubernetes versions.
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/update-version/{version}:
    get:
      tags:
      - Cluster Management v2
      summary: Upgrade a CAPI cluster to a target Kubernetes version
      operationId: clustersV2_UpdateK8sVersion
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: version
        in: path
        required: true
        description: Target Kubernetes version.
        schema:
          type: string
      responses:
        '200':
          description: Upgrade task submitted.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/gateway-configs:
    get:
      tags:
      - Cluster Management v2
      summary: List gateway configurations
      operationId: clustersV2_ListGatewayConfigs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: List of gateway configuration rows.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/GatewayConfigInfo'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    put:
      tags:
      - Cluster Management v2
      summary: Update all non-ace gateway configurations to the ace chart version
      operationId: clustersV2_UpdateAllGatewayConfigs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: Gateway configurations updated.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/gateway-configs/{namespace}/{name}:
    put:
      tags:
      - Cluster Management v2
      summary: Update a single gateway configuration to the ace chart version
      operationId: clustersV2_UpdateGatewayConfig
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: namespace
        in: path
        required: true
        description: Namespace of the GatewayConfig.
        schema:
          type: string
      - name: name
        in: path
        required: true
        description: Name of the GatewayConfig.
        schema:
          type: string
      responses:
        '200':
          description: Gateway configuration updated.
        '400':
          description: The ace gateway config cannot be updated.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/reconfigure:
    post:
      tags:
      - Cluster Management v2
      summary: Reconfigure a cluster's components
      operationId: clustersV2_Reconfigure
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ReconfigureOptions'
      responses:
        '200':
          description: Reconfiguration accepted. Returns the internal cluster info record (modeled as
            a generic object).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/feature/{feature}/convert:
    post:
      tags:
      - Cluster Management v2
      summary: Convert a feature to be UI-managed
      operationId: clustersV2_ConvertFeature
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: feature
        in: path
        required: true
        description: Name of the feature to convert.
        schema:
          type: string
      responses:
        '200':
          description: Feature converted to UI-managed.
        '400':
          description: Feature is not enabled or already UI-managed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/subscriptions/:
    post:
      tags:
      - Cluster Management v2
      summary: Subscribe the current user to cluster-level inbox notifications
      operationId: clustersV2_CreateClusterSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: Subscription created.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    get:
      tags:
      - Cluster Management v2
      summary: Check the current user's cluster-level inbox subscription
      operationId: clustersV2_CheckClusterSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: Subscription exists.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Cluster Management v2
      summary: Remove the cluster-level inbox subscription
      operationId: clustersV2_RemoveClusterSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      responses:
        '200':
          description: Subscription removed.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/subscriptions/namespaces/{namespace}/:
    post:
      tags:
      - Cluster Management v2
      summary: Subscribe the current user to namespace-level inbox notifications
      operationId: clustersV2_CreateNamespaceSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: namespace
        in: path
        required: true
        description: Namespace to subscribe to.
        schema:
          type: string
      responses:
        '200':
          description: Subscription created.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    get:
      tags:
      - Cluster Management v2
      summary: Check the current user's namespace-level inbox subscription
      operationId: clustersV2_CheckNamespaceSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: namespace
        in: path
        required: true
        description: Namespace to check.
        schema:
          type: string
      responses:
        '200':
          description: Subscription exists.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Cluster Management v2
      summary: Remove the namespace-level inbox subscription
      operationId: clustersV2_RemoveNamespaceSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: namespace
        in: path
        required: true
        description: Namespace to unsubscribe from.
        schema:
          type: string
      responses:
        '200':
          description: Subscription removed.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/{cluster}/subscriptions/namespaces/{namespace}/{group}/{version}/{resource}/{resourceName}:
    post:
      tags:
      - Cluster Management v2
      summary: Subscribe the current user to resource-level inbox notifications
      operationId: clustersV2_CreateResourceSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: namespace
        in: path
        required: true
        description: Namespace of the resource.
        schema:
          type: string
      - name: group
        in: path
        required: true
        description: API group of the resource.
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: API version of the resource.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Resource (plural) name.
        schema:
          type: string
      - name: resourceName
        in: path
        required: true
        description: Name of the specific resource object.
        schema:
          type: string
      responses:
        '200':
          description: Subscription created.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    get:
      tags:
      - Cluster Management v2
      summary: Check the current user's resource-level inbox subscription
      operationId: clustersV2_CheckResourceSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: namespace
        in: path
        required: true
        description: Namespace of the resource.
        schema:
          type: string
      - name: group
        in: path
        required: true
        description: API group of the resource.
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: API version of the resource.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Resource (plural) name.
        schema:
          type: string
      - name: resourceName
        in: path
        required: true
        description: Name of the specific resource object.
        schema:
          type: string
      responses:
        '200':
          description: Subscription exists.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
    delete:
      tags:
      - Cluster Management v2
      summary: Remove the resource-level inbox subscription
      operationId: clustersV2_RemoveResourceSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - $ref: '#/components/parameters/clusterPathParam'
      - name: namespace
        in: path
        required: true
        description: Namespace of the resource.
        schema:
          type: string
      - name: group
        in: path
        required: true
        description: API group of the resource.
        schema:
          type: string
      - name: version
        in: path
        required: true
        description: API version of the resource.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Resource (plural) name.
        schema:
          type: string
      - name: resourceName
        in: path
        required: true
        description: Name of the specific resource object.
        schema:
          type: string
      responses:
        '200':
          description: Subscription removed.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/check:
    post:
      tags:
      - Cluster Management v2
      summary: Check whether a cluster already exists / is importable
      operationId: clustersV2_CheckClusterExistence
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CheckOptions'
      responses:
        '200':
          description: Cluster info describing existence / import status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/validate:
    post:
      tags:
      - Cluster Management v2
      summary: Validate cluster import options
      operationId: clustersV2_ValidateHandler
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      - name: operation
        in: query
        required: false
        description: Set to "connect" to skip flux/feature-set detection.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ImportOptions'
      responses:
        '200':
          description: Validation result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationResponse'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/import:
    post:
      tags:
      - Cluster Management v2
      summary: Import a cluster
      operationId: clustersV2_ImportClusterHandler
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ImportOptions'
      responses:
        '200':
          description: Imported cluster info.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/vcluster/create:
    post:
      tags:
      - Cluster Management v2
      summary: Create a virtual cluster on a host cluster
      operationId: clustersV2_CreateVirtualCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterOptions'
      responses:
        '200':
          description: Virtual cluster creation task submitted.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clustersv2/{owner}/vcluster/import:
    post:
      tags:
      - Cluster Management v2
      summary: Import a virtual cluster from a host cluster
      operationId: clustersV2_ImportVirtualCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerPathParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterOptions'
      responses:
        '200':
          description: Virtual cluster import task submitted.
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          description: Invalid request body.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /agent/{clusterName}/{clusterID}/token:
    get:
      tags:
      - Cluster Management v2
      summary: Get an inbox agent JWT token for a cluster
      operationId: clustersV2_GetInboxAgentToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: clusterName
        in: path
        required: true
        description: Cluster name.
        schema:
          type: string
      - name: clusterID
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      responses:
        '200':
          description: Inbox agent token response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InboxTokenRequestResponse'
        '401':
          description: Unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '403':
          description: Forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
  /clusters/{owner}/hubs:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List OCM hub clusters owned by the owner
      operationId: ocm_ListHubClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of hub clusters (OCM / OCM-MC) owned by the owner.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/HubCluster'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/accept-spoke:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Accept spoke cluster join requests on the hub
      operationId: ocm_AcceptSpokeClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AcceptOptions'
      responses:
        '200':
          description: Spoke cluster join requests accepted.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/managed-clusters:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List all OCM managed clusters
      operationId: ocm_ListManagedClusters
      description: Returns the raw OCM ManagedClusterList object from the hub cluster.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: OCM ManagedClusterList object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/not-accepted-clusters:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List managed clusters not yet accepted by the hub
      operationId: ocm_ListNotAcceptedClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: List of managed clusters that have not been accepted.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ManagedClusterInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/accepted-clusters:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List managed clusters accepted by the hub
      operationId: ocm_ListAcceptedClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: List of accepted managed clusters.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ManagedClusterInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/validate-profile:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: Validate spoke cluster feature sets against a profile
      operationId: ocm_ValidateSpokeClustersFeatureSets
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: profile
        in: query
        required: false
        description: Cluster profile to validate against (defaults to "dbaas-generic").
        schema:
          type: string
      responses:
        '200':
          description: Validation result. Contains "valid" ("true"/"false" string) and, when invalid,
            a "recommended-features" list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/available-clusters:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List managed clusters available for use by the owner
      operationId: ocm_GetAvailableManagedClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: List of available managed clusters.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ManagedClusterInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/available-clustersets:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List cluster sets available for use by the owner
      operationId: ocm_GetAvailableManagedClusterSets
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: type
        in: query
        required: false
        description: Filter mode. When set to "client-org", cluster sets are further filtered for client-org
          eligibility.
        schema:
          type: string
      responses:
        '200':
          description: List of available cluster set names.
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List cluster sets on the hub
      operationId: ocm_ListClusterSets
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: List of cluster sets with cluster counts.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ListClusterSetResp'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/add:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Add clusters to a cluster set
      operationId: ocm_AddToClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterSetOptions'
      responses:
        '200':
          description: Clusters added to the cluster set.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/clustersets/remove:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Remove clusters from a cluster set
      operationId: ocm_RemoveFromClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterSetOptions'
      responses:
        '200':
          description: Clusters removed from the cluster set.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/clustersets/create:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Create a cluster set
      operationId: ocm_CreateClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterSetOptions'
      responses:
        '200':
          description: Cluster set created.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/clustersets/delete:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Delete a cluster set
      operationId: ocm_DeleteClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterSetOptions'
      responses:
        '200':
          description: Cluster set deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/featuresets:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List available feature sets of a cluster set
      operationId: ocm_GetAvailableFeatureSetsOfClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      responses:
        '200':
          description: List of feature set info for the cluster set.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/FeatureSetInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/clusters:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List clusters belonging to a cluster set
      operationId: ocm_GetClusterOfClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      responses:
        '200':
          description: Clusters belonging to the cluster set.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClustersResp'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/clusterlist:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List clusters that can be added to a cluster set
      operationId: ocm_ListAddableClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      responses:
        '200':
          description: List of managed cluster names addable to the cluster set.
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/disable-featureset:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Disable a feature set on a cluster set
      operationId: ocm_DisableFeatureSetFromClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EnableFeatureOptions'
      responses:
        '200':
          description: Feature set disabled on the cluster set.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/install-featureset:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Install a feature set on a cluster set
      operationId: ocm_InstallFeatureSetOnClusterSet
      description: The request body is a free-form Helm values / model object (map[string]any) describing
        the feature set to install.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Feature set installed on the cluster set.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/{managedCluster}/update-featureset:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Update the profile binding / feature set for a managed cluster
      operationId: ocm_UpdateManagedClusterProfileBinding
      description: The request body is a free-form Helm values / model object (map[string]any) describing
        the feature set update.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      - name: managedCluster
        in: path
        required: true
        description: Managed cluster name.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Managed cluster profile binding updated.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/auth-info:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: Get authorization info for a cluster set
      operationId: ocm_GetAuthInfoOfClusterSet
      description: Returns a map of role-ref name to the list of users granted that role on the cluster
        set. Users are returned as the internal user model.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      responses:
        '200':
          description: Map of role-ref name to a list of users. Modeled as a free-form object because
            the value is the internal user model.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/auto-update:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Trigger auto-update of a cluster set
      operationId: ocm_AutoUpdateClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      responses:
        '200':
          description: Cluster set auto-update triggered.
        '400':
          description: Auto-update is not possible (spoke clusters not on the latest version).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/auto-update/check:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: Check whether auto-update is possible for a cluster set
      operationId: ocm_IsAutoUpdatePossible
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      responses:
        '200':
          description: Whether auto-update is possible.
          content:
            application/json:
              schema:
                type: object
                properties:
                  possible:
                    type: boolean
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/sync-status/all-features:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: Get sync status of all features in a cluster set
      operationId: ocm_AllFeaturesSyncStatus
      description: Returns a nested map of feature set to feature to sync status (in-sync and unaligned
        cluster names).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      responses:
        '200':
          description: Nested feature-set / feature sync status map.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/sync-status/opscenter-features-version:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: Get opscenter-features version sync status for a cluster set
      operationId: ocm_OpscenterFeaturesVersionSyncStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      responses:
        '200':
          description: Cluster set opscenter-features version and per-cluster version list.
          content:
            application/json:
              schema:
                type: object
                properties:
                  clusterSetVersion:
                    type: string
                  clusters:
                    type: array
                    items:
                      $ref: '#/components/schemas/versionObj'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/clustersets/{clusterset}/sync-status/{feature}:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: Get sync status of a single feature in a cluster set
      operationId: ocm_FeatureSyncStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: clusterset
        in: path
        required: true
        description: Cluster set name.
        schema:
          type: string
      - name: feature
        in: path
        required: true
        description: Feature name.
        schema:
          type: string
      responses:
        '200':
          description: In-sync and out-of-sync cluster names for the feature.
          content:
            application/json:
              schema:
                type: object
                properties:
                  insyncClusters:
                    type: array
                    items:
                      type: string
                  outOfSyncClusters:
                    type: array
                    items:
                      type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/bound-namespaces:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List namespaces and their bound cluster sets
      operationId: ocm_GetBoundNamespaces
      description: Returns a map of namespace name to the list of cluster sets bound to that namespace.
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: Map of namespace name to bound cluster set names.
          content:
            application/json:
              schema:
                type: object
                additionalProperties:
                  type: array
                  items:
                    type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/bound-namespaces/bind:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Bind a namespace to a cluster set
      operationId: ocm_BindNamespaceWithClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BindNamespaceOptions'
      responses:
        '200':
          description: Namespace bound to the cluster set.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/bound-namespaces/unbind:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Unbind a namespace from a cluster set
      operationId: ocm_UnBindNamespaceWithClusterSet
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BindNamespaceOptions'
      responses:
        '200':
          description: Namespace unbound from the cluster set.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/spoke-command:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Generate the spoke cluster install command
      operationId: ocm_GenerateSpokeInstallCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterOptions'
      responses:
        '200':
          description: The generated spoke install command.
          content:
            application/json:
              schema:
                type: object
                properties:
                  spoke:
                    type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/import-spoke:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Accept and import a spoke cluster
      operationId: ocm_AcceptAndImportCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ImportOptions'
      responses:
        '200':
          description: Cluster import by OCM submitted.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/convert/spoke:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Convert a cluster to a spoke cluster
      operationId: ocm_ConvertToSpokeCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ImportOptions'
      responses:
        '200':
          description: Cluster converted to a spoke cluster.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/remove-managed-cluster:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Remove a managed cluster (uninstall the spoke agent)
      operationId: ocm_RemoveManagedCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RemoveClusterOptions'
      responses:
        '200':
          description: Managed cluster removed.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/sync-accounts:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Sync account objects (users/groups) to the hub cluster
      operationId: ocm_SyncAccountObjects
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: Account objects synced.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/users:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List OCM users on the hub cluster
      operationId: ocm_GetUserList
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: List of OCM users.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/user/create:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Create an OCM user with cluster/cluster-set permissions
      operationId: ocm_CreateOCMUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserOptions'
      responses:
        '200':
          description: OCM user created.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/user/{id}:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: Get an OCM user's permissions
      operationId: ocm_GetUserInfo
      description: Returns the user's cluster and cluster-set permissions. The two maps marshal with capitalized
        Go field names (ClusterPermissions / ClusterSetPermissions).
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: OCM user ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: The user's permissions.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserPermissions'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /clusters/{owner}/{cluster}/user/{id}/access:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: List clusters/namespaces accessible to an OCM user
      operationId: ocm_GetAccessibleClusterList
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: OCM user ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Sorted list of accessible cluster/namespace names.
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /clusters/{owner}/{cluster}/user/{id}/{spokeName}/kubeconfig:
    get:
      tags:
      - Multi-cluster (OCM)
      summary: Get an OCM user's kubeconfig for a spoke cluster
      operationId: ocm_GetUserKubeConfig
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: OCM user ID.
        schema:
          type: integer
          format: int64
      - name: spokeName
        in: path
        required: true
        description: Spoke cluster name.
        schema:
          type: string
      responses:
        '200':
          description: The kubeconfig (YAML) as a JSON-encoded string.
          content:
            application/json:
              schema:
                type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /clusters/{owner}/{cluster}/user/{id}/remove:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Remove specific permissions from an OCM user
      operationId: ocm_RemoveOCMUserPermission
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: OCM user ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RemovePermissionOpts'
      responses:
        '200':
          description: Permissions removed from the user.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/user/{id}/update:
    post:
      tags:
      - Multi-cluster (OCM)
      summary: Update an OCM user's permissions
      operationId: ocm_UpdateOCMUserPermission
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: OCM user ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserOptions'
      responses:
        '200':
          description: User permissions updated.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/user/{id}/delete:
    delete:
      tags:
      - Multi-cluster (OCM)
      summary: Delete an OCM user
      operationId: ocm_RemoveOCMUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: OCM user ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: OCM user deleted.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /clusters/{owner}/{cluster}/permission/users:
    get:
      tags:
      - Client Organizations
      summary: List users of a client organization
      description: Returns the list of users belonging to the client organization (`owner`) that have
        been granted access on this cluster. Requires a valid token and that `owner` resolves to a client
        organization (`reqClientOrg`).
      operationId: clientOrg_ListUsers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      responses:
        '200':
          description: The list of users of the client organization.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /clusters/{owner}/{cluster}/permission/user/create:
    post:
      tags:
      - Client Organizations
      summary: Create a client-org user and assign permissions
      description: Creates an OCM user for the client organization (`owner`) on this cluster and assigns
        the requested permissions (creating the necessary RBAC role/cluster-role bindings and importing/connecting
        clusters for the user). Requires organization-admin authorization on `owner` (`Organization_Admin`).
      operationId: clientOrg_CreateUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserOptions'
      responses:
        '200':
          description: The user was created and permissions were assigned.
        '400':
          description: Invalid permission options for the client organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/permission/user/{id}:
    post:
      tags:
      - Client Organizations
      summary: Get a client-org user's permissions on a cluster
      description: Returns the roles and cluster-roles assigned to the client-org user (`id`) on this
        cluster, scoped to the namespaces supplied in the request body. Requires organization-admin authorization
        on `owner`.
      operationId: clientOrg_GetUserInfo
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: Numeric ID of the user.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PermissionScopes'
      responses:
        '200':
          description: The user's permissions on the cluster.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClientOrgUserPermission'
        '400':
          description: The user is not part of the client organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/permission/user/{id}/kubeconfig:
    get:
      tags:
      - Client Organizations
      summary: Get a kubeconfig for a client-org user
      description: Generates a kubeconfig for the client-org user (`id`) to access this cluster, provided
        the user has permission in the client organization's cluster. Requires organization-admin authorization
        on `owner`.
      operationId: clientOrg_GetUserKubeConfig
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: Numeric ID of the user.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: The generated kubeconfig (YAML document as a JSON string).
          content:
            application/json:
              schema:
                type: string
        '400':
          description: The user does not have permission in the client-org cluster.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /clusters/{owner}/{cluster}/permission/user/{id}/remove:
    post:
      tags:
      - Client Organizations
      summary: Remove specific permissions from a client-org user
      description: Deletes the named cluster-scoped and namespace-scoped RBAC bindings for the client-org
        user (`id`) on this cluster. Requires organization-admin authorization on `owner`.
      operationId: clientOrg_RemoveUserPermission
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: Numeric ID of the user.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RemovePermissionOpts'
      responses:
        '200':
          description: The specified permissions were removed.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/permission/user/{id}/update:
    post:
      tags:
      - Client Organizations
      summary: Update a client-org user's permissions
      description: Re-assigns permissions for the client-org user on this cluster. Requires organization-admin
        authorization on `owner`.
      operationId: clientOrg_UpdateUserPermission
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: Numeric ID of the user.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserOptions'
      responses:
        '200':
          description: The user's permissions were updated.
        '400':
          description: Invalid permission options for the client organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '422':
          $ref: '#/components/responses/ValidationError'
  /clusters/{owner}/{cluster}/permission/user/{id}/delete:
    delete:
      tags:
      - Client Organizations
      summary: Remove a client-org user
      description: 'Removes the client-org user (`id`) entirely from this cluster: strips the hub-owner
        and client-org annotations and deletes all associated RBAC role and cluster-role bindings. Requires
        organization-admin authorization on `owner`.'
      operationId: clientOrg_DeleteUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - $ref: '#/components/parameters/clusterParam'
      - name: id
        in: path
        required: true
        description: Numeric ID of the user.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: The user was removed from the cluster.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/clients:
    get:
      tags:
      - Client Organizations
      summary: List client organizations
      description: Returns all client organizations known to the platform. Site-admin only (`Organization_SiteAdminCanViewClientOrg`);
        the caller must be acting within an organization (`reqMustFromOrg`).
      operationId: clientOrg_List
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: The list of client organizations.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Organization'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/client/{id}:
    get:
      tags:
      - Client Organizations
      summary: Get a client organization
      description: Returns a single client organization by its numeric ID. Site-admin only (`Organization_SiteAdminCanViewClientOrg`).
      operationId: clientOrg_Get
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: Numeric ID of the client organization.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: The client organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Organization'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /user/client/create:
    post:
      tags:
      - Client Organizations
      summary: Create a client organization
      description: Creates a client organization, provisions the org admin user, grants permission on
        the hub cluster, and imports the requested spoke cluster(s) with the client org as owner. Site-admin
        only (`Organization_SiteAdminCanCreateClientOrg`).
      operationId: clientOrg_Create
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClientOrgParams'
      responses:
        '200':
          description: The client organization was created.
        '400':
          description: Invalid parameters (e.g. missing Rancher management cluster endpoint).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '409':
          description: An organization with the same name already exists.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/client/{orgname}/add-cluster:
    post:
      tags:
      - Client Organizations
      summary: Add a cluster to a client organization
      description: Imports an additional spoke cluster into the client organization (`orgname`), granting
        the org admins access and setting up the associated namespaces/gateway presets and telemetry.
        Site-admin only (`Organization_SiteAdminCanAddClusterToClientOrg`).
      operationId: clientOrg_AddCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AddClusterParams'
      responses:
        '200':
          description: The cluster was added to the client organization.
        '400':
          description: The cluster is already imported for this organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/APIError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/client/{orgname}/delete-cluster:
    post:
      tags:
      - Client Organizations
      summary: Remove a cluster from a client organization
      description: Removes a spoke cluster from the client organization (`orgname`), cleaning up the client-org
        namespace and associated hub/spoke resources. Site-admin only (`Organization_SiteAdminCanRemoveClusterFromClientOrg`).
      operationId: clientOrg_RemoveCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RemoveClusterParams'
      responses:
        '200':
          description: The cluster removal was accepted (cleanup runs asynchronously).
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '422':
          $ref: '#/components/responses/ValidationError'
  /user/client/{orgname}/cluster/{cluster}/status:
    get:
      tags:
      - Client Organizations
      summary: Get a client-org cluster's status
      description: Returns the deletion/active status of a single cluster within the client organization
        (`orgname`). Site-admin only (`Organization_SiteAdminCanViewClientOrg`).
      operationId: clientOrg_GetClusterStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      - name: cluster
        in: path
        required: true
        description: Cluster name within the client organization.
        schema:
          type: string
      responses:
        '200':
          description: The cluster status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClientOrgStatus'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/client/{orgname}/status:
    get:
      tags:
      - Client Organizations
      summary: Get a client organization's aggregate status
      description: Returns the aggregate deletion/active status across all clusters of the client organization
        (`orgname`). Site-admin only (`Organization_SiteAdminCanViewClientOrg`).
      operationId: clientOrg_GetStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: The aggregate status of the client organization.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClientOrgStatus'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /user/client/delete/{id}:
    delete:
      tags:
      - Client Organizations
      summary: Delete a client organization
      description: Deletes the client organization (`id`), tearing down its namespaces and cluster resources
        across all spoke clusters. Deletion is rejected if another organization still references this
        client org's gateway config. Site-admin only (`Organization_SiteAdminCanDeleteClientOrg`).
      operationId: clientOrg_Delete
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: id
        in: path
        required: true
        description: Numeric ID of the client organization.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: The deletion was accepted (teardown runs asynchronously).
        '400':
          description: The client organization cannot be deleted because another organization is using
            resources from it.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /clouds:
    get:
      tags:
      - Cloud Providers
      summary: List supported cloud providers
      description: Returns the list of cloud providers supported by the platform for cluster provisioning
        and discovery. This endpoint is public and requires no authentication.
      operationId: clouds_ListClouds
      security: []
      parameters: []
      responses:
        '200':
          description: List of supported cloud providers
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CloudProviderList'
  /clouds/{owner}/{provider}/cluster:
    post:
      tags:
      - Cloud Providers
      summary: Provision a managed (CAPI) cluster on a cloud provider
      description: Provisions a new Cluster API (CAPI) based cluster on the given cloud provider and imports
        it into the platform. Requires a valid authentication token and stored cloud credentials for the
        referenced provider. The `provider` path parameter selects the target cloud provider (e.g. `kubevirt`);
        for `kubevirt` the CAPI cluster config is validated (worker pools, machine count, cpu, memory
        are required). An optional `response-id` query parameter correlates the async provisioning response.
      operationId: clouds_ProvisionClusterCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: provider
        in: path
        required: true
        description: Target cloud provider name (e.g. gke, aks, eks, kubevirt).
        schema:
          type: string
      - name: response-id
        in: query
        required: false
        description: Correlation id for the asynchronous provisioning response.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterProvisionConfig'
      responses:
        '200':
          description: Provider options for the provisioned cluster
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProviderOptions'
        '400':
          description: Invalid CAPI cluster config (e.g. missing worker pools)
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
        '422':
          description: Unprocessable entity - request body failed validation
  /clouds/{owner}/providers/gke/projects:
    get:
      tags:
      - Cloud Providers
      summary: List GKE projects
      description: Lists Google Cloud projects accessible with the stored GKE credentials. Requires a
        valid authentication token and stored cloud credentials.
      operationId: clouds_GetGKEProjects
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of GKE project names
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/gke/projects/{project}/regions/:
    get:
      tags:
      - Cloud Providers
      summary: List GKE regions
      description: Lists available regions (with zones) for the given GKE project. Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetGKERegions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: project
        in: path
        required: true
        description: GKE project id.
        schema:
          type: string
      responses:
        '200':
          description: List of regions and their zones
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Locations'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/gke/projects/{project}/regions/{region}/kubernetesversions:
    get:
      tags:
      - Cloud Providers
      summary: List GKE Kubernetes versions
      description: Lists the supported Kubernetes versions for the given GKE project and region. Requires
        a valid authentication token and stored cloud credentials.
      operationId: clouds_GetGKEKubernetesVersions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: project
        in: path
        required: true
        description: GKE project id.
        schema:
          type: string
      - name: region
        in: path
        required: true
        description: GKE region.
        schema:
          type: string
      responses:
        '200':
          description: List of supported Kubernetes versions
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/gke/projects/{project}/regions/{region}/vms:
    get:
      tags:
      - Cloud Providers
      summary: List GKE machine types (VMs)
      description: Lists available machine types for the given GKE project, region and zone, grouped by
        family. The `zone` query parameter is required (e.g. `zone=us-east1-b`). Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetGKEVMs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: project
        in: path
        required: true
        description: GKE project id.
        schema:
          type: string
      - name: region
        in: path
        required: true
        description: GKE region.
        schema:
          type: string
      - name: zone
        in: query
        required: true
        description: GKE zone (e.g. us-east1-b).
        schema:
          type: string
      responses:
        '200':
          description: Machine types grouped by family
          content:
            application/json:
              schema:
                type: object
                additionalProperties:
                  type: array
                  items:
                    $ref: '#/components/schemas/VMInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/gke/projects/{project}/clusters:
    get:
      tags:
      - Cloud Providers
      summary: List GKE clusters in a project
      description: Lists the GKE clusters that exist in the given project. Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetGKEProjectClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: project
        in: path
        required: true
        description: GKE project id.
        schema:
          type: string
      responses:
        '200':
          description: List of GKE clusters
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/gke/projects/{project}/clusters/{cluster}:
    get:
      tags:
      - Cloud Providers
      summary: Get GKE cluster info
      description: 'Returns detailed information for a single GKE cluster (for import). The `location`
        query parameter identifies the cluster location. Requires a valid authentication token and stored
        cloud credentials. Note: the response is serialized from the internal `models.ClusterInfo` type,
        which shares the same JSON shape as ClusterInfo.'
      operationId: clouds_GetGKEClusterInfo
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: project
        in: path
        required: true
        description: GKE project id.
        schema:
          type: string
      - name: cluster
        in: path
        required: true
        description: GKE cluster name.
        schema:
          type: string
      - name: location
        in: query
        required: false
        description: GKE cluster location.
        schema:
          type: string
      responses:
        '200':
          description: GKE cluster info
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
        '404':
          description: Cluster not found
        '409':
          description: Cluster already exists (import conflict)
  /clouds/{owner}/providers/aks/regions/:
    get:
      tags:
      - Cloud Providers
      summary: List AKS regions
      description: Lists the supported Azure (AKS) regions. Requires a valid authentication token and
        stored cloud credentials.
      operationId: clouds_GetAKSRegions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of AKS regions
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Locations'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/aks/regions/{region}/vms:
    get:
      tags:
      - Cloud Providers
      summary: List AKS machine types (VMs)
      description: Lists available machine types for the given AKS region, grouped by family. The `zones`
        query parameter is required (comma-separated, e.g. `zones=1,2,3`). Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetAKSVMs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: region
        in: path
        required: true
        description: AKS region.
        schema:
          type: string
      - name: zones
        in: query
        required: true
        description: Comma-separated availability zones (e.g. 1,2,3).
        schema:
          type: string
      responses:
        '200':
          description: Machine types grouped by family
          content:
            application/json:
              schema:
                type: object
                additionalProperties:
                  type: array
                  items:
                    $ref: '#/components/schemas/VMInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/aks/regions/{region}/kubernetesversions:
    get:
      tags:
      - Cloud Providers
      summary: List AKS Kubernetes versions
      description: Lists the supported Kubernetes versions for the given AKS region. Requires a valid
        authentication token and stored cloud credentials.
      operationId: clouds_GetAKSKubernetesVersions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: region
        in: path
        required: true
        description: AKS region.
        schema:
          type: string
      responses:
        '200':
          description: List of supported Kubernetes versions
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/aks/resourcegroups:
    get:
      tags:
      - Cloud Providers
      summary: List Azure resource groups
      description: Lists the Azure resource groups accessible with the stored AKS credentials. Requires
        a valid authentication token and stored cloud credentials.
      operationId: clouds_GetAzureResourceGroups
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of Azure resource group names
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/aks/resourcegroups/{resourcegroup}/clusters:
    get:
      tags:
      - Cloud Providers
      summary: List AKS clusters in a resource group
      description: Lists the AKS managed clusters in the given Azure resource group. Requires a valid
        authentication token and stored cloud credentials.
      operationId: clouds_GetAzureClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: resourcegroup
        in: path
        required: true
        description: Azure resource group name.
        schema:
          type: string
      responses:
        '200':
          description: List of AKS clusters
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/aks/resourcegroups/{resourcegroup}/clusters/{cluster}:
    get:
      tags:
      - Cloud Providers
      summary: Get AKS cluster info
      description: 'Returns detailed information for a single AKS cluster (for import). Requires a valid
        authentication token and stored cloud credentials. Note: the response is serialized from the internal
        `models.ClusterInfo` type, which shares the same JSON shape as ClusterInfo.'
      operationId: clouds_GetAzureClusterInfo
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: resourcegroup
        in: path
        required: true
        description: Azure resource group name.
        schema:
          type: string
      - name: cluster
        in: path
        required: true
        description: AKS cluster name.
        schema:
          type: string
      responses:
        '200':
          description: AKS cluster info
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
        '404':
          description: Cluster not found
        '409':
          description: Cluster already exists (import conflict)
  /clouds/{owner}/providers/eks/regions:
    get:
      tags:
      - Cloud Providers
      summary: List EKS regions
      description: Lists the supported AWS (EKS) regions. If no credential is stored, a default credential
        is used. Requires a valid authentication token and stored cloud credentials.
      operationId: clouds_GetAWSRegions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of EKS regions
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Locations'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/eks/regions/{region}/kubernetesversions:
    get:
      tags:
      - Cloud Providers
      summary: List EKS Kubernetes versions
      description: Lists the supported Kubernetes versions for EKS. Requires a valid authentication token
        and stored cloud credentials.
      operationId: clouds_GetAWSKubernetesVersions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: region
        in: path
        required: true
        description: EKS region.
        schema:
          type: string
      responses:
        '200':
          description: List of supported Kubernetes versions
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/eks/regions/{region}/vms:
    get:
      tags:
      - Cloud Providers
      summary: List EKS machine types (VMs)
      description: Lists available machine types for the given EKS region, grouped by family. Requires
        a valid authentication token and stored cloud credentials.
      operationId: clouds_GetAWSVMs
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: region
        in: path
        required: true
        description: EKS region.
        schema:
          type: string
      responses:
        '200':
          description: Machine types grouped by family
          content:
            application/json:
              schema:
                type: object
                additionalProperties:
                  type: array
                  items:
                    $ref: '#/components/schemas/VMInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/eks/regions/{region}/clusters:
    get:
      tags:
      - Cloud Providers
      summary: List EKS clusters in a region
      description: Lists the EKS clusters in the given AWS region. Requires a valid authentication token
        and stored cloud credentials.
      operationId: clouds_GetAWSClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: region
        in: path
        required: true
        description: EKS region.
        schema:
          type: string
      responses:
        '200':
          description: List of EKS clusters
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/eks/regions/{region}/clusters/{cluster}:
    get:
      tags:
      - Cloud Providers
      summary: Get EKS cluster info
      description: 'Returns detailed information for a single EKS cluster (for import). Requires a valid
        authentication token and stored cloud credentials. Note: the response is serialized from the internal
        `models.ClusterInfo` type, which shares the same JSON shape as ClusterInfo.'
      operationId: clouds_GetAWSClusterInfo
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: region
        in: path
        required: true
        description: EKS region.
        schema:
          type: string
      - name: cluster
        in: path
        required: true
        description: EKS cluster name.
        schema:
          type: string
      responses:
        '200':
          description: EKS cluster info
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
        '404':
          description: Cluster not found
        '409':
          description: Cluster already exists (import conflict)
  /clouds/{owner}/providers/digitalocean/clusters:
    get:
      tags:
      - Cloud Providers
      summary: List DigitalOcean clusters
      description: Lists the DigitalOcean managed Kubernetes (DOKS) clusters. Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetDigitalOceanClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of DigitalOcean clusters
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/digitalocean/clusters/{id}:
    get:
      tags:
      - Cloud Providers
      summary: Get DigitalOcean cluster info
      description: 'Returns detailed information for a single DigitalOcean cluster (for import). Requires
        a valid authentication token and stored cloud credentials. Note: the response is serialized from
        the internal `models.ClusterInfo` type, which shares the same JSON shape as ClusterInfo.'
      operationId: clouds_GetDigitalOceanClusterInfo
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: id
        in: path
        required: true
        description: DigitalOcean cluster id.
        schema:
          type: string
      responses:
        '200':
          description: DigitalOcean cluster info
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
        '404':
          description: Cluster not found
        '409':
          description: Cluster already exists (import conflict)
  /clouds/{owner}/providers/linode/clusters:
    get:
      tags:
      - Cloud Providers
      summary: List Linode (LKE) clusters
      description: Lists the Linode Kubernetes Engine (LKE) clusters. Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetLinodeClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of Linode clusters
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/linode/clusters/{id}:
    get:
      tags:
      - Cloud Providers
      summary: Get Linode (LKE) cluster info
      description: 'Returns detailed information for a single Linode cluster (for import). The `id` path
        parameter is the numeric LKE cluster id. Requires a valid authentication token and stored cloud
        credentials. Note: the response is serialized from the internal `models.ClusterInfo` type, which
        shares the same JSON shape as ClusterInfo.'
      operationId: clouds_GetLinodeClusterInfo
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: id
        in: path
        required: true
        description: Linode (LKE) cluster id.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Linode cluster info
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
        '404':
          description: Cluster not found
        '409':
          description: Cluster already exists (import conflict)
  /clouds/{owner}/providers/rancher/clusters/:
    get:
      tags:
      - Cloud Providers
      summary: List Rancher managed clusters
      description: Lists the clusters managed by the configured Rancher server. Requires a valid authentication
        token, stored cloud credentials, and a configured Rancher client.
      operationId: clouds_GetRancherClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of Rancher clusters
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/rancher/clusters/{id}:
    get:
      tags:
      - Cloud Providers
      summary: Get Rancher cluster info
      description: 'Returns detailed information for a single Rancher managed cluster (for import). Requires
        a valid authentication token, stored cloud credentials, and a configured Rancher client. Note:
        the response is serialized from the internal `models.ClusterInfo` type, which shares the same
        JSON shape as ClusterInfo.'
      operationId: clouds_GetRancherClusterInfo
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: id
        in: path
        required: true
        description: Rancher cluster id.
        schema:
          type: string
      responses:
        '200':
          description: Rancher cluster info
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
        '404':
          description: Cluster not found
        '409':
          description: Cluster already exists (import conflict)
  /clouds/{owner}/providers/hetzner/servers:
    get:
      tags:
      - Cloud Providers
      summary: List all Hetzner server types
      description: Lists all Hetzner Cloud server types (machine types). Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetHetznerAllServerTypes
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of Hetzner server types
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/VMInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/hetzner/kubernetesversions:
    get:
      tags:
      - Cloud Providers
      summary: List Hetzner Kubernetes versions
      description: Lists the supported Kubernetes versions for Hetzner. Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetHetznerKubernetesVersions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of supported Kubernetes versions
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/hetzner/regions/:
    get:
      tags:
      - Cloud Providers
      summary: List Hetzner regions
      description: Lists the available Hetzner Cloud regions (locations). Requires a valid authentication
        token and stored cloud credentials.
      operationId: clouds_GetHetznerRegions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of Hetzner regions
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Locations'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/hetzner/regions/{region}/servers:
    get:
      tags:
      - Cloud Providers
      summary: List Hetzner server types for a region
      description: Lists the Hetzner Cloud server types available in the given region. Requires a valid
        authentication token and stored cloud credentials.
      operationId: clouds_GetHetznerServerTypes
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: region
        in: path
        required: true
        description: Hetzner region (location).
        schema:
          type: string
      responses:
        '200':
          description: List of Hetzner server types
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/VMInfo'
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /clouds/{owner}/providers/kubevirt/kubernetesversions:
    get:
      tags:
      - Cloud Providers
      summary: List KubeVirt Kubernetes versions
      description: Lists the supported Kubernetes versions for KubeVirt-based clusters. Requires a valid
        authentication token and stored cloud credentials.
      operationId: clouds_GetKubeVirtKubernetesVersions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      responses:
        '200':
          description: List of supported Kubernetes versions
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized - missing or invalid authentication token
        '403':
          description: Forbidden - insufficient permissions
  /ace-installer/schema.json:
    get:
      tags:
      - Platform Installer
      summary: Serve the installer options OpenAPI v3 JSON schema
      description: Returns the raw OpenAPI v3 JSON schema for installer options (ace-options/values.openapiv3_schema.yaml)
        as a dynamic JSON object. The ace-installer APIs are AppsCode-hosted only. Requires an org resolved
        from the `org` query param.
      operationId: installer_ServeACESchema
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Raw OpenAPI v3 JSON schema.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Not permitted.
        '500':
          description: Internal server error.
  /ace-installer/model.json:
    get:
      tags:
      - Platform Installer
      summary: Serve default installer options
      description: Returns the default options model (AceOptionsSpec) pre-filled with the requesting
        user's admin details. The response is a complex Kubernetes-style options object returned as dynamic
        JSON. The ace-installer APIs are AppsCode-hosted only.
      operationId: installer_ServeDefaultOptions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Default AceOptionsSpec options object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Not permitted.
  /ace-installer/generate:
    post:
      tags:
      - Platform Installer
      summary: Generate a new installer
      description: Generates a new installer from the supplied AceOptionsSpec options and returns
        the resulting installer metadata. The request body is a free-form AceOptionsSpec object (bound
        as a dynamic JSON map, then decoded into AceOptionsSpec). The ace-installer APIs are AppsCode-hosted
        only. Requires the `create_installers` authorization (Organization_HostedModeCanCreateInstallers).
      operationId: installer_GenerateInstaller
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Generated installer metadata.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InstallerMetadata'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `create_installers` authorization.
        '422':
          description: Unprocessable entity. Invalid request body.
        '500':
          description: Internal server error.
  /ace-installer/import:
    post:
      tags:
      - Platform Installer
      summary: Import an existing installer
      description: Imports an existing installer described by the supplied AceOptionsSpec options and
        returns the resulting installer metadata. The request body is a free-form AceOptionsSpec object
        (bound as a dynamic JSON map, then decoded into AceOptionsSpec). The ace-installer APIs are AppsCode-hosted
        only. Requires the `import_installers` authorization (Organization_HostedModeCanImportInstallers).
      operationId: installer_ImportInstaller
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Imported installer metadata.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InstallerMetadata'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `import_installers` authorization.
        '422':
          description: Unprocessable entity. Invalid request body.
        '500':
          description: Internal server error.
  /ace-installer/installer-meta:
    get:
      tags:
      - Platform Installer
      summary: Get installer metadata for the current access token
      description: Returns the installer metadata associated with the access token used to authenticate
        the request. The ace-installer APIs are AppsCode-hosted only. Requires the `view_installers` authorization
        (Organization_HostedModeCanViewInstallers).
      operationId: installer_GetInstallerMetadata
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Installer metadata.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InstallerMetadata'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_installers` authorization.
        '500':
          description: Internal server error.
  /ace-installer/latest-version:
    get:
      tags:
      - Platform Installer
      summary: Get the latest installer version
      description: Returns the latest available installer chart version. The ace-installer APIs are
        AppsCode-hosted only. Requires the `view_installers` authorization (Organization_HostedModeCanViewInstallers).
      operationId: installer_GetAceLatestInstallerVersion
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Latest installer version.
          content:
            application/json:
              schema:
                type: object
                properties:
                  version:
                    type: string
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_installers` authorization.
  /ace-installer/installers/:
    get:
      tags:
      - Platform Installer
      summary: List installers grouped by name
      description: Lists the installers for the owner organization, grouped by installer name (one metadata
        entry per group). The ace-installer APIs are AppsCode-hosted only. Requires the `view_installers`
        authorization (Organization_HostedModeCanViewInstallers).
      operationId: installer_ListInstallers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of installer metadata grouped by name.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/InstallerMetadata'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_installers` authorization.
        '500':
          description: Internal server error.
  /ace-installer/installers/{name}:
    get:
      tags:
      - Platform Installer
      summary: List generated installers for an installer name
      description: Lists all generated installers matching the given installer name for the owner organization.
        The ace-installer APIs are AppsCode-hosted only. Requires the `view_installers` authorization
        (Organization_HostedModeCanViewInstallers).
      operationId: installer_ListGeneratedInstallers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: name
        in: path
        required: true
        description: Installer name.
        schema:
          type: string
      responses:
        '200':
          description: List of generated installer metadata.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/InstallerMetadata'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_installers` authorization.
        '404':
          description: Not found.
        '500':
          description: Internal server error.
  /ace-installer/installers/{name}/{id}:
    get:
      tags:
      - Platform Installer
      summary: Get installer details
      description: Returns detailed metadata for a single generated installer, including readme and archive
        download URLs. May return 428 Precondition Required (redirect) when a marketplace installer is
        not yet in a bound phase. The ace-installer APIs are AppsCode-hosted only. Requires the `view_installers`
        authorization (Organization_HostedModeCanViewInstallers).
      operationId: installer_GetInstallerDetails
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: name
        in: path
        required: true
        description: Installer name.
        schema:
          type: string
      - name: id
        in: path
        required: true
        description: Installer ID.
        schema:
          type: string
      responses:
        '200':
          description: Installer details.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InstallerDetails'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_installers` authorization.
        '404':
          description: Installer not found.
        '428':
          description: Precondition Required. Marketplace installer not yet bound; a redirect to the marketplace
            URL is returned.
        '500':
          description: Internal server error.
    delete:
      tags:
      - Platform Installer
      summary: Delete a generated installer
      description: Deletes a generated installer by ID. Installers owned by a marketplace organization
        cannot be deleted. The ace-installer APIs are AppsCode-hosted only. Requires the `delete_installers`
        authorization (Organization_HostedModeCanDeleteInstallers).
      operationId: installer_DeleteGeneratedInstaller
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: name
        in: path
        required: true
        description: Installer name.
        schema:
          type: string
      - name: id
        in: path
        required: true
        description: Installer ID.
        schema:
          type: string
      responses:
        '200':
          description: Installer deleted.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `delete_installers` authorization, or the installer belongs
            to a marketplace organization.
        '500':
          description: Internal server error.
  /ace-installer/installers/{name}/{id}/reconfigure:
    post:
      tags:
      - Platform Installer
      summary: Reconfigure a generated installer
      description: Reconfigures an existing installer using the supplied AceOptionsSpec options. The `installerOps`
        query parameter selects the operation (`reconfigure` or `promote-to-prod`). The request body is
        a free-form AceOptionsSpec object (bound as a dynamic JSON map, then decoded into AceOptionsSpec).
        The ace-installer APIs are AppsCode-hosted only. Requires the `reconfigure_installers` authorization
        (Organization_HostedModeCanReconfigureInstallers).
      operationId: installer_ReconfigureInstaller
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: name
        in: path
        required: true
        description: Installer name.
        schema:
          type: string
      - name: id
        in: path
        required: true
        description: Installer ID.
        schema:
          type: string
      - name: installerOps
        in: query
        required: true
        description: Operation to perform (`reconfigure` or `promote-to-prod`).
        schema:
          type: string
          enum:
          - reconfigure
          - promote-to-prod
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/K8sObject'
      responses:
        '200':
          description: Reconfigured installer metadata.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InstallerMetadata'
        '400':
          description: Bad request. Invalid installerOps or installer mismatch.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `reconfigure_installers` authorization.
        '422':
          description: Unprocessable entity. Invalid request body.
        '500':
          description: Internal server error.
  /ace-installer/installers/{name}/{id}/upgrade:
    post:
      tags:
      - Platform Installer
      summary: Upgrade a generated installer
      description: Upgrades an existing installer to the latest installer version and returns the
        updated installer metadata. The ace-installer APIs are AppsCode-hosted only. Requires the `upgrade_installers`
        authorization (Organization_HostedModeCanUpgradeInstallers).
      operationId: installer_UpgradeInstaller
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: name
        in: path
        required: true
        description: Installer name.
        schema:
          type: string
      - name: id
        in: path
        required: true
        description: Installer ID.
        schema:
          type: string
      responses:
        '200':
          description: Upgraded installer metadata.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InstallerMetadata'
        '400':
          description: Bad request. Installer not found.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `upgrade_installers` authorization.
        '500':
          description: Internal server error.
  /ace-installer/installers/{name}/{id}/versions:
    get:
      tags:
      - Platform Installer
      summary: List installer versions
      description: Lists the available versions (archives) for a generated installer. The ace-installer
        APIs are AppsCode-hosted only. Requires the `view_installers` authorization (Organization_HostedModeCanViewInstallers).
      operationId: installer_ListInstallerVersions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: name
        in: path
        required: true
        description: Installer name.
        schema:
          type: string
      - name: id
        in: path
        required: true
        description: Installer ID.
        schema:
          type: string
      responses:
        '200':
          description: List of installer versions.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/InstallerVersion'
        '400':
          description: Bad request. Installer not found.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_installers` authorization.
        '500':
          description: Internal server error.
  /ace-installer/installers/{name}/{id}/archives/{archiveName}:
    get:
      tags:
      - Platform Installer
      summary: Get installer details from a tar archive
      description: Extracts and returns installer details (readme, archive URL) from the specified tar
        archive of a generated installer. The ace-installer APIs are AppsCode-hosted only. Requires the
        `download_installers` authorization (Organization_HostedModeCanDownloadInstallers).
      operationId: installer_GetInstallerDetailsFromTarArchive
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: name
        in: path
        required: true
        description: Installer name.
        schema:
          type: string
      - name: id
        in: path
        required: true
        description: Installer ID.
        schema:
          type: string
      - name: archiveName
        in: path
        required: true
        description: Archive file name.
        schema:
          type: string
      responses:
        '200':
          description: Installer details extracted from the tar archive.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InstallerDetails'
        '400':
          description: Bad request. Installer not found.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `download_installers` authorization.
        '500':
          description: Internal server error.
  /ace-installer/installers/{name}/{id}/model.json:
    get:
      tags:
      - Platform Installer
      summary: Serve installer options
      description: Returns the stored AceOptionsSpec options for a generated installer. When `configureProductionOptions=true`,
        options are adjusted for a self-hosted production deployment. The response is a complex Kubernetes-style
        options object returned as dynamic JSON. The ace-installer APIs are AppsCode-hosted only. Requires
        the `create_installers` authorization (Organization_HostedModeCanCreateInstallers).
      operationId: installer_ServeInstallerOptions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: name
        in: path
        required: true
        description: Installer name.
        schema:
          type: string
      - name: id
        in: path
        required: true
        description: Installer ID.
        schema:
          type: string
      - name: configureProductionOptions
        in: query
        required: false
        description: When true, adjust options for a production deployment.
        schema:
          type: boolean
      responses:
        '200':
          description: AceOptionsSpec options object for the installer.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `create_installers` authorization.
        '500':
          description: Internal server error.
  /ace-installer/deployment/marketplace/installers/{installerID}/status:
    get:
      tags:
      - Platform Installer
      summary: Get marketplace installer status
      description: Returns the marketplace subscription status (`Pending` or `Bound`) for a marketplace-type
        installer, along with its metadata, download link, and expiry state. When `redirect=true` and
        the installer is bound, a redirect to the self-host URL is returned. The ace-installer APIs are
        AppsCode-hosted only. This route does not carry an additional installer-specific authorization
        check beyond the base org token/authz.
      operationId: installer_GetMarketplaceInstallerStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: installerID
        in: path
        required: true
        description: Installer ID.
        schema:
          type: string
      - name: redirect
        in: query
        required: false
        description: When true and installer is bound, redirect to the self-host URL.
        schema:
          type: boolean
      responses:
        '200':
          description: Marketplace installer status.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MarketplaceInstallerStatus'
        '400':
          description: Bad request. Installer not found or not a marketplace deployment type.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Not permitted.
        '428':
          description: Precondition Required. When bound and redirect requested, a redirect to the self-host
            URL is returned.
        '500':
          description: Internal server error.
  /upgrade:
    get:
      tags:
      - Platform Upgrade
      summary: Get platform upgrade status
      description: Returns the most recent KubeDB Platform upgrade status (from the latest upgrader ConfigMap
        data). Platform upgrade routes require site-admin organization authorization `view_upgrade_history:org`
        (Organization_SiteAdminCanViewUpgradeHistory). The response is dynamic ConfigMap key/value data.
      operationId: upgrade_GetUpgradeStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Upgrade status ConfigMap data (dynamic key/value map).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '400':
          description: Bad request. No upgrade status found.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_upgrade_history:org` authorization.
        '500':
          description: Internal server error.
    post:
      tags:
      - Platform Upgrade
      summary: Upgrade the KubeDB Platform
      description: Triggers an KubeDB Platform upgrade using a multipart form containing a target version,
        a values file, and an optional flag to use the latest image. The version may be overridden by
        an `installerVersion` field inside the uploaded values file. Platform upgrade routes require site-admin
        organization authorization `upgrade_platform:org` (Organization_SiteAdminCanUpgradePlatform).
      operationId: upgrade_UpgradeACE
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/UpgradeOptions'
      responses:
        '200':
          description: Upgrade job accepted and started.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `upgrade_platform:org` authorization.
        '422':
          description: Unprocessable entity. Invalid form or values file.
        '500':
          description: Internal server error.
  /upgrade/status:
    get:
      tags:
      - Platform Upgrade
      summary: Get platform upgrade job status
      description: Returns the status of the most recent KubeDB Platform upgrade job (`pending` with version,
        or `completed`). Platform upgrade routes require site-admin organization authorization `view_upgrade_history:org`
        (Organization_SiteAdminCanViewUpgradeHistory).
      operationId: upgrade_GetJobStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Upgrade job status.
          content:
            application/json:
              schema:
                type: object
                properties:
                  status:
                    type: string
                  version:
                    type: string
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_upgrade_history:org` authorization.
        '500':
          description: Internal server error.
  /upgrade/history:
    get:
      tags:
      - Platform Upgrade
      summary: Get platform upgrade history
      description: Returns the KubeDB Platform upgrade history as a list of ConfigMap data maps (each augmented
        with a `status` field). Platform upgrade routes require site-admin organization authorization
        `view_upgrade_history:org` (Organization_SiteAdminCanViewUpgradeHistory).
      operationId: upgrade_UpgradeHistory
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Upgrade history (list of dynamic key/value maps).
          content:
            application/json:
              schema:
                type: array
                items:
                  type: object
                  additionalProperties:
                    type: string
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_upgrade_history:org` authorization.
        '500':
          description: Internal server error.
  /upgrade/current-version:
    get:
      tags:
      - Platform Upgrade
      summary: Get the current KubeDB Platform version
      description: Returns the currently installed KubeDB Platform (ace-installer helm release) version.
        Platform upgrade routes require site-admin organization authorization `view_upgrade_history:org`
        (Organization_SiteAdminCanViewUpgradeHistory).
      operationId: upgrade_CurrentVersion
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Current platform version.
          content:
            application/json:
              schema:
                type: object
                properties:
                  version:
                    type: string
        '400':
          description: Bad request. No version found.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Missing `view_upgrade_history:org` authorization.
        '500':
          description: Internal server error.
  /clusters/{owner}/{cluster}/upgrade:
    get:
      tags:
      - Platform Upgrade
      summary: Get imported cluster upgrade status
      description: Returns the most recent upgrade status for an imported cluster (from the latest upgrader
        ConfigMap data in the cluster). Access is controlled by cluster assignment for the given owner/cluster.
        The response is dynamic ConfigMap key/value data.
      operationId: upgrade_GetUpgradeStatus_ImportedCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      responses:
        '200':
          description: Imported cluster upgrade status ConfigMap data.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '400':
          description: Bad request. No upgrade status found.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Cluster not assigned or not permitted.
        '500':
          description: Internal server error.
    post:
      tags:
      - Platform Upgrade
      summary: Upgrade imported cluster resources
      description: Triggers an upgrade of the opscenter-features helm release and managed features in
        an imported cluster to the server's current version. Runs asynchronously; progress is tracked
        in a ConfigMap. Access is controlled by cluster assignment for the given owner/cluster.
      operationId: upgrade_UpgradeClusterResources
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      responses:
        '200':
          description: Upgrade started.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Cluster not assigned or not permitted.
        '500':
          description: Internal server error.
  /clusters/{owner}/{cluster}/upgrade/history:
    get:
      tags:
      - Platform Upgrade
      summary: Get imported cluster upgrade history
      description: Returns the upgrade history for an imported cluster as a list of ConfigMap data maps.
        Access is controlled by cluster assignment for the given owner/cluster.
      operationId: upgrade_UpgradeHistoryOfImportedCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      responses:
        '200':
          description: Imported cluster upgrade history (list of key/value maps).
          content:
            application/json:
              schema:
                type: array
                items:
                  type: object
                  additionalProperties:
                    type: string
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Cluster not assigned or not permitted.
        '500':
          description: Internal server error.
  /clusters/{owner}/{cluster}/upgrade/current-version:
    get:
      tags:
      - Platform Upgrade
      summary: Get imported cluster current version
      description: Returns the currently installed opscenter-features chart version in an imported cluster.
        Access is controlled by cluster assignment for the given owner/cluster.
      operationId: upgrade_GetClusterCurrentVersion
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      responses:
        '200':
          description: Imported cluster current version.
          content:
            application/json:
              schema:
                type: object
                properties:
                  version:
                    type: string
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Cluster not assigned or not permitted.
        '500':
          description: Internal server error.
  /clusters/{owner}/{cluster}/upgrade/latest-version:
    get:
      tags:
      - Platform Upgrade
      summary: Get latest KubeDB Platform version for imported cluster
      description: Returns the latest available opscenter-features chart version from the server, used
        as the target for imported cluster upgrades. Access is controlled by cluster assignment for the
        given owner/cluster.
      operationId: upgrade_GetACELatestVersion
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      responses:
        '200':
          description: Latest available version.
          content:
            application/json:
              schema:
                type: object
                properties:
                  version:
                    type: string
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Cluster not assigned or not permitted.
        '500':
          description: Internal server error.
  /clusters/{owner}/{cluster}/spoke/upgrade:
    get:
      tags:
      - Platform Upgrade
      summary: Get spoke cluster upgrade status
      description: Returns the most recent upgrade status for a spoke cluster (read from the hub cluster's
        upgrader ConfigMap data for the spoke). Access is controlled by cluster assignment for the given
        owner/cluster. The response is dynamic ConfigMap key/value data.
      operationId: upgrade_GetSpokeClusterUpgradeStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      responses:
        '200':
          description: Spoke cluster upgrade status ConfigMap data.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '400':
          description: Bad request. No upgrade status found.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Cluster not assigned or not permitted.
        '500':
          description: Internal server error.
    post:
      tags:
      - Platform Upgrade
      summary: Upgrade spoke cluster resources
      description: Triggers an upgrade of a spoke cluster by updating its managed cluster profile binding
        and related features to the hub's opscenter-features version. Runs asynchronous post-processing.
        Access is controlled by cluster assignment for the given owner/cluster.
      operationId: upgrade_UpgradeSpokeClusterResources
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      responses:
        '200':
          description: Spoke cluster upgrade started.
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Cluster not assigned or not permitted.
        '500':
          description: Internal server error.
  /clusters/{owner}/{cluster}/spoke/upgrade/history:
    get:
      tags:
      - Platform Upgrade
      summary: Get spoke cluster upgrade history
      description: Returns the upgrade history for a spoke cluster as a list of ConfigMap data maps (read
        from the hub cluster). Access is controlled by cluster assignment for the given owner/cluster.
      operationId: upgrade_UpgradeHistoryOfSpokeCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/owner'
      - $ref: '#/components/parameters/cluster'
      responses:
        '200':
          description: Spoke cluster upgrade history (list of key/value maps).
          content:
            application/json:
              schema:
                type: array
                items:
                  type: object
                  additionalProperties:
                    type: string
        '401':
          description: Unauthorized. Missing or invalid token.
        '403':
          description: Forbidden. Cluster not assigned or not permitted.
        '500':
          description: Internal server error.
  /contracts:
    get:
      tags:
      - Licensing & Contracts
      summary: List all contracts (admin)
      description: Site-admin API. Lists all contracts across accounts. Requires a token plus site-admin
        authorization (`view_contracts:site_admin`) and is only available on AppsCode-hosted deployments.
        The target org/user is scoped via the `orgOrUserId`/`org` query parameter.
      operationId: contracts_ListContracts
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      responses:
        '200':
          description: List of contracts
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Contract'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
    post:
      tags:
      - Licensing & Contracts
      summary: Create a contract (admin)
      description: Site-admin API. Creates one or more contracts (one per product listed in `products`).
        Accepts a multipart/form-data body so an optional contract `document` file can be uploaded. Requires
        a token plus site-admin authorization (`create_contracts:site_admin`); AppsCode-hosted only.
      operationId: contracts_AddContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/AddContractParams'
      responses:
        '201':
          description: Contract(s) created
        '400':
          description: Bad request (empty products, invalid emails, unsupported product, or bad quota)
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '422':
          description: Unprocessable entity (invalid request body)
  /contracts/active/associated-clusters/{clusterID}/status:
    get:
      tags:
      - Licensing & Contracts
      summary: Get contract-cluster status for a user (admin)
      description: Site-admin API. Returns the association/validity status of a single cluster for the
        target user. Requires a token plus site-admin authorization (`view_contracts:site_admin`); AppsCode-hosted
        only.
      operationId: contracts_GetContractClusterStatusOfAUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: clusterID
        in: path
        required: true
        description: Cluster UUID.
        schema:
          type: string
      - name: orgOrUserId
        in: query
        required: false
        description: Target account ID; defaults to the caller when omitted or 0.
        schema:
          type: integer
          format: int64
      - name: contract
        in: query
        required: false
        description: Optional contract ID to check the cluster against.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Cluster status
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ContractClusterStatus'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '500':
          description: Internal server error
  /contracts/active/associated-clusters/batch-status:
    post:
      tags:
      - Licensing & Contracts
      summary: Get batch contract-cluster status for a user (admin)
      description: Site-admin API. Returns association/validity status for a batch of clusters for the
        target user. Requires a token plus site-admin authorization (`view_contracts:site_admin`); AppsCode-hosted
        only.
      operationId: contracts_GetBatchContractClusterStatusOfAUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: orgOrUserId
        in: query
        required: false
        description: Target account ID; defaults to the caller when omitted or 0.
        schema:
          type: integer
          format: int64
      - name: contract
        in: query
        required: false
        description: Optional contract ID to check the clusters against.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BatchClusterStatusRequest'
      responses:
        '200':
          description: List of cluster statuses
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContractClusterStatus'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '422':
          description: Unprocessable entity (invalid request body)
        '500':
          description: Internal server error
  /contracts/{id}:
    get:
      tags:
      - Licensing & Contracts
      summary: Get a contract (admin)
      description: Site-admin API. Requires a token plus site-admin authorization (`view_contracts:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_GetContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Contract
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Contract'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '404':
          description: Contract not found
    put:
      tags:
      - Licensing & Contracts
      summary: Update a contract (admin)
      description: Site-admin API. Accepts a multipart/form-data body so an optional replacement contract
        `document` file can be uploaded. Requires a token plus site-admin authorization (`update_contracts:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_UpdateContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/Contract'
      responses:
        '200':
          description: Updated contract
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Contract'
        '400':
          description: Bad request (invalid quota or emails)
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '404':
          description: Contract not found
        '422':
          description: Unprocessable entity (invalid request body)
    delete:
      tags:
      - Licensing & Contracts
      summary: Delete a contract (admin)
      description: Site-admin API. Requires a token plus site-admin authorization (`delete_contracts:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_DeleteContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Contract deleted
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '404':
          description: Contract not found
  /contracts/{id}/extend:
    post:
      tags:
      - Licensing & Contracts
      summary: Extend a contract (admin)
      description: Site-admin API. Extends a contract's end time using the `end` field of the request
        body. Requires a token plus site-admin authorization (`extend_contracts:site_admin`); AppsCode-hosted
        only.
      operationId: contracts_ExtendContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Contract'
      responses:
        '200':
          description: Extended contract
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Contract'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '404':
          description: Contract not found
        '422':
          description: Unprocessable entity (invalid request body)
  /contracts/{id}/document:
    get:
      tags:
      - Licensing & Contracts
      summary: Get contract document signed URL (admin)
      description: Site-admin API. Returns a time-limited signed URL (as a JSON string) to download the
        contract document. Requires a token plus site-admin authorization (`view_contracts:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_GetContractDocument
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: A signed URL string pointing to the contract document (valid for 30 minutes). The
            handler returns the URL as a JSON string, not the file bytes.
          content:
            application/json:
              schema:
                type: string
                format: uri
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '404':
          description: Contract not found
  /contracts/{id}/revoke:
    post:
      tags:
      - Licensing & Contracts
      summary: Revoke a contract (admin)
      description: Site-admin API. Requires a token plus site-admin authorization (`revoke_contracts:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_RevokeContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Contract revoked
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '404':
          description: Contract not found
  /contracts/{id}/audit:
    get:
      tags:
      - Licensing & Contracts
      summary: List contract audit events (admin)
      description: Site-admin API. Lists the audit trail of a contract. Requires a token plus contract-management
        authorization (`view_contracts:contract_mgmt`); AppsCode-hosted only.
      operationId: contracts_ListContractAudit
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: List of contract audit events
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContractAudit'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (authorization required)
        '404':
          description: Contract not found
  /contracts/{id}/clusters/imported/non-associated:
    get:
      tags:
      - Licensing & Contracts
      summary: List imported clusters not associated with a contract (admin)
      description: Site-admin API. Lists the owner's imported clusters that are not yet bound to the contract.
        Requires a token plus site-admin authorization (`add_cluster:site_admin`); AppsCode-hosted only.
      operationId: contracts_ListImportedNonAssociatedClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: List of cluster info records
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '400':
          description: Contract not found
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
  /contracts/{id}/clusters:
    get:
      tags:
      - Licensing & Contracts
      summary: List clusters bound to a contract (admin)
      description: Site-admin API. Requires a token plus site-admin authorization (`add_cluster:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_GetContractClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: List of contract-cluster status records
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContractClusterStatus'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
    post:
      tags:
      - Licensing & Contracts
      summary: Bind multiple clusters to a contract (admin)
      description: Site-admin API. Binds one or more clusters to the contract. Requires a token plus site-admin
        authorization (`add_cluster:site_admin`); AppsCode-hosted only.
      operationId: contracts_BindMultipleClustersToContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/BindContractCluster'
      responses:
        '201':
          description: Clusters bound; returns updated contract-cluster list
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContractClusterStatus'
        '400':
          description: Bad request (empty list, invalid cluster UUID, or cluster already associated)
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '422':
          description: Unprocessable entity (invalid request body)
  /contracts/{id}/clusters/{ccID}:
    delete:
      tags:
      - Licensing & Contracts
      summary: Remove a cluster from a contract (admin)
      description: Site-admin API. Requires a token plus site-admin authorization (`remove_cluster:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_RemoveContractCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      - name: ccID
        in: path
        required: true
        description: Contract-cluster ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Cluster removed from contract
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
  /contracts/{id}/clusters/{ccID}/issue-license:
    post:
      tags:
      - Licensing & Contracts
      summary: Issue a full license for a contract cluster (admin)
      description: Site-admin API. Issues a full (offline-capable) license for the given contract cluster.
        Requires a token plus site-admin authorization (`issue_license:site_admin`); AppsCode-hosted only.
      operationId: contracts_IssueFullLicense
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      - name: ccID
        in: path
        required: true
        description: Contract-cluster ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Issued license
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/License'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (quota exceeded or authorization required)
        '404':
          description: Contract not found
        '405':
          description: License issuance not allowed (revoked contract or offline not allowed)
  /contracts/{id}/clusters/{ccID}/name:
    patch:
      tags:
      - Licensing & Contracts
      summary: Update a contract cluster display name (admin)
      description: Site-admin API. Requires a token plus site-admin authorization (`update_cluster_name:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_UpdateAdminContractClusterName
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      - name: ccID
        in: path
        required: true
        description: Contract-cluster ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchUserContractClusterName'
      responses:
        '200':
          description: Cluster name updated
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '422':
          description: Unprocessable entity (invalid request body)
  /contracts/{id}/clusters/{ccID}/tags:
    patch:
      tags:
      - Licensing & Contracts
      summary: Update a contract cluster tags (admin)
      description: Site-admin API. Replaces the tag set for a cluster and syncs it across contracts sharing
        the same cluster UUID. Requires a token plus site-admin authorization (`update_cluster_tags:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_UpdateAdminContractClusterTags
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      - name: ccID
        in: path
        required: true
        description: Contract-cluster ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchUserContractClusterTags'
      responses:
        '200':
          description: Cluster tags updated
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
        '422':
          description: Unprocessable entity (invalid request body)
  /contracts/available_products:
    get:
      tags:
      - Licensing & Contracts
      summary: List products available for contracts (admin)
      description: Site-admin API. Returns the map of non-community products supported for contracts,
        keyed by product alias. Requires a token plus site-admin authorization (`create_contracts:site_admin`);
        AppsCode-hosted only.
      operationId: contracts_GetAvailableProductsForContracts
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      responses:
        '200':
          description: Map of product alias to plan info
          content:
            application/json:
              schema:
                type: object
                additionalProperties:
                  $ref: '#/components/schemas/PlanInfo'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (site-admin authorization required)
  /user/contracts:
    get:
      tags:
      - Licensing & Contracts
      summary: List the owner's contracts
      description: Lists contracts owned by the resolved owner (org/user). Requires a token; AppsCode-hosted
        only.
      operationId: contracts_ListUserContracts
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      responses:
        '200':
          description: List of contracts
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Contract'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
  /user/contracts/active-offline-contracts:
    get:
      tags:
      - Licensing & Contracts
      summary: List the owner's active offline contracts
      description: Lists the owner's active offline (air-gapped) contracts. Requires a token; AppsCode-hosted
        only.
      operationId: contracts_ListActiveUserOfflineContracts
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      responses:
        '200':
          description: List of active offline contracts
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Contract'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
  /user/contracts/assign-cluster:
    post:
      tags:
      - Licensing & Contracts
      summary: Assign a cluster to multiple contracts
      description: Assigns a single cluster to multiple contracts owned by the caller. Requires a token
        plus contract-management authorization (`add_cluster:contract_mgmt`); AppsCode-hosted only.
      operationId: contracts_AssignClusterToMultipleContracts
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClusterContractList'
      responses:
        '200':
          description: Cluster assigned
        '400':
          description: Bad request (empty contract list or invalid cluster UUID)
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '422':
          description: Unprocessable entity (invalid request body)
  /user/contracts/active/associated-with/clusters/{clusterID}:
    get:
      tags:
      - Licensing & Contracts
      summary: List active contracts associated with a cluster
      description: Lists the owner's active contracts associated with the given cluster. Pass `onlyOffline=true`
        to restrict to offline contracts. Requires a token; AppsCode-hosted only.
      operationId: contracts_ListActiveContractsAssociatedWithACluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: clusterID
        in: path
        required: true
        description: Cluster UUID.
        schema:
          type: string
      - name: onlyOffline
        in: query
        required: false
        description: Restrict the result to offline contracts only.
        schema:
          type: boolean
      responses:
        '200':
          description: List of active associated contracts
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Contract'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
  /user/contracts/active/not-associated-with/clusters/{clusterID}:
    get:
      tags:
      - Licensing & Contracts
      summary: List active contracts not associated with a cluster
      description: Lists the owner's active contracts that are not associated with the given cluster.
        Requires a token; AppsCode-hosted only.
      operationId: contracts_ListActiveContractsNotAssociatedWithACluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: clusterID
        in: path
        required: true
        description: Cluster UUID.
        schema:
          type: string
      responses:
        '200':
          description: List of active non-associated contracts
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Contract'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
  /user/contracts/active/associated-clusters:
    get:
      tags:
      - Licensing & Contracts
      summary: List clusters of the owner's active offline contracts
      description: Lists the unique clusters associated with the owner's offline active contracts. Requires
        a token; AppsCode-hosted only.
      operationId: contracts_ListClustersAssociatedWithAUsersOfflineActiveContracts
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      responses:
        '200':
          description: List of clusters with associated contracts
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterWithAssociatedContracts'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
  /user/contracts/active/associated-clusters/{clusterID}/status:
    get:
      tags:
      - Licensing & Contracts
      summary: Get contract-cluster status for the owner
      description: Returns the association/validity status of a single cluster for the caller. Requires
        a token; AppsCode-hosted only.
      operationId: contracts_GetContractClusterStatus
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: clusterID
        in: path
        required: true
        description: Cluster UUID.
        schema:
          type: string
      - name: contract
        in: query
        required: false
        description: Optional contract ID to check the cluster against.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Cluster status
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ContractClusterStatus'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '500':
          description: Internal server error
  /user/contracts/active/associated-clusters/batch-status:
    post:
      tags:
      - Licensing & Contracts
      summary: Get batch contract-cluster status for the owner
      description: Returns association/validity status for a batch of clusters for the caller. Requires
        a token; AppsCode-hosted only.
      operationId: contracts_GetBatchClusterStatusForAContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: contract
        in: query
        required: false
        description: Optional contract ID to check the clusters against.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/BatchClusterStatusRequest'
      responses:
        '200':
          description: List of cluster statuses
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContractClusterStatus'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '422':
          description: Unprocessable entity (invalid request body)
        '500':
          description: Internal server error
  /user/contracts/{id}:
    get:
      tags:
      - Licensing & Contracts
      summary: Get one of the owner's contracts
      description: Returns a single contract owned by the caller (admin-only email fields sanitized).
        Requires a token; AppsCode-hosted only.
      operationId: contracts_GetUserContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Contract
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Contract'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '404':
          description: Contract not found
  /user/contracts/{id}/document:
    get:
      tags:
      - Licensing & Contracts
      summary: Get the owner's contract document signed URL
      description: Returns a time-limited signed URL (as a JSON string) to download the contract document.
        Requires a token; AppsCode-hosted only.
      operationId: contracts_GetUserContractDocument
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: A signed URL string pointing to the contract document (valid for 30 minutes). The
            handler returns the URL as a JSON string, not the file bytes.
          content:
            application/json:
              schema:
                type: string
                format: uri
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '404':
          description: Contract not found
  /user/contracts/{id}/audit:
    get:
      tags:
      - Licensing & Contracts
      summary: List the owner's contract audit events
      description: Lists the audit trail of one of the caller's contracts. Requires a token; AppsCode-hosted
        only.
      operationId: contracts_ListUserContractAudit
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: List of contract audit events
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContractAudit'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (contract not found or authorization denied)
  /user/contracts/{id}/preferences:
    put:
      tags:
      - Licensing & Contracts
      summary: Update the owner's contract preferences
      description: Updates the caller-editable preferences (auto-assign clusters, usage alert client recipients)
        for one of the caller's contracts. Requires a token plus authorization (`updated_preferences:contracts`);
        AppsCode-hosted only.
      operationId: contracts_UpdateUserContractPreferences
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateUserContractPreferences'
      responses:
        '200':
          description: Updated contract
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Contract'
        '400':
          description: Bad request (invalid usage alert client recipients)
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '422':
          description: Unprocessable entity (invalid request body)
  /user/contracts/{id}/clusters/imported/non-associated:
    get:
      tags:
      - Licensing & Contracts
      summary: List the owner's imported clusters not associated with a contract
      description: Lists the owner's imported clusters not yet bound to the contract. Requires a token;
        AppsCode-hosted only.
      operationId: contracts_ListUserImportedNonAssociatedClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: List of cluster info records
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '400':
          description: Contract not found
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
  /user/contracts/{id}/clusters:
    get:
      tags:
      - Licensing & Contracts
      summary: List clusters bound to the owner's contract
      description: Requires a token; AppsCode-hosted only.
      operationId: contracts_GetUserContractClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: List of contract-cluster status records
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContractClusterStatus'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
    post:
      tags:
      - Licensing & Contracts
      summary: Bind multiple clusters to the owner's contract
      description: Binds one or more clusters to one of the caller's contracts. Requires a token plus
        authorization; AppsCode-hosted only.
      operationId: contracts_BindUserMultipleClustersToContract
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: array
              items:
                $ref: '#/components/schemas/BindContractCluster'
      responses:
        '201':
          description: Clusters bound; returns updated contract-cluster list
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ContractClusterStatus'
        '400':
          description: Bad request (empty list, invalid UUID, invalid contract, or already associated)
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '422':
          description: Unprocessable entity (invalid request body)
  /user/contracts/{id}/clusters/{ccID}:
    delete:
      tags:
      - Licensing & Contracts
      summary: Remove a cluster from the owner's contract
      description: Requires a token; AppsCode-hosted only.
      operationId: contracts_RemoveUserContractCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      - name: ccID
        in: path
        required: true
        description: Contract-cluster ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Cluster removed from contract
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
  /user/contracts/{id}/clusters/{ccID}/name:
    patch:
      tags:
      - Licensing & Contracts
      summary: Update a cluster display name on the owner's contract
      description: Requires a token; AppsCode-hosted only.
      operationId: contracts_UpdateUserContractClusterName
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      - name: ccID
        in: path
        required: true
        description: Contract-cluster ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchUserContractClusterName'
      responses:
        '200':
          description: Cluster name updated
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '422':
          description: Unprocessable entity (invalid request body)
  /user/contracts/{id}/clusters/{ccID}/tags:
    patch:
      tags:
      - Licensing & Contracts
      summary: Update cluster tags on the owner's contract
      description: Replaces the tag set for a cluster and syncs it across the owner's contracts sharing
        the same cluster UUID. Requires a token; AppsCode-hosted only.
      operationId: contracts_UpdateUserContractClusterTags
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      - name: ccID
        in: path
        required: true
        description: Contract-cluster ID.
        schema:
          type: integer
          format: int64
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchUserContractClusterTags'
      responses:
        '200':
          description: Cluster tags updated
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '422':
          description: Unprocessable entity (invalid request body)
  /user/contracts/{id}/clusters/{ccID}/issue-license:
    post:
      tags:
      - Licensing & Contracts
      summary: Issue a full license for the owner's contract cluster
      description: Issues a full (offline-capable) license for one of the caller's contract clusters.
        Requires a token plus authorization (`issue-license:cluster`); AppsCode-hosted only.
      operationId: contracts_IssueUserFullLicense
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      - name: id
        in: path
        required: true
        description: Contract ID.
        schema:
          type: integer
          format: int64
      - name: ccID
        in: path
        required: true
        description: Contract-cluster ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Issued license
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/License'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (quota exceeded or authorization denied)
        '404':
          description: Contract not found
        '405':
          description: License issuance not allowed (revoked contract or offline not allowed)
  /user/license-proxy:
    post:
      tags:
      - Licensing & Contracts
      summary: Generate a license-proxy server installer
      description: Generates a license-proxy server installer script for the resolved organization. When
        `clusterID`/`contractIDs` are supplied an offline installer is generated; otherwise an online
        installer. Requires a token plus dynamic authorization on the organization; AppsCode-hosted only.
      operationId: contracts_GenerateLicenseProxyServerInstaller
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/OwnerQueryParam'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/InstallerOptions'
      responses:
        '200':
          description: Installer scripts. The handler returns a dynamic JSON object (map[string]any) containing
            the generated YAML/Helm3 installer scripts; modeled as a free-form object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden
        '422':
          description: Unprocessable entity (invalid request body)
        '500':
          description: Internal server error
  /register:
    post:
      tags:
      - Licensing & Contracts
      summary: Register a licensed user
      description: Public-ish endpoint used by on-prem/air-gapped deployments to register a user against
        a previously issued license. No auth token is required, but the request must carry a valid license
        payload (`license`) which is cryptographically verified; a license-validation middleware also
        gates the request. Only available when self-registration is permitted for the deployment type.
      operationId: contracts_RegisterLicensedUser
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VerifierOptions'
      responses:
        '200':
          description: User registered
        '400':
          description: Bad request (empty features or unregistered cluster-uid)
        '403':
          description: Registration not supported for this deployment type
        '422':
          description: Unprocessable entity (invalid request body or license)
        '500':
          description: Internal server error (license verification or user creation failed)
  /license/issue:
    post:
      tags:
      - Licensing & Contracts
      summary: Issue a license for a cluster
      description: Issues a license for the caller's cluster/product based on the caller's active contract.
        Requires a valid token.
      operationId: contracts_GetLicense
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/LicenseOpts'
      responses:
        '200':
          description: Issued license
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/License'
        '401':
          description: Unauthorized
        '403':
          description: Forbidden (contract quota exceeded)
        '405':
          description: Contract invalid (revoked or expired)
        '422':
          description: Unprocessable entity (invalid request body)
        '500':
          description: Internal server error
  /dashboard/users:
    get:
      tags:
      - Billing Dashboard
      summary: List licensed users
      description: Lists all users that have ever reported a license to this deployment. Site-admin only
        (`view_licensed_users:site_admin`). Requires a billing-enabled KubeDB Platform deployment.
      operationId: dashboard_ListLicensedUsers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of licensed users.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/LicensedUserAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/active:
    get:
      tags:
      - Billing Dashboard
      summary: List active licensed users
      description: Lists licensed users that have reported within the `limit` window (defaults to the
        last 6 months). Site-admin only (`view_licensed_users:site_admin`). Requires a billing-enabled
        deployment.
      operationId: dashboard_ListActiveLicensedUsers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: limit
        in: query
        required: false
        description: Activity window. A Go duration (e.g. `720h`) or a `YYYY-MM-DD` date; defaults to
          the last ~6 months when omitted.
        schema:
          type: string
      responses:
        '200':
          description: List of active licensed users.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/LicensedUserAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/inactive:
    get:
      tags:
      - Billing Dashboard
      summary: List inactive licensed users
      description: Lists licensed users that have never reported a licensed product. Site-admin only (`view_licensed_users:site_admin`).
        Requires a billing-enabled deployment.
      operationId: dashboard_ListInactiveLicensedUsers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of inactive licensed users.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/LicensedUserAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/{uid}/clusters:
    get:
      tags:
      - Billing Dashboard
      summary: List a user's clusters
      description: Lists cluster information for the given licensed user. Site-admin only (`view_licensed_users:site_admin`).
        Requires a billing-enabled deployment.
      operationId: dashboard_ListUserClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: List of cluster information objects.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '500':
          description: Internal error.
  /dashboard/users/{uid}/clusters/active:
    get:
      tags:
      - Billing Dashboard
      summary: List a user's active clusters
      description: Lists clusters that reported for the given user within the `limit` window. Site-admin
        only (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_ListActiveUserClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: limit
        in: query
        required: false
        description: Activity window (Go duration or `YYYY-MM-DD` date).
        schema:
          type: string
      responses:
        '200':
          description: List of active clusters for the user.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ActiveClustersAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/{uid}/clusters/{cid}:
    get:
      tags:
      - Billing Dashboard
      summary: Get a user's cluster information
      description: Returns cluster information for a specific user/cluster. Site-admin only (`view_licensed_users:site_admin`).
        Requires a billing-enabled deployment.
      operationId: dashboard_GetUserClusterInformation
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      responses:
        '200':
          description: Cluster information.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/users/{uid}/clusters/{cid}/licenses:
    get:
      tags:
      - Billing Dashboard
      summary: List a user's licenses on a cluster
      description: Lists licensed plans associated with the given user and cluster. Site-admin only (`view_licensed_users:site_admin`).
        Requires a billing-enabled deployment.
      operationId: dashboard_ListUserLicenses
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      responses:
        '200':
          description: List of licensed plans.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/LicensedPlan'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/{uid}/clusters/{cid}/licenses/active:
    get:
      tags:
      - Billing Dashboard
      summary: List active licenses for a user's cluster
      description: Lists licenses that reported within the `limit` window for the given user and cluster.
        Site-admin only (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_ListActiveLicensesForSpecificUserCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: limit
        in: query
        required: false
        description: Activity window (Go duration or `YYYY-MM-DD` date).
        schema:
          type: string
      responses:
        '200':
          description: List of active licenses.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ActiveLicenseAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/{uid}/clusters/{cid}/licenses/{lid}:
    get:
      tags:
      - Billing Dashboard
      summary: Get a user's license (with site info)
      description: Returns a licensed plan together with the latest reported SiteInfo. Site-admin only
        (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_GetUserLicense
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      responses:
        '200':
          description: Object with `license` (the licensed plan) and `siteinfo` (a kmodules identity SiteInfo,
            free-form).
          content:
            application/json:
              schema:
                type: object
                properties:
                  license:
                    $ref: '#/components/schemas/LicensedPlan'
                  siteinfo:
                    $ref: '#/components/schemas/K8sObject'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/{uid}/clusters/{cid}/licenses/{lid}/products:
    get:
      tags:
      - Billing Dashboard
      summary: List active products for a license
      description: Lists reported licensed products for the given user/cluster/license. Site-admin only
        (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_ListActiveProductsForSpecificLicense
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: limit
        in: query
        required: false
        description: Activity window (Go duration or `YYYY-MM-DD` date).
        schema:
          type: string
      responses:
        '200':
          description: List of received licensed products.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ReceivedLicensedProduct'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/{uid}/clusters/{cid}/licenses/{lid}/products/{productName}:
    get:
      tags:
      - Billing Dashboard
      summary: Get an active product for a license
      description: Returns the reported licensed product for the given user/cluster/license/product. Site-admin
        only (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_GetActiveProductForSpecificLicense
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: productName
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      - name: limit
        in: query
        required: false
        description: Activity window (Go duration or `YYYY-MM-DD` date).
        schema:
          type: string
      responses:
        '200':
          description: Received licensed product.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ReceivedLicensedProduct'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/users/{uid}/clusters/{cid}/licenses/{lid}/products/{productName}/resources:
    get:
      tags:
      - Billing Dashboard
      summary: Get cluster resource history (from NATS)
      description: Fetches the badger resource history for a product from the member cluster over NATS.
        Site-admin only (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_GetClusterResourceHistoryFromNats
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: productName
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      - name: group
        in: query
        required: false
        description: Kubernetes API group filter.
        schema:
          type: string
      - name: resource
        in: query
        required: false
        description: Kubernetes resource filter.
        schema:
          type: string
      responses:
        '200':
          description: Badger entry list of resource history.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BadgerEntryList'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/users/{uid}/clusters/{cid}/licenses/{lid}/products/{productName}/events-histories:
    get:
      tags:
      - Billing Dashboard
      summary: Get auditor events history for a resource
      description: Returns an events history report for a specific resource (admin/testing use). Site-admin
        only (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_GetAuditorEventsHistoryForSpecificResource
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: productName
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      - name: group
        in: query
        required: false
        description: Kubernetes API group.
        schema:
          type: string
      - name: resource
        in: query
        required: false
        description: Kubernetes resource.
        schema:
          type: string
      - name: rid
        in: query
        required: false
        description: Resource ID (object UID).
        schema:
          type: string
      responses:
        '200':
          description: Events history report.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EventsReport'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/users/{uid}/clusters/{cid}/licenses/{lid}/products/{productName}/events:
    get:
      tags:
      - Billing Dashboard
      summary: List events for a license (admin)
      description: Returns the tabular event list for a licensed user's cluster/license/ product. Site-admin
        only (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_GetEventsListForLicense
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: productName
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      - name: lastDays
        in: query
        required: false
        description: Look-back window in days (max 14; defaults to 14).
        schema:
          type: integer
      responses:
        '200':
          description: Tabular event list, newest first.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterResourceTabularForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/users/{uid}/clusters/{cid}/licenses/{lid}/products/{productName}/events/raw-event:
    get:
      tags:
      - Billing Dashboard
      summary: Get raw event data (admin)
      description: Returns the raw badger value for a specific event key/version. Site-admin only (`view_licensed_users:site_admin`).
        Requires a billing-enabled deployment.
      operationId: dashboard_GetRawEventData
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uid
        in: path
        required: true
        description: User (account) ID.
        schema:
          type: integer
          format: int64
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: productName
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      - name: key
        in: query
        required: true
        description: Badger event key.
        schema:
          type: string
      - name: version
        in: query
        required: true
        description: Event version (uint).
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Raw badger value.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BadgerValue'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/{cid}/licenses/active:
    get:
      tags:
      - Billing Dashboard
      summary: List active licenses for a cluster
      description: Lists licenses that reported within the `limit` window for the given cluster, across
        users. Site-admin only (`view_licensed_users:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_ListActiveLicensesForSpecificCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: limit
        in: query
        required: false
        description: Activity window (Go duration or `YYYY-MM-DD` date).
        schema:
          type: string
      responses:
        '200':
          description: List of received licensed products (one per active license).
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ReceivedLicensedProduct'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/system-outages:
    post:
      tags:
      - Billing Dashboard
      summary: Create a system outage entry
      description: Records a system outage window for an account/cluster. Site-admin only (`view_system_outages:site_admin`).
        Requires a billing-enabled deployment.
      operationId: dashboard_CreateSystemOutageEntry
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SystemOutageRequest'
      responses:
        '201':
          description: Created system outage entry.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SystemOutageApiForm'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '409':
          description: An overlapping system outage entry already exists.
        '422':
          $ref: '#/components/responses/ValidationError'
  /dashboard/system-outages/report:
    get:
      tags:
      - Billing Dashboard
      summary: List system outages with extended report
      description: Lists system outage entries with an aggregated report (top tags, accounts and clusters
        by duration). Site-admin only (`view_system_outages:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_ListSystemOutageEntriesWithExtendedReport
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: start
        in: query
        required: false
        description: RFC3339 start time filter.
        schema:
          type: string
          format: date-time
      - name: account_id
        in: query
        required: false
        description: Filter by account ID.
        schema:
          type: string
      - name: cluster_id
        in: query
        required: false
        description: Filter by cluster ID.
        schema:
          type: string
      - name: tags
        in: query
        required: false
        description: Filter by tags (repeatable).
        schema:
          type: array
          items:
            type: string
      responses:
        '200':
          description: System outages and aggregated report.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SystemOutagesAndReportAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/system-outages/tags:
    get:
      tags:
      - Billing Dashboard
      summary: List all system outage tags
      description: Lists all unique tags used across system outage entries. Site-admin only (`view_system_outages:site_admin`).
        Requires a billing-enabled deployment.
      operationId: dashboard_ListAllUniqueTagsUsedInSystemOutagesEntries
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of unique tags.
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/marketplaces/subscriptions:
    get:
      tags:
      - Billing Dashboard
      summary: List all marketplace subscriptions
      description: Lists all marketplace subscriptions (minimal API form), newest updated first. Site-admin
        only (`view_marketplace_usage:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_ListAllMarketplaceSubscriptions
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: List of marketplace subscriptions.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Subscription'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/marketplaces/settings/warnings:
    get:
      tags:
      - Billing Dashboard
      summary: Get marketplace setting warnings
      description: Returns configuration warnings for marketplace integrations (e.g. Azure client-secret
        expiry). Site-admin only (`view_marketplace_usage:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_GetMarketplaceSettingWarnings
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Marketplace setting warnings.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SettingWarnings'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/marketplaces/{marketplace}/{subscriptionId}:
    get:
      tags:
      - Billing Dashboard
      summary: Get a marketplace subscription
      description: Returns the full API form of a marketplace subscription. Site-admin only (`view_marketplace_usage:site_admin`).
        Requires a billing-enabled deployment.
      operationId: dashboard_GetMarketplaceSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: marketplace
        in: path
        required: true
        description: Marketplace identifier (e.g. `Aws`, `Azure`, `Gcp`).
        schema:
          $ref: '#/components/schemas/Marketplace'
      - name: subscriptionId
        in: path
        required: true
        description: Marketplace subscription ID.
        schema:
          type: string
      responses:
        '200':
          description: Marketplace subscription.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Subscription'
        '400':
          description: Subscription not found or invalid.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
    delete:
      tags:
      - Billing Dashboard
      summary: Revoke a marketplace subscription
      description: Revokes a revocable marketplace subscription and all associated contracts. Site-admin
        only (`view_marketplace_usage:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_RevokeMarketplaceSubscription
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: marketplace
        in: path
        required: true
        description: Marketplace identifier.
        schema:
          $ref: '#/components/schemas/Marketplace'
      - name: subscriptionId
        in: path
        required: true
        description: Marketplace subscription ID.
        schema:
          type: string
      responses:
        '200':
          description: Subscription revoked.
        '400':
          description: Subscription not found or not revocable.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/marketplaces/{marketplace}/{subscriptionId}/ping:
    get:
      tags:
      - Billing Dashboard
      summary: Ping a marketplace subscription endpoint
      description: Pings the hosted KubeDB Platform metering readiness endpoint for a subscription (AWS or GCP only).
        Site-admin only (`view_marketplace_usage:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_PingMarketplaceEndpoint
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: marketplace
        in: path
        required: true
        description: Marketplace identifier.
        schema:
          $ref: '#/components/schemas/Marketplace'
      - name: subscriptionId
        in: path
        required: true
        description: Marketplace subscription ID.
        schema:
          type: string
      responses:
        '200':
          description: Endpoint reachable.
        '400':
          description: Subscription not found or marketplace unsupported.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/marketplaces/{marketplace}/{subscriptionId}/audit-logs:
    get:
      tags:
      - Billing Dashboard
      summary: Get marketplace subscription audit reports
      description: Returns audit event reports for a marketplace subscription, grouped by audit period.
        Site-admin only (`view_marketplace_usage:site_admin`). Requires a billing-enabled deployment.
      operationId: dashboard_GetAuditReports
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: marketplace
        in: path
        required: true
        description: Marketplace identifier.
        schema:
          $ref: '#/components/schemas/Marketplace'
      - name: subscriptionId
        in: path
        required: true
        description: Marketplace subscription ID.
        schema:
          type: string
      responses:
        '200':
          description: Audit reports grouped by period.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuditReportsResp'
        '400':
          description: Subscription not found.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/active:
    get:
      tags:
      - Billing Dashboard
      summary: List the caller's active clusters
      description: Lists clusters that reported within the `limit` window for the owner resolved from
        the query. Requires `view:contracts` authorization and a billing-enabled deployment.
      operationId: dashboard_ListActiveClusters
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: limit
        in: query
        required: false
        description: Activity window (Go duration or `YYYY-MM-DD` date).
        schema:
          type: string
      responses:
        '200':
          description: List of active clusters.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ActiveClustersAPIForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/{cid}:
    get:
      tags:
      - Billing Dashboard
      summary: Get cluster information (caller)
      description: Returns cluster information for a cluster owned by the request owner. Requires `view:contracts`
        authorization and a billing-enabled deployment.
      operationId: dashboard_GetClusterInformation
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      responses:
        '200':
          description: Cluster information.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClusterInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/clusters/{cid}/events-count:
    get:
      tags:
      - Billing Dashboard
      summary: Get cluster events count (caller)
      description: Returns today's event count for the cluster. Requires `view:contracts` authorization
        and a billing-enabled deployment.
      operationId: dashboard_GetClusterEventsCount
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      responses:
        '200':
          description: Events counter response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EventsCounterResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/{cid}/licenses:
    get:
      tags:
      - Billing Dashboard
      summary: List licenses on a cluster (caller)
      description: Lists licensed plans associated with the request owner and cluster. Requires `view:contracts`
        authorization and a billing-enabled deployment.
      operationId: dashboard_ListLicenses
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      responses:
        '200':
          description: List of licensed plans.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/LicensedPlan'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/{cid}/licenses/{lid}:
    get:
      tags:
      - Billing Dashboard
      summary: Get a license (caller)
      description: Returns a licensed plan (API form) associated with the request owner. Requires `view:contracts`
        authorization and a billing-enabled deployment.
      operationId: dashboard_GetLicense
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      responses:
        '200':
          description: Licensed plan (API form).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LicensePlanApiForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/{cid}/licenses/{lid}/products/{product}/events-count:
    get:
      tags:
      - Billing Dashboard
      summary: Get license events count (caller)
      description: Returns today's event count for a license/product. Requires `view:contracts` authorization
        and a billing-enabled deployment.
      operationId: dashboard_GetLicenseEventsCount
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: product
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      responses:
        '200':
          description: Events counter response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EventsCounterResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/{cid}/licenses/{lid}/products/{product}/groups/{group}/resources/{resource}/{rid}/events-count:
    get:
      tags:
      - Billing Dashboard
      summary: Get resource events count (caller)
      description: Returns today's event count for a specific resource object. Requires `view:contracts`
        authorization and a billing-enabled deployment.
      operationId: dashboard_GetResourceEventsCount
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: product
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      - name: group
        in: path
        required: true
        description: Kubernetes API group.
        schema:
          type: string
      - name: resource
        in: path
        required: true
        description: Kubernetes resource.
        schema:
          type: string
      - name: rid
        in: path
        required: true
        description: Resource ID (object UID).
        schema:
          type: string
      responses:
        '200':
          description: Events counter response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EventsCounterResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/{cid}/licenses/{lid}/products/{product}/events:
    get:
      tags:
      - Billing Dashboard
      summary: List events for a license (caller)
      description: Returns the tabular event list for the caller's cluster/license/product. Requires `view:contracts`
        authorization and a billing-enabled deployment.
      operationId: dashboard_GetEventsListForLicenseUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: product
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      - name: lastDays
        in: query
        required: false
        description: Look-back window in days (max 14; defaults to 14).
        schema:
          type: integer
      responses:
        '200':
          description: Tabular event list, newest first.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ClusterResourceTabularForm'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/clusters/{cid}/licenses/{lid}/products/{product}/events/raw-event:
    get:
      tags:
      - Billing Dashboard
      summary: Get raw event data (caller)
      description: Returns the raw badger value for a specific event key/version. Requires `view:contracts`
        authorization and a billing-enabled deployment.
      operationId: dashboard_GetRawEventDataUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: cid
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: lid
        in: path
        required: true
        description: License ID.
        schema:
          type: string
      - name: product
        in: path
        required: true
        description: Product name.
        schema:
          type: string
      - name: key
        in: query
        required: true
        description: Badger event key.
        schema:
          type: string
      - name: version
        in: query
        required: true
        description: Event version (uint).
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Raw badger value.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/BadgerValue'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
  /dashboard/summary/generated-months:
    get:
      tags:
      - Billing Dashboard
      summary: List generated summary months
      description: Returns the year/month combinations for which a usage summary has been generated for
        the owner. Requires `view_usage_analytics:site_admin` and a billing-enabled deployment.
      operationId: dashboard_GetGeneratedMonthsForUser
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Generated year/month list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GeneratedDates'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/object-quota-history/clusters/{clusterUID}/objects/{objectID}:
    get:
      tags:
      - Billing Dashboard
      summary: Get KubeDB object quota history
      description: Returns the quota-history usage view for a specific KubeDB object. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment. Response is a complex, deeply-nested usage view modeled as a
        free-form object.
      operationId: dashboard_GetKubeDbObjectQuotaHistoryView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: clusterUID
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: objectID
        in: path
        required: true
        description: Object (database) ID.
        schema:
          type: string
      responses:
        '200':
          description: Object quota history view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/objects-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeDB objects usage view
      description: Returns the KubeDB objects usage view for the month, enriched with each object's daily
        event count. Requires `view_usage_analytics:site_admin` and a billing-enabled deployment.
      operationId: dashboard_GetKubeDbObjectsUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        description: View type selector.
        schema:
          type: string
      - name: group
        in: query
        required: false
        schema:
          type: string
      - name: kind
        in: query
        required: false
        schema:
          type: string
      - name: clusterUID
        in: query
        required: false
        schema:
          type: string
      - name: namespace
        in: query
        required: false
        schema:
          type: string
      - name: namespaceUID
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: KubeDB objects usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/clusters-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeDB clusters usage view
      description: Returns the KubeDB clusters usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetKubeDbClustersUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      - name: group
        in: query
        required: false
        schema:
          type: string
      - name: kind
        in: query
        required: false
        schema:
          type: string
      - name: contractID
        in: query
        required: false
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: KubeDB clusters usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/namespaces-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeDB namespaces usage view
      description: Returns the KubeDB namespaces usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetKubeDbNamespacesUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      - name: clusterUID
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: KubeDB namespaces usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/gks-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeDB GKs usage view
      description: Returns the KubeDB "GKs" (group/kind) usage view for the month, with total monthly
        usage matrix. Requires `view_usage_analytics:site_admin` and a billing-enabled deployment.
      operationId: dashboard_GetKubeDbGksUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      - name: clusterUID
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: KubeDB GKs usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/contracts-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeDB contracts usage view
      description: Returns the KubeDB contracts usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetKubeDbContractsUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: KubeDB contracts usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/object-quota-history-summaries-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeDB object quota history summaries view
      description: Returns the month-specific KubeDB object quota-history summaries. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetKubeDbQuotaHistoryMonthSpecificSummariesView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      responses:
        '200':
          description: Object quota history summaries view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  ? /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/object-quota-history-summaries-view/clusters/{clusterUID}/objects/{objectID}
  : get:
      tags:
      - Billing Dashboard
      summary: KubeDB object quota history summary (specific object)
      description: Returns the month-specific KubeDB object quota-history summary for a specific cluster/object.
        Requires `view_usage_analytics:site_admin` and a billing-enabled deployment.
      operationId: dashboard_GetSpecificGetKubeDbQuotaHistoryMonthSpecificSummaryView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: clusterUID
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: objectID
        in: path
        required: true
        description: Object (database) ID.
        schema:
          type: string
      responses:
        '200':
          description: Object quota history summary view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/objects-cluster-mode-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeDB objects cluster-mode usage view
      description: Returns the KubeDB objects cluster-mode usage history list for the month. Requires
        `view_usage_analytics:site_admin` and a billing-enabled deployment.
      operationId: dashboard_GetAllObjectsClusterModeUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      responses:
        '200':
          description: Objects cluster-mode usage history list view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  ? /dashboard/summary/{year}/{month}/usage-report/products/kubeDb/views/objects-cluster-mode-usage-view/clusters/{clusterUID}/objects/{objectID}
  : get:
      tags:
      - Billing Dashboard
      summary: KubeDB object cluster-mode usage view (specific object)
      description: Returns the KubeDB cluster-mode usage history for a specific cluster/ object. Requires
        `view_usage_analytics:site_admin` and a billing-enabled deployment.
      operationId: dashboard_GetSpecificKubeDbObjectClusterModeUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: clusterUID
        in: path
        required: true
        description: Cluster UID.
        schema:
          type: string
      - name: objectID
        in: path
        required: true
        description: Object (database) ID.
        schema:
          type: string
      responses:
        '200':
          description: Object cluster-mode usage history view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeStash/views/clusters-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeStash clusters usage view
      description: Returns the KubeStash clusters usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetKubeStashClustersUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      - name: contractID
        in: query
        required: false
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: KubeStash clusters usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeStash/views/contracts-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeStash contracts usage view
      description: Returns the KubeStash contracts usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetKubeStashContractsUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: KubeStash contracts usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeVault/views/clusters-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeVault clusters usage view
      description: Returns the KubeVault clusters usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetKubeVaultClustersUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      - name: contractID
        in: query
        required: false
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: KubeVault clusters usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/kubeVault/views/contracts-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: KubeVault contracts usage view
      description: Returns the KubeVault contracts usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetKubeVaultContractsUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: KubeVault contracts usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/voyager/views/clusters-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: Voyager clusters usage view
      description: Returns the Voyager clusters usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetVoyagerClustersUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      - name: contractID
        in: query
        required: false
        schema:
          type: integer
          format: int64
      responses:
        '200':
          description: Voyager clusters usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/usage-report/products/voyager/views/contracts-usage-view:
    get:
      tags:
      - Billing Dashboard
      summary: Voyager contracts usage view
      description: Returns the Voyager contracts usage view for the month. Requires `view_usage_analytics:site_admin`
        and a billing-enabled deployment.
      operationId: dashboard_GetVoyagerContractsUsageView
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      - name: view_type
        in: query
        required: false
        schema:
          type: string
      responses:
        '200':
          description: Voyager contracts usage view.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '400':
          $ref: '#/components/responses/ValidationError'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dashboard/summary/{year}/{month}/download:
    get:
      tags:
      - Billing Dashboard
      summary: Download the monthly usage report (PDF)
      description: Renders and returns the KubeDB usage summary as a PDF document for the given month.
        Requires `view_usage_analytics:site_admin` and a billing-enabled deployment.
      operationId: dashboard_DownloadKubeDbPdfReport
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/summaryYearParam'
      - $ref: '#/components/parameters/summaryMonthParam'
      responses:
        '200':
          description: The usage report PDF.
          content:
            application/pdf:
              schema:
                type: string
                format: binary
            application/octet-stream:
              schema:
                type: string
                format: binary
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dbaas/billing/reports/namespaces:
    get:
      tags:
      - Billing Dashboard
      summary: List DBaaS namespace reports
      description: Returns the DBaaS namespace report list (V1) for the owner. Requires a billing-enabled
        deployment.
      operationId: dashboard_GetNamespaceReportList
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: Namespace report list (pre-marshaled view, free-form).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /dbaas/billing/reports/clusters/{clusterID}/namespaces/{namespaceName}:
    get:
      tags:
      - Billing Dashboard
      summary: Get a DBaaS namespace report
      description: Returns the DBaaS namespace report (V1) for a specific cluster/namespace. Requires
        a billing-enabled deployment.
      operationId: dashboard_GetNamespaceReport
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: clusterID
        in: path
        required: true
        description: Cluster ID.
        schema:
          type: string
      - name: namespaceName
        in: path
        required: true
        description: Namespace name.
        schema:
          type: string
      responses:
        '200':
          description: Namespace report (pre-marshaled view, free-form).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UsageView'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
  /marketplaces/standalone-organizations/{claimID}/claimable:
    get:
      tags:
      - Marketplace
      summary: Check whether a standalone marketplace organization is claimable
      description: 'Served by the marketplace webhook listener (rooted at `/marketplace/api/v1`). Evaluates
        the claim-rules flags of a standalone (marketplace-created) organization identified by its claim
        ID and reports whether it can currently be claimed. This endpoint is public. Note: this webhook
        listener also serves GET /version (identical to the main server /version).'
      operationId: marketplace_CheckClaimRulesOfStandaloneOrg
      x-listener: marketplace
      security: []
      parameters:
      - name: claimID
        in: path
        required: true
        description: The claim ID of the standalone organization.
        schema:
          type: string
      responses:
        '200':
          description: Claimable check result. Returned both when the organization is claimable and when
            the retry backoff has not yet expired but the organization is already flagged claimable.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrgClaimableCheckResp'
        '404':
          description: Standalone organization not found.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '409':
          description: The organization is already claimed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '429':
          description: Retry backoff is not expired; try again later.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '500':
          description: Internal server error while evaluating claim rules.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
    servers: &id001
    - url: https://{host}/marketplace/api/v1
      description: Marketplace webhook listener (separate service)
      variables:
        host:
          default: appscode.com
          description: Deployment host
  /marketplaces/aws/notification/resource:
    post:
      tags:
      - Marketplace
      summary: Handle an AWS Marketplace webhook notification
      description: 'Served by the marketplace webhook listener (rooted at `/marketplace/api/v1`). Receives
        AWS Marketplace bind-event notifications. Authentication is enforced by the webhook itself: the
        request payload is verified (`marketplace` must be `Aws`, cluster ID and options validated) and,
        outside dev run mode, the source IP must fall within the allowed AWS EC2 IP ranges. No platform
        bearer-token security applies.'
      operationId: marketplace_HandleAwsWebhookCalls
      x-listener: marketplace
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AwsWebhookNotification'
      responses:
        '200':
          description: Subscription bound successfully. Returns the installer archive download link.
          content:
            application/json:
              schema:
                type: object
                properties:
                  link:
                    type: string
        '400':
          description: Payload verification, binding-info validation, or installer option processing failed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '403':
          description: Request originated from an unauthorized IP address.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '500':
          description: Internal server error while provisioning the subscription.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
    servers: *id001
  /marketplaces/azure/notification/resource:
    post:
      tags:
      - Marketplace
      summary: Handle an Azure Marketplace webhook notification
      description: Served by the marketplace webhook listener (rooted at `/marketplace/api/v1`). Receives
        Azure Marketplace lifecycle notifications (`PUT`, `DELETE`, `BIND`). Authentication is enforced
        by the webhook itself via a per-installer `secret` query parameter that must match the configured
        marketplace API secret. No platform bearer-token security applies.
      operationId: marketplace_HandleAzureWebhookCalls
      x-listener: marketplace
      security: []
      parameters:
      - name: secret
        in: query
        required: false
        description: Marketplace API secret used to authenticate the Azure webhook call.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AzureWebhookNotification'
      responses:
        '200':
          description: Notification processed successfully. For `PUT`/`DELETE` events an empty body with
            status 200 is returned; for `BIND` events the installer archive link is returned.
        '400':
          description: Invalid subscription ID, unknown event type, or invalid binding info.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '403':
          description: Marketplace API secret mismatch, or subscription not found while revoking contracts
            on delete.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '500':
          description: Internal server error while processing the notification.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
    servers: *id001
  /marketplaces/gcp/notification/resource:
    post:
      tags:
      - Marketplace
      summary: Handle a GCP Marketplace webhook notification
      description: Served by the marketplace webhook listener (rooted at `/marketplace/api/v1`). Receives
        GCP Marketplace bind-event notifications. Authentication is enforced by the webhook itself via
        a per-installer `secret` query parameter that must match the configured marketplace API secret
        (bypassed only for the designated GCP Marketplace test installer). No platform bearer-token security
        applies.
      operationId: marketplace_HandleGcpWebhookCalls
      x-listener: marketplace
      security: []
      parameters:
      - name: secret
        in: query
        required: false
        description: Marketplace API secret used to authenticate the GCP webhook call.
        schema:
          type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GcpWebhookNotification'
      responses:
        '200':
          description: Subscription bound successfully. Returns the installer archive download link.
          content:
            application/json:
              schema:
                type: object
                properties:
                  link:
                    type: string
        '400':
          description: Invalid binding info or installer lookup failure.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '403':
          description: Marketplace API secret mismatch or installer already bound.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '500':
          description: Internal server error while provisioning the subscription.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
    servers: *id001
  /proxy/metered-billing/marketplaces/aws/report-usage:
    post:
      tags:
      - Marketplace
      summary: Proxy a metered-usage report to AWS Marketplace Metering
      description: Forwards a usage report to the AWS Marketplace Metering service. Requires site-admin
        privileges. This route is only registered when the KubeDB Platform deployment type is `AWSMarketplaceDeployment`;
        on other deployments it does not exist.
      operationId: marketplace_ReportAwsUsage
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MeterUsageInput'
      responses:
        '200':
          description: Usage reported successfully. Returns the AWS metering record.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/MeterUsageOutput'
        '400':
          description: AWS Marketplace Metering rejected the request (e.g. customer not entitled, duplicate
            request, invalid product code, or throttling).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AwsMeteringProxyErr'
        '401':
          description: Authentication required.
        '403':
          description: Site-admin privileges required.
        '422':
          description: Unprocessable request body.
        '500':
          description: Failed to report usage to AWS, or an unmapped AWS error code was returned.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AwsMeteringProxyErr'
  /proxy/metered-billing/marketplaces/aws/check/readiness:
    get:
      tags:
      - Marketplace
      summary: Check readiness of the AWS metering proxy endpoint
      description: Readiness probe for the AWS metering proxy. Requires site-admin privileges. This route
        is only registered when the KubeDB Platform deployment type is `AWSMarketplaceDeployment`; on other deployments
        it does not exist.
      operationId: marketplace_ReadinessCheckAwsMeteringEndpoint
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: The AWS metering proxy is ready.
        '401':
          description: Authentication required.
        '403':
          description: Site-admin privileges required.
  /proxy/metered-billing/marketplaces/gcp/report-usage:
    post:
      tags:
      - Marketplace
      summary: Proxy a metered-usage report to GCP Service Control
      description: Forwards a usage report to the GCP Service Control reporting API. Requires site-admin
        privileges. This route is only registered when the KubeDB Platform deployment type is `GCPMarketplaceDeployment`;
        on other deployments it does not exist.
      operationId: marketplace_ReportGcpUsage
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GcpUsageReport'
      responses:
        '200':
          description: Usage reported successfully. Returns the GCP Service Control report response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Authentication required.
        '403':
          description: Site-admin privileges required.
        '422':
          description: Unprocessable request body.
        '500':
          description: Failed to report usage to GCP Service Control.
  /proxy/metered-billing/marketplaces/gcp/check/readiness:
    get:
      tags:
      - Marketplace
      summary: Check readiness of the GCP metering proxy endpoint
      description: Readiness probe for the GCP metering proxy. Requires site-admin privileges. This route
        is only registered when the KubeDB Platform deployment type is `GCPMarketplaceDeployment`; on other deployments
        it does not exist.
      operationId: marketplace_ReadinessCheckGcpMeteringEndpoint
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: The GCP metering proxy is ready.
        '401':
          description: Authentication required.
        '403':
          description: Site-admin privileges required.
  /telemetry/{owner}/monitoring-clusters:
    get:
      tags:
      - Monitoring & Telemetry
      summary: List monitoring clusters of the owner
      description: Returns the names of clusters imported by the owner that are configured as monitoring
        clusters, optionally filtered to the region of the target cluster given by the `targetClusterName`
        query parameter. Requires the caller to be an admin of the {owner} organization.
      operationId: telemetry_GetMonitoringClustersOfThisOwner
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: targetClusterName
        in: query
        required: false
        schema:
          type: string
        description: Name of the target cluster used to determine the region filter.
      responses:
        '200':
          description: List of monitoring cluster names.
          content:
            application/json:
              schema:
                type: array
                items:
                  type: string
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '500':
          description: Internal server error.
  /telemetry/{owner}/{cluster}/stack:
    post:
      tags:
      - Monitoring & Telemetry
      summary: Create a TelemetryStack on the monitoring cluster
      description: Creates a TelemetryStack custom resource on the given monitoring cluster and marks
        the cluster as a monitoring cluster. Requires the caller to be an admin of the {owner} organization.
      operationId: telemetry_CreateTelemetryStack
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: cluster
        in: path
        required: true
        schema:
          type: string
        description: Name of the monitoring cluster.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateTelemetryStackRequest'
      responses:
        '200':
          description: The created TelemetryStack object.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '500':
          description: Internal server error.
  /telemetry/{owner}/{cluster}/values/appscode-otel-stack:
    get:
      tags:
      - Monitoring & Telemetry
      summary: Get appscode-otel-stack Helm values for a cluster
      description: Returns the Helm values for the `opentelemetry-kube-stack` chart to be installed on
        the target cluster (given by the `targetClusterName` query parameter) so it ships telemetry to
        the given monitoring cluster. Requires the caller to be an admin of the {owner} organization.
      operationId: telemetry_GetOtelKubestackValuesOfCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: cluster
        in: path
        required: true
        schema:
          type: string
        description: Name of the monitoring cluster.
      - name: targetClusterName
        in: query
        required: true
        schema:
          type: string
        description: Name of the target cluster the values are generated for.
      responses:
        '200':
          description: A dynamic Helm values object for the appscode-otel-stack chart.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/K8sObject'
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '500':
          description: Internal server error.
  /telemetry/{owner}/{cluster}/stack/host:
    get:
      tags:
      - Monitoring & Telemetry
      summary: Get the host of a monitoring cluster
      description: Returns the ingress host (hostname or IP) of the given monitoring cluster used by telemetry
        collectors. Requires the caller to be an admin of the {owner} organization.
      operationId: telemetry_GetHostOfMonitoringCluster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: cluster
        in: path
        required: true
        schema:
          type: string
        description: Name of the monitoring cluster.
      responses:
        '200':
          description: The host string of the monitoring cluster.
          content:
            application/json:
              schema:
                type: string
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '500':
          description: Internal server error.
  /telemetry/{owner}/{cluster}/tenants/ownerlist:
    get:
      tags:
      - Monitoring & Telemetry
      summary: List tenant owners on a monitoring cluster
      description: Lists the Tenant custom resources present on the given monitoring cluster, returning
        a map of tenant owner identifier (`ace.user.{id}`) to the KubeDB Platform user name. Requires the caller to
        be an admin of the {owner} organization.
      operationId: telemetry_GetTenantOwner
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/ownerParam'
      - name: cluster
        in: path
        required: true
        schema:
          type: string
        description: Name of the monitoring cluster.
      responses:
        '200':
          description: Map of tenant owner identifier to KubeDB Platform user name.
          content:
            application/json:
              schema:
                type: object
                additionalProperties:
                  type: string
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '500':
          description: Internal server error.
  /trickster/register:
    post:
      tags:
      - Monitoring & Telemetry
      summary: Register a Trickster (Grafana) backend
      description: Registers a Prometheus backend with the Trickster proxy and returns a Grafana datasource
        response. Requires a valid token and org-admin context.
      operationId: trickster_RegisterTricksterBackend
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RegisterRequest'
      responses:
        '200':
          description: Grafana datasource response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GrafanaDatasourceResponse'
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '404':
          description: Cluster not found.
        '500':
          description: Internal server error.
  /trickster/perses/register:
    post:
      tags:
      - Monitoring & Telemetry
      summary: Register a Trickster (Perses) backend
      description: Registers a Prometheus backend with the Trickster proxy and returns a Perses datasource
        response. Requires a valid token and org-admin context.
      operationId: trickster_RegisterTricksterBackendForPerses
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RegisterRequest'
      responses:
        '200':
          description: Perses datasource response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PersesDatasourceResponse'
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '404':
          description: Cluster not found.
        '500':
          description: Internal server error.
  /trickster/unregister:
    post:
      tags:
      - Monitoring & Telemetry
      summary: Unregister a Trickster (Grafana) backend
      description: Removes the Trickster backend and Grafana datasource associated with the given Prometheus
        context. Requires a valid token and org-admin context.
      operationId: trickster_UnregisterTricksterBackend
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PrometheusContext'
      responses:
        '200':
          description: Backend unregistered.
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '404':
          description: Cluster not found.
        '500':
          description: Internal server error.
  /trickster/perses/unregister:
    post:
      tags:
      - Monitoring & Telemetry
      summary: Unregister a Trickster (Perses) backend
      description: Removes the Trickster backend and Perses datasource associated with the given Prometheus
        context. Requires a valid token and org-admin context.
      operationId: trickster_UnregisterTricksterBackendForPerses
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PrometheusContext'
      responses:
        '200':
          description: Backend unregistered.
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not an org admin.
        '404':
          description: Cluster not found.
        '500':
          description: Internal server error.
  /trickster/auth/{uidcid}/{path}:
    get:
      tags:
      - Monitoring & Telemetry
      summary: Check cluster ownership for Trickster auth
      description: Auth-proxy hook used by prom-authproxy. Validates that the caller owns (or is a member
        of the org that owns) the cluster identified by the `uid.clusterid[.projectid]` path segment and
        returns owner/cluster/tenant metadata. The trailing wildcard path captures the proxied request
        path. Requires a valid token and org-admin context.
      operationId: trickster_CheckClusterOwnershipForTrickster
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - name: uidcid
        in: path
        required: true
        schema:
          type: string
        description: Identifier following the `uid.clusterid[.projectid]` pattern.
      - name: path
        in: path
        required: true
        schema:
          type: string
        description: Remaining proxied request path (matched by the trailing wildcard).
      responses:
        '200':
          description: Cluster ownership metadata.
          content:
            application/json:
              schema:
                type: object
                additionalProperties:
                  type: string
                description: Contains keys `owner`, `clusterName`, `tenantID`, and optionally `clientOrg`.
        '400':
          description: Bad request — malformed id parameter.
        '401':
          description: Unauthorized — caller is not an organization member.
        '403':
          description: Forbidden.
        '404':
          description: Cluster or owner not found.
        '500':
          description: Internal server error.
  /rancher/org/{orgname}/sync/users:
    get:
      tags:
      - Rancher
      summary: Sync Rancher users into the organization
      description: Imports users from the org's Rancher management cluster into the KubeDB Platform, creating KubeDB Platform users
        and adding them to the viewer team. Requires site-admin privileges and a Rancher-managed organization.
      operationId: rancher_SyncRancherUsers
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Result of the sync operation.
          content:
            application/json:
              schema:
                type: object
                properties:
                  synced_users:
                    type: array
                    items:
                      type: string
                  failed_users:
                    type: array
                    items:
                      type: object
                      additionalProperties:
                        type: string
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not a site admin.
        '500':
          description: Internal server error.
  /rancher/org/{orgname}/acerproxy:
    get:
      tags:
      - Rancher
      summary: Get the acerproxy Helm installation command
      description: Returns a ready-to-run Helm command to install the acerproxy chart, wired with a freshly
        issued Rancher extended server token and the platform base URL. Requires site-admin privileges
        and a Rancher-managed organization.
      operationId: rancher_GetAcerProxyInstallationCommand
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: Object containing the Helm installation command.
          content:
            application/json:
              schema:
                type: object
                properties:
                  helm:
                    type: string
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not a site admin.
        '500':
          description: Internal server error.
  /rancher/org/{orgname}/ca/download:
    get:
      tags:
      - Rancher
      summary: Download the platform CA certificate
      description: Returns the platform CA certificate as a downloadable text file (`ace-ca.txt`). Requires
        site-admin privileges and a Rancher-managed organization.
      operationId: rancher_DownloadCA
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      parameters:
      - $ref: '#/components/parameters/orgnameParam'
      responses:
        '200':
          description: The CA certificate file.
          content:
            text/plain:
              schema:
                type: string
        '400':
          description: No CA certificate found.
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not a site admin.
        '500':
          description: Internal server error.
  /rancher/proxy-token:
    post:
      tags:
      - Rancher
      summary: Create a Rancher proxy server token
      description: Creates a Rancher extended server token for the given Rancher URL and returns it in
        access-token API format. Requires site-admin privileges.
      operationId: rancher_CreateRancherProxyServerToken
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      requestBody:
        required: true
        description: A string map; the `rancherUrl` key specifies the Rancher management cluster endpoint.
        content:
          application/json:
            schema:
              type: object
              additionalProperties:
                type: string
      responses:
        '201':
          description: The created access token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AccessToken'
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden — caller is not a site admin.
        '500':
          description: Internal server error.
  /rancher/nats-cred:
    get:
      tags:
      - Rancher
      summary: Get NATS user credentials for the Rancher user
      description: Returns the primary NATS user JWT and seed for the authenticated Rancher user, recreating
        the primary NATS account if the existing credentials are no longer authorized. Requires a valid
        token (Rancher user context injected by injectRancherUserInfo).
      operationId: rancher_GetNatsUserCredentials
      security:
      - AuthorizationHeaderToken: []
      - Token: []
      - AccessToken: []
      responses:
        '200':
          description: NATS user credentials.
          content:
            application/json:
              schema:
                type: object
                properties:
                  user-jwt:
                    type: string
                  user-seed:
                    type: string
                  url:
                    type: string
                    description: Present only when two external NATS addresses are configured.
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden.
        '500':
          description: Internal server error.
  /chartrepositories:
    get:
      tags:
      - Chart Repositories
      summary: List Helm Hub chart repositories
      description: Returns the list of known Helm Hub chart repositories. Public endpoint.
      operationId: charts_repo_GetChartRepos
      security: []
      responses:
        '200':
          description: List of chart repository entries.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ChartRepositoryEntry'
        '500':
          description: Internal server error.
  /chartrepositories/charts:
    get:
      tags:
      - Chart Repositories
      summary: List charts in a chart repository
      description: Loads the chart repository at the given `url` and returns the list of charts it contains.
        Public endpoint.
      operationId: charts_repo_GetCharts
      security: []
      parameters:
      - name: url
        in: query
        required: true
        schema:
          type: string
        description: URL of the chart repository.
      responses:
        '200':
          description: List of charts in the repository.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ChartVersion'
        '400':
          description: Missing chart repo url.
        '500':
          description: Internal server error.
  /chartrepositories/charts/{name}/versions:
    get:
      tags:
      - Chart Repositories
      summary: List versions of a chart
      description: Loads the chart repository at the given `url` and returns the available versions of
        the named chart. Public endpoint.
      operationId: charts_repo_GetChartVersions
      security: []
      parameters:
      - name: name
        in: path
        required: true
        schema:
          type: string
        description: Name of the chart.
      - name: url
        in: query
        required: true
        schema:
          type: string
        description: URL of the chart repository.
      responses:
        '200':
          description: List of chart versions.
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ChartVersion'
        '400':
          description: Missing chart repo url or chart name.
        '500':
          description: Internal server error.
  /version:
    get:
      tags:
      - Miscellaneous
      summary: Get the server version
      description: Returns the version of the server application. Public endpoint.
      operationId: misc_Version
      security: []
      responses:
        '200':
          description: The server version.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ServerVersion'
  /markdown:
    post:
      tags:
      - Miscellaneous
      summary: Render a markdown document as HTML
      description: Renders the supplied markdown as HTML. In `gfm` mode links are resolved relative to
        the provided context. Public endpoint.
      operationId: misc_Markdown
      security: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MarkdownOption'
      responses:
        '200':
          description: The rendered HTML.
          content:
            text/html:
              schema:
                type: string
        '422':
          description: Validation error.
  /markdown/raw:
    post:
      tags:
      - Miscellaneous
      summary: Render raw markdown as HTML
      description: Renders the raw markdown request body (text/plain) as HTML. Public endpoint.
      operationId: misc_MarkdownRaw
      security: []
      requestBody:
        required: true
        description: Raw markdown text to render.
        content:
          text/plain:
            schema:
              type: string
      responses:
        '200':
          description: The rendered HTML.
          content:
            text/html:
              schema:
                type: string
        '422':
          description: Validation error.
  /swagger:
    get:
      tags:
      - Miscellaneous
      summary: Render the Swagger UI page
      description: Serves the Swagger UI HTML page for the v1 API. Only registered when swagger is enabled
        in the server configuration. Public endpoint.
      operationId: misc_Swagger
      security: []
      responses:
        '200':
          description: The Swagger UI HTML page.
          content:
            text/html:
              schema:
                type: string
components:
  securitySchemes:
    AuthorizationHeaderToken:
      type: apiKey
      in: header
      name: Authorization
      description: 'Personal access token, prefixed with the literal "token ": `Authorization: token <PAT>`.'
    Token:
      type: apiKey
      in: query
      name: token
      description: Personal access token supplied as a query parameter.
    AccessToken:
      type: apiKey
      in: query
      name: access_token
      description: Personal access token supplied as the `access_token` query parameter.
    BasicAuth:
      type: http
      scheme: basic
      description: HTTP Basic authentication, used by token-management endpoints (optionally with an OTP
        header for 2FA).
    SessionCookie:
      type: apiKey
      in: cookie
      name: i_like_ace
      description: Session cookie issued to the web console after sign-in (CSRF-protected). The cookie
        name is configurable via the session COOKIE_NAME setting.
    SudoParam:
      type: apiKey
      in: query
      name: sudo
      description: Site-admin impersonation of the named user.
    SudoHeader:
      type: apiKey
      in: header
      name: Sudo
      description: Site-admin impersonation of the named user.
  parameters:
    ownerParam:
      name: owner
      in: path
      required: true
      description: Organization slug or username that owns the cluster.
      schema: &id003
        type: string
    clusterParam:
      name: cluster
      in: path
      required: true
      description: Cluster name within the owner scope.
      schema: &id002
        type: string
    orgnameParam:
      name: orgname
      in: path
      required: true
      description: Organization slug.
      schema:
        type: string
    orgnameQuery:
      name: org
      in: query
      required: false
      description: Organization slug providing org context, resolved from the `?org=` query parameter
        (used by admin/authorization endpoints).
      schema:
        type: string
    OwnerQueryParam:
      name: org
      in: query
      required: false
      description: Owner (organization) context supplied as the `?org=` query parameter (used by contract
        endpoints).
      schema:
        type: string
    usernameParam:
      name: username
      in: path
      required: true
      description: Account username.
      schema: &id004
        type: string
    pageParam:
      name: page
      in: query
      required: false
      description: Page number of results to return (1-based).
      schema:
        type: integer
    limitParam:
      name: limit
      in: query
      required: false
      description: Page size of results.
      schema:
        type: integer
    summaryYearParam:
      name: year
      in: path
      required: true
      description: Report year (e.g. `2026`).
      schema:
        type: string
    summaryMonthParam:
      name: month
      in: path
      required: true
      description: Report month name (case-insensitive, e.g. `january`).
      schema:
        type: string
    cluster:
      name: cluster
      in: path
      required: true
      description: Cluster name within the owner scope.
      schema: *id002
    clusterPathParam:
      name: cluster
      in: path
      required: true
      description: Cluster name within the owner scope.
      schema: *id002
    owner:
      name: owner
      in: path
      required: true
      description: Organization slug or username that owns the cluster.
      schema: *id003
    ownerPathParam:
      name: owner
      in: path
      required: true
      description: Organization slug or username that owns the cluster.
      schema: *id003
    username:
      name: username
      in: path
      required: true
      description: Account username.
      schema: *id004
  responses:
    NotFound:
      description: The target could not be found.
      content: &id006
        application/json:
          schema:
            $ref: '#/components/schemas/APIError'
    Unauthorized:
      description: Authentication is required or has failed.
      content: &id007
        application/json:
          schema:
            $ref: '#/components/schemas/APIError'
    Forbidden:
      description: The caller is authenticated but not authorized for this action.
      content: &id005
        application/json:
          schema:
            $ref: '#/components/schemas/APIError'
    ValidationError:
      description: The request body or parameters failed validation.
      content: &id008
        application/json:
          schema:
            $ref: '#/components/schemas/APIError'
    forbidden:
      description: The caller is authenticated but not authorized for this action.
      content: *id005
    notFound:
      description: The target could not be found.
      content: *id006
    unauthorized:
      description: Authentication is required or has failed.
      content: *id007
    validationError:
      description: The request body or parameters failed validation.
      content: *id008
  schemas:
    APIError:
      type: object
      description: Standard error envelope returned by the API on failure.
      properties:
        message:
          type: string
        url:
          type: string
    K8sObject:
      type: object
      description: A free-form Kubernetes object (arbitrary group/version/kind). Passed through to/from
        the member cluster verbatim.
      additionalProperties: true
    K8sStatus:
      type: object
      description: A Kubernetes metav1.Status object.
      additionalProperties: true
    ObjectReference:
      type: object
      description: A reference to a Kubernetes object (kmodules ObjectReference).
      properties:
        namespace:
          type: string
        name:
          type: string
    GroupVersionResource:
      type: object
      properties:
        group:
          type: string
        version:
          type: string
        resource:
          type: string
    User:
      type: object
      description: Represents a user (individual or organization).
      properties:
        id:
          type: integer
          format: int64
        login:
          type: string
          description: The user's username.
        username:
          type: string
          description: Backward-compatibility alias of login (added via custom MarshalJSON).
        full_name:
          type: string
        email:
          type: string
          format: email
        avatar_url:
          type: string
        language:
          type: string
        is_admin:
          type: boolean
        last_login:
          type: string
          format: date-time
        created:
          type: string
          format: date-time
        type:
          type: integer
        active:
          type: boolean
        prohibit_login:
          type: boolean
        location:
          type: string
        website:
          type: string
        description:
          type: string
        orgAdmin:
          type: boolean
        orgType:
          type: integer
        clientOrgUser:
          type: boolean
    Email:
      type: object
      description: An email address belonging to a user.
      properties:
        email:
          type: string
          format: email
        verified:
          type: boolean
        primary:
          type: boolean
    CreateEmailOption:
      type: object
      description: Options when creating email addresses.
      properties:
        emails:
          type: array
          items:
            type: string
    DeleteEmailOption:
      type: object
      description: Options when deleting email addresses.
      properties:
        emails:
          type: array
          items:
            type: string
    AccessToken:
      type: object
      description: An API access token (structs.AccessToken).
      properties:
        id:
          type: integer
          format: int64
        name:
          type: string
        sha1:
          type: string
          description: The plaintext token, returned only on creation.
        token_last_eight:
          type: string
    CreateAccessTokenOption:
      type: object
      description: Options when creating an access token.
      required:
      - name
      properties:
        name:
          type: string
    Organization:
      type: object
      description: Represents an organization.
      properties:
        id:
          type: integer
          format: int64
        username:
          type: string
        full_name:
          type: string
        avatar_url:
          type: string
        description:
          type: string
        website:
          type: string
        location:
          type: string
        rancherManagementClusterEndPoint:
          type: string
        visibility:
          type: string
        orgType:
          type: integer
    Team:
      type: object
      description: Represents a team in an organization.
      properties:
        id:
          type: integer
          format: int64
        name:
          type: string
        description:
          type: string
        organization:
          $ref: '#/components/schemas/Organization'
        permission:
          type: string
          description: One of none, read, write, admin, owner.
        units:
          type: array
          items:
            type: string
        type:
          type: string
        role_ids:
          type: array
          items:
            type: integer
            format: int64
    FirebaseToken:
      type: object
      description: A Firebase custom auth token.
      properties:
        firebaseToken:
          type: string
    NatsCredentialsResponse:
      type: object
      description: NATS endpoints and credential bytes for the authenticated user.
      properties:
        natsEndpoints:
          type: array
          items:
            type: string
        credentials:
          type: string
          format: byte
    SignInParams:
      type: object
      description: Credentials for signing in with username and password.
      properties:
        username:
          type: string
        password:
          type: string
        remember:
          type: boolean
    Profile:
      type: object
      description: Editable user profile fields.
      properties:
        name:
          type: string
        full_name:
          type: string
        email:
          type: string
          format: email
        keep_email_private:
          type: boolean
        website:
          type: string
        location:
          type: string
        language:
          type: string
        description:
          type: string
    AvatarParams:
      type: object
      description: Avatar settings. On update accepts multipart/form-data with an avatar file.
      properties:
        source:
          type: string
        avatar:
          type: string
          format: binary
          description: Uploaded avatar file (multipart).
        gravatar:
          type: string
        federavatar:
          type: boolean
    UpdatePasswordParams:
      type: object
      description: Fields for updating the user's password.
      properties:
        old_password:
          type: string
        password:
          type: string
        retype:
          type: string
    AddEmailParams:
      type: object
      description: Field for adding a new email address.
      properties:
        email:
          type: string
          format: email
    Pagination:
      type: object
      description: Per-UI pagination page-size settings (models.Pagination).
      properties:
        kubeDBUI:
          type: integer
          format: int64
        consoleUI:
          type: integer
          format: int64
        platformUI:
          type: integer
          format: int64
    Validation:
      type: object
      description: Result of a username/orgname/email validation check.
      properties:
        Status:
          type: string
          description: One of VALID, USER_EXISTS, RESERVED, INVALID, NOT_ALLOWED.
    TwoFAStatus:
      type: object
      description: Two-factor enrollment status.
      properties:
        twoFAEnrolled:
          type: boolean
    TwoFactorAuthParams:
      type: object
      description: TOTP passcode used to complete two-factor enrollment.
      properties:
        passCode:
          type: string
    Security:
      type: object
      description: TOTP secret and QR image data URL for two-factor enrollment.
      properties:
        twoFASecret:
          type: string
        twoFAImageURL:
          type: string
          description: data:image/png;base64 encoded QR code.
    WebauthnRegistrationOptions:
      type: object
      description: Options for reserving a WebAuthn credential name.
      required:
      - name
      properties:
        name:
          type: string
    WebAuthnSecurityKeys:
      type: object
      description: A registered WebAuthn security key.
      properties:
        ID:
          type: integer
          format: int64
        Name:
          type: string
        UID:
          type: integer
          format: int64
    SessionInfoAPIForm:
      type: object
      description: 'A user session record. Embeds go-macaron session.SessInfo (opaque, protocol-defined)
        plus the fields below.

        '
      properties:
        isActiveSession:
          type: boolean
        lastAccessedZonedTime:
          type: string
        lastAccessed:
          type: integer
          format: int64
    AccountLink:
      type: object
      description: A linked external (OAuth2/login-source) account.
      properties:
        loginSourceID:
          type: integer
          format: int64
        externalID:
          type: string
        type:
          type: integer
        providerDisplayName:
          type: string
        isActived:
          type: boolean
        isSyncEnabled:
          type: boolean
    AccountLinkParams:
      type: object
      description: Identifies a linked account to remove.
      properties:
        loginSourceID:
          type: integer
          format: int64
        externalID:
          type: string
    CreateOrgParams:
      type: object
      description: Multipart form for creating an organization.
      properties:
        orgName:
          type: string
        orgFullName:
          type: string
        description:
          type: string
        website:
          type: string
        location:
          type: string
        orgType:
          type: string
        rancherManagementClusterEndPoint:
          type: string
        provideSyncToken:
          type: boolean
        rancherSyncToken:
          $ref: '#/components/schemas/RancherAccessToken'
        visibility:
          type: string
        source:
          type: string
        avatar:
          type: string
          format: binary
        gravatar:
          type: string
        federavatar:
          type: boolean
    RancherAccessToken:
      type: object
      description: Rancher sync-token access key pair (settings.AccessToken).
      properties:
        rancherSyncTokenAccessKeyID:
          type: string
        rancherSyncTokenSecretAccessKey:
          type: string
    ApiResponseMessage:
      type: object
      description: Generic message wrapper.
      properties:
        message:
          type: string
    NewAccessTokenParam:
      type: object
      description: Parameters for creating a new access token via settings.
      properties:
        name:
          type: string
        expTime:
          type: integer
          format: int64
          description: Unix timestamp expiry; 0 means no expiry.
    AccessTokenIdList:
      type: object
      description: List of access token IDs to delete.
      properties:
        tokenIDs:
          type: array
          items:
            type: integer
            format: int64
    SettingsAccessToken:
      type: object
      description: Access token in the settings API format (pkg.AccessToken).
      properties:
        id:
          type: integer
          format: int64
        uid:
          type: integer
          format: int64
        name:
          type: string
        token:
          type: string
          description: The plaintext token, returned only on creation.
        tokenLastEight:
          type: string
        createdAt:
          type: integer
          format: int64
        updatedAt:
          type: integer
          format: int64
        hasRecentActivity:
          type: boolean
        hasUsed:
          type: boolean
        expDate:
          type: integer
          format: int64
          description: TimeStamp (Unix seconds).
    OAuth2ApplicationParams:
      type: object
      description: Parameters for creating/updating an OAuth2 application.
      properties:
        name:
          type: string
        redirectUri:
          type: string
        logo:
          type: string
          format: binary
          description: Logo file (multipart, on update).
    OAuth2Application:
      type: object
      description: An OAuth2 application (pkg.OAuth2Application).
      properties:
        id:
          type: integer
          format: int64
        uid:
          type: integer
          format: int64
        name:
          type: string
        clientId:
          type: string
        clientSecret:
          type: string
          description: Plaintext client secret, returned only on create/regenerate.
        clientSecretHash:
          type: string
        redirectURIs:
          type: array
          items:
            type: string
        logo:
          type: string
        createdAt:
          type: integer
          format: int64
        updatedAt:
          type: integer
          format: int64
    OAuth2Grant:
      type: object
      description: An OAuth2 grant (pkg.OAuth2Grant).
      properties:
        id:
          type: integer
          format: int64
        userId:
          type: integer
          format: int64
        applicationId:
          type: integer
          format: int64
        applicationName:
          type: string
        logo:
          type: string
        counter:
          type: integer
          format: int64
        createdAt:
          type: integer
          format: int64
        updatedAt:
          type: integer
          format: int64
    ClusterInfo:
      type: object
      description: Summary information about a cluster (pkg.ClusterInfo).
      properties:
        id:
          type: integer
          format: int64
        displayName:
          type: string
        name:
          type: string
        uid:
          type: string
        ownerID:
          type: integer
          format: int64
        managerID:
          type: integer
          format: int64
        externalID:
          type: string
        hubClusterName:
          type: string
        hubClusterUID:
          type: string
        hubClusterOwnerName:
          type: string
        clusterSetName:
          type: string
        ownerName:
          type: string
        provider:
          type: string
        vendor:
          type: string
        infraNamespace:
          type: string
        isMonitoringCluster:
          type: boolean
        endpoint:
          type: string
        location:
          type: string
        project:
          type: string
        kubernetesVersion:
          type: string
        nodeCount:
          type: integer
          format: int32
        createdAt:
          type: string
          format: date-time
        age:
          type: string
        clusterManagers:
          type: array
          items:
            type: string
        isCapiClusterUpgradeable:
          type: boolean
        status:
          $ref: '#/components/schemas/K8sObject'
          description: rsapi.ClusterStatus (Kubernetes-style object).
    CloudCredentialApiForm:
      type: object
      description: 'A cloud credential in API form. Embeds cloudv1alpha1.CredentialSpec (a Kubernetes-style
        object, modeled as an opaque object) plus a creation timestamp.

        '
      properties:
        creationTimestamp:
          type: string
          format: date-time
      additionalProperties: true
    BucketListOptions:
      type: object
      description: Options for listing storage buckets.
      properties:
        credential:
          type: string
        gce_project:
          type: string
        cluster_uid:
          type: string
        secret_namespace:
          type: string
        secret_name:
          type: string
        provider:
          type: string
    BucketListResponse:
      type: object
      description: List of bucket names.
      properties:
        names:
          type: array
          items:
            type: string
    CreateOrgOption:
      type: object
      required:
      - username
      properties:
        username:
          type: string
        full_name:
          type: string
        description:
          type: string
        website:
          type: string
        location:
          type: string
        orgType:
          type: string
          description: possible values are `public` (default), `limited` or `private`
        rancherManagementClusterEndPoint:
          type: string
        visibility:
          type: string
          enum:
          - ''
          - public
          - limited
          - private
    EditOrgOption:
      type: object
      properties:
        full_name:
          type: string
        description:
          type: string
        website:
          type: string
        location:
          type: string
        orgType:
          type: string
          description: possible values are `public`, `limited` or `private`
        rancherManagementClusterEndPoint:
          type: string
        visibility:
          type: string
          enum:
          - ''
          - public
          - limited
          - private
    OrgClaimableCheckResp:
      type: object
      properties:
        isClaimable:
          type: boolean
        claimID:
          type: string
    CreateTeamOption:
      type: object
      required:
      - name
      - type
      properties:
        name:
          type: string
        description:
          type: string
        permission:
          type: string
          enum:
          - read
          - write
          - admin
        assignedRoleIDs:
          type: array
          items:
            type: integer
            format: int64
        type:
          type: string
    EditTeamOption:
      type: object
      required:
      - name
      properties:
        name:
          type: string
        description:
          type: string
        permission:
          type: string
          enum:
          - read
          - write
          - admin
          - custom
        assignedRoleIDs:
          type: array
          items:
            type: integer
            format: int64
        type:
          type: string
    RancherAPIToken:
      type: object
      properties:
        userID:
          type: integer
          format: int64
        orgID:
          type: integer
          format: int64
        orgName:
          type: string
        accessKeyID:
          type: string
        secretAccessKey:
          type: string
    AccessTokenInfo:
      type: object
      description: API representation of a personal/system access token (routers/api/v1/settings/pkg.AccessToken).
      properties:
        id:
          type: integer
          format: int64
        uid:
          type: integer
          format: int64
        name:
          type: string
        token:
          type: string
        tokenLastEight:
          type: string
        createdAt:
          type: integer
          format: int64
        updatedAt:
          type: integer
          format: int64
        hasRecentActivity:
          type: boolean
        hasUsed:
          type: boolean
        expDate:
          type: integer
          format: int64
          description: Unix timestamp (util.TimeStamp)
    NatsAccount:
      type: object
      description: API representation of a NATS account/token (routers/api/v1/settings/pkg.NatsAccount).
      properties:
        id:
          type: integer
          format: int64
        uid:
          type: integer
          format: int64
        accountType:
          type: string
        natsPubKey:
          type: string
        clusterID:
          type: string
        productName:
          type: string
        revoked:
          type: boolean
    CreateUserOption:
      type: object
      required:
      - username
      - email
      - password
      properties:
        source_id:
          type: integer
          format: int64
        login_name:
          type: string
        username:
          type: string
        full_name:
          type: string
        email:
          type: string
          format: email
        password:
          type: string
        must_change_password:
          type: boolean
        send_notify:
          type: boolean
    EditUserOption:
      type: object
      required:
      - email
      properties:
        source_id:
          type: integer
          format: int64
        login_name:
          type: string
        full_name:
          type: string
        email:
          type: string
          format: email
        password:
          type: string
        must_change_password:
          type: boolean
        website:
          type: string
        location:
          type: string
        active:
          type: boolean
        admin:
          type: boolean
        allow_git_hook:
          type: boolean
        allow_import_local:
          type: boolean
        prohibit_login:
          type: boolean
        allow_create_organization:
          type: boolean
    AdminCreateUserPayload:
      type: object
      required:
      - loginType
      - userName
      - email
      properties:
        loginType:
          type: string
        loginName:
          type: string
        userName:
          type: string
        fullName:
          type: string
        email:
          type: string
          format: email
        password:
          type: string
        sendNotify:
          type: boolean
        mustChangePassword:
          type: boolean
    AdminEditUserPayload:
      type: object
      required:
      - loginType
      - email
      properties:
        loginType:
          type: string
        loginName:
          type: string
        fullName:
          type: string
        email:
          type: string
          format: email
        password:
          type: string
        website:
          type: string
        location:
          type: string
        active:
          type: boolean
        admin:
          type: boolean
        allowGitHook:
          type: boolean
        allowImportLocal:
          type: boolean
        allowCreateOrganization:
          type: boolean
        prohibitLogin:
          type: boolean
        disableTwoFactor:
          type: boolean
    AuthenticationPayload:
      type: object
      required:
      - name
      properties:
        id:
          type: integer
          format: int64
        type:
          type: integer
        name:
          type: string
        host:
          type: string
        port:
          type: integer
        bindDN:
          type: string
        bindPassword:
          type: string
        userBase:
          type: string
        userDN:
          type: string
        attributeUsername:
          type: string
        attributeName:
          type: string
        attributeSurname:
          type: string
        attributeMail:
          type: string
        attributeSSHPublicKey:
          type: string
        attributesInBind:
          type: boolean
        usePagedSearch:
          type: boolean
        searchPageSize:
          type: integer
        filter:
          type: string
        adminFilter:
          type: string
        isActive:
          type: boolean
        isSyncEnabled:
          type: boolean
        smtpAuth:
          type: string
        smtpHost:
          type: string
        smtpPort:
          type: integer
        allowedDomains:
          type: string
        securityProtocol:
          type: integer
        tls:
          type: boolean
        skipVerify:
          type: boolean
        pamServiceName:
          type: string
        oauth2Provider:
          type: string
        oauth2Key:
          type: string
        oauth2Secret:
          type: string
        openIDConnectAutoDiscoveryURL:
          type: string
        oauth2UseCustomURL:
          type: boolean
        oauth2TokenURL:
          type: string
        oauth2AuthURL:
          type: string
        oauth2ProfileURL:
          type: string
        oauth2EmailURL:
          type: string
    ExternalOAuth2AppPayload:
      type: object
      properties:
        provider:
          type: string
        clientID:
          type: string
        clientSecret:
          type: string
        callbackURL:
          type: string
    BrandingResponse:
      type: object
      properties:
        logo:
          type: string
          description: Base64-encoded image (base64Image.Base64ImageFormat).
        favicons:
          $ref: '#/components/schemas/K8sObject'
        primaryColor:
          type: string
        runMode:
          type: string
        deploymentType:
          type: string
        isOfflineInstaller:
          type: boolean
        showAppTag:
          type: boolean
        appName:
          type: string
    BrandingOptions:
      type: object
      properties:
        logo:
          type: string
          description: Base64-encoded image (base64Image.Base64ImageFormat).
        favicon:
          type: string
          description: Base64-encoded image (base64Image.Base64ImageFormat).
        primaryColor:
          type: string
        showAppTag:
          type: boolean
        appName:
          type: string
    DomainOpts:
      type: object
      properties:
        name:
          type: string
    RegistrationOpts:
      type: object
      properties:
        disableRegistration:
          type: boolean
    AuthObjectIdentifier:
      type: object
      properties:
        objectType:
          type: string
        objectID:
          type: integer
          format: int64
    AuthObjectAllowedPermissions:
      type: object
      properties:
        objectType:
          type: string
        objectID:
          type: integer
          format: int64
        allowedPermissions:
          type: array
          items:
            type: string
    PermissionInput:
      type: object
      properties:
        namespace:
          type: string
          description: PermissionNamespace value.
        action:
          type: string
    RoleResponse:
      type: object
      properties:
        id:
          type: integer
          format: int64
        name:
          type: string
        owner_id:
          type: integer
          format: int64
        description:
          type: string
        permissions:
          type: array
          items:
            $ref: '#/components/schemas/PermissionInput'
        team_ids:
          type: array
          items:
            type: integer
            format: int64
        created_at:
          type: string
          format: date-time
        updated_at:
          type: string
          format: date-time
    CreateRoleRequest:
      type: object
      required:
      - name
      - permissions
      properties:
        name:
          type: string
        description:
          type: string
        permissions:
          type: array
          items:
            $ref: '#/components/schemas/PermissionInput'
        teamIDs:
          type: array
          items:
            type: integer
            format: int64
    UpdateRoleRequest:
      type: object
      properties:
        name:
          type: string
        description:
          type: string
        permissions:
          type: array
          items:
            $ref: '#/components/schemas/PermissionInput'
        teamIDs:
          type: array
          items:
            type: integer
            format: int64
    ClusterInfoModel:
      type: object
      description: Persisted cluster info model returned by UpdateCluster (models.ClusterInfo). Fields
        are dynamic/DB-backed; represented as an open object.
      additionalProperties: true
    ImportClusterOption:
      type: object
      description: Request body for importing/updating a cluster (structs.ImportClusterOption).
      properties:
        displayName:
          type: string
        name:
          type: string
        provider:
          type: string
        kubeConfig:
          type: string
      required:
      - provider
      - kubeConfig
    ExecuteCommandPayload:
      type: object
      description: Request body for executing a kubectl plugin command.
      properties:
        command:
          type: string
      required:
      - command
    CommandResponse:
      type: object
      description: Output of an executed command.
      properties:
        stdout:
          type: string
        stderr:
          type: string
    BadgerEntryList:
      type: object
      description: List of resource-history entries (models.BadgerEntryList).
      properties:
        items:
          type: array
          items:
            $ref: '#/components/schemas/BadgerEntry'
    BadgerEntry:
      type: object
      description: A single resource-history entry (models.BadgerEntry).
      properties:
        key:
          type: string
        values:
          type: array
          items:
            $ref: '#/components/schemas/BadgerValue'
        lastSeen:
          type: integer
          format: int64
      required:
      - key
      - values
    BadgerValue:
      type: object
      description: A single value within a resource-history entry (models.BadgerValue).
      properties:
        resource:
          $ref: '#/components/schemas/K8sObject'
        resourceID:
          $ref: '#/components/schemas/K8sObject'
        licenseID:
          type: string
        version:
          type: integer
          format: int64
        timestamp:
          type: integer
          format: int64
      required:
      - resourceID
      - licenseID
      - version
      - timestamp
    TaskResponse:
      type: object
      description: Async task submission response (natjobs/manager.TaskResponse).
      properties:
        id:
          type: string
        subject:
          type: string
    ConsoleConfig:
      type: object
      description: Console/tiller config in API format (console_config.ConsoleConfig).
      properties:
        id:
          type: integer
          format: int64
        userID:
          type: integer
          format: int64
        clusterID:
          type: string
        type:
          type: string
          description: models.SettingType
        data:
          type: object
          additionalProperties: true
        createdUnix:
          type: integer
          format: int64
        updatedUnix:
          type: integer
          format: int64
      required:
      - id
      - userID
      - clusterID
      - type
      - data
      - createdUnix
      - updatedUnix
    TillerOptions:
      type: object
      description: Helm driver (tiller) options (console_config.TillerOptions).
      properties:
        driver:
          $ref: '#/components/schemas/HelmDriver'
    HelmDriver:
      type: object
      properties:
        helm3:
          $ref: '#/components/schemas/Helm3Driver'
    Helm3Driver:
      type: object
      properties:
        driverName:
          type: string
    UninstallReleaseRequest:
      type: object
      description: Request body to uninstall a helm release (helm3.UninstallReleaseRequest).
      properties:
        namespace:
          type: string
        disable_hooks:
          type: boolean
        purge:
          type: boolean
        timeout:
          type: integer
          format: int64
    RollbackReleaseRequest:
      type: object
      description: Request body to rollback a helm release (helm3.RollbackReleaseRequest).
      properties:
        namespace:
          type: string
        dry_run:
          type: boolean
        disable_hooks:
          type: boolean
        version:
          type: integer
          format: int32
        recreate:
          type: boolean
        timeout:
          type: integer
          format: int64
        wait:
          type: boolean
        force:
          type: boolean
        description:
          type: string
        cleanup_on_fail:
          type: boolean
    K8sResource:
      type: object
      description: Identifies a single Kubernetes object by its object reference (namespace/name) and
        GroupVersionResource.
      properties:
        namespace:
          type: string
          description: Namespace of the object (empty for cluster-scoped resources).
        name:
          type: string
          description: Name of the object.
        group:
          type: string
          description: Kubernetes API group.
        version:
          type: string
          description: Kubernetes API version.
        resource:
          type: string
          description: Kubernetes resource (plural).
    BatchDeleteRequest:
      type: object
      description: Request body for the batch-delete endpoint.
      properties:
        resources:
          type: array
          description: The resources to delete.
          items:
            $ref: '#/components/schemas/K8sResource'
      required:
      - resources
    K8sResourceDeleteStatus:
      type: object
      description: Deletion outcome for a single resource in a batch-delete request.
      properties:
        namespace:
          type: string
        name:
          type: string
        group:
          type: string
        version:
          type: string
        resource:
          type: string
        status:
          allOf:
          - $ref: '#/components/schemas/K8sStatus'
          description: The metav1.Status describing the deletion result.
    BatchDeleteResponse:
      type: object
      description: Response body for the batch-delete endpoint.
      properties:
        resourcesStatus:
          type: array
          description: Per-resource deletion statuses (populated for failures).
          items:
            $ref: '#/components/schemas/K8sResourceDeleteStatus'
    BasicInfo:
      type: object
      properties:
        name:
          type: string
        displayName:
          type: string
        ownerID:
          type: integer
          format: int64
        managerID:
          type: integer
          format: int64
        userID:
          type: integer
          format: int64
        clusterUID:
          type: string
        hubClusterID:
          type: string
        infraNamespace:
          type: string
    ProviderOptions:
      type: object
      properties:
        name:
          type: string
        credential:
          type: string
        eksAuthMode:
          type: string
          enum:
          - IRSA
          - PodIdentity
        clusterID:
          type: string
        project:
          type: string
        region:
          type: string
        resourceGroup:
          type: string
        kubeConfig:
          type: string
    FeatureSet:
      type: object
      properties:
        name:
          type: string
        features:
          type: array
          items:
            type: string
    ComponentOptions:
      type: object
      properties:
        fluxCD:
          type: boolean
        featureSets:
          type: array
          items:
            $ref: '#/components/schemas/FeatureSet'
        allFeatures:
          type: boolean
        clusterProfile:
          type: string
        monitoringClusterName:
          type: string
        spokeComponent:
          type: boolean
    CheckOptions:
      type: object
      properties:
        basicInfo:
          $ref: '#/components/schemas/BasicInfo'
        provider:
          $ref: '#/components/schemas/ProviderOptions'
    ImportOptions:
      type: object
      properties:
        basicInfo:
          $ref: '#/components/schemas/BasicInfo'
        provider:
          $ref: '#/components/schemas/ProviderOptions'
        components:
          $ref: '#/components/schemas/ComponentOptions'
    ConnectOptions:
      type: object
      properties:
        name:
          type: string
        credential:
          type: string
        kubeConfig:
          type: string
    ReconfigureOptions:
      type: object
      properties:
        basicInfo:
          $ref: '#/components/schemas/BasicInfo'
        components:
          $ref: '#/components/schemas/ComponentOptions'
    RemovalOptions:
      type: object
      properties:
        name:
          type: string
        components:
          $ref: '#/components/schemas/ComponentOptions'
    ClusterOptions:
      type: object
      description: Options for creating or importing a virtual cluster.
      properties:
        clusterName:
          type: string
        hostClusterName:
          type: string
        hostClusterUID:
          type: string
        hostClusterOwnerID:
          type: integer
          format: int64
        hubClusterName:
          type: string
        hubClusterUID:
          type: string
        hubClusterOwnerID:
          type: integer
          format: int64
    ClusterMetadata:
      type: object
      properties:
        uid:
          type: string
        name:
          type: string
        displayName:
          type: string
        provider:
          type: string
        ownerID:
          type: string
        ownerType:
          type: string
        apiEndpoint:
          type: string
        caBundle:
          type: string
        managerID:
          type: string
        hubClusterID:
          type: string
        cloudServiceAuthMode:
          type: string
        mode:
          type: string
          enum:
          - prod
          - qa
          - staging
          - dev
    HubCluster:
      type: object
      properties:
        name:
          type: string
        ownerName:
          type: string
        displayName:
          type: string
        hubClusterUID:
          type: string
        spokeClusters:
          type: integer
        addOns:
          type: integer
        clusterNode:
          type: integer
        provider:
          type: string
        hubType:
          type: string
        locations:
          type: string
        age:
          type: string
        createdAt:
          type: string
          format: date-time
    SkipCredentialsResponse:
      type: object
      properties:
        skipCredentials:
          type: boolean
        reason:
          type: string
        message:
          type: string
    GatewayConfigInfo:
      type: object
      properties:
        presetName:
          type: string
        presetNamespace:
          type: string
        configName:
          type: string
        configNamespace:
          type: string
        version:
          type: string
        host:
          type: string
        hostType:
          type: string
        isDefault:
          type: boolean
        updateAvailable:
          type: boolean
    ValidationResponse:
      type: object
      description: Result of validating cluster import options.
      properties:
        alreadyImported:
          type: boolean
        displayName:
          $ref: '#/components/schemas/FieldValidation'
        clusterId:
          $ref: '#/components/schemas/FieldValidation'
        fluxCD:
          $ref: '#/components/schemas/K8sObject'
        message:
          type: string
        availableFeatureSets:
          $ref: '#/components/schemas/K8sObject'
        clusterAPI:
          $ref: '#/components/schemas/K8sObject'
        clusterMetadata:
          $ref: '#/components/schemas/ClusterMetadata'
        monitoringClusterList:
          type: array
          items:
            type: string
    FieldValidation:
      type: object
      properties:
        valid:
          type: boolean
        reason:
          type: string
    InboxTokenRequestResponse:
      type: object
      properties:
        agentJwtToken:
          type: string
        caBundle:
          type: string
    AcceptOptions:
      type: object
      description: Options for accepting spoke cluster join requests.
      properties:
        clusters:
          type: array
          items:
            type: string
        skipApproveCheck:
          type: boolean
        requesters:
          type: array
          items:
            type: string
    ClusterSetOptions:
      type: object
      description: Options identifying clusters and a cluster set.
      properties:
        clusters:
          type: array
          items:
            type: string
        clusterSet:
          type: string
    BindNamespaceOptions:
      type: object
      description: Options binding a namespace to a cluster set.
      properties:
        clusterSet:
          type: string
        namespace:
          type: string
    EnableFeatureOptions:
      type: object
      description: Options for enabling/disabling a feature set on a cluster set.
      properties:
        clusterSet:
          type: string
        features:
          type: array
          items:
            type: string
        featureSet:
          type: string
    RemoveClusterOptions:
      type: object
      description: Options identifying a managed cluster to remove.
      properties:
        clusterName:
          type: string
    UserOptions:
      type: object
      description: Options for creating or updating an OCM user's permissions.
      properties:
        id:
          type: integer
          format: int64
        userName:
          type: string
        email:
          type: string
        permissions:
          type: array
          items:
            $ref: '#/components/schemas/Permission'
        importCluster:
          type: boolean
        clientOrg:
          type: boolean
    Permission:
      type: object
      description: A single cluster or cluster-set permission grant.
      properties:
        name:
          type: string
          description: Cluster or cluster set name.
        isClusterSet:
          type: boolean
        roleType:
          type: string
          description: 'Role scope: "ClusterRole" or "Role".'
        roleRefName:
          type: string
        roleRefNamespace:
          type: array
          items:
            type: string
        managedClusterRoleBindingName:
          type: string
        managedClusterSetRoleBindingName:
          type: string
    RemovePermissionOpts:
      type: object
      description: Options identifying permissions to remove from an OCM user.
      properties:
        namespaceScopedResources:
          type: array
          items:
            $ref: '#/components/schemas/NamespacedName'
        clusterScopedResources:
          type: array
          items:
            type: string
    NamespacedName:
      type: object
      description: A Kubernetes namespaced-name pair. Marshals with capitalized keys (Namespace, Name)
        because the source struct has no json tags.
      properties:
        Namespace:
          type: string
        Name:
          type: string
    UserPermissions:
      type: object
      description: An OCM user's cluster and cluster-set permissions. The map keys are cluster / cluster-set
        names. Marshals with capitalized Go field names.
      properties:
        ClusterPermissions:
          type: object
          additionalProperties:
            type: array
            items:
              $ref: '#/components/schemas/Permission'
        ClusterSetPermissions:
          type: object
          additionalProperties:
            type: array
            items:
              $ref: '#/components/schemas/Permission'
    ManagedClusterInfo:
      type: object
      description: Summary of an OCM managed (spoke) cluster.
      properties:
        name:
          type: string
        clusterURL:
          type: string
        clusterUID:
          type: string
        clusterSet:
          type: string
    ListClusterSetResp:
      type: object
      description: Summary of a cluster set with its cluster count.
      properties:
        clusterSetName:
          type: string
        clusterSetTitle:
          type: string
        clusters:
          type: integer
    ClustersResp:
      type: object
      description: Summary of a cluster within a cluster set.
      properties:
        name:
          type: string
        displayName:
          type: string
        clusterNode:
          type: integer
          format: int32
        provider:
          type: string
        kubernetesVersion:
          type: string
        imported:
          type: boolean
    FeatureSetInfo:
      type: object
      description: Availability and installation info for a feature set.
      properties:
        name:
          type: string
        title:
          type: string
        description:
          type: string
        recommended:
          type: boolean
        features:
          type: array
          items:
            $ref: '#/components/schemas/FeatureInfo'
        requiredFeatures:
          type: array
          items:
            type: string
        installed:
          type: boolean
    FeatureInfo:
      type: object
      description: Availability and installation info for a single feature.
      properties:
        name:
          type: string
        title:
          type: string
        description:
          type: string
        recommended:
          type: boolean
        installed:
          type: boolean
        featureBlock:
          type: string
    versionObj:
      type: object
      description: A named component and its version.
      properties:
        name:
          type: string
        version:
          type: string
    PermissionScopes:
      type: object
      description: Namespace scope selector for querying a user's permissions (ocm.PermissionScopes).
      properties:
        namespaceList:
          type: array
          items:
            type: string
        allNamespaces:
          type: boolean
    ClientOrgUserPermission:
      type: object
      description: The roles and cluster-roles bound to a client-org user (ocm.ClientOrgUserPermission).
      properties:
        ClusterRoles:
          type: array
          items:
            $ref: '#/components/schemas/ClientOrgUserPermissionDetails'
        Roles:
          type: array
          items:
            $ref: '#/components/schemas/ClientOrgUserPermissionDetails'
    ClientOrgUserPermissionDetails:
      type: object
      description: Details of a single RBAC binding (ocm.ClientOrgUserPermissionDetails).
      properties:
        ResourceName:
          type: string
        ResourceNamespace:
          type: string
        RoleName:
          type: string
        RoleNamespace:
          type: string
    ClientOrgStatus:
      type: object
      description: Status envelope returned for client-org and client-org-cluster status endpoints. One
        of Active, Deleting, Partially Deleted, Deleted or NotFound.
      properties:
        status:
          type: string
    ClientOrgParams:
      type: object
      description: Parameters for creating a client organization (settings.ClientOrgParams).
      properties:
        clientOrg:
          $ref: '#/components/schemas/CreateOrgParams'
        hubClusterUID:
          type: string
          description: UID of the hub cluster imported by the site admin.
        hubClusterOwnerName:
          type: string
        userPermission:
          $ref: '#/components/schemas/UserOptions'
        annotations:
          type: object
          additionalProperties:
            type: string
        kubeDBConfig:
          $ref: '#/components/schemas/KubeDBConfig'
        useGateway:
          type: boolean
        usableAsShared:
          type: boolean
        gatewayConfig:
          $ref: '#/components/schemas/GatewayConfigOptions'
        gatewayConfigRef:
          $ref: '#/components/schemas/K8sObject'
        telemetryParams:
          $ref: '#/components/schemas/TelemetryParams'
    KubeDBConfig:
      type: object
      description: KubeDB scheduling configuration (settings.KubeDBConfig).
      properties:
        nodeSelector:
          type: object
          additionalProperties:
            type: string
        tolerations:
          type: array
          description: Kubernetes core/v1 Tolerations.
          items:
            $ref: '#/components/schemas/K8sObject'
    GatewayConfigOptions:
      type: object
      description: Gateway configuration options (settings.GatewayConfigOptions).
      properties:
        cluster:
          $ref: '#/components/schemas/K8sObject'
        envoy:
          $ref: '#/components/schemas/Envoy'
        infra:
          $ref: '#/components/schemas/K8sObject'
    Envoy:
      type: object
      description: Envoy gateway provisioning options (settings.Envoy).
      properties:
        provisionerType:
          type: string
        service:
          $ref: '#/components/schemas/K8sObject'
    TelemetryParams:
      type: object
      description: Telemetry/retention configuration (settings.TelemetryParams).
      properties:
        monitoringClusterName:
          type: string
        logsRetentionPeriods:
          type: string
        tracesRetentionPeriods:
          type: string
        metricsRetentionPeriods:
          $ref: '#/components/schemas/MetricsRetentionConfig'
    MetricsRetentionConfig:
      type: object
      description: Metrics retention periods (settings.MetricsRetentionConfig).
      properties:
        fiveMinuteRetentionPeriod:
          type: string
        oneHourRetentionPeriod:
          type: string
        rawsRetentionPeriod:
          type: string
    AddClusterParams:
      type: object
      description: Parameters for adding a cluster to a client organization (settings.AddClusterParams).
        Embeds HubSpokeInfo inline.
      properties:
        hubClusterOwnerName:
          type: string
        hubClusterName:
          type: string
        hubClusterUID:
          type: string
        spokeClusterName:
          type: string
        annotations:
          type: object
          additionalProperties:
            type: string
        kubeDBConfig:
          $ref: '#/components/schemas/KubeDBConfig'
        useGateway:
          type: boolean
        gatewayConfig:
          $ref: '#/components/schemas/GatewayConfigOptions'
        gatewayPresetRef:
          $ref: '#/components/schemas/K8sObject'
        telemetryParams:
          $ref: '#/components/schemas/TelemetryParams'
    RemoveClusterParams:
      type: object
      description: Parameters for removing a cluster from a client organization (settings.RemoveClusterParams).
        Embeds HubSpokeInfo inline.
      properties:
        hubClusterOwnerName:
          type: string
        hubClusterName:
          type: string
        hubClusterUID:
          type: string
        spokeClusterName:
          type: string
    CloudProviderList:
      type: object
      description: List of supported cloud providers.
      properties:
        kind:
          type: string
        apiVersion:
          type: string
        metadata:
          $ref: '#/components/schemas/K8sObject'
        items:
          type: array
          items:
            $ref: '#/components/schemas/CloudProvider'
    CloudProvider:
      type: object
      description: A supported cloud provider (name carried in metadata).
      properties:
        kind:
          type: string
        apiVersion:
          type: string
        metadata:
          $ref: '#/components/schemas/K8sObject'
        spec:
          $ref: '#/components/schemas/CloudProviderSpec'
    CloudProviderSpec:
      type: object
      properties:
        regions:
          type: array
          items:
            $ref: '#/components/schemas/Region'
        machineTypes:
          type: array
          items:
            $ref: '#/components/schemas/K8sObject'
    Region:
      type: object
      properties:
        region:
          type: string
        zones:
          type: array
          items:
            type: string
        location:
          type: string
      required:
      - region
    Locations:
      type: object
      description: A cloud region with its availability zones.
      properties:
        region:
          type: string
        description:
          type: string
        zones:
          type: array
          items:
            type: string
      required:
      - region
    VMInfo:
      type: object
      description: A cloud provider machine type / server type.
      properties:
        name:
          type: string
        description:
          type: string
        cpu:
          type: integer
        core:
          type: integer
        memoryMb:
          type: integer
        disksSizeGb:
          type: integer
        iops:
          type: integer
        shared:
          type: boolean
        baremetal:
          type: boolean
        gpus:
          type: integer
        category:
          type: string
        family:
          type: string
        instanceHypervisor:
          type: string
        architecture:
          type: array
          items:
            type: string
        capacityType:
          type: array
          items:
            type: string
        networkBW:
          type: string
        ebsBW:
          type: string
        monthlyCost:
          type: string
      required:
      - name
      - cpu
      - memoryMb
      - iops
      - shared
      - baremetal
    ClusterProvisionConfig:
      type: object
      description: Configuration for provisioning a CAPI-based cluster.
      properties:
        capiClusterConfig:
          $ref: '#/components/schemas/CAPIClusterConfig'
        importOptions:
          $ref: '#/components/schemas/ImportOptions'
    CAPIClusterConfig:
      type: object
      description: Cluster API (CAPI) cluster configuration.
      properties:
        clusterName:
          type: string
        region:
          type: string
        networkCIDR:
          type: string
        kubernetesVersion:
          type: string
        googleProjectID:
          type: string
        controlPlane:
          $ref: '#/components/schemas/MachinePool'
        workerPools:
          type: array
          items:
            $ref: '#/components/schemas/MachinePool'
    MachinePool:
      type: object
      properties:
        machineType:
          type: string
        machineCount:
          type: integer
        cpu:
          type: integer
        memory:
          type: integer
      required:
      - machineType
      - machineCount
      - cpu
      - memory
    InstallerMetadata:
      type: object
      description: Metadata describing a generated or imported installer (selfclient.InstallerMetadata).
      properties:
        ID:
          type: string
        installerName:
          type: string
        deploymentType:
          type: string
          description: KubeDB Platform deployment type (api.DeploymentType).
        requestedDomain:
          type: string
        host:
          type: string
        hostType:
          type: string
          description: Host type (catgwapi.HostType).
        hostedDomain:
          type: string
        ownerName:
          type: string
        requesterDisplayName:
          type: string
        requesterUsername:
          type: string
        adminDisplayName:
          type: string
        adminEmail:
          type: string
        accessTokenID:
          type: integer
          format: int64
        clusterID:
          type: string
        version:
          type: string
        promotedToProduction:
          type: boolean
        createTimestamp:
          type: string
          format: date-time
        expiryTimestamp:
          type: string
          format: date-time
        lastUpgradeTimestamp:
          type: string
          format: date-time
        lastUpdateTimestamp:
          type: string
          format: date-time
    InstallerDetails:
      type: object
      description: Details for a generated installer including readme content and archive URLs (installer.Details).
      properties:
        meta:
          $ref: '#/components/schemas/InstallerMetadata'
        readme:
          type: string
          format: byte
        archiveZipURL:
          type: string
        archiveTarURL:
          type: string
    MarketplaceInstallerStatus:
      type: object
      description: Marketplace subscription status for a marketplace-type installer (installer.MarketplaceInstallerStatus).
      properties:
        status:
          type: string
          description: Either "Pending" or "Bound".
        link:
          type: string
        meta:
          $ref: '#/components/schemas/InstallerMetadata'
        isExpired:
          type: boolean
    InstallerVersion:
      type: object
      description: A single installer version/archive entry (installer.Version).
      properties:
        version:
          type: string
        creationTime:
          type: string
          format: date-time
        archiveURL:
          type: string
        archiveName:
          type: string
        createdBy:
          $ref: '#/components/schemas/User'
        lastOperation:
          type: string
        latestInstaller:
          type: boolean
    UpgradeOptions:
      type: object
      description: Multipart form options for triggering an KubeDB Platform upgrade (upgrader.UpgradeOptions).
      properties:
        version:
          type: string
          description: Target upgrade version. May be overridden by an `installerVersion` field in the
            uploaded values file.
        valuesFile:
          type: string
          format: binary
          description: Helm values file (values.yaml) for the upgrade.
        useLatestImage:
          type: boolean
          description: When true, use the latest upgrader image for the target version.
    LicenseOpts:
      type: object
      description: Options for issuing a license for a cluster.
      properties:
        cluster:
          type: string
          description: Cluster UUID the license is issued for.
        features:
          type: array
          items:
            type: string
    AddContractParams:
      type: object
      description: Parameters for creating a contract. Submitted as multipart/form-data so an optional
        contract document file can be attached. One contract is created per entry in `products`.
      properties:
        id:
          type: integer
          format: int64
        uid:
          type: integer
          format: int64
        orgOrUser:
          type: string
        name:
          type: string
        products:
          type: array
          items:
            type: string
        features:
          type: array
          items:
            type: string
        clusters:
          type: array
          items:
            $ref: '#/components/schemas/ContractClusterStatus'
        emails:
          $ref: '#/components/schemas/ContractEmail'
        quota:
          $ref: '#/components/schemas/QuotaRule'
        start:
          type: integer
          format: int64
          description: Contract start time (Unix seconds).
        end:
          type: integer
          format: int64
          description: Contract end time (Unix seconds).
        document:
          type: string
          format: binary
          description: Optional contract document file (multipart upload).
        documentPath:
          type: string
        allowOffline:
          type: boolean
        disableAnalytics:
          type: boolean
        enableClientBilling:
          type: boolean
        autoAssignCluster:
          type: boolean
        revoked:
          type: boolean
        restrictions:
          type: string
          description: JSON-encoded restrictions data.
    Contract:
      type: object
      description: A licensing contract. Used both as request body (multipart/form-data on update/extend)
        and as response.
      properties:
        id:
          type: integer
          format: int64
        uid:
          type: integer
          format: int64
        orgOrUser:
          type: string
        name:
          type: string
        product:
          type: string
        features:
          type: array
          items:
            type: string
        clusters:
          type: array
          items:
            $ref: '#/components/schemas/ContractClusterStatus'
        associatedCluster:
          $ref: '#/components/schemas/ContractClusterStatus'
        emails:
          $ref: '#/components/schemas/ContractEmail'
        quota:
          $ref: '#/components/schemas/QuotaRule'
        start:
          type: integer
          format: int64
          description: Contract start time (Unix seconds).
        end:
          type: integer
          format: int64
          description: Contract end time (Unix seconds).
        document:
          type: string
          format: binary
          description: Optional contract document file (multipart upload).
        documentPath:
          type: string
        allowOffline:
          type: boolean
        autoAssignCluster:
          type: boolean
        disableAnalytics:
          type: boolean
        enableClientBilling:
          type: boolean
        revoked:
          type: boolean
        restrictions:
          type: string
          description: JSON-encoded restrictions data.
        Reminder45DaysSentUnix:
          type: integer
          format: int64
          nullable: true
        Reminder10DaysSentUnix:
          type: integer
          format: int64
          nullable: true
    ContractEmail:
      type: object
      description: Contract email recipient groups. For subfields, set values against the subfield name
        (e.g. contactPerson). The usageAlertAdmin field is stripped from user-facing (non-admin) responses.
      properties:
        contactPerson:
          type: array
          items:
            type: string
        signingAuthority:
          type: array
          items:
            type: string
        licenseUsers:
          type: array
          items:
            type: string
        financeTeam:
          type: array
          items:
            type: string
        usageAlertClient:
          type: array
          description: Email recipients. Accepts either a JSON array of strings or a single string (which
            is normalized to a one-element array).
          items:
            type: string
        usageAlertAdmin:
          type: array
          description: Email recipients. Accepts either a JSON array of strings or a single string (which
            is normalized to a one-element array).
          items:
            type: string
    QuotaRule:
      type: object
      description: Quota enforcement configuration for one metric.
      properties:
        enabled:
          type: boolean
        metric:
          type: string
          description: Billable usage metric (e.g. memory_gib_month, cpu_core_month).
        limit:
          type: number
          format: double
        alertThresholds:
          type: array
          items:
            type: integer
        disableLicenseOnLimitReached:
          type: boolean
    UpdateUserContractPreferences:
      type: object
      description: Caller-editable contract preferences.
      properties:
        autoAssignCluster:
          type: boolean
          nullable: true
        usageAlertClient:
          type: array
          nullable: true
          description: Email recipients. Accepts either a JSON array of strings or a single string.
          items:
            type: string
    License:
      type: object
      description: An issued license and its contract window.
      properties:
        contract:
          $ref: '#/components/schemas/LicenseContract'
        license:
          type: string
          format: byte
          description: The license certificate bytes (base64-encoded in JSON).
    LicenseContract:
      type: object
      description: License contract window (from license-verifier v1alpha1.Contract).
      properties:
        id:
          type: string
        startTimestamp:
          type: string
          format: date-time
        expiryTimestamp:
          type: string
          format: date-time
    ContractAudit:
      type: object
      description: A single contract audit-trail event.
      properties:
        id:
          type: integer
          format: int64
        contractID:
          type: integer
          format: int64
        addedBy:
          type: string
        event:
          type: string
        createdUnix:
          type: integer
          format: int64
    InstallerOptions:
      type: object
      description: Options for generating a license-proxy installer. When clusterID or contractIDs are
        set, an offline installer is generated.
      properties:
        clusterID:
          type: string
        contractIDs:
          type: array
          items:
            type: integer
            format: int64
    BindContractCluster:
      type: object
      description: Options for binding a cluster to an existing contract.
      properties:
        displayName:
          type: string
        cluster:
          type: string
          description: Cluster UUID (validated as a UUID).
        tags:
          type: array
          items:
            type: string
    ClusterContractList:
      type: object
      description: A cluster and the set of contract IDs to assign it to.
      properties:
        clusterId:
          type: string
        displayName:
          type: string
        contractIds:
          type: array
          items:
            type: integer
            format: int64
    BatchClusterStatusRequest:
      type: object
      description: A batch of cluster UUIDs to check status for.
      properties:
        clusters:
          type: array
          items:
            type: string
    ContractClusterStatus:
      type: object
      description: A cluster associated with a contract along with its status in the console system.
      properties:
        id:
          type: integer
          format: int64
        contractId:
          type: integer
          format: int64
        cluster:
          type: string
        displayName:
          type: string
        clusterStatus:
          $ref: '#/components/schemas/ClusterStatus'
        duplicateContractFeatures:
          type: array
          items:
            $ref: '#/components/schemas/ContractFeatures'
        error:
          type: string
    PatchUserContractClusterName:
      type: object
      description: New display name for a contract cluster.
      properties:
        clusterName:
          type: string
    PatchUserContractClusterTags:
      type: object
      description: Full replacement tag set for a contract cluster.
      properties:
        tags:
          type: array
          items:
            type: string
    ContractFeatures:
      type: object
      properties:
        contractId:
          type: integer
          format: int64
        product:
          type: string
        features:
          type: array
          items:
            type: string
    ClusterWithAssociatedContracts:
      type: object
      properties:
        associatedContractIDs:
          type: array
          items:
            type: integer
            format: int64
        cluster:
          type: string
        displayName:
          type: string
        tags:
          type: array
          items:
            type: string
    ClusterStatus:
      type: object
      description: Whether a bound contract cluster is already imported in the console.
      properties:
        isImported:
          type: boolean
        name:
          type: string
        tags:
          type: array
          items:
            type: string
        associatedContractId:
          type: integer
          format: int64
    PlanInfo:
      type: object
      description: Metadata about a supported contract product/plan.
      properties:
        DisplayName:
          type: string
        ProductLine:
          type: string
        TierName:
          type: string
        TwitterHandle:
          type: string
        QuickstartLink:
          type: string
        Features:
          type: array
          items:
            type: string
        MailingLists:
          type: array
          items:
            type: string
    VerifierOptions:
      type: object
      description: License registration payload (license-verifier Options). The license field carries
        the cryptographically-signed license used to authenticate the /register request.
      properties:
        clusterUID:
          type: string
        features:
          type: string
        caCert:
          type: string
          format: byte
        license:
          type: string
          format: byte
    LicensedUserAPIForm:
      type: object
      description: Summary of a licensed user for the billing dashboard.
      properties:
        username:
          type: string
        userType:
          type: string
        email:
          type: string
        userID:
          type: integer
          format: int64
        lastReceivedAt:
          type: integer
          format: int64
    ActiveClustersAPIForm:
      type: object
      description: An active cluster reported for a user, with contract count.
      properties:
        username:
          type: string
        clusterID:
          type: string
        firstReceivedAt:
          type: integer
          format: int64
        lastReceivedAt:
          type: integer
          format: int64
        noOfAssociatedContracts:
          type: integer
          format: int64
    ActiveLicenseAPIForm:
      type: object
      description: An active license reported for a user's cluster.
      properties:
        username:
          type: string
        email:
          type: string
        userId:
          type: integer
          format: int64
        licenseID:
          type: string
        firstReceivedAt:
          type: integer
          format: int64
        lastReceivedAt:
          type: integer
          format: int64
    SystemOutageRequest:
      type: object
      description: Request body to create a system outage entry.
      properties:
        accountName:
          type: string
        clusterID:
          type: string
        start:
          type: string
          format: date-time
        end:
          type: string
          format: date-time
        tags:
          type: array
          items:
            type: string
        comments:
          type: string
    SystemOutageApiForm:
      type: object
      description: A recorded system outage entry.
      properties:
        id:
          type: integer
          format: int64
        accountID:
          type: integer
          format: int64
        accountName:
          type: string
        clusterID:
          type: string
        start:
          type: string
          format: date-time
        end:
          type: string
          format: date-time
        tags:
          type: array
          items:
            type: string
        comments:
          type: string
        createdAt:
          type: string
          format: date-time
    SystemOutagesAndReportAPIForm:
      type: object
      description: System outage entries together with an aggregated report.
      properties:
        report:
          $ref: '#/components/schemas/SystemOutageReport'
        entries:
          type: array
          items:
            $ref: '#/components/schemas/SystemOutageApiForm'
    SystemOutageReport:
      type: object
      description: Aggregated report over a set of system outage entries.
      properties:
        totalOutages:
          type: integer
          format: int64
        totalDurationHours:
          type: number
          format: double
        topTagsPercentage:
          type: array
          items:
            $ref: '#/components/schemas/TagPercentage'
        topAccountsDuration:
          type: array
          items:
            $ref: '#/components/schemas/EntityDurationPercentage'
        topClustersDuration:
          type: array
          items:
            $ref: '#/components/schemas/EntityDurationPercentage'
    TagPercentage:
      type: object
      properties:
        tag:
          type: string
        percentage:
          type: number
          format: double
    EntityDurationPercentage:
      type: object
      properties:
        entity:
          type: string
        entityName:
          type: string
        durationHours:
          type: number
          format: double
        percentage:
          type: number
          format: double
    LicensedPlan:
      type: object
      description: A licensed plan associated with one or more clusters.
      properties:
        uid:
          type: integer
          format: int64
          nullable: true
        email:
          type: string
        licenseID:
          type: string
        clusters:
          type: array
          items:
            type: string
        planName:
          type: string
        notBefore:
          type: integer
          format: int64
          nullable: true
        notAfter:
          type: integer
          format: int64
          nullable: true
        reconciledAt:
          type: integer
          format: int64
          nullable: true
        registeredAt:
          type: integer
          format: int64
          nullable: true
        createdAt:
          type: integer
          format: int64
        updatedAt:
          type: integer
          format: int64
    LicensePlanApiForm:
      type: object
      description: API representation of a licensed plan.
      properties:
        uid:
          type: integer
          format: int64
          nullable: true
        email:
          type: string
        licenseID:
          type: string
        clusters:
          type: array
          items:
            type: string
        planName:
          type: string
        notBefore:
          type: integer
          format: int64
          nullable: true
        notAfter:
          type: integer
          format: int64
          nullable: true
        reconciledAt:
          type: integer
          format: int64
          nullable: true
        registeredAt:
          type: integer
          format: int64
          nullable: true
        createdAt:
          type: integer
          format: int64
        updatedAt:
          type: integer
          format: int64
    ReceivedLicensedProduct:
      type: object
      description: A licensed product reported by a cluster.
      properties:
        userName:
          type: string
        userType:
          type: string
        email:
          type: string
        userID:
          type: integer
          format: int64
        clusterID:
          type: string
        licenseID:
          type: string
        productName:
          type: string
        firstReceivedAt:
          type: integer
          format: int64
        lastReceivedAt:
          type: integer
          format: int64
    EventsReport:
      type: object
      description: Aggregated events history report for a resource.
      properties:
        userID:
          type: integer
          format: int64
        clusterID:
          type: string
        licenseID:
          type: string
        group:
          type: string
        resource:
          type: string
        resourceID:
          type: string
        totalEvents:
          type: integer
        eventsTimeHistories:
          type: array
          items:
            type: string
            format: date-time
        eventsDurationHours:
          type: number
          format: double
        averageEventsPerHour:
          type: number
          format: double
    ClusterResourceTabularForm:
      type: object
      description: A tabular event row for a cluster resource.
      properties:
        key:
          type: string
        version:
          type: integer
          format: int64
        timestamp:
          type: integer
          format: int64
        partialResource:
          $ref: '#/components/schemas/PartialResourceAPIForm'
    PartialResourceAPIForm:
      type: object
      properties:
        partialObjectMeta:
          $ref: '#/components/schemas/K8sObject'
    EventsCounterResponse:
      type: object
      description: Today's event count for a cluster/license/resource.
      properties:
        clusterID:
          type: string
        product:
          type: string
        licenseID:
          type: string
        group:
          type: string
        resource:
          type: string
        RID:
          type: string
        date:
          type: string
        noOfEvents:
          type: integer
          format: int64
        error:
          type: string
    Marketplace:
      type: string
      description: Marketplace identifier.
      enum:
      - Aws
      - Azure
      - Gcp
    SubscriptionState:
      type: string
      description: Lifecycle state of a marketplace subscription.
      enum:
      - Pending
      - Bounded
      - Running
      - Failed
      - Deleting
      - DeletionFailed
      - Deleted
      - Revoked
    Subscription:
      type: object
      description: A marketplace subscription.
      properties:
        marketplace:
          $ref: '#/components/schemas/Marketplace'
        subscriptionId:
          type: string
        subscriberId:
          type: integer
          format: int64
        requesterId:
          type: integer
          format: int64
        boundedInstallerId:
          type: string
        state:
          $ref: '#/components/schemas/SubscriptionState'
        azureBillingDetails:
          $ref: '#/components/schemas/AzureBillingDetails'
        awsBillingDetails:
          $ref: '#/components/schemas/AwsBillingDetails'
        gcpBillingDetails:
          $ref: '#/components/schemas/GcpBillingDetails'
        lastBillingEventSentAt:
          type: string
          format: date-time
          nullable: true
        noOfBillingEventSent:
          type: integer
        lastAlertNotificationSentAt:
          type: string
          format: date-time
          nullable: true
        noOfAlertNotificationsSent:
          type: integer
        billingNotBefore:
          type: string
          format: date-time
          nullable: true
        isRevocable:
          type: boolean
        createdAt:
          type: string
          format: date-time
        lastUpdatedAt:
          type: string
          format: date-time
    GcpBillingDetails:
      type: object
      properties:
        hostedB3BaseURL:
          type: string
        meteringProxyApiToken:
          type: string
    AwsBillingDetails:
      type: object
      properties:
        hostedB3BaseURL:
          type: string
        meteringProxyApiToken:
          type: string
    AzureBillingDetails:
      type: object
      properties:
        resourceUri:
          type: string
        resourceUsageId:
          type: string
        managedResourceGroupId:
          type: string
        planId:
          type: string
        subscriptionId:
          type: string
        customerOwnedRG:
          type: string
        appName:
          type: string
    SettingWarnings:
      type: object
      description: Marketplace configuration warnings keyed by marketplace.
      properties:
        warnings:
          type: object
          additionalProperties:
            type: array
            items:
              $ref: '#/components/schemas/Warning'
    Warning:
      type: object
      properties:
        Level:
          type: string
        Msg:
          type: string
    AuditReportsResp:
      type: object
      description: Marketplace audit event reports grouped by audit period.
      properties:
        auditReports:
          type: object
          additionalProperties:
            type: array
            items:
              $ref: '#/components/schemas/MarketplaceAuditEvent'
    MarketplaceAuditEvent:
      type: object
      description: A single marketplace audit event.
      properties:
        marketplace:
          $ref: '#/components/schemas/Marketplace'
        subscriptionID:
          type: string
        status:
          type: string
        operationType:
          type: string
        description:
          type: string
        data:
          type: object
          additionalProperties: true
        timestamp:
          type: string
          format: date-time
    GeneratedDates:
      type: object
      description: Year/month combinations for which a usage summary has been generated. The map is keyed
        by year (string) with month-name lists as values.
      properties:
        yearMonthList:
          type: object
          additionalProperties:
            type: array
            items:
              type: string
    UsageView:
      type: object
      description: A billing usage-report view. These views (KubeDB/KubeStash/KubeVault/ Voyager objects/clusters/namespaces/GKs/contracts/quota-history
        and the DBaaS namespace reports) are complex, deeply-nested aggregation structures whose shape
        varies by `view_type` and product; they are modeled here as a free-form JSON object.
      additionalProperties: true
    ApiError:
      type: object
      description: Generic marketplace error response produced by `NewApiErr`; a single `message` field
        carrying the joined error messages.
      properties:
        message:
          type: string
    InitialInput:
      type: object
      description: Initial admin/domain inputs used for AWS and GCP marketplace deployments.
      properties:
        adminUsername:
          type: string
        adminPassword:
          type: string
        domainWhiteList:
          type: array
          items:
            type: string
    BindingInfo:
      type: object
      description: Marketplace binding information carried in webhook notification payloads. Embeds InitialInput
        fields (adminUsername, adminPassword, domainWhiteList).
      properties:
        marketplace:
          type: string
          enum:
          - Aws
          - Azure
          - Gcp
        installerId:
          type: string
        clusterId:
          type: string
        AWSAccountID:
          type: string
        adminUsername:
          type: string
        adminPassword:
          type: string
        domainWhiteList:
          type: array
          items:
            type: string
        options:
          type: object
          additionalProperties: true
    AwsWebhookNotification:
      type: object
      description: AWS Marketplace webhook notification payload.
      properties:
        eventType:
          type: string
        eventTime:
          type: string
          format: date-time
        bindingInfo:
          $ref: '#/components/schemas/BindingInfo'
    GcpWebhookNotification:
      type: object
      description: GCP Marketplace webhook notification payload.
      properties:
        eventType:
          type: string
        eventTime:
          type: string
          format: date-time
        bindingInfo:
          $ref: '#/components/schemas/BindingInfo'
    AzureResourceIdParts:
      type: object
      description: Parsed parts of an Azure application resource ID. Populated server-side and not part
        of the incoming JSON payload.
      properties:
        ClientSubscriptionId:
          type: string
        ResourceGroup:
          type: string
        Provider:
          type: string
        Application:
          type: string
    AzureWebhookNotification:
      type: object
      description: Azure Marketplace webhook notification payload. Some fields (managedResourceGroupId,
        resourceIdParts) are populated server-side and are not part of the incoming JSON payload.
      properties:
        eventType:
          type: string
        applicationId:
          type: string
        managedResourceGroupId:
          type: string
        resourceIdParts:
          $ref: '#/components/schemas/AzureResourceIdParts'
        eventTime:
          type: string
          format: date-time
        provisioningState:
          type: string
        billingDetails:
          type: object
          properties:
            resourceUsageId:
              type: string
        plan:
          type: object
          properties:
            publisher:
              type: string
            product:
              type: string
            name:
              type: string
            version:
              type: string
        error:
          type: object
          properties:
            code:
              type: string
            message:
              type: string
            details:
              type: array
              items:
                type: object
                properties:
                  code:
                    type: string
                  message:
                    type: string
        bindingInfo:
          $ref: '#/components/schemas/BindingInfo'
    GcpUsageValue:
      type: object
      properties:
        int64Value:
          type: integer
          format: int64
        doubleValue:
          type: number
          format: double
    GcpUsageReport:
      type: object
      description: Usage report forwarded to the GCP Service Control reporting API via the metered-billing
        proxy.
      properties:
        name:
          type: string
        startTime:
          type: string
          format: date-time
        endTime:
          type: string
          format: date-time
        labels:
          type: object
          additionalProperties:
            type: string
        value:
          $ref: '#/components/schemas/GcpUsageValue'
        dimension:
          type: string
        serviceName:
          type: string
    Tag:
      type: object
      description: AWS Marketplace Metering usage-allocation tag (key-value pair).
      required:
      - Key
      - Value
      properties:
        Key:
          type: string
        Value:
          type: string
    UsageAllocation:
      type: object
      description: AWS Marketplace Metering usage allocation bucket.
      required:
      - AllocatedUsageQuantity
      properties:
        AllocatedUsageQuantity:
          type: integer
          format: int64
        Tags:
          type: array
          items:
            $ref: '#/components/schemas/Tag'
    MeterUsageInput:
      type: object
      description: AWS Marketplace Metering `MeterUsage` request forwarded via the metered-billing proxy.
      required:
      - ProductCode
      - Timestamp
      - UsageDimension
      properties:
        DryRun:
          type: boolean
        ProductCode:
          type: string
        Timestamp:
          type: string
          format: date-time
        UsageAllocations:
          type: array
          items:
            $ref: '#/components/schemas/UsageAllocation'
        UsageDimension:
          type: string
        UsageQuantity:
          type: integer
          format: int64
    MeterUsageOutput:
      type: object
      description: AWS Marketplace Metering `MeterUsage` response.
      properties:
        MeteringRecordId:
          type: string
    AwsMeteringProxyErr:
      type: object
      description: Error returned when the AWS Marketplace Metering service rejects a usage report.
      properties:
        code:
          type: string
        message:
          type: string
        origErr:
          type: object
          nullable: true
    CreateTelemetryStackRequest:
      type: object
      description: Request to create a TelemetryStack. The `spec` field is a TelemetryStackSpec (go.open-pulse.dev/tenant-operator)
        and is modeled as a free-form Kubernetes object.
      properties:
        name:
          type: string
        namespace:
          type: string
        spec:
          $ref: '#/components/schemas/K8sObject'
    RegisterRequest:
      type: object
      description: Trickster backend registration request. Embeds PrometheusContext fields inline alongside
        the Prometheus connection config.
      properties:
        prometheus:
          $ref: '#/components/schemas/PrometheusConfig'
        hubUID:
          type: string
        clusterUID:
          type: string
        projectId:
          type: string
        default:
          type: boolean
        issueToken:
          type: boolean
        clientOrgID:
          type: string
    PrometheusConfig:
      type: object
      properties:
        url:
          type: string
        service:
          $ref: '#/components/schemas/ServiceSpec'
        basicAuth:
          $ref: '#/components/schemas/BasicAuth'
        bearerToken:
          type: string
        tls:
          $ref: '#/components/schemas/TLSConfig'
    PrometheusContext:
      type: object
      properties:
        hubUID:
          type: string
        clusterUID:
          type: string
        projectId:
          type: string
        default:
          type: boolean
        issueToken:
          type: boolean
        clientOrgID:
          type: string
    ServiceSpec:
      type: object
      properties:
        scheme:
          type: string
        name:
          type: string
        namespace:
          type: string
        port:
          type: string
        path:
          type: string
        query:
          type: string
    BasicAuth:
      type: object
      properties:
        username:
          type: string
        password:
          type: string
    TLSConfig:
      type: object
      properties:
        ca:
          type: string
        cert:
          type: string
        key:
          type: string
        serverName:
          type: string
        insecureSkipTLSVerify:
          type: boolean
    DashboardSpec:
      type: object
      properties:
        datasource:
          type: string
        folderID:
          type: integer
    PersesDashboardSpec:
      type: object
      properties:
        projectName:
          type: string
        folderName:
          type: string
        datasource:
          type: string
    GrafanaConfig:
      type: object
      properties:
        url:
          type: string
        service:
          $ref: '#/components/schemas/ServiceSpec'
        basicAuth:
          $ref: '#/components/schemas/BasicAuth'
        bearerToken:
          type: string
        tls:
          $ref: '#/components/schemas/TLSConfig'
        dashboard:
          $ref: '#/components/schemas/DashboardSpec'
    PersesConfig:
      type: object
      properties:
        url:
          type: string
        service:
          $ref: '#/components/schemas/ServiceSpec'
        basicAuth:
          $ref: '#/components/schemas/BasicAuth'
        bearerToken:
          type: string
        tls:
          $ref: '#/components/schemas/TLSConfig'
        dashboard:
          $ref: '#/components/schemas/PersesDashboardSpec'
    GrafanaContext:
      type: object
      properties:
        folderID:
          type: integer
          format: int64
        datasource:
          type: string
    PersesContext:
      type: object
      properties:
        projectName:
          type: string
        folderName:
          type: string
        datasource:
          type: string
    GrafanaDatasourceResponse:
      type: object
      description: Grafana datasource registration response. Embeds GrafanaContext fields inline alongside
        the Grafana connection config.
      properties:
        grafana:
          $ref: '#/components/schemas/GrafanaConfig'
        folderID:
          type: integer
          format: int64
        datasource:
          type: string
    PersesDatasourceResponse:
      type: object
      description: Perses datasource registration response. Embeds PersesContext fields inline alongside
        the Perses connection config.
      properties:
        perses:
          $ref: '#/components/schemas/PersesConfig'
        projectName:
          type: string
        folderName:
          type: string
        datasource:
          type: string
    ChartRepositoryEntry:
      type: object
      description: A Helm Hub chart repository entry (Helm repo.Entry). Fields are those of the Helm repository
        configuration.
      properties:
        name:
          type: string
        url:
          type: string
        username:
          type: string
        password:
          type: string
        certFile:
          type: string
        keyFile:
          type: string
        caFile:
          type: string
        insecure_skip_tls_verify:
          type: boolean
        pass_credentials_all:
          type: boolean
    ChartVersion:
      type: object
      description: A Helm chart version entry (Helm repo.ChartVersion / chart.Metadata plus distribution
        fields). Modeled with the common chart metadata fields.
      properties:
        name:
          type: string
        version:
          type: string
        description:
          type: string
        apiVersion:
          type: string
        appVersion:
          type: string
        type:
          type: string
        deprecated:
          type: boolean
        icon:
          type: string
        home:
          type: string
        keywords:
          type: array
          items:
            type: string
        sources:
          type: array
          items:
            type: string
        urls:
          type: array
          items:
            type: string
        created:
          type: string
          format: date-time
        digest:
          type: string
    MarkdownOption:
      type: object
      description: Markdown rendering options.
      properties:
        Text:
          type: string
          description: Markdown to render.
        Mode:
          type: string
          description: Rendering mode (e.g. "gfm").
        Context:
          type: string
          description: URL context for resolving relative links.
        Wiki:
          type: boolean
          description: Whether the document is a wiki page.
    ServerVersion:
      type: object
      properties:
        version:
          type: string
