From b85f7e31e2647087eac1ceee0cfad191408d8a95 Mon Sep 17 00:00:00 2001
From: StringKE <stringke.me@gmail.com>
Date: Sat, 2 May 2026 16:33:16 +0400
Subject: [PATCH 1/2] feat(auth): add enterprise SSO and RBAC

---
 .../src/components/settings-sidebar/index.vue |    3 +-
 apps/web/src/i18n/locales/en.json             |   49 +
 apps/web/src/i18n/locales/zh.json             |   49 +
 apps/web/src/pages/iam/index.vue              | 1091 +++
 apps/web/src/pages/login/index.vue            |   69 +-
 apps/web/src/pages/login/sso-callback.vue     |   41 +
 apps/web/src/pages/profile/index.vue          |    1 -
 apps/web/src/router.ts                        |   16 +
 apps/web/src/store/user.ts                    |    2 -
 cmd/agent/app.go                              |   54 +-
 cmd/agent/module.go                           |    2 +
 .../migrations/0077_iam_sso_rbac.down.sql     |   64 +
 .../migrations/0077_iam_sso_rbac.up.sql       |  304 +
 db/postgres/queries/acl.sql                   |    4 +-
 db/postgres/queries/bind.sql                  |    8 +-
 db/postgres/queries/channel_identities.sql    |   24 +-
 db/postgres/queries/channels.sql              |    6 +-
 db/postgres/queries/iam.sql                   |  282 +
 db/postgres/queries/messages.sql              |   22 +-
 db/postgres/queries/user_provider_oauth.sql   |   10 +-
 db/postgres/queries/users.sql                 |   79 +-
 .../migrations/0003_iam_sso_rbac.down.sql     |   50 +
 db/sqlite/migrations/0003_iam_sso_rbac.up.sql |  342 +
 db/sqlite/queries/acl.sql                     |    4 +-
 db/sqlite/queries/bind.sql                    |    8 +-
 db/sqlite/queries/channel_identities.sql      |   24 +-
 db/sqlite/queries/channels.sql                |    6 +-
 db/sqlite/queries/iam.sql                     |  318 +
 db/sqlite/queries/messages.sql                |   22 +-
 db/sqlite/queries/user_provider_oauth.sql     |   10 +-
 db/sqlite/queries/users.sql                   |  107 +-
 docs/sdlc/2026-05-02/iam-sso-rbac/plan.md     |  548 ++
 docs/sdlc/2026-05-02/iam-sso-rbac/spec.md     |  850 ++
 go.mod                                        |   33 +-
 go.sum                                        |   60 +
 internal/accounts/service.go                  |   56 -
 internal/accounts/types.go                    |    3 -
 internal/bind/service.go                      |    2 +-
 internal/bind/service_test.go                 |    4 +-
 internal/bots/service.go                      |   91 +-
 internal/bots/service_test.go                 |   31 +-
 internal/channel/identities/service.go        |    4 +-
 internal/channel/inbound/channel.go           |   41 +-
 internal/channel/inbound/channel_test.go      |  106 +
 internal/channel/service.go                   |    2 +-
 internal/command/access.go                    |    4 +-
 internal/command/handler.go                   |   51 +-
 internal/command/handler_test.go              |   67 +-
 internal/command/registry.go                  |    6 +-
 internal/db/postgres/sqlc/acl.sql.go          |    6 +-
 internal/db/postgres/sqlc/bind.sql.go         |   26 +-
 internal/db/postgres/sqlc/bots.sql.go         |    2 +-
 .../db/postgres/sqlc/browser_contexts.sql.go  |    2 +-
 .../postgres/sqlc/channel_identities.sql.go   |   56 +-
 .../db/postgres/sqlc/channel_routes.sql.go    |    2 +-
 internal/db/postgres/sqlc/channels.sql.go     |   22 +-
 .../db/postgres/sqlc/compaction_logs.sql.go   |    2 +-
 internal/db/postgres/sqlc/containers.sql.go   |    2 +-
 .../db/postgres/sqlc/conversations.sql.go     |    2 +-
 internal/db/postgres/sqlc/db.go               |    2 +-
 .../db/postgres/sqlc/email_bindings.sql.go    |    2 +-
 .../postgres/sqlc/email_oauth_tokens.sql.go   |    2 +-
 internal/db/postgres/sqlc/email_outbox.sql.go |    2 +-
 .../db/postgres/sqlc/email_providers.sql.go   |    2 +-
 internal/db/postgres/sqlc/events.sql.go       |    2 +-
 .../db/postgres/sqlc/heartbeat_logs.sql.go    |    2 +-
 internal/db/postgres/sqlc/iam.sql.go          | 1195 +++
 internal/db/postgres/sqlc/mcp.sql.go          |    2 +-
 internal/db/postgres/sqlc/mcp_oauth.sql.go    |    2 +-
 internal/db/postgres/sqlc/media.sql.go        |    2 +-
 .../db/postgres/sqlc/memory_providers.sql.go  |    2 +-
 internal/db/postgres/sqlc/messages.sql.go     |   24 +-
 internal/db/postgres/sqlc/models.go           |  254 +-
 internal/db/postgres/sqlc/models.sql.go       |    2 +-
 internal/db/postgres/sqlc/network.sql.go      |    2 +-
 .../db/postgres/sqlc/provider_oauth.sql.go    |    2 +-
 internal/db/postgres/sqlc/schedule.sql.go     |    2 +-
 .../db/postgres/sqlc/schedule_logs.sql.go     |    2 +-
 .../db/postgres/sqlc/search_providers.sql.go  |    2 +-
 .../db/postgres/sqlc/session_events.sql.go    |    2 +-
 internal/db/postgres/sqlc/session_info.sql.go |    2 +-
 internal/db/postgres/sqlc/sessions.sql.go     |    2 +-
 internal/db/postgres/sqlc/settings.sql.go     |    2 +-
 internal/db/postgres/sqlc/snapshots.sql.go    |    2 +-
 internal/db/postgres/sqlc/token_usage.sql.go  |    2 +-
 .../db/postgres/sqlc/tool_approval.sql.go     |    2 +-
 .../postgres/sqlc/user_provider_oauth.sql.go  |   24 +-
 internal/db/postgres/sqlc/users.sql.go        |  231 +-
 internal/db/postgres/sqlc/versions.sql.go     |    2 +-
 internal/db/postgres/store/accounts.go        |   84 +-
 internal/db/sqlite/sqlc/acl.sql.go            |    6 +-
 internal/db/sqlite/sqlc/bind.sql.go           |   26 +-
 internal/db/sqlite/sqlc/bots.sql.go           |    2 +-
 .../db/sqlite/sqlc/browser_contexts.sql.go    |    2 +-
 .../db/sqlite/sqlc/channel_identities.sql.go  |   56 +-
 internal/db/sqlite/sqlc/channel_routes.sql.go |    2 +-
 internal/db/sqlite/sqlc/channels.sql.go       |   22 +-
 .../db/sqlite/sqlc/compaction_logs.sql.go     |    2 +-
 internal/db/sqlite/sqlc/containers.sql.go     |    2 +-
 internal/db/sqlite/sqlc/conversations.sql.go  |    2 +-
 internal/db/sqlite/sqlc/db.go                 |    2 +-
 internal/db/sqlite/sqlc/email_bindings.sql.go |    2 +-
 .../db/sqlite/sqlc/email_oauth_tokens.sql.go  |    2 +-
 internal/db/sqlite/sqlc/email_outbox.sql.go   |    2 +-
 .../db/sqlite/sqlc/email_providers.sql.go     |    2 +-
 internal/db/sqlite/sqlc/events.sql.go         |    2 +-
 internal/db/sqlite/sqlc/heartbeat_logs.sql.go |    2 +-
 internal/db/sqlite/sqlc/iam.sql.go            | 1262 +++
 internal/db/sqlite/sqlc/mcp.sql.go            |    2 +-
 internal/db/sqlite/sqlc/mcp_oauth.sql.go      |    2 +-
 internal/db/sqlite/sqlc/media.sql.go          |    2 +-
 .../db/sqlite/sqlc/memory_providers.sql.go    |    2 +-
 internal/db/sqlite/sqlc/messages.sql.go       |   24 +-
 internal/db/sqlite/sqlc/models.go             |  254 +-
 internal/db/sqlite/sqlc/models.sql.go         |    2 +-
 internal/db/sqlite/sqlc/network.sql.go        |    2 +-
 internal/db/sqlite/sqlc/provider_oauth.sql.go |    2 +-
 internal/db/sqlite/sqlc/schedule.sql.go       |    2 +-
 internal/db/sqlite/sqlc/schedule_logs.sql.go  |    2 +-
 .../db/sqlite/sqlc/search_providers.sql.go    |    2 +-
 internal/db/sqlite/sqlc/session_events.sql.go |    2 +-
 internal/db/sqlite/sqlc/session_info.sql.go   |    2 +-
 internal/db/sqlite/sqlc/sessions.sql.go       |    2 +-
 internal/db/sqlite/sqlc/settings.sql.go       |    2 +-
 internal/db/sqlite/sqlc/snapshots.sql.go      |    2 +-
 internal/db/sqlite/sqlc/token_usage.sql.go    |    2 +-
 internal/db/sqlite/sqlc/tool_approval.sql.go  |    2 +-
 .../db/sqlite/sqlc/user_provider_oauth.sql.go |   24 +-
 internal/db/sqlite/sqlc/users.sql.go          |  257 +-
 internal/db/sqlite/sqlc/versions.sql.go       |    2 +-
 internal/db/sqlite/store/accounts.go          |   90 +-
 internal/db/sqlite/store/iam_queries.go       |  414 +
 internal/db/sqlite/store/queries.go           |  320 +-
 internal/db/store/contracts.go                |    3 -
 internal/db/store/queries.go                  |   93 +-
 internal/handlers/auth.go                     |  485 +-
 internal/handlers/auth_session_store.go       |   81 +
 internal/handlers/auth_test.go                |  357 +
 internal/handlers/handler_helpers.go          |    8 +-
 internal/handlers/iam.go                      |  973 +++
 internal/handlers/message.go                  |   15 +-
 internal/handlers/skills_test.go              |   15 +-
 internal/handlers/users.go                    |   74 +-
 internal/iam/accounts/service.go              |  380 +
 internal/iam/accounts/service_test.go         |  286 +
 internal/iam/accounts/types.go                |  112 +
 internal/iam/auth/jwt.go                      |  236 +
 internal/iam/auth/jwt_test.go                 |  103 +
 internal/iam/auth/session_middleware.go       |   37 +
 internal/iam/auth/session_middleware_test.go  |  111 +
 internal/iam/rbac/bootstrap.go                |   69 +
 internal/iam/rbac/bootstrap_test.go           |   65 +
 internal/iam/rbac/service.go                  |  115 +
 internal/iam/rbac/service_test.go             |  148 +
 internal/iam/rbac/store.go                    |   47 +
 internal/iam/rbac/types.go                    |   52 +
 internal/iam/sso/cookie.go                    |  142 +
 internal/iam/sso/cookie_test.go               |   66 +
 internal/iam/sso/db_service.go                |  473 ++
 internal/iam/sso/login_code.go                |   22 +
 internal/iam/sso/login_code_test.go           |   22 +
 internal/iam/sso/oidc.go                      |  188 +
 internal/iam/sso/oidc_test.go                 |   83 +
 internal/iam/sso/saml.go                      |  100 +
 internal/iam/sso/saml_test.go                 |   42 +
 internal/iam/sso/service.go                   |  132 +
 internal/iam/sso/service_test.go              |  195 +
 internal/iam/sso/types.go                     |  171 +
 internal/memory/adapters/builtin/builtin.go   |   11 +-
 internal/providers/oauth.go                   |    2 +-
 internal/server/server.go                     |    3 +
 internal/tui/api.go                           |    1 -
 packages/sdk/src/@pinia/colada.gen.ts         |  447 +-
 packages/sdk/src/index.ts                     |    4 +-
 packages/sdk/src/sdk.gen.ts                   |  243 +-
 packages/sdk/src/types.gen.ts                 | 1401 +++-
 spec/docs.go                                  | 7318 ++++++++++-------
 spec/swagger.json                             | 7318 ++++++++++-------
 spec/swagger.yaml                             | 7230 +++++++++-------
 179 files changed, 29239 insertions(+), 10071 deletions(-)
 create mode 100644 apps/web/src/pages/iam/index.vue
 create mode 100644 apps/web/src/pages/login/sso-callback.vue
 create mode 100644 db/postgres/migrations/0077_iam_sso_rbac.down.sql
 create mode 100644 db/postgres/migrations/0077_iam_sso_rbac.up.sql
 create mode 100644 db/postgres/queries/iam.sql
 create mode 100644 db/sqlite/migrations/0003_iam_sso_rbac.down.sql
 create mode 100644 db/sqlite/migrations/0003_iam_sso_rbac.up.sql
 create mode 100644 db/sqlite/queries/iam.sql
 create mode 100644 docs/sdlc/2026-05-02/iam-sso-rbac/plan.md
 create mode 100644 docs/sdlc/2026-05-02/iam-sso-rbac/spec.md
 create mode 100644 internal/db/postgres/sqlc/iam.sql.go
 create mode 100644 internal/db/sqlite/sqlc/iam.sql.go
 create mode 100644 internal/db/sqlite/store/iam_queries.go
 create mode 100644 internal/handlers/auth_session_store.go
 create mode 100644 internal/handlers/auth_test.go
 create mode 100644 internal/handlers/iam.go
 create mode 100644 internal/iam/accounts/service.go
 create mode 100644 internal/iam/accounts/service_test.go
 create mode 100644 internal/iam/accounts/types.go
 create mode 100644 internal/iam/auth/jwt.go
 create mode 100644 internal/iam/auth/jwt_test.go
 create mode 100644 internal/iam/auth/session_middleware.go
 create mode 100644 internal/iam/auth/session_middleware_test.go
 create mode 100644 internal/iam/rbac/bootstrap.go
 create mode 100644 internal/iam/rbac/bootstrap_test.go
 create mode 100644 internal/iam/rbac/service.go
 create mode 100644 internal/iam/rbac/service_test.go
 create mode 100644 internal/iam/rbac/store.go
 create mode 100644 internal/iam/rbac/types.go
 create mode 100644 internal/iam/sso/cookie.go
 create mode 100644 internal/iam/sso/cookie_test.go
 create mode 100644 internal/iam/sso/db_service.go
 create mode 100644 internal/iam/sso/login_code.go
 create mode 100644 internal/iam/sso/login_code_test.go
 create mode 100644 internal/iam/sso/oidc.go
 create mode 100644 internal/iam/sso/oidc_test.go
 create mode 100644 internal/iam/sso/saml.go
 create mode 100644 internal/iam/sso/saml_test.go
 create mode 100644 internal/iam/sso/service.go
 create mode 100644 internal/iam/sso/service_test.go
 create mode 100644 internal/iam/sso/types.go

diff --git a/apps/web/src/components/settings-sidebar/index.vue b/apps/web/src/components/settings-sidebar/index.vue
index b03b97af9..aa678c401 100644
--- a/apps/web/src/components/settings-sidebar/index.vue
+++ b/apps/web/src/components/settings-sidebar/index.vue
@@ -63,7 +63,7 @@ import { computed, inject, type Component } from 'vue'
 import { storeToRefs } from 'pinia'
 import { useRouter, useRoute } from 'vue-router'
 import { useI18n } from 'vue-i18n'
-import { ChevronLeft, Bot, Boxes, Globe, Brain, Volume2, AudioLines, Mail, AppWindow, ChartLine, User, Store, Info } from 'lucide-vue-next'
+import { ChevronLeft, Bot, Boxes, Globe, Brain, Volume2, AudioLines, Mail, AppWindow, ShieldCheck, ChartLine, User, Store, Info } from 'lucide-vue-next'
 import { useChatSelectionStore } from '@/store/chat-selection'
 import {
   Sidebar,
@@ -119,6 +119,7 @@ const allNavItems: { title: string; name: string; icon: Component }[] = [
   { title: t('sidebar.transcription'), name: 'transcription', icon: AudioLines },
   { title: t('sidebar.email'), name: 'email', icon: Mail },
   { title: t('sidebar.browser'), name: 'browser', icon: AppWindow },
+  { title: t('sidebar.iam'), name: 'iam', icon: ShieldCheck },
   { title: t('sidebar.supermarket'), name: 'supermarket', icon: Store },
   { title: t('sidebar.usage'), name: 'usage', icon: ChartLine },
   { title: t('sidebar.profile'), name: 'profile', icon: User },
diff --git a/apps/web/src/i18n/locales/en.json b/apps/web/src/i18n/locales/en.json
index 18879d85e..af4f7fa76 100644
--- a/apps/web/src/i18n/locales/en.json
+++ b/apps/web/src/i18n/locales/en.json
@@ -12,6 +12,8 @@
     "loading": "Loading...",
     "operation": "Actions",
     "enable": "Enable",
+    "enabled": "Enabled",
+    "disabled": "Disabled",
     "optional": "optional",
     "advanced": "Advanced",
     "import": "Import",
@@ -75,6 +77,7 @@
     "platform": "Platform",
     "usage": "Usage",
     "browser": "Browser",
+    "iam": "IAM",
     "supermarket": "Supermarket",
     "about": "About"
   },
@@ -1607,6 +1610,52 @@
     "colInputTokens": "Input",
     "colOutputTokens": "Output"
   },
+  "iam": {
+    "title": "Identity and Access",
+    "subtitle": "Manage SSO providers, groups, role assignments, and built-in roles.",
+    "roles": "Roles",
+    "groups": "Groups",
+    "sso": "SSO",
+    "botPermissions": "Bot permissions",
+    "key": "Key",
+    "displayName": "Display name",
+    "source": "Source",
+    "actions": "Actions",
+    "members": "Members",
+    "createGroup": "Create group",
+    "editGroup": "Edit group",
+    "externalId": "External ID",
+    "metadata": "Metadata JSON",
+    "groupMembers": "Group members",
+    "selectGroup": "Select group",
+    "selectUser": "Select user",
+    "deleteGroupConfirm": "Delete this group?",
+    "name": "Name",
+    "type": "Type",
+    "enabled": "Enabled",
+    "mappings": "Mappings",
+    "createProvider": "Create provider",
+    "editProvider": "Edit provider",
+    "trustEmail": "Trust email",
+    "emailLinkingPolicy": "Email linking policy",
+    "configJson": "Config JSON",
+    "attributeMappingJson": "Attribute mapping JSON",
+    "deleteProviderConfirm": "Delete this SSO provider?",
+    "groupMappings": "Group mappings",
+    "selectProvider": "Select provider",
+    "externalGroup": "External group",
+    "assignBotRole": "Assign bot role",
+    "bot": "Bot",
+    "selectBot": "Select bot",
+    "principalType": "Principal type",
+    "principal": "Principal",
+    "selectPrincipal": "Select principal",
+    "role": "Role",
+    "assign": "Assign",
+    "scope": "Scope",
+    "system": "System",
+    "empty": "No records"
+  },
   "supermarket": {
     "title": "Supermarket",
     "searchPlaceholder": "Search MCPs and Skills...",
diff --git a/apps/web/src/i18n/locales/zh.json b/apps/web/src/i18n/locales/zh.json
index 797c590af..dd25d7393 100644
--- a/apps/web/src/i18n/locales/zh.json
+++ b/apps/web/src/i18n/locales/zh.json
@@ -12,6 +12,8 @@
     "loading": "加载中...",
     "operation": "操作",
     "enable": "启用",
+    "enabled": "已启用",
+    "disabled": "已禁用",
     "optional": "可选",
     "advanced": "高级选项",
     "import": "导入",
@@ -75,6 +77,7 @@
     "platform": "接入平台",
     "usage": "用量统计",
     "browser": "浏览器",
+    "iam": "身份权限",
     "supermarket": "市场",
     "about": "关于"
   },
@@ -1603,6 +1606,52 @@
     "colInputTokens": "输入",
     "colOutputTokens": "输出"
   },
+  "iam": {
+    "title": "身份与权限",
+    "subtitle": "管理 SSO 提供方、用户组、角色分配和内置角色。",
+    "roles": "角色",
+    "groups": "用户组",
+    "sso": "SSO",
+    "botPermissions": "Bot 权限",
+    "key": "Key",
+    "displayName": "显示名称",
+    "source": "来源",
+    "actions": "操作",
+    "members": "成员",
+    "createGroup": "创建用户组",
+    "editGroup": "编辑用户组",
+    "externalId": "外部 ID",
+    "metadata": "Metadata JSON",
+    "groupMembers": "用户组成员",
+    "selectGroup": "选择用户组",
+    "selectUser": "选择用户",
+    "deleteGroupConfirm": "删除这个用户组？",
+    "name": "名称",
+    "type": "类型",
+    "enabled": "启用",
+    "mappings": "映射",
+    "createProvider": "创建提供方",
+    "editProvider": "编辑提供方",
+    "trustEmail": "信任邮箱",
+    "emailLinkingPolicy": "邮箱合并策略",
+    "configJson": "Config JSON",
+    "attributeMappingJson": "Attribute mapping JSON",
+    "deleteProviderConfirm": "删除这个 SSO 提供方？",
+    "groupMappings": "用户组映射",
+    "selectProvider": "选择提供方",
+    "externalGroup": "外部用户组",
+    "assignBotRole": "分配 Bot 角色",
+    "bot": "Bot",
+    "selectBot": "选择 Bot",
+    "principalType": "主体类型",
+    "principal": "主体",
+    "selectPrincipal": "选择主体",
+    "role": "角色",
+    "assign": "分配",
+    "scope": "Scope",
+    "system": "系统",
+    "empty": "暂无记录"
+  },
   "supermarket": {
     "title": "市场",
     "searchPlaceholder": "搜索 MCP 和 Skills...",
diff --git a/apps/web/src/pages/iam/index.vue b/apps/web/src/pages/iam/index.vue
new file mode 100644
index 000000000..caabbfd53
--- /dev/null
+++ b/apps/web/src/pages/iam/index.vue
@@ -0,0 +1,1091 @@
+<template>
+  <SettingsShell width="wide">
+    <div class="space-y-5">
+      <div class="flex items-center justify-between gap-3">
+        <div>
+          <h1 class="text-lg font-semibold">
+            {{ $t('iam.title') }}
+          </h1>
+          <p class="mt-1 text-xs text-muted-foreground">
+            {{ $t('iam.subtitle') }}
+          </p>
+        </div>
+        <Button
+          variant="outline"
+          size="sm"
+          :disabled="loading"
+          @click="loadAll"
+        >
+          <RefreshCw class="size-3.5" />
+          {{ $t('common.refresh') }}
+        </Button>
+      </div>
+
+      <div
+        v-if="loading"
+        class="flex items-center text-xs text-muted-foreground"
+      >
+        <Spinner class="mr-2 size-4" />
+        {{ $t('common.loading') }}
+      </div>
+
+      <Tabs
+        default-value="groups"
+        class="w-full"
+      >
+        <TabsList>
+          <TabsTrigger value="groups">
+            {{ $t('iam.groups') }}
+          </TabsTrigger>
+          <TabsTrigger value="sso">
+            {{ $t('iam.sso') }}
+          </TabsTrigger>
+          <TabsTrigger value="botPermissions">
+            {{ $t('iam.botPermissions') }}
+          </TabsTrigger>
+          <TabsTrigger value="roles">
+            {{ $t('iam.roles') }}
+          </TabsTrigger>
+        </TabsList>
+
+        <TabsContent value="groups">
+          <section class="grid gap-4 lg:grid-cols-[minmax(0,1fr)_340px]">
+            <div class="rounded-md border">
+              <Table>
+                <TableHeader>
+                  <TableRow>
+                    <TableHead>{{ $t('iam.key') }}</TableHead>
+                    <TableHead>{{ $t('iam.displayName') }}</TableHead>
+                    <TableHead>{{ $t('iam.source') }}</TableHead>
+                    <TableHead class="text-right">
+                      {{ $t('iam.actions') }}
+                    </TableHead>
+                  </TableRow>
+                </TableHeader>
+                <TableBody>
+                  <TableRow v-if="groups.length === 0">
+                    <TableCell
+                      colspan="4"
+                      class="text-center text-muted-foreground"
+                    >
+                      {{ $t('iam.empty') }}
+                    </TableCell>
+                  </TableRow>
+                  <TableRow
+                    v-for="group in groups"
+                    v-else
+                    :key="group.id"
+                    :class="selectedGroupId === group.id ? 'bg-accent/40' : ''"
+                  >
+                    <TableCell class="font-medium">
+                      {{ group.key }}
+                    </TableCell>
+                    <TableCell>{{ group.display_name }}</TableCell>
+                    <TableCell>{{ group.source }}</TableCell>
+                    <TableCell>
+                      <div class="flex justify-end gap-2">
+                        <Button
+                          variant="outline"
+                          size="sm"
+                          @click="selectGroup(group)"
+                        >
+                          {{ $t('iam.members') }}
+                        </Button>
+                        <Button
+                          variant="outline"
+                          size="sm"
+                          @click="editGroup(group)"
+                        >
+                          {{ $t('common.edit') }}
+                        </Button>
+                        <ConfirmPopover
+                          :message="$t('iam.deleteGroupConfirm')"
+                          @confirm="deleteGroup(group.id || '')"
+                        >
+                          <template #trigger>
+                            <Button
+                              variant="destructive"
+                              size="sm"
+                            >
+                              {{ $t('common.delete') }}
+                            </Button>
+                          </template>
+                        </ConfirmPopover>
+                      </div>
+                    </TableCell>
+                  </TableRow>
+                </TableBody>
+              </Table>
+            </div>
+
+            <div class="space-y-4">
+              <section class="rounded-md border p-4 space-y-3">
+                <h2 class="text-sm font-medium">
+                  {{ groupForm.id ? $t('iam.editGroup') : $t('iam.createGroup') }}
+                </h2>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.key') }}</Label>
+                  <Input v-model="groupForm.key" />
+                </div>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.displayName') }}</Label>
+                  <Input v-model="groupForm.display_name" />
+                </div>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.source') }}</Label>
+                  <Input v-model="groupForm.source" />
+                </div>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.externalId') }}</Label>
+                  <Input v-model="groupForm.external_id" />
+                </div>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.metadata') }}</Label>
+                  <Textarea
+                    v-model="groupForm.metadata"
+                    class="min-h-24 font-mono text-xs"
+                  />
+                </div>
+                <div class="flex gap-2">
+                  <Button
+                    size="sm"
+                    :disabled="savingGroup"
+                    @click="saveGroup"
+                  >
+                    <Spinner
+                      v-if="savingGroup"
+                      class="size-3.5"
+                    />
+                    {{ $t('common.save') }}
+                  </Button>
+                  <Button
+                    variant="outline"
+                    size="sm"
+                    @click="resetGroupForm"
+                  >
+                    {{ $t('common.cancel') }}
+                  </Button>
+                </div>
+              </section>
+
+              <section class="rounded-md border p-4 space-y-3">
+                <h2 class="text-sm font-medium">
+                  {{ $t('iam.groupMembers') }}
+                </h2>
+                <select
+                  v-model="selectedGroupId"
+                  class="h-9 w-full rounded-md border border-border bg-background px-3 text-xs"
+                  @change="loadGroupMembers"
+                >
+                  <option value="">
+                    {{ $t('iam.selectGroup') }}
+                  </option>
+                  <option
+                    v-for="group in groups"
+                    :key="group.id"
+                    :value="group.id"
+                  >
+                    {{ group.display_name || group.key }}
+                  </option>
+                </select>
+                <div class="flex gap-2">
+                  <select
+                    v-model="memberUserId"
+                    class="h-9 min-w-0 flex-1 rounded-md border border-border bg-background px-3 text-xs"
+                  >
+                    <option value="">
+                      {{ $t('iam.selectUser') }}
+                    </option>
+                    <option
+                      v-for="user in users"
+                      :key="user.id"
+                      :value="user.id"
+                    >
+                      {{ accountLabel(user) }}
+                    </option>
+                  </select>
+                  <Button
+                    size="sm"
+                    :disabled="!selectedGroupId || !memberUserId"
+                    @click="addGroupMember"
+                  >
+                    {{ $t('common.add') }}
+                  </Button>
+                </div>
+                <div class="space-y-2">
+                  <div
+                    v-for="member in groupMembers"
+                    :key="member.user_id"
+                    class="flex items-center justify-between gap-2 rounded-md border px-3 py-2"
+                  >
+                    <div class="min-w-0">
+                      <p class="truncate text-xs font-medium">
+                        {{ member.display_name || member.username || member.email || member.user_id }}
+                      </p>
+                      <p class="truncate text-[11px] text-muted-foreground">
+                        {{ member.email || member.user_id }}
+                      </p>
+                    </div>
+                    <Button
+                      variant="ghost"
+                      size="sm"
+                      @click="removeGroupMember(member.user_id || '')"
+                    >
+                      <Trash2 class="size-3.5" />
+                    </Button>
+                  </div>
+                </div>
+              </section>
+            </div>
+          </section>
+        </TabsContent>
+
+        <TabsContent value="sso">
+          <section class="grid gap-4 lg:grid-cols-[minmax(0,1fr)_420px]">
+            <div class="rounded-md border">
+              <Table>
+                <TableHeader>
+                  <TableRow>
+                    <TableHead>{{ $t('iam.name') }}</TableHead>
+                    <TableHead>{{ $t('iam.type') }}</TableHead>
+                    <TableHead>{{ $t('iam.key') }}</TableHead>
+                    <TableHead>{{ $t('iam.enabled') }}</TableHead>
+                    <TableHead class="text-right">
+                      {{ $t('iam.actions') }}
+                    </TableHead>
+                  </TableRow>
+                </TableHeader>
+                <TableBody>
+                  <TableRow v-if="providers.length === 0">
+                    <TableCell
+                      colspan="5"
+                      class="text-center text-muted-foreground"
+                    >
+                      {{ $t('iam.empty') }}
+                    </TableCell>
+                  </TableRow>
+                  <TableRow
+                    v-for="provider in providers"
+                    v-else
+                    :key="provider.id"
+                  >
+                    <TableCell class="font-medium">
+                      {{ provider.name }}
+                    </TableCell>
+                    <TableCell>{{ provider.type }}</TableCell>
+                    <TableCell>{{ provider.key }}</TableCell>
+                    <TableCell>{{ provider.enabled ? $t('common.enabled') : $t('common.disabled') }}</TableCell>
+                    <TableCell>
+                      <div class="flex justify-end gap-2">
+                        <Button
+                          variant="outline"
+                          size="sm"
+                          @click="selectProvider(provider)"
+                        >
+                          {{ $t('iam.mappings') }}
+                        </Button>
+                        <Button
+                          variant="outline"
+                          size="sm"
+                          @click="editProvider(provider)"
+                        >
+                          {{ $t('common.edit') }}
+                        </Button>
+                        <ConfirmPopover
+                          :message="$t('iam.deleteProviderConfirm')"
+                          @confirm="deleteProvider(provider.id || '')"
+                        >
+                          <template #trigger>
+                            <Button
+                              variant="destructive"
+                              size="sm"
+                            >
+                              {{ $t('common.delete') }}
+                            </Button>
+                          </template>
+                        </ConfirmPopover>
+                      </div>
+                    </TableCell>
+                  </TableRow>
+                </TableBody>
+              </Table>
+            </div>
+
+            <div class="space-y-4">
+              <section class="rounded-md border p-4 space-y-3">
+                <h2 class="text-sm font-medium">
+                  {{ providerForm.id ? $t('iam.editProvider') : $t('iam.createProvider') }}
+                </h2>
+                <div class="grid grid-cols-2 gap-3">
+                  <div class="space-y-2">
+                    <Label>{{ $t('iam.type') }}</Label>
+                    <select
+                      v-model="providerForm.type"
+                      class="h-9 w-full rounded-md border border-border bg-background px-3 text-xs"
+                      @change="resetProviderConfig"
+                    >
+                      <option value="oidc">
+                        OIDC
+                      </option>
+                      <option value="saml">
+                        SAML
+                      </option>
+                    </select>
+                  </div>
+                  <div class="space-y-2">
+                    <Label>{{ $t('iam.key') }}</Label>
+                    <Input v-model="providerForm.key" />
+                  </div>
+                </div>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.name') }}</Label>
+                  <Input v-model="providerForm.name" />
+                </div>
+                <div class="grid grid-cols-3 gap-3">
+                  <label class="flex items-center gap-2 text-xs">
+                    <Switch v-model:checked="providerForm.enabled" />
+                    {{ $t('iam.enabled') }}
+                  </label>
+                  <label class="flex items-center gap-2 text-xs">
+                    <Switch v-model:checked="providerForm.jit_enabled" />
+                    JIT
+                  </label>
+                  <label class="flex items-center gap-2 text-xs">
+                    <Switch v-model:checked="providerForm.trust_email" />
+                    {{ $t('iam.trustEmail') }}
+                  </label>
+                </div>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.emailLinkingPolicy') }}</Label>
+                  <select
+                    v-model="providerForm.email_linking_policy"
+                    class="h-9 w-full rounded-md border border-border bg-background px-3 text-xs"
+                  >
+                    <option value="link_existing">
+                      link_existing
+                    </option>
+                    <option value="reject_existing">
+                      reject_existing
+                    </option>
+                  </select>
+                </div>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.configJson') }}</Label>
+                  <Textarea
+                    v-model="providerForm.config"
+                    class="min-h-40 font-mono text-xs"
+                  />
+                </div>
+                <div class="space-y-2">
+                  <Label>{{ $t('iam.attributeMappingJson') }}</Label>
+                  <Textarea
+                    v-model="providerForm.attribute_mapping"
+                    class="min-h-32 font-mono text-xs"
+                  />
+                </div>
+                <div class="flex gap-2">
+                  <Button
+                    size="sm"
+                    :disabled="savingProvider"
+                    @click="saveProvider"
+                  >
+                    <Spinner
+                      v-if="savingProvider"
+                      class="size-3.5"
+                    />
+                    {{ $t('common.save') }}
+                  </Button>
+                  <Button
+                    variant="outline"
+                    size="sm"
+                    @click="resetProviderForm"
+                  >
+                    {{ $t('common.cancel') }}
+                  </Button>
+                </div>
+              </section>
+
+              <section class="rounded-md border p-4 space-y-3">
+                <h2 class="text-sm font-medium">
+                  {{ $t('iam.groupMappings') }}
+                </h2>
+                <select
+                  v-model="selectedProviderId"
+                  class="h-9 w-full rounded-md border border-border bg-background px-3 text-xs"
+                  @change="loadMappings"
+                >
+                  <option value="">
+                    {{ $t('iam.selectProvider') }}
+                  </option>
+                  <option
+                    v-for="provider in providers"
+                    :key="provider.id"
+                    :value="provider.id"
+                  >
+                    {{ provider.name || provider.key }}
+                  </option>
+                </select>
+                <div class="grid grid-cols-[minmax(0,1fr)_minmax(0,1fr)_auto] gap-2">
+                  <Input
+                    v-model="mappingExternalGroup"
+                    :placeholder="$t('iam.externalGroup')"
+                  />
+                  <select
+                    v-model="mappingGroupId"
+                    class="h-9 rounded-md border border-border bg-background px-3 text-xs"
+                  >
+                    <option value="">
+                      {{ $t('iam.selectGroup') }}
+                    </option>
+                    <option
+                      v-for="group in groups"
+                      :key="group.id"
+                      :value="group.id"
+                    >
+                      {{ group.display_name || group.key }}
+                    </option>
+                  </select>
+                  <Button
+                    size="sm"
+                    :disabled="!selectedProviderId || !mappingExternalGroup || !mappingGroupId"
+                    @click="saveMapping"
+                  >
+                    {{ $t('common.add') }}
+                  </Button>
+                </div>
+                <div class="space-y-2">
+                  <div
+                    v-for="mapping in mappings"
+                    :key="mapping.external_group"
+                    class="flex items-center justify-between gap-2 rounded-md border px-3 py-2"
+                  >
+                    <div class="min-w-0">
+                      <p class="truncate text-xs font-medium">
+                        {{ mapping.external_group }}
+                      </p>
+                      <p class="truncate text-[11px] text-muted-foreground">
+                        {{ mapping.group_display_name || mapping.group_key }}
+                      </p>
+                    </div>
+                    <Button
+                      variant="ghost"
+                      size="sm"
+                      @click="deleteMapping(mapping.external_group || '')"
+                    >
+                      <Trash2 class="size-3.5" />
+                    </Button>
+                  </div>
+                </div>
+              </section>
+            </div>
+          </section>
+        </TabsContent>
+
+        <TabsContent value="botPermissions">
+          <section class="grid gap-4 lg:grid-cols-[360px_minmax(0,1fr)]">
+            <div class="rounded-md border p-4 space-y-3">
+              <h2 class="text-sm font-medium">
+                {{ $t('iam.assignBotRole') }}
+              </h2>
+              <div class="space-y-2">
+                <Label>{{ $t('iam.bot') }}</Label>
+                <select
+                  v-model="selectedBotId"
+                  class="h-9 w-full rounded-md border border-border bg-background px-3 text-xs"
+                  @change="loadPrincipalRoles"
+                >
+                  <option value="">
+                    {{ $t('iam.selectBot') }}
+                  </option>
+                  <option
+                    v-for="bot in bots"
+                    :key="bot.id"
+                    :value="bot.id"
+                  >
+                    {{ bot.display_name || bot.id }}
+                  </option>
+                </select>
+              </div>
+              <div class="space-y-2">
+                <Label>{{ $t('iam.principalType') }}</Label>
+                <select
+                  v-model="assignmentPrincipalType"
+                  class="h-9 w-full rounded-md border border-border bg-background px-3 text-xs"
+                >
+                  <option value="user">
+                    user
+                  </option>
+                  <option value="group">
+                    group
+                  </option>
+                </select>
+              </div>
+              <div class="space-y-2">
+                <Label>{{ $t('iam.principal') }}</Label>
+                <select
+                  v-model="assignmentPrincipalId"
+                  class="h-9 w-full rounded-md border border-border bg-background px-3 text-xs"
+                >
+                  <option value="">
+                    {{ $t('iam.selectPrincipal') }}
+                  </option>
+                  <option
+                    v-for="principal in principalOptions"
+                    :key="principal.id"
+                    :value="principal.id"
+                  >
+                    {{ principal.label }}
+                  </option>
+                </select>
+              </div>
+              <div class="space-y-2">
+                <Label>{{ $t('iam.role') }}</Label>
+                <select
+                  v-model="assignmentRoleKey"
+                  class="h-9 w-full rounded-md border border-border bg-background px-3 text-xs"
+                >
+                  <option
+                    v-for="role in botRoles"
+                    :key="role.key"
+                    :value="role.key"
+                  >
+                    {{ role.key }}
+                  </option>
+                </select>
+              </div>
+              <Button
+                size="sm"
+                :disabled="!selectedBotId || !assignmentPrincipalId || !assignmentRoleKey"
+                @click="assignBotRole"
+              >
+                {{ $t('iam.assign') }}
+              </Button>
+            </div>
+
+            <div class="rounded-md border">
+              <Table>
+                <TableHeader>
+                  <TableRow>
+                    <TableHead>{{ $t('iam.principal') }}</TableHead>
+                    <TableHead>{{ $t('iam.role') }}</TableHead>
+                    <TableHead>{{ $t('iam.source') }}</TableHead>
+                    <TableHead class="text-right">
+                      {{ $t('iam.actions') }}
+                    </TableHead>
+                  </TableRow>
+                </TableHeader>
+                <TableBody>
+                  <TableRow v-if="principalRoles.length === 0">
+                    <TableCell
+                      colspan="4"
+                      class="text-center text-muted-foreground"
+                    >
+                      {{ $t('iam.empty') }}
+                    </TableCell>
+                  </TableRow>
+                  <TableRow
+                    v-for="assignment in principalRoles"
+                    v-else
+                    :key="assignment.id"
+                  >
+                    <TableCell>
+                      {{ principalRoleLabel(assignment) }}
+                    </TableCell>
+                    <TableCell>{{ assignment.role_key }}</TableCell>
+                    <TableCell>{{ assignment.source }}</TableCell>
+                    <TableCell class="text-right">
+                      <Button
+                        variant="ghost"
+                        size="sm"
+                        @click="deletePrincipalRole(assignment.id || '')"
+                      >
+                        <Trash2 class="size-3.5" />
+                      </Button>
+                    </TableCell>
+                  </TableRow>
+                </TableBody>
+              </Table>
+            </div>
+          </section>
+        </TabsContent>
+
+        <TabsContent value="roles">
+          <div class="rounded-md border">
+            <Table>
+              <TableHeader>
+                <TableRow>
+                  <TableHead>{{ $t('iam.key') }}</TableHead>
+                  <TableHead>{{ $t('iam.scope') }}</TableHead>
+                  <TableHead>{{ $t('iam.system') }}</TableHead>
+                </TableRow>
+              </TableHeader>
+              <TableBody>
+                <TableRow
+                  v-for="role in roles"
+                  :key="role.id"
+                >
+                  <TableCell class="font-medium">
+                    {{ role.key }}
+                  </TableCell>
+                  <TableCell>{{ role.scope }}</TableCell>
+                  <TableCell>{{ role.is_system ? 'true' : 'false' }}</TableCell>
+                </TableRow>
+              </TableBody>
+            </Table>
+          </div>
+        </TabsContent>
+      </Tabs>
+    </div>
+  </SettingsShell>
+</template>
+
+<script setup lang="ts">
+import { computed, onMounted, reactive, ref } from 'vue'
+import { RefreshCw, Trash2 } from 'lucide-vue-next'
+import { toast } from 'vue-sonner'
+import {
+  Button,
+  Input,
+  Label,
+  Spinner,
+  Switch,
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+  Tabs,
+  TabsContent,
+  TabsList,
+  TabsTrigger,
+  Textarea,
+} from '@memohai/ui'
+import {
+  deleteIamGroupsById,
+  deleteIamGroupsByIdMembersByUserId,
+  deleteIamPrincipalRolesById,
+  deleteIamSsoProvidersById,
+  deleteIamSsoProvidersByIdGroupMappingsByExternalGroup,
+  getBots,
+  getIamBotsByBotIdPrincipalRoles,
+  getIamGroups,
+  getIamGroupsByIdMembers,
+  getIamRoles,
+  getIamSsoProviders,
+  getIamSsoProvidersByIdGroupMappings,
+  getUsers,
+  postIamBotsByBotIdPrincipalRoles,
+  postIamGroups,
+  postIamGroupsByIdMembers,
+  postIamSsoProviders,
+  postIamSsoProvidersByIdGroupMappings,
+  putIamGroupsById,
+  putIamSsoProvidersById,
+  type BotsBot,
+  type GithubComMemohaiMemohInternalAccountsAccount,
+  type HandlersIamGroupMemberResponse,
+  type HandlersIamGroupResponse,
+  type HandlersIamPrincipalRoleResponse,
+  type HandlersIamRoleResponse,
+  type HandlersIamssoGroupMappingResponse,
+  type HandlersIamssoProviderResponse,
+} from '@memohai/sdk'
+import SettingsShell from '@/components/settings-shell/index.vue'
+import ConfirmPopover from '@/components/confirm-popover/index.vue'
+import { resolveApiErrorMessage } from '@/utils/api-error'
+
+const loading = ref(false)
+const savingGroup = ref(false)
+const savingProvider = ref(false)
+
+const users = ref<GithubComMemohaiMemohInternalAccountsAccount[]>([])
+const bots = ref<BotsBot[]>([])
+const roles = ref<HandlersIamRoleResponse[]>([])
+const groups = ref<HandlersIamGroupResponse[]>([])
+const providers = ref<HandlersIamssoProviderResponse[]>([])
+const groupMembers = ref<HandlersIamGroupMemberResponse[]>([])
+const mappings = ref<HandlersIamssoGroupMappingResponse[]>([])
+const principalRoles = ref<HandlersIamPrincipalRoleResponse[]>([])
+
+const selectedGroupId = ref('')
+const memberUserId = ref('')
+const selectedProviderId = ref('')
+const mappingExternalGroup = ref('')
+const mappingGroupId = ref('')
+const selectedBotId = ref('')
+const assignmentPrincipalType = ref<'user' | 'group'>('user')
+const assignmentPrincipalId = ref('')
+const assignmentRoleKey = ref('bot_operator')
+
+const groupForm = reactive({
+  id: '',
+  key: '',
+  display_name: '',
+  source: 'manual',
+  external_id: '',
+  metadata: '{}',
+})
+
+const providerForm = reactive({
+  id: '',
+  type: 'oidc',
+  key: '',
+  name: '',
+  enabled: true,
+  config: oidcConfigJSON(),
+  attribute_mapping: attributeMappingJSON(),
+  jit_enabled: true,
+  email_linking_policy: 'link_existing',
+  trust_email: true,
+})
+
+const botRoles = computed(() => roles.value.filter(role => role.scope === 'bot'))
+
+const principalOptions = computed(() => {
+  if (assignmentPrincipalType.value === 'user') {
+    return users.value.map(user => ({ id: user.id || '', label: accountLabel(user) })).filter(item => item.id)
+  }
+  return groups.value.map(group => ({ id: group.id || '', label: group.display_name || group.key || group.id || '' })).filter(item => item.id)
+})
+
+onMounted(loadAll)
+
+async function loadAll() {
+  loading.value = true
+  try {
+    const [userResult, botResult, roleResult, groupResult, providerResult] = await Promise.all([
+      getUsers({ throwOnError: true }),
+      getBots({ throwOnError: true }),
+      getIamRoles({ throwOnError: true }),
+      getIamGroups({ throwOnError: true }),
+      getIamSsoProviders({ throwOnError: true }),
+    ])
+    users.value = userResult.data.items || []
+    bots.value = botResult.data.items || []
+    roles.value = roleResult.data.items || []
+    groups.value = groupResult.data.items || []
+    providers.value = providerResult.data.items || []
+    if (!assignmentRoleKey.value && botRoles.value[0]?.key) {
+      assignmentRoleKey.value = botRoles.value[0].key
+    }
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to load IAM data'))
+  } finally {
+    loading.value = false
+  }
+}
+
+async function loadGroups() {
+  const { data } = await getIamGroups({ throwOnError: true })
+  groups.value = data.items || []
+}
+
+async function loadProviders() {
+  const { data } = await getIamSsoProviders({ throwOnError: true })
+  providers.value = data.items || []
+}
+
+async function loadGroupMembers() {
+  if (!selectedGroupId.value) {
+    groupMembers.value = []
+    return
+  }
+  const { data } = await getIamGroupsByIdMembers({ path: { id: selectedGroupId.value }, throwOnError: true })
+  groupMembers.value = data.items || []
+}
+
+async function loadMappings() {
+  if (!selectedProviderId.value) {
+    mappings.value = []
+    return
+  }
+  const { data } = await getIamSsoProvidersByIdGroupMappings({ path: { id: selectedProviderId.value }, throwOnError: true })
+  mappings.value = data.items || []
+}
+
+async function loadPrincipalRoles() {
+  if (!selectedBotId.value) {
+    principalRoles.value = []
+    return
+  }
+  const { data } = await getIamBotsByBotIdPrincipalRoles({ path: { bot_id: selectedBotId.value }, throwOnError: true })
+  principalRoles.value = data.items || []
+}
+
+function resetGroupForm() {
+  groupForm.id = ''
+  groupForm.key = ''
+  groupForm.display_name = ''
+  groupForm.source = 'manual'
+  groupForm.external_id = ''
+  groupForm.metadata = '{}'
+}
+
+function editGroup(group: HandlersIamGroupResponse) {
+  groupForm.id = group.id || ''
+  groupForm.key = group.key || ''
+  groupForm.display_name = group.display_name || ''
+  groupForm.source = group.source || 'manual'
+  groupForm.external_id = group.external_id || ''
+  groupForm.metadata = stringifyJSON(group.metadata)
+}
+
+async function saveGroup() {
+  savingGroup.value = true
+  try {
+    const body = {
+      key: groupForm.key.trim(),
+      display_name: groupForm.display_name.trim(),
+      source: groupForm.source.trim() || 'manual',
+      external_id: groupForm.external_id.trim(),
+      metadata: parseJSON(groupForm.metadata, 'metadata'),
+    }
+    if (groupForm.id) {
+      await putIamGroupsById({ path: { id: groupForm.id }, body: body as never, throwOnError: true })
+    } else {
+      await postIamGroups({ body: body as never, throwOnError: true })
+    }
+    await loadGroups()
+    resetGroupForm()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to save group'))
+  } finally {
+    savingGroup.value = false
+  }
+}
+
+async function deleteGroup(id: string) {
+  if (!id) return
+  try {
+    await deleteIamGroupsById({ path: { id }, throwOnError: true })
+    if (selectedGroupId.value === id) {
+      selectedGroupId.value = ''
+      groupMembers.value = []
+    }
+    await loadGroups()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to delete group'))
+  }
+}
+
+async function selectGroup(group: HandlersIamGroupResponse) {
+  selectedGroupId.value = group.id || ''
+  await loadGroupMembers()
+}
+
+async function addGroupMember() {
+  if (!selectedGroupId.value || !memberUserId.value) return
+  try {
+    await postIamGroupsByIdMembers({
+      path: { id: selectedGroupId.value },
+      body: { user_id: memberUserId.value, source: 'manual' },
+      throwOnError: true,
+    })
+    memberUserId.value = ''
+    await loadGroupMembers()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to add group member'))
+  }
+}
+
+async function removeGroupMember(userId: string) {
+  if (!selectedGroupId.value || !userId) return
+  try {
+    await deleteIamGroupsByIdMembersByUserId({ path: { id: selectedGroupId.value, user_id: userId }, throwOnError: true })
+    await loadGroupMembers()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to remove group member'))
+  }
+}
+
+function resetProviderForm() {
+  providerForm.id = ''
+  providerForm.type = 'oidc'
+  providerForm.key = ''
+  providerForm.name = ''
+  providerForm.enabled = true
+  providerForm.config = oidcConfigJSON()
+  providerForm.attribute_mapping = attributeMappingJSON()
+  providerForm.jit_enabled = true
+  providerForm.email_linking_policy = 'link_existing'
+  providerForm.trust_email = true
+}
+
+function resetProviderConfig() {
+  providerForm.config = providerForm.type === 'saml' ? samlConfigJSON() : oidcConfigJSON()
+}
+
+function editProvider(provider: HandlersIamssoProviderResponse) {
+  providerForm.id = provider.id || ''
+  providerForm.type = provider.type || 'oidc'
+  providerForm.key = provider.key || ''
+  providerForm.name = provider.name || ''
+  providerForm.enabled = !!provider.enabled
+  providerForm.config = stringifyJSON(provider.config)
+  providerForm.attribute_mapping = stringifyJSON(provider.attribute_mapping)
+  providerForm.jit_enabled = provider.jit_enabled !== false
+  providerForm.email_linking_policy = provider.email_linking_policy || 'link_existing'
+  providerForm.trust_email = !!provider.trust_email
+}
+
+async function saveProvider() {
+  savingProvider.value = true
+  try {
+    const body = {
+      type: providerForm.type,
+      key: providerForm.key.trim(),
+      name: providerForm.name.trim(),
+      enabled: providerForm.enabled,
+      config: parseJSON(providerForm.config, 'config'),
+      attribute_mapping: parseJSON(providerForm.attribute_mapping, 'attribute_mapping'),
+      jit_enabled: providerForm.jit_enabled,
+      email_linking_policy: providerForm.email_linking_policy,
+      trust_email: providerForm.trust_email,
+    }
+    if (providerForm.id) {
+      await putIamSsoProvidersById({ path: { id: providerForm.id }, body: body as never, throwOnError: true })
+    } else {
+      await postIamSsoProviders({ body: body as never, throwOnError: true })
+    }
+    await loadProviders()
+    resetProviderForm()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to save SSO provider'))
+  } finally {
+    savingProvider.value = false
+  }
+}
+
+async function deleteProvider(id: string) {
+  if (!id) return
+  try {
+    await deleteIamSsoProvidersById({ path: { id }, throwOnError: true })
+    if (selectedProviderId.value === id) {
+      selectedProviderId.value = ''
+      mappings.value = []
+    }
+    await loadProviders()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to delete SSO provider'))
+  }
+}
+
+async function selectProvider(provider: HandlersIamssoProviderResponse) {
+  selectedProviderId.value = provider.id || ''
+  await loadMappings()
+}
+
+async function saveMapping() {
+  if (!selectedProviderId.value || !mappingExternalGroup.value || !mappingGroupId.value) return
+  try {
+    await postIamSsoProvidersByIdGroupMappings({
+      path: { id: selectedProviderId.value },
+      body: { external_group: mappingExternalGroup.value.trim(), group_id: mappingGroupId.value },
+      throwOnError: true,
+    })
+    mappingExternalGroup.value = ''
+    mappingGroupId.value = ''
+    await loadMappings()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to save group mapping'))
+  }
+}
+
+async function deleteMapping(externalGroup: string) {
+  if (!selectedProviderId.value || !externalGroup) return
+  try {
+    await deleteIamSsoProvidersByIdGroupMappingsByExternalGroup({
+      path: { id: selectedProviderId.value, external_group: externalGroup },
+      throwOnError: true,
+    })
+    await loadMappings()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to delete group mapping'))
+  }
+}
+
+async function assignBotRole() {
+  if (!selectedBotId.value || !assignmentPrincipalId.value || !assignmentRoleKey.value) return
+  try {
+    await postIamBotsByBotIdPrincipalRoles({
+      path: { bot_id: selectedBotId.value },
+      body: {
+        principal_type: assignmentPrincipalType.value,
+        principal_id: assignmentPrincipalId.value,
+        role_key: assignmentRoleKey.value,
+      },
+      throwOnError: true,
+    })
+    assignmentPrincipalId.value = ''
+    await loadPrincipalRoles()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to assign bot role'))
+  }
+}
+
+async function deletePrincipalRole(id: string) {
+  if (!id) return
+  try {
+    await deleteIamPrincipalRolesById({ path: { id }, throwOnError: true })
+    await loadPrincipalRoles()
+  } catch (error) {
+    toast.error(resolveApiErrorMessage(error, 'Failed to delete role assignment'))
+  }
+}
+
+function accountLabel(user: GithubComMemohaiMemohInternalAccountsAccount) {
+  return user.display_name || user.username || user.email || user.id || ''
+}
+
+function principalRoleLabel(role: HandlersIamPrincipalRoleResponse) {
+  if (role.principal_type === 'group') {
+    return `group:${role.group_display_name || role.group_key || role.principal_id}`
+  }
+  return `user:${role.user_display_name || role.user_username || role.user_email || role.principal_id}`
+}
+
+function parseJSON(value: string, field: string): unknown {
+  try {
+    return JSON.parse(value || '{}')
+  } catch {
+    throw new Error(`${field} must be valid JSON`)
+  }
+}
+
+function stringifyJSON(value: unknown) {
+  if (!value) return '{}'
+  if (typeof value === 'string') return value
+  return JSON.stringify(value, null, 2)
+}
+
+function attributeMappingJSON() {
+  return JSON.stringify({
+    subject: 'sub',
+    email: 'email',
+    username: 'preferred_username',
+    display_name: 'name',
+    avatar_url: 'picture',
+    groups: ['groups'],
+  }, null, 2)
+}
+
+function oidcConfigJSON() {
+  return JSON.stringify({
+    issuer: '',
+    client_id: '',
+    client_secret: '',
+    redirect_url: '',
+    scopes: ['openid', 'profile', 'email'],
+  }, null, 2)
+}
+
+function samlConfigJSON() {
+  return JSON.stringify({
+    entity_id: '',
+    metadata_xml: '',
+    metadata_url: '',
+    acs_url: '',
+  }, null, 2)
+}
+</script>
diff --git a/apps/web/src/pages/login/index.vue b/apps/web/src/pages/login/index.vue
index fd03c2320..238938450 100644
--- a/apps/web/src/pages/login/index.vue
+++ b/apps/web/src/pages/login/index.vue
@@ -107,14 +107,28 @@
           </CardContent>
 
           <CardFooter>
-            <Button
-              class="w-full"
-              type="submit"
-              @click="login"
-            >
-              <Spinner v-if="loading" />
-              {{ $t('auth.login') }}
-            </Button>
+            <div class="w-full flex flex-col gap-3">
+              <Button
+                class="w-full"
+                type="submit"
+                @click="login"
+              >
+                <Spinner v-if="loading" />
+                {{ $t('auth.login') }}
+              </Button>
+              <Button
+                v-for="provider in ssoProviders"
+                :key="provider.id"
+                class="w-full"
+                type="button"
+                variant="outline"
+                :disabled="ssoLoading === provider.id"
+                @click="startSSO(provider.id)"
+              >
+                <Spinner v-if="ssoLoading === provider.id" />
+                {{ provider.name }}
+              </Button>
+            </div>
           </CardFooter>
         </Card>
       </form>
@@ -148,11 +162,12 @@ import { useForm } from 'vee-validate'
 import * as z from 'zod'
 import { useUserStore } from '@/store/user'
 import { useSettingsStore } from '@/store/settings'
-import { ref } from 'vue'
+import { onMounted, ref } from 'vue'
 import { storeToRefs } from 'pinia'
 import { toast } from 'vue-sonner'
 import { useI18n } from 'vue-i18n'
-import { postAuthLogin } from '@memohai/sdk'
+import { getAuthSsoByProviderIdStart, getAuthSsoProviders, postAuthLogin } from '@memohai/sdk'
+import type { HandlersSsoProviderResponse } from '@memohai/sdk'
 import type { Locale } from '@/i18n'
 
 const router = useRouter()
@@ -175,6 +190,35 @@ const form = useForm({
 
 const { login: loginHandle } = useUserStore()
 const loading = ref(false)
+const ssoLoading = ref('')
+type LoginSSOProvider = Required<Pick<HandlersSsoProviderResponse, 'id' | 'name' | 'type'>>
+
+const ssoProviders = ref<LoginSSOProvider[]>([])
+
+async function loadSSOProviders() {
+  const { data } = await getAuthSsoProviders()
+  ssoProviders.value = (data.items ?? [])
+    .filter((item): item is LoginSSOProvider => Boolean(item.id && item.name && item.type))
+}
+
+async function startSSO(providerID: string) {
+  try {
+    ssoLoading.value = providerID
+    const provider = ssoProviders.value.find((item) => item.id === providerID)
+    if (!provider) throw new Error(t('auth.loginFailed'))
+    if (provider.type === 'saml') {
+      window.location.href = `/api/auth/sso/${encodeURIComponent(providerID)}/saml/start`
+      return
+    }
+    const { data } = await getAuthSsoByProviderIdStart({ path: { provider_id: providerID } })
+    if (!data?.redirect_url) throw new Error(t('auth.loginFailed'))
+    window.location.href = data.redirect_url
+  } catch {
+    toast.error(t('auth.loginFailed'))
+  } finally {
+    ssoLoading.value = ''
+  }
+}
 
 const login = form.handleSubmit(async (values) => {
   try {
@@ -185,7 +229,6 @@ const login = form.handleSubmit(async (values) => {
         id: data.user_id,
         username: data.username,
         displayName: data.display_name ?? '',
-        role: data.role ?? '',
         avatarUrl: data.avatar_url ?? '',
         timezone: data.timezone ?? 'UTC',
       }, data.access_token)
@@ -201,4 +244,8 @@ const login = form.handleSubmit(async (values) => {
     loading.value = false
   }
 })
+
+onMounted(() => {
+  void loadSSOProviders()
+})
 </script>
diff --git a/apps/web/src/pages/login/sso-callback.vue b/apps/web/src/pages/login/sso-callback.vue
new file mode 100644
index 000000000..26d3bdc93
--- /dev/null
+++ b/apps/web/src/pages/login/sso-callback.vue
@@ -0,0 +1,41 @@
+<template>
+  <main class="w-screen h-screen flex items-center justify-center bg-background p-4">
+    <Spinner />
+  </main>
+</template>
+
+<script setup lang="ts">
+import { Spinner } from '@memohai/ui'
+import { onMounted } from 'vue'
+import { useRouter } from 'vue-router'
+import { toast } from 'vue-sonner'
+import { useUserStore } from '@/store/user'
+import { postAuthSsoExchange } from '@memohai/sdk'
+
+const router = useRouter()
+const { login } = useUserStore()
+
+onMounted(async () => {
+  const code = new URLSearchParams(window.location.search).get('code')?.trim()
+  if (!code) {
+    toast.error('SSO login failed')
+    await router.replace({ name: 'Login' })
+    return
+  }
+
+  const { data } = await postAuthSsoExchange({ body: { code } })
+  if (!data?.access_token || !data.user_id) {
+    toast.error('SSO login failed')
+    await router.replace({ name: 'Login' })
+    return
+  }
+  login({
+    id: data.user_id,
+    username: data.username ?? '',
+    displayName: data.display_name ?? '',
+    avatarUrl: data.avatar_url ?? '',
+    timezone: data.timezone ?? 'UTC',
+  }, data.access_token)
+  await router.replace({ path: '/' })
+})
+</script>
diff --git a/apps/web/src/pages/profile/index.vue b/apps/web/src/pages/profile/index.vue
index d6741ffbd..33f70e2c5 100644
--- a/apps/web/src/pages/profile/index.vue
+++ b/apps/web/src/pages/profile/index.vue
@@ -249,7 +249,6 @@ async function loadMyAccount() {
   patchUserInfo({
     id: data.id,
     username: data.username,
-    role: data.role,
     displayName: data.display_name || '',
     avatarUrl: data.avatar_url || '',
     timezone: data.timezone || 'UTC',
diff --git a/apps/web/src/router.ts b/apps/web/src/router.ts
index 926bae497..db67a2ecd 100644
--- a/apps/web/src/router.ts
+++ b/apps/web/src/router.ts
@@ -121,6 +121,14 @@ const routes = [
           breadcrumb: i18nRef('sidebar.browser'),
         },
       },
+      {
+        name: 'iam',
+        path: 'iam',
+        component: () => import('@/pages/iam/index.vue'),
+        meta: {
+          breadcrumb: i18nRef('sidebar.iam'),
+        },
+      },
       {
         name: 'usage',
         path: 'usage',
@@ -168,6 +176,11 @@ const routes = [
     path: '/login',
     component: () => import('@/pages/login/index.vue'),
   },
+  {
+    name: 'sso-callback',
+    path: '/login/sso/callback',
+    component: () => import('@/pages/login/sso-callback.vue'),
+  },
   {
     name: 'oauth-mcp-callback',
     path: '/oauth/mcp/callback',
@@ -200,6 +213,9 @@ router.beforeEach((to) => {
   if (to.fullPath === '/login') {
     return token ? { path: '/' } : true
   }
+  if (to.path === '/login/sso/callback') {
+    return true
+  }
   if (to.path.startsWith('/oauth/')) {
     return true
   }
diff --git a/apps/web/src/store/user.ts b/apps/web/src/store/user.ts
index d5b34846a..1077ddaeb 100644
--- a/apps/web/src/store/user.ts
+++ b/apps/web/src/store/user.ts
@@ -6,7 +6,6 @@ import { useRouter } from 'vue-router'
 export interface UserInfo {
   id: string;
   username: string;
-  role: string;
   displayName: string;
   avatarUrl: string;
   timezone: string;
@@ -18,7 +17,6 @@ export const useUserStore = defineStore(
     const userInfo = reactive<UserInfo>({
       id: '',
       username: '',
-      role: '',
       displayName: '',
       avatarUrl: '',
       timezone: 'UTC',
diff --git a/cmd/agent/app.go b/cmd/agent/app.go
index f9308dbb2..175c1b4ac 100644
--- a/cmd/agent/app.go
+++ b/cmd/agent/app.go
@@ -52,6 +52,7 @@ import (
 	"github.com/memohai/memoh/internal/conversation"
 	"github.com/memohai/memoh/internal/conversation/flow"
 	"github.com/memohai/memoh/internal/db"
+	"github.com/memohai/memoh/internal/db/postgres/sqlc"
 	postgresstore "github.com/memohai/memoh/internal/db/postgres/store"
 	sqlitestore "github.com/memohai/memoh/internal/db/sqlite/store"
 	dbstore "github.com/memohai/memoh/internal/db/store"
@@ -65,6 +66,8 @@ import (
 	mcpchecker "github.com/memohai/memoh/internal/healthcheck/checkers/mcp"
 	modelchecker "github.com/memohai/memoh/internal/healthcheck/checkers/model"
 	"github.com/memohai/memoh/internal/heartbeat"
+	"github.com/memohai/memoh/internal/iam/rbac"
+	"github.com/memohai/memoh/internal/iam/sso"
 	"github.com/memohai/memoh/internal/logger"
 	"github.com/memohai/memoh/internal/mcp"
 	mcpfederation "github.com/memohai/memoh/internal/mcp/sources/federation"
@@ -263,7 +266,7 @@ func provideMemoryLLM(modelsService *models.Service, settingsService *settings.S
 	}
 }
 
-func provideMemoryProviderRegistry(log *slog.Logger, llm memprovider.LLM, chatService *conversation.Service, accountService *accounts.Service, provider bridge.Provider, queries dbstore.Queries, cfg config.Config) *memprovider.Registry {
+func provideMemoryProviderRegistry(log *slog.Logger, llm memprovider.LLM, chatService *conversation.Service, rbacService *rbac.Service, provider bridge.Provider, queries dbstore.Queries, cfg config.Config) *memprovider.Registry {
 	registry := memprovider.NewRegistry(log)
 	fileRuntime := handlers.NewBuiltinMemoryRuntime(provider)
 	fileStore := storefs.New(log, provider)
@@ -272,7 +275,7 @@ func provideMemoryProviderRegistry(log *slog.Logger, llm memprovider.LLM, chatSe
 		if err != nil {
 			return nil, err
 		}
-		p := membuiltin.NewBuiltinProvider(log, runtime, chatService, accountService)
+		p := membuiltin.NewBuiltinProvider(log, runtime, chatService, rbacService)
 		p.SetLLM(llm)
 		p.ApplyProviderConfig(providerConfig)
 		return p, nil
@@ -283,7 +286,7 @@ func provideMemoryProviderRegistry(log *slog.Logger, llm memprovider.LLM, chatSe
 	registry.RegisterFactory(string(memprovider.ProviderOpenViking), func(_ string, providerConfig map[string]any) (memprovider.Provider, error) {
 		return memopenviking.NewOpenVikingProvider(log, providerConfig)
 	})
-	defaultProvider := membuiltin.NewBuiltinProvider(log, fileRuntime, chatService, accountService)
+	defaultProvider := membuiltin.NewBuiltinProvider(log, fileRuntime, chatService, rbacService)
 	defaultProvider.SetLLM(llm)
 	registry.Register("__builtin_default__", defaultProvider)
 	return registry
@@ -598,14 +601,22 @@ func provideMemoryHandler(log *slog.Logger, botService *bots.Service, accountSer
 	return h
 }
 
-func provideAuthHandler(log *slog.Logger, accountService *accounts.Service, rc *boot.RuntimeConfig) *handlers.AuthHandler {
-	return handlers.NewAuthHandler(log, accountService, rc.JwtSecret, rc.JwtExpiresIn)
+func provideAuthHandler(log *slog.Logger, accountService *accounts.Service, queries dbstore.Queries, rc *boot.RuntimeConfig) *handlers.AuthHandler {
+	h := handlers.NewAuthHandler(log, accountService, rc.JwtSecret, rc.JwtExpiresIn)
+	h.SetSessionStore(handlers.NewDBAuthSessionStore(queries))
+	h.SetSSOService(sso.NewAuthService(queries, rc.JwtExpiresIn, "/login/sso/callback"))
+	return h
+}
+
+func provideRBACService(queries dbstore.Queries) *rbac.Service {
+	return rbac.NewService(rbac.NewSQLStore(queries))
 }
 
-func provideMessageHandler(log *slog.Logger, chatService *conversation.Service, msgService *message.DBService, mediaService *media.Service, botService *bots.Service, accountService *accounts.Service, hub *event.Hub, toolApproval *toolapproval.Service) *handlers.MessageHandler {
+func provideMessageHandler(log *slog.Logger, chatService *conversation.Service, msgService *message.DBService, mediaService *media.Service, botService *bots.Service, accountService *accounts.Service, hub *event.Hub, toolApproval *toolapproval.Service, rbacService *rbac.Service) *handlers.MessageHandler {
 	h := handlers.NewMessageHandler(log, chatService, msgService, botService, accountService, hub)
 	h.SetMediaService(mediaService)
 	h.SetToolApprovalService(toolApproval)
+	h.SetRBACService(rbacService)
 	return h
 }
 
@@ -624,8 +635,8 @@ func provideMediaService(log *slog.Logger, provider bridge.Provider, cfg config.
 	return media.NewService(log, storageProvider)
 }
 
-func provideUsersHandler(log *slog.Logger, accountService *accounts.Service, identityService *identities.Service, botService *bots.Service, routeService *route.DBService, channelStore *channel.Store, channelLifecycle *channel.Lifecycle, channelManager *channel.Manager, registry *channel.Registry) *handlers.UsersHandler {
-	return handlers.NewUsersHandler(log, accountService, identityService, botService, routeService, channelStore, channelLifecycle, channelManager, registry)
+func provideUsersHandler(log *slog.Logger, accountService *accounts.Service, identityService *identities.Service, botService *bots.Service, routeService *route.DBService, channelStore *channel.Store, channelLifecycle *channel.Lifecycle, channelManager *channel.Manager, registry *channel.Registry, rbacService *rbac.Service) *handlers.UsersHandler {
+	return handlers.NewUsersHandler(log, accountService, identityService, botService, routeService, channelStore, channelLifecycle, channelManager, registry, rbacService)
 }
 
 func provideWebHandler(channelManager *channel.Manager, channelStore *channel.Store, chatService *conversation.Service, hub *local.RouteHub, botService *bots.Service, accountService *accounts.Service, resolver *flow.Resolver, mediaService *media.Service, audioService *audiopkg.Service, settingsService *settings.Service) *handlers.LocalChannelHandler {
@@ -932,14 +943,15 @@ func startContainerReconciliation(lc fx.Lifecycle, manager *workspace.Manager, _
 	})
 }
 
-func startServer(lc fx.Lifecycle, logger *slog.Logger, srv *server.Server, shutdowner fx.Shutdowner, cfg config.Config, queries dbstore.Queries, accountStore dbstore.AccountStore, botService *bots.Service, _ *handlers.ContainerdHandler, manager *workspace.Manager, mcpConnService *mcp.ConnectionService, toolGateway *mcp.ToolGatewayService, channelManager *channel.Manager, modelsService *models.Service) {
+func startServer(lc fx.Lifecycle, logger *slog.Logger, srv *server.Server, shutdowner fx.Shutdowner, cfg config.Config, queries dbstore.Queries, accountStore dbstore.AccountStore, botService *bots.Service, rbacService *rbac.Service, _ *handlers.ContainerdHandler, manager *workspace.Manager, mcpConnService *mcp.ConnectionService, toolGateway *mcp.ToolGatewayService, channelManager *channel.Manager, modelsService *models.Service) {
 	fmt.Printf("Starting Memoh Agent %s\n", version.GetInfo())
 
 	lc.Append(fx.Hook{
 		OnStart: func(ctx context.Context) error {
-			if err := ensureAdminUser(ctx, logger, accountStore, cfg); err != nil {
+			if err := ensureAdminUser(ctx, logger, queries, accountStore, cfg); err != nil {
 				return err
 			}
+			botService.SetRBACService(rbacService)
 			botService.SetContainerLifecycle(manager)
 			botService.SetContainerReachability(func(ctx context.Context, botID string) error {
 				_, err := manager.MCPClient(ctx, botID)
@@ -972,7 +984,7 @@ func startServer(lc fx.Lifecycle, logger *slog.Logger, srv *server.Server, shutd
 	})
 }
 
-func ensureAdminUser(ctx context.Context, log *slog.Logger, accountStore dbstore.AccountStore, cfg config.Config) error {
+func ensureAdminUser(ctx context.Context, log *slog.Logger, queries dbstore.Queries, accountStore dbstore.AccountStore, cfg config.Config) error {
 	if accountStore == nil {
 		return errors.New("account store not configured")
 	}
@@ -1012,7 +1024,6 @@ func ensureAdminUser(ctx context.Context, log *slog.Logger, accountStore dbstore
 		Username:     username,
 		Email:        email,
 		PasswordHash: string(hashed),
-		Role:         "admin",
 		DisplayName:  username,
 		IsActive:     true,
 		DataRoot:     cfg.Workspace.DataRoot,
@@ -1020,6 +1031,25 @@ func ensureAdminUser(ctx context.Context, log *slog.Logger, accountStore dbstore
 	if err != nil {
 		return err
 	}
+	if queries != nil {
+		role, err := queries.GetRoleByKey(ctx, string(rbac.RoleAdmin))
+		if err != nil {
+			return fmt.Errorf("get admin role: %w", err)
+		}
+		userID, err := db.ParseUUID(user.ID)
+		if err != nil {
+			return err
+		}
+		if _, err := queries.AssignPrincipalRole(ctx, sqlc.AssignPrincipalRoleParams{
+			PrincipalType: string(rbac.PrincipalUser),
+			PrincipalID:   userID,
+			RoleID:        role.ID,
+			ResourceType:  string(rbac.ResourceSystem),
+			Source:        string(rbac.SourceSystem),
+		}); err != nil {
+			return fmt.Errorf("assign admin role: %w", err)
+		}
+	}
 	log.Info("Admin user created", slog.String("username", username))
 	return nil
 }
diff --git a/cmd/agent/module.go b/cmd/agent/module.go
index 4cbdd7f93..2b6b56292 100644
--- a/cmd/agent/module.go
+++ b/cmd/agent/module.go
@@ -60,6 +60,7 @@ func options() fx.Option {
 			provideMemoryProviderRegistry,
 			models.NewService,
 			bots.NewService,
+			provideRBACService,
 			accounts.NewService,
 			acl.NewService,
 			settings.NewService,
@@ -130,6 +131,7 @@ func options() fx.Option {
 			provideServerHandler(handlers.NewChannelHandler),
 			provideServerHandler(channel.NewWebhookServerHandler),
 			provideServerHandler(weixin.NewQRServerHandler),
+			provideServerHandler(handlers.NewIAMHandler),
 			provideServerHandler(provideUsersHandler),
 			provideServerHandler(handlers.NewMemoryProvidersHandler),
 			provideServerHandler(handlers.NewNetworkHandler),
diff --git a/db/postgres/migrations/0077_iam_sso_rbac.down.sql b/db/postgres/migrations/0077_iam_sso_rbac.down.sql
new file mode 100644
index 000000000..a2e626052
--- /dev/null
+++ b/db/postgres/migrations/0077_iam_sso_rbac.down.sql
@@ -0,0 +1,64 @@
+-- 0077_iam_sso_rbac
+-- Roll back IAM SSO RBAC schema to the legacy users/password_hash/role model.
+
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'user_role') THEN
+    CREATE TYPE user_role AS ENUM ('member', 'admin');
+  END IF;
+END
+$$;
+
+ALTER TABLE iam_users ADD COLUMN IF NOT EXISTS password_hash TEXT;
+ALTER TABLE iam_users ADD COLUMN IF NOT EXISTS role user_role NOT NULL DEFAULT 'member';
+
+UPDATE iam_users u
+SET password_hash = i.credential_secret
+FROM iam_identities i
+WHERE i.user_id = u.id
+  AND i.provider_type = 'password'
+  AND i.credential_secret IS NOT NULL;
+
+UPDATE iam_users u
+SET role = 'admin'::user_role
+FROM iam_principal_roles pr
+JOIN iam_roles r ON r.id = pr.role_id
+WHERE pr.principal_type = 'user'
+  AND pr.principal_id = u.id
+  AND pr.resource_type = 'system'
+  AND pr.resource_id IS NULL
+  AND r.key = 'admin';
+
+DROP TABLE IF EXISTS iam_sso_group_mappings;
+DROP TABLE IF EXISTS iam_principal_roles;
+DROP TABLE IF EXISTS iam_role_permissions;
+DROP TABLE IF EXISTS iam_group_members;
+DROP TABLE IF EXISTS iam_login_codes;
+DROP TABLE IF EXISTS iam_sessions;
+DROP TABLE IF EXISTS iam_identities;
+DROP TABLE IF EXISTS iam_groups;
+DROP TABLE IF EXISTS iam_roles;
+DROP TABLE IF EXISTS iam_permissions;
+DROP TABLE IF EXISTS iam_sso_providers;
+
+DROP INDEX IF EXISTS idx_iam_users_email_unique;
+DROP INDEX IF EXISTS idx_iam_users_username_unique;
+
+ALTER TABLE iam_users ADD CONSTRAINT users_email_unique UNIQUE (email);
+ALTER TABLE iam_users RENAME CONSTRAINT iam_users_username_unique TO users_username_unique;
+
+ALTER TABLE iam_user_provider_oauth_tokens RENAME CONSTRAINT iam_user_provider_oauth_tokens_provider_user_unique TO user_provider_oauth_tokens_provider_user_unique;
+ALTER TABLE iam_channel_identity_bind_codes RENAME CONSTRAINT iam_channel_identity_bind_codes_token_unique TO channel_identity_bind_codes_token_unique;
+ALTER TABLE iam_user_channel_bindings RENAME CONSTRAINT iam_user_channel_bindings_unique TO user_channel_bindings_unique;
+ALTER TABLE iam_channel_identities RENAME CONSTRAINT iam_channel_identities_channel_type_subject_unique TO channel_identities_channel_type_subject_unique;
+
+ALTER INDEX IF EXISTS idx_iam_user_provider_oauth_tokens_state RENAME TO idx_user_provider_oauth_tokens_state;
+ALTER INDEX IF EXISTS idx_iam_channel_identity_bind_codes_channel_type RENAME TO idx_channel_identity_bind_codes_channel_type;
+ALTER INDEX IF EXISTS idx_iam_user_channel_bindings_user_id RENAME TO idx_user_channel_bindings_user_id;
+ALTER INDEX IF EXISTS idx_iam_channel_identities_user_id RENAME TO idx_channel_identities_user_id;
+
+ALTER TABLE iam_user_provider_oauth_tokens RENAME TO user_provider_oauth_tokens;
+ALTER TABLE iam_channel_identity_bind_codes RENAME TO channel_identity_bind_codes;
+ALTER TABLE iam_user_channel_bindings RENAME TO user_channel_bindings;
+ALTER TABLE iam_channel_identities RENAME TO channel_identities;
+ALTER TABLE iam_users RENAME TO users;
diff --git a/db/postgres/migrations/0077_iam_sso_rbac.up.sql b/db/postgres/migrations/0077_iam_sso_rbac.up.sql
new file mode 100644
index 000000000..e134ba58f
--- /dev/null
+++ b/db/postgres/migrations/0077_iam_sso_rbac.up.sql
@@ -0,0 +1,304 @@
+-- 0077_iam_sso_rbac
+-- Introduce IAM identities, sessions, SSO providers, groups, and RBAC assignments.
+
+ALTER TABLE IF EXISTS users RENAME TO iam_users;
+ALTER TABLE IF EXISTS channel_identities RENAME TO iam_channel_identities;
+ALTER TABLE IF EXISTS user_channel_bindings RENAME TO iam_user_channel_bindings;
+ALTER TABLE IF EXISTS channel_identity_bind_codes RENAME TO iam_channel_identity_bind_codes;
+ALTER TABLE IF EXISTS user_provider_oauth_tokens RENAME TO iam_user_provider_oauth_tokens;
+
+ALTER INDEX IF EXISTS idx_channel_identities_user_id RENAME TO idx_iam_channel_identities_user_id;
+ALTER INDEX IF EXISTS idx_user_channel_bindings_user_id RENAME TO idx_iam_user_channel_bindings_user_id;
+ALTER INDEX IF EXISTS idx_channel_identity_bind_codes_channel_type RENAME TO idx_iam_channel_identity_bind_codes_channel_type;
+ALTER INDEX IF EXISTS idx_user_provider_oauth_tokens_state RENAME TO idx_iam_user_provider_oauth_tokens_state;
+
+DO $$
+BEGIN
+  IF EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'users_email_unique') THEN
+    ALTER TABLE iam_users RENAME CONSTRAINT users_email_unique TO iam_users_email_unique;
+  END IF;
+  IF EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'users_username_unique') THEN
+    ALTER TABLE iam_users RENAME CONSTRAINT users_username_unique TO iam_users_username_unique;
+  END IF;
+  IF EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'channel_identities_channel_type_subject_unique') THEN
+    ALTER TABLE iam_channel_identities RENAME CONSTRAINT channel_identities_channel_type_subject_unique TO iam_channel_identities_channel_type_subject_unique;
+  END IF;
+  IF EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'user_channel_bindings_unique') THEN
+    ALTER TABLE iam_user_channel_bindings RENAME CONSTRAINT user_channel_bindings_unique TO iam_user_channel_bindings_unique;
+  END IF;
+  IF EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'channel_identity_bind_codes_token_unique') THEN
+    ALTER TABLE iam_channel_identity_bind_codes RENAME CONSTRAINT channel_identity_bind_codes_token_unique TO iam_channel_identity_bind_codes_token_unique;
+  END IF;
+  IF EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'user_provider_oauth_tokens_provider_user_unique') THEN
+    ALTER TABLE iam_user_provider_oauth_tokens RENAME CONSTRAINT user_provider_oauth_tokens_provider_user_unique TO iam_user_provider_oauth_tokens_provider_user_unique;
+  END IF;
+END
+$$;
+
+ALTER TABLE iam_users DROP CONSTRAINT IF EXISTS iam_users_email_unique;
+CREATE UNIQUE INDEX IF NOT EXISTS idx_iam_users_email_unique
+  ON iam_users(email)
+  WHERE email IS NOT NULL AND email <> '';
+CREATE UNIQUE INDEX IF NOT EXISTS idx_iam_users_username_unique
+  ON iam_users(username)
+  WHERE username IS NOT NULL AND username <> '';
+
+CREATE TABLE IF NOT EXISTS iam_sso_providers (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  type TEXT NOT NULL,
+  key TEXT NOT NULL,
+  name TEXT NOT NULL,
+  enabled BOOLEAN NOT NULL DEFAULT true,
+  config JSONB NOT NULL DEFAULT '{}'::jsonb,
+  attribute_mapping JSONB NOT NULL DEFAULT '{}'::jsonb,
+  jit_enabled BOOLEAN NOT NULL DEFAULT true,
+  email_linking_policy TEXT NOT NULL DEFAULT 'link_existing',
+  trust_email BOOLEAN NOT NULL DEFAULT false,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_sso_providers_type_check CHECK (type IN ('oidc', 'saml')),
+  CONSTRAINT iam_sso_providers_key_unique UNIQUE (key),
+  CONSTRAINT iam_sso_providers_email_linking_policy_check CHECK (email_linking_policy IN ('link_existing', 'reject_existing'))
+);
+
+CREATE TABLE IF NOT EXISTS iam_identities (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES iam_users(id) ON DELETE CASCADE,
+  provider_type TEXT NOT NULL,
+  provider_id UUID REFERENCES iam_sso_providers(id) ON DELETE CASCADE,
+  subject TEXT NOT NULL,
+  credential_secret TEXT,
+  email TEXT,
+  username TEXT,
+  display_name TEXT,
+  avatar_url TEXT,
+  raw_claims JSONB NOT NULL DEFAULT '{}'::jsonb,
+  last_login_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_identities_provider_type_check CHECK (provider_type IN ('password', 'oidc', 'saml', 'channel')),
+  CONSTRAINT iam_identities_password_provider_check CHECK (
+    (provider_type = 'password' AND provider_id IS NULL AND credential_secret IS NOT NULL)
+    OR provider_type <> 'password'
+  ),
+  CONSTRAINT iam_identities_provider_subject_unique UNIQUE NULLS NOT DISTINCT (provider_type, provider_id, subject)
+);
+CREATE INDEX IF NOT EXISTS idx_iam_identities_user_id ON iam_identities(user_id);
+CREATE INDEX IF NOT EXISTS idx_iam_identities_email ON iam_identities(email) WHERE email IS NOT NULL AND email <> '';
+
+CREATE TABLE IF NOT EXISTS iam_sessions (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES iam_users(id) ON DELETE CASCADE,
+  identity_id UUID REFERENCES iam_identities(id) ON DELETE SET NULL,
+  issued_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  expires_at TIMESTAMPTZ NOT NULL,
+  revoked_at TIMESTAMPTZ,
+  ip_address TEXT,
+  user_agent TEXT,
+  metadata JSONB NOT NULL DEFAULT '{}'::jsonb,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+CREATE INDEX IF NOT EXISTS idx_iam_sessions_user_id ON iam_sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_iam_sessions_active ON iam_sessions(user_id, expires_at) WHERE revoked_at IS NULL;
+
+CREATE TABLE IF NOT EXISTS iam_login_codes (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  code_hash TEXT NOT NULL,
+  user_id UUID NOT NULL REFERENCES iam_users(id) ON DELETE CASCADE,
+  identity_id UUID REFERENCES iam_identities(id) ON DELETE SET NULL,
+  session_id UUID NOT NULL REFERENCES iam_sessions(id) ON DELETE CASCADE,
+  expires_at TIMESTAMPTZ NOT NULL,
+  used_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_login_codes_code_hash_unique UNIQUE (code_hash)
+);
+CREATE INDEX IF NOT EXISTS idx_iam_login_codes_expires_at ON iam_login_codes(expires_at);
+
+CREATE TABLE IF NOT EXISTS iam_groups (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  key TEXT NOT NULL,
+  display_name TEXT NOT NULL DEFAULT '',
+  source TEXT NOT NULL DEFAULT 'local',
+  external_id TEXT,
+  metadata JSONB NOT NULL DEFAULT '{}'::jsonb,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_groups_key_unique UNIQUE (key),
+  CONSTRAINT iam_groups_source_check CHECK (source IN ('local', 'sso', 'scim'))
+);
+
+CREATE TABLE IF NOT EXISTS iam_group_members (
+  user_id UUID NOT NULL REFERENCES iam_users(id) ON DELETE CASCADE,
+  group_id UUID NOT NULL REFERENCES iam_groups(id) ON DELETE CASCADE,
+  source TEXT NOT NULL DEFAULT 'manual',
+  provider_id UUID REFERENCES iam_sso_providers(id) ON DELETE CASCADE,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_group_members_source_check CHECK (source IN ('manual', 'sso', 'scim')),
+  CONSTRAINT iam_group_members_unique UNIQUE NULLS NOT DISTINCT (user_id, group_id, source, provider_id)
+);
+CREATE INDEX IF NOT EXISTS idx_iam_group_members_user_id ON iam_group_members(user_id);
+CREATE INDEX IF NOT EXISTS idx_iam_group_members_group_id ON iam_group_members(group_id);
+
+CREATE TABLE IF NOT EXISTS iam_permissions (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  key TEXT NOT NULL,
+  description TEXT NOT NULL DEFAULT '',
+  is_system BOOLEAN NOT NULL DEFAULT true,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_permissions_key_unique UNIQUE (key)
+);
+
+CREATE TABLE IF NOT EXISTS iam_roles (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  key TEXT NOT NULL,
+  scope TEXT NOT NULL,
+  description TEXT NOT NULL DEFAULT '',
+  is_system BOOLEAN NOT NULL DEFAULT false,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_roles_key_unique UNIQUE (key),
+  CONSTRAINT iam_roles_scope_check CHECK (scope IN ('system', 'bot'))
+);
+
+CREATE TABLE IF NOT EXISTS iam_role_permissions (
+  role_id UUID NOT NULL REFERENCES iam_roles(id) ON DELETE CASCADE,
+  permission_id UUID NOT NULL REFERENCES iam_permissions(id) ON DELETE CASCADE,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  PRIMARY KEY (role_id, permission_id)
+);
+
+CREATE TABLE IF NOT EXISTS iam_principal_roles (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  principal_type TEXT NOT NULL,
+  principal_id UUID NOT NULL,
+  role_id UUID NOT NULL REFERENCES iam_roles(id) ON DELETE CASCADE,
+  resource_type TEXT NOT NULL,
+  resource_id UUID,
+  source TEXT NOT NULL DEFAULT 'manual',
+  provider_id UUID REFERENCES iam_sso_providers(id) ON DELETE SET NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_principal_roles_principal_type_check CHECK (principal_type IN ('user', 'group')),
+  CONSTRAINT iam_principal_roles_resource_type_check CHECK (resource_type IN ('system', 'bot')),
+  CONSTRAINT iam_principal_roles_source_check CHECK (source IN ('system', 'manual', 'sso', 'scim')),
+  CONSTRAINT iam_principal_roles_resource_id_check CHECK (
+    (resource_type = 'system' AND resource_id IS NULL)
+    OR resource_type = 'bot'
+  ),
+  CONSTRAINT iam_principal_roles_unique UNIQUE NULLS NOT DISTINCT (
+    principal_type, principal_id, role_id, resource_type, resource_id, source, provider_id
+  )
+);
+CREATE INDEX IF NOT EXISTS idx_iam_principal_roles_user ON iam_principal_roles(principal_id) WHERE principal_type = 'user';
+CREATE INDEX IF NOT EXISTS idx_iam_principal_roles_group ON iam_principal_roles(principal_id) WHERE principal_type = 'group';
+CREATE INDEX IF NOT EXISTS idx_iam_principal_roles_resource ON iam_principal_roles(resource_type, resource_id);
+
+CREATE TABLE IF NOT EXISTS iam_sso_group_mappings (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  provider_id UUID NOT NULL REFERENCES iam_sso_providers(id) ON DELETE CASCADE,
+  external_group TEXT NOT NULL,
+  group_id UUID NOT NULL REFERENCES iam_groups(id) ON DELETE CASCADE,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+  CONSTRAINT iam_sso_group_mappings_unique UNIQUE (provider_id, external_group)
+);
+CREATE INDEX IF NOT EXISTS idx_iam_sso_group_mappings_group_id ON iam_sso_group_mappings(group_id);
+
+INSERT INTO iam_permissions (key, description, is_system)
+VALUES
+  ('system.login', 'Log in to the system', true),
+  ('system.admin', 'Administer the system', true),
+  ('bot.read', 'Read bot data', true),
+  ('bot.chat', 'Chat with bot', true),
+  ('bot.update', 'Update bot configuration', true),
+  ('bot.delete', 'Delete bot', true),
+  ('bot.permissions.manage', 'Manage bot permissions', true)
+ON CONFLICT (key) DO NOTHING;
+
+INSERT INTO iam_roles (key, scope, description, is_system)
+VALUES
+  ('member', 'system', 'Default authenticated user', true),
+  ('admin', 'system', 'System administrator', true),
+  ('bot_viewer', 'bot', 'Bot viewer', true),
+  ('bot_operator', 'bot', 'Bot operator', true),
+  ('bot_owner', 'bot', 'Bot owner', true)
+ON CONFLICT (key) DO NOTHING;
+
+INSERT INTO iam_role_permissions (role_id, permission_id)
+SELECT r.id, p.id
+FROM iam_roles r
+JOIN iam_permissions p ON (
+  (r.key = 'member' AND p.key IN ('system.login')) OR
+  (r.key = 'admin' AND p.key IN ('system.login', 'system.admin')) OR
+  (r.key = 'bot_viewer' AND p.key IN ('bot.read', 'bot.chat')) OR
+  (r.key = 'bot_operator' AND p.key IN ('bot.read', 'bot.chat', 'bot.update')) OR
+  (r.key = 'bot_owner' AND p.key IN ('bot.read', 'bot.chat', 'bot.update', 'bot.delete', 'bot.permissions.manage'))
+)
+ON CONFLICT DO NOTHING;
+
+DO $$
+BEGIN
+  IF EXISTS (
+    SELECT 1 FROM information_schema.columns
+    WHERE table_name = 'iam_users' AND column_name = 'password_hash'
+  ) THEN
+    EXECUTE $migrate_password$
+      INSERT INTO iam_identities (
+        user_id, provider_type, provider_id, subject, credential_secret, email, username,
+        display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+      )
+      SELECT
+        id,
+        'password',
+        NULL,
+        lower(username),
+        password_hash,
+        email,
+        username,
+        display_name,
+        avatar_url,
+        '{}'::jsonb,
+        last_login_at,
+        created_at,
+        updated_at
+      FROM iam_users
+      WHERE username IS NOT NULL AND username <> ''
+        AND password_hash IS NOT NULL AND password_hash <> ''
+      ON CONFLICT DO NOTHING
+    $migrate_password$;
+  END IF;
+
+  IF EXISTS (
+    SELECT 1 FROM information_schema.columns
+    WHERE table_name = 'iam_users' AND column_name = 'role'
+  ) THEN
+    EXECUTE $migrate_roles$
+      INSERT INTO iam_principal_roles (principal_type, principal_id, role_id, resource_type, resource_id, source)
+      SELECT 'user', u.id, r.id, 'system', NULL, 'system'
+      FROM iam_users u
+      JOIN iam_roles r ON r.key = CASE WHEN u.role::text = 'admin' THEN 'admin' ELSE 'member' END
+      ON CONFLICT DO NOTHING
+    $migrate_roles$;
+  ELSE
+    INSERT INTO iam_principal_roles (principal_type, principal_id, role_id, resource_type, resource_id, source)
+    SELECT 'user', u.id, r.id, 'system', NULL, 'system'
+    FROM iam_users u
+    JOIN iam_roles r ON r.key = 'member'
+    ON CONFLICT DO NOTHING;
+  END IF;
+END
+$$;
+
+INSERT INTO iam_principal_roles (principal_type, principal_id, role_id, resource_type, resource_id, source)
+SELECT 'user', b.owner_user_id, r.id, 'bot', b.id, 'system'
+FROM bots b
+JOIN iam_roles r ON r.key = 'bot_owner'
+WHERE b.owner_user_id IS NOT NULL
+ON CONFLICT DO NOTHING;
+
+ALTER TABLE iam_users DROP COLUMN IF EXISTS password_hash;
+ALTER TABLE iam_users DROP COLUMN IF EXISTS role;
+DROP TYPE IF EXISTS user_role;
diff --git a/db/postgres/queries/acl.sql b/db/postgres/queries/acl.sql
index 5b78caa7f..f98c0f1a7 100644
--- a/db/postgres/queries/acl.sql
+++ b/db/postgres/queries/acl.sql
@@ -50,8 +50,8 @@ SELECT
   linked.display_name AS linked_user_display_name,
   linked.avatar_url AS linked_user_avatar_url
 FROM bot_acl_rules r
-LEFT JOIN channel_identities ci ON ci.id = r.channel_identity_id
-LEFT JOIN users linked ON linked.id = ci.user_id
+LEFT JOIN iam_channel_identities ci ON ci.id = r.channel_identity_id
+LEFT JOIN iam_users linked ON linked.id = ci.user_id
 WHERE r.bot_id = $1
   AND r.action = 'chat.trigger'
 ORDER BY r.priority ASC, r.created_at ASC;
diff --git a/db/postgres/queries/bind.sql b/db/postgres/queries/bind.sql
index a2f30218d..f9790b3d3 100644
--- a/db/postgres/queries/bind.sql
+++ b/db/postgres/queries/bind.sql
@@ -1,21 +1,21 @@
 -- name: CreateBindCode :one
-INSERT INTO channel_identity_bind_codes (token, issued_by_user_id, channel_type, expires_at)
+INSERT INTO iam_channel_identity_bind_codes (token, issued_by_user_id, channel_type, expires_at)
 VALUES ($1, $2, $3, $4)
 RETURNING id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at;
 
 -- name: GetBindCode :one
 SELECT id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
-FROM channel_identity_bind_codes
+FROM iam_channel_identity_bind_codes
 WHERE token = $1;
 
 -- name: GetBindCodeForUpdate :one
 SELECT id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
-FROM channel_identity_bind_codes
+FROM iam_channel_identity_bind_codes
 WHERE token = $1
 FOR UPDATE;
 
 -- name: MarkBindCodeUsed :one
-UPDATE channel_identity_bind_codes
+UPDATE iam_channel_identity_bind_codes
 SET used_at = now(), used_by_channel_identity_id = $2
 WHERE id = $1
   AND used_at IS NULL
diff --git a/db/postgres/queries/channel_identities.sql b/db/postgres/queries/channel_identities.sql
index cef7e9095..0660d2d56 100644
--- a/db/postgres/queries/channel_identities.sql
+++ b/db/postgres/queries/channel_identities.sql
@@ -1,39 +1,39 @@
 -- name: CreateChannelIdentity :one
-INSERT INTO channel_identities (user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
+INSERT INTO iam_channel_identities (user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
 VALUES ($1, $2, $3, $4, $5, $6)
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at;
 
 -- name: GetChannelIdentityByID :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE id = $1;
 
 -- name: GetChannelIdentityByIDForUpdate :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE id = $1
 FOR UPDATE;
 
 -- name: GetChannelIdentityByChannelSubject :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE channel_type = $1 AND channel_subject_id = $2;
 
 -- name: UpsertChannelIdentityByChannelSubject :one
-INSERT INTO channel_identities (user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
+INSERT INTO iam_channel_identities (user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
 VALUES ($1, $2, $3, $4, $5, $6)
 ON CONFLICT (channel_type, channel_subject_id)
 DO UPDATE SET
-  display_name = COALESCE(NULLIF(EXCLUDED.display_name, ''), channel_identities.display_name),
-  avatar_url = COALESCE(NULLIF(EXCLUDED.avatar_url, ''), channel_identities.avatar_url),
+  display_name = COALESCE(NULLIF(EXCLUDED.display_name, ''), iam_channel_identities.display_name),
+  avatar_url = COALESCE(NULLIF(EXCLUDED.avatar_url, ''), iam_channel_identities.avatar_url),
   metadata = EXCLUDED.metadata,
-  user_id = COALESCE(channel_identities.user_id, EXCLUDED.user_id),
+  user_id = COALESCE(iam_channel_identities.user_id, EXCLUDED.user_id),
   updated_at = now()
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at;
 
 -- name: ListChannelIdentitiesByUserID :many
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE user_id = $1
 ORDER BY created_at DESC;
 
@@ -51,8 +51,8 @@ SELECT
   u.username AS linked_username,
   u.display_name AS linked_display_name,
   u.avatar_url AS linked_avatar_url
-FROM channel_identities ci
-LEFT JOIN users u ON u.id = ci.user_id
+FROM iam_channel_identities ci
+LEFT JOIN iam_users u ON u.id = ci.user_id
 WHERE
   sqlc.arg(query)::text = ''
   OR ci.channel_type ILIKE '%' || sqlc.arg(query)::text || '%'
@@ -64,7 +64,7 @@ ORDER BY ci.updated_at DESC
 LIMIT sqlc.arg(limit_count);
 
 -- name: SetChannelIdentityLinkedUser :one
-UPDATE channel_identities
+UPDATE iam_channel_identities
 SET user_id = $2, updated_at = now()
 WHERE id = $1
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at;
diff --git a/db/postgres/queries/channels.sql b/db/postgres/queries/channels.sql
index 8269370ef..4b5b4cd0c 100644
--- a/db/postgres/queries/channels.sql
+++ b/db/postgres/queries/channels.sql
@@ -55,12 +55,12 @@ ORDER BY created_at DESC;
 
 -- name: GetUserChannelBinding :one
 SELECT id, user_id, channel_type, config, created_at, updated_at
-FROM user_channel_bindings
+FROM iam_user_channel_bindings
 WHERE user_id = $1 AND channel_type = $2
 LIMIT 1;
 
 -- name: UpsertUserChannelBinding :one
-INSERT INTO user_channel_bindings (user_id, channel_type, config)
+INSERT INTO iam_user_channel_bindings (user_id, channel_type, config)
 VALUES ($1, $2, $3)
 ON CONFLICT (user_id, channel_type)
 DO UPDATE SET
@@ -70,6 +70,6 @@ RETURNING id, user_id, channel_type, config, created_at, updated_at;
 
 -- name: ListUserChannelBindingsByPlatform :many
 SELECT id, user_id, channel_type, config, created_at, updated_at
-FROM user_channel_bindings
+FROM iam_user_channel_bindings
 WHERE channel_type = $1
 ORDER BY created_at DESC;
diff --git a/db/postgres/queries/iam.sql b/db/postgres/queries/iam.sql
new file mode 100644
index 000000000..bc4cdd916
--- /dev/null
+++ b/db/postgres/queries/iam.sql
@@ -0,0 +1,282 @@
+-- name: CreatePasswordIdentity :one
+INSERT INTO iam_identities (
+  user_id, provider_type, provider_id, subject, credential_secret, email, username,
+  display_name, avatar_url, raw_claims
+)
+VALUES (
+  sqlc.arg(user_id), 'password', NULL, lower(sqlc.arg(subject)::text), sqlc.arg(credential_secret),
+  sqlc.narg(email), sqlc.narg(username), sqlc.narg(display_name), sqlc.narg(avatar_url), '{}'::jsonb
+)
+ON CONFLICT (provider_type, provider_id, subject) DO UPDATE SET
+  credential_secret = EXCLUDED.credential_secret,
+  email = EXCLUDED.email,
+  username = EXCLUDED.username,
+  display_name = EXCLUDED.display_name,
+  avatar_url = EXCLUDED.avatar_url,
+  updated_at = now()
+RETURNING *;
+
+-- name: GetIdentityByProviderSubject :one
+SELECT *
+FROM iam_identities
+WHERE provider_type = sqlc.arg(provider_type)
+  AND provider_id IS NOT DISTINCT FROM sqlc.narg(provider_id)::uuid
+  AND subject = sqlc.arg(subject);
+
+-- name: GetPasswordIdentityBySubject :one
+SELECT *
+FROM iam_identities
+WHERE provider_type = 'password'
+  AND subject = lower(sqlc.arg(subject)::text);
+
+-- name: UpsertExternalIdentity :one
+INSERT INTO iam_identities (
+  user_id, provider_type, provider_id, subject, email, username, display_name, avatar_url, raw_claims
+)
+VALUES (
+  sqlc.arg(user_id), sqlc.arg(provider_type), sqlc.arg(provider_id), sqlc.arg(subject),
+  sqlc.narg(email), sqlc.narg(username), sqlc.narg(display_name), sqlc.narg(avatar_url), sqlc.arg(raw_claims)
+)
+ON CONFLICT (provider_type, provider_id, subject) DO UPDATE SET
+  user_id = EXCLUDED.user_id,
+  email = EXCLUDED.email,
+  username = EXCLUDED.username,
+  display_name = EXCLUDED.display_name,
+  avatar_url = EXCLUDED.avatar_url,
+  raw_claims = EXCLUDED.raw_claims,
+  updated_at = now()
+RETURNING *;
+
+-- name: UpdateIdentityLastLogin :exec
+UPDATE iam_identities
+SET last_login_at = now(), updated_at = now()
+WHERE id = sqlc.arg(id);
+
+-- name: CreateIAMSession :one
+INSERT INTO iam_sessions (user_id, identity_id, expires_at, ip_address, user_agent, metadata)
+VALUES (sqlc.arg(user_id), sqlc.narg(identity_id), sqlc.arg(expires_at), sqlc.narg(ip_address), sqlc.narg(user_agent), sqlc.arg(metadata))
+RETURNING *;
+
+-- name: GetIAMSessionByID :one
+SELECT s.*, u.is_active AS user_is_active
+FROM iam_sessions s
+JOIN iam_users u ON u.id = s.user_id
+WHERE s.id = sqlc.arg(id);
+
+-- name: RevokeIAMSession :exec
+UPDATE iam_sessions
+SET revoked_at = now(), updated_at = now()
+WHERE id = sqlc.arg(id)
+  AND revoked_at IS NULL;
+
+-- name: ExtendIAMSession :one
+UPDATE iam_sessions
+SET expires_at = sqlc.arg(expires_at), updated_at = now()
+WHERE id = sqlc.arg(id)
+  AND revoked_at IS NULL
+RETURNING *;
+
+-- name: CreateIAMLoginCode :one
+INSERT INTO iam_login_codes (code_hash, user_id, identity_id, session_id, expires_at)
+VALUES (sqlc.arg(code_hash), sqlc.arg(user_id), sqlc.narg(identity_id), sqlc.arg(session_id), sqlc.arg(expires_at))
+RETURNING *;
+
+-- name: UseIAMLoginCode :one
+UPDATE iam_login_codes
+SET used_at = now()
+WHERE code_hash = sqlc.arg(code_hash)
+  AND used_at IS NULL
+  AND expires_at > now()
+RETURNING *;
+
+-- name: ListSSOProviders :many
+SELECT *
+FROM iam_sso_providers
+ORDER BY created_at DESC;
+
+-- name: ListEnabledSSOProviders :many
+SELECT *
+FROM iam_sso_providers
+WHERE enabled = true
+ORDER BY name ASC;
+
+-- name: GetSSOProviderByID :one
+SELECT *
+FROM iam_sso_providers
+WHERE id = sqlc.arg(id);
+
+-- name: GetSSOProviderByKey :one
+SELECT *
+FROM iam_sso_providers
+WHERE key = sqlc.arg(key);
+
+-- name: UpsertSSOProvider :one
+INSERT INTO iam_sso_providers (
+  id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email
+)
+VALUES (
+  sqlc.arg(id), sqlc.arg(type), sqlc.arg(key), sqlc.arg(name), sqlc.arg(enabled), sqlc.arg(config),
+  sqlc.arg(attribute_mapping), sqlc.arg(jit_enabled), sqlc.arg(email_linking_policy), sqlc.arg(trust_email)
+)
+ON CONFLICT (key) DO UPDATE SET
+  type = EXCLUDED.type,
+  name = EXCLUDED.name,
+  enabled = EXCLUDED.enabled,
+  config = EXCLUDED.config,
+  attribute_mapping = EXCLUDED.attribute_mapping,
+  jit_enabled = EXCLUDED.jit_enabled,
+  email_linking_policy = EXCLUDED.email_linking_policy,
+  trust_email = EXCLUDED.trust_email,
+  updated_at = now()
+RETURNING *;
+
+-- name: DeleteSSOProvider :exec
+DELETE FROM iam_sso_providers WHERE id = sqlc.arg(id);
+
+-- name: ListIAMGroups :many
+SELECT *
+FROM iam_groups
+ORDER BY key ASC;
+
+-- name: GetIAMGroupByID :one
+SELECT *
+FROM iam_groups
+WHERE id = sqlc.arg(id);
+
+-- name: UpsertIAMGroup :one
+INSERT INTO iam_groups (id, key, display_name, source, external_id, metadata)
+VALUES (sqlc.arg(id), sqlc.arg(key), sqlc.arg(display_name), sqlc.arg(source), sqlc.narg(external_id), sqlc.arg(metadata))
+ON CONFLICT (key) DO UPDATE SET
+  display_name = EXCLUDED.display_name,
+  source = EXCLUDED.source,
+  external_id = EXCLUDED.external_id,
+  metadata = EXCLUDED.metadata,
+  updated_at = now()
+RETURNING *;
+
+-- name: DeleteIAMGroup :exec
+DELETE FROM iam_groups
+WHERE id = sqlc.arg(id);
+
+-- name: ListIAMGroupMembers :many
+SELECT gm.*, u.username, u.email, u.display_name
+FROM iam_group_members gm
+JOIN iam_users u ON u.id = gm.user_id
+WHERE gm.group_id = sqlc.arg(group_id)
+ORDER BY u.username ASC, u.email ASC;
+
+-- name: UpsertIAMGroupMember :one
+INSERT INTO iam_group_members (user_id, group_id, source, provider_id)
+VALUES (sqlc.arg(user_id), sqlc.arg(group_id), sqlc.arg(source), sqlc.narg(provider_id))
+ON CONFLICT (user_id, group_id, source, provider_id) DO UPDATE SET
+  updated_at = now()
+RETURNING *;
+
+-- name: DeleteIAMGroupMember :exec
+DELETE FROM iam_group_members
+WHERE user_id = sqlc.arg(user_id)
+  AND group_id = sqlc.arg(group_id);
+
+-- name: ListSSOGroupMappingsByProvider :many
+SELECT m.*, g.key AS group_key, g.display_name AS group_display_name
+FROM iam_sso_group_mappings m
+JOIN iam_groups g ON g.id = m.group_id
+WHERE m.provider_id = sqlc.arg(provider_id)
+ORDER BY m.external_group ASC;
+
+-- name: UpsertSSOGroupMapping :one
+INSERT INTO iam_sso_group_mappings (provider_id, external_group, group_id)
+VALUES (sqlc.arg(provider_id), sqlc.arg(external_group), sqlc.arg(group_id))
+ON CONFLICT (provider_id, external_group) DO UPDATE SET
+  group_id = EXCLUDED.group_id,
+  updated_at = now()
+RETURNING *;
+
+-- name: DeleteSSOGroupMapping :exec
+DELETE FROM iam_sso_group_mappings
+WHERE provider_id = sqlc.arg(provider_id)
+  AND external_group = sqlc.arg(external_group);
+
+-- name: ReplaceSSOGroupMemberships :exec
+WITH deleted AS (
+  DELETE FROM iam_group_members
+  WHERE user_id = sqlc.arg(user_id)
+    AND source = 'sso'
+    AND provider_id = sqlc.arg(provider_id)
+)
+INSERT INTO iam_group_members (user_id, group_id, source, provider_id)
+SELECT sqlc.arg(user_id), unnest(sqlc.arg(group_ids)::uuid[]), 'sso', sqlc.arg(provider_id);
+
+-- name: AssignPrincipalRole :one
+INSERT INTO iam_principal_roles (
+  principal_type, principal_id, role_id, resource_type, resource_id, source, provider_id
+)
+VALUES (
+  sqlc.arg(principal_type), sqlc.arg(principal_id), sqlc.arg(role_id), sqlc.arg(resource_type),
+  sqlc.narg(resource_id), sqlc.arg(source), sqlc.narg(provider_id)
+)
+ON CONFLICT DO NOTHING
+RETURNING *;
+
+-- name: DeletePrincipalRole :exec
+DELETE FROM iam_principal_roles
+WHERE id = sqlc.arg(id);
+
+-- name: ListPrincipalRoles :many
+SELECT
+  pr.*,
+  r.key AS role_key,
+  r.scope AS role_scope,
+  u.username AS user_username,
+  u.email AS user_email,
+  u.display_name AS user_display_name,
+  g.key AS group_key,
+  g.display_name AS group_display_name
+FROM iam_principal_roles pr
+JOIN iam_roles r ON r.id = pr.role_id
+LEFT JOIN iam_users u ON pr.principal_type = 'user' AND u.id = pr.principal_id
+LEFT JOIN iam_groups g ON pr.principal_type = 'group' AND g.id = pr.principal_id
+WHERE pr.resource_type = sqlc.arg(resource_type)
+  AND pr.resource_id IS NOT DISTINCT FROM sqlc.narg(resource_id)::uuid
+ORDER BY r.key ASC, pr.principal_type ASC, user_username ASC, group_key ASC;
+
+-- name: DeletePrincipalRoleAssignment :exec
+DELETE FROM iam_principal_roles pr
+USING iam_roles r
+WHERE pr.role_id = r.id
+  AND pr.principal_type = sqlc.arg(principal_type)
+  AND pr.principal_id = sqlc.arg(principal_id)
+  AND pr.resource_type = sqlc.arg(resource_type)
+  AND pr.resource_id = sqlc.narg(resource_id)
+  AND r.key = sqlc.arg(role_key);
+
+-- name: HasPermission :one
+SELECT EXISTS (
+  SELECT 1
+  FROM iam_principal_roles pr
+  JOIN iam_roles r ON r.id = pr.role_id
+  JOIN iam_role_permissions rp ON rp.role_id = r.id
+  JOIN iam_permissions p ON p.id = rp.permission_id
+  WHERE p.key = sqlc.arg(permission_key)
+    AND pr.resource_type = sqlc.arg(resource_type)
+    AND (pr.resource_id = sqlc.narg(resource_id)::uuid OR pr.resource_id IS NULL)
+    AND (
+      (pr.principal_type = 'user' AND pr.principal_id = sqlc.arg(user_id))
+      OR (
+        pr.principal_type = 'group'
+        AND pr.principal_id IN (
+          SELECT group_id FROM iam_group_members WHERE user_id = sqlc.arg(user_id)
+        )
+      )
+    )
+) AS allowed;
+
+-- name: GetRoleByKey :one
+SELECT *
+FROM iam_roles
+WHERE key = sqlc.arg(key);
+
+-- name: ListRoles :many
+SELECT *
+FROM iam_roles
+ORDER BY scope ASC, key ASC;
diff --git a/db/postgres/queries/messages.sql b/db/postgres/queries/messages.sql
index 6fd85746c..10e84a23c 100644
--- a/db/postgres/queries/messages.sql
+++ b/db/postgres/queries/messages.sql
@@ -65,7 +65,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
 ORDER BY m.created_at ASC
@@ -91,7 +91,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
 ORDER BY m.created_at ASC
@@ -117,7 +117,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
   AND m.created_at >= sqlc.arg(created_at)
@@ -143,7 +143,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
   AND m.created_at >= sqlc.arg(created_at)
@@ -170,7 +170,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
   AND m.created_at >= sqlc.arg(created_at)
@@ -198,7 +198,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
   AND m.created_at >= sqlc.arg(created_at)
@@ -225,7 +225,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
   AND m.created_at < sqlc.arg(created_at)
@@ -252,7 +252,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
   AND m.created_at < sqlc.arg(created_at)
@@ -279,7 +279,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
 ORDER BY m.created_at DESC
@@ -305,7 +305,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
 ORDER BY m.created_at DESC
@@ -413,7 +413,7 @@ SELECT
   ci.display_name AS sender_display_name,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
   AND (sqlc.narg(session_id)::uuid IS NULL OR m.session_id = sqlc.narg(session_id)::uuid)
diff --git a/db/postgres/queries/user_provider_oauth.sql b/db/postgres/queries/user_provider_oauth.sql
index c47933459..834e9a4ec 100644
--- a/db/postgres/queries/user_provider_oauth.sql
+++ b/db/postgres/queries/user_provider_oauth.sql
@@ -1,5 +1,5 @@
 -- name: UpsertUserProviderOAuthToken :one
-INSERT INTO user_provider_oauth_tokens (
+INSERT INTO iam_user_provider_oauth_tokens (
   provider_id,
   user_id,
   access_token,
@@ -36,17 +36,17 @@ ON CONFLICT (provider_id, user_id) DO UPDATE SET
 RETURNING *;
 
 -- name: GetUserProviderOAuthToken :one
-SELECT * FROM user_provider_oauth_tokens
+SELECT * FROM iam_user_provider_oauth_tokens
 WHERE provider_id = sqlc.arg(provider_id)
   AND user_id = sqlc.arg(user_id);
 
 -- name: GetUserProviderOAuthTokenByState :one
-SELECT * FROM user_provider_oauth_tokens
+SELECT * FROM iam_user_provider_oauth_tokens
 WHERE state = sqlc.arg(state)
   AND state != '';
 
 -- name: UpdateUserProviderOAuthState :exec
-INSERT INTO user_provider_oauth_tokens (provider_id, user_id, state, pkce_code_verifier, metadata)
+INSERT INTO iam_user_provider_oauth_tokens (provider_id, user_id, state, pkce_code_verifier, metadata)
 VALUES (
   sqlc.arg(provider_id),
   sqlc.arg(user_id),
@@ -61,6 +61,6 @@ ON CONFLICT (provider_id, user_id) DO UPDATE SET
   updated_at = now();
 
 -- name: DeleteUserProviderOAuthToken :exec
-DELETE FROM user_provider_oauth_tokens
+DELETE FROM iam_user_provider_oauth_tokens
 WHERE provider_id = sqlc.arg(provider_id)
   AND user_id = sqlc.arg(user_id);
diff --git a/db/postgres/queries/users.sql b/db/postgres/queries/users.sql
index 571900066..d40d0b7a3 100644
--- a/db/postgres/queries/users.sql
+++ b/db/postgres/queries/users.sql
@@ -1,19 +1,17 @@
 -- name: CreateUser :one
-INSERT INTO users (is_active, metadata)
+INSERT INTO iam_users (is_active, metadata)
 VALUES ($1, $2)
 RETURNING *;
 
 -- name: GetUserByID :one
 SELECT *
-FROM users
+FROM iam_users
 WHERE id = $1;
 
 -- name: CreateAccount :one
-UPDATE users
+UPDATE iam_users
 SET username = sqlc.arg(username),
     email = sqlc.arg(email),
-    password_hash = sqlc.arg(password_hash),
-    role = sqlc.arg(role)::user_role,
     display_name = sqlc.arg(display_name),
     avatar_url = sqlc.arg(avatar_url),
     is_active = sqlc.arg(is_active),
@@ -23,13 +21,11 @@ WHERE id = sqlc.arg(user_id)
 RETURNING *;
 
 -- name: UpsertAccountByUsername :one
-INSERT INTO users (id, username, email, password_hash, role, display_name, avatar_url, is_active, data_root, metadata)
+INSERT INTO iam_users (id, username, email, display_name, avatar_url, is_active, data_root, metadata)
 VALUES (
   sqlc.arg(user_id),
   sqlc.arg(username),
   sqlc.arg(email),
-  sqlc.arg(password_hash),
-  sqlc.arg(role)::user_role,
   sqlc.arg(display_name),
   sqlc.arg(avatar_url),
   sqlc.arg(is_active),
@@ -38,8 +34,6 @@ VALUES (
 )
 ON CONFLICT (username) DO UPDATE SET
   email = EXCLUDED.email,
-  password_hash = EXCLUDED.password_hash,
-  role = EXCLUDED.role,
   display_name = EXCLUDED.display_name,
   avatar_url = EXCLUDED.avatar_url,
   is_active = EXCLUDED.is_active,
@@ -48,37 +42,45 @@ ON CONFLICT (username) DO UPDATE SET
 RETURNING *;
 
 -- name: GetAccountByIdentity :one
-SELECT * FROM users WHERE username = sqlc.arg(identity) OR email = sqlc.arg(identity);
+SELECT u.*
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
+  AND (i.subject = lower(sqlc.arg(identity)::text) OR lower(COALESCE(i.email, '')) = lower(sqlc.arg(identity)::text))
+LIMIT 1;
 
 -- name: GetAccountByUserID :one
-SELECT * FROM users WHERE id = sqlc.arg(user_id);
+SELECT * FROM iam_users WHERE id = sqlc.arg(user_id);
 
 -- name: CountAccounts :one
-SELECT COUNT(*)::bigint AS count
-FROM users
-WHERE username IS NOT NULL
-  AND password_hash IS NOT NULL;
+SELECT COUNT(DISTINCT u.id)::bigint AS count
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password';
 
 -- name: ListAccounts :many
-SELECT * FROM users
-WHERE username IS NOT NULL
-ORDER BY created_at DESC;
+SELECT DISTINCT u.*
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
+ORDER BY u.created_at DESC;
 
 -- name: SearchAccounts :many
-SELECT *
-FROM users
-WHERE username IS NOT NULL
+SELECT DISTINCT u.*
+FROM iam_users u
+LEFT JOIN iam_identities i ON i.user_id = u.id AND i.provider_type = 'password'
+WHERE i.id IS NOT NULL
   AND (
     sqlc.arg(query)::text = ''
-    OR username ILIKE '%' || sqlc.arg(query)::text || '%'
-    OR COALESCE(display_name, '') ILIKE '%' || sqlc.arg(query)::text || '%'
-    OR COALESCE(email, '') ILIKE '%' || sqlc.arg(query)::text || '%'
+    OR u.username ILIKE '%' || sqlc.arg(query)::text || '%'
+    OR COALESCE(u.display_name, '') ILIKE '%' || sqlc.arg(query)::text || '%'
+    OR COALESCE(u.email, '') ILIKE '%' || sqlc.arg(query)::text || '%'
   )
-ORDER BY last_login_at DESC NULLS LAST, created_at DESC
+ORDER BY u.last_login_at DESC NULLS LAST, u.created_at DESC
 LIMIT sqlc.arg(limit_count);
 
 -- name: UpdateAccountProfile :one
-UPDATE users
+UPDATE iam_users
 SET display_name = $2,
     avatar_url = $3,
     timezone = $4,
@@ -88,9 +90,8 @@ WHERE id = $1
 RETURNING *;
 
 -- name: UpdateAccountAdmin :one
-UPDATE users
-SET role = sqlc.arg(role)::user_role,
-    display_name = sqlc.arg(display_name),
+UPDATE iam_users
+SET display_name = sqlc.arg(display_name),
     avatar_url = sqlc.arg(avatar_url),
     is_active = sqlc.arg(is_active),
     updated_at = now()
@@ -98,14 +99,20 @@ WHERE id = sqlc.arg(user_id)
 RETURNING *;
 
 -- name: UpdateAccountPassword :one
-UPDATE users
-SET password_hash = $2,
-    updated_at = now()
-WHERE id = $1
-RETURNING *;
+WITH updated AS (
+  UPDATE iam_identities
+  SET credential_secret = sqlc.arg(password_hash),
+      updated_at = now()
+  WHERE user_id = sqlc.arg(user_id)
+    AND provider_type = 'password'
+  RETURNING user_id
+)
+SELECT u.*
+FROM iam_users u
+JOIN updated ON updated.user_id = u.id;
 
 -- name: UpdateAccountLastLogin :one
-UPDATE users
+UPDATE iam_users
 SET last_login_at = now(),
     updated_at = now()
 WHERE id = $1
diff --git a/db/sqlite/migrations/0003_iam_sso_rbac.down.sql b/db/sqlite/migrations/0003_iam_sso_rbac.down.sql
new file mode 100644
index 000000000..cfff49b4e
--- /dev/null
+++ b/db/sqlite/migrations/0003_iam_sso_rbac.down.sql
@@ -0,0 +1,50 @@
+-- 0003_iam_sso_rbac
+-- Roll back IAM SSO RBAC schema to the legacy users/password_hash/role model.
+
+PRAGMA foreign_keys = OFF;
+
+ALTER TABLE iam_users ADD COLUMN password_hash TEXT;
+ALTER TABLE iam_users ADD COLUMN role TEXT NOT NULL DEFAULT 'member';
+
+UPDATE iam_users
+SET password_hash = (
+  SELECT credential_secret
+  FROM iam_identities
+  WHERE iam_identities.user_id = iam_users.id
+    AND iam_identities.provider_type = 'password'
+    AND iam_identities.credential_secret IS NOT NULL
+  LIMIT 1
+);
+
+UPDATE iam_users
+SET role = 'admin'
+WHERE EXISTS (
+  SELECT 1
+  FROM iam_principal_roles pr
+  JOIN iam_roles r ON r.id = pr.role_id
+  WHERE pr.principal_type = 'user'
+    AND pr.principal_id = iam_users.id
+    AND pr.resource_type = 'system'
+    AND pr.resource_id IS NULL
+    AND r.key = 'admin'
+);
+
+DROP TABLE IF EXISTS iam_sso_group_mappings;
+DROP TABLE IF EXISTS iam_principal_roles;
+DROP TABLE IF EXISTS iam_role_permissions;
+DROP TABLE IF EXISTS iam_group_members;
+DROP TABLE IF EXISTS iam_login_codes;
+DROP TABLE IF EXISTS iam_sessions;
+DROP TABLE IF EXISTS iam_identities;
+DROP TABLE IF EXISTS iam_groups;
+DROP TABLE IF EXISTS iam_roles;
+DROP TABLE IF EXISTS iam_permissions;
+DROP TABLE IF EXISTS iam_sso_providers;
+
+ALTER TABLE iam_user_provider_oauth_tokens RENAME TO user_provider_oauth_tokens;
+ALTER TABLE iam_channel_identity_bind_codes RENAME TO channel_identity_bind_codes;
+ALTER TABLE iam_user_channel_bindings RENAME TO user_channel_bindings;
+ALTER TABLE iam_channel_identities RENAME TO channel_identities;
+ALTER TABLE iam_users RENAME TO users;
+
+PRAGMA foreign_keys = ON;
diff --git a/db/sqlite/migrations/0003_iam_sso_rbac.up.sql b/db/sqlite/migrations/0003_iam_sso_rbac.up.sql
new file mode 100644
index 000000000..e51da936d
--- /dev/null
+++ b/db/sqlite/migrations/0003_iam_sso_rbac.up.sql
@@ -0,0 +1,342 @@
+-- 0003_iam_sso_rbac
+-- Introduce IAM identities, sessions, SSO providers, groups, and RBAC assignments.
+
+PRAGMA foreign_keys = OFF;
+
+CREATE TABLE IF NOT EXISTS users (
+  id TEXT PRIMARY KEY,
+  username TEXT,
+  email TEXT,
+  password_hash TEXT,
+  role TEXT NOT NULL DEFAULT 'member',
+  display_name TEXT,
+  avatar_url TEXT,
+  timezone TEXT NOT NULL DEFAULT 'UTC',
+  data_root TEXT,
+  last_login_at TEXT,
+  is_active INTEGER NOT NULL DEFAULT 1,
+  metadata TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  UNIQUE (email),
+  UNIQUE (username)
+);
+
+CREATE TABLE IF NOT EXISTS channel_identities (
+  id TEXT PRIMARY KEY,
+  user_id TEXT REFERENCES users(id) ON DELETE SET NULL,
+  channel_type TEXT NOT NULL,
+  channel_subject_id TEXT NOT NULL,
+  display_name TEXT,
+  avatar_url TEXT,
+  metadata TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  UNIQUE (channel_type, channel_subject_id)
+);
+
+CREATE TABLE IF NOT EXISTS user_channel_bindings (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  channel_type TEXT NOT NULL,
+  config TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  UNIQUE (user_id, channel_type)
+);
+
+CREATE TABLE IF NOT EXISTS channel_identity_bind_codes (
+  id TEXT PRIMARY KEY,
+  token TEXT NOT NULL UNIQUE,
+  issued_by_user_id TEXT NOT NULL REFERENCES users(id),
+  channel_type TEXT,
+  expires_at TEXT,
+  used_at TEXT,
+  used_by_channel_identity_id TEXT REFERENCES channel_identities(id),
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS user_provider_oauth_tokens (
+  id TEXT PRIMARY KEY,
+  provider_id TEXT NOT NULL REFERENCES providers(id) ON DELETE CASCADE,
+  user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  access_token TEXT NOT NULL DEFAULT '',
+  refresh_token TEXT NOT NULL DEFAULT '',
+  expires_at TEXT,
+  scope TEXT NOT NULL DEFAULT '',
+  token_type TEXT NOT NULL DEFAULT '',
+  state TEXT NOT NULL DEFAULT '',
+  pkce_code_verifier TEXT NOT NULL DEFAULT '',
+  metadata TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  UNIQUE (provider_id, user_id)
+);
+
+DROP TABLE IF EXISTS iam_sso_group_mappings;
+DROP TABLE IF EXISTS iam_principal_roles;
+DROP TABLE IF EXISTS iam_role_permissions;
+DROP TABLE IF EXISTS iam_group_members;
+DROP TABLE IF EXISTS iam_login_codes;
+DROP TABLE IF EXISTS iam_sessions;
+DROP TABLE IF EXISTS iam_identities;
+DROP TABLE IF EXISTS iam_groups;
+DROP TABLE IF EXISTS iam_roles;
+DROP TABLE IF EXISTS iam_permissions;
+DROP TABLE IF EXISTS iam_sso_providers;
+DROP TABLE IF EXISTS iam_user_provider_oauth_tokens;
+DROP TABLE IF EXISTS iam_channel_identity_bind_codes;
+DROP TABLE IF EXISTS iam_user_channel_bindings;
+DROP TABLE IF EXISTS iam_channel_identities;
+DROP TABLE IF EXISTS iam_users;
+
+ALTER TABLE users RENAME TO iam_users;
+ALTER TABLE channel_identities RENAME TO iam_channel_identities;
+ALTER TABLE user_channel_bindings RENAME TO iam_user_channel_bindings;
+ALTER TABLE channel_identity_bind_codes RENAME TO iam_channel_identity_bind_codes;
+ALTER TABLE user_provider_oauth_tokens RENAME TO iam_user_provider_oauth_tokens;
+
+CREATE TABLE IF NOT EXISTS iam_sso_providers (
+  id TEXT PRIMARY KEY,
+  type TEXT NOT NULL CHECK (type IN ('oidc', 'saml')),
+  key TEXT NOT NULL UNIQUE,
+  name TEXT NOT NULL,
+  enabled INTEGER NOT NULL DEFAULT 1,
+  config TEXT NOT NULL DEFAULT '{}',
+  attribute_mapping TEXT NOT NULL DEFAULT '{}',
+  jit_enabled INTEGER NOT NULL DEFAULT 1,
+  email_linking_policy TEXT NOT NULL DEFAULT 'link_existing' CHECK (email_linking_policy IN ('link_existing', 'reject_existing')),
+  trust_email INTEGER NOT NULL DEFAULT 0,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS iam_identities (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES iam_users(id) ON DELETE CASCADE,
+  provider_type TEXT NOT NULL CHECK (provider_type IN ('password', 'oidc', 'saml', 'channel')),
+  provider_id TEXT REFERENCES iam_sso_providers(id) ON DELETE CASCADE,
+  subject TEXT NOT NULL,
+  credential_secret TEXT,
+  email TEXT,
+  username TEXT,
+  display_name TEXT,
+  avatar_url TEXT,
+  raw_claims TEXT NOT NULL DEFAULT '{}',
+  last_login_at TEXT,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT iam_identities_password_provider_check CHECK (
+    (provider_type = 'password' AND provider_id IS NULL AND credential_secret IS NOT NULL)
+    OR provider_type <> 'password'
+  )
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_iam_identities_provider_subject_unique
+  ON iam_identities(provider_type, COALESCE(provider_id, ''), subject);
+CREATE INDEX IF NOT EXISTS idx_iam_identities_user_id ON iam_identities(user_id);
+CREATE INDEX IF NOT EXISTS idx_iam_identities_email ON iam_identities(email) WHERE email IS NOT NULL AND email != '';
+
+CREATE TABLE IF NOT EXISTS iam_sessions (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES iam_users(id) ON DELETE CASCADE,
+  identity_id TEXT REFERENCES iam_identities(id) ON DELETE SET NULL,
+  issued_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  expires_at TEXT NOT NULL,
+  revoked_at TEXT,
+  ip_address TEXT,
+  user_agent TEXT,
+  metadata TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX IF NOT EXISTS idx_iam_sessions_user_id ON iam_sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_iam_sessions_active ON iam_sessions(user_id, expires_at) WHERE revoked_at IS NULL;
+
+CREATE TABLE IF NOT EXISTS iam_login_codes (
+  id TEXT PRIMARY KEY,
+  code_hash TEXT NOT NULL UNIQUE,
+  user_id TEXT NOT NULL REFERENCES iam_users(id) ON DELETE CASCADE,
+  identity_id TEXT REFERENCES iam_identities(id) ON DELETE SET NULL,
+  session_id TEXT NOT NULL REFERENCES iam_sessions(id) ON DELETE CASCADE,
+  expires_at TEXT NOT NULL,
+  used_at TEXT,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+CREATE INDEX IF NOT EXISTS idx_iam_login_codes_expires_at ON iam_login_codes(expires_at);
+
+CREATE TABLE IF NOT EXISTS iam_groups (
+  id TEXT PRIMARY KEY,
+  key TEXT NOT NULL UNIQUE,
+  display_name TEXT NOT NULL DEFAULT '',
+  source TEXT NOT NULL DEFAULT 'local' CHECK (source IN ('local', 'sso', 'scim')),
+  external_id TEXT,
+  metadata TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS iam_group_members (
+  user_id TEXT NOT NULL REFERENCES iam_users(id) ON DELETE CASCADE,
+  group_id TEXT NOT NULL REFERENCES iam_groups(id) ON DELETE CASCADE,
+  source TEXT NOT NULL DEFAULT 'manual' CHECK (source IN ('manual', 'sso', 'scim')),
+  provider_id TEXT REFERENCES iam_sso_providers(id) ON DELETE CASCADE,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_iam_group_members_unique
+  ON iam_group_members(user_id, group_id, source, COALESCE(provider_id, ''));
+CREATE INDEX IF NOT EXISTS idx_iam_group_members_user_id ON iam_group_members(user_id);
+CREATE INDEX IF NOT EXISTS idx_iam_group_members_group_id ON iam_group_members(group_id);
+
+CREATE TABLE IF NOT EXISTS iam_permissions (
+  id TEXT PRIMARY KEY,
+  key TEXT NOT NULL UNIQUE,
+  description TEXT NOT NULL DEFAULT '',
+  is_system INTEGER NOT NULL DEFAULT 1,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS iam_roles (
+  id TEXT PRIMARY KEY,
+  key TEXT NOT NULL UNIQUE,
+  scope TEXT NOT NULL CHECK (scope IN ('system', 'bot')),
+  description TEXT NOT NULL DEFAULT '',
+  is_system INTEGER NOT NULL DEFAULT 0,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TABLE IF NOT EXISTS iam_role_permissions (
+  role_id TEXT NOT NULL REFERENCES iam_roles(id) ON DELETE CASCADE,
+  permission_id TEXT NOT NULL REFERENCES iam_permissions(id) ON DELETE CASCADE,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  PRIMARY KEY (role_id, permission_id)
+);
+
+CREATE TABLE IF NOT EXISTS iam_principal_roles (
+  id TEXT PRIMARY KEY,
+  principal_type TEXT NOT NULL CHECK (principal_type IN ('user', 'group')),
+  principal_id TEXT NOT NULL,
+  role_id TEXT NOT NULL REFERENCES iam_roles(id) ON DELETE CASCADE,
+  resource_type TEXT NOT NULL CHECK (resource_type IN ('system', 'bot')),
+  resource_id TEXT,
+  source TEXT NOT NULL DEFAULT 'manual' CHECK (source IN ('system', 'manual', 'sso', 'scim')),
+  provider_id TEXT REFERENCES iam_sso_providers(id) ON DELETE SET NULL,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT iam_principal_roles_resource_id_check CHECK (
+    (resource_type = 'system' AND resource_id IS NULL)
+    OR resource_type = 'bot'
+  )
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_iam_principal_roles_unique
+  ON iam_principal_roles(principal_type, principal_id, role_id, resource_type, COALESCE(resource_id, ''), source, COALESCE(provider_id, ''));
+CREATE INDEX IF NOT EXISTS idx_iam_principal_roles_user ON iam_principal_roles(principal_id) WHERE principal_type = 'user';
+CREATE INDEX IF NOT EXISTS idx_iam_principal_roles_group ON iam_principal_roles(principal_id) WHERE principal_type = 'group';
+CREATE INDEX IF NOT EXISTS idx_iam_principal_roles_resource ON iam_principal_roles(resource_type, resource_id);
+
+CREATE TABLE IF NOT EXISTS iam_sso_group_mappings (
+  id TEXT PRIMARY KEY,
+  provider_id TEXT NOT NULL REFERENCES iam_sso_providers(id) ON DELETE CASCADE,
+  external_group TEXT NOT NULL,
+  group_id TEXT NOT NULL REFERENCES iam_groups(id) ON DELETE CASCADE,
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  UNIQUE (provider_id, external_group)
+);
+CREATE INDEX IF NOT EXISTS idx_iam_sso_group_mappings_group_id ON iam_sso_group_mappings(group_id);
+
+INSERT OR IGNORE INTO iam_permissions (id, key, description, is_system) VALUES
+  ('00000000-0000-0000-0000-000000000001', 'system.login', 'Log in to the system', 1),
+  ('00000000-0000-0000-0000-000000000002', 'system.admin', 'Administer the system', 1),
+  ('00000000-0000-0000-0000-000000000003', 'bot.read', 'Read bot data', 1),
+  ('00000000-0000-0000-0000-000000000004', 'bot.chat', 'Chat with bot', 1),
+  ('00000000-0000-0000-0000-000000000005', 'bot.update', 'Update bot configuration', 1),
+  ('00000000-0000-0000-0000-000000000006', 'bot.delete', 'Delete bot', 1),
+  ('00000000-0000-0000-0000-000000000007', 'bot.permissions.manage', 'Manage bot permissions', 1);
+
+INSERT OR IGNORE INTO iam_roles (id, key, scope, description, is_system) VALUES
+  ('00000000-0000-0000-0000-000000000101', 'member', 'system', 'Default authenticated user', 1),
+  ('00000000-0000-0000-0000-000000000102', 'admin', 'system', 'System administrator', 1),
+  ('00000000-0000-0000-0000-000000000103', 'bot_viewer', 'bot', 'Bot viewer', 1),
+  ('00000000-0000-0000-0000-000000000104', 'bot_operator', 'bot', 'Bot operator', 1),
+  ('00000000-0000-0000-0000-000000000105', 'bot_owner', 'bot', 'Bot owner', 1);
+
+INSERT OR IGNORE INTO iam_role_permissions (role_id, permission_id) VALUES
+  ('00000000-0000-0000-0000-000000000101', '00000000-0000-0000-0000-000000000001'),
+  ('00000000-0000-0000-0000-000000000102', '00000000-0000-0000-0000-000000000001'),
+  ('00000000-0000-0000-0000-000000000102', '00000000-0000-0000-0000-000000000002'),
+  ('00000000-0000-0000-0000-000000000103', '00000000-0000-0000-0000-000000000003'),
+  ('00000000-0000-0000-0000-000000000103', '00000000-0000-0000-0000-000000000004'),
+  ('00000000-0000-0000-0000-000000000104', '00000000-0000-0000-0000-000000000003'),
+  ('00000000-0000-0000-0000-000000000104', '00000000-0000-0000-0000-000000000004'),
+  ('00000000-0000-0000-0000-000000000104', '00000000-0000-0000-0000-000000000005'),
+  ('00000000-0000-0000-0000-000000000105', '00000000-0000-0000-0000-000000000003'),
+  ('00000000-0000-0000-0000-000000000105', '00000000-0000-0000-0000-000000000004'),
+  ('00000000-0000-0000-0000-000000000105', '00000000-0000-0000-0000-000000000005'),
+  ('00000000-0000-0000-0000-000000000105', '00000000-0000-0000-0000-000000000006'),
+  ('00000000-0000-0000-0000-000000000105', '00000000-0000-0000-0000-000000000007');
+
+INSERT OR IGNORE INTO iam_identities (
+  id, user_id, provider_type, provider_id, subject, credential_secret, email, username,
+  display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+)
+SELECT
+  lower(hex(randomblob(4))) || '-' || lower(hex(randomblob(2))) || '-' || '4' || substr(lower(hex(randomblob(2))), 2) || '-' || substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' || lower(hex(randomblob(6))),
+  id, 'password', NULL, lower(username), password_hash, email, username, display_name, avatar_url, '{}', last_login_at, created_at, updated_at
+FROM iam_users
+WHERE username IS NOT NULL AND username != ''
+  AND password_hash IS NOT NULL AND password_hash != '';
+
+INSERT OR IGNORE INTO iam_principal_roles (id, principal_type, principal_id, role_id, resource_type, resource_id, source)
+SELECT
+  lower(hex(randomblob(4))) || '-' || lower(hex(randomblob(2))) || '-' || '4' || substr(lower(hex(randomblob(2))), 2) || '-' || substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' || lower(hex(randomblob(6))),
+  'user',
+  id,
+  CASE WHEN role = 'admin' THEN '00000000-0000-0000-0000-000000000102' ELSE '00000000-0000-0000-0000-000000000101' END,
+  'system',
+  NULL,
+  'system'
+FROM iam_users;
+
+INSERT OR IGNORE INTO iam_principal_roles (id, principal_type, principal_id, role_id, resource_type, resource_id, source)
+SELECT
+  lower(hex(randomblob(4))) || '-' || lower(hex(randomblob(2))) || '-' || '4' || substr(lower(hex(randomblob(2))), 2) || '-' || substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' || lower(hex(randomblob(6))),
+  'user',
+  owner_user_id,
+  '00000000-0000-0000-0000-000000000105',
+  'bot',
+  id,
+  'system'
+FROM bots
+WHERE owner_user_id IS NOT NULL;
+
+CREATE TABLE iam_users_new (
+  id TEXT PRIMARY KEY,
+  username TEXT,
+  email TEXT,
+  display_name TEXT,
+  avatar_url TEXT,
+  timezone TEXT NOT NULL DEFAULT 'UTC',
+  data_root TEXT,
+  last_login_at TEXT,
+  is_active INTEGER NOT NULL DEFAULT 1,
+  metadata TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  updated_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT iam_users_username_unique UNIQUE (username)
+);
+INSERT INTO iam_users_new (
+  id, username, email, display_name, avatar_url, timezone, data_root, last_login_at,
+  is_active, metadata, created_at, updated_at
+)
+SELECT
+  id, username, email, display_name, avatar_url, timezone, data_root, last_login_at,
+  is_active, metadata, created_at, updated_at
+FROM iam_users;
+DROP TABLE iam_users;
+ALTER TABLE iam_users_new RENAME TO iam_users;
+CREATE UNIQUE INDEX IF NOT EXISTS idx_iam_users_email_unique ON iam_users(email) WHERE email IS NOT NULL AND email != '';
+
+PRAGMA foreign_keys = ON;
diff --git a/db/sqlite/queries/acl.sql b/db/sqlite/queries/acl.sql
index 1d465d65f..7c11bf3cb 100644
--- a/db/sqlite/queries/acl.sql
+++ b/db/sqlite/queries/acl.sql
@@ -48,8 +48,8 @@ SELECT
   linked.display_name AS linked_user_display_name,
   linked.avatar_url AS linked_user_avatar_url
 FROM bot_acl_rules r
-LEFT JOIN channel_identities ci ON ci.id = r.channel_identity_id
-LEFT JOIN users linked ON linked.id = ci.user_id
+LEFT JOIN iam_channel_identities ci ON ci.id = r.channel_identity_id
+LEFT JOIN iam_users linked ON linked.id = ci.user_id
 WHERE r.bot_id = sqlc.arg(bot_id)
   AND r.action = 'chat.trigger'
 ORDER BY r.priority ASC, r.created_at ASC;
diff --git a/db/sqlite/queries/bind.sql b/db/sqlite/queries/bind.sql
index 522c828ed..e3d204c43 100644
--- a/db/sqlite/queries/bind.sql
+++ b/db/sqlite/queries/bind.sql
@@ -1,5 +1,5 @@
 -- name: CreateBindCode :one
-INSERT INTO channel_identity_bind_codes (id, token, issued_by_user_id, channel_type, expires_at)
+INSERT INTO iam_channel_identity_bind_codes (id, token, issued_by_user_id, channel_type, expires_at)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -15,16 +15,16 @@ RETURNING id, token, issued_by_user_id, channel_type, expires_at, used_at, used_
 
 -- name: GetBindCode :one
 SELECT id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
-FROM channel_identity_bind_codes
+FROM iam_channel_identity_bind_codes
 WHERE token = sqlc.arg(token);
 
 -- name: GetBindCodeForUpdate :one
 SELECT id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
-FROM channel_identity_bind_codes
+FROM iam_channel_identity_bind_codes
 WHERE token = sqlc.arg(token);
 
 -- name: MarkBindCodeUsed :one
-UPDATE channel_identity_bind_codes
+UPDATE iam_channel_identity_bind_codes
 SET used_at = CURRENT_TIMESTAMP, used_by_channel_identity_id = sqlc.arg(used_by_channel_identity_id)
 WHERE id = sqlc.arg(id)
   AND used_at IS NULL
diff --git a/db/sqlite/queries/channel_identities.sql b/db/sqlite/queries/channel_identities.sql
index 5df1afaff..287793fae 100644
--- a/db/sqlite/queries/channel_identities.sql
+++ b/db/sqlite/queries/channel_identities.sql
@@ -1,5 +1,5 @@
 -- name: CreateChannelIdentity :one
-INSERT INTO channel_identities (id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
+INSERT INTO iam_channel_identities (id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -17,21 +17,21 @@ RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_ur
 
 -- name: GetChannelIdentityByID :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE id = sqlc.arg(id);
 
 -- name: GetChannelIdentityByIDForUpdate :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE id = sqlc.arg(id);
 
 -- name: GetChannelIdentityByChannelSubject :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE channel_type = sqlc.arg(channel_type) AND channel_subject_id = sqlc.arg(channel_subject_id);
 
 -- name: UpsertChannelIdentityByChannelSubject :one
-INSERT INTO channel_identities (id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
+INSERT INTO iam_channel_identities (id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -47,16 +47,16 @@ VALUES (
 )
 ON CONFLICT (channel_type, channel_subject_id)
 DO UPDATE SET
-  display_name = COALESCE(NULLIF(EXCLUDED.display_name, ''), channel_identities.display_name),
-  avatar_url = COALESCE(NULLIF(EXCLUDED.avatar_url, ''), channel_identities.avatar_url),
+  display_name = COALESCE(NULLIF(EXCLUDED.display_name, ''), iam_channel_identities.display_name),
+  avatar_url = COALESCE(NULLIF(EXCLUDED.avatar_url, ''), iam_channel_identities.avatar_url),
   metadata = EXCLUDED.metadata,
-  user_id = COALESCE(channel_identities.user_id, EXCLUDED.user_id),
+  user_id = COALESCE(iam_channel_identities.user_id, EXCLUDED.user_id),
   updated_at = CURRENT_TIMESTAMP
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at;
 
 -- name: ListChannelIdentitiesByUserID :many
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE user_id = sqlc.arg(user_id)
 ORDER BY created_at DESC;
 
@@ -74,8 +74,8 @@ SELECT
   u.username AS linked_username,
   u.display_name AS linked_display_name,
   u.avatar_url AS linked_avatar_url
-FROM channel_identities ci
-LEFT JOIN users u ON u.id = ci.user_id
+FROM iam_channel_identities ci
+LEFT JOIN iam_users u ON u.id = ci.user_id
 WHERE
   sqlc.arg(query) = ''
   OR lower(ci.channel_type) LIKE '%' || lower(sqlc.arg(query)) || '%'
@@ -87,7 +87,7 @@ ORDER BY ci.updated_at DESC
 LIMIT sqlc.arg(limit_count);
 
 -- name: SetChannelIdentityLinkedUser :one
-UPDATE channel_identities
+UPDATE iam_channel_identities
 SET user_id = sqlc.arg(user_id), updated_at = CURRENT_TIMESTAMP
 WHERE id = sqlc.arg(id)
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at;
diff --git a/db/sqlite/queries/channels.sql b/db/sqlite/queries/channels.sql
index f912c6fcf..b00667d4d 100644
--- a/db/sqlite/queries/channels.sql
+++ b/db/sqlite/queries/channels.sql
@@ -68,12 +68,12 @@ ORDER BY created_at DESC;
 
 -- name: GetUserChannelBinding :one
 SELECT id, user_id, channel_type, config, created_at, updated_at
-FROM user_channel_bindings
+FROM iam_user_channel_bindings
 WHERE user_id = sqlc.arg(user_id) AND channel_type = sqlc.arg(channel_type)
 LIMIT 1;
 
 -- name: UpsertUserChannelBinding :one
-INSERT INTO user_channel_bindings (id, user_id, channel_type, config)
+INSERT INTO iam_user_channel_bindings (id, user_id, channel_type, config)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -92,6 +92,6 @@ RETURNING id, user_id, channel_type, config, created_at, updated_at;
 
 -- name: ListUserChannelBindingsByPlatform :many
 SELECT id, user_id, channel_type, config, created_at, updated_at
-FROM user_channel_bindings
+FROM iam_user_channel_bindings
 WHERE channel_type = sqlc.arg(channel_type)
 ORDER BY created_at DESC;
diff --git a/db/sqlite/queries/iam.sql b/db/sqlite/queries/iam.sql
new file mode 100644
index 000000000..5d64e6b9f
--- /dev/null
+++ b/db/sqlite/queries/iam.sql
@@ -0,0 +1,318 @@
+-- name: CreatePasswordIdentity :one
+INSERT INTO iam_identities (
+  id, user_id, provider_type, provider_id, subject, credential_secret, email, username,
+  display_name, avatar_url, raw_claims
+)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  sqlc.arg(user_id), 'password', NULL, lower(sqlc.arg(subject)), sqlc.arg(credential_secret),
+  sqlc.narg(email), sqlc.narg(username), sqlc.narg(display_name), sqlc.narg(avatar_url), '{}'
+)
+ON CONFLICT DO UPDATE SET
+  credential_secret = EXCLUDED.credential_secret,
+  email = EXCLUDED.email,
+  username = EXCLUDED.username,
+  display_name = EXCLUDED.display_name,
+  avatar_url = EXCLUDED.avatar_url,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING *;
+
+-- name: GetIdentityByProviderSubject :one
+SELECT *
+FROM iam_identities
+WHERE provider_type = sqlc.arg(provider_type)
+  AND COALESCE(provider_id, '') = COALESCE(sqlc.narg(provider_id), '')
+  AND subject = sqlc.arg(subject);
+
+-- name: GetPasswordIdentityBySubject :one
+SELECT *
+FROM iam_identities
+WHERE provider_type = 'password'
+  AND subject = lower(sqlc.arg(subject));
+
+-- name: UpsertExternalIdentity :one
+INSERT INTO iam_identities (
+  id, user_id, provider_type, provider_id, subject, email, username, display_name, avatar_url, raw_claims
+)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  sqlc.arg(user_id), sqlc.arg(provider_type), sqlc.arg(provider_id), sqlc.arg(subject),
+  sqlc.narg(email), sqlc.narg(username), sqlc.narg(display_name), sqlc.narg(avatar_url), sqlc.arg(raw_claims)
+)
+ON CONFLICT DO UPDATE SET
+  user_id = EXCLUDED.user_id,
+  email = EXCLUDED.email,
+  username = EXCLUDED.username,
+  display_name = EXCLUDED.display_name,
+  avatar_url = EXCLUDED.avatar_url,
+  raw_claims = EXCLUDED.raw_claims,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING *;
+
+-- name: UpdateIdentityLastLogin :exec
+UPDATE iam_identities
+SET last_login_at = CURRENT_TIMESTAMP, updated_at = CURRENT_TIMESTAMP
+WHERE id = sqlc.arg(id);
+
+-- name: CreateIAMSession :one
+INSERT INTO iam_sessions (id, user_id, identity_id, expires_at, ip_address, user_agent, metadata)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  sqlc.arg(user_id), sqlc.narg(identity_id), sqlc.arg(expires_at), sqlc.narg(ip_address), sqlc.narg(user_agent), sqlc.arg(metadata)
+)
+RETURNING *;
+
+-- name: GetIAMSessionByID :one
+SELECT s.*, u.is_active AS user_is_active
+FROM iam_sessions s
+JOIN iam_users u ON u.id = s.user_id
+WHERE s.id = sqlc.arg(id);
+
+-- name: RevokeIAMSession :exec
+UPDATE iam_sessions
+SET revoked_at = CURRENT_TIMESTAMP, updated_at = CURRENT_TIMESTAMP
+WHERE id = sqlc.arg(id)
+  AND revoked_at IS NULL;
+
+-- name: ExtendIAMSession :one
+UPDATE iam_sessions
+SET expires_at = sqlc.arg(expires_at), updated_at = CURRENT_TIMESTAMP
+WHERE id = sqlc.arg(id)
+  AND revoked_at IS NULL
+RETURNING *;
+
+-- name: CreateIAMLoginCode :one
+INSERT INTO iam_login_codes (id, code_hash, user_id, identity_id, session_id, expires_at)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  sqlc.arg(code_hash), sqlc.arg(user_id), sqlc.narg(identity_id), sqlc.arg(session_id), sqlc.arg(expires_at)
+)
+RETURNING *;
+
+-- name: UseIAMLoginCode :one
+UPDATE iam_login_codes
+SET used_at = CURRENT_TIMESTAMP
+WHERE code_hash = sqlc.arg(code_hash)
+  AND used_at IS NULL
+  AND expires_at > CURRENT_TIMESTAMP
+RETURNING *;
+
+-- name: ListSSOProviders :many
+SELECT *
+FROM iam_sso_providers
+ORDER BY created_at DESC;
+
+-- name: ListEnabledSSOProviders :many
+SELECT *
+FROM iam_sso_providers
+WHERE enabled = 1
+ORDER BY name ASC;
+
+-- name: GetSSOProviderByID :one
+SELECT *
+FROM iam_sso_providers
+WHERE id = sqlc.arg(id);
+
+-- name: GetSSOProviderByKey :one
+SELECT *
+FROM iam_sso_providers
+WHERE key = sqlc.arg(key);
+
+-- name: UpsertSSOProvider :one
+INSERT INTO iam_sso_providers (
+  id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email
+)
+VALUES (
+  sqlc.arg(id), sqlc.arg(type), sqlc.arg(key), sqlc.arg(name), sqlc.arg(enabled), sqlc.arg(config),
+  sqlc.arg(attribute_mapping), sqlc.arg(jit_enabled), sqlc.arg(email_linking_policy), sqlc.arg(trust_email)
+)
+ON CONFLICT (key) DO UPDATE SET
+  type = EXCLUDED.type,
+  name = EXCLUDED.name,
+  enabled = EXCLUDED.enabled,
+  config = EXCLUDED.config,
+  attribute_mapping = EXCLUDED.attribute_mapping,
+  jit_enabled = EXCLUDED.jit_enabled,
+  email_linking_policy = EXCLUDED.email_linking_policy,
+  trust_email = EXCLUDED.trust_email,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING *;
+
+-- name: DeleteSSOProvider :exec
+DELETE FROM iam_sso_providers WHERE id = sqlc.arg(id);
+
+-- name: ListIAMGroups :many
+SELECT *
+FROM iam_groups
+ORDER BY key ASC;
+
+-- name: GetIAMGroupByID :one
+SELECT *
+FROM iam_groups
+WHERE id = sqlc.arg(id);
+
+-- name: UpsertIAMGroup :one
+INSERT INTO iam_groups (id, key, display_name, source, external_id, metadata)
+VALUES (sqlc.arg(id), sqlc.arg(key), sqlc.arg(display_name), sqlc.arg(source), sqlc.narg(external_id), sqlc.arg(metadata))
+ON CONFLICT (key) DO UPDATE SET
+  display_name = EXCLUDED.display_name,
+  source = EXCLUDED.source,
+  external_id = EXCLUDED.external_id,
+  metadata = EXCLUDED.metadata,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING *;
+
+-- name: DeleteIAMGroup :exec
+DELETE FROM iam_groups
+WHERE id = sqlc.arg(id);
+
+-- name: ListIAMGroupMembers :many
+SELECT gm.*, u.username, u.email, u.display_name
+FROM iam_group_members gm
+JOIN iam_users u ON u.id = gm.user_id
+WHERE gm.group_id = sqlc.arg(group_id)
+ORDER BY u.username ASC, u.email ASC;
+
+-- name: UpsertIAMGroupMember :one
+INSERT INTO iam_group_members (user_id, group_id, source, provider_id)
+VALUES (sqlc.arg(user_id), sqlc.arg(group_id), sqlc.arg(source), sqlc.narg(provider_id))
+ON CONFLICT (user_id, group_id, source, provider_id) DO UPDATE SET
+  updated_at = CURRENT_TIMESTAMP
+RETURNING *;
+
+-- name: DeleteIAMGroupMember :exec
+DELETE FROM iam_group_members
+WHERE user_id = sqlc.arg(user_id)
+  AND group_id = sqlc.arg(group_id);
+
+-- name: ListSSOGroupMappingsByProvider :many
+SELECT m.*, g.key AS group_key, g.display_name AS group_display_name
+FROM iam_sso_group_mappings m
+JOIN iam_groups g ON g.id = m.group_id
+WHERE m.provider_id = sqlc.arg(provider_id)
+ORDER BY m.external_group ASC;
+
+-- name: UpsertSSOGroupMapping :one
+INSERT INTO iam_sso_group_mappings (id, provider_id, external_group, group_id)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  sqlc.arg(provider_id), sqlc.arg(external_group), sqlc.arg(group_id)
+)
+ON CONFLICT (provider_id, external_group) DO UPDATE SET
+  group_id = EXCLUDED.group_id,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING *;
+
+-- name: DeleteSSOGroupMapping :exec
+DELETE FROM iam_sso_group_mappings
+WHERE provider_id = sqlc.arg(provider_id)
+  AND external_group = sqlc.arg(external_group);
+
+-- name: ClearSSOGroupMemberships :exec
+DELETE FROM iam_group_members
+WHERE user_id = sqlc.arg(user_id)
+  AND source = 'sso'
+  AND provider_id = sqlc.arg(provider_id);
+
+-- name: AddSSOGroupMembership :exec
+INSERT OR IGNORE INTO iam_group_members (user_id, group_id, source, provider_id)
+VALUES (sqlc.arg(user_id), sqlc.arg(group_id), 'sso', sqlc.arg(provider_id));
+
+-- name: AssignPrincipalRole :one
+INSERT INTO iam_principal_roles (
+  id, principal_type, principal_id, role_id, resource_type, resource_id, source, provider_id
+)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  sqlc.arg(principal_type), sqlc.arg(principal_id), sqlc.arg(role_id), sqlc.arg(resource_type),
+  sqlc.narg(resource_id), sqlc.arg(source), sqlc.narg(provider_id)
+)
+ON CONFLICT DO NOTHING
+RETURNING *;
+
+-- name: DeletePrincipalRole :exec
+DELETE FROM iam_principal_roles
+WHERE id = sqlc.arg(id);
+
+-- name: ListPrincipalRoles :many
+SELECT
+  pr.*,
+  r.key AS role_key,
+  r.scope AS role_scope,
+  u.username AS user_username,
+  u.email AS user_email,
+  u.display_name AS user_display_name,
+  g.key AS group_key,
+  g.display_name AS group_display_name
+FROM iam_principal_roles pr
+JOIN iam_roles r ON r.id = pr.role_id
+LEFT JOIN iam_users u ON pr.principal_type = 'user' AND u.id = pr.principal_id
+LEFT JOIN iam_groups g ON pr.principal_type = 'group' AND g.id = pr.principal_id
+WHERE pr.resource_type = sqlc.arg(resource_type)
+  AND COALESCE(pr.resource_id, '') = COALESCE(sqlc.narg(resource_id), '')
+ORDER BY r.key ASC, pr.principal_type ASC, user_username ASC, group_key ASC;
+
+-- name: DeletePrincipalRoleAssignment :exec
+DELETE FROM iam_principal_roles
+WHERE principal_type = sqlc.arg(principal_type)
+  AND principal_id = sqlc.arg(principal_id)
+  AND resource_type = sqlc.arg(resource_type)
+  AND resource_id = sqlc.narg(resource_id)
+  AND role_id = (
+    SELECT id FROM iam_roles WHERE key = sqlc.arg(role_key)
+  );
+
+-- name: HasPermission :one
+SELECT EXISTS (
+  SELECT 1
+  FROM iam_principal_roles pr
+  JOIN iam_roles r ON r.id = pr.role_id
+  JOIN iam_role_permissions rp ON rp.role_id = r.id
+  JOIN iam_permissions p ON p.id = rp.permission_id
+  WHERE p.key = sqlc.arg(permission_key)
+    AND pr.resource_type = sqlc.arg(resource_type)
+    AND (pr.resource_id = sqlc.narg(resource_id) OR pr.resource_id IS NULL)
+    AND (
+      (pr.principal_type = 'user' AND pr.principal_id = sqlc.arg(user_id))
+      OR (
+        pr.principal_type = 'group'
+        AND pr.principal_id IN (
+          SELECT group_id FROM iam_group_members WHERE user_id = sqlc.arg(user_id)
+        )
+      )
+    )
+) AS allowed;
+
+-- name: GetRoleByKey :one
+SELECT *
+FROM iam_roles
+WHERE key = sqlc.arg(key);
+
+-- name: ListRoles :many
+SELECT *
+FROM iam_roles
+ORDER BY scope ASC, key ASC;
diff --git a/db/sqlite/queries/messages.sql b/db/sqlite/queries/messages.sql
index ae263c7c3..cb9495d36 100644
--- a/db/sqlite/queries/messages.sql
+++ b/db/sqlite/queries/messages.sql
@@ -42,7 +42,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
 ORDER BY m.created_at ASC
@@ -59,7 +59,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
 ORDER BY m.created_at ASC
@@ -76,7 +76,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
   AND m.created_at >= sqlc.arg(created_at)
@@ -93,7 +93,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
   AND m.created_at >= sqlc.arg(created_at)
@@ -110,7 +110,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
   AND m.created_at >= sqlc.arg(created_at)
@@ -128,7 +128,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
   AND m.created_at >= sqlc.arg(created_at)
@@ -146,7 +146,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
   AND m.created_at < sqlc.arg(created_at)
@@ -164,7 +164,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
   AND m.created_at < sqlc.arg(created_at)
@@ -182,7 +182,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
 ORDER BY m.created_at DESC
@@ -199,7 +199,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = sqlc.arg(session_id)
 ORDER BY m.created_at DESC
@@ -285,7 +285,7 @@ SELECT
   ci.display_name AS sender_display_name,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = sqlc.arg(bot_id)
   AND (sqlc.narg(session_id) IS NULL OR m.session_id = sqlc.narg(session_id))
diff --git a/db/sqlite/queries/user_provider_oauth.sql b/db/sqlite/queries/user_provider_oauth.sql
index fd1fb6933..c4b530108 100644
--- a/db/sqlite/queries/user_provider_oauth.sql
+++ b/db/sqlite/queries/user_provider_oauth.sql
@@ -1,5 +1,5 @@
 -- name: UpsertUserProviderOAuthToken :one
-INSERT INTO user_provider_oauth_tokens (id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata)
+INSERT INTO iam_user_provider_oauth_tokens (id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -30,17 +30,17 @@ ON CONFLICT (provider_id, user_id) DO UPDATE SET
 RETURNING *;
 
 -- name: GetUserProviderOAuthToken :one
-SELECT * FROM user_provider_oauth_tokens
+SELECT * FROM iam_user_provider_oauth_tokens
 WHERE provider_id = sqlc.arg(provider_id)
   AND user_id = sqlc.arg(user_id);
 
 -- name: GetUserProviderOAuthTokenByState :one
-SELECT * FROM user_provider_oauth_tokens
+SELECT * FROM iam_user_provider_oauth_tokens
 WHERE state = sqlc.arg(state)
   AND state != '';
 
 -- name: UpdateUserProviderOAuthState :exec
-INSERT INTO user_provider_oauth_tokens (id, provider_id, user_id, state, pkce_code_verifier, metadata)
+INSERT INTO iam_user_provider_oauth_tokens (id, provider_id, user_id, state, pkce_code_verifier, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -60,6 +60,6 @@ ON CONFLICT (provider_id, user_id) DO UPDATE SET
   updated_at = CURRENT_TIMESTAMP;
 
 -- name: DeleteUserProviderOAuthToken :exec
-DELETE FROM user_provider_oauth_tokens
+DELETE FROM iam_user_provider_oauth_tokens
 WHERE provider_id = sqlc.arg(provider_id)
   AND user_id = sqlc.arg(user_id);
diff --git a/db/sqlite/queries/users.sql b/db/sqlite/queries/users.sql
index f269cb7fd..a917e6a4e 100644
--- a/db/sqlite/queries/users.sql
+++ b/db/sqlite/queries/users.sql
@@ -1,5 +1,5 @@
 -- name: CreateUser :one
-INSERT INTO users (id, is_active, metadata)
+INSERT INTO iam_users (id, is_active, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -13,17 +13,15 @@ RETURNING *;
 
 -- name: GetUserByID :one
 SELECT *
-FROM users
+FROM iam_users
 WHERE id = sqlc.arg(id);
 
 -- name: UpsertAccountByUsername :one
-INSERT INTO users (id, username, email, password_hash, role, display_name, avatar_url, is_active, data_root, metadata)
+INSERT INTO iam_users (id, username, email, display_name, avatar_url, is_active, data_root, metadata)
 VALUES (
   sqlc.arg(user_id),
   sqlc.arg(username),
   sqlc.arg(email),
-  sqlc.arg(password_hash),
-  sqlc.arg(role),
   sqlc.arg(display_name),
   sqlc.arg(avatar_url),
   sqlc.arg(is_active),
@@ -32,8 +30,6 @@ VALUES (
 )
 ON CONFLICT (username) DO UPDATE SET
   email = EXCLUDED.email,
-  password_hash = EXCLUDED.password_hash,
-  role = EXCLUDED.role,
   display_name = EXCLUDED.display_name,
   avatar_url = EXCLUDED.avatar_url,
   is_active = EXCLUDED.is_active,
@@ -42,11 +38,9 @@ ON CONFLICT (username) DO UPDATE SET
 RETURNING *;
 
 -- name: CreateAccount :one
-UPDATE users
+UPDATE iam_users
 SET username = sqlc.arg(username),
     email = sqlc.arg(email),
-    password_hash = sqlc.arg(password_hash),
-    role = sqlc.arg(role),
     display_name = sqlc.arg(display_name),
     avatar_url = sqlc.arg(avatar_url),
     is_active = sqlc.arg(is_active),
@@ -56,37 +50,45 @@ WHERE id = sqlc.arg(user_id)
 RETURNING *;
 
 -- name: GetAccountByIdentity :one
-SELECT * FROM users WHERE username = sqlc.arg(identity) OR email = sqlc.arg(identity);
+SELECT u.*
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
+  AND (i.subject = lower(sqlc.arg(identity)) OR lower(COALESCE(i.email, '')) = lower(sqlc.arg(identity)))
+LIMIT 1;
 
 -- name: GetAccountByUserID :one
-SELECT * FROM users WHERE id = sqlc.arg(user_id);
+SELECT * FROM iam_users WHERE id = sqlc.arg(user_id);
 
 -- name: CountAccounts :one
-SELECT COUNT(*) AS count
-FROM users
-WHERE username IS NOT NULL
-  AND password_hash IS NOT NULL;
+SELECT COUNT(DISTINCT u.id) AS count
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password';
 
 -- name: ListAccounts :many
-SELECT * FROM users
-WHERE username IS NOT NULL
-ORDER BY created_at DESC;
+SELECT DISTINCT u.*
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
+ORDER BY u.created_at DESC;
 
 -- name: SearchAccounts :many
-SELECT *
-FROM users
-WHERE username IS NOT NULL
+SELECT DISTINCT u.*
+FROM iam_users u
+LEFT JOIN iam_identities i ON i.user_id = u.id AND i.provider_type = 'password'
+WHERE i.id IS NOT NULL
   AND (
     sqlc.arg(query) = ''
-    OR lower(username) LIKE '%' || lower(sqlc.arg(query)) || '%'
-    OR lower(COALESCE(display_name, '')) LIKE '%' || lower(sqlc.arg(query)) || '%'
-    OR lower(COALESCE(email, '')) LIKE '%' || lower(sqlc.arg(query)) || '%'
+    OR lower(u.username) LIKE '%' || lower(sqlc.arg(query)) || '%'
+    OR lower(COALESCE(u.display_name, '')) LIKE '%' || lower(sqlc.arg(query)) || '%'
+    OR lower(COALESCE(u.email, '')) LIKE '%' || lower(sqlc.arg(query)) || '%'
   )
-ORDER BY last_login_at DESC, created_at DESC
+ORDER BY u.last_login_at DESC, u.created_at DESC
 LIMIT sqlc.arg(limit_count);
 
 -- name: UpdateAccountProfile :one
-UPDATE users
+UPDATE iam_users
 SET display_name = sqlc.arg(display_name),
     avatar_url = sqlc.arg(avatar_url),
     timezone = sqlc.arg(timezone),
@@ -96,9 +98,8 @@ WHERE id = sqlc.arg(id)
 RETURNING *;
 
 -- name: UpdateAccountAdmin :one
-UPDATE users
-SET role = sqlc.arg(role),
-    display_name = sqlc.arg(display_name),
+UPDATE iam_users
+SET display_name = sqlc.arg(display_name),
     avatar_url = sqlc.arg(avatar_url),
     is_active = sqlc.arg(is_active),
     updated_at = CURRENT_TIMESTAMP
@@ -106,14 +107,50 @@ WHERE id = sqlc.arg(user_id)
 RETURNING *;
 
 -- name: UpdateAccountPassword :one
-UPDATE users
-SET password_hash = sqlc.arg(password_hash),
+UPDATE iam_identities
+SET credential_secret = sqlc.arg(password_hash),
     updated_at = CURRENT_TIMESTAMP
-WHERE id = sqlc.arg(id)
-RETURNING *;
+WHERE user_id = sqlc.arg(user_id)
+  AND provider_type = 'password'
+RETURNING (
+  SELECT id FROM iam_users WHERE id = iam_identities.user_id
+) AS id,
+(
+  SELECT username FROM iam_users WHERE id = iam_identities.user_id
+) AS username,
+(
+  SELECT email FROM iam_users WHERE id = iam_identities.user_id
+) AS email,
+(
+  SELECT display_name FROM iam_users WHERE id = iam_identities.user_id
+) AS display_name,
+(
+  SELECT avatar_url FROM iam_users WHERE id = iam_identities.user_id
+) AS avatar_url,
+(
+  SELECT timezone FROM iam_users WHERE id = iam_identities.user_id
+) AS timezone,
+(
+  SELECT data_root FROM iam_users WHERE id = iam_identities.user_id
+) AS data_root,
+(
+  SELECT last_login_at FROM iam_users WHERE id = iam_identities.user_id
+) AS last_login_at,
+(
+  SELECT is_active FROM iam_users WHERE id = iam_identities.user_id
+) AS is_active,
+(
+  SELECT metadata FROM iam_users WHERE id = iam_identities.user_id
+) AS metadata,
+(
+  SELECT created_at FROM iam_users WHERE id = iam_identities.user_id
+) AS created_at,
+(
+  SELECT updated_at FROM iam_users WHERE id = iam_identities.user_id
+) AS updated_at;
 
 -- name: UpdateAccountLastLogin :one
-UPDATE users
+UPDATE iam_users
 SET last_login_at = CURRENT_TIMESTAMP,
     updated_at = CURRENT_TIMESTAMP
 WHERE id = sqlc.arg(id)
diff --git a/docs/sdlc/2026-05-02/iam-sso-rbac/plan.md b/docs/sdlc/2026-05-02/iam-sso-rbac/plan.md
new file mode 100644
index 000000000..4079f717e
--- /dev/null
+++ b/docs/sdlc/2026-05-02/iam-sso-rbac/plan.md
@@ -0,0 +1,548 @@
+# IAM SSO RBAC 重构实现计划
+
+## 执行状态
+
+- 已完成：数据库 IAM schema/migration、PostgreSQL/SQLite baseline、SQLC 查询与生成代码。
+- 已完成：password identity、session JWT、OIDC/SAML SSO 登录、SSO one-time code exchange。
+- 已完成：RBAC service、LRU TTL cache、group inherited role、bot-scoped user/group role assignment。
+- 已完成：`bot_acl_rules` 保持外部 channel ACL，绑定用户后串联 `bot.chat`。
+- 已完成：IAM 管理 API、OpenAPI、SDK、登录 SSO UI、IAM 管理 UI。
+- 已完成：OIDC `client_secret` 管理接口响应脱敏，编辑保存脱敏占位值时保留原 secret。
+- 已验证：`mise run sqlc-generate`、`mise run swagger-generate`、`./node_modules/.bin/openapi-ts -f openapi-ts.config.ts`、`mise exec -- go test ./internal/... ./cmd/...`、`./apps/web/node_modules/.bin/vite build`。
+- 阻断：`mise run lint` 被本机工具链阻断，`pnpm lint` 因 `ERR_PNPM_IGNORED_BUILDS` 停止，`golangci-lint` 因当前二进制使用 Go 1.25 而依赖文件要求 Go 1.26 panic。
+
+## 方案说明
+
+本计划基于 `docs/sdlc/2026-05-02/iam-sso-rbac/spec.md`，一次性完成 IAM 表命名统一、password identity 迁移、RBAC、session、OIDC/SAML SSO 登录、用户组映射、bot 权限接入和前端管理入口。
+
+核心实现策略：
+
+- 数据库先行：PostgreSQL 增量 migration 和 baseline 同步更新，SQLite baseline 和 `0003_iam_sso_rbac` 同步更新，所有数据迁移由 SQL migration 自动完成。
+- 权限统一：删除 `users.role` 语义，所有 system/bot 授权通过 `internal/iam/rbac.Service.HasPermission`。
+- 登录统一：password/OIDC/SAML 都产出 `iam_sessions` 和 Memoh JWT，JWT 只包含 `user_id/session_id/iat/exp`。
+- Channel ACL 保持独立：`bot_acl_rules` 继续控制外部 channel `chat.trigger`，绑定用户时再串联 `bot.chat`。
+- 不做兼容层：旧 API/UI 的 `role` 字段删除，前后端和 SDK 一次性更新。
+
+## 子代理并行策略
+
+实现阶段按依赖分批并行推进，写入范围必须互不重叠。关键接口按顺序落地，测试和前端页面在接口稳定后并行。
+
+Batch 1:
+
+- Worker A 数据库 migration/query：`db/postgres/**`、`db/sqlite/**`。
+- Worker B DB store 接口草案：等 Worker A 生成 sqlc 后接手 `internal/db/**`。
+
+Batch 2:
+
+- Worker C IAM accounts/auth/rbac：`internal/iam/accounts/**`、`internal/iam/auth/**`、`internal/iam/rbac/**`。
+- Worker D SSO core：`internal/iam/sso/**`，不修改 `*_test.go`。
+- Worker F 后端单元测试：只改 `internal/iam/**/*_test.go`，包含 accounts/auth/rbac/sso 测试。
+
+Batch 3:
+
+- Worker E Auth handler：`internal/handlers/auth.go`。
+- Worker G 权限接入和 IAM 管理 API：`internal/handlers/**` 中除 `auth.go` 外的文件、`internal/bots/**`、`internal/channel/inbound/channel.go`、`internal/command/handler.go`。
+- Worker H Channel/IAM 表名适配：`internal/acl/**`、`internal/channel/identities/**`、`internal/bind/**`。
+
+Batch 4:
+
+- Worker I OpenAPI/SDK：`spec/**`、`packages/sdk/**`。
+- Worker J Web login：`apps/web/src/pages/login/**`、`apps/web/src/store/user.ts`。
+- Worker K Web IAM 管理页面：新增 IAM 管理页面路由、列表、表单、保存、脱敏字段展示和错误态组件。
+
+合并顺序：
+
+1. Worker A 完成 migration/query 后运行 `mise run sqlc-generate`。
+2. Worker B 修复 `internal/db/**` 适配生成类型。
+3. Worker C/D 并行实现 IAM core 和 SSO core。
+4. Worker E/G/H 接入 handlers、bot、channel、command。
+5. Worker I 生成 OpenAPI/SDK。
+6. Worker J/K 接前端。
+7. Worker F 补齐测试并执行最终验证。
+
+## 改动文件
+
+数据库：
+
+- `db/postgres/migrations/0077_iam_sso_rbac.up.sql`：新增自动数据迁移。
+- `db/postgres/migrations/0077_iam_sso_rbac.down.sql`：新增回滚迁移。
+- `db/postgres/migrations/0001_init.up.sql`：更新 PostgreSQL baseline 到最终 schema。
+- `db/postgres/migrations/0001_init.down.sql`：更新 baseline rollback。
+- `db/sqlite/migrations/0001_init.up.sql`：更新 SQLite baseline 到最终 schema。
+- `db/sqlite/migrations/0001_init.down.sql`：更新 baseline rollback。
+- `db/sqlite/migrations/0003_iam_sso_rbac.up.sql`：新增 SQLite 自动数据迁移。
+- `db/sqlite/migrations/0003_iam_sso_rbac.down.sql`：新增 SQLite 回滚迁移。
+- `db/postgres/queries/users.sql`：改为 `iam_users` 和 `iam_identities`。
+- `db/sqlite/queries/users.sql`：同步改为 `iam_users` 和 `iam_identities`。
+- `db/postgres/queries/iam.sql`：新增 RBAC/session/SSO/group 查询。
+- `db/sqlite/queries/iam.sql`：新增 SQLite 对应查询。
+- `db/postgres/queries/acl.sql`：引用 `iam_channel_identities`、`iam_users`。
+- `db/sqlite/queries/acl.sql`：同步更新引用。
+- `db/postgres/queries/acl.sql`：改名引用和 list join。
+- `db/postgres/queries/bind.sql`：改名引用。
+- `db/postgres/queries/channel_identities.sql`：改名引用。
+- `db/postgres/queries/channels.sql`：改名引用。
+- `db/postgres/queries/messages.sql`：改名 `sender_channel_identity_id` 相关引用。
+- `db/postgres/queries/user_provider_oauth.sql`：改名引用。
+- `db/postgres/queries/users.sql`：改为 `iam_users` + password `iam_identities`。
+- `db/sqlite/queries/acl.sql`：同步更新。
+- `db/sqlite/queries/bind.sql`：同步更新。
+- `db/sqlite/queries/channel_identities.sql`：同步更新。
+- `db/sqlite/queries/channels.sql`：同步更新。
+- `db/sqlite/queries/messages.sql`：同步更新。
+- `db/sqlite/queries/user_provider_oauth.sql`：同步更新。
+- `db/sqlite/queries/users.sql`：同步更新。
+- `internal/db/postgres/sqlc/**`：由 `mise run sqlc-generate` 生成。
+- `internal/db/sqlite/sqlc/**`：由 `mise run sqlc-generate` 生成。
+- `internal/db/store/queries.go`：补充 IAM 查询接口。
+- `internal/db/store/contracts.go`：替换 AccountStore 输入输出模型。
+- `internal/db/postgres/store/accounts.go`：适配 password identity。
+- `internal/db/sqlite/store/accounts.go`：同步适配。
+- `internal/db/sqlite/store/queries.go`：同步转换 sqlc 参数。
+
+后端 IAM：
+
+- `internal/iam/accounts/types.go`：新增无 role 的 Account、创建/更新/密码 DTO。
+- `internal/iam/accounts/service.go`：实现 password identity 登录、用户 CRUD、密码更新。
+- `internal/iam/auth/jwt.go`：新增 session_id claim，保留 chat token 逻辑。
+- `internal/iam/auth/session_middleware.go`：校验 `iam_sessions` 和 `iam_users.is_active`。
+- `internal/iam/rbac/types.go`：定义 permission、role、resource 常量。
+- `internal/iam/rbac/service.go`：实现 `HasPermission`、LRU TTL cache、role assignment 管理。
+- `internal/iam/rbac/bootstrap.go`：seed 内置 permissions/roles/role_permissions。
+- `internal/iam/sso/types.go`：定义 SSO provider config、attribute mapping、normalized profile。
+- `internal/iam/sso/service.go`：实现 JIT/link、group sync、session issuance 和 one-time login code 协调。
+- `internal/iam/sso/oidc.go`：实现 OIDC start/callback。
+- `internal/iam/sso/saml.go`：实现 SAML start/ACS/metadata。
+- `internal/iam/sso/cookie.go`：实现 state/nonce/code_verifier 短期 cookie。
+- `internal/iam/sso/login_code.go`：实现 SSO one-time login code 创建和兑换。
+
+后端接入：
+
+- `internal/handlers/auth.go`：接入 password login/logout/refresh/SSO routes，移除 role response。
+- `internal/handlers/users.go`：用 `rbac.HasPermission` 替换 `IsAdmin`，移除 role 请求/响应。
+- `internal/handlers/handler_helpers.go`：改为 permission helper。
+- `internal/handlers/message.go`：替换 admin 判断。
+- `internal/bots/service.go`：`AuthorizeAccess` 改为 permission-based，创建/转移 owner 同步 `iam_principal_roles`。
+- `internal/acl/service.go`：保留 ACL 逻辑，适配 `iam_channel_identities`。
+- `internal/channel/inbound/channel.go`：外部 channel 入口 ACL allow 后，绑定用户再检查 `bot.chat`。
+- `internal/command/handler.go`：把 write command 的 owner 字符串判断改为 `bot.update` 或更细 permission 判断。
+- `internal/channel/identities/service.go`：适配 `iam_channel_identities.user_id`。
+- `internal/bind/service.go`：适配 `iam_channel_identity_bind_codes` 和 `iam_user_channel_bindings`。
+- `cmd/agent/app.go`：FX wiring 新增 IAM 服务，重写 bootstrap admin。
+- `cmd/memoh/login.go`：适配 login response 移除 role。
+- `internal/tui/api.go`：适配 login response 移除 role。
+- `go.mod` / `go.sum`：新增 OIDC/SAML/LRU 依赖。
+
+前端：
+
+- `apps/web/src/store/user.ts`：移除 `role`，保留 profile 和 token。
+- `apps/web/src/pages/login/index.vue`：增加 SSO provider 列表和跳转，password login 不再读 role。
+- `apps/web/src/pages/login/sso-callback.vue`：用一次性 code 调 `POST /auth/sso/exchange`，拿到 JWT 后写入 store。
+- `apps/web/src/lib/api-client.ts`：确认 Authorization header 行为不变。
+- `apps/web/src/pages/**`：移除 role 字段使用。
+- 新增 IAM 管理页面：SSO providers、groups、group mappings、bot permissions。
+- `spec/swagger.json` / `spec/swagger.yaml`：由 `mise run swagger-generate` 更新。
+- `packages/sdk/**`：由 `mise run sdk-generate` 更新。
+
+测试：
+
+- `internal/iam/accounts/service_test.go`
+- `internal/iam/auth/jwt_test.go`
+- `internal/iam/auth/session_middleware_test.go`
+- `internal/iam/rbac/service_test.go`
+- `internal/iam/sso/service_test.go`
+- `internal/iam/sso/oidc_test.go`
+- `internal/iam/sso/saml_test.go`
+- `internal/handlers/auth_test.go`
+- `internal/handlers/users_test.go`
+- `internal/bots/service_test.go`
+- `internal/acl/service_test.go`
+- `internal/db/migrate_test.go`
+- `apps/web/src/store/user.test.ts`
+- `apps/web/src/pages/login/index.test.ts`
+
+## 代码片段
+
+JWT 只携带 session 信息：
+
+```go
+claims := jwt.MapClaims{
+    "sub":        userID,
+    "user_id":    userID,
+    "session_id": sessionID,
+    "iat":        now.Unix(),
+    "exp":        expiresAt.Unix(),
+}
+```
+
+RBAC 统一入口：
+
+```go
+allowed, err := rbacService.HasPermission(ctx, rbac.Check{
+    UserID:        userID,
+    PermissionKey: rbac.PermissionBotChat,
+    ResourceType:  rbac.ResourceBot,
+    ResourceID:    botID,
+})
+if err != nil {
+    return err
+}
+if !allowed {
+    return ErrBotAccessDenied
+}
+```
+
+外部 channel 串联判断：
+
+```go
+allowedByACL, err := aclService.Evaluate(ctx, aclReq)
+if err != nil || !allowedByACL {
+    return allowedByACL, err
+}
+if linkedUserID != "" {
+    return rbacService.HasPermission(ctx, rbac.Check{
+        UserID:        linkedUserID,
+        PermissionKey: rbac.PermissionBotChat,
+        ResourceType:  rbac.ResourceBot,
+        ResourceID:    botID,
+    })
+}
+return true, nil
+```
+
+SSO email linking：
+
+```go
+if provider.EmailLinkingPolicy == LinkExisting && provider.TrustEmail && profile.EmailVerified {
+    user, err := users.GetByEmail(ctx, profile.Email)
+    if err == nil {
+        return identities.Link(ctx, user.ID, profile)
+    }
+}
+```
+
+这些片段必须保持最小示意，不直接复制为最终实现。最终实现以 sqlc 生成类型和现有错误处理风格为准。
+
+## 考量与权衡
+
+- 当前仓库没有 `.codex/rules/` 或 `rules/workflow.md` 文件，根目录 `AGENTS.md` 和本任务 `spec.md` 是约束来源。
+- 数据迁移必须由 `golang-migrate` 自动执行，不能要求管理员手动搬数据。
+- PostgreSQL 和 SQLite 必须同步更新 schema、query 和生成代码。
+- `iam_principal_roles` 只支持 allow，避免 deny 冲突；外部入口 deny 继续由 `bot_acl_rules` 承担。
+- 不在 JWT 中放权限，撤权延迟由 30s LRU TTL 控制。
+- SSO provider 私钥保存在 `config` JSON，API 响应必须脱敏。
+- 删除旧 `role` 字段是破坏性 API/UI 变更，本 PR 不提供兼容字段。
+- 这个 PR 面向官方主分支，必须包含 migration、单元测试、集成测试、OpenAPI/SDK 生成和前端验证。
+
+## 影响的测试
+
+必须新增或更新：
+
+- Password login 从 `iam_identities` 校验 bcrypt。
+- JWT 包含 `session_id`，session revoked 后请求 401。
+- 禁用 `iam_users.is_active=false` 后请求 401。
+- Bootstrap admin 创建 admin user、password identity、system admin assignment。
+- Migration 将旧 `users.role/password_hash` 迁到 RBAC 和 password identity。
+- RBAC user direct assignment 命中。
+- RBAC group inherited assignment 命中。
+- `resource_id=NULL` bot global assignment 命中。
+- bot owner migration 后拥有 `bot_owner` 权限。
+- `bot_acl_rules` 未绑定用户只看 ACL。
+- `bot_acl_rules` 绑定用户时额外检查 `bot.chat`。
+- OIDC state/nonce 校验、email linking policy、group mapping sync。
+- SAML ACS 校验、NameID subject、group mapping sync。
+- SSO callback URL 不暴露 JWT，one-time code exchange 成功后才返回 JWT。
+- 前端 password login 不再依赖 role。
+- 前端 SSO provider 列表和 redirect 行为。
+
+## Todo List
+
+### Phase 1: 数据库 schema 与 migration
+
+- [ ] 阅读 `db/postgres/migrations/0076_container_workspace_backend.up.sql` 和 `db/sqlite/migrations/0002_container_workspace_backend.up.sql`，确认下一版本号和迁移风格。
+- [ ] 在 `db/postgres/migrations/0077_iam_sso_rbac.up.sql` 添加 `CREATE TYPE` / `ALTER TYPE` 预备语句。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 先重命名 `users -> iam_users`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 重命名 `channel_identities -> iam_channel_identities`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 重命名 `user_channel_bindings -> iam_user_channel_bindings`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 重命名 `channel_identity_bind_codes -> iam_channel_identity_bind_codes`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 重命名 `user_provider_oauth_tokens -> iam_user_provider_oauth_tokens`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 调整 `iam_users` indexes 和 constraints 名称。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_identities`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_sessions`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_login_codes`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_sso_providers`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_groups`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_group_members`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_sso_group_mappings`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_permissions`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_roles`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_role_permissions`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 创建全新表 `iam_principal_roles`。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 写入内置 permission seed。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 写入内置 role seed。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 写入 role_permissions seed。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 迁移 password identity。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 迁移 `users.role` 到 system role assignment。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 迁移 `bots.owner_user_id` 到 bot owner assignment。
+- [ ] 在 `0077_iam_sso_rbac.up.sql` 删除 `iam_users.password_hash`、`iam_users.role`、`user_role` enum。
+- [ ] 在 `db/postgres/migrations/0077_iam_sso_rbac.down.sql` 先恢复 `user_role` enum。
+- [ ] 在 `0077_iam_sso_rbac.down.sql` 给 `iam_users` 恢复 `role` 和 `password_hash` 列。
+- [ ] 在 `0077_iam_sso_rbac.down.sql` 从 `iam_identities` 写回 password hash。
+- [ ] 在 `0077_iam_sso_rbac.down.sql` 从 system role assignment 写回 `users.role`。
+- [ ] 在 `0077_iam_sso_rbac.down.sql` drop 新增 IAM 表。
+- [ ] 在 `0077_iam_sso_rbac.down.sql` rename `iam_*` 旧表回原名。
+- [ ] 更新 `db/postgres/migrations/0001_init.up.sql` 到最终 schema。
+- [ ] 更新 `db/postgres/migrations/0001_init.down.sql` 的 drop 顺序。
+- [ ] 在 `db/sqlite/migrations/0003_iam_sso_rbac.up.sql` 按 SQLite rebuild-table 方式迁移 `users -> iam_users`。
+- [ ] 在 `0003_iam_sso_rbac.up.sql` 创建 SQLite 全新 IAM 表。
+- [ ] 在 `0003_iam_sso_rbac.up.sql` 迁移 password identity、system role、bot owner role。
+- [ ] 在 `db/sqlite/migrations/0003_iam_sso_rbac.down.sql` 写 SQLite rebuild-table 回滚迁移。
+- [ ] 更新 `db/sqlite/migrations/0001_init.up.sql` 到最终 schema。
+- [ ] 更新 `db/sqlite/migrations/0001_init.down.sql` 的 drop 顺序。
+
+### Phase 2: SQL queries 与生成代码
+
+- [ ] 更新 `db/postgres/queries/users.sql`，改为 `iam_users` + password `iam_identities`。
+- [ ] 更新 `db/sqlite/queries/users.sql`，保持 PostgreSQL 等价语义。
+- [ ] 新增 `db/postgres/queries/iam.sql` 的 session 查询。
+- [ ] 新增 `db/sqlite/queries/iam.sql` 的 session 查询。
+- [ ] 在 `iam.sql` 添加 RBAC permission check 查询。
+- [ ] 在 `iam.sql` 添加 one-time login code create/exchange 查询。
+- [ ] 在 `iam.sql` 添加 role/permission seed upsert 查询。
+- [ ] 在 `iam.sql` 添加 principal role assignment CRUD 查询。
+- [ ] 在 `iam.sql` 添加 SSO provider CRUD 查询。
+- [ ] 在 `iam.sql` 添加 identity lookup/link 查询。
+- [ ] 在 `iam.sql` 添加 group/group member/group mapping 查询。
+- [ ] 更新 `db/postgres/queries/acl.sql` 的 `iam_channel_identities` / `iam_users` join。
+- [ ] 更新 `db/sqlite/queries/acl.sql` 的等价 join。
+- [ ] 更新 `db/postgres/queries/bind.sql` 的 bind code 和 channel identity 表名。
+- [ ] 更新 `db/sqlite/queries/bind.sql` 的等价表名。
+- [ ] 更新 `db/postgres/queries/channel_identities.sql` 的表名。
+- [ ] 更新 `db/sqlite/queries/channel_identities.sql` 的表名。
+- [ ] 更新 `db/postgres/queries/channels.sql` 的 channel identity 表名。
+- [ ] 更新 `db/sqlite/queries/channels.sql` 的 channel identity 表名。
+- [ ] 更新 `db/postgres/queries/messages.sql` 的 channel identity FK/join 表名。
+- [ ] 更新 `db/sqlite/queries/messages.sql` 的 channel identity FK/join 表名。
+- [ ] 更新 `db/postgres/queries/user_provider_oauth.sql` 的表名。
+- [ ] 更新 `db/sqlite/queries/user_provider_oauth.sql` 的表名。
+- [ ] 运行 `mise run sqlc-generate`。
+- [ ] 修复 `internal/db/store/queries.go` 中 sqlc 接口编译错误。
+- [ ] 修复 `internal/db/sqlite/store/queries.go` 中 PostgreSQL/SQLite 类型转换错误。
+- [ ] 修复 `internal/db/store/contracts.go` 的 AccountStore 模型。
+
+### Phase 3: IAM auth/accounts/session 核心
+
+- [ ] 创建 `internal/iam/accounts/types.go`，移除 role 字段。
+- [ ] 创建 `internal/iam/accounts/service.go`，迁移 `internal/accounts/service.go` 中 profile CRUD。
+- [ ] 在 accounts service 实现 password identity 登录。
+- [ ] 在 accounts service 实现本地用户创建并写 password identity。
+- [ ] 在 accounts service 实现用户密码更新到 `iam_identities.credential_secret`。
+- [ ] 在 accounts service 实现管理员重置 password identity。
+- [ ] 创建 `internal/iam/auth/jwt.go`，加入 `session_id` claim。
+- [ ] 保留 chat token claims，避免 channel route token 回归。
+- [ ] 创建 `internal/iam/auth/session_middleware.go`，验证 session 和 active user。
+- [ ] 修改 `internal/server/server.go`，JWT middleware 串接 session 验证。
+- [ ] 更新 `internal/auth/jwt_test.go` 到 `internal/iam/auth/jwt_test.go`。
+- [ ] 新增 session middleware revoked/inactive/expired 测试。
+- [ ] 删除或迁移旧 `internal/accounts` 和 `internal/auth` 引用。
+
+### Phase 4: RBAC 核心
+
+- [ ] 创建 `internal/iam/rbac/types.go`，定义 permission、role、resource 常量。
+- [ ] 创建 `internal/iam/rbac/service.go`，实现 `HasPermission`。
+- [ ] 在 RBAC service 中接入 `expirable.LRU`，TTL 30s、max entries 10000。
+- [ ] 实现 user direct role 查询路径。
+- [ ] 实现 group inherited role 查询路径。
+- [ ] 实现 bot `resource_id=NULL` global assignment 查询路径。
+- [ ] 实现 `system.admin` 全局管理员判断。
+- [ ] 创建 `internal/iam/rbac/bootstrap.go`，封装内置 seed 校验。
+- [ ] 新增 role assignment 管理方法，限制 bot owner 只能授予 bot scope role。
+- [ ] 新增 RBAC 单元测试覆盖 direct/group/global/system.admin。
+- [ ] 新增缓存 TTL 和权限变更延迟测试。
+
+### Phase 5: Bootstrap 与 FX wiring
+
+- [ ] 修改 `cmd/agent/app.go` provider，注册 IAM accounts/auth/rbac/sso 服务。
+- [ ] 重写 `ensureAdminUser` 为 `ensureIAMBootstrap`。
+- [ ] 在 bootstrap 中确保内置 permissions/roles/role_permissions。
+- [ ] 在 bootstrap 中确保 admin `iam_users`。
+- [ ] 在 bootstrap 中确保 admin password `iam_identities`。
+- [ ] 在 bootstrap 中确保 admin system role assignment。
+- [ ] 更新相关构造函数参数，消除旧 `accounts.Service` 编译错误。
+- [ ] 新增 bootstrap 测试覆盖空库和已有库。
+
+### Phase 6: SSO service
+
+- [ ] 创建 `internal/iam/sso/types.go`，定义 OIDC/SAML config 和 mapping structs。
+- [ ] 创建 `internal/iam/sso/cookie.go`，实现 state/nonce/code_verifier cookie。
+- [ ] 在 `cookie.go` 实现 `SetOIDCStateCookie`。
+- [ ] 在 `cookie.go` 实现 `ReadAndClearOIDCStateCookie`。
+- [ ] 创建 `internal/iam/sso/login_code.go`，实现随机 code 生成和 hash。
+- [ ] 在 `login_code.go` 实现 `CreateLoginCode` 写入 `iam_login_codes`。
+- [ ] 在 `login_code.go` 实现 `ExchangeLoginCode` 的过期和 used_at 校验。
+- [ ] 创建 `internal/iam/sso/service.go`，实现 provider lookup。
+- [ ] 在 `service.go` 实现 `FindOrProvisionUser` 主流程。
+- [ ] 在 `service.go` 实现 `LinkExistingUserByEmail`。
+- [ ] 在 `service.go` 实现 `CreateJITUser`。
+- [ ] 在 `service.go` 实现 `UpdateIdentitySnapshot`。
+- [ ] 在 `service.go` 实现 `SyncMappedGroups`。
+- [ ] 在 `SyncMappedGroups` 中只删除当前 provider 的 `source=sso` membership。
+- [ ] 创建 `internal/iam/sso/oidc.go`，实现 `BuildOIDCAuthRedirect`。
+- [ ] 在 `oidc.go` 实现 `ExchangeOIDCCode`。
+- [ ] 在 `oidc.go` 实现 `VerifyOIDCIDToken`。
+- [ ] 在 `oidc.go` 实现 `NormalizeOIDCClaims`。
+- [ ] 在 `oidc.go` 串接 callback 到 `FindOrProvisionUser` 和 `CreateLoginCode`。
+- [ ] 创建 `internal/iam/sso/saml.go`，实现 `BuildSAMLMetadata`。
+- [ ] 在 `saml.go` 实现 `BuildSAMLAuthRedirect`。
+- [ ] 在 `saml.go` 实现 `ParseAndValidateSAMLResponse`。
+- [ ] 在 `saml.go` 实现 `NormalizeSAMLAssertion`。
+- [ ] 在 `saml.go` 串接 ACS 到 `FindOrProvisionUser` 和 `CreateLoginCode`。
+- [ ] 新增 OIDC 单元测试，使用 `httptest` fake issuer 和 JWKS。
+- [ ] 新增 OIDC nonce/audience/issuer 错误测试。
+- [ ] 新增 SAML 单元测试，使用固定测试证书和 signed response fixture。
+- [ ] 新增 SAML Audience/ACS URL/signature 错误测试。
+- [ ] 新增 group mapping sync 测试。
+
+### Phase 7: Auth handlers
+
+- [ ] 修改 `internal/handlers/auth.go` imports 到 `internal/iam/accounts` 和 `internal/iam/auth`。
+- [ ] 修改 `LoginResponse`，移除 `role`，增加 `session_id`。
+- [ ] 修改 password `Login`，创建 session 后签发 JWT。
+- [ ] 新增 `POST /auth/logout`，撤销当前 session。
+- [ ] 修改 `POST /auth/refresh`，校验 session 后续期并签发新 JWT。
+- [ ] 新增 `GET /auth/sso/providers`，只返回 enabled providers 和脱敏信息。
+- [ ] 新增 OIDC start/callback handlers。
+- [ ] 新增 SAML start/ACS/metadata handlers。
+- [ ] 新增 `POST /auth/sso/exchange` handler，使用 one-time login code 返回 JWT。
+- [ ] 修改 `internal/server/server.go::shouldSkipJWT`，放行 SSO start/callback/metadata/exchange。
+- [ ] 新增 auth handler tests 覆盖 login/logout/refresh/SSO routes/exchange。
+
+### Phase 8: 用户与 bot handler 权限替换
+
+- [ ] 修改 `internal/handlers/handler_helpers.go`，新增 `RequirePermission` helper。
+- [ ] 在 `internal/handlers/users.go::ListUsers` 使用 `system.admin`。
+- [ ] 在 `GetUser` 保留 self 访问，非 self 使用 `system.admin`。
+- [ ] 在 `UpdateUser`、`ResetUserPassword`、`CreateUser` 使用 `system.admin`。
+- [ ] 在 `CreateBot` owner override 使用 `system.admin`。
+- [ ] 在 `ListBots` owner filter 使用 `system.admin`。
+- [ ] 修改 `GetBot` 使用 `bot.read`。
+- [ ] 修改 `UpdateBot` 使用 `bot.update`。
+- [ ] 修改 `DeleteBot` 使用 `bot.delete`。
+- [ ] 修改 `TransferBotOwner` 使用 `bot.permissions.manage` 或 `system.admin`。
+- [ ] 修改 channel config handlers 使用 `bot.update`。
+- [ ] 修改 send/chat handlers 使用 `bot.chat`。
+- [ ] 修改 `internal/handlers/message.go` 中 admin 判断为 RBAC。
+- [ ] 更新 `internal/command/handler.go::MemberRoleResolver` 为 permission resolver。
+- [ ] 更新 `internal/command/handler.go::ExecuteWithInput`，write command 使用 permission 判断。
+- [ ] 更新 users handler tests 覆盖 forbidden/allowed。
+
+### Phase 9: Bot service 与 ACL 串联
+
+- [ ] 修改 `internal/bots/service.go::AuthorizeAccess` 签名，移除 `isAdmin` 参数。
+- [ ] 在 `AuthorizeAccess` 中调用 RBAC `bot.read`。
+- [ ] 在 `Create` 成功后写 `bot_owner` role assignment。
+- [ ] 在 `TransferOwner` 中同步删除旧 owner assignment 并写新 owner assignment。
+- [ ] 在 `ListAccessible` 中改为 RBAC 查询可见 bot。
+- [ ] 保留 `bots.owner_user_id` 字段作为归属和查询字段。
+- [ ] 修改 `internal/acl/service.go` 只做 channel ACL，不引入 IAM。
+- [ ] 修改 `internal/channel/inbound/channel.go` 的 ACL 判断点，ACL allow 后读取 linked user。
+- [ ] 在 `internal/channel/inbound/channel.go` 绑定用户分支增加 `bot.chat` RBAC 检查。
+- [ ] 在 `internal/channel/inbound/channel.go` 未绑定用户分支保持只看 `bot_acl_rules`。
+- [ ] 更新 channel inbound 相关测试覆盖绑定/未绑定两条路径。
+- [ ] 更新 `internal/bots/service_test.go`。
+- [ ] 更新 `internal/acl/service_test.go` 覆盖重命名表和串联策略。
+
+### Phase 10: IAM 管理 API
+
+- [ ] 新增 `internal/handlers/iam.go` 注册 IAM 管理 routes。
+- [ ] 添加 SSO provider CRUD API，要求 `system.admin`。
+- [ ] 添加 group CRUD API，要求 `system.admin`。
+- [ ] 添加 group member 管理 API，要求 `system.admin`。
+- [ ] 添加 SSO group mapping API，要求 `system.admin`。
+- [ ] 添加 role list/detail API，要求 `system.admin`。
+- [ ] 添加 role permission 管理 API，要求 `system.admin`。
+- [ ] 添加 principal role assignment API，system/global bot 要求 `system.admin`。
+- [ ] 添加 bot scoped principal role assignment API，要求 `bot.permissions.manage`。
+- [ ] API 响应中对 SAML private key、OIDC client_secret 脱敏。
+- [ ] 新增 IAM handler tests 覆盖权限和脱敏。
+
+### Phase 11: 表名改名影响修复
+
+- [ ] 更新 `internal/channel/identities/service.go` 到 `iam_channel_identities` sqlc 类型。
+- [ ] 更新 `internal/bind/service.go` 到 `iam_channel_identity_bind_codes`。
+- [ ] 更新 user provider OAuth 相关 store/handler 到 `iam_user_provider_oauth_tokens`。
+- [ ] 更新 provider OAuth、email OAuth、MCP OAuth 不属于 IAM 的表引用，确认未误改。
+- [ ] 全库 `rg \"\\busers\\b|channel_identities|user_channel_bindings|channel_identity_bind_codes|user_provider_oauth_tokens\"`，逐项确认 SQL 和 Go 引用。
+- [ ] 全库 `rg \"\\.Role|role:\" internal apps/web/src packages/sdk`，移除旧 user role 依赖。
+
+### Phase 12: OpenAPI、SDK 与前端
+
+- [ ] 更新 swaggo annotations，移除 LoginResponse role。
+- [ ] 添加 auth SSO endpoints annotations。
+- [ ] 添加 IAM management endpoints annotations。
+- [ ] 运行 `mise run swagger-generate`。
+- [ ] 运行 `mise run sdk-generate`。
+- [ ] 修改 `apps/web/src/store/user.ts`，移除 role。
+- [ ] 修改 `apps/web/src/pages/login/index.vue`，password login 不再读 role。
+- [ ] 在 login 页面加载 enabled SSO providers。
+- [ ] 在 login 页面添加 SSO provider 按钮和 redirect。
+- [ ] 新增 SSO callback 页面，从 URL 读取 one-time code。
+- [ ] 在 SSO callback 页面调用 `POST /auth/sso/exchange`。
+- [ ] SSO exchange 成功后写入 `useUserStore` token。
+- [ ] SSO exchange 失败后清理本地 token 并回到 login。
+- [ ] 新增 IAM 管理路由和导航入口。
+- [ ] 新增 SSO provider 列表页面。
+- [ ] 新增 SSO provider 创建/编辑表单。
+- [ ] SSO provider 表单支持 OIDC config 字段。
+- [ ] SSO provider 表单支持 SAML metadata/config 字段。
+- [ ] SSO provider 详情和列表中脱敏 `client_secret` / private key 字段。
+- [ ] 新增 SSO provider 保存错误态和 loading 态。
+- [ ] 新增 IAM group 列表页面。
+- [ ] 新增 IAM group 创建/编辑表单。
+- [ ] 新增 SSO group mapping 列表页面。
+- [ ] 新增 SSO group mapping 创建/编辑表单。
+- [ ] 新增 bot permissions 页面入口。
+- [ ] 新增 bot permissions user/group assignment 列表。
+- [ ] 新增 bot permissions role assignment 表单。
+- [ ] bot permissions 页面限制角色选择为 bot scope roles。
+- [ ] 新增 IAM 管理页面空态、错误态和 loading 态。
+- [ ] 更新前端 i18n 文案。
+- [ ] 新增或更新 Vitest 测试。
+
+### Phase 13: 迁移与集成测试
+
+- [ ] 新增 PostgreSQL migration 测试 fixture：旧 users role/password_hash/bots owner。
+- [ ] 验证 PostgreSQL `0077 up` 后 identity、roles、principal roles 正确。
+- [ ] 验证 PostgreSQL `0077 down` 能恢复旧 schema。
+- [ ] 新增 SQLite migration 测试 fixture。
+- [ ] 验证 SQLite `0003 up` 后 identity、roles、principal roles 正确。
+- [ ] 验证 password login 使用迁移后的 password identity。
+- [ ] 验证 session revoke 后 protected endpoint 401。
+- [ ] 验证 inactive user protected endpoint 401。
+- [ ] 验证 admin bootstrap 空库创建完整 RBAC。
+- [ ] 验证 bot owner 可 read/update/delete 自己 bot。
+- [ ] 验证 group bot_viewer 只能 read/chat。
+- [ ] 验证 bot global role 对所有 bot 生效。
+- [ ] 验证 SSO group mapping 只同步命中 group。
+- [ ] 验证未映射 external group 不创建本地 group。
+- [ ] 验证 OIDC callback URL 不包含 JWT。
+- [ ] 验证 SSO one-time code 只能 exchange 一次。
+- [ ] 验证过期 SSO one-time code exchange 返回 401。
+
+### Phase 14: 最终验证
+
+- [ ] 运行 `mise run sqlc-generate`，确认无 diff 或提交生成物。
+- [ ] 运行 `mise run swagger-generate`。
+- [ ] 运行 `mise run sdk-generate`。
+- [ ] 运行 `go test ./internal/iam/...`。
+- [ ] 运行 `rg "github.com/memohai/memoh/internal/(accounts|auth)" internal cmd`，确认旧包 import 已清空。
+- [ ] 运行 `go test ./internal/handlers ./internal/bots ./internal/acl`。
+- [ ] 运行 `go test ./internal/db/...`。
+- [ ] 运行 `go test ./cmd/agent`。
+- [ ] 运行前端相关 Vitest。
+- [ ] 运行 `mise run lint`。
+- [ ] 在 PostgreSQL dev 环境执行 `go run ./cmd/agent migrate up`。
+- [ ] 在 SQLite dev 环境执行 `go run ./cmd/agent migrate up`。
+- [ ] 手动验证 password login、SSO provider list、bot permissions 管理、channel ACL 串联。
+- [ ] 全库 `rg "role"`，确认剩余命中不是旧 `users.role` 语义。
+- [ ] 全库 `rg "users|channel_identities"`，确认剩余命中不是旧表名。
diff --git a/docs/sdlc/2026-05-02/iam-sso-rbac/spec.md b/docs/sdlc/2026-05-02/iam-sso-rbac/spec.md
new file mode 100644
index 000000000..687bc5496
--- /dev/null
+++ b/docs/sdlc/2026-05-02/iam-sso-rbac/spec.md
@@ -0,0 +1,850 @@
+# IAM SSO RBAC 重构规格
+
+## 问题定义
+
+Memoh 当前认证和权限模型以 `users` 表为中心：
+
+- 本地账号密码直接存在 `users.password_hash`
+- 全局权限通过 `users.role = member | admin` 表达
+- bot Web/API 访问通过 `isAdmin || bots.owner_user_id == userID` 判断
+- 外部渠道触发 bot 使用独立的 `bot_acl_rules`
+
+这个模型无法表达企业 SSO 和用户组权限：
+
+- 一个用户需要同时绑定 password、OIDC、SAML、channel 等多个身份
+- OIDC/SAML 登录需要 JIT 创建或绑定已有用户
+- SSO group 需要映射到 Memoh group
+- user/group 需要获得 system scope 或 bot scope 的 role
+- `users.role` 只能表达全局 admin/member，无法表达 per-bot 权限
+
+本次重构目标是一次性引入新的 IAM 域模型，移除 `users.role` 和 `users.password_hash` 的业务语义，支持 OIDC/SAML SSO 登录、用户组、RBAC 授权，并保持 `bot_acl_rules` 作为外部 channel 入口 ACL。
+
+## 非目标
+
+- 不实现 SCIM。
+- 不引入 organization / tenant。
+- 不支持 group 嵌套。
+- 不实现 OAuth2/OIDC Provider。
+- 不把权限写入 JWT。
+- 不把 `bot_acl_rules` 合并进 IAM RBAC。
+- 不保留旧 `users.role` API/UI 兼容层。
+
+## 依赖
+
+使用当前 Go proxy latest 版本：
+
+```text
+github.com/zitadel/oidc/v3 v3.47.5
+github.com/crewjam/saml v0.5.1
+github.com/hashicorp/golang-lru/v2/expirable
+```
+
+用途：
+
+- `github.com/zitadel/oidc/v3`: OIDC Relying Party，使用 Authorization Code + PKCE。
+- `github.com/crewjam/saml`: SAML Service Provider，处理 AuthnRequest、ACS、SAMLResponse 验证。
+- `github.com/hashicorp/golang-lru/v2/expirable`: RBAC permission check 的进程内 LRU TTL cache。
+
+## 命名决策
+
+IAM 域内表统一使用 `iam_*` 前缀。
+
+现有表一次性重命名：
+
+```text
+users -> iam_users
+channel_identities -> iam_channel_identities
+user_channel_bindings -> iam_user_channel_bindings
+channel_identity_bind_codes -> iam_channel_identity_bind_codes
+user_provider_oauth_tokens -> iam_user_provider_oauth_tokens
+```
+
+保留 `bot_acl_rules` 名称。它属于 bot 外部入口规则，不属于 IAM RBAC。
+
+## 数据模型
+
+### iam_users
+
+用户主体，只存 profile、状态和默认展示信息。
+
+```text
+id
+username
+email
+display_name
+avatar_url
+timezone
+data_root
+is_active
+metadata
+last_login_at
+created_at
+updated_at
+```
+
+约束：
+
+```text
+username UNIQUE
+email UNIQUE WHERE email IS NOT NULL AND email <> ''
+```
+
+移除：
+
+```text
+role
+password_hash
+```
+
+### iam_identities
+
+所有登录身份和外部身份绑定。
+
+```text
+id
+user_id
+provider_type: password | oidc | saml | channel
+provider_id
+subject
+credential_secret
+email
+username
+display_name
+avatar_url
+raw_claims
+last_login_at
+created_at
+updated_at
+```
+
+约束：
+
+```text
+UNIQUE(provider_type, provider_id, subject)
+```
+
+本地密码迁移到：
+
+```text
+provider_type = password
+provider_id = NULL
+subject = lower(username)
+credential_secret = 原 users.password_hash
+```
+
+OIDC subject：
+
+```text
+provider_type = oidc
+provider_id = iam_sso_providers.id
+subject = issuer + "|" + sub
+```
+
+SAML subject：
+
+```text
+provider_type = saml
+provider_id = iam_sso_providers.id
+subject = NameID
+```
+
+### iam_sessions
+
+服务端 session，用于撤销、禁用用户后立即失效和登录审计。
+
+```text
+id
+user_id
+identity_id
+issued_at
+expires_at
+revoked_at
+ip_address
+user_agent
+metadata
+created_at
+updated_at
+```
+
+JWT claims：
+
+```text
+sub
+user_id
+session_id
+iat
+exp
+```
+
+JWT 不包含：
+
+```text
+roles
+permissions
+groups
+```
+
+### iam_login_codes
+
+SSO callback 使用一次性登录 code 交付 token，避免把 JWT 放入 URL。
+
+```text
+id
+code_hash
+user_id
+identity_id
+session_id
+expires_at
+used_at
+created_at
+```
+
+约束：
+
+```text
+UNIQUE(code_hash)
+expires_at <= created_at + 2 minutes
+```
+
+流程：
+
+```text
+1. SSO callback 验证成功后创建 iam_sessions。
+2. 生成随机 code，只存 code_hash。
+3. redirect 到 Web callback 页面，URL 只带 code。
+4. 前端调用 POST /auth/sso/exchange。
+5. 后端校验 code 未过期且未使用，标记 used_at，返回 JWT。
+```
+
+### iam_sso_providers
+
+OIDC/SAML provider 配置。
+
+```text
+id
+type: oidc | saml
+key
+name
+enabled
+config
+attribute_mapping
+jit_enabled
+email_linking_policy
+trust_email
+created_at
+updated_at
+```
+
+`email_linking_policy`：
+
+```text
+link_existing
+reject_existing
+```
+
+默认：
+
+```text
+jit_enabled = true
+email_linking_policy = link_existing
+trust_email = false
+```
+
+OIDC `config` 示例：
+
+```json
+{
+  "issuer": "https://accounts.google.com",
+  "client_id": "...",
+  "client_secret": "...",
+  "scopes": ["openid", "profile", "email", "groups"],
+  "redirect_url": "https://memoh.example.com/auth/sso/google/callback"
+}
+```
+
+SAML `config` 示例：
+
+```json
+{
+  "entity_id": "https://memoh.example.com/auth/sso/acme/saml/metadata",
+  "metadata_xml": "...",
+  "acs_url": "https://memoh.example.com/auth/sso/acme/saml/acs"
+}
+```
+
+`attribute_mapping` 示例：
+
+```json
+{
+  "subject": "sub",
+  "email": "email",
+  "email_verified": "email_verified",
+  "display_name": "name",
+  "avatar_url": "picture",
+  "groups": ["groups", "roles", "memberOf"]
+}
+```
+
+### iam_groups
+
+扁平用户组。
+
+```text
+id
+key
+display_name
+source: local | sso | scim
+external_id
+metadata
+created_at
+updated_at
+```
+
+不支持嵌套 group。
+
+### iam_group_members
+
+用户组成员关系。
+
+```text
+id
+group_id
+user_id
+source: manual | sso | scim
+provider_id
+created_at
+updated_at
+```
+
+约束：
+
+```text
+UNIQUE(group_id, user_id, source, provider_id)
+```
+
+### iam_sso_group_mappings
+
+SSO 外部 group 到 Memoh group 的显式映射。
+
+```text
+id
+provider_id
+external_group
+group_id
+created_at
+updated_at
+```
+
+约束：
+
+```text
+UNIQUE(provider_id, external_group)
+```
+
+SSO 登录不自动创建 `iam_groups`。只同步已配置 mapping 命中的 group。
+
+### iam_permissions
+
+代码定义的能力点。
+
+```text
+id
+key
+description
+is_system
+created_at
+updated_at
+```
+
+内置 permission：
+
+```text
+system.login
+system.admin
+bot.read
+bot.chat
+bot.update
+bot.delete
+bot.permissions.manage
+```
+
+不允许管理员自定义 permission。
+
+### iam_roles
+
+permission 的组合。
+
+```text
+id
+key
+scope: system | bot
+display_name
+description
+is_system
+created_at
+updated_at
+```
+
+允许管理员自定义 role。
+
+内置 role：
+
+```text
+member
+admin
+bot_viewer
+bot_operator
+bot_owner
+```
+
+### iam_role_permissions
+
+role 到 permission 的映射。
+
+```text
+role_id
+permission_id
+created_at
+```
+
+内置映射：
+
+```text
+member -> system.login
+
+admin -> system.login
+admin -> system.admin
+
+bot_viewer -> bot.read
+bot_viewer -> bot.chat
+
+bot_operator -> bot.read
+bot_operator -> bot.chat
+bot_operator -> bot.update
+
+bot_owner -> bot.read
+bot_owner -> bot.chat
+bot_owner -> bot.update
+bot_owner -> bot.delete
+bot_owner -> bot.permissions.manage
+```
+
+### iam_principal_roles
+
+user/group 在 system/bot scope 下的 role assignment。
+
+```text
+id
+principal_type: user | group
+principal_id
+role_id
+resource_type: system | bot
+resource_id
+source: system | manual | sso | scim
+provider_id
+created_at
+updated_at
+```
+
+约束：
+
+```text
+resource_type = system -> resource_id IS NULL
+resource_type = bot -> resource_id IS NULL OR resource_id = bot id
+```
+
+`resource_id = NULL` 表示该 `resource_type` 下的全局授权。
+
+IAM RBAC 不支持 deny。撤权通过删除 assignment 完成。
+
+## 登录流程
+
+### Password
+
+```text
+1. 根据 input 查 iam_identities:
+   provider_type='password'
+   subject=lower(input)
+   或 email=lower(input)
+2. bcrypt 校验 credential_secret
+3. 查 iam_users.is_active
+4. 更新 iam_users.last_login_at 和 iam_identities.last_login_at
+5. 创建 iam_sessions
+6. 签发 Memoh JWT
+```
+
+### OIDC
+
+入口：
+
+```text
+GET /auth/sso/:provider_id/start
+GET /auth/sso/:provider_id/callback
+```
+
+流程：
+
+```text
+1. start 使用 Authorization Code + PKCE 生成 auth URL
+2. state / nonce / code_verifier 使用安全短期存储
+3. callback 校验 state
+4. exchange code
+5. 校验 id_token issuer / audience / nonce / signature / exp
+6. 提取 sub / email / email_verified / profile / groups
+7. 用 provider_id + issuer + sub 查 iam_identities
+8. 找到则更新 identity snapshot 和 user profile
+9. 未找到则执行 JIT/link
+10. 同步 SSO group mappings
+11. 创建 iam_sessions
+12. 创建一次性 iam_login_codes
+13. redirect 到 Web callback 页面
+14. 前端调用 /auth/sso/exchange 换取 Memoh JWT
+```
+
+Email 自动绑定规则：
+
+```text
+email_linking_policy = link_existing
+trust_email = true
+email_verified = true
+iam_users.email 命中
+```
+
+不满足时：
+
+```text
+email_linking_policy = reject_existing -> 拒绝登录
+email 不存在且 jit_enabled = true -> 创建新用户
+email 不存在且 jit_enabled = false -> 拒绝登录
+```
+
+### SAML
+
+入口：
+
+```text
+GET  /auth/sso/:provider_id/saml/start
+POST /auth/sso/:provider_id/saml/acs
+GET  /auth/sso/:provider_id/saml/metadata
+```
+
+流程：
+
+```text
+1. start 生成 SP-initiated AuthnRequest
+2. ACS 校验 SAMLResponse 签名、Audience、Destination、NotBefore、NotOnOrAfter
+3. 提取 NameID / email / profile / groups
+4. 用 provider_id + NameID 查 iam_identities
+5. 找到则更新 identity snapshot 和 user profile
+6. 未找到则执行 JIT/link
+7. 同步 SSO group mappings
+8. 创建 iam_sessions
+9. 创建一次性 iam_login_codes
+10. redirect 到 Web callback 页面
+11. 前端调用 /auth/sso/exchange 换取 Memoh JWT
+```
+
+SAML 没有标准 `email_verified`。是否信任 email 只由 provider 的 `trust_email` 控制。
+
+## SSO Group 同步
+
+登录时执行：
+
+```text
+1. 从 OIDC claims 或 SAML attributes 提取 external groups
+2. 使用 provider_id + external_group 查 iam_sso_group_mappings
+3. 只保留命中的 iam_groups
+4. upsert iam_group_members(source='sso', provider_id=当前 provider)
+5. 删除该 provider 下本次未命中的 source='sso' membership
+6. 不影响 source='manual'、source='scim' 或其他 provider 的 membership
+```
+
+## 授权模型
+
+统一入口：
+
+```text
+HasPermission(ctx, userID, permissionKey, resourceType, resourceID)
+```
+
+查询主体：
+
+```text
+1. user direct role assignments
+2. user group inherited role assignments
+```
+
+查询资源：
+
+```text
+resource_type = system, resource_id = NULL
+resource_type = bot, resource_id = botID
+resource_type = bot, resource_id = NULL
+```
+
+`system.admin` 可视为全局管理员能力。业务代码不再读取 `users.role`。
+
+缓存：
+
+```text
+cache key = user_id + permission_key + resource_type + resource_id
+ttl = 30s
+max entries = 10000
+```
+
+权限变更不做分布式失效。30s TTL 作为撤权延迟上限。
+
+## bot_acl_rules 分层
+
+`bot_acl_rules` 保留。它控制外部 channel 消息能否触发 bot。
+
+现有语义：
+
+```text
+action = chat.trigger
+effect = allow | deny
+subject_kind = all | channel_identity | channel_type
+priority first-match-wins
+bots.acl_default_effect fallback
+source_conversation_type/source_conversation_id/source_thread_id 做入口 scope
+```
+
+它不是 IAM RBAC，因为它的主体是 channel identity / channel type，不是 iam_user / iam_group。
+
+调用规则：
+
+```text
+Web/API chat:
+  只判断 iam_rbac bot.chat
+
+外部 channel chat:
+  1. 判断 bot_acl_rules chat.trigger
+  2. 如果 iam_channel_identities.user_id 非空，再判断 iam_rbac bot.chat
+  3. 如果未绑定 iam_user，只判断 bot_acl_rules
+```
+
+## 管理权限
+
+`system.admin`：
+
+```text
+管理 iam_sso_providers
+管理 iam_sso_group_mappings
+管理 iam_roles
+管理 iam_role_permissions
+管理 system scope principal roles
+管理 bot global principal roles(resource_type='bot', resource_id=NULL)
+```
+
+`bot.permissions.manage`：
+
+```text
+管理指定 bot 的 user/group role assignment
+只能授予 bot scope role
+resource_type='bot'
+resource_id=指定 bot_id
+```
+
+## Bootstrap Admin
+
+保留配置文件 `[admin]` bootstrap 机制，但不写 `users.role`。
+
+启动时确保：
+
+```text
+1. iam_users 中存在 admin user
+2. iam_identities 中存在 password identity
+3. iam_roles / iam_permissions / iam_role_permissions 中存在内置 RBAC seed
+4. iam_principal_roles 中存在 admin user -> admin role -> system
+```
+
+## 数据库迁移
+
+迁移不是人工操作。项目使用：
+
+```text
+github.com/golang-migrate/migrate/v4 v4.19.1
+cmd/agent migrate up
+internal/db/migrate.go
+```
+
+### PostgreSQL
+
+新增：
+
+```text
+db/postgres/migrations/0077_iam_sso_rbac.up.sql
+db/postgres/migrations/0077_iam_sso_rbac.down.sql
+```
+
+`0077_iam_sso_rbac.up.sql` 自动执行：
+
+```text
+1. 重命名 IAM 旧表为 iam_*。
+2. 创建 iam_identities / iam_sessions / iam_login_codes / iam_sso_providers / iam_groups / iam_group_members / iam_roles / iam_permissions / iam_role_permissions / iam_principal_roles / iam_sso_group_mappings。
+3. seed 内置 permissions、roles、role_permissions。
+4. 将原 users.password_hash 写入 iam_identities(provider_type='password')。
+5. 将原 users.role='admin' 写入 iam_principal_roles(system admin)。
+6. 将原 users.role='member' 写入 iam_principal_roles(system member)。
+7. 将 bots.owner_user_id 写入 iam_principal_roles(bot_owner, resource_type='bot', resource_id=bots.id)。
+8. 删除 iam_users.password_hash。
+9. 删除 iam_users.role。
+10. 删除 user_role enum。
+11. 修正所有 FK、index、constraint、query 引用。
+```
+
+同时更新 PostgreSQL baseline：
+
+```text
+db/postgres/migrations/0001_init.up.sql
+db/postgres/migrations/0001_init.down.sql
+```
+
+### SQLite
+
+更新 SQLite baseline：
+
+```text
+db/sqlite/migrations/0001_init.up.sql
+db/sqlite/migrations/0001_init.down.sql
+```
+
+同时新增自动迁移：
+
+```text
+db/sqlite/migrations/0003_iam_sso_rbac.up.sql
+db/sqlite/migrations/0003_iam_sso_rbac.down.sql
+```
+
+SQLite migration 也必须自动迁移已有数据，不能要求管理员手工搬迁。
+
+### sqlc
+
+所有 schema/query 变更同时更新：
+
+```text
+db/postgres/queries/*.sql
+db/sqlite/queries/*.sql
+```
+
+然后运行：
+
+```bash
+mise run sqlc-generate
+```
+
+## API 影响
+
+认证：
+
+```text
+POST /auth/login
+POST /auth/logout
+POST /auth/refresh
+GET  /auth/sso/providers
+GET  /auth/sso/:provider_id/start
+GET  /auth/sso/:provider_id/callback
+GET  /auth/sso/:provider_id/saml/start
+POST /auth/sso/:provider_id/saml/acs
+GET  /auth/sso/:provider_id/saml/metadata
+POST /auth/sso/exchange
+```
+
+管理：
+
+```text
+iam users
+iam identities
+iam sessions
+iam sso providers
+iam groups
+iam group members
+iam roles
+iam role permissions
+iam principal roles
+iam sso group mappings
+```
+
+旧 API/UI 中的 `role` 字段移除，不提供兼容字段。
+
+## 代码影响范围
+
+后端：
+
+```text
+internal/accounts -> internal/iam/accounts
+internal/auth -> internal/iam/auth
+internal/rbac
+internal/sso
+internal/handlers/auth.go
+internal/bots/service.go
+internal/acl
+internal/db/store
+internal/db/postgres/sqlc
+internal/db/sqlite/sqlc
+cmd/agent bootstrap wiring
+cmd/memoh login
+internal/tui api
+```
+
+前端：
+
+```text
+apps/web/src/pages/login
+apps/web/src/store/user.ts
+apps/web/src/lib/api-client.ts
+SSO provider 管理 UI
+Group 管理 UI
+Bot permission 管理 UI
+```
+
+生成物：
+
+```text
+spec/swagger.*
+packages/sdk
+```
+
+## 验证要求
+
+数据库：
+
+```bash
+mise run sqlc-generate
+go run ./cmd/agent migrate up
+```
+
+需要覆盖 PostgreSQL 和 SQLite migration track。
+
+后端测试：
+
+```text
+password login
+OIDC callback
+SAML ACS
+email linking policy
+SSO group mapping sync
+RBAC HasPermission direct user role
+RBAC HasPermission group inherited role
+bot owner migration
+system admin bootstrap
+bot_acl_rules + iam_rbac 串联
+session revoke
+inactive user request denied
+```
+
+前端验证：
+
+```text
+password login
+SSO button list
+SSO callback one-time code exchange
+user store 不再依赖 role
+bot permission management
+group mapping management
+```
+
+## 开放问题
+
+1. SAML SP signing/encryption certificate 的存储位置在本阶段定为 `iam_sso_providers.config`。私钥字段必须按敏感配置处理，API 响应默认脱敏。
+2. OIDC state/nonce/code_verifier 使用短期、HttpOnly、Secure、SameSite=Lax cookie。callback 成功或失败后清理 cookie。
diff --git a/go.mod b/go.mod
index 311ad0b42..fc7abb286 100644
--- a/go.mod
+++ b/go.mod
@@ -17,6 +17,7 @@ require (
 	github.com/containerd/errdefs v1.0.0
 	github.com/containerd/go-cni v1.1.13
 	github.com/creack/pty v1.1.24
+	github.com/crewjam/saml v0.5.1
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/emersion/go-imap/v2 v2.0.0-beta.8
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6
@@ -47,10 +48,11 @@ require (
 	github.com/swaggo/swag v1.16.6
 	github.com/wneessen/go-mail v0.7.2
 	github.com/yuin/goldmark v1.7.13
+	github.com/zitadel/oidc/v3 v3.47.5
 	go.uber.org/fx v1.24.0
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.49.0
 	golang.org/x/oauth2 v0.36.0
-	golang.org/x/term v0.40.0
+	golang.org/x/term v0.41.0
 	golang.org/x/time v0.14.0
 	google.golang.org/grpc v1.78.0
 	google.golang.org/protobuf v1.36.11
@@ -90,6 +92,7 @@ require (
 	github.com/aws/smithy-go v1.24.2 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/beevik/etree v1.5.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/charmbracelet/colorprofile v0.4.1 // indirect
@@ -121,6 +124,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.22.4 // indirect
@@ -137,14 +141,18 @@ require (
 	github.com/go-shiori/dom v0.0.0-20230515143342-73569d674e1c // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
+	github.com/jonboulle/clockwork v0.2.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
@@ -153,6 +161,7 @@ require (
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
@@ -174,6 +183,7 @@ require (
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/oapi-codegen/runtime v1.1.2 // indirect
@@ -185,6 +195,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/russellhaering/goxmldsig v1.4.0 // indirect
 	github.com/sahilm/fuzzy v0.1.1 // indirect
 	github.com/sasha-s/go-deadlock v0.3.6 // indirect
 	github.com/segmentio/asm v1.2.1 // indirect
@@ -197,23 +208,25 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	github.com/yuin/goldmark-emoji v1.0.6 // indirect
+	github.com/zitadel/logging v0.7.0 // indirect
+	github.com/zitadel/schema v1.3.2 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 // indirect
-	go.opentelemetry.io/otel v1.40.0 // indirect
-	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.uber.org/dig v1.19.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.1 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/net v0.50.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/mod v0.34.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/tools v0.43.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
index 0a584aacb..4db3f9ad8 100644
--- a/go.sum
+++ b/go.sum
@@ -68,6 +68,9 @@ github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3v
 github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl8ZBcNLgcbrw8E=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
+github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
+github.com/beevik/etree v1.5.0 h1:iaQZFSDS+3kYZiGoc9uKeOkUY3nYMXOKLl6KIJxiJWs=
+github.com/beevik/etree v1.5.0/go.mod h1:gPNJNaBGVZ9AwsidazFZyygnd+0pAU38N4D+WemwKNs=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bwmarrin/discordgo v0.29.0 h1:FmWeXFaKUwrcL3Cx65c20bTRW+vOb6k8AnaP+EgjDno=
@@ -136,8 +139,11 @@ github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsx
 github.com/containernetworking/cni v1.3.0 h1:v6EpN8RznAZj9765HhXQrtXgX+ECGebEYEmnuFjskwo=
 github.com/containernetworking/cni v1.3.0/go.mod h1:Bs8glZjjFfGPHMw6hQu82RUgEPNGEaBb9KS5KtNMnJ4=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
+github.com/crewjam/saml v0.5.1 h1:g+mfp0CrLuLRZCK793PgJcZeg5dS/0CDwoeAX2zcwNI=
+github.com/crewjam/saml v0.5.1/go.mod h1:r0fDkmFe5URDgPrmtH0IYokva6fac3AUdstiPhyEolQ=
 github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
 github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -181,6 +187,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
 github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
+github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -228,6 +236,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f h1:3BSP1Tbs2djlpprl7wCLuiqMaUh5SJkkzI2gDs+FgLs=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
 github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
@@ -270,6 +280,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
@@ -280,6 +292,8 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -292,6 +306,8 @@ github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo=
 github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
+github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -304,8 +320,13 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
 github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
@@ -326,6 +347,8 @@ github.com/mailgun/mailgun-go/v5 v5.14.0 h1:s1S7MbO0G24zew1cCvTGUA7yvJNf9T/HEiVE
 github.com/mailgun/mailgun-go/v5 v5.14.0/go.mod h1:8jl24zvg8DPd5R3dUGIM77J76CWE+esAO+3w0/1c9AA=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
+github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
@@ -388,6 +411,8 @@ github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
 github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
+github.com/muhlemmer/gu v0.3.1 h1:7EAqmFrW7n3hETvuAdmFmn4hS8W+z3LgKtrnow+YzNM=
+github.com/muhlemmer/gu v0.3.1/go.mod h1:YHtHR+gxM+bKEIIs7Hmi9sPT3ZDUvTN/i88wQpZkrdM=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
@@ -412,6 +437,7 @@ github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZH
 github.com/petermattis/goid v0.0.0-20250813065127-a731cc31b4fe/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
 github.com/petermattis/goid v0.0.0-20260113132338-7c7de50cc741 h1:KPpdlQLZcHfTMQRi6bFQ7ogNO0ltFT4PmtwTLW4W+14=
 github.com/petermattis/goid v0.0.0-20260113132338-7c7de50cc741/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -430,8 +456,12 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
+github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/russellhaering/goxmldsig v1.4.0 h1:8UcDh/xGyQiyrW+Fq5t8f+l2DLB1+zlhYzkPUJ7Qhys=
+github.com/russellhaering/goxmldsig v1.4.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=
 github.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=
@@ -460,6 +490,7 @@ github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpE
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -495,6 +526,12 @@ github.com/yuin/goldmark v1.7.13 h1:GPddIs617DnBLFFVJFgpo1aBfe/4xcvMc3SB5t/D0pA=
 github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
 github.com/yuin/goldmark-emoji v1.0.6 h1:QWfF2FYaXwL74tfGOW5izeiZepUDroDJfWubQI9HTHs=
 github.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJpI31LTKmWuA=
+github.com/zitadel/logging v0.7.0 h1:eugftwMM95Wgqwftsvj81isL0JK/hoScVqp/7iA2adQ=
+github.com/zitadel/logging v0.7.0/go.mod h1:9A6h9feBF/3u0IhA4uffdzSDY7mBaf7RE78H5sFMINQ=
+github.com/zitadel/oidc/v3 v3.47.5 h1:cR2z0oqa5XZkwpXQiPCUGqKtndrjHgEXb81y3oXocK4=
+github.com/zitadel/oidc/v3 v3.47.5/go.mod h1:XxFh0666HRXycyrKmono+3gY0RACpYJLgy4r/+kliKY=
+github.com/zitadel/schema v1.3.2 h1:gfJvt7dOMfTmxzhscZ9KkapKo3Nei3B6cAxjav+lyjI=
+github.com/zitadel/schema v1.3.2/go.mod h1:IZmdfF9Wu62Zu6tJJTH3UsArevs3Y4smfJIj3L8fzxw=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
@@ -503,18 +540,24 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
 go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
 go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 h1:wVZXIWjQSeSmMoxF74LzAnpVQOAFDo3pPji9Y4SOFKc=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0/go.mod h1:khvBS2IggMFNwZK/6lEeHg/W57h/IX6J4URh57fuI40=
 go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
 go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
 go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
 go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
 go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
 go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
 go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
 go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/dig v1.19.0 h1:BACLhebsYdpQ7IROQ1AGPjrXcP5dF80U3gKoFzbaq/4=
@@ -542,6 +585,8 @@ golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
 golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f h1:XdNn9LlyWAhLVp6P/i8QYBW+hlyhrhei9uErw2B5GJo=
 golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f/go.mod h1:D5SMRVC3C2/4+F/DB1wZsLRnSNimn2Sp/NPsCrsv8ak=
@@ -557,6 +602,8 @@ golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
 golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -576,6 +623,8 @@ golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
 golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
@@ -592,6 +641,8 @@ golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -624,6 +675,8 @@ golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
 golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -635,6 +688,8 @@ golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
 golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -652,6 +707,8 @@ golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -687,13 +744,16 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
 google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
diff --git a/internal/accounts/service.go b/internal/accounts/service.go
index 51f7a77c7..33bcd10fe 100644
--- a/internal/accounts/service.go
+++ b/internal/accounts/service.go
@@ -3,7 +3,6 @@ package accounts
 import (
 	"context"
 	"errors"
-	"fmt"
 	"log/slog"
 	"strings"
 
@@ -117,21 +116,6 @@ func (s *Service) SearchAccounts(ctx context.Context, query string, limit int) (
 	return items, nil
 }
 
-// IsAdmin checks if the user has admin role.
-func (s *Service) IsAdmin(ctx context.Context, userID string) (bool, error) {
-	if s.store == nil {
-		return false, errors.New("account store not configured")
-	}
-	row, err := s.store.GetByUserID(ctx, userID)
-	if err != nil {
-		if errors.Is(err, db.ErrNotFound) {
-			return false, nil
-		}
-		return false, err
-	}
-	return isAdminRole(row.Role), nil
-}
-
 // Create creates a new account for an existing user.
 func (s *Service) Create(ctx context.Context, userID string, req CreateAccountRequest) (Account, error) {
 	if s.store == nil {
@@ -145,11 +129,6 @@ func (s *Service) Create(ctx context.Context, userID string, req CreateAccountRe
 	if password == "" {
 		return Account{}, errors.New("password is required")
 	}
-	role, err := normalizeRole(req.Role)
-	if err != nil {
-		return Account{}, err
-	}
-
 	hashed, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 	if err != nil {
 		return Account{}, err
@@ -171,7 +150,6 @@ func (s *Service) Create(ctx context.Context, userID string, req CreateAccountRe
 		Username:     username,
 		Email:        email,
 		PasswordHash: string(hashed),
-		Role:         role,
 		DisplayName:  displayName,
 		AvatarURL:    avatarURL,
 		IsActive:     isActive,
@@ -215,13 +193,6 @@ func (s *Service) UpdateAdmin(ctx context.Context, userID string, req UpdateAcco
 	if err != nil {
 		return Account{}, err
 	}
-	role := existing.Role
-	if req.Role != nil {
-		role, err = normalizeRole(*req.Role)
-		if err != nil {
-			return Account{}, err
-		}
-	}
 	displayName := strings.TrimSpace(existing.DisplayName)
 	if req.DisplayName != nil {
 		displayName = strings.TrimSpace(*req.DisplayName)
@@ -240,7 +211,6 @@ func (s *Service) UpdateAdmin(ctx context.Context, userID string, req UpdateAcco
 
 	row, err := s.store.UpdateAdmin(ctx, dbstore.UpdateAccountAdminInput{
 		UserID:      userID,
-		Role:        role,
 		DisplayName: displayName,
 		AvatarURL:   avatarURL,
 		IsActive:    isActive,
@@ -344,31 +314,6 @@ func (s *Service) ResetPassword(ctx context.Context, userID, newPassword string)
 	})
 }
 
-func normalizeRole(raw string) (string, error) {
-	role := strings.ToLower(strings.TrimSpace(raw))
-	if role == "" {
-		return "member", nil
-	}
-	if role != "member" && role != "admin" {
-		return "", fmt.Errorf("invalid role: %s", raw)
-	}
-	return role, nil
-}
-
-func isAdminRole(role any) bool {
-	if role == nil {
-		return false
-	}
-	switch v := role.(type) {
-	case string:
-		return strings.EqualFold(v, "admin")
-	case fmt.Stringer:
-		return strings.EqualFold(v.String(), "admin")
-	default:
-		return strings.EqualFold(fmt.Sprint(v), "admin")
-	}
-}
-
 func toAccount(row dbstore.AccountRecord) Account {
 	username := strings.TrimSpace(row.Username)
 	email := strings.TrimSpace(row.Email)
@@ -382,7 +327,6 @@ func toAccount(row dbstore.AccountRecord) Account {
 		ID:          row.ID,
 		Username:    username,
 		Email:       email,
-		Role:        row.Role,
 		DisplayName: displayName,
 		AvatarURL:   avatarURL,
 		Timezone:    timezone,
diff --git a/internal/accounts/types.go b/internal/accounts/types.go
index c96ab027c..219072127 100644
--- a/internal/accounts/types.go
+++ b/internal/accounts/types.go
@@ -7,7 +7,6 @@ type Account struct {
 	ID          string    `json:"id"`
 	Username    string    `json:"username"`
 	Email       string    `json:"email,omitempty"`
-	Role        string    `json:"role"`
 	DisplayName string    `json:"display_name"`
 	AvatarURL   string    `json:"avatar_url,omitempty"`
 	Timezone    string    `json:"timezone,omitempty"`
@@ -22,7 +21,6 @@ type CreateAccountRequest struct {
 	Username    string `json:"username"`
 	Password    string `json:"password"` //nolint:gosec // intentional: JSON request field carrying a user-supplied credential
 	Email       string `json:"email,omitempty"`
-	Role        string `json:"role,omitempty"`
 	DisplayName string `json:"display_name,omitempty"`
 	AvatarURL   string `json:"avatar_url,omitempty"`
 	IsActive    *bool  `json:"is_active,omitempty"`
@@ -30,7 +28,6 @@ type CreateAccountRequest struct {
 
 // UpdateAccountRequest is the input for admin-level account updates.
 type UpdateAccountRequest struct {
-	Role        *string `json:"role,omitempty"`
 	DisplayName *string `json:"display_name,omitempty"`
 	AvatarURL   *string `json:"avatar_url,omitempty"`
 	IsActive    *bool   `json:"is_active,omitempty"`
diff --git a/internal/bind/service.go b/internal/bind/service.go
index 86b014992..2120a0739 100644
--- a/internal/bind/service.go
+++ b/internal/bind/service.go
@@ -216,7 +216,7 @@ func isNotFound(err error) bool {
 	return errors.Is(err, pgx.ErrNoRows) || errors.Is(err, db.ErrNotFound)
 }
 
-func toCode(row sqlc.ChannelIdentityBindCode) Code {
+func toCode(row sqlc.IamChannelIdentityBindCode) Code {
 	c := Code{
 		ID:             row.ID.String(),
 		Token:          row.Token,
diff --git a/internal/bind/service_test.go b/internal/bind/service_test.go
index 69af52fa0..6c70761b7 100644
--- a/internal/bind/service_test.go
+++ b/internal/bind/service_test.go
@@ -83,7 +83,7 @@ func TestToCode(t *testing.T) {
 	now := time.Now().UTC()
 	var usedBy pgtype.UUID
 	_ = usedBy.Scan("660e8400-e29b-41d4-a716-446655440001")
-	row := sqlc.ChannelIdentityBindCode{
+	row := sqlc.IamChannelIdentityBindCode{
 		ID:                      pgID,
 		Token:                   "ABC12345",
 		IssuedByUserID:          pgID,
@@ -121,7 +121,7 @@ func TestToCode_OptionalFields(t *testing.T) {
 		t.Fatal(err)
 	}
 	now := time.Now().UTC()
-	row := sqlc.ChannelIdentityBindCode{
+	row := sqlc.IamChannelIdentityBindCode{
 		ID:             pgID,
 		Token:          "TOKEN",
 		IssuedByUserID: pgID,
diff --git a/internal/bots/service.go b/internal/bots/service.go
index 6da328270..adc04a264 100644
--- a/internal/bots/service.go
+++ b/internal/bots/service.go
@@ -17,13 +17,19 @@ import (
 	"github.com/memohai/memoh/internal/db"
 	"github.com/memohai/memoh/internal/db/postgres/sqlc"
 	dbstore "github.com/memohai/memoh/internal/db/store"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	tzutil "github.com/memohai/memoh/internal/timezone"
 )
 
+type PermissionService interface {
+	HasPermission(ctx context.Context, check rbac.Check) (bool, error)
+}
+
 // Service provides bot CRUD and membership management.
 type Service struct {
 	queries               dbstore.Queries
 	logger                *slog.Logger
+	rbac                  PermissionService
 	containerLifecycle    ContainerLifecycle
 	checkers              []RuntimeChecker
 	containerReachability func(ctx context.Context, botID string) error
@@ -55,6 +61,10 @@ func (s *Service) SetContainerLifecycle(lc ContainerLifecycle) {
 	s.containerLifecycle = lc
 }
 
+func (s *Service) SetRBACService(service PermissionService) {
+	s.rbac = service
+}
+
 // SetContainerReachability registers a function that checks whether a bot's
 // container is reachable via gRPC. Returns nil on success, error otherwise.
 func (s *Service) SetContainerReachability(fn func(ctx context.Context, botID string) error) {
@@ -68,11 +78,12 @@ func (s *Service) AddRuntimeChecker(c RuntimeChecker) {
 	}
 }
 
-// AuthorizeAccess checks whether userID may access the given bot (owner or admin only).
+// AuthorizeAccess checks whether userID may read the given bot.
 func (s *Service) AuthorizeAccess(ctx context.Context, userID, botID string, isAdmin bool) (Bot, error) {
 	if s.queries == nil {
 		return Bot{}, errors.New("bot queries not configured")
 	}
+	_ = isAdmin
 	bot, err := s.Get(ctx, botID)
 	if err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
@@ -80,7 +91,11 @@ func (s *Service) AuthorizeAccess(ctx context.Context, userID, botID string, isA
 		}
 		return Bot{}, err
 	}
-	if isAdmin || bot.OwnerUserID == userID {
+	allowed, err := s.hasBotPermission(ctx, userID, bot.ID, rbac.PermissionBotRead)
+	if err != nil {
+		return Bot{}, err
+	}
+	if allowed {
 		return bot, nil
 	}
 	return Bot{}, ErrBotAccessDenied
@@ -152,6 +167,15 @@ func (s *Service) Create(ctx context.Context, ownerUserID string, req CreateBotR
 		}
 		return Bot{}, fmt.Errorf("apply acl preset: %w", err)
 	}
+	if err := s.assignBotOwnerRole(ctx, ownerUUID, row.ID); err != nil {
+		if cleanupErr := s.queries.DeleteBotByID(ctx, row.ID); cleanupErr != nil {
+			return Bot{}, errors.Join(
+				fmt.Errorf("assign bot owner role: %w", err),
+				fmt.Errorf("cleanup bot after owner role failure: %w", cleanupErr),
+			)
+		}
+		return Bot{}, fmt.Errorf("assign bot owner role: %w", err)
+	}
 	if err := s.attachCheckSummary(ctx, &bot, asSQLCBot(row)); err != nil {
 		return Bot{}, err
 	}
@@ -297,6 +321,11 @@ func (s *Service) TransferOwner(ctx context.Context, botID string, ownerUserID s
 	if err := s.ensureUserExists(ctx, ownerUUID); err != nil {
 		return Bot{}, err
 	}
+	current, err := s.queries.GetBotByID(ctx, botUUID)
+	if err != nil {
+		return Bot{}, err
+	}
+	oldOwnerID := current.OwnerUserID
 	row, err := s.queries.UpdateBotOwner(ctx, sqlc.UpdateBotOwnerParams{
 		ID:          botUUID,
 		OwnerUserID: ownerUUID,
@@ -311,9 +340,67 @@ func (s *Service) TransferOwner(ctx context.Context, botID string, ownerUserID s
 	if err := s.attachCheckSummary(ctx, &bot, asSQLCBot(row)); err != nil {
 		return Bot{}, err
 	}
+	if err := s.assignBotOwnerRole(ctx, ownerUUID, botUUID); err != nil {
+		return Bot{}, fmt.Errorf("assign bot owner role: %w", err)
+	}
+	if oldOwnerID.Valid && oldOwnerID != ownerUUID {
+		if err := s.deleteBotOwnerRole(ctx, oldOwnerID, botUUID); err != nil {
+			return Bot{}, fmt.Errorf("delete previous bot owner role: %w", err)
+		}
+	}
 	return bot, nil
 }
 
+func (s *Service) HasBotPermission(ctx context.Context, userID, botID string, permission rbac.PermissionKey) (bool, error) {
+	return s.hasBotPermission(ctx, userID, botID, permission)
+}
+
+func (s *Service) hasBotPermission(ctx context.Context, userID, botID string, permission rbac.PermissionKey) (bool, error) {
+	if s.rbac == nil {
+		return false, errors.New("bot rbac service not configured")
+	}
+	userID = strings.TrimSpace(userID)
+	botID = strings.TrimSpace(botID)
+	if userID == "" || botID == "" {
+		return false, nil
+	}
+	return s.rbac.HasPermission(ctx, rbac.Check{
+		UserID:        userID,
+		PermissionKey: permission,
+		ResourceType:  rbac.ResourceBot,
+		ResourceID:    botID,
+	})
+}
+
+func (s *Service) assignBotOwnerRole(ctx context.Context, ownerID pgtype.UUID, botID pgtype.UUID) error {
+	role, err := s.queries.GetRoleByKey(ctx, string(rbac.RoleBotOwner))
+	if err != nil {
+		return err
+	}
+	_, err = s.queries.AssignPrincipalRole(ctx, sqlc.AssignPrincipalRoleParams{
+		PrincipalType: string(rbac.PrincipalUser),
+		PrincipalID:   ownerID,
+		RoleID:        role.ID,
+		ResourceType:  string(rbac.ResourceBot),
+		ResourceID:    botID,
+		Source:        string(rbac.SourceSystem),
+	})
+	if errors.Is(err, pgx.ErrNoRows) {
+		return nil
+	}
+	return err
+}
+
+func (s *Service) deleteBotOwnerRole(ctx context.Context, ownerID pgtype.UUID, botID pgtype.UUID) error {
+	return s.queries.DeletePrincipalRoleAssignment(ctx, sqlc.DeletePrincipalRoleAssignmentParams{
+		PrincipalType: string(rbac.PrincipalUser),
+		PrincipalID:   ownerID,
+		ResourceType:  string(rbac.ResourceBot),
+		ResourceID:    botID,
+		RoleKey:       string(rbac.RoleBotOwner),
+	})
+}
+
 // Delete removes a bot and its associated resources.
 func (s *Service) Delete(ctx context.Context, botID string) error {
 	if s.queries == nil {
diff --git a/internal/bots/service_test.go b/internal/bots/service_test.go
index e8382fb95..7492deb50 100644
--- a/internal/bots/service_test.go
+++ b/internal/bots/service_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/memohai/memoh/internal/acl"
 	"github.com/memohai/memoh/internal/db/postgres/sqlc"
 	postgresstore "github.com/memohai/memoh/internal/db/postgres/store"
+	"github.com/memohai/memoh/internal/iam/rbac"
 )
 
 // fakeRow implements pgx.Row with a custom scan function.
@@ -91,6 +92,17 @@ func mustParseUUID(s string) pgtype.UUID {
 	return u
 }
 
+type fakePermissionService struct {
+	allowed bool
+	err     error
+	check   rbac.Check
+}
+
+func (f *fakePermissionService) HasPermission(_ context.Context, check rbac.Check) (bool, error) {
+	f.check = check
+	return f.allowed, f.err
+}
+
 func TestAuthorizeAccess(t *testing.T) {
 	ownerUUID := mustParseUUID("00000000-0000-0000-0000-000000000001")
 	botUUID := mustParseUUID("00000000-0000-0000-0000-000000000002")
@@ -102,19 +114,20 @@ func TestAuthorizeAccess(t *testing.T) {
 	tests := []struct {
 		name      string
 		userID    string
-		isAdmin   bool
+		allowed   bool
 		wantErr   bool
 		wantErrIs error
 	}{
 		{
 			name:    "owner always allowed",
 			userID:  ownerID,
+			allowed: true,
 			wantErr: false,
 		},
 		{
-			name:    "admin always allowed",
+			name:    "rbac allowed",
 			userID:  strangerID,
-			isAdmin: true,
+			allowed: true,
 			wantErr: false,
 		},
 		{
@@ -134,8 +147,10 @@ func TestAuthorizeAccess(t *testing.T) {
 				},
 			}
 			svc := NewService(nil, postgresstore.NewQueries(sqlc.New(db)))
+			permission := &fakePermissionService{allowed: tt.allowed}
+			svc.SetRBACService(permission)
 
-			_, err := svc.AuthorizeAccess(context.Background(), tt.userID, botID, tt.isAdmin)
+			_, err := svc.AuthorizeAccess(context.Background(), tt.userID, botID, false)
 			if tt.wantErr {
 				if err == nil {
 					t.Fatal("expected error, got nil")
@@ -146,6 +161,12 @@ func TestAuthorizeAccess(t *testing.T) {
 			} else if err != nil {
 				t.Fatalf("unexpected error: %v", err)
 			}
+			if permission.check.PermissionKey != rbac.PermissionBotRead {
+				t.Fatalf("permission = %q, want %q", permission.check.PermissionKey, rbac.PermissionBotRead)
+			}
+			if permission.check.ResourceType != rbac.ResourceBot || permission.check.ResourceID != botID {
+				t.Fatalf("unexpected permission check: %+v", permission.check)
+			}
 		})
 	}
 }
@@ -157,7 +178,7 @@ func TestCreateRejectsUnknownACLPreset(t *testing.T) {
 	db := &fakeDBTX{
 		queryRowFunc: func(_ context.Context, sql string, _ ...any) pgx.Row {
 			switch {
-			case strings.Contains(sql, "FROM users") && strings.Contains(sql, "WHERE id = $1"):
+			case strings.Contains(sql, "FROM iam_users") && strings.Contains(sql, "WHERE id = $1"):
 				return &fakeRow{scanFunc: func(_ ...any) error { return nil }}
 			case strings.Contains(sql, "INSERT INTO bots"):
 				createCalled = true
diff --git a/internal/channel/identities/service.go b/internal/channel/identities/service.go
index 8c36086b1..05e74f259 100644
--- a/internal/channel/identities/service.go
+++ b/internal/channel/identities/service.go
@@ -210,7 +210,7 @@ func (s *Service) Search(ctx context.Context, query string, limit int) ([]Search
 	items := make([]SearchResult, 0, len(rows))
 	for _, row := range rows {
 		item := SearchResult{
-			ChannelIdentity: toChannelIdentity(sqlc.ChannelIdentity{
+			ChannelIdentity: toChannelIdentity(sqlc.IamChannelIdentity{
 				ID:               row.ID,
 				UserID:           row.UserID,
 				ChannelType:      row.ChannelType,
@@ -298,7 +298,7 @@ func (s *Service) LinkChannelIdentityToUser(ctx context.Context, channelIdentity
 	return nil
 }
 
-func toChannelIdentity(row sqlc.ChannelIdentity) ChannelIdentity {
+func toChannelIdentity(row sqlc.IamChannelIdentity) ChannelIdentity {
 	var metadata map[string]any
 	if len(row.Metadata) > 0 {
 		_ = json.Unmarshal(row.Metadata, &metadata)
diff --git a/internal/channel/inbound/channel.go b/internal/channel/inbound/channel.go
index 075647380..7d46cb555 100644
--- a/internal/channel/inbound/channel.go
+++ b/internal/channel/inbound/channel.go
@@ -24,6 +24,7 @@ import (
 	"github.com/memohai/memoh/internal/command"
 	"github.com/memohai/memoh/internal/conversation"
 	"github.com/memohai/memoh/internal/conversation/flow"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	"github.com/memohai/memoh/internal/media"
 	messagepkg "github.com/memohai/memoh/internal/message"
 	pipelinepkg "github.com/memohai/memoh/internal/pipeline"
@@ -53,6 +54,10 @@ type chatACL interface {
 	Evaluate(ctx context.Context, req acl.EvaluateRequest) (bool, error)
 }
 
+type botPermissionChecker interface {
+	HasPermission(ctx context.Context, check rbac.Check) (bool, error)
+}
+
 type mediaIngestor interface {
 	channel.OutboundAttachmentStore
 	channel.ContainerAttachmentIngester
@@ -128,6 +133,7 @@ type ChannelInboundProcessor struct {
 	policy              PolicyService
 	dispatcher          *RouteDispatcher
 	acl                 chatACL
+	rbac                botPermissionChecker
 	observer            channel.StreamObserver
 	speechService       speechSynthesizer
 	speechModelResolver speechModelResolver
@@ -185,6 +191,13 @@ func (p *ChannelInboundProcessor) SetACLService(service chatACL) {
 	p.acl = service
 }
 
+func (p *ChannelInboundProcessor) SetRBACService(service botPermissionChecker) {
+	if p == nil {
+		return
+	}
+	p.rbac = service
+}
+
 // IdentityMiddleware returns the identity resolution middleware.
 func (p *ChannelInboundProcessor) IdentityMiddleware() channel.Middleware {
 	if p == nil || p.identity == nil {
@@ -485,7 +498,7 @@ func (p *ChannelInboundProcessor) HandleInbound(ctx context.Context, cfg channel
 		p.persistPassiveMessage(ctx, identity, msg, text, attachments, resolved.RouteID, sessionID, "")
 		if p.logger != nil {
 			p.logger.Info(
-				"inbound denied by acl — event not ingested",
+				"inbound denied by acl; event not ingested",
 				slog.String("channel", msg.Channel.String()),
 				slog.String("bot_id", strings.TrimSpace(identity.BotID)),
 				slog.String("channel_identity_id", strings.TrimSpace(identity.ChannelIdentityID)),
@@ -495,6 +508,32 @@ func (p *ChannelInboundProcessor) HandleInbound(ctx context.Context, cfg channel
 		return nil
 	}
 
+	if strings.TrimSpace(identity.UserID) != "" && p.rbac != nil {
+		allowed, permissionErr := p.rbac.HasPermission(ctx, rbac.Check{
+			UserID:        strings.TrimSpace(identity.UserID),
+			PermissionKey: rbac.PermissionBotChat,
+			ResourceType:  rbac.ResourceBot,
+			ResourceID:    strings.TrimSpace(identity.BotID),
+		})
+		if permissionErr != nil {
+			return fmt.Errorf("evaluate bot chat permission: %w", permissionErr)
+		}
+		if !allowed {
+			p.persistPassiveMessage(ctx, identity, msg, text, attachments, resolved.RouteID, sessionID, "")
+			if p.logger != nil {
+				p.logger.Info(
+					"inbound denied by rbac; event not ingested",
+					slog.String("channel", msg.Channel.String()),
+					slog.String("bot_id", strings.TrimSpace(identity.BotID)),
+					slog.String("user_id", strings.TrimSpace(identity.UserID)),
+					slog.String("channel_identity_id", strings.TrimSpace(identity.ChannelIdentityID)),
+					slog.String("conversation_type", strings.TrimSpace(msg.Conversation.Type)),
+				)
+			}
+			return nil
+		}
+	}
+
 	if isToolApprovalCommand(cmdText) && isDirectedAtBot(msg) {
 		return p.handleToolApprovalCommand(ctx, msg, sender, identity, resolved.RouteID, sessionID, cmdText)
 	}
diff --git a/internal/channel/inbound/channel_test.go b/internal/channel/inbound/channel_test.go
index f46aaafe0..4f2f3865b 100644
--- a/internal/channel/inbound/channel_test.go
+++ b/internal/channel/inbound/channel_test.go
@@ -22,6 +22,7 @@ import (
 	"github.com/memohai/memoh/internal/command"
 	"github.com/memohai/memoh/internal/conversation"
 	dbsqlc "github.com/memohai/memoh/internal/db/postgres/sqlc"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	"github.com/memohai/memoh/internal/media"
 	messagepkg "github.com/memohai/memoh/internal/message"
 	pipelinepkg "github.com/memohai/memoh/internal/pipeline"
@@ -190,6 +191,22 @@ type fakeChatACL struct {
 	lastReq acl.EvaluateRequest
 }
 
+type fakeRBACService struct {
+	allowed bool
+	err     error
+	calls   int
+	last    rbac.Check
+}
+
+func (f *fakeRBACService) HasPermission(_ context.Context, check rbac.Check) (bool, error) {
+	f.calls++
+	f.last = check
+	if f.err != nil {
+		return false, f.err
+	}
+	return f.allowed, nil
+}
+
 type fakeSessionEnsurer struct {
 	activeSession SessionResult
 	activeErr     error
@@ -508,6 +525,95 @@ func TestChannelInboundProcessorDeniedByACL(t *testing.T) {
 	}
 }
 
+func TestChannelInboundProcessorLinkedUserDeniedByRBACAfterACLAllow(t *testing.T) {
+	channelIdentitySvc := &fakeChannelIdentityService{
+		channelIdentity: identities.ChannelIdentity{ID: "channelIdentity-rbac-deny"},
+		linked:          map[string]string{"channelIdentity-rbac-deny": "user-rbac-deny"},
+	}
+	policySvc := &fakePolicyService{}
+	chatSvc := &fakeChatService{resolveResult: route.ResolveConversationResult{ChatID: "chat-rbac-denied", RouteID: "route-rbac-denied"}}
+	gateway := &fakeChatGateway{}
+	processor := NewChannelInboundProcessor(slog.Default(), nil, chatSvc, chatSvc, gateway, channelIdentitySvc, policySvc, nil, "", 0)
+	processor.SetACLService(&fakeChatACL{allowed: true})
+	rbacSvc := &fakeRBACService{allowed: false}
+	processor.SetRBACService(rbacSvc)
+	sender := &fakeReplySender{}
+
+	msg := channel.InboundMessage{
+		BotID:       "bot-rbac-1",
+		Channel:     channel.ChannelType("feishu"),
+		Message:     channel.Message{ID: "msg-rbac-1", Text: "hello"},
+		ReplyTarget: "target-id",
+		Sender:      channel.Identity{SubjectID: "linked-user-1"},
+		Conversation: channel.Conversation{
+			ID:   "chat-1",
+			Type: channel.ConversationTypePrivate,
+		},
+	}
+
+	err := processor.HandleInbound(context.Background(), channel.ChannelConfig{ID: "cfg-1", BotID: "bot-rbac-1"}, msg, sender)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if rbacSvc.calls != 1 {
+		t.Fatalf("expected rbac to be checked once, got %d", rbacSvc.calls)
+	}
+	if rbacSvc.last.UserID != "user-rbac-deny" || rbacSvc.last.PermissionKey != rbac.PermissionBotChat ||
+		rbacSvc.last.ResourceType != rbac.ResourceBot || rbacSvc.last.ResourceID != "bot-rbac-1" {
+		t.Fatalf("unexpected rbac check: %+v", rbacSvc.last)
+	}
+	if gateway.gotReq.Query != "" {
+		t.Fatal("rbac denied linked user should not trigger chat call")
+	}
+	if len(chatSvc.persistedIn) != 1 {
+		t.Fatalf("rbac denied linked user should persist 1 passive message, got %d", len(chatSvc.persistedIn))
+	}
+}
+
+func TestChannelInboundProcessorUnlinkedIdentitySkipsRBACAfterACLAllow(t *testing.T) {
+	channelIdentitySvc := &fakeChannelIdentityService{
+		channelIdentity: identities.ChannelIdentity{ID: "channelIdentity-unlinked"},
+		linked:          map[string]string{},
+	}
+	policySvc := &fakePolicyService{}
+	chatSvc := &fakeChatService{resolveResult: route.ResolveConversationResult{ChatID: "chat-unlinked-rbac", RouteID: "route-unlinked-rbac"}}
+	gateway := &fakeChatGateway{
+		resp: conversation.ChatResponse{
+			Messages: []conversation.ModelMessage{
+				{Role: "assistant", Content: conversation.NewTextContent("AI reply")},
+			},
+		},
+	}
+	processor := NewChannelInboundProcessor(slog.Default(), nil, chatSvc, chatSvc, gateway, channelIdentitySvc, policySvc, nil, "", 0)
+	processor.SetACLService(&fakeChatACL{allowed: true})
+	rbacSvc := &fakeRBACService{allowed: false}
+	processor.SetRBACService(rbacSvc)
+	sender := &fakeReplySender{}
+
+	msg := channel.InboundMessage{
+		BotID:       "bot-rbac-2",
+		Channel:     channel.ChannelType("feishu"),
+		Message:     channel.Message{ID: "msg-rbac-2", Text: "hello"},
+		ReplyTarget: "target-id",
+		Sender:      channel.Identity{SubjectID: "guest-rbac-1"},
+		Conversation: channel.Conversation{
+			ID:   "chat-1",
+			Type: channel.ConversationTypePrivate,
+		},
+	}
+
+	err := processor.HandleInbound(context.Background(), channel.ChannelConfig{ID: "cfg-1", BotID: "bot-rbac-2"}, msg, sender)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if rbacSvc.calls != 0 {
+		t.Fatalf("unlinked identity should skip rbac, got %d checks", rbacSvc.calls)
+	}
+	if gateway.gotReq.Query != "hello" {
+		t.Fatalf("unlinked identity allowed by ACL should trigger chat, got %q", gateway.gotReq.Query)
+	}
+}
+
 func TestChannelInboundProcessorACLGuestDeniedDowngradesToNotify(t *testing.T) {
 	channelIdentitySvc := &fakeChannelIdentityService{channelIdentity: identities.ChannelIdentity{ID: "channelIdentity-acl-deny"}}
 	policySvc := &fakePolicyService{}
diff --git a/internal/channel/service.go b/internal/channel/service.go
index 01e8726a1..fb6878c4e 100644
--- a/internal/channel/service.go
+++ b/internal/channel/service.go
@@ -425,7 +425,7 @@ func normalizeChannelConfigFields(
 	}, nil
 }
 
-func normalizeChannelIdentityBinding(row sqlc.UserChannelBinding) (ChannelIdentityBinding, error) {
+func normalizeChannelIdentityBinding(row sqlc.IamUserChannelBinding) (ChannelIdentityBinding, error) {
 	config, err := DecodeConfigMap(row.Config)
 	if err != nil {
 		return ChannelIdentityBinding{}, err
diff --git a/internal/command/access.go b/internal/command/access.go
index 5dbd764c8..12f534cad 100644
--- a/internal/command/access.go
+++ b/internal/command/access.go
@@ -15,14 +15,14 @@ func (h *Handler) buildAccessGroup() *CommandGroup {
 		Usage: "show - Show current identity, write access, and chat ACL context",
 		Handler: func(cc CommandContext) (string, error) {
 			writeAccess := "no"
-			if cc.Role == "owner" {
+			if cc.BotUpdateAllowed {
 				writeAccess = "yes"
 			}
 
 			pairs := []kv{
 				{"Channel Identity", fallbackValue(cc.ChannelIdentityID)},
 				{"Linked User", fallbackValue(cc.UserID)},
-				{"Bot Role", fallbackValue(cc.Role)},
+				{"Bot Permission", "bot.update=" + writeAccess},
 				{"Write Commands", writeAccess},
 				{"Channel", fallbackValue(cc.ChannelType)},
 				{"Conversation Type", fallbackValue(cc.ConversationType)},
diff --git a/internal/command/handler.go b/internal/command/handler.go
index b76e2ccdd..c9ffa12b0 100644
--- a/internal/command/handler.go
+++ b/internal/command/handler.go
@@ -12,6 +12,7 @@ import (
 	dbstore "github.com/memohai/memoh/internal/db/store"
 	emailpkg "github.com/memohai/memoh/internal/email"
 	"github.com/memohai/memoh/internal/heartbeat"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	"github.com/memohai/memoh/internal/mcp"
 	memprovider "github.com/memohai/memoh/internal/memory/adapters"
 	"github.com/memohai/memoh/internal/models"
@@ -21,31 +22,27 @@ import (
 	"github.com/memohai/memoh/internal/settings"
 )
 
-// MemberRoleResolver resolves a user's role within a bot.
-type MemberRoleResolver interface {
-	GetMemberRole(ctx context.Context, botID, channelIdentityID string) (string, error)
+// MemberPermissionResolver resolves a user's permission within a bot.
+type MemberPermissionResolver interface {
+	HasBotPermission(ctx context.Context, userID, botID string, permission rbac.PermissionKey) (bool, error)
 }
 
-// BotMemberRoleAdapter adapts bots.Service to MemberRoleResolver.
+// BotMemberRoleAdapter adapts bots.Service to MemberPermissionResolver.
 type BotMemberRoleAdapter struct {
 	BotService *bots.Service
 }
 
-func (a *BotMemberRoleAdapter) GetMemberRole(ctx context.Context, botID, channelIdentityID string) (string, error) {
-	bot, err := a.BotService.Get(ctx, botID)
-	if err != nil {
-		return "", err
-	}
-	if bot.OwnerUserID == channelIdentityID {
-		return "owner", nil
+func (a *BotMemberRoleAdapter) HasBotPermission(ctx context.Context, userID, botID string, permission rbac.PermissionKey) (bool, error) {
+	if a == nil || a.BotService == nil {
+		return false, nil
 	}
-	return "", nil
+	return a.BotService.HasBotPermission(ctx, userID, botID, permission)
 }
 
 // Handler processes slash commands intercepted before they reach the LLM.
 type Handler struct {
 	registry        *Registry
-	roleResolver    MemberRoleResolver
+	permission      MemberPermissionResolver
 	scheduleService *schedule.Service
 	settingsService *settings.Service
 	mcpConnService  *mcp.ConnectionService
@@ -85,7 +82,7 @@ type ExecuteInput struct {
 // NewHandler creates a Handler with all required services.
 func NewHandler(
 	log *slog.Logger,
-	roleResolver MemberRoleResolver,
+	permission MemberPermissionResolver,
 	scheduleService *schedule.Service,
 	settingsService *settings.Service,
 	mcpConnService *mcp.ConnectionService,
@@ -106,7 +103,7 @@ func NewHandler(
 		log = slog.Default()
 	}
 	h := &Handler{
-		roleResolver:       roleResolver,
+		permission:         permission,
 		scheduleService:    scheduleService,
 		settingsService:    settingsService,
 		mcpConnService:     mcpConnService,
@@ -172,6 +169,7 @@ func (h *Handler) Execute(ctx context.Context, botID, channelIdentityID, text st
 	return h.ExecuteWithInput(ctx, ExecuteInput{
 		BotID:             botID,
 		ChannelIdentityID: channelIdentityID,
+		UserID:            channelIdentityID,
 		Text:              text,
 	})
 }
@@ -187,29 +185,24 @@ func (h *Handler) ExecuteWithInput(ctx context.Context, input ExecuteInput) (str
 		return h.registry.GlobalHelp(), nil
 	}
 
-	// Resolve the user's role in this bot.
-	role := ""
-	roleIdentityID := input.ChannelIdentityID
-	if strings.TrimSpace(input.UserID) != "" {
-		roleIdentityID = strings.TrimSpace(input.UserID)
-	}
-	if h.roleResolver != nil && roleIdentityID != "" {
-		r, err := h.roleResolver.GetMemberRole(ctx, input.BotID, roleIdentityID)
+	botUpdateAllowed := false
+	if h.permission != nil && strings.TrimSpace(input.UserID) != "" {
+		allowed, err := h.permission.HasBotPermission(ctx, strings.TrimSpace(input.UserID), input.BotID, rbac.PermissionBotUpdate)
 		if err != nil {
-			h.logger.Warn("failed to resolve member role",
+			h.logger.Warn("failed to resolve bot update permission",
 				slog.String("bot_id", input.BotID),
-				slog.String("role_identity_id", roleIdentityID),
+				slog.String("user_id", strings.TrimSpace(input.UserID)),
 				slog.Any("error", err),
 			)
 		} else {
-			role = r
+			botUpdateAllowed = allowed
 		}
 	}
 
 	cc := CommandContext{
 		Ctx:               ctx,
 		BotID:             input.BotID,
-		Role:              role,
+		BotUpdateAllowed:  botUpdateAllowed,
 		Args:              parsed.Args,
 		ChannelIdentityID: strings.TrimSpace(input.ChannelIdentityID),
 		UserID:            strings.TrimSpace(input.UserID),
@@ -257,8 +250,8 @@ func (h *Handler) ExecuteWithInput(ctx context.Context, input ExecuteInput) (str
 		return fmt.Sprintf("Unknown action \"%s\" for /%s.\n\n%s", parsed.Action, parsed.Resource, group.Usage()), nil
 	}
 
-	if sub.IsWrite && role != "owner" {
-		return "Permission denied: only the bot owner can execute this command.", nil
+	if sub.IsWrite && !botUpdateAllowed {
+		return "Permission denied: bot.update permission is required to execute this command.", nil
 	}
 
 	result, handlerErr := safeExecute(sub.Handler, cc)
diff --git a/internal/command/handler_test.go b/internal/command/handler_test.go
index ed3d8b556..e237c2e4a 100644
--- a/internal/command/handler_test.go
+++ b/internal/command/handler_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 
 	dbsqlc "github.com/memohai/memoh/internal/db/postgres/sqlc"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	"github.com/memohai/memoh/internal/mcp"
 	"github.com/memohai/memoh/internal/schedule"
 	"github.com/memohai/memoh/internal/settings"
@@ -16,13 +17,15 @@ import (
 
 // --- fake services ---
 
-type fakeRoleResolver struct {
-	role string
-	err  error
+type fakePermissionResolver struct {
+	allowed bool
+	err     error
+	checks  []rbac.PermissionKey
 }
 
-func (f *fakeRoleResolver) GetMemberRole(_ context.Context, _, _ string) (string, error) {
-	return f.role, f.err
+func (f *fakePermissionResolver) HasBotPermission(_ context.Context, _, _ string, permission rbac.PermissionKey) (bool, error) {
+	f.checks = append(f.checks, permission)
+	return f.allowed, f.err
 }
 
 type fakeScheduleService struct {
@@ -75,12 +78,12 @@ func (*fakeCommandQueries) GetTokenUsageByModel(_ context.Context, _ dbsqlc.GetT
 }
 
 // newTestHandler creates a Handler with nil services for use in tests.
-func newTestHandler(roleResolver MemberRoleResolver) *Handler {
-	return NewHandler(nil, roleResolver, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil)
+func newTestHandler(permission MemberPermissionResolver) *Handler {
+	return NewHandler(nil, permission, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil)
 }
 
-func newTestHandlerWithQueries(roleResolver MemberRoleResolver, queries CommandQueries) *Handler {
-	return NewHandler(nil, roleResolver, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, queries, nil, nil, nil)
+func newTestHandlerWithQueries(permission MemberPermissionResolver, queries CommandQueries) *Handler {
+	return NewHandler(nil, permission, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, queries, nil, nil, nil)
 }
 
 // --- tests ---
@@ -118,7 +121,7 @@ func TestIsCommand(t *testing.T) {
 
 func TestExecute_Help(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/help")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -136,7 +139,7 @@ func TestExecute_Help(t *testing.T) {
 
 func TestExecute_HelpGroup(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/help model")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -144,14 +147,14 @@ func TestExecute_HelpGroup(t *testing.T) {
 	if !strings.Contains(result, "/model - Manage bot models") {
 		t.Errorf("expected group help, got: %s", result)
 	}
-	if !strings.Contains(result, "- set - Set the chat model [owner]") {
+	if !strings.Contains(result, "- set - Set the chat model [bot.update]") {
 		t.Errorf("expected compact action summary, got: %s", result)
 	}
 }
 
 func TestExecute_HelpAction(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/help model set")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -159,14 +162,14 @@ func TestExecute_HelpAction(t *testing.T) {
 	if !strings.Contains(result, "Usage: /model set <model_id> | <provider_name> <model_name>") {
 		t.Errorf("expected action usage, got: %s", result)
 	}
-	if !strings.Contains(result, "Access: owner only") {
-		t.Errorf("expected owner hint, got: %s", result)
+	if !strings.Contains(result, "Access: bot.update") {
+		t.Errorf("expected bot.update hint, got: %s", result)
 	}
 }
 
 func TestExecute_UnknownCommand(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/foobar")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -178,7 +181,7 @@ func TestExecute_UnknownCommand(t *testing.T) {
 
 func TestExecute_WithMentionPrefix(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "@BotName /help")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -190,7 +193,7 @@ func TestExecute_WithMentionPrefix(t *testing.T) {
 
 func TestExecute_TelegramBotSuffix(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/help@MemohBot")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -202,7 +205,7 @@ func TestExecute_TelegramBotSuffix(t *testing.T) {
 
 func TestExecute_UnknownAction(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/schedule foobar")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -217,7 +220,7 @@ func TestExecute_UnknownAction(t *testing.T) {
 
 func TestExecute_WritePermissionDenied(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: ""})
+	h := newTestHandler(&fakePermissionResolver{allowed: false})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/schedule create test desc")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -229,13 +232,13 @@ func TestExecute_WritePermissionDenied(t *testing.T) {
 
 func TestExecute_WritePermissionAllowedForOwner(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/schedule create")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
 	if strings.Contains(result, "Permission denied") {
-		t.Errorf("owner should not get permission denied, got: %s", result)
+		t.Errorf("user with bot.update should not get permission denied, got: %s", result)
 	}
 	if !strings.Contains(result, "Usage:") {
 		t.Errorf("expected usage hint for missing args, got: %s", result)
@@ -244,7 +247,7 @@ func TestExecute_WritePermissionAllowedForOwner(t *testing.T) {
 
 func TestExecute_SettingsDefaultAction(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: ""})
+	h := newTestHandler(&fakePermissionResolver{allowed: false})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/settings")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -256,7 +259,7 @@ func TestExecute_SettingsDefaultAction(t *testing.T) {
 
 func TestExecute_MissingArgs(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	tests := []struct {
 		cmd      string
 		contains string
@@ -354,7 +357,7 @@ func TestGlobalHelp_AllGroups(t *testing.T) {
 
 func TestExecuteWithInput_Access(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	result, err := h.ExecuteWithInput(context.Background(), ExecuteInput{
 		BotID:             "bot-1",
 		ChannelIdentityID: "channel-id-1",
@@ -383,7 +386,7 @@ func TestExecute_StatusLatest(t *testing.T) {
 	sessionUUID := pgtype.UUID{}
 	copy(sessionUUID.Bytes[:], []byte{1, 2, 3, 4, 5, 6, 7, 8, 9})
 	sessionUUID.Valid = true
-	h := newTestHandlerWithQueries(&fakeRoleResolver{role: "owner"}, &fakeCommandQueries{
+	h := newTestHandlerWithQueries(&fakePermissionResolver{allowed: true}, &fakeCommandQueries{
 		latestSessionID: sessionUUID,
 		messageCount:    42,
 		latestUsage:     1200,
@@ -408,7 +411,7 @@ func TestExecute_StatusLatest(t *testing.T) {
 
 func TestExecute_StatusLatestNoRows(t *testing.T) {
 	t.Parallel()
-	h := newTestHandlerWithQueries(&fakeRoleResolver{role: "owner"}, &fakeCommandQueries{
+	h := newTestHandlerWithQueries(&fakePermissionResolver{allowed: true}, &fakeCommandQueries{
 		latestSessionErr: pgx.ErrNoRows,
 	})
 	result, err := h.Execute(context.Background(), "11111111-1111-1111-1111-111111111111", "user-1", "/status latest")
@@ -422,7 +425,7 @@ func TestExecute_StatusLatestNoRows(t *testing.T) {
 
 func TestExecute_StatusShowWithoutSession(t *testing.T) {
 	t.Parallel()
-	h := newTestHandlerWithQueries(&fakeRoleResolver{role: "owner"}, &fakeCommandQueries{})
+	h := newTestHandlerWithQueries(&fakePermissionResolver{allowed: true}, &fakeCommandQueries{})
 	result, err := h.Execute(context.Background(), "bot-1", "user-1", "/status")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -432,7 +435,7 @@ func TestExecute_StatusShowWithoutSession(t *testing.T) {
 	}
 }
 
-// Verify write commands are tagged with [owner] in usage.
+// Verify write commands are tagged with [bot.update] in usage.
 func TestUsage_OwnerTag(t *testing.T) {
 	t.Parallel()
 	h := newTestHandler(nil)
@@ -441,8 +444,8 @@ func TestUsage_OwnerTag(t *testing.T) {
 		usage := group.Usage()
 		for _, subName := range group.order {
 			sub := group.commands[subName]
-			if sub.IsWrite && !strings.Contains(usage, "[owner]") {
-				t.Errorf("/%s %s is a write command but usage missing [owner] tag", name, subName)
+			if sub.IsWrite && !strings.Contains(usage, "[bot.update]") {
+				t.Errorf("/%s %s is a write command but usage missing [bot.update] tag", name, subName)
 			}
 		}
 	}
@@ -451,7 +454,7 @@ func TestUsage_OwnerTag(t *testing.T) {
 // Verify new commands with nil services return graceful errors, not panics.
 func TestNewCommands_NilServices(t *testing.T) {
 	t.Parallel()
-	h := newTestHandler(&fakeRoleResolver{role: "owner"})
+	h := newTestHandler(&fakePermissionResolver{allowed: true})
 	cmds := []string{
 		"/skill list",
 		"/fs list",
diff --git a/internal/command/registry.go b/internal/command/registry.go
index d6d10d533..13e09dc98 100644
--- a/internal/command/registry.go
+++ b/internal/command/registry.go
@@ -10,7 +10,7 @@ import (
 type CommandContext struct {
 	Ctx               context.Context
 	BotID             string
-	Role              string // "owner", "admin", "member", or "" (guest)
+	BotUpdateAllowed  bool
 	Args              []string
 	ChannelIdentityID string
 	UserID            string
@@ -60,7 +60,7 @@ func (g *CommandGroup) Usage() string {
 		sub := g.commands[name]
 		desc := subSummary(sub)
 		if sub.IsWrite {
-			desc += " [owner]"
+			desc += " [bot.update]"
 		}
 		fmt.Fprintf(&b, "- %s\n", desc)
 	}
@@ -84,7 +84,7 @@ func (g *CommandGroup) ActionHelp(action string) string {
 	}
 	fmt.Fprintf(&b, "- Usage: /%s %s\n", g.Name, usage)
 	if sub.IsWrite {
-		b.WriteString("- Access: owner only\n")
+		b.WriteString("- Access: bot.update\n")
 	}
 	fmt.Fprintf(&b, "- Tip: use /help %s to view sibling actions.", g.Name)
 	return strings.TrimRight(b.String(), "\n")
diff --git a/internal/db/postgres/sqlc/acl.sql.go b/internal/db/postgres/sqlc/acl.sql.go
index bedb96888..89882e809 100644
--- a/internal/db/postgres/sqlc/acl.sql.go
+++ b/internal/db/postgres/sqlc/acl.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: acl.sql
 
 package sqlc
@@ -214,8 +214,8 @@ SELECT
   linked.display_name AS linked_user_display_name,
   linked.avatar_url AS linked_user_avatar_url
 FROM bot_acl_rules r
-LEFT JOIN channel_identities ci ON ci.id = r.channel_identity_id
-LEFT JOIN users linked ON linked.id = ci.user_id
+LEFT JOIN iam_channel_identities ci ON ci.id = r.channel_identity_id
+LEFT JOIN iam_users linked ON linked.id = ci.user_id
 WHERE r.bot_id = $1
   AND r.action = 'chat.trigger'
 ORDER BY r.priority ASC, r.created_at ASC
diff --git a/internal/db/postgres/sqlc/bind.sql.go b/internal/db/postgres/sqlc/bind.sql.go
index 39347a54f..47de5d571 100644
--- a/internal/db/postgres/sqlc/bind.sql.go
+++ b/internal/db/postgres/sqlc/bind.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: bind.sql
 
 package sqlc
@@ -12,7 +12,7 @@ import (
 )
 
 const createBindCode = `-- name: CreateBindCode :one
-INSERT INTO channel_identity_bind_codes (token, issued_by_user_id, channel_type, expires_at)
+INSERT INTO iam_channel_identity_bind_codes (token, issued_by_user_id, channel_type, expires_at)
 VALUES ($1, $2, $3, $4)
 RETURNING id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
 `
@@ -24,14 +24,14 @@ type CreateBindCodeParams struct {
 	ExpiresAt      pgtype.Timestamptz `json:"expires_at"`
 }
 
-func (q *Queries) CreateBindCode(ctx context.Context, arg CreateBindCodeParams) (ChannelIdentityBindCode, error) {
+func (q *Queries) CreateBindCode(ctx context.Context, arg CreateBindCodeParams) (IamChannelIdentityBindCode, error) {
 	row := q.db.QueryRow(ctx, createBindCode,
 		arg.Token,
 		arg.IssuedByUserID,
 		arg.ChannelType,
 		arg.ExpiresAt,
 	)
-	var i ChannelIdentityBindCode
+	var i IamChannelIdentityBindCode
 	err := row.Scan(
 		&i.ID,
 		&i.Token,
@@ -47,13 +47,13 @@ func (q *Queries) CreateBindCode(ctx context.Context, arg CreateBindCodeParams)
 
 const getBindCode = `-- name: GetBindCode :one
 SELECT id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
-FROM channel_identity_bind_codes
+FROM iam_channel_identity_bind_codes
 WHERE token = $1
 `
 
-func (q *Queries) GetBindCode(ctx context.Context, token string) (ChannelIdentityBindCode, error) {
+func (q *Queries) GetBindCode(ctx context.Context, token string) (IamChannelIdentityBindCode, error) {
 	row := q.db.QueryRow(ctx, getBindCode, token)
-	var i ChannelIdentityBindCode
+	var i IamChannelIdentityBindCode
 	err := row.Scan(
 		&i.ID,
 		&i.Token,
@@ -69,14 +69,14 @@ func (q *Queries) GetBindCode(ctx context.Context, token string) (ChannelIdentit
 
 const getBindCodeForUpdate = `-- name: GetBindCodeForUpdate :one
 SELECT id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
-FROM channel_identity_bind_codes
+FROM iam_channel_identity_bind_codes
 WHERE token = $1
 FOR UPDATE
 `
 
-func (q *Queries) GetBindCodeForUpdate(ctx context.Context, token string) (ChannelIdentityBindCode, error) {
+func (q *Queries) GetBindCodeForUpdate(ctx context.Context, token string) (IamChannelIdentityBindCode, error) {
 	row := q.db.QueryRow(ctx, getBindCodeForUpdate, token)
-	var i ChannelIdentityBindCode
+	var i IamChannelIdentityBindCode
 	err := row.Scan(
 		&i.ID,
 		&i.Token,
@@ -91,7 +91,7 @@ func (q *Queries) GetBindCodeForUpdate(ctx context.Context, token string) (Chann
 }
 
 const markBindCodeUsed = `-- name: MarkBindCodeUsed :one
-UPDATE channel_identity_bind_codes
+UPDATE iam_channel_identity_bind_codes
 SET used_at = now(), used_by_channel_identity_id = $2
 WHERE id = $1
   AND used_at IS NULL
@@ -103,9 +103,9 @@ type MarkBindCodeUsedParams struct {
 	UsedByChannelIdentityID pgtype.UUID `json:"used_by_channel_identity_id"`
 }
 
-func (q *Queries) MarkBindCodeUsed(ctx context.Context, arg MarkBindCodeUsedParams) (ChannelIdentityBindCode, error) {
+func (q *Queries) MarkBindCodeUsed(ctx context.Context, arg MarkBindCodeUsedParams) (IamChannelIdentityBindCode, error) {
 	row := q.db.QueryRow(ctx, markBindCodeUsed, arg.ID, arg.UsedByChannelIdentityID)
-	var i ChannelIdentityBindCode
+	var i IamChannelIdentityBindCode
 	err := row.Scan(
 		&i.ID,
 		&i.Token,
diff --git a/internal/db/postgres/sqlc/bots.sql.go b/internal/db/postgres/sqlc/bots.sql.go
index 5f576f24b..7621f7d2e 100644
--- a/internal/db/postgres/sqlc/bots.sql.go
+++ b/internal/db/postgres/sqlc/bots.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: bots.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/browser_contexts.sql.go b/internal/db/postgres/sqlc/browser_contexts.sql.go
index ecbe4fabd..b923569b4 100644
--- a/internal/db/postgres/sqlc/browser_contexts.sql.go
+++ b/internal/db/postgres/sqlc/browser_contexts.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: browser_contexts.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/channel_identities.sql.go b/internal/db/postgres/sqlc/channel_identities.sql.go
index 4842b7723..173dd9447 100644
--- a/internal/db/postgres/sqlc/channel_identities.sql.go
+++ b/internal/db/postgres/sqlc/channel_identities.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: channel_identities.sql
 
 package sqlc
@@ -12,7 +12,7 @@ import (
 )
 
 const createChannelIdentity = `-- name: CreateChannelIdentity :one
-INSERT INTO channel_identities (user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
+INSERT INTO iam_channel_identities (user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
 VALUES ($1, $2, $3, $4, $5, $6)
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
 `
@@ -26,7 +26,7 @@ type CreateChannelIdentityParams struct {
 	Metadata         []byte      `json:"metadata"`
 }
 
-func (q *Queries) CreateChannelIdentity(ctx context.Context, arg CreateChannelIdentityParams) (ChannelIdentity, error) {
+func (q *Queries) CreateChannelIdentity(ctx context.Context, arg CreateChannelIdentityParams) (IamChannelIdentity, error) {
 	row := q.db.QueryRow(ctx, createChannelIdentity,
 		arg.UserID,
 		arg.ChannelType,
@@ -35,7 +35,7 @@ func (q *Queries) CreateChannelIdentity(ctx context.Context, arg CreateChannelId
 		arg.AvatarUrl,
 		arg.Metadata,
 	)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -52,7 +52,7 @@ func (q *Queries) CreateChannelIdentity(ctx context.Context, arg CreateChannelId
 
 const getChannelIdentityByChannelSubject = `-- name: GetChannelIdentityByChannelSubject :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE channel_type = $1 AND channel_subject_id = $2
 `
 
@@ -61,9 +61,9 @@ type GetChannelIdentityByChannelSubjectParams struct {
 	ChannelSubjectID string `json:"channel_subject_id"`
 }
 
-func (q *Queries) GetChannelIdentityByChannelSubject(ctx context.Context, arg GetChannelIdentityByChannelSubjectParams) (ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByChannelSubject(ctx context.Context, arg GetChannelIdentityByChannelSubjectParams) (IamChannelIdentity, error) {
 	row := q.db.QueryRow(ctx, getChannelIdentityByChannelSubject, arg.ChannelType, arg.ChannelSubjectID)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -80,13 +80,13 @@ func (q *Queries) GetChannelIdentityByChannelSubject(ctx context.Context, arg Ge
 
 const getChannelIdentityByID = `-- name: GetChannelIdentityByID :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE id = $1
 `
 
-func (q *Queries) GetChannelIdentityByID(ctx context.Context, id pgtype.UUID) (ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByID(ctx context.Context, id pgtype.UUID) (IamChannelIdentity, error) {
 	row := q.db.QueryRow(ctx, getChannelIdentityByID, id)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -103,14 +103,14 @@ func (q *Queries) GetChannelIdentityByID(ctx context.Context, id pgtype.UUID) (C
 
 const getChannelIdentityByIDForUpdate = `-- name: GetChannelIdentityByIDForUpdate :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE id = $1
 FOR UPDATE
 `
 
-func (q *Queries) GetChannelIdentityByIDForUpdate(ctx context.Context, id pgtype.UUID) (ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByIDForUpdate(ctx context.Context, id pgtype.UUID) (IamChannelIdentity, error) {
 	row := q.db.QueryRow(ctx, getChannelIdentityByIDForUpdate, id)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -127,20 +127,20 @@ func (q *Queries) GetChannelIdentityByIDForUpdate(ctx context.Context, id pgtype
 
 const listChannelIdentitiesByUserID = `-- name: ListChannelIdentitiesByUserID :many
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE user_id = $1
 ORDER BY created_at DESC
 `
 
-func (q *Queries) ListChannelIdentitiesByUserID(ctx context.Context, userID pgtype.UUID) ([]ChannelIdentity, error) {
+func (q *Queries) ListChannelIdentitiesByUserID(ctx context.Context, userID pgtype.UUID) ([]IamChannelIdentity, error) {
 	rows, err := q.db.Query(ctx, listChannelIdentitiesByUserID, userID)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []ChannelIdentity
+	var items []IamChannelIdentity
 	for rows.Next() {
-		var i ChannelIdentity
+		var i IamChannelIdentity
 		if err := rows.Scan(
 			&i.ID,
 			&i.UserID,
@@ -176,8 +176,8 @@ SELECT
   u.username AS linked_username,
   u.display_name AS linked_display_name,
   u.avatar_url AS linked_avatar_url
-FROM channel_identities ci
-LEFT JOIN users u ON u.id = ci.user_id
+FROM iam_channel_identities ci
+LEFT JOIN iam_users u ON u.id = ci.user_id
 WHERE
   $1::text = ''
   OR ci.channel_type ILIKE '%' || $1::text || '%'
@@ -243,7 +243,7 @@ func (q *Queries) SearchChannelIdentities(ctx context.Context, arg SearchChannel
 }
 
 const setChannelIdentityLinkedUser = `-- name: SetChannelIdentityLinkedUser :one
-UPDATE channel_identities
+UPDATE iam_channel_identities
 SET user_id = $2, updated_at = now()
 WHERE id = $1
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
@@ -254,9 +254,9 @@ type SetChannelIdentityLinkedUserParams struct {
 	UserID pgtype.UUID `json:"user_id"`
 }
 
-func (q *Queries) SetChannelIdentityLinkedUser(ctx context.Context, arg SetChannelIdentityLinkedUserParams) (ChannelIdentity, error) {
+func (q *Queries) SetChannelIdentityLinkedUser(ctx context.Context, arg SetChannelIdentityLinkedUserParams) (IamChannelIdentity, error) {
 	row := q.db.QueryRow(ctx, setChannelIdentityLinkedUser, arg.ID, arg.UserID)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -272,14 +272,14 @@ func (q *Queries) SetChannelIdentityLinkedUser(ctx context.Context, arg SetChann
 }
 
 const upsertChannelIdentityByChannelSubject = `-- name: UpsertChannelIdentityByChannelSubject :one
-INSERT INTO channel_identities (user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
+INSERT INTO iam_channel_identities (user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
 VALUES ($1, $2, $3, $4, $5, $6)
 ON CONFLICT (channel_type, channel_subject_id)
 DO UPDATE SET
-  display_name = COALESCE(NULLIF(EXCLUDED.display_name, ''), channel_identities.display_name),
-  avatar_url = COALESCE(NULLIF(EXCLUDED.avatar_url, ''), channel_identities.avatar_url),
+  display_name = COALESCE(NULLIF(EXCLUDED.display_name, ''), iam_channel_identities.display_name),
+  avatar_url = COALESCE(NULLIF(EXCLUDED.avatar_url, ''), iam_channel_identities.avatar_url),
   metadata = EXCLUDED.metadata,
-  user_id = COALESCE(channel_identities.user_id, EXCLUDED.user_id),
+  user_id = COALESCE(iam_channel_identities.user_id, EXCLUDED.user_id),
   updated_at = now()
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
 `
@@ -293,7 +293,7 @@ type UpsertChannelIdentityByChannelSubjectParams struct {
 	Metadata         []byte      `json:"metadata"`
 }
 
-func (q *Queries) UpsertChannelIdentityByChannelSubject(ctx context.Context, arg UpsertChannelIdentityByChannelSubjectParams) (ChannelIdentity, error) {
+func (q *Queries) UpsertChannelIdentityByChannelSubject(ctx context.Context, arg UpsertChannelIdentityByChannelSubjectParams) (IamChannelIdentity, error) {
 	row := q.db.QueryRow(ctx, upsertChannelIdentityByChannelSubject,
 		arg.UserID,
 		arg.ChannelType,
@@ -302,7 +302,7 @@ func (q *Queries) UpsertChannelIdentityByChannelSubject(ctx context.Context, arg
 		arg.AvatarUrl,
 		arg.Metadata,
 	)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
diff --git a/internal/db/postgres/sqlc/channel_routes.sql.go b/internal/db/postgres/sqlc/channel_routes.sql.go
index b10d8b9e9..992276db4 100644
--- a/internal/db/postgres/sqlc/channel_routes.sql.go
+++ b/internal/db/postgres/sqlc/channel_routes.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: channel_routes.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/channels.sql.go b/internal/db/postgres/sqlc/channels.sql.go
index 45a8836f4..d0ce9f627 100644
--- a/internal/db/postgres/sqlc/channels.sql.go
+++ b/internal/db/postgres/sqlc/channels.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: channels.sql
 
 package sqlc
@@ -92,7 +92,7 @@ func (q *Queries) GetBotChannelConfigByExternalIdentity(ctx context.Context, arg
 
 const getUserChannelBinding = `-- name: GetUserChannelBinding :one
 SELECT id, user_id, channel_type, config, created_at, updated_at
-FROM user_channel_bindings
+FROM iam_user_channel_bindings
 WHERE user_id = $1 AND channel_type = $2
 LIMIT 1
 `
@@ -102,9 +102,9 @@ type GetUserChannelBindingParams struct {
 	ChannelType string      `json:"channel_type"`
 }
 
-func (q *Queries) GetUserChannelBinding(ctx context.Context, arg GetUserChannelBindingParams) (UserChannelBinding, error) {
+func (q *Queries) GetUserChannelBinding(ctx context.Context, arg GetUserChannelBindingParams) (IamUserChannelBinding, error) {
 	row := q.db.QueryRow(ctx, getUserChannelBinding, arg.UserID, arg.ChannelType)
-	var i UserChannelBinding
+	var i IamUserChannelBinding
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -158,20 +158,20 @@ func (q *Queries) ListBotChannelConfigsByType(ctx context.Context, channelType s
 
 const listUserChannelBindingsByPlatform = `-- name: ListUserChannelBindingsByPlatform :many
 SELECT id, user_id, channel_type, config, created_at, updated_at
-FROM user_channel_bindings
+FROM iam_user_channel_bindings
 WHERE channel_type = $1
 ORDER BY created_at DESC
 `
 
-func (q *Queries) ListUserChannelBindingsByPlatform(ctx context.Context, channelType string) ([]UserChannelBinding, error) {
+func (q *Queries) ListUserChannelBindingsByPlatform(ctx context.Context, channelType string) ([]IamUserChannelBinding, error) {
 	rows, err := q.db.Query(ctx, listUserChannelBindingsByPlatform, channelType)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []UserChannelBinding
+	var items []IamUserChannelBinding
 	for rows.Next() {
-		var i UserChannelBinding
+		var i IamUserChannelBinding
 		if err := rows.Scan(
 			&i.ID,
 			&i.UserID,
@@ -308,7 +308,7 @@ func (q *Queries) UpsertBotChannelConfig(ctx context.Context, arg UpsertBotChann
 }
 
 const upsertUserChannelBinding = `-- name: UpsertUserChannelBinding :one
-INSERT INTO user_channel_bindings (user_id, channel_type, config)
+INSERT INTO iam_user_channel_bindings (user_id, channel_type, config)
 VALUES ($1, $2, $3)
 ON CONFLICT (user_id, channel_type)
 DO UPDATE SET
@@ -323,9 +323,9 @@ type UpsertUserChannelBindingParams struct {
 	Config      []byte      `json:"config"`
 }
 
-func (q *Queries) UpsertUserChannelBinding(ctx context.Context, arg UpsertUserChannelBindingParams) (UserChannelBinding, error) {
+func (q *Queries) UpsertUserChannelBinding(ctx context.Context, arg UpsertUserChannelBindingParams) (IamUserChannelBinding, error) {
 	row := q.db.QueryRow(ctx, upsertUserChannelBinding, arg.UserID, arg.ChannelType, arg.Config)
-	var i UserChannelBinding
+	var i IamUserChannelBinding
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
diff --git a/internal/db/postgres/sqlc/compaction_logs.sql.go b/internal/db/postgres/sqlc/compaction_logs.sql.go
index db2622874..528c594f0 100644
--- a/internal/db/postgres/sqlc/compaction_logs.sql.go
+++ b/internal/db/postgres/sqlc/compaction_logs.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: compaction_logs.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/containers.sql.go b/internal/db/postgres/sqlc/containers.sql.go
index 5291f35f9..a9802f036 100644
--- a/internal/db/postgres/sqlc/containers.sql.go
+++ b/internal/db/postgres/sqlc/containers.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: containers.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/conversations.sql.go b/internal/db/postgres/sqlc/conversations.sql.go
index e254fba0a..e729b4ca8 100644
--- a/internal/db/postgres/sqlc/conversations.sql.go
+++ b/internal/db/postgres/sqlc/conversations.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: conversations.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/db.go b/internal/db/postgres/sqlc/db.go
index 7a5650746..693c7e5dd 100644
--- a/internal/db/postgres/sqlc/db.go
+++ b/internal/db/postgres/sqlc/db.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 
 package sqlc
 
diff --git a/internal/db/postgres/sqlc/email_bindings.sql.go b/internal/db/postgres/sqlc/email_bindings.sql.go
index c654fb326..3217d538a 100644
--- a/internal/db/postgres/sqlc/email_bindings.sql.go
+++ b/internal/db/postgres/sqlc/email_bindings.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: email_bindings.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/email_oauth_tokens.sql.go b/internal/db/postgres/sqlc/email_oauth_tokens.sql.go
index de7b94a2c..65f890907 100644
--- a/internal/db/postgres/sqlc/email_oauth_tokens.sql.go
+++ b/internal/db/postgres/sqlc/email_oauth_tokens.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: email_oauth_tokens.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/email_outbox.sql.go b/internal/db/postgres/sqlc/email_outbox.sql.go
index 42d27542d..1ddcaa116 100644
--- a/internal/db/postgres/sqlc/email_outbox.sql.go
+++ b/internal/db/postgres/sqlc/email_outbox.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: email_outbox.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/email_providers.sql.go b/internal/db/postgres/sqlc/email_providers.sql.go
index ecea39ecc..436b2cf3d 100644
--- a/internal/db/postgres/sqlc/email_providers.sql.go
+++ b/internal/db/postgres/sqlc/email_providers.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: email_providers.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/events.sql.go b/internal/db/postgres/sqlc/events.sql.go
index c5700595e..b209d171e 100644
--- a/internal/db/postgres/sqlc/events.sql.go
+++ b/internal/db/postgres/sqlc/events.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: events.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/heartbeat_logs.sql.go b/internal/db/postgres/sqlc/heartbeat_logs.sql.go
index 6efc09d6b..6db287a9c 100644
--- a/internal/db/postgres/sqlc/heartbeat_logs.sql.go
+++ b/internal/db/postgres/sqlc/heartbeat_logs.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: heartbeat_logs.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/iam.sql.go b/internal/db/postgres/sqlc/iam.sql.go
new file mode 100644
index 000000000..6d16dc8c5
--- /dev/null
+++ b/internal/db/postgres/sqlc/iam.sql.go
@@ -0,0 +1,1195 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.31.0
+// source: iam.sql
+
+package sqlc
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const assignPrincipalRole = `-- name: AssignPrincipalRole :one
+INSERT INTO iam_principal_roles (
+  principal_type, principal_id, role_id, resource_type, resource_id, source, provider_id
+)
+VALUES (
+  $1, $2, $3, $4,
+  $5, $6, $7
+)
+ON CONFLICT DO NOTHING
+RETURNING id, principal_type, principal_id, role_id, resource_type, resource_id, source, provider_id, created_at, updated_at
+`
+
+type AssignPrincipalRoleParams struct {
+	PrincipalType string      `json:"principal_type"`
+	PrincipalID   pgtype.UUID `json:"principal_id"`
+	RoleID        pgtype.UUID `json:"role_id"`
+	ResourceType  string      `json:"resource_type"`
+	ResourceID    pgtype.UUID `json:"resource_id"`
+	Source        string      `json:"source"`
+	ProviderID    pgtype.UUID `json:"provider_id"`
+}
+
+func (q *Queries) AssignPrincipalRole(ctx context.Context, arg AssignPrincipalRoleParams) (IamPrincipalRole, error) {
+	row := q.db.QueryRow(ctx, assignPrincipalRole,
+		arg.PrincipalType,
+		arg.PrincipalID,
+		arg.RoleID,
+		arg.ResourceType,
+		arg.ResourceID,
+		arg.Source,
+		arg.ProviderID,
+	)
+	var i IamPrincipalRole
+	err := row.Scan(
+		&i.ID,
+		&i.PrincipalType,
+		&i.PrincipalID,
+		&i.RoleID,
+		&i.ResourceType,
+		&i.ResourceID,
+		&i.Source,
+		&i.ProviderID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const createIAMLoginCode = `-- name: CreateIAMLoginCode :one
+INSERT INTO iam_login_codes (code_hash, user_id, identity_id, session_id, expires_at)
+VALUES ($1, $2, $3, $4, $5)
+RETURNING id, code_hash, user_id, identity_id, session_id, expires_at, used_at, created_at
+`
+
+type CreateIAMLoginCodeParams struct {
+	CodeHash   string             `json:"code_hash"`
+	UserID     pgtype.UUID        `json:"user_id"`
+	IdentityID pgtype.UUID        `json:"identity_id"`
+	SessionID  pgtype.UUID        `json:"session_id"`
+	ExpiresAt  pgtype.Timestamptz `json:"expires_at"`
+}
+
+func (q *Queries) CreateIAMLoginCode(ctx context.Context, arg CreateIAMLoginCodeParams) (IamLoginCode, error) {
+	row := q.db.QueryRow(ctx, createIAMLoginCode,
+		arg.CodeHash,
+		arg.UserID,
+		arg.IdentityID,
+		arg.SessionID,
+		arg.ExpiresAt,
+	)
+	var i IamLoginCode
+	err := row.Scan(
+		&i.ID,
+		&i.CodeHash,
+		&i.UserID,
+		&i.IdentityID,
+		&i.SessionID,
+		&i.ExpiresAt,
+		&i.UsedAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const createIAMSession = `-- name: CreateIAMSession :one
+INSERT INTO iam_sessions (user_id, identity_id, expires_at, ip_address, user_agent, metadata)
+VALUES ($1, $2, $3, $4, $5, $6)
+RETURNING id, user_id, identity_id, issued_at, expires_at, revoked_at, ip_address, user_agent, metadata, created_at, updated_at
+`
+
+type CreateIAMSessionParams struct {
+	UserID     pgtype.UUID        `json:"user_id"`
+	IdentityID pgtype.UUID        `json:"identity_id"`
+	ExpiresAt  pgtype.Timestamptz `json:"expires_at"`
+	IpAddress  pgtype.Text        `json:"ip_address"`
+	UserAgent  pgtype.Text        `json:"user_agent"`
+	Metadata   []byte             `json:"metadata"`
+}
+
+func (q *Queries) CreateIAMSession(ctx context.Context, arg CreateIAMSessionParams) (IamSession, error) {
+	row := q.db.QueryRow(ctx, createIAMSession,
+		arg.UserID,
+		arg.IdentityID,
+		arg.ExpiresAt,
+		arg.IpAddress,
+		arg.UserAgent,
+		arg.Metadata,
+	)
+	var i IamSession
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.IdentityID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.RevokedAt,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const createPasswordIdentity = `-- name: CreatePasswordIdentity :one
+INSERT INTO iam_identities (
+  user_id, provider_type, provider_id, subject, credential_secret, email, username,
+  display_name, avatar_url, raw_claims
+)
+VALUES (
+  $1, 'password', NULL, lower($2::text), $3,
+  $4, $5, $6, $7, '{}'::jsonb
+)
+ON CONFLICT (provider_type, provider_id, subject) DO UPDATE SET
+  credential_secret = EXCLUDED.credential_secret,
+  email = EXCLUDED.email,
+  username = EXCLUDED.username,
+  display_name = EXCLUDED.display_name,
+  avatar_url = EXCLUDED.avatar_url,
+  updated_at = now()
+RETURNING id, user_id, provider_type, provider_id, subject, credential_secret, email, username, display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+`
+
+type CreatePasswordIdentityParams struct {
+	UserID           pgtype.UUID `json:"user_id"`
+	Subject          string      `json:"subject"`
+	CredentialSecret pgtype.Text `json:"credential_secret"`
+	Email            pgtype.Text `json:"email"`
+	Username         pgtype.Text `json:"username"`
+	DisplayName      pgtype.Text `json:"display_name"`
+	AvatarUrl        pgtype.Text `json:"avatar_url"`
+}
+
+func (q *Queries) CreatePasswordIdentity(ctx context.Context, arg CreatePasswordIdentityParams) (IamIdentity, error) {
+	row := q.db.QueryRow(ctx, createPasswordIdentity,
+		arg.UserID,
+		arg.Subject,
+		arg.CredentialSecret,
+		arg.Email,
+		arg.Username,
+		arg.DisplayName,
+		arg.AvatarUrl,
+	)
+	var i IamIdentity
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.ProviderType,
+		&i.ProviderID,
+		&i.Subject,
+		&i.CredentialSecret,
+		&i.Email,
+		&i.Username,
+		&i.DisplayName,
+		&i.AvatarUrl,
+		&i.RawClaims,
+		&i.LastLoginAt,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const deleteIAMGroup = `-- name: DeleteIAMGroup :exec
+DELETE FROM iam_groups
+WHERE id = $1
+`
+
+func (q *Queries) DeleteIAMGroup(ctx context.Context, id pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteIAMGroup, id)
+	return err
+}
+
+const deleteIAMGroupMember = `-- name: DeleteIAMGroupMember :exec
+DELETE FROM iam_group_members
+WHERE user_id = $1
+  AND group_id = $2
+`
+
+type DeleteIAMGroupMemberParams struct {
+	UserID  pgtype.UUID `json:"user_id"`
+	GroupID pgtype.UUID `json:"group_id"`
+}
+
+func (q *Queries) DeleteIAMGroupMember(ctx context.Context, arg DeleteIAMGroupMemberParams) error {
+	_, err := q.db.Exec(ctx, deleteIAMGroupMember, arg.UserID, arg.GroupID)
+	return err
+}
+
+const deletePrincipalRole = `-- name: DeletePrincipalRole :exec
+DELETE FROM iam_principal_roles
+WHERE id = $1
+`
+
+func (q *Queries) DeletePrincipalRole(ctx context.Context, id pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deletePrincipalRole, id)
+	return err
+}
+
+const deletePrincipalRoleAssignment = `-- name: DeletePrincipalRoleAssignment :exec
+DELETE FROM iam_principal_roles pr
+USING iam_roles r
+WHERE pr.role_id = r.id
+  AND pr.principal_type = $1
+  AND pr.principal_id = $2
+  AND pr.resource_type = $3
+  AND pr.resource_id = $4
+  AND r.key = $5
+`
+
+type DeletePrincipalRoleAssignmentParams struct {
+	PrincipalType string      `json:"principal_type"`
+	PrincipalID   pgtype.UUID `json:"principal_id"`
+	ResourceType  string      `json:"resource_type"`
+	ResourceID    pgtype.UUID `json:"resource_id"`
+	RoleKey       string      `json:"role_key"`
+}
+
+func (q *Queries) DeletePrincipalRoleAssignment(ctx context.Context, arg DeletePrincipalRoleAssignmentParams) error {
+	_, err := q.db.Exec(ctx, deletePrincipalRoleAssignment,
+		arg.PrincipalType,
+		arg.PrincipalID,
+		arg.ResourceType,
+		arg.ResourceID,
+		arg.RoleKey,
+	)
+	return err
+}
+
+const deleteSSOGroupMapping = `-- name: DeleteSSOGroupMapping :exec
+DELETE FROM iam_sso_group_mappings
+WHERE provider_id = $1
+  AND external_group = $2
+`
+
+type DeleteSSOGroupMappingParams struct {
+	ProviderID    pgtype.UUID `json:"provider_id"`
+	ExternalGroup string      `json:"external_group"`
+}
+
+func (q *Queries) DeleteSSOGroupMapping(ctx context.Context, arg DeleteSSOGroupMappingParams) error {
+	_, err := q.db.Exec(ctx, deleteSSOGroupMapping, arg.ProviderID, arg.ExternalGroup)
+	return err
+}
+
+const deleteSSOProvider = `-- name: DeleteSSOProvider :exec
+DELETE FROM iam_sso_providers WHERE id = $1
+`
+
+func (q *Queries) DeleteSSOProvider(ctx context.Context, id pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteSSOProvider, id)
+	return err
+}
+
+const extendIAMSession = `-- name: ExtendIAMSession :one
+UPDATE iam_sessions
+SET expires_at = $1, updated_at = now()
+WHERE id = $2
+  AND revoked_at IS NULL
+RETURNING id, user_id, identity_id, issued_at, expires_at, revoked_at, ip_address, user_agent, metadata, created_at, updated_at
+`
+
+type ExtendIAMSessionParams struct {
+	ExpiresAt pgtype.Timestamptz `json:"expires_at"`
+	ID        pgtype.UUID        `json:"id"`
+}
+
+func (q *Queries) ExtendIAMSession(ctx context.Context, arg ExtendIAMSessionParams) (IamSession, error) {
+	row := q.db.QueryRow(ctx, extendIAMSession, arg.ExpiresAt, arg.ID)
+	var i IamSession
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.IdentityID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.RevokedAt,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getIAMGroupByID = `-- name: GetIAMGroupByID :one
+SELECT id, key, display_name, source, external_id, metadata, created_at, updated_at
+FROM iam_groups
+WHERE id = $1
+`
+
+func (q *Queries) GetIAMGroupByID(ctx context.Context, id pgtype.UUID) (IamGroup, error) {
+	row := q.db.QueryRow(ctx, getIAMGroupByID, id)
+	var i IamGroup
+	err := row.Scan(
+		&i.ID,
+		&i.Key,
+		&i.DisplayName,
+		&i.Source,
+		&i.ExternalID,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getIAMSessionByID = `-- name: GetIAMSessionByID :one
+SELECT s.id, s.user_id, s.identity_id, s.issued_at, s.expires_at, s.revoked_at, s.ip_address, s.user_agent, s.metadata, s.created_at, s.updated_at, u.is_active AS user_is_active
+FROM iam_sessions s
+JOIN iam_users u ON u.id = s.user_id
+WHERE s.id = $1
+`
+
+type GetIAMSessionByIDRow struct {
+	ID           pgtype.UUID        `json:"id"`
+	UserID       pgtype.UUID        `json:"user_id"`
+	IdentityID   pgtype.UUID        `json:"identity_id"`
+	IssuedAt     pgtype.Timestamptz `json:"issued_at"`
+	ExpiresAt    pgtype.Timestamptz `json:"expires_at"`
+	RevokedAt    pgtype.Timestamptz `json:"revoked_at"`
+	IpAddress    pgtype.Text        `json:"ip_address"`
+	UserAgent    pgtype.Text        `json:"user_agent"`
+	Metadata     []byte             `json:"metadata"`
+	CreatedAt    pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt    pgtype.Timestamptz `json:"updated_at"`
+	UserIsActive bool               `json:"user_is_active"`
+}
+
+func (q *Queries) GetIAMSessionByID(ctx context.Context, id pgtype.UUID) (GetIAMSessionByIDRow, error) {
+	row := q.db.QueryRow(ctx, getIAMSessionByID, id)
+	var i GetIAMSessionByIDRow
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.IdentityID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.RevokedAt,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+		&i.UserIsActive,
+	)
+	return i, err
+}
+
+const getIdentityByProviderSubject = `-- name: GetIdentityByProviderSubject :one
+SELECT id, user_id, provider_type, provider_id, subject, credential_secret, email, username, display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+FROM iam_identities
+WHERE provider_type = $1
+  AND provider_id IS NOT DISTINCT FROM $2::uuid
+  AND subject = $3
+`
+
+type GetIdentityByProviderSubjectParams struct {
+	ProviderType string      `json:"provider_type"`
+	ProviderID   pgtype.UUID `json:"provider_id"`
+	Subject      string      `json:"subject"`
+}
+
+func (q *Queries) GetIdentityByProviderSubject(ctx context.Context, arg GetIdentityByProviderSubjectParams) (IamIdentity, error) {
+	row := q.db.QueryRow(ctx, getIdentityByProviderSubject, arg.ProviderType, arg.ProviderID, arg.Subject)
+	var i IamIdentity
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.ProviderType,
+		&i.ProviderID,
+		&i.Subject,
+		&i.CredentialSecret,
+		&i.Email,
+		&i.Username,
+		&i.DisplayName,
+		&i.AvatarUrl,
+		&i.RawClaims,
+		&i.LastLoginAt,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getPasswordIdentityBySubject = `-- name: GetPasswordIdentityBySubject :one
+SELECT id, user_id, provider_type, provider_id, subject, credential_secret, email, username, display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+FROM iam_identities
+WHERE provider_type = 'password'
+  AND subject = lower($1::text)
+`
+
+func (q *Queries) GetPasswordIdentityBySubject(ctx context.Context, subject string) (IamIdentity, error) {
+	row := q.db.QueryRow(ctx, getPasswordIdentityBySubject, subject)
+	var i IamIdentity
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.ProviderType,
+		&i.ProviderID,
+		&i.Subject,
+		&i.CredentialSecret,
+		&i.Email,
+		&i.Username,
+		&i.DisplayName,
+		&i.AvatarUrl,
+		&i.RawClaims,
+		&i.LastLoginAt,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getRoleByKey = `-- name: GetRoleByKey :one
+SELECT id, key, scope, description, is_system, created_at, updated_at
+FROM iam_roles
+WHERE key = $1
+`
+
+func (q *Queries) GetRoleByKey(ctx context.Context, key string) (IamRole, error) {
+	row := q.db.QueryRow(ctx, getRoleByKey, key)
+	var i IamRole
+	err := row.Scan(
+		&i.ID,
+		&i.Key,
+		&i.Scope,
+		&i.Description,
+		&i.IsSystem,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getSSOProviderByID = `-- name: GetSSOProviderByID :one
+SELECT id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+FROM iam_sso_providers
+WHERE id = $1
+`
+
+func (q *Queries) GetSSOProviderByID(ctx context.Context, id pgtype.UUID) (IamSsoProvider, error) {
+	row := q.db.QueryRow(ctx, getSSOProviderByID, id)
+	var i IamSsoProvider
+	err := row.Scan(
+		&i.ID,
+		&i.Type,
+		&i.Key,
+		&i.Name,
+		&i.Enabled,
+		&i.Config,
+		&i.AttributeMapping,
+		&i.JitEnabled,
+		&i.EmailLinkingPolicy,
+		&i.TrustEmail,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getSSOProviderByKey = `-- name: GetSSOProviderByKey :one
+SELECT id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+FROM iam_sso_providers
+WHERE key = $1
+`
+
+func (q *Queries) GetSSOProviderByKey(ctx context.Context, key string) (IamSsoProvider, error) {
+	row := q.db.QueryRow(ctx, getSSOProviderByKey, key)
+	var i IamSsoProvider
+	err := row.Scan(
+		&i.ID,
+		&i.Type,
+		&i.Key,
+		&i.Name,
+		&i.Enabled,
+		&i.Config,
+		&i.AttributeMapping,
+		&i.JitEnabled,
+		&i.EmailLinkingPolicy,
+		&i.TrustEmail,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const hasPermission = `-- name: HasPermission :one
+SELECT EXISTS (
+  SELECT 1
+  FROM iam_principal_roles pr
+  JOIN iam_roles r ON r.id = pr.role_id
+  JOIN iam_role_permissions rp ON rp.role_id = r.id
+  JOIN iam_permissions p ON p.id = rp.permission_id
+  WHERE p.key = $1
+    AND pr.resource_type = $2
+    AND (pr.resource_id = $3::uuid OR pr.resource_id IS NULL)
+    AND (
+      (pr.principal_type = 'user' AND pr.principal_id = $4)
+      OR (
+        pr.principal_type = 'group'
+        AND pr.principal_id IN (
+          SELECT group_id FROM iam_group_members WHERE user_id = $4
+        )
+      )
+    )
+) AS allowed
+`
+
+type HasPermissionParams struct {
+	PermissionKey string      `json:"permission_key"`
+	ResourceType  string      `json:"resource_type"`
+	ResourceID    pgtype.UUID `json:"resource_id"`
+	UserID        pgtype.UUID `json:"user_id"`
+}
+
+func (q *Queries) HasPermission(ctx context.Context, arg HasPermissionParams) (bool, error) {
+	row := q.db.QueryRow(ctx, hasPermission,
+		arg.PermissionKey,
+		arg.ResourceType,
+		arg.ResourceID,
+		arg.UserID,
+	)
+	var allowed bool
+	err := row.Scan(&allowed)
+	return allowed, err
+}
+
+const listEnabledSSOProviders = `-- name: ListEnabledSSOProviders :many
+SELECT id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+FROM iam_sso_providers
+WHERE enabled = true
+ORDER BY name ASC
+`
+
+func (q *Queries) ListEnabledSSOProviders(ctx context.Context) ([]IamSsoProvider, error) {
+	rows, err := q.db.Query(ctx, listEnabledSSOProviders)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []IamSsoProvider
+	for rows.Next() {
+		var i IamSsoProvider
+		if err := rows.Scan(
+			&i.ID,
+			&i.Type,
+			&i.Key,
+			&i.Name,
+			&i.Enabled,
+			&i.Config,
+			&i.AttributeMapping,
+			&i.JitEnabled,
+			&i.EmailLinkingPolicy,
+			&i.TrustEmail,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listIAMGroupMembers = `-- name: ListIAMGroupMembers :many
+SELECT gm.user_id, gm.group_id, gm.source, gm.provider_id, gm.created_at, gm.updated_at, u.username, u.email, u.display_name
+FROM iam_group_members gm
+JOIN iam_users u ON u.id = gm.user_id
+WHERE gm.group_id = $1
+ORDER BY u.username ASC, u.email ASC
+`
+
+type ListIAMGroupMembersRow struct {
+	UserID      pgtype.UUID        `json:"user_id"`
+	GroupID     pgtype.UUID        `json:"group_id"`
+	Source      string             `json:"source"`
+	ProviderID  pgtype.UUID        `json:"provider_id"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt   pgtype.Timestamptz `json:"updated_at"`
+	Username    pgtype.Text        `json:"username"`
+	Email       pgtype.Text        `json:"email"`
+	DisplayName pgtype.Text        `json:"display_name"`
+}
+
+func (q *Queries) ListIAMGroupMembers(ctx context.Context, groupID pgtype.UUID) ([]ListIAMGroupMembersRow, error) {
+	rows, err := q.db.Query(ctx, listIAMGroupMembers, groupID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListIAMGroupMembersRow
+	for rows.Next() {
+		var i ListIAMGroupMembersRow
+		if err := rows.Scan(
+			&i.UserID,
+			&i.GroupID,
+			&i.Source,
+			&i.ProviderID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.Username,
+			&i.Email,
+			&i.DisplayName,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listIAMGroups = `-- name: ListIAMGroups :many
+SELECT id, key, display_name, source, external_id, metadata, created_at, updated_at
+FROM iam_groups
+ORDER BY key ASC
+`
+
+func (q *Queries) ListIAMGroups(ctx context.Context) ([]IamGroup, error) {
+	rows, err := q.db.Query(ctx, listIAMGroups)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []IamGroup
+	for rows.Next() {
+		var i IamGroup
+		if err := rows.Scan(
+			&i.ID,
+			&i.Key,
+			&i.DisplayName,
+			&i.Source,
+			&i.ExternalID,
+			&i.Metadata,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listPrincipalRoles = `-- name: ListPrincipalRoles :many
+SELECT
+  pr.id, pr.principal_type, pr.principal_id, pr.role_id, pr.resource_type, pr.resource_id, pr.source, pr.provider_id, pr.created_at, pr.updated_at,
+  r.key AS role_key,
+  r.scope AS role_scope,
+  u.username AS user_username,
+  u.email AS user_email,
+  u.display_name AS user_display_name,
+  g.key AS group_key,
+  g.display_name AS group_display_name
+FROM iam_principal_roles pr
+JOIN iam_roles r ON r.id = pr.role_id
+LEFT JOIN iam_users u ON pr.principal_type = 'user' AND u.id = pr.principal_id
+LEFT JOIN iam_groups g ON pr.principal_type = 'group' AND g.id = pr.principal_id
+WHERE pr.resource_type = $1
+  AND pr.resource_id IS NOT DISTINCT FROM $2::uuid
+ORDER BY r.key ASC, pr.principal_type ASC, user_username ASC, group_key ASC
+`
+
+type ListPrincipalRolesParams struct {
+	ResourceType string      `json:"resource_type"`
+	ResourceID   pgtype.UUID `json:"resource_id"`
+}
+
+type ListPrincipalRolesRow struct {
+	ID               pgtype.UUID        `json:"id"`
+	PrincipalType    string             `json:"principal_type"`
+	PrincipalID      pgtype.UUID        `json:"principal_id"`
+	RoleID           pgtype.UUID        `json:"role_id"`
+	ResourceType     string             `json:"resource_type"`
+	ResourceID       pgtype.UUID        `json:"resource_id"`
+	Source           string             `json:"source"`
+	ProviderID       pgtype.UUID        `json:"provider_id"`
+	CreatedAt        pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
+	RoleKey          string             `json:"role_key"`
+	RoleScope        string             `json:"role_scope"`
+	UserUsername     pgtype.Text        `json:"user_username"`
+	UserEmail        pgtype.Text        `json:"user_email"`
+	UserDisplayName  pgtype.Text        `json:"user_display_name"`
+	GroupKey         pgtype.Text        `json:"group_key"`
+	GroupDisplayName pgtype.Text        `json:"group_display_name"`
+}
+
+func (q *Queries) ListPrincipalRoles(ctx context.Context, arg ListPrincipalRolesParams) ([]ListPrincipalRolesRow, error) {
+	rows, err := q.db.Query(ctx, listPrincipalRoles, arg.ResourceType, arg.ResourceID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListPrincipalRolesRow
+	for rows.Next() {
+		var i ListPrincipalRolesRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.PrincipalType,
+			&i.PrincipalID,
+			&i.RoleID,
+			&i.ResourceType,
+			&i.ResourceID,
+			&i.Source,
+			&i.ProviderID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.RoleKey,
+			&i.RoleScope,
+			&i.UserUsername,
+			&i.UserEmail,
+			&i.UserDisplayName,
+			&i.GroupKey,
+			&i.GroupDisplayName,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listRoles = `-- name: ListRoles :many
+SELECT id, key, scope, description, is_system, created_at, updated_at
+FROM iam_roles
+ORDER BY scope ASC, key ASC
+`
+
+func (q *Queries) ListRoles(ctx context.Context) ([]IamRole, error) {
+	rows, err := q.db.Query(ctx, listRoles)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []IamRole
+	for rows.Next() {
+		var i IamRole
+		if err := rows.Scan(
+			&i.ID,
+			&i.Key,
+			&i.Scope,
+			&i.Description,
+			&i.IsSystem,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listSSOGroupMappingsByProvider = `-- name: ListSSOGroupMappingsByProvider :many
+SELECT m.id, m.provider_id, m.external_group, m.group_id, m.created_at, m.updated_at, g.key AS group_key, g.display_name AS group_display_name
+FROM iam_sso_group_mappings m
+JOIN iam_groups g ON g.id = m.group_id
+WHERE m.provider_id = $1
+ORDER BY m.external_group ASC
+`
+
+type ListSSOGroupMappingsByProviderRow struct {
+	ID               pgtype.UUID        `json:"id"`
+	ProviderID       pgtype.UUID        `json:"provider_id"`
+	ExternalGroup    string             `json:"external_group"`
+	GroupID          pgtype.UUID        `json:"group_id"`
+	CreatedAt        pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
+	GroupKey         string             `json:"group_key"`
+	GroupDisplayName string             `json:"group_display_name"`
+}
+
+func (q *Queries) ListSSOGroupMappingsByProvider(ctx context.Context, providerID pgtype.UUID) ([]ListSSOGroupMappingsByProviderRow, error) {
+	rows, err := q.db.Query(ctx, listSSOGroupMappingsByProvider, providerID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListSSOGroupMappingsByProviderRow
+	for rows.Next() {
+		var i ListSSOGroupMappingsByProviderRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.ProviderID,
+			&i.ExternalGroup,
+			&i.GroupID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.GroupKey,
+			&i.GroupDisplayName,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listSSOProviders = `-- name: ListSSOProviders :many
+SELECT id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+FROM iam_sso_providers
+ORDER BY created_at DESC
+`
+
+func (q *Queries) ListSSOProviders(ctx context.Context) ([]IamSsoProvider, error) {
+	rows, err := q.db.Query(ctx, listSSOProviders)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []IamSsoProvider
+	for rows.Next() {
+		var i IamSsoProvider
+		if err := rows.Scan(
+			&i.ID,
+			&i.Type,
+			&i.Key,
+			&i.Name,
+			&i.Enabled,
+			&i.Config,
+			&i.AttributeMapping,
+			&i.JitEnabled,
+			&i.EmailLinkingPolicy,
+			&i.TrustEmail,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const replaceSSOGroupMemberships = `-- name: ReplaceSSOGroupMemberships :exec
+WITH deleted AS (
+  DELETE FROM iam_group_members
+  WHERE user_id = $1
+    AND source = 'sso'
+    AND provider_id = $3
+)
+INSERT INTO iam_group_members (user_id, group_id, source, provider_id)
+SELECT $1, unnest($2::uuid[]), 'sso', $3
+`
+
+type ReplaceSSOGroupMembershipsParams struct {
+	UserID     pgtype.UUID   `json:"user_id"`
+	GroupIds   []pgtype.UUID `json:"group_ids"`
+	ProviderID pgtype.UUID   `json:"provider_id"`
+}
+
+func (q *Queries) ReplaceSSOGroupMemberships(ctx context.Context, arg ReplaceSSOGroupMembershipsParams) error {
+	_, err := q.db.Exec(ctx, replaceSSOGroupMemberships, arg.UserID, arg.GroupIds, arg.ProviderID)
+	return err
+}
+
+const revokeIAMSession = `-- name: RevokeIAMSession :exec
+UPDATE iam_sessions
+SET revoked_at = now(), updated_at = now()
+WHERE id = $1
+  AND revoked_at IS NULL
+`
+
+func (q *Queries) RevokeIAMSession(ctx context.Context, id pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, revokeIAMSession, id)
+	return err
+}
+
+const updateIdentityLastLogin = `-- name: UpdateIdentityLastLogin :exec
+UPDATE iam_identities
+SET last_login_at = now(), updated_at = now()
+WHERE id = $1
+`
+
+func (q *Queries) UpdateIdentityLastLogin(ctx context.Context, id pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, updateIdentityLastLogin, id)
+	return err
+}
+
+const upsertExternalIdentity = `-- name: UpsertExternalIdentity :one
+INSERT INTO iam_identities (
+  user_id, provider_type, provider_id, subject, email, username, display_name, avatar_url, raw_claims
+)
+VALUES (
+  $1, $2, $3, $4,
+  $5, $6, $7, $8, $9
+)
+ON CONFLICT (provider_type, provider_id, subject) DO UPDATE SET
+  user_id = EXCLUDED.user_id,
+  email = EXCLUDED.email,
+  username = EXCLUDED.username,
+  display_name = EXCLUDED.display_name,
+  avatar_url = EXCLUDED.avatar_url,
+  raw_claims = EXCLUDED.raw_claims,
+  updated_at = now()
+RETURNING id, user_id, provider_type, provider_id, subject, credential_secret, email, username, display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+`
+
+type UpsertExternalIdentityParams struct {
+	UserID       pgtype.UUID `json:"user_id"`
+	ProviderType string      `json:"provider_type"`
+	ProviderID   pgtype.UUID `json:"provider_id"`
+	Subject      string      `json:"subject"`
+	Email        pgtype.Text `json:"email"`
+	Username     pgtype.Text `json:"username"`
+	DisplayName  pgtype.Text `json:"display_name"`
+	AvatarUrl    pgtype.Text `json:"avatar_url"`
+	RawClaims    []byte      `json:"raw_claims"`
+}
+
+func (q *Queries) UpsertExternalIdentity(ctx context.Context, arg UpsertExternalIdentityParams) (IamIdentity, error) {
+	row := q.db.QueryRow(ctx, upsertExternalIdentity,
+		arg.UserID,
+		arg.ProviderType,
+		arg.ProviderID,
+		arg.Subject,
+		arg.Email,
+		arg.Username,
+		arg.DisplayName,
+		arg.AvatarUrl,
+		arg.RawClaims,
+	)
+	var i IamIdentity
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.ProviderType,
+		&i.ProviderID,
+		&i.Subject,
+		&i.CredentialSecret,
+		&i.Email,
+		&i.Username,
+		&i.DisplayName,
+		&i.AvatarUrl,
+		&i.RawClaims,
+		&i.LastLoginAt,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const upsertIAMGroup = `-- name: UpsertIAMGroup :one
+INSERT INTO iam_groups (id, key, display_name, source, external_id, metadata)
+VALUES ($1, $2, $3, $4, $5, $6)
+ON CONFLICT (key) DO UPDATE SET
+  display_name = EXCLUDED.display_name,
+  source = EXCLUDED.source,
+  external_id = EXCLUDED.external_id,
+  metadata = EXCLUDED.metadata,
+  updated_at = now()
+RETURNING id, key, display_name, source, external_id, metadata, created_at, updated_at
+`
+
+type UpsertIAMGroupParams struct {
+	ID          pgtype.UUID `json:"id"`
+	Key         string      `json:"key"`
+	DisplayName string      `json:"display_name"`
+	Source      string      `json:"source"`
+	ExternalID  pgtype.Text `json:"external_id"`
+	Metadata    []byte      `json:"metadata"`
+}
+
+func (q *Queries) UpsertIAMGroup(ctx context.Context, arg UpsertIAMGroupParams) (IamGroup, error) {
+	row := q.db.QueryRow(ctx, upsertIAMGroup,
+		arg.ID,
+		arg.Key,
+		arg.DisplayName,
+		arg.Source,
+		arg.ExternalID,
+		arg.Metadata,
+	)
+	var i IamGroup
+	err := row.Scan(
+		&i.ID,
+		&i.Key,
+		&i.DisplayName,
+		&i.Source,
+		&i.ExternalID,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const upsertIAMGroupMember = `-- name: UpsertIAMGroupMember :one
+INSERT INTO iam_group_members (user_id, group_id, source, provider_id)
+VALUES ($1, $2, $3, $4)
+ON CONFLICT (user_id, group_id, source, provider_id) DO UPDATE SET
+  updated_at = now()
+RETURNING user_id, group_id, source, provider_id, created_at, updated_at
+`
+
+type UpsertIAMGroupMemberParams struct {
+	UserID     pgtype.UUID `json:"user_id"`
+	GroupID    pgtype.UUID `json:"group_id"`
+	Source     string      `json:"source"`
+	ProviderID pgtype.UUID `json:"provider_id"`
+}
+
+func (q *Queries) UpsertIAMGroupMember(ctx context.Context, arg UpsertIAMGroupMemberParams) (IamGroupMember, error) {
+	row := q.db.QueryRow(ctx, upsertIAMGroupMember,
+		arg.UserID,
+		arg.GroupID,
+		arg.Source,
+		arg.ProviderID,
+	)
+	var i IamGroupMember
+	err := row.Scan(
+		&i.UserID,
+		&i.GroupID,
+		&i.Source,
+		&i.ProviderID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const upsertSSOGroupMapping = `-- name: UpsertSSOGroupMapping :one
+INSERT INTO iam_sso_group_mappings (provider_id, external_group, group_id)
+VALUES ($1, $2, $3)
+ON CONFLICT (provider_id, external_group) DO UPDATE SET
+  group_id = EXCLUDED.group_id,
+  updated_at = now()
+RETURNING id, provider_id, external_group, group_id, created_at, updated_at
+`
+
+type UpsertSSOGroupMappingParams struct {
+	ProviderID    pgtype.UUID `json:"provider_id"`
+	ExternalGroup string      `json:"external_group"`
+	GroupID       pgtype.UUID `json:"group_id"`
+}
+
+func (q *Queries) UpsertSSOGroupMapping(ctx context.Context, arg UpsertSSOGroupMappingParams) (IamSsoGroupMapping, error) {
+	row := q.db.QueryRow(ctx, upsertSSOGroupMapping, arg.ProviderID, arg.ExternalGroup, arg.GroupID)
+	var i IamSsoGroupMapping
+	err := row.Scan(
+		&i.ID,
+		&i.ProviderID,
+		&i.ExternalGroup,
+		&i.GroupID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const upsertSSOProvider = `-- name: UpsertSSOProvider :one
+INSERT INTO iam_sso_providers (
+  id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email
+)
+VALUES (
+  $1, $2, $3, $4, $5, $6,
+  $7, $8, $9, $10
+)
+ON CONFLICT (key) DO UPDATE SET
+  type = EXCLUDED.type,
+  name = EXCLUDED.name,
+  enabled = EXCLUDED.enabled,
+  config = EXCLUDED.config,
+  attribute_mapping = EXCLUDED.attribute_mapping,
+  jit_enabled = EXCLUDED.jit_enabled,
+  email_linking_policy = EXCLUDED.email_linking_policy,
+  trust_email = EXCLUDED.trust_email,
+  updated_at = now()
+RETURNING id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+`
+
+type UpsertSSOProviderParams struct {
+	ID                 pgtype.UUID `json:"id"`
+	Type               string      `json:"type"`
+	Key                string      `json:"key"`
+	Name               string      `json:"name"`
+	Enabled            bool        `json:"enabled"`
+	Config             []byte      `json:"config"`
+	AttributeMapping   []byte      `json:"attribute_mapping"`
+	JitEnabled         bool        `json:"jit_enabled"`
+	EmailLinkingPolicy string      `json:"email_linking_policy"`
+	TrustEmail         bool        `json:"trust_email"`
+}
+
+func (q *Queries) UpsertSSOProvider(ctx context.Context, arg UpsertSSOProviderParams) (IamSsoProvider, error) {
+	row := q.db.QueryRow(ctx, upsertSSOProvider,
+		arg.ID,
+		arg.Type,
+		arg.Key,
+		arg.Name,
+		arg.Enabled,
+		arg.Config,
+		arg.AttributeMapping,
+		arg.JitEnabled,
+		arg.EmailLinkingPolicy,
+		arg.TrustEmail,
+	)
+	var i IamSsoProvider
+	err := row.Scan(
+		&i.ID,
+		&i.Type,
+		&i.Key,
+		&i.Name,
+		&i.Enabled,
+		&i.Config,
+		&i.AttributeMapping,
+		&i.JitEnabled,
+		&i.EmailLinkingPolicy,
+		&i.TrustEmail,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const useIAMLoginCode = `-- name: UseIAMLoginCode :one
+UPDATE iam_login_codes
+SET used_at = now()
+WHERE code_hash = $1
+  AND used_at IS NULL
+  AND expires_at > now()
+RETURNING id, code_hash, user_id, identity_id, session_id, expires_at, used_at, created_at
+`
+
+func (q *Queries) UseIAMLoginCode(ctx context.Context, codeHash string) (IamLoginCode, error) {
+	row := q.db.QueryRow(ctx, useIAMLoginCode, codeHash)
+	var i IamLoginCode
+	err := row.Scan(
+		&i.ID,
+		&i.CodeHash,
+		&i.UserID,
+		&i.IdentityID,
+		&i.SessionID,
+		&i.ExpiresAt,
+		&i.UsedAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}
diff --git a/internal/db/postgres/sqlc/mcp.sql.go b/internal/db/postgres/sqlc/mcp.sql.go
index 84cc39d01..6146ce432 100644
--- a/internal/db/postgres/sqlc/mcp.sql.go
+++ b/internal/db/postgres/sqlc/mcp.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: mcp.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/mcp_oauth.sql.go b/internal/db/postgres/sqlc/mcp_oauth.sql.go
index d3d05d11d..ab28fe404 100644
--- a/internal/db/postgres/sqlc/mcp_oauth.sql.go
+++ b/internal/db/postgres/sqlc/mcp_oauth.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: mcp_oauth.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/media.sql.go b/internal/db/postgres/sqlc/media.sql.go
index a3035565d..f6f6c1db8 100644
--- a/internal/db/postgres/sqlc/media.sql.go
+++ b/internal/db/postgres/sqlc/media.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: media.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/memory_providers.sql.go b/internal/db/postgres/sqlc/memory_providers.sql.go
index 4bfaf5202..70c4fc4b5 100644
--- a/internal/db/postgres/sqlc/memory_providers.sql.go
+++ b/internal/db/postgres/sqlc/memory_providers.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: memory_providers.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/messages.sql.go b/internal/db/postgres/sqlc/messages.sql.go
index 668b829c3..e2dffcdd8 100644
--- a/internal/db/postgres/sqlc/messages.sql.go
+++ b/internal/db/postgres/sqlc/messages.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: messages.sql
 
 package sqlc
@@ -169,7 +169,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = $1
   AND m.created_at >= $2
@@ -263,7 +263,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = $1
   AND m.created_at >= $2
@@ -356,7 +356,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = $1
 ORDER BY m.created_at ASC
@@ -441,7 +441,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = $1
   AND m.created_at < $2
@@ -533,7 +533,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = $1
   AND m.created_at < $2
@@ -625,7 +625,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = $1
 ORDER BY m.created_at ASC
@@ -710,7 +710,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = $1
 ORDER BY m.created_at DESC
@@ -800,7 +800,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = $1
 ORDER BY m.created_at DESC
@@ -890,7 +890,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = $1
   AND m.created_at >= $2
@@ -980,7 +980,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = $1
   AND m.created_at >= $2
@@ -1298,7 +1298,7 @@ SELECT
   ci.display_name AS sender_display_name,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = $1
   AND ($2::uuid IS NULL OR m.session_id = $2::uuid)
diff --git a/internal/db/postgres/sqlc/models.go b/internal/db/postgres/sqlc/models.go
index 58df26a1b..a93f45227 100644
--- a/internal/db/postgres/sqlc/models.go
+++ b/internal/db/postgres/sqlc/models.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 
 package sqlc
 
@@ -211,29 +211,6 @@ type BrowserContext struct {
 	UpdatedAt pgtype.Timestamptz `json:"updated_at"`
 }
 
-type ChannelIdentity struct {
-	ID               pgtype.UUID        `json:"id"`
-	UserID           pgtype.UUID        `json:"user_id"`
-	ChannelType      string             `json:"channel_type"`
-	ChannelSubjectID string             `json:"channel_subject_id"`
-	DisplayName      pgtype.Text        `json:"display_name"`
-	AvatarUrl        pgtype.Text        `json:"avatar_url"`
-	Metadata         []byte             `json:"metadata"`
-	CreatedAt        pgtype.Timestamptz `json:"created_at"`
-	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
-}
-
-type ChannelIdentityBindCode struct {
-	ID                      pgtype.UUID        `json:"id"`
-	Token                   string             `json:"token"`
-	IssuedByUserID          pgtype.UUID        `json:"issued_by_user_id"`
-	ChannelType             pgtype.Text        `json:"channel_type"`
-	ExpiresAt               pgtype.Timestamptz `json:"expires_at"`
-	UsedAt                  pgtype.Timestamptz `json:"used_at"`
-	UsedByChannelIdentityID pgtype.UUID        `json:"used_by_channel_identity_id"`
-	CreatedAt               pgtype.Timestamptz `json:"created_at"`
-}
-
 type Container struct {
 	ID               pgtype.UUID        `json:"id"`
 	BotID            pgtype.UUID        `json:"bot_id"`
@@ -298,6 +275,193 @@ type EmailProvider struct {
 	UpdatedAt pgtype.Timestamptz `json:"updated_at"`
 }
 
+type IamChannelIdentity struct {
+	ID               pgtype.UUID        `json:"id"`
+	UserID           pgtype.UUID        `json:"user_id"`
+	ChannelType      string             `json:"channel_type"`
+	ChannelSubjectID string             `json:"channel_subject_id"`
+	DisplayName      pgtype.Text        `json:"display_name"`
+	AvatarUrl        pgtype.Text        `json:"avatar_url"`
+	Metadata         []byte             `json:"metadata"`
+	CreatedAt        pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamChannelIdentityBindCode struct {
+	ID                      pgtype.UUID        `json:"id"`
+	Token                   string             `json:"token"`
+	IssuedByUserID          pgtype.UUID        `json:"issued_by_user_id"`
+	ChannelType             pgtype.Text        `json:"channel_type"`
+	ExpiresAt               pgtype.Timestamptz `json:"expires_at"`
+	UsedAt                  pgtype.Timestamptz `json:"used_at"`
+	UsedByChannelIdentityID pgtype.UUID        `json:"used_by_channel_identity_id"`
+	CreatedAt               pgtype.Timestamptz `json:"created_at"`
+}
+
+type IamGroup struct {
+	ID          pgtype.UUID        `json:"id"`
+	Key         string             `json:"key"`
+	DisplayName string             `json:"display_name"`
+	Source      string             `json:"source"`
+	ExternalID  pgtype.Text        `json:"external_id"`
+	Metadata    []byte             `json:"metadata"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt   pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamGroupMember struct {
+	UserID     pgtype.UUID        `json:"user_id"`
+	GroupID    pgtype.UUID        `json:"group_id"`
+	Source     string             `json:"source"`
+	ProviderID pgtype.UUID        `json:"provider_id"`
+	CreatedAt  pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt  pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamIdentity struct {
+	ID               pgtype.UUID        `json:"id"`
+	UserID           pgtype.UUID        `json:"user_id"`
+	ProviderType     string             `json:"provider_type"`
+	ProviderID       pgtype.UUID        `json:"provider_id"`
+	Subject          string             `json:"subject"`
+	CredentialSecret pgtype.Text        `json:"credential_secret"`
+	Email            pgtype.Text        `json:"email"`
+	Username         pgtype.Text        `json:"username"`
+	DisplayName      pgtype.Text        `json:"display_name"`
+	AvatarUrl        pgtype.Text        `json:"avatar_url"`
+	RawClaims        []byte             `json:"raw_claims"`
+	LastLoginAt      pgtype.Timestamptz `json:"last_login_at"`
+	CreatedAt        pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamLoginCode struct {
+	ID         pgtype.UUID        `json:"id"`
+	CodeHash   string             `json:"code_hash"`
+	UserID     pgtype.UUID        `json:"user_id"`
+	IdentityID pgtype.UUID        `json:"identity_id"`
+	SessionID  pgtype.UUID        `json:"session_id"`
+	ExpiresAt  pgtype.Timestamptz `json:"expires_at"`
+	UsedAt     pgtype.Timestamptz `json:"used_at"`
+	CreatedAt  pgtype.Timestamptz `json:"created_at"`
+}
+
+type IamPermission struct {
+	ID          pgtype.UUID        `json:"id"`
+	Key         string             `json:"key"`
+	Description string             `json:"description"`
+	IsSystem    bool               `json:"is_system"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt   pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamPrincipalRole struct {
+	ID            pgtype.UUID        `json:"id"`
+	PrincipalType string             `json:"principal_type"`
+	PrincipalID   pgtype.UUID        `json:"principal_id"`
+	RoleID        pgtype.UUID        `json:"role_id"`
+	ResourceType  string             `json:"resource_type"`
+	ResourceID    pgtype.UUID        `json:"resource_id"`
+	Source        string             `json:"source"`
+	ProviderID    pgtype.UUID        `json:"provider_id"`
+	CreatedAt     pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt     pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamRole struct {
+	ID          pgtype.UUID        `json:"id"`
+	Key         string             `json:"key"`
+	Scope       string             `json:"scope"`
+	Description string             `json:"description"`
+	IsSystem    bool               `json:"is_system"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt   pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamRolePermission struct {
+	RoleID       pgtype.UUID        `json:"role_id"`
+	PermissionID pgtype.UUID        `json:"permission_id"`
+	CreatedAt    pgtype.Timestamptz `json:"created_at"`
+}
+
+type IamSession struct {
+	ID         pgtype.UUID        `json:"id"`
+	UserID     pgtype.UUID        `json:"user_id"`
+	IdentityID pgtype.UUID        `json:"identity_id"`
+	IssuedAt   pgtype.Timestamptz `json:"issued_at"`
+	ExpiresAt  pgtype.Timestamptz `json:"expires_at"`
+	RevokedAt  pgtype.Timestamptz `json:"revoked_at"`
+	IpAddress  pgtype.Text        `json:"ip_address"`
+	UserAgent  pgtype.Text        `json:"user_agent"`
+	Metadata   []byte             `json:"metadata"`
+	CreatedAt  pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt  pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamSsoGroupMapping struct {
+	ID            pgtype.UUID        `json:"id"`
+	ProviderID    pgtype.UUID        `json:"provider_id"`
+	ExternalGroup string             `json:"external_group"`
+	GroupID       pgtype.UUID        `json:"group_id"`
+	CreatedAt     pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt     pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamSsoProvider struct {
+	ID                 pgtype.UUID        `json:"id"`
+	Type               string             `json:"type"`
+	Key                string             `json:"key"`
+	Name               string             `json:"name"`
+	Enabled            bool               `json:"enabled"`
+	Config             []byte             `json:"config"`
+	AttributeMapping   []byte             `json:"attribute_mapping"`
+	JitEnabled         bool               `json:"jit_enabled"`
+	EmailLinkingPolicy string             `json:"email_linking_policy"`
+	TrustEmail         bool               `json:"trust_email"`
+	CreatedAt          pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt          pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamUser struct {
+	ID          pgtype.UUID        `json:"id"`
+	Username    pgtype.Text        `json:"username"`
+	Email       pgtype.Text        `json:"email"`
+	DisplayName pgtype.Text        `json:"display_name"`
+	AvatarUrl   pgtype.Text        `json:"avatar_url"`
+	Timezone    string             `json:"timezone"`
+	DataRoot    pgtype.Text        `json:"data_root"`
+	LastLoginAt pgtype.Timestamptz `json:"last_login_at"`
+	IsActive    bool               `json:"is_active"`
+	Metadata    []byte             `json:"metadata"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt   pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamUserChannelBinding struct {
+	ID          pgtype.UUID        `json:"id"`
+	UserID      pgtype.UUID        `json:"user_id"`
+	ChannelType string             `json:"channel_type"`
+	Config      []byte             `json:"config"`
+	CreatedAt   pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt   pgtype.Timestamptz `json:"updated_at"`
+}
+
+type IamUserProviderOauthToken struct {
+	ID               pgtype.UUID        `json:"id"`
+	ProviderID       pgtype.UUID        `json:"provider_id"`
+	UserID           pgtype.UUID        `json:"user_id"`
+	AccessToken      string             `json:"access_token"`
+	RefreshToken     string             `json:"refresh_token"`
+	ExpiresAt        pgtype.Timestamptz `json:"expires_at"`
+	Scope            string             `json:"scope"`
+	TokenType        string             `json:"token_type"`
+	State            string             `json:"state"`
+	PkceCodeVerifier string             `json:"pkce_code_verifier"`
+	Metadata         []byte             `json:"metadata"`
+	CreatedAt        pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
+}
+
 type LifecycleEvent struct {
 	ID          string             `json:"id"`
 	ContainerID string             `json:"container_id"`
@@ -533,45 +697,3 @@ type TtsProvider struct {
 	UpdatedAt pgtype.Timestamptz `json:"updated_at"`
 	Enable    bool               `json:"enable"`
 }
-
-type User struct {
-	ID           pgtype.UUID        `json:"id"`
-	Username     pgtype.Text        `json:"username"`
-	Email        pgtype.Text        `json:"email"`
-	PasswordHash pgtype.Text        `json:"password_hash"`
-	Role         string             `json:"role"`
-	DisplayName  pgtype.Text        `json:"display_name"`
-	AvatarUrl    pgtype.Text        `json:"avatar_url"`
-	Timezone     string             `json:"timezone"`
-	DataRoot     pgtype.Text        `json:"data_root"`
-	LastLoginAt  pgtype.Timestamptz `json:"last_login_at"`
-	IsActive     bool               `json:"is_active"`
-	Metadata     []byte             `json:"metadata"`
-	CreatedAt    pgtype.Timestamptz `json:"created_at"`
-	UpdatedAt    pgtype.Timestamptz `json:"updated_at"`
-}
-
-type UserChannelBinding struct {
-	ID          pgtype.UUID        `json:"id"`
-	UserID      pgtype.UUID        `json:"user_id"`
-	ChannelType string             `json:"channel_type"`
-	Config      []byte             `json:"config"`
-	CreatedAt   pgtype.Timestamptz `json:"created_at"`
-	UpdatedAt   pgtype.Timestamptz `json:"updated_at"`
-}
-
-type UserProviderOauthToken struct {
-	ID               pgtype.UUID        `json:"id"`
-	ProviderID       pgtype.UUID        `json:"provider_id"`
-	UserID           pgtype.UUID        `json:"user_id"`
-	AccessToken      string             `json:"access_token"`
-	RefreshToken     string             `json:"refresh_token"`
-	ExpiresAt        pgtype.Timestamptz `json:"expires_at"`
-	Scope            string             `json:"scope"`
-	TokenType        string             `json:"token_type"`
-	State            string             `json:"state"`
-	PkceCodeVerifier string             `json:"pkce_code_verifier"`
-	Metadata         []byte             `json:"metadata"`
-	CreatedAt        pgtype.Timestamptz `json:"created_at"`
-	UpdatedAt        pgtype.Timestamptz `json:"updated_at"`
-}
diff --git a/internal/db/postgres/sqlc/models.sql.go b/internal/db/postgres/sqlc/models.sql.go
index 8b0bbde98..e665fcef3 100644
--- a/internal/db/postgres/sqlc/models.sql.go
+++ b/internal/db/postgres/sqlc/models.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: models.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/network.sql.go b/internal/db/postgres/sqlc/network.sql.go
index d81339175..b8dc03232 100644
--- a/internal/db/postgres/sqlc/network.sql.go
+++ b/internal/db/postgres/sqlc/network.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: network.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/provider_oauth.sql.go b/internal/db/postgres/sqlc/provider_oauth.sql.go
index 49414e7c1..3387303bc 100644
--- a/internal/db/postgres/sqlc/provider_oauth.sql.go
+++ b/internal/db/postgres/sqlc/provider_oauth.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: provider_oauth.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/schedule.sql.go b/internal/db/postgres/sqlc/schedule.sql.go
index 06fc1d071..3101196c4 100644
--- a/internal/db/postgres/sqlc/schedule.sql.go
+++ b/internal/db/postgres/sqlc/schedule.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: schedule.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/schedule_logs.sql.go b/internal/db/postgres/sqlc/schedule_logs.sql.go
index 1717fc9da..609cbc693 100644
--- a/internal/db/postgres/sqlc/schedule_logs.sql.go
+++ b/internal/db/postgres/sqlc/schedule_logs.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: schedule_logs.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/search_providers.sql.go b/internal/db/postgres/sqlc/search_providers.sql.go
index 34fbc8b9b..d2dc77570 100644
--- a/internal/db/postgres/sqlc/search_providers.sql.go
+++ b/internal/db/postgres/sqlc/search_providers.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: search_providers.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/session_events.sql.go b/internal/db/postgres/sqlc/session_events.sql.go
index 12ff67db6..437fd7fc8 100644
--- a/internal/db/postgres/sqlc/session_events.sql.go
+++ b/internal/db/postgres/sqlc/session_events.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: session_events.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/session_info.sql.go b/internal/db/postgres/sqlc/session_info.sql.go
index 875a77455..09a48d05e 100644
--- a/internal/db/postgres/sqlc/session_info.sql.go
+++ b/internal/db/postgres/sqlc/session_info.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: session_info.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/sessions.sql.go b/internal/db/postgres/sqlc/sessions.sql.go
index 259ea2f07..b97932ca8 100644
--- a/internal/db/postgres/sqlc/sessions.sql.go
+++ b/internal/db/postgres/sqlc/sessions.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: sessions.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/settings.sql.go b/internal/db/postgres/sqlc/settings.sql.go
index 05028fa65..e740daa41 100644
--- a/internal/db/postgres/sqlc/settings.sql.go
+++ b/internal/db/postgres/sqlc/settings.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: settings.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/snapshots.sql.go b/internal/db/postgres/sqlc/snapshots.sql.go
index bbe07e667..a90064d58 100644
--- a/internal/db/postgres/sqlc/snapshots.sql.go
+++ b/internal/db/postgres/sqlc/snapshots.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: snapshots.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/token_usage.sql.go b/internal/db/postgres/sqlc/token_usage.sql.go
index 9fad06399..ff559da5d 100644
--- a/internal/db/postgres/sqlc/token_usage.sql.go
+++ b/internal/db/postgres/sqlc/token_usage.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: token_usage.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/tool_approval.sql.go b/internal/db/postgres/sqlc/tool_approval.sql.go
index 053c64588..11e81f975 100644
--- a/internal/db/postgres/sqlc/tool_approval.sql.go
+++ b/internal/db/postgres/sqlc/tool_approval.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: tool_approval.sql
 
 package sqlc
diff --git a/internal/db/postgres/sqlc/user_provider_oauth.sql.go b/internal/db/postgres/sqlc/user_provider_oauth.sql.go
index 5a2ac00ea..0809833f0 100644
--- a/internal/db/postgres/sqlc/user_provider_oauth.sql.go
+++ b/internal/db/postgres/sqlc/user_provider_oauth.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: user_provider_oauth.sql
 
 package sqlc
@@ -12,7 +12,7 @@ import (
 )
 
 const deleteUserProviderOAuthToken = `-- name: DeleteUserProviderOAuthToken :exec
-DELETE FROM user_provider_oauth_tokens
+DELETE FROM iam_user_provider_oauth_tokens
 WHERE provider_id = $1
   AND user_id = $2
 `
@@ -28,7 +28,7 @@ func (q *Queries) DeleteUserProviderOAuthToken(ctx context.Context, arg DeleteUs
 }
 
 const getUserProviderOAuthToken = `-- name: GetUserProviderOAuthToken :one
-SELECT id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata, created_at, updated_at FROM user_provider_oauth_tokens
+SELECT id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata, created_at, updated_at FROM iam_user_provider_oauth_tokens
 WHERE provider_id = $1
   AND user_id = $2
 `
@@ -38,9 +38,9 @@ type GetUserProviderOAuthTokenParams struct {
 	UserID     pgtype.UUID `json:"user_id"`
 }
 
-func (q *Queries) GetUserProviderOAuthToken(ctx context.Context, arg GetUserProviderOAuthTokenParams) (UserProviderOauthToken, error) {
+func (q *Queries) GetUserProviderOAuthToken(ctx context.Context, arg GetUserProviderOAuthTokenParams) (IamUserProviderOauthToken, error) {
 	row := q.db.QueryRow(ctx, getUserProviderOAuthToken, arg.ProviderID, arg.UserID)
-	var i UserProviderOauthToken
+	var i IamUserProviderOauthToken
 	err := row.Scan(
 		&i.ID,
 		&i.ProviderID,
@@ -60,14 +60,14 @@ func (q *Queries) GetUserProviderOAuthToken(ctx context.Context, arg GetUserProv
 }
 
 const getUserProviderOAuthTokenByState = `-- name: GetUserProviderOAuthTokenByState :one
-SELECT id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata, created_at, updated_at FROM user_provider_oauth_tokens
+SELECT id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata, created_at, updated_at FROM iam_user_provider_oauth_tokens
 WHERE state = $1
   AND state != ''
 `
 
-func (q *Queries) GetUserProviderOAuthTokenByState(ctx context.Context, state string) (UserProviderOauthToken, error) {
+func (q *Queries) GetUserProviderOAuthTokenByState(ctx context.Context, state string) (IamUserProviderOauthToken, error) {
 	row := q.db.QueryRow(ctx, getUserProviderOAuthTokenByState, state)
-	var i UserProviderOauthToken
+	var i IamUserProviderOauthToken
 	err := row.Scan(
 		&i.ID,
 		&i.ProviderID,
@@ -87,7 +87,7 @@ func (q *Queries) GetUserProviderOAuthTokenByState(ctx context.Context, state st
 }
 
 const updateUserProviderOAuthState = `-- name: UpdateUserProviderOAuthState :exec
-INSERT INTO user_provider_oauth_tokens (provider_id, user_id, state, pkce_code_verifier, metadata)
+INSERT INTO iam_user_provider_oauth_tokens (provider_id, user_id, state, pkce_code_verifier, metadata)
 VALUES (
   $1,
   $2,
@@ -122,7 +122,7 @@ func (q *Queries) UpdateUserProviderOAuthState(ctx context.Context, arg UpdateUs
 }
 
 const upsertUserProviderOAuthToken = `-- name: UpsertUserProviderOAuthToken :one
-INSERT INTO user_provider_oauth_tokens (
+INSERT INTO iam_user_provider_oauth_tokens (
   provider_id,
   user_id,
   access_token,
@@ -172,7 +172,7 @@ type UpsertUserProviderOAuthTokenParams struct {
 	Metadata         []byte             `json:"metadata"`
 }
 
-func (q *Queries) UpsertUserProviderOAuthToken(ctx context.Context, arg UpsertUserProviderOAuthTokenParams) (UserProviderOauthToken, error) {
+func (q *Queries) UpsertUserProviderOAuthToken(ctx context.Context, arg UpsertUserProviderOAuthTokenParams) (IamUserProviderOauthToken, error) {
 	row := q.db.QueryRow(ctx, upsertUserProviderOAuthToken,
 		arg.ProviderID,
 		arg.UserID,
@@ -185,7 +185,7 @@ func (q *Queries) UpsertUserProviderOAuthToken(ctx context.Context, arg UpsertUs
 		arg.PkceCodeVerifier,
 		arg.Metadata,
 	)
-	var i UserProviderOauthToken
+	var i IamUserProviderOauthToken
 	err := row.Scan(
 		&i.ID,
 		&i.ProviderID,
diff --git a/internal/db/postgres/sqlc/users.sql.go b/internal/db/postgres/sqlc/users.sql.go
index f14b58b8a..4c9cb7adc 100644
--- a/internal/db/postgres/sqlc/users.sql.go
+++ b/internal/db/postgres/sqlc/users.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: users.sql
 
 package sqlc
@@ -12,10 +12,10 @@ import (
 )
 
 const countAccounts = `-- name: CountAccounts :one
-SELECT COUNT(*)::bigint AS count
-FROM users
-WHERE username IS NOT NULL
-  AND password_hash IS NOT NULL
+SELECT COUNT(DISTINCT u.id)::bigint AS count
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
 `
 
 func (q *Queries) CountAccounts(ctx context.Context) (int64, error) {
@@ -26,51 +26,43 @@ func (q *Queries) CountAccounts(ctx context.Context) (int64, error) {
 }
 
 const createAccount = `-- name: CreateAccount :one
-UPDATE users
+UPDATE iam_users
 SET username = $1,
     email = $2,
-    password_hash = $3,
-    role = $4::user_role,
-    display_name = $5,
-    avatar_url = $6,
-    is_active = $7,
-    data_root = $8,
+    display_name = $3,
+    avatar_url = $4,
+    is_active = $5,
+    data_root = $6,
     updated_at = now()
-WHERE id = $9
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+WHERE id = $7
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type CreateAccountParams struct {
-	Username     pgtype.Text `json:"username"`
-	Email        pgtype.Text `json:"email"`
-	PasswordHash pgtype.Text `json:"password_hash"`
-	Role         string      `json:"role"`
-	DisplayName  pgtype.Text `json:"display_name"`
-	AvatarUrl    pgtype.Text `json:"avatar_url"`
-	IsActive     bool        `json:"is_active"`
-	DataRoot     pgtype.Text `json:"data_root"`
-	UserID       pgtype.UUID `json:"user_id"`
+	Username    pgtype.Text `json:"username"`
+	Email       pgtype.Text `json:"email"`
+	DisplayName pgtype.Text `json:"display_name"`
+	AvatarUrl   pgtype.Text `json:"avatar_url"`
+	IsActive    bool        `json:"is_active"`
+	DataRoot    pgtype.Text `json:"data_root"`
+	UserID      pgtype.UUID `json:"user_id"`
 }
 
-func (q *Queries) CreateAccount(ctx context.Context, arg CreateAccountParams) (User, error) {
+func (q *Queries) CreateAccount(ctx context.Context, arg CreateAccountParams) (IamUser, error) {
 	row := q.db.QueryRow(ctx, createAccount,
 		arg.Username,
 		arg.Email,
-		arg.PasswordHash,
-		arg.Role,
 		arg.DisplayName,
 		arg.AvatarUrl,
 		arg.IsActive,
 		arg.DataRoot,
 		arg.UserID,
 	)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -85,9 +77,9 @@ func (q *Queries) CreateAccount(ctx context.Context, arg CreateAccountParams) (U
 }
 
 const createUser = `-- name: CreateUser :one
-INSERT INTO users (is_active, metadata)
+INSERT INTO iam_users (is_active, metadata)
 VALUES ($1, $2)
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type CreateUserParams struct {
@@ -95,15 +87,13 @@ type CreateUserParams struct {
 	Metadata []byte `json:"metadata"`
 }
 
-func (q *Queries) CreateUser(ctx context.Context, arg CreateUserParams) (User, error) {
+func (q *Queries) CreateUser(ctx context.Context, arg CreateUserParams) (IamUser, error) {
 	row := q.db.QueryRow(ctx, createUser, arg.IsActive, arg.Metadata)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -118,18 +108,21 @@ func (q *Queries) CreateUser(ctx context.Context, arg CreateUserParams) (User, e
 }
 
 const getAccountByIdentity = `-- name: GetAccountByIdentity :one
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at FROM users WHERE username = $1 OR email = $1
+SELECT u.id, u.username, u.email, u.display_name, u.avatar_url, u.timezone, u.data_root, u.last_login_at, u.is_active, u.metadata, u.created_at, u.updated_at
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
+  AND (i.subject = lower($1::text) OR lower(COALESCE(i.email, '')) = lower($1::text))
+LIMIT 1
 `
 
-func (q *Queries) GetAccountByIdentity(ctx context.Context, identity pgtype.Text) (User, error) {
+func (q *Queries) GetAccountByIdentity(ctx context.Context, identity string) (IamUser, error) {
 	row := q.db.QueryRow(ctx, getAccountByIdentity, identity)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -144,18 +137,16 @@ func (q *Queries) GetAccountByIdentity(ctx context.Context, identity pgtype.Text
 }
 
 const getAccountByUserID = `-- name: GetAccountByUserID :one
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at FROM users WHERE id = $1
+SELECT id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at FROM iam_users WHERE id = $1
 `
 
-func (q *Queries) GetAccountByUserID(ctx context.Context, userID pgtype.UUID) (User, error) {
+func (q *Queries) GetAccountByUserID(ctx context.Context, userID pgtype.UUID) (IamUser, error) {
 	row := q.db.QueryRow(ctx, getAccountByUserID, userID)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -170,20 +161,18 @@ func (q *Queries) GetAccountByUserID(ctx context.Context, userID pgtype.UUID) (U
 }
 
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
-FROM users
+SELECT id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+FROM iam_users
 WHERE id = $1
 `
 
-func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error) {
+func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (IamUser, error) {
 	row := q.db.QueryRow(ctx, getUserByID, id)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -198,26 +187,26 @@ func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (User, error)
 }
 
 const listAccounts = `-- name: ListAccounts :many
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at FROM users
-WHERE username IS NOT NULL
-ORDER BY created_at DESC
+SELECT DISTINCT u.id, u.username, u.email, u.display_name, u.avatar_url, u.timezone, u.data_root, u.last_login_at, u.is_active, u.metadata, u.created_at, u.updated_at
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
+ORDER BY u.created_at DESC
 `
 
-func (q *Queries) ListAccounts(ctx context.Context) ([]User, error) {
+func (q *Queries) ListAccounts(ctx context.Context) ([]IamUser, error) {
 	rows, err := q.db.Query(ctx, listAccounts)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []User
+	var items []IamUser
 	for rows.Next() {
-		var i User
+		var i IamUser
 		if err := rows.Scan(
 			&i.ID,
 			&i.Username,
 			&i.Email,
-			&i.PasswordHash,
-			&i.Role,
 			&i.DisplayName,
 			&i.AvatarUrl,
 			&i.Timezone,
@@ -239,16 +228,17 @@ func (q *Queries) ListAccounts(ctx context.Context) ([]User, error) {
 }
 
 const searchAccounts = `-- name: SearchAccounts :many
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
-FROM users
-WHERE username IS NOT NULL
+SELECT DISTINCT u.id, u.username, u.email, u.display_name, u.avatar_url, u.timezone, u.data_root, u.last_login_at, u.is_active, u.metadata, u.created_at, u.updated_at
+FROM iam_users u
+LEFT JOIN iam_identities i ON i.user_id = u.id AND i.provider_type = 'password'
+WHERE i.id IS NOT NULL
   AND (
     $1::text = ''
-    OR username ILIKE '%' || $1::text || '%'
-    OR COALESCE(display_name, '') ILIKE '%' || $1::text || '%'
-    OR COALESCE(email, '') ILIKE '%' || $1::text || '%'
+    OR u.username ILIKE '%' || $1::text || '%'
+    OR COALESCE(u.display_name, '') ILIKE '%' || $1::text || '%'
+    OR COALESCE(u.email, '') ILIKE '%' || $1::text || '%'
   )
-ORDER BY last_login_at DESC NULLS LAST, created_at DESC
+ORDER BY u.last_login_at DESC NULLS LAST, u.created_at DESC
 LIMIT $2
 `
 
@@ -257,21 +247,19 @@ type SearchAccountsParams struct {
 	LimitCount int32  `json:"limit_count"`
 }
 
-func (q *Queries) SearchAccounts(ctx context.Context, arg SearchAccountsParams) ([]User, error) {
+func (q *Queries) SearchAccounts(ctx context.Context, arg SearchAccountsParams) ([]IamUser, error) {
 	rows, err := q.db.Query(ctx, searchAccounts, arg.Query, arg.LimitCount)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []User
+	var items []IamUser
 	for rows.Next() {
-		var i User
+		var i IamUser
 		if err := rows.Scan(
 			&i.ID,
 			&i.Username,
 			&i.Email,
-			&i.PasswordHash,
-			&i.Role,
 			&i.DisplayName,
 			&i.AvatarUrl,
 			&i.Timezone,
@@ -293,39 +281,34 @@ func (q *Queries) SearchAccounts(ctx context.Context, arg SearchAccountsParams)
 }
 
 const updateAccountAdmin = `-- name: UpdateAccountAdmin :one
-UPDATE users
-SET role = $1::user_role,
-    display_name = $2,
-    avatar_url = $3,
-    is_active = $4,
+UPDATE iam_users
+SET display_name = $1,
+    avatar_url = $2,
+    is_active = $3,
     updated_at = now()
-WHERE id = $5
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+WHERE id = $4
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type UpdateAccountAdminParams struct {
-	Role        string      `json:"role"`
 	DisplayName pgtype.Text `json:"display_name"`
 	AvatarUrl   pgtype.Text `json:"avatar_url"`
 	IsActive    bool        `json:"is_active"`
 	UserID      pgtype.UUID `json:"user_id"`
 }
 
-func (q *Queries) UpdateAccountAdmin(ctx context.Context, arg UpdateAccountAdminParams) (User, error) {
+func (q *Queries) UpdateAccountAdmin(ctx context.Context, arg UpdateAccountAdminParams) (IamUser, error) {
 	row := q.db.QueryRow(ctx, updateAccountAdmin,
-		arg.Role,
 		arg.DisplayName,
 		arg.AvatarUrl,
 		arg.IsActive,
 		arg.UserID,
 	)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -340,22 +323,20 @@ func (q *Queries) UpdateAccountAdmin(ctx context.Context, arg UpdateAccountAdmin
 }
 
 const updateAccountLastLogin = `-- name: UpdateAccountLastLogin :one
-UPDATE users
+UPDATE iam_users
 SET last_login_at = now(),
     updated_at = now()
 WHERE id = $1
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
-func (q *Queries) UpdateAccountLastLogin(ctx context.Context, id pgtype.UUID) (User, error) {
+func (q *Queries) UpdateAccountLastLogin(ctx context.Context, id pgtype.UUID) (IamUser, error) {
 	row := q.db.QueryRow(ctx, updateAccountLastLogin, id)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -370,27 +351,31 @@ func (q *Queries) UpdateAccountLastLogin(ctx context.Context, id pgtype.UUID) (U
 }
 
 const updateAccountPassword = `-- name: UpdateAccountPassword :one
-UPDATE users
-SET password_hash = $2,
-    updated_at = now()
-WHERE id = $1
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+WITH updated AS (
+  UPDATE iam_identities
+  SET credential_secret = $1,
+      updated_at = now()
+  WHERE user_id = $2
+    AND provider_type = 'password'
+  RETURNING user_id
+)
+SELECT u.id, u.username, u.email, u.display_name, u.avatar_url, u.timezone, u.data_root, u.last_login_at, u.is_active, u.metadata, u.created_at, u.updated_at
+FROM iam_users u
+JOIN updated ON updated.user_id = u.id
 `
 
 type UpdateAccountPasswordParams struct {
-	ID           pgtype.UUID `json:"id"`
 	PasswordHash pgtype.Text `json:"password_hash"`
+	UserID       pgtype.UUID `json:"user_id"`
 }
 
-func (q *Queries) UpdateAccountPassword(ctx context.Context, arg UpdateAccountPasswordParams) (User, error) {
-	row := q.db.QueryRow(ctx, updateAccountPassword, arg.ID, arg.PasswordHash)
-	var i User
+func (q *Queries) UpdateAccountPassword(ctx context.Context, arg UpdateAccountPasswordParams) (IamUser, error) {
+	row := q.db.QueryRow(ctx, updateAccountPassword, arg.PasswordHash, arg.UserID)
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -405,14 +390,14 @@ func (q *Queries) UpdateAccountPassword(ctx context.Context, arg UpdateAccountPa
 }
 
 const updateAccountProfile = `-- name: UpdateAccountProfile :one
-UPDATE users
+UPDATE iam_users
 SET display_name = $2,
     avatar_url = $3,
     timezone = $4,
     is_active = $5,
     updated_at = now()
 WHERE id = $1
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type UpdateAccountProfileParams struct {
@@ -423,7 +408,7 @@ type UpdateAccountProfileParams struct {
 	IsActive    bool        `json:"is_active"`
 }
 
-func (q *Queries) UpdateAccountProfile(ctx context.Context, arg UpdateAccountProfileParams) (User, error) {
+func (q *Queries) UpdateAccountProfile(ctx context.Context, arg UpdateAccountProfileParams) (IamUser, error) {
 	row := q.db.QueryRow(ctx, updateAccountProfile,
 		arg.ID,
 		arg.DisplayName,
@@ -431,13 +416,11 @@ func (q *Queries) UpdateAccountProfile(ctx context.Context, arg UpdateAccountPro
 		arg.Timezone,
 		arg.IsActive,
 	)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -452,62 +435,52 @@ func (q *Queries) UpdateAccountProfile(ctx context.Context, arg UpdateAccountPro
 }
 
 const upsertAccountByUsername = `-- name: UpsertAccountByUsername :one
-INSERT INTO users (id, username, email, password_hash, role, display_name, avatar_url, is_active, data_root, metadata)
+INSERT INTO iam_users (id, username, email, display_name, avatar_url, is_active, data_root, metadata)
 VALUES (
   $1,
   $2,
   $3,
   $4,
-  $5::user_role,
+  $5,
   $6,
   $7,
-  $8,
-  $9,
   '{}'::jsonb
 )
 ON CONFLICT (username) DO UPDATE SET
   email = EXCLUDED.email,
-  password_hash = EXCLUDED.password_hash,
-  role = EXCLUDED.role,
   display_name = EXCLUDED.display_name,
   avatar_url = EXCLUDED.avatar_url,
   is_active = EXCLUDED.is_active,
   data_root = EXCLUDED.data_root,
   updated_at = now()
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type UpsertAccountByUsernameParams struct {
-	UserID       pgtype.UUID `json:"user_id"`
-	Username     pgtype.Text `json:"username"`
-	Email        pgtype.Text `json:"email"`
-	PasswordHash pgtype.Text `json:"password_hash"`
-	Role         string      `json:"role"`
-	DisplayName  pgtype.Text `json:"display_name"`
-	AvatarUrl    pgtype.Text `json:"avatar_url"`
-	IsActive     bool        `json:"is_active"`
-	DataRoot     pgtype.Text `json:"data_root"`
+	UserID      pgtype.UUID `json:"user_id"`
+	Username    pgtype.Text `json:"username"`
+	Email       pgtype.Text `json:"email"`
+	DisplayName pgtype.Text `json:"display_name"`
+	AvatarUrl   pgtype.Text `json:"avatar_url"`
+	IsActive    bool        `json:"is_active"`
+	DataRoot    pgtype.Text `json:"data_root"`
 }
 
-func (q *Queries) UpsertAccountByUsername(ctx context.Context, arg UpsertAccountByUsernameParams) (User, error) {
+func (q *Queries) UpsertAccountByUsername(ctx context.Context, arg UpsertAccountByUsernameParams) (IamUser, error) {
 	row := q.db.QueryRow(ctx, upsertAccountByUsername,
 		arg.UserID,
 		arg.Username,
 		arg.Email,
-		arg.PasswordHash,
-		arg.Role,
 		arg.DisplayName,
 		arg.AvatarUrl,
 		arg.IsActive,
 		arg.DataRoot,
 	)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
diff --git a/internal/db/postgres/sqlc/versions.sql.go b/internal/db/postgres/sqlc/versions.sql.go
index 91d67a13b..846f3444f 100644
--- a/internal/db/postgres/sqlc/versions.sql.go
+++ b/internal/db/postgres/sqlc/versions.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: versions.sql
 
 package sqlc
diff --git a/internal/db/postgres/store/accounts.go b/internal/db/postgres/store/accounts.go
index 1168eb4e6..b99e79b81 100644
--- a/internal/db/postgres/store/accounts.go
+++ b/internal/db/postgres/store/accounts.go
@@ -25,15 +25,15 @@ func (s *Store) GetByUserID(ctx context.Context, userID string) (dbstore.Account
 	if err != nil {
 		return dbstore.AccountRecord{}, mapQueryErr(err)
 	}
-	return accountRecord(row), nil
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) GetByIdentity(ctx context.Context, identity string) (dbstore.AccountRecord, error) {
-	row, err := s.queries.GetAccountByIdentity(ctx, pgtype.Text{String: identity, Valid: identity != ""})
+	row, err := s.queries.GetAccountByIdentity(ctx, identity)
 	if err != nil {
 		return dbstore.AccountRecord{}, mapQueryErr(err)
 	}
-	return accountRecord(row), nil
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) List(ctx context.Context) ([]dbstore.AccountRecord, error) {
@@ -41,7 +41,7 @@ func (s *Store) List(ctx context.Context) ([]dbstore.AccountRecord, error) {
 	if err != nil {
 		return nil, err
 	}
-	return accountRecords(rows), nil
+	return s.accountRecords(ctx, rows), nil
 }
 
 func (s *Store) Search(ctx context.Context, query string, limit int32) ([]dbstore.AccountRecord, error) {
@@ -52,7 +52,7 @@ func (s *Store) Search(ctx context.Context, query string, limit int32) ([]dbstor
 	if err != nil {
 		return nil, err
 	}
-	return accountRecords(rows), nil
+	return s.accountRecords(ctx, rows), nil
 }
 
 func (s *Store) CreateUser(ctx context.Context, input dbstore.CreateUserInput) (dbstore.AccountRecord, error) {
@@ -63,7 +63,7 @@ func (s *Store) CreateUser(ctx context.Context, input dbstore.CreateUserInput) (
 	if err != nil {
 		return dbstore.AccountRecord{}, err
 	}
-	return accountRecord(row), nil
+	return baseAccountRecord(row), nil
 }
 
 func (s *Store) CreateAccount(ctx context.Context, input dbstore.CreateAccountInput) (dbstore.AccountRecord, error) {
@@ -72,20 +72,30 @@ func (s *Store) CreateAccount(ctx context.Context, input dbstore.CreateAccountIn
 		return dbstore.AccountRecord{}, err
 	}
 	row, err := s.queries.CreateAccount(ctx, dbsqlc.CreateAccountParams{
-		UserID:       userID,
-		Username:     text(input.Username),
-		Email:        optionalText(input.Email),
-		PasswordHash: text(input.PasswordHash),
-		Role:         input.Role,
-		DisplayName:  optionalText(input.DisplayName),
-		AvatarUrl:    optionalText(input.AvatarURL),
-		IsActive:     input.IsActive,
-		DataRoot:     optionalText(input.DataRoot),
+		UserID:      userID,
+		Username:    text(input.Username),
+		Email:       optionalText(input.Email),
+		DisplayName: optionalText(input.DisplayName),
+		AvatarUrl:   optionalText(input.AvatarURL),
+		IsActive:    input.IsActive,
+		DataRoot:    optionalText(input.DataRoot),
 	})
 	if err != nil {
 		return dbstore.AccountRecord{}, err
 	}
-	return accountRecord(row), nil
+	_, err = s.queries.CreatePasswordIdentity(ctx, dbsqlc.CreatePasswordIdentityParams{
+		UserID:           userID,
+		Subject:          input.Username,
+		CredentialSecret: text(input.PasswordHash),
+		Email:            optionalText(input.Email),
+		Username:         text(input.Username),
+		DisplayName:      optionalText(input.DisplayName),
+		AvatarUrl:        optionalText(input.AvatarURL),
+	})
+	if err != nil {
+		return dbstore.AccountRecord{}, err
+	}
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) UpdateLastLogin(ctx context.Context, accountID string) error {
@@ -104,7 +114,6 @@ func (s *Store) UpdateAdmin(ctx context.Context, input dbstore.UpdateAccountAdmi
 	}
 	row, err := s.queries.UpdateAccountAdmin(ctx, dbsqlc.UpdateAccountAdminParams{
 		UserID:      userID,
-		Role:        input.Role,
 		DisplayName: optionalText(input.DisplayName),
 		AvatarUrl:   optionalText(input.AvatarURL),
 		IsActive:    input.IsActive,
@@ -112,7 +121,7 @@ func (s *Store) UpdateAdmin(ctx context.Context, input dbstore.UpdateAccountAdmi
 	if err != nil {
 		return dbstore.AccountRecord{}, mapQueryErr(err)
 	}
-	return accountRecord(row), nil
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) UpdateProfile(ctx context.Context, input dbstore.UpdateAccountProfileInput) (dbstore.AccountRecord, error) {
@@ -130,7 +139,7 @@ func (s *Store) UpdateProfile(ctx context.Context, input dbstore.UpdateAccountPr
 	if err != nil {
 		return dbstore.AccountRecord{}, mapQueryErr(err)
 	}
-	return accountRecord(row), nil
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) UpdatePassword(ctx context.Context, input dbstore.UpdateAccountPasswordInput) error {
@@ -139,7 +148,7 @@ func (s *Store) UpdatePassword(ctx context.Context, input dbstore.UpdateAccountP
 		return err
 	}
 	_, err = s.queries.UpdateAccountPassword(ctx, dbsqlc.UpdateAccountPasswordParams{
-		ID:           userID,
+		UserID:       userID,
 		PasswordHash: text(input.PasswordHash),
 	})
 	return mapQueryErr(err)
@@ -160,26 +169,35 @@ func optionalText(value string) pgtype.Text {
 	return pgtype.Text{String: value, Valid: value != ""}
 }
 
-func accountRecords(rows []dbsqlc.User) []dbstore.AccountRecord {
+func (s *Store) accountRecords(ctx context.Context, rows []dbsqlc.IamUser) []dbstore.AccountRecord {
 	items := make([]dbstore.AccountRecord, 0, len(rows))
 	for _, row := range rows {
-		items = append(items, accountRecord(row))
+		items = append(items, s.accountRecord(ctx, row))
 	}
 	return items
 }
 
-func accountRecord(row dbsqlc.User) dbstore.AccountRecord {
+func (s *Store) accountRecord(ctx context.Context, row dbsqlc.IamUser) dbstore.AccountRecord {
+	rec := baseAccountRecord(row)
+	if row.Username.Valid {
+		identity, err := s.queries.GetPasswordIdentityBySubject(ctx, row.Username.String)
+		if err == nil {
+			rec.PasswordHash = identity.CredentialSecret.String
+			rec.HasPasswordHash = identity.CredentialSecret.Valid
+		}
+	}
+	return rec
+}
+
+func baseAccountRecord(row dbsqlc.IamUser) dbstore.AccountRecord {
 	rec := dbstore.AccountRecord{
-		ID:              row.ID.String(),
-		Username:        row.Username.String,
-		Email:           row.Email.String,
-		Role:            row.Role,
-		DisplayName:     row.DisplayName.String,
-		AvatarURL:       row.AvatarUrl.String,
-		Timezone:        row.Timezone,
-		PasswordHash:    row.PasswordHash.String,
-		HasPasswordHash: row.PasswordHash.Valid,
-		IsActive:        row.IsActive,
+		ID:          row.ID.String(),
+		Username:    row.Username.String,
+		Email:       row.Email.String,
+		DisplayName: row.DisplayName.String,
+		AvatarURL:   row.AvatarUrl.String,
+		Timezone:    row.Timezone,
+		IsActive:    row.IsActive,
 	}
 	if row.CreatedAt.Valid {
 		rec.CreatedAt = row.CreatedAt.Time
diff --git a/internal/db/sqlite/sqlc/acl.sql.go b/internal/db/sqlite/sqlc/acl.sql.go
index 24dab947e..a3b8d8c7b 100644
--- a/internal/db/sqlite/sqlc/acl.sql.go
+++ b/internal/db/sqlite/sqlc/acl.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: acl.sql
 
 package sqlc
@@ -190,8 +190,8 @@ SELECT
   linked.display_name AS linked_user_display_name,
   linked.avatar_url AS linked_user_avatar_url
 FROM bot_acl_rules r
-LEFT JOIN channel_identities ci ON ci.id = r.channel_identity_id
-LEFT JOIN users linked ON linked.id = ci.user_id
+LEFT JOIN iam_channel_identities ci ON ci.id = r.channel_identity_id
+LEFT JOIN iam_users linked ON linked.id = ci.user_id
 WHERE r.bot_id = ?1
   AND r.action = 'chat.trigger'
 ORDER BY r.priority ASC, r.created_at ASC
diff --git a/internal/db/sqlite/sqlc/bind.sql.go b/internal/db/sqlite/sqlc/bind.sql.go
index 54cdf55d6..8ca2590d3 100644
--- a/internal/db/sqlite/sqlc/bind.sql.go
+++ b/internal/db/sqlite/sqlc/bind.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: bind.sql
 
 package sqlc
@@ -11,7 +11,7 @@ import (
 )
 
 const createBindCode = `-- name: CreateBindCode :one
-INSERT INTO channel_identity_bind_codes (id, token, issued_by_user_id, channel_type, expires_at)
+INSERT INTO iam_channel_identity_bind_codes (id, token, issued_by_user_id, channel_type, expires_at)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -33,14 +33,14 @@ type CreateBindCodeParams struct {
 	ExpiresAt      sql.NullString `json:"expires_at"`
 }
 
-func (q *Queries) CreateBindCode(ctx context.Context, arg CreateBindCodeParams) (ChannelIdentityBindCode, error) {
+func (q *Queries) CreateBindCode(ctx context.Context, arg CreateBindCodeParams) (IamChannelIdentityBindCode, error) {
 	row := q.db.QueryRowContext(ctx, createBindCode,
 		arg.Token,
 		arg.IssuedByUserID,
 		arg.ChannelType,
 		arg.ExpiresAt,
 	)
-	var i ChannelIdentityBindCode
+	var i IamChannelIdentityBindCode
 	err := row.Scan(
 		&i.ID,
 		&i.Token,
@@ -56,13 +56,13 @@ func (q *Queries) CreateBindCode(ctx context.Context, arg CreateBindCodeParams)
 
 const getBindCode = `-- name: GetBindCode :one
 SELECT id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
-FROM channel_identity_bind_codes
+FROM iam_channel_identity_bind_codes
 WHERE token = ?1
 `
 
-func (q *Queries) GetBindCode(ctx context.Context, token string) (ChannelIdentityBindCode, error) {
+func (q *Queries) GetBindCode(ctx context.Context, token string) (IamChannelIdentityBindCode, error) {
 	row := q.db.QueryRowContext(ctx, getBindCode, token)
-	var i ChannelIdentityBindCode
+	var i IamChannelIdentityBindCode
 	err := row.Scan(
 		&i.ID,
 		&i.Token,
@@ -78,13 +78,13 @@ func (q *Queries) GetBindCode(ctx context.Context, token string) (ChannelIdentit
 
 const getBindCodeForUpdate = `-- name: GetBindCodeForUpdate :one
 SELECT id, token, issued_by_user_id, channel_type, expires_at, used_at, used_by_channel_identity_id, created_at
-FROM channel_identity_bind_codes
+FROM iam_channel_identity_bind_codes
 WHERE token = ?1
 `
 
-func (q *Queries) GetBindCodeForUpdate(ctx context.Context, token string) (ChannelIdentityBindCode, error) {
+func (q *Queries) GetBindCodeForUpdate(ctx context.Context, token string) (IamChannelIdentityBindCode, error) {
 	row := q.db.QueryRowContext(ctx, getBindCodeForUpdate, token)
-	var i ChannelIdentityBindCode
+	var i IamChannelIdentityBindCode
 	err := row.Scan(
 		&i.ID,
 		&i.Token,
@@ -99,7 +99,7 @@ func (q *Queries) GetBindCodeForUpdate(ctx context.Context, token string) (Chann
 }
 
 const markBindCodeUsed = `-- name: MarkBindCodeUsed :one
-UPDATE channel_identity_bind_codes
+UPDATE iam_channel_identity_bind_codes
 SET used_at = CURRENT_TIMESTAMP, used_by_channel_identity_id = ?1
 WHERE id = ?2
   AND used_at IS NULL
@@ -111,9 +111,9 @@ type MarkBindCodeUsedParams struct {
 	ID                      string         `json:"id"`
 }
 
-func (q *Queries) MarkBindCodeUsed(ctx context.Context, arg MarkBindCodeUsedParams) (ChannelIdentityBindCode, error) {
+func (q *Queries) MarkBindCodeUsed(ctx context.Context, arg MarkBindCodeUsedParams) (IamChannelIdentityBindCode, error) {
 	row := q.db.QueryRowContext(ctx, markBindCodeUsed, arg.UsedByChannelIdentityID, arg.ID)
-	var i ChannelIdentityBindCode
+	var i IamChannelIdentityBindCode
 	err := row.Scan(
 		&i.ID,
 		&i.Token,
diff --git a/internal/db/sqlite/sqlc/bots.sql.go b/internal/db/sqlite/sqlc/bots.sql.go
index 3ed00058d..884d65653 100644
--- a/internal/db/sqlite/sqlc/bots.sql.go
+++ b/internal/db/sqlite/sqlc/bots.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: bots.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/browser_contexts.sql.go b/internal/db/sqlite/sqlc/browser_contexts.sql.go
index 05c9724d4..bcde31e72 100644
--- a/internal/db/sqlite/sqlc/browser_contexts.sql.go
+++ b/internal/db/sqlite/sqlc/browser_contexts.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: browser_contexts.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/channel_identities.sql.go b/internal/db/sqlite/sqlc/channel_identities.sql.go
index e21dc5f75..e1d4fff42 100644
--- a/internal/db/sqlite/sqlc/channel_identities.sql.go
+++ b/internal/db/sqlite/sqlc/channel_identities.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: channel_identities.sql
 
 package sqlc
@@ -11,7 +11,7 @@ import (
 )
 
 const createChannelIdentity = `-- name: CreateChannelIdentity :one
-INSERT INTO channel_identities (id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
+INSERT INTO iam_channel_identities (id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -37,7 +37,7 @@ type CreateChannelIdentityParams struct {
 	Metadata         string         `json:"metadata"`
 }
 
-func (q *Queries) CreateChannelIdentity(ctx context.Context, arg CreateChannelIdentityParams) (ChannelIdentity, error) {
+func (q *Queries) CreateChannelIdentity(ctx context.Context, arg CreateChannelIdentityParams) (IamChannelIdentity, error) {
 	row := q.db.QueryRowContext(ctx, createChannelIdentity,
 		arg.UserID,
 		arg.ChannelType,
@@ -46,7 +46,7 @@ func (q *Queries) CreateChannelIdentity(ctx context.Context, arg CreateChannelId
 		arg.AvatarUrl,
 		arg.Metadata,
 	)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -63,7 +63,7 @@ func (q *Queries) CreateChannelIdentity(ctx context.Context, arg CreateChannelId
 
 const getChannelIdentityByChannelSubject = `-- name: GetChannelIdentityByChannelSubject :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE channel_type = ?1 AND channel_subject_id = ?2
 `
 
@@ -72,9 +72,9 @@ type GetChannelIdentityByChannelSubjectParams struct {
 	ChannelSubjectID string `json:"channel_subject_id"`
 }
 
-func (q *Queries) GetChannelIdentityByChannelSubject(ctx context.Context, arg GetChannelIdentityByChannelSubjectParams) (ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByChannelSubject(ctx context.Context, arg GetChannelIdentityByChannelSubjectParams) (IamChannelIdentity, error) {
 	row := q.db.QueryRowContext(ctx, getChannelIdentityByChannelSubject, arg.ChannelType, arg.ChannelSubjectID)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -91,13 +91,13 @@ func (q *Queries) GetChannelIdentityByChannelSubject(ctx context.Context, arg Ge
 
 const getChannelIdentityByID = `-- name: GetChannelIdentityByID :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE id = ?1
 `
 
-func (q *Queries) GetChannelIdentityByID(ctx context.Context, id string) (ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByID(ctx context.Context, id string) (IamChannelIdentity, error) {
 	row := q.db.QueryRowContext(ctx, getChannelIdentityByID, id)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -114,13 +114,13 @@ func (q *Queries) GetChannelIdentityByID(ctx context.Context, id string) (Channe
 
 const getChannelIdentityByIDForUpdate = `-- name: GetChannelIdentityByIDForUpdate :one
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE id = ?1
 `
 
-func (q *Queries) GetChannelIdentityByIDForUpdate(ctx context.Context, id string) (ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByIDForUpdate(ctx context.Context, id string) (IamChannelIdentity, error) {
 	row := q.db.QueryRowContext(ctx, getChannelIdentityByIDForUpdate, id)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -137,20 +137,20 @@ func (q *Queries) GetChannelIdentityByIDForUpdate(ctx context.Context, id string
 
 const listChannelIdentitiesByUserID = `-- name: ListChannelIdentitiesByUserID :many
 SELECT id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
-FROM channel_identities
+FROM iam_channel_identities
 WHERE user_id = ?1
 ORDER BY created_at DESC
 `
 
-func (q *Queries) ListChannelIdentitiesByUserID(ctx context.Context, userID sql.NullString) ([]ChannelIdentity, error) {
+func (q *Queries) ListChannelIdentitiesByUserID(ctx context.Context, userID sql.NullString) ([]IamChannelIdentity, error) {
 	rows, err := q.db.QueryContext(ctx, listChannelIdentitiesByUserID, userID)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []ChannelIdentity
+	var items []IamChannelIdentity
 	for rows.Next() {
-		var i ChannelIdentity
+		var i IamChannelIdentity
 		if err := rows.Scan(
 			&i.ID,
 			&i.UserID,
@@ -189,8 +189,8 @@ SELECT
   u.username AS linked_username,
   u.display_name AS linked_display_name,
   u.avatar_url AS linked_avatar_url
-FROM channel_identities ci
-LEFT JOIN users u ON u.id = ci.user_id
+FROM iam_channel_identities ci
+LEFT JOIN iam_users u ON u.id = ci.user_id
 WHERE
   ?1 = ''
   OR lower(ci.channel_type) LIKE '%' || lower(?1) || '%'
@@ -259,7 +259,7 @@ func (q *Queries) SearchChannelIdentities(ctx context.Context, arg SearchChannel
 }
 
 const setChannelIdentityLinkedUser = `-- name: SetChannelIdentityLinkedUser :one
-UPDATE channel_identities
+UPDATE iam_channel_identities
 SET user_id = ?1, updated_at = CURRENT_TIMESTAMP
 WHERE id = ?2
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
@@ -270,9 +270,9 @@ type SetChannelIdentityLinkedUserParams struct {
 	ID     string         `json:"id"`
 }
 
-func (q *Queries) SetChannelIdentityLinkedUser(ctx context.Context, arg SetChannelIdentityLinkedUserParams) (ChannelIdentity, error) {
+func (q *Queries) SetChannelIdentityLinkedUser(ctx context.Context, arg SetChannelIdentityLinkedUserParams) (IamChannelIdentity, error) {
 	row := q.db.QueryRowContext(ctx, setChannelIdentityLinkedUser, arg.UserID, arg.ID)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -288,7 +288,7 @@ func (q *Queries) SetChannelIdentityLinkedUser(ctx context.Context, arg SetChann
 }
 
 const upsertChannelIdentityByChannelSubject = `-- name: UpsertChannelIdentityByChannelSubject :one
-INSERT INTO channel_identities (id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
+INSERT INTO iam_channel_identities (id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -304,10 +304,10 @@ VALUES (
 )
 ON CONFLICT (channel_type, channel_subject_id)
 DO UPDATE SET
-  display_name = COALESCE(NULLIF(EXCLUDED.display_name, ''), channel_identities.display_name),
-  avatar_url = COALESCE(NULLIF(EXCLUDED.avatar_url, ''), channel_identities.avatar_url),
+  display_name = COALESCE(NULLIF(EXCLUDED.display_name, ''), iam_channel_identities.display_name),
+  avatar_url = COALESCE(NULLIF(EXCLUDED.avatar_url, ''), iam_channel_identities.avatar_url),
   metadata = EXCLUDED.metadata,
-  user_id = COALESCE(channel_identities.user_id, EXCLUDED.user_id),
+  user_id = COALESCE(iam_channel_identities.user_id, EXCLUDED.user_id),
   updated_at = CURRENT_TIMESTAMP
 RETURNING id, user_id, channel_type, channel_subject_id, display_name, avatar_url, metadata, created_at, updated_at
 `
@@ -321,7 +321,7 @@ type UpsertChannelIdentityByChannelSubjectParams struct {
 	Metadata         string         `json:"metadata"`
 }
 
-func (q *Queries) UpsertChannelIdentityByChannelSubject(ctx context.Context, arg UpsertChannelIdentityByChannelSubjectParams) (ChannelIdentity, error) {
+func (q *Queries) UpsertChannelIdentityByChannelSubject(ctx context.Context, arg UpsertChannelIdentityByChannelSubjectParams) (IamChannelIdentity, error) {
 	row := q.db.QueryRowContext(ctx, upsertChannelIdentityByChannelSubject,
 		arg.UserID,
 		arg.ChannelType,
@@ -330,7 +330,7 @@ func (q *Queries) UpsertChannelIdentityByChannelSubject(ctx context.Context, arg
 		arg.AvatarUrl,
 		arg.Metadata,
 	)
-	var i ChannelIdentity
+	var i IamChannelIdentity
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
diff --git a/internal/db/sqlite/sqlc/channel_routes.sql.go b/internal/db/sqlite/sqlc/channel_routes.sql.go
index c8c140622..c922e1be1 100644
--- a/internal/db/sqlite/sqlc/channel_routes.sql.go
+++ b/internal/db/sqlite/sqlc/channel_routes.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: channel_routes.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/channels.sql.go b/internal/db/sqlite/sqlc/channels.sql.go
index a2e4af5c0..e7b74f36c 100644
--- a/internal/db/sqlite/sqlc/channels.sql.go
+++ b/internal/db/sqlite/sqlc/channels.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: channels.sql
 
 package sqlc
@@ -91,7 +91,7 @@ func (q *Queries) GetBotChannelConfigByExternalIdentity(ctx context.Context, arg
 
 const getUserChannelBinding = `-- name: GetUserChannelBinding :one
 SELECT id, user_id, channel_type, config, created_at, updated_at
-FROM user_channel_bindings
+FROM iam_user_channel_bindings
 WHERE user_id = ?1 AND channel_type = ?2
 LIMIT 1
 `
@@ -101,9 +101,9 @@ type GetUserChannelBindingParams struct {
 	ChannelType string `json:"channel_type"`
 }
 
-func (q *Queries) GetUserChannelBinding(ctx context.Context, arg GetUserChannelBindingParams) (UserChannelBinding, error) {
+func (q *Queries) GetUserChannelBinding(ctx context.Context, arg GetUserChannelBindingParams) (IamUserChannelBinding, error) {
 	row := q.db.QueryRowContext(ctx, getUserChannelBinding, arg.UserID, arg.ChannelType)
-	var i UserChannelBinding
+	var i IamUserChannelBinding
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
@@ -160,20 +160,20 @@ func (q *Queries) ListBotChannelConfigsByType(ctx context.Context, channelType s
 
 const listUserChannelBindingsByPlatform = `-- name: ListUserChannelBindingsByPlatform :many
 SELECT id, user_id, channel_type, config, created_at, updated_at
-FROM user_channel_bindings
+FROM iam_user_channel_bindings
 WHERE channel_type = ?1
 ORDER BY created_at DESC
 `
 
-func (q *Queries) ListUserChannelBindingsByPlatform(ctx context.Context, channelType string) ([]UserChannelBinding, error) {
+func (q *Queries) ListUserChannelBindingsByPlatform(ctx context.Context, channelType string) ([]IamUserChannelBinding, error) {
 	rows, err := q.db.QueryContext(ctx, listUserChannelBindingsByPlatform, channelType)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []UserChannelBinding
+	var items []IamUserChannelBinding
 	for rows.Next() {
-		var i UserChannelBinding
+		var i IamUserChannelBinding
 		if err := rows.Scan(
 			&i.ID,
 			&i.UserID,
@@ -326,7 +326,7 @@ func (q *Queries) UpsertBotChannelConfig(ctx context.Context, arg UpsertBotChann
 }
 
 const upsertUserChannelBinding = `-- name: UpsertUserChannelBinding :one
-INSERT INTO user_channel_bindings (id, user_id, channel_type, config)
+INSERT INTO iam_user_channel_bindings (id, user_id, channel_type, config)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -350,9 +350,9 @@ type UpsertUserChannelBindingParams struct {
 	Config      string `json:"config"`
 }
 
-func (q *Queries) UpsertUserChannelBinding(ctx context.Context, arg UpsertUserChannelBindingParams) (UserChannelBinding, error) {
+func (q *Queries) UpsertUserChannelBinding(ctx context.Context, arg UpsertUserChannelBindingParams) (IamUserChannelBinding, error) {
 	row := q.db.QueryRowContext(ctx, upsertUserChannelBinding, arg.UserID, arg.ChannelType, arg.Config)
-	var i UserChannelBinding
+	var i IamUserChannelBinding
 	err := row.Scan(
 		&i.ID,
 		&i.UserID,
diff --git a/internal/db/sqlite/sqlc/compaction_logs.sql.go b/internal/db/sqlite/sqlc/compaction_logs.sql.go
index aa93a1224..810e12a87 100644
--- a/internal/db/sqlite/sqlc/compaction_logs.sql.go
+++ b/internal/db/sqlite/sqlc/compaction_logs.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: compaction_logs.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/containers.sql.go b/internal/db/sqlite/sqlc/containers.sql.go
index fb62ffebf..6938fbf23 100644
--- a/internal/db/sqlite/sqlc/containers.sql.go
+++ b/internal/db/sqlite/sqlc/containers.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: containers.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/conversations.sql.go b/internal/db/sqlite/sqlc/conversations.sql.go
index b08dfde3f..8c71584d4 100644
--- a/internal/db/sqlite/sqlc/conversations.sql.go
+++ b/internal/db/sqlite/sqlc/conversations.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: conversations.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/db.go b/internal/db/sqlite/sqlc/db.go
index 3af1d5ebc..a34fc7985 100644
--- a/internal/db/sqlite/sqlc/db.go
+++ b/internal/db/sqlite/sqlc/db.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 
 package sqlc
 
diff --git a/internal/db/sqlite/sqlc/email_bindings.sql.go b/internal/db/sqlite/sqlc/email_bindings.sql.go
index 1e0129c3a..4f6e8bf28 100644
--- a/internal/db/sqlite/sqlc/email_bindings.sql.go
+++ b/internal/db/sqlite/sqlc/email_bindings.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: email_bindings.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/email_oauth_tokens.sql.go b/internal/db/sqlite/sqlc/email_oauth_tokens.sql.go
index d3423862d..e57502ac7 100644
--- a/internal/db/sqlite/sqlc/email_oauth_tokens.sql.go
+++ b/internal/db/sqlite/sqlc/email_oauth_tokens.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: email_oauth_tokens.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/email_outbox.sql.go b/internal/db/sqlite/sqlc/email_outbox.sql.go
index 80acb6c4d..cc9cb38c9 100644
--- a/internal/db/sqlite/sqlc/email_outbox.sql.go
+++ b/internal/db/sqlite/sqlc/email_outbox.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: email_outbox.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/email_providers.sql.go b/internal/db/sqlite/sqlc/email_providers.sql.go
index 0e148f3fe..3b0f74e4d 100644
--- a/internal/db/sqlite/sqlc/email_providers.sql.go
+++ b/internal/db/sqlite/sqlc/email_providers.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: email_providers.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/events.sql.go b/internal/db/sqlite/sqlc/events.sql.go
index 5096ce137..280217b53 100644
--- a/internal/db/sqlite/sqlc/events.sql.go
+++ b/internal/db/sqlite/sqlc/events.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: events.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/heartbeat_logs.sql.go b/internal/db/sqlite/sqlc/heartbeat_logs.sql.go
index 94f153bc4..25af0e9ec 100644
--- a/internal/db/sqlite/sqlc/heartbeat_logs.sql.go
+++ b/internal/db/sqlite/sqlc/heartbeat_logs.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: heartbeat_logs.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/iam.sql.go b/internal/db/sqlite/sqlc/iam.sql.go
new file mode 100644
index 000000000..28d7c1810
--- /dev/null
+++ b/internal/db/sqlite/sqlc/iam.sql.go
@@ -0,0 +1,1262 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.31.0
+// source: iam.sql
+
+package sqlc
+
+import (
+	"context"
+	"database/sql"
+)
+
+const addSSOGroupMembership = `-- name: AddSSOGroupMembership :exec
+INSERT OR IGNORE INTO iam_group_members (user_id, group_id, source, provider_id)
+VALUES (?1, ?2, 'sso', ?3)
+`
+
+type AddSSOGroupMembershipParams struct {
+	UserID     string         `json:"user_id"`
+	GroupID    string         `json:"group_id"`
+	ProviderID sql.NullString `json:"provider_id"`
+}
+
+func (q *Queries) AddSSOGroupMembership(ctx context.Context, arg AddSSOGroupMembershipParams) error {
+	_, err := q.db.ExecContext(ctx, addSSOGroupMembership, arg.UserID, arg.GroupID, arg.ProviderID)
+	return err
+}
+
+const assignPrincipalRole = `-- name: AssignPrincipalRole :one
+INSERT INTO iam_principal_roles (
+  id, principal_type, principal_id, role_id, resource_type, resource_id, source, provider_id
+)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  ?1, ?2, ?3, ?4,
+  ?5, ?6, ?7
+)
+ON CONFLICT DO NOTHING
+RETURNING id, principal_type, principal_id, role_id, resource_type, resource_id, source, provider_id, created_at, updated_at
+`
+
+type AssignPrincipalRoleParams struct {
+	PrincipalType string         `json:"principal_type"`
+	PrincipalID   string         `json:"principal_id"`
+	RoleID        string         `json:"role_id"`
+	ResourceType  string         `json:"resource_type"`
+	ResourceID    sql.NullString `json:"resource_id"`
+	Source        string         `json:"source"`
+	ProviderID    sql.NullString `json:"provider_id"`
+}
+
+func (q *Queries) AssignPrincipalRole(ctx context.Context, arg AssignPrincipalRoleParams) (IamPrincipalRole, error) {
+	row := q.db.QueryRowContext(ctx, assignPrincipalRole,
+		arg.PrincipalType,
+		arg.PrincipalID,
+		arg.RoleID,
+		arg.ResourceType,
+		arg.ResourceID,
+		arg.Source,
+		arg.ProviderID,
+	)
+	var i IamPrincipalRole
+	err := row.Scan(
+		&i.ID,
+		&i.PrincipalType,
+		&i.PrincipalID,
+		&i.RoleID,
+		&i.ResourceType,
+		&i.ResourceID,
+		&i.Source,
+		&i.ProviderID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const clearSSOGroupMemberships = `-- name: ClearSSOGroupMemberships :exec
+DELETE FROM iam_group_members
+WHERE user_id = ?1
+  AND source = 'sso'
+  AND provider_id = ?2
+`
+
+type ClearSSOGroupMembershipsParams struct {
+	UserID     string         `json:"user_id"`
+	ProviderID sql.NullString `json:"provider_id"`
+}
+
+func (q *Queries) ClearSSOGroupMemberships(ctx context.Context, arg ClearSSOGroupMembershipsParams) error {
+	_, err := q.db.ExecContext(ctx, clearSSOGroupMemberships, arg.UserID, arg.ProviderID)
+	return err
+}
+
+const createIAMLoginCode = `-- name: CreateIAMLoginCode :one
+INSERT INTO iam_login_codes (id, code_hash, user_id, identity_id, session_id, expires_at)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  ?1, ?2, ?3, ?4, ?5
+)
+RETURNING id, code_hash, user_id, identity_id, session_id, expires_at, used_at, created_at
+`
+
+type CreateIAMLoginCodeParams struct {
+	CodeHash   string         `json:"code_hash"`
+	UserID     string         `json:"user_id"`
+	IdentityID sql.NullString `json:"identity_id"`
+	SessionID  string         `json:"session_id"`
+	ExpiresAt  string         `json:"expires_at"`
+}
+
+func (q *Queries) CreateIAMLoginCode(ctx context.Context, arg CreateIAMLoginCodeParams) (IamLoginCode, error) {
+	row := q.db.QueryRowContext(ctx, createIAMLoginCode,
+		arg.CodeHash,
+		arg.UserID,
+		arg.IdentityID,
+		arg.SessionID,
+		arg.ExpiresAt,
+	)
+	var i IamLoginCode
+	err := row.Scan(
+		&i.ID,
+		&i.CodeHash,
+		&i.UserID,
+		&i.IdentityID,
+		&i.SessionID,
+		&i.ExpiresAt,
+		&i.UsedAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const createIAMSession = `-- name: CreateIAMSession :one
+INSERT INTO iam_sessions (id, user_id, identity_id, expires_at, ip_address, user_agent, metadata)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  ?1, ?2, ?3, ?4, ?5, ?6
+)
+RETURNING id, user_id, identity_id, issued_at, expires_at, revoked_at, ip_address, user_agent, metadata, created_at, updated_at
+`
+
+type CreateIAMSessionParams struct {
+	UserID     string         `json:"user_id"`
+	IdentityID sql.NullString `json:"identity_id"`
+	ExpiresAt  string         `json:"expires_at"`
+	IpAddress  sql.NullString `json:"ip_address"`
+	UserAgent  sql.NullString `json:"user_agent"`
+	Metadata   string         `json:"metadata"`
+}
+
+func (q *Queries) CreateIAMSession(ctx context.Context, arg CreateIAMSessionParams) (IamSession, error) {
+	row := q.db.QueryRowContext(ctx, createIAMSession,
+		arg.UserID,
+		arg.IdentityID,
+		arg.ExpiresAt,
+		arg.IpAddress,
+		arg.UserAgent,
+		arg.Metadata,
+	)
+	var i IamSession
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.IdentityID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.RevokedAt,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const createPasswordIdentity = `-- name: CreatePasswordIdentity :one
+INSERT INTO iam_identities (
+  id, user_id, provider_type, provider_id, subject, credential_secret, email, username,
+  display_name, avatar_url, raw_claims
+)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  ?1, 'password', NULL, lower(?2), ?3,
+  ?4, ?5, ?6, ?7, '{}'
+)
+ON CONFLICT DO UPDATE SET
+  credential_secret = EXCLUDED.credential_secret,
+  email = EXCLUDED.email,
+  username = EXCLUDED.username,
+  display_name = EXCLUDED.display_name,
+  avatar_url = EXCLUDED.avatar_url,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING id, user_id, provider_type, provider_id, subject, credential_secret, email, username, display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+`
+
+type CreatePasswordIdentityParams struct {
+	UserID           string         `json:"user_id"`
+	Subject          string         `json:"subject"`
+	CredentialSecret sql.NullString `json:"credential_secret"`
+	Email            sql.NullString `json:"email"`
+	Username         sql.NullString `json:"username"`
+	DisplayName      sql.NullString `json:"display_name"`
+	AvatarUrl        sql.NullString `json:"avatar_url"`
+}
+
+func (q *Queries) CreatePasswordIdentity(ctx context.Context, arg CreatePasswordIdentityParams) (IamIdentity, error) {
+	row := q.db.QueryRowContext(ctx, createPasswordIdentity,
+		arg.UserID,
+		arg.Subject,
+		arg.CredentialSecret,
+		arg.Email,
+		arg.Username,
+		arg.DisplayName,
+		arg.AvatarUrl,
+	)
+	var i IamIdentity
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.ProviderType,
+		&i.ProviderID,
+		&i.Subject,
+		&i.CredentialSecret,
+		&i.Email,
+		&i.Username,
+		&i.DisplayName,
+		&i.AvatarUrl,
+		&i.RawClaims,
+		&i.LastLoginAt,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const deleteIAMGroup = `-- name: DeleteIAMGroup :exec
+DELETE FROM iam_groups
+WHERE id = ?1
+`
+
+func (q *Queries) DeleteIAMGroup(ctx context.Context, id string) error {
+	_, err := q.db.ExecContext(ctx, deleteIAMGroup, id)
+	return err
+}
+
+const deleteIAMGroupMember = `-- name: DeleteIAMGroupMember :exec
+DELETE FROM iam_group_members
+WHERE user_id = ?1
+  AND group_id = ?2
+`
+
+type DeleteIAMGroupMemberParams struct {
+	UserID  string `json:"user_id"`
+	GroupID string `json:"group_id"`
+}
+
+func (q *Queries) DeleteIAMGroupMember(ctx context.Context, arg DeleteIAMGroupMemberParams) error {
+	_, err := q.db.ExecContext(ctx, deleteIAMGroupMember, arg.UserID, arg.GroupID)
+	return err
+}
+
+const deletePrincipalRole = `-- name: DeletePrincipalRole :exec
+DELETE FROM iam_principal_roles
+WHERE id = ?1
+`
+
+func (q *Queries) DeletePrincipalRole(ctx context.Context, id string) error {
+	_, err := q.db.ExecContext(ctx, deletePrincipalRole, id)
+	return err
+}
+
+const deletePrincipalRoleAssignment = `-- name: DeletePrincipalRoleAssignment :exec
+DELETE FROM iam_principal_roles
+WHERE principal_type = ?1
+  AND principal_id = ?2
+  AND resource_type = ?3
+  AND resource_id = ?4
+  AND role_id = (
+    SELECT id FROM iam_roles WHERE key = ?5
+  )
+`
+
+type DeletePrincipalRoleAssignmentParams struct {
+	PrincipalType string         `json:"principal_type"`
+	PrincipalID   string         `json:"principal_id"`
+	ResourceType  string         `json:"resource_type"`
+	ResourceID    sql.NullString `json:"resource_id"`
+	RoleKey       string         `json:"role_key"`
+}
+
+func (q *Queries) DeletePrincipalRoleAssignment(ctx context.Context, arg DeletePrincipalRoleAssignmentParams) error {
+	_, err := q.db.ExecContext(ctx, deletePrincipalRoleAssignment,
+		arg.PrincipalType,
+		arg.PrincipalID,
+		arg.ResourceType,
+		arg.ResourceID,
+		arg.RoleKey,
+	)
+	return err
+}
+
+const deleteSSOGroupMapping = `-- name: DeleteSSOGroupMapping :exec
+DELETE FROM iam_sso_group_mappings
+WHERE provider_id = ?1
+  AND external_group = ?2
+`
+
+type DeleteSSOGroupMappingParams struct {
+	ProviderID    string `json:"provider_id"`
+	ExternalGroup string `json:"external_group"`
+}
+
+func (q *Queries) DeleteSSOGroupMapping(ctx context.Context, arg DeleteSSOGroupMappingParams) error {
+	_, err := q.db.ExecContext(ctx, deleteSSOGroupMapping, arg.ProviderID, arg.ExternalGroup)
+	return err
+}
+
+const deleteSSOProvider = `-- name: DeleteSSOProvider :exec
+DELETE FROM iam_sso_providers WHERE id = ?1
+`
+
+func (q *Queries) DeleteSSOProvider(ctx context.Context, id string) error {
+	_, err := q.db.ExecContext(ctx, deleteSSOProvider, id)
+	return err
+}
+
+const extendIAMSession = `-- name: ExtendIAMSession :one
+UPDATE iam_sessions
+SET expires_at = ?1, updated_at = CURRENT_TIMESTAMP
+WHERE id = ?2
+  AND revoked_at IS NULL
+RETURNING id, user_id, identity_id, issued_at, expires_at, revoked_at, ip_address, user_agent, metadata, created_at, updated_at
+`
+
+type ExtendIAMSessionParams struct {
+	ExpiresAt string `json:"expires_at"`
+	ID        string `json:"id"`
+}
+
+func (q *Queries) ExtendIAMSession(ctx context.Context, arg ExtendIAMSessionParams) (IamSession, error) {
+	row := q.db.QueryRowContext(ctx, extendIAMSession, arg.ExpiresAt, arg.ID)
+	var i IamSession
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.IdentityID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.RevokedAt,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getIAMGroupByID = `-- name: GetIAMGroupByID :one
+SELECT id, "key", display_name, source, external_id, metadata, created_at, updated_at
+FROM iam_groups
+WHERE id = ?1
+`
+
+func (q *Queries) GetIAMGroupByID(ctx context.Context, id string) (IamGroup, error) {
+	row := q.db.QueryRowContext(ctx, getIAMGroupByID, id)
+	var i IamGroup
+	err := row.Scan(
+		&i.ID,
+		&i.Key,
+		&i.DisplayName,
+		&i.Source,
+		&i.ExternalID,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getIAMSessionByID = `-- name: GetIAMSessionByID :one
+SELECT s.id, s.user_id, s.identity_id, s.issued_at, s.expires_at, s.revoked_at, s.ip_address, s.user_agent, s.metadata, s.created_at, s.updated_at, u.is_active AS user_is_active
+FROM iam_sessions s
+JOIN iam_users u ON u.id = s.user_id
+WHERE s.id = ?1
+`
+
+type GetIAMSessionByIDRow struct {
+	ID           string         `json:"id"`
+	UserID       string         `json:"user_id"`
+	IdentityID   sql.NullString `json:"identity_id"`
+	IssuedAt     string         `json:"issued_at"`
+	ExpiresAt    string         `json:"expires_at"`
+	RevokedAt    sql.NullString `json:"revoked_at"`
+	IpAddress    sql.NullString `json:"ip_address"`
+	UserAgent    sql.NullString `json:"user_agent"`
+	Metadata     string         `json:"metadata"`
+	CreatedAt    string         `json:"created_at"`
+	UpdatedAt    string         `json:"updated_at"`
+	UserIsActive int64          `json:"user_is_active"`
+}
+
+func (q *Queries) GetIAMSessionByID(ctx context.Context, id string) (GetIAMSessionByIDRow, error) {
+	row := q.db.QueryRowContext(ctx, getIAMSessionByID, id)
+	var i GetIAMSessionByIDRow
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.IdentityID,
+		&i.IssuedAt,
+		&i.ExpiresAt,
+		&i.RevokedAt,
+		&i.IpAddress,
+		&i.UserAgent,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+		&i.UserIsActive,
+	)
+	return i, err
+}
+
+const getIdentityByProviderSubject = `-- name: GetIdentityByProviderSubject :one
+SELECT id, user_id, provider_type, provider_id, subject, credential_secret, email, username, display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+FROM iam_identities
+WHERE provider_type = ?1
+  AND COALESCE(provider_id, '') = COALESCE(?2, '')
+  AND subject = ?3
+`
+
+type GetIdentityByProviderSubjectParams struct {
+	ProviderType string         `json:"provider_type"`
+	ProviderID   sql.NullString `json:"provider_id"`
+	Subject      string         `json:"subject"`
+}
+
+func (q *Queries) GetIdentityByProviderSubject(ctx context.Context, arg GetIdentityByProviderSubjectParams) (IamIdentity, error) {
+	row := q.db.QueryRowContext(ctx, getIdentityByProviderSubject, arg.ProviderType, arg.ProviderID, arg.Subject)
+	var i IamIdentity
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.ProviderType,
+		&i.ProviderID,
+		&i.Subject,
+		&i.CredentialSecret,
+		&i.Email,
+		&i.Username,
+		&i.DisplayName,
+		&i.AvatarUrl,
+		&i.RawClaims,
+		&i.LastLoginAt,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getPasswordIdentityBySubject = `-- name: GetPasswordIdentityBySubject :one
+SELECT id, user_id, provider_type, provider_id, subject, credential_secret, email, username, display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+FROM iam_identities
+WHERE provider_type = 'password'
+  AND subject = lower(?1)
+`
+
+func (q *Queries) GetPasswordIdentityBySubject(ctx context.Context, subject string) (IamIdentity, error) {
+	row := q.db.QueryRowContext(ctx, getPasswordIdentityBySubject, subject)
+	var i IamIdentity
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.ProviderType,
+		&i.ProviderID,
+		&i.Subject,
+		&i.CredentialSecret,
+		&i.Email,
+		&i.Username,
+		&i.DisplayName,
+		&i.AvatarUrl,
+		&i.RawClaims,
+		&i.LastLoginAt,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getRoleByKey = `-- name: GetRoleByKey :one
+SELECT id, "key", scope, description, is_system, created_at, updated_at
+FROM iam_roles
+WHERE key = ?1
+`
+
+func (q *Queries) GetRoleByKey(ctx context.Context, key string) (IamRole, error) {
+	row := q.db.QueryRowContext(ctx, getRoleByKey, key)
+	var i IamRole
+	err := row.Scan(
+		&i.ID,
+		&i.Key,
+		&i.Scope,
+		&i.Description,
+		&i.IsSystem,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getSSOProviderByID = `-- name: GetSSOProviderByID :one
+SELECT id, type, "key", name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+FROM iam_sso_providers
+WHERE id = ?1
+`
+
+func (q *Queries) GetSSOProviderByID(ctx context.Context, id string) (IamSsoProvider, error) {
+	row := q.db.QueryRowContext(ctx, getSSOProviderByID, id)
+	var i IamSsoProvider
+	err := row.Scan(
+		&i.ID,
+		&i.Type,
+		&i.Key,
+		&i.Name,
+		&i.Enabled,
+		&i.Config,
+		&i.AttributeMapping,
+		&i.JitEnabled,
+		&i.EmailLinkingPolicy,
+		&i.TrustEmail,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getSSOProviderByKey = `-- name: GetSSOProviderByKey :one
+SELECT id, type, "key", name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+FROM iam_sso_providers
+WHERE key = ?1
+`
+
+func (q *Queries) GetSSOProviderByKey(ctx context.Context, key string) (IamSsoProvider, error) {
+	row := q.db.QueryRowContext(ctx, getSSOProviderByKey, key)
+	var i IamSsoProvider
+	err := row.Scan(
+		&i.ID,
+		&i.Type,
+		&i.Key,
+		&i.Name,
+		&i.Enabled,
+		&i.Config,
+		&i.AttributeMapping,
+		&i.JitEnabled,
+		&i.EmailLinkingPolicy,
+		&i.TrustEmail,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const hasPermission = `-- name: HasPermission :one
+SELECT EXISTS (
+  SELECT 1
+  FROM iam_principal_roles pr
+  JOIN iam_roles r ON r.id = pr.role_id
+  JOIN iam_role_permissions rp ON rp.role_id = r.id
+  JOIN iam_permissions p ON p.id = rp.permission_id
+  WHERE p.key = ?1
+    AND pr.resource_type = ?2
+    AND (pr.resource_id = ?3 OR pr.resource_id IS NULL)
+    AND (
+      (pr.principal_type = 'user' AND pr.principal_id = ?4)
+      OR (
+        pr.principal_type = 'group'
+        AND pr.principal_id IN (
+          SELECT group_id FROM iam_group_members WHERE user_id = ?4
+        )
+      )
+    )
+) AS allowed
+`
+
+type HasPermissionParams struct {
+	PermissionKey string         `json:"permission_key"`
+	ResourceType  string         `json:"resource_type"`
+	ResourceID    sql.NullString `json:"resource_id"`
+	UserID        string         `json:"user_id"`
+}
+
+func (q *Queries) HasPermission(ctx context.Context, arg HasPermissionParams) (bool, error) {
+	row := q.db.QueryRowContext(ctx, hasPermission,
+		arg.PermissionKey,
+		arg.ResourceType,
+		arg.ResourceID,
+		arg.UserID,
+	)
+	var allowed bool
+	err := row.Scan(&allowed)
+	return allowed, err
+}
+
+const listEnabledSSOProviders = `-- name: ListEnabledSSOProviders :many
+SELECT id, type, "key", name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+FROM iam_sso_providers
+WHERE enabled = 1
+ORDER BY name ASC
+`
+
+func (q *Queries) ListEnabledSSOProviders(ctx context.Context) ([]IamSsoProvider, error) {
+	rows, err := q.db.QueryContext(ctx, listEnabledSSOProviders)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []IamSsoProvider
+	for rows.Next() {
+		var i IamSsoProvider
+		if err := rows.Scan(
+			&i.ID,
+			&i.Type,
+			&i.Key,
+			&i.Name,
+			&i.Enabled,
+			&i.Config,
+			&i.AttributeMapping,
+			&i.JitEnabled,
+			&i.EmailLinkingPolicy,
+			&i.TrustEmail,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listIAMGroupMembers = `-- name: ListIAMGroupMembers :many
+SELECT gm.user_id, gm.group_id, gm.source, gm.provider_id, gm.created_at, gm.updated_at, u.username, u.email, u.display_name
+FROM iam_group_members gm
+JOIN iam_users u ON u.id = gm.user_id
+WHERE gm.group_id = ?1
+ORDER BY u.username ASC, u.email ASC
+`
+
+type ListIAMGroupMembersRow struct {
+	UserID      string         `json:"user_id"`
+	GroupID     string         `json:"group_id"`
+	Source      string         `json:"source"`
+	ProviderID  sql.NullString `json:"provider_id"`
+	CreatedAt   string         `json:"created_at"`
+	UpdatedAt   string         `json:"updated_at"`
+	Username    sql.NullString `json:"username"`
+	Email       sql.NullString `json:"email"`
+	DisplayName sql.NullString `json:"display_name"`
+}
+
+func (q *Queries) ListIAMGroupMembers(ctx context.Context, groupID string) ([]ListIAMGroupMembersRow, error) {
+	rows, err := q.db.QueryContext(ctx, listIAMGroupMembers, groupID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListIAMGroupMembersRow
+	for rows.Next() {
+		var i ListIAMGroupMembersRow
+		if err := rows.Scan(
+			&i.UserID,
+			&i.GroupID,
+			&i.Source,
+			&i.ProviderID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.Username,
+			&i.Email,
+			&i.DisplayName,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listIAMGroups = `-- name: ListIAMGroups :many
+SELECT id, "key", display_name, source, external_id, metadata, created_at, updated_at
+FROM iam_groups
+ORDER BY key ASC
+`
+
+func (q *Queries) ListIAMGroups(ctx context.Context) ([]IamGroup, error) {
+	rows, err := q.db.QueryContext(ctx, listIAMGroups)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []IamGroup
+	for rows.Next() {
+		var i IamGroup
+		if err := rows.Scan(
+			&i.ID,
+			&i.Key,
+			&i.DisplayName,
+			&i.Source,
+			&i.ExternalID,
+			&i.Metadata,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listPrincipalRoles = `-- name: ListPrincipalRoles :many
+SELECT
+  pr.id, pr.principal_type, pr.principal_id, pr.role_id, pr.resource_type, pr.resource_id, pr.source, pr.provider_id, pr.created_at, pr.updated_at,
+  r.key AS role_key,
+  r.scope AS role_scope,
+  u.username AS user_username,
+  u.email AS user_email,
+  u.display_name AS user_display_name,
+  g.key AS group_key,
+  g.display_name AS group_display_name
+FROM iam_principal_roles pr
+JOIN iam_roles r ON r.id = pr.role_id
+LEFT JOIN iam_users u ON pr.principal_type = 'user' AND u.id = pr.principal_id
+LEFT JOIN iam_groups g ON pr.principal_type = 'group' AND g.id = pr.principal_id
+WHERE pr.resource_type = ?1
+  AND COALESCE(pr.resource_id, '') = COALESCE(?2, '')
+ORDER BY r.key ASC, pr.principal_type ASC, user_username ASC, group_key ASC
+`
+
+type ListPrincipalRolesParams struct {
+	ResourceType string         `json:"resource_type"`
+	ResourceID   sql.NullString `json:"resource_id"`
+}
+
+type ListPrincipalRolesRow struct {
+	ID               string         `json:"id"`
+	PrincipalType    string         `json:"principal_type"`
+	PrincipalID      string         `json:"principal_id"`
+	RoleID           string         `json:"role_id"`
+	ResourceType     string         `json:"resource_type"`
+	ResourceID       sql.NullString `json:"resource_id"`
+	Source           string         `json:"source"`
+	ProviderID       sql.NullString `json:"provider_id"`
+	CreatedAt        string         `json:"created_at"`
+	UpdatedAt        string         `json:"updated_at"`
+	RoleKey          string         `json:"role_key"`
+	RoleScope        string         `json:"role_scope"`
+	UserUsername     sql.NullString `json:"user_username"`
+	UserEmail        sql.NullString `json:"user_email"`
+	UserDisplayName  sql.NullString `json:"user_display_name"`
+	GroupKey         sql.NullString `json:"group_key"`
+	GroupDisplayName sql.NullString `json:"group_display_name"`
+}
+
+func (q *Queries) ListPrincipalRoles(ctx context.Context, arg ListPrincipalRolesParams) ([]ListPrincipalRolesRow, error) {
+	rows, err := q.db.QueryContext(ctx, listPrincipalRoles, arg.ResourceType, arg.ResourceID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListPrincipalRolesRow
+	for rows.Next() {
+		var i ListPrincipalRolesRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.PrincipalType,
+			&i.PrincipalID,
+			&i.RoleID,
+			&i.ResourceType,
+			&i.ResourceID,
+			&i.Source,
+			&i.ProviderID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.RoleKey,
+			&i.RoleScope,
+			&i.UserUsername,
+			&i.UserEmail,
+			&i.UserDisplayName,
+			&i.GroupKey,
+			&i.GroupDisplayName,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listRoles = `-- name: ListRoles :many
+SELECT id, "key", scope, description, is_system, created_at, updated_at
+FROM iam_roles
+ORDER BY scope ASC, key ASC
+`
+
+func (q *Queries) ListRoles(ctx context.Context) ([]IamRole, error) {
+	rows, err := q.db.QueryContext(ctx, listRoles)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []IamRole
+	for rows.Next() {
+		var i IamRole
+		if err := rows.Scan(
+			&i.ID,
+			&i.Key,
+			&i.Scope,
+			&i.Description,
+			&i.IsSystem,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listSSOGroupMappingsByProvider = `-- name: ListSSOGroupMappingsByProvider :many
+SELECT m.id, m.provider_id, m.external_group, m.group_id, m.created_at, m.updated_at, g.key AS group_key, g.display_name AS group_display_name
+FROM iam_sso_group_mappings m
+JOIN iam_groups g ON g.id = m.group_id
+WHERE m.provider_id = ?1
+ORDER BY m.external_group ASC
+`
+
+type ListSSOGroupMappingsByProviderRow struct {
+	ID               string `json:"id"`
+	ProviderID       string `json:"provider_id"`
+	ExternalGroup    string `json:"external_group"`
+	GroupID          string `json:"group_id"`
+	CreatedAt        string `json:"created_at"`
+	UpdatedAt        string `json:"updated_at"`
+	GroupKey         string `json:"group_key"`
+	GroupDisplayName string `json:"group_display_name"`
+}
+
+func (q *Queries) ListSSOGroupMappingsByProvider(ctx context.Context, providerID string) ([]ListSSOGroupMappingsByProviderRow, error) {
+	rows, err := q.db.QueryContext(ctx, listSSOGroupMappingsByProvider, providerID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListSSOGroupMappingsByProviderRow
+	for rows.Next() {
+		var i ListSSOGroupMappingsByProviderRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.ProviderID,
+			&i.ExternalGroup,
+			&i.GroupID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.GroupKey,
+			&i.GroupDisplayName,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listSSOProviders = `-- name: ListSSOProviders :many
+SELECT id, type, "key", name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+FROM iam_sso_providers
+ORDER BY created_at DESC
+`
+
+func (q *Queries) ListSSOProviders(ctx context.Context) ([]IamSsoProvider, error) {
+	rows, err := q.db.QueryContext(ctx, listSSOProviders)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []IamSsoProvider
+	for rows.Next() {
+		var i IamSsoProvider
+		if err := rows.Scan(
+			&i.ID,
+			&i.Type,
+			&i.Key,
+			&i.Name,
+			&i.Enabled,
+			&i.Config,
+			&i.AttributeMapping,
+			&i.JitEnabled,
+			&i.EmailLinkingPolicy,
+			&i.TrustEmail,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const revokeIAMSession = `-- name: RevokeIAMSession :exec
+UPDATE iam_sessions
+SET revoked_at = CURRENT_TIMESTAMP, updated_at = CURRENT_TIMESTAMP
+WHERE id = ?1
+  AND revoked_at IS NULL
+`
+
+func (q *Queries) RevokeIAMSession(ctx context.Context, id string) error {
+	_, err := q.db.ExecContext(ctx, revokeIAMSession, id)
+	return err
+}
+
+const updateIdentityLastLogin = `-- name: UpdateIdentityLastLogin :exec
+UPDATE iam_identities
+SET last_login_at = CURRENT_TIMESTAMP, updated_at = CURRENT_TIMESTAMP
+WHERE id = ?1
+`
+
+func (q *Queries) UpdateIdentityLastLogin(ctx context.Context, id string) error {
+	_, err := q.db.ExecContext(ctx, updateIdentityLastLogin, id)
+	return err
+}
+
+const upsertExternalIdentity = `-- name: UpsertExternalIdentity :one
+INSERT INTO iam_identities (
+  id, user_id, provider_type, provider_id, subject, email, username, display_name, avatar_url, raw_claims
+)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  ?1, ?2, ?3, ?4,
+  ?5, ?6, ?7, ?8, ?9
+)
+ON CONFLICT DO UPDATE SET
+  user_id = EXCLUDED.user_id,
+  email = EXCLUDED.email,
+  username = EXCLUDED.username,
+  display_name = EXCLUDED.display_name,
+  avatar_url = EXCLUDED.avatar_url,
+  raw_claims = EXCLUDED.raw_claims,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING id, user_id, provider_type, provider_id, subject, credential_secret, email, username, display_name, avatar_url, raw_claims, last_login_at, created_at, updated_at
+`
+
+type UpsertExternalIdentityParams struct {
+	UserID       string         `json:"user_id"`
+	ProviderType string         `json:"provider_type"`
+	ProviderID   sql.NullString `json:"provider_id"`
+	Subject      string         `json:"subject"`
+	Email        sql.NullString `json:"email"`
+	Username     sql.NullString `json:"username"`
+	DisplayName  sql.NullString `json:"display_name"`
+	AvatarUrl    sql.NullString `json:"avatar_url"`
+	RawClaims    string         `json:"raw_claims"`
+}
+
+func (q *Queries) UpsertExternalIdentity(ctx context.Context, arg UpsertExternalIdentityParams) (IamIdentity, error) {
+	row := q.db.QueryRowContext(ctx, upsertExternalIdentity,
+		arg.UserID,
+		arg.ProviderType,
+		arg.ProviderID,
+		arg.Subject,
+		arg.Email,
+		arg.Username,
+		arg.DisplayName,
+		arg.AvatarUrl,
+		arg.RawClaims,
+	)
+	var i IamIdentity
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.ProviderType,
+		&i.ProviderID,
+		&i.Subject,
+		&i.CredentialSecret,
+		&i.Email,
+		&i.Username,
+		&i.DisplayName,
+		&i.AvatarUrl,
+		&i.RawClaims,
+		&i.LastLoginAt,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const upsertIAMGroup = `-- name: UpsertIAMGroup :one
+INSERT INTO iam_groups (id, key, display_name, source, external_id, metadata)
+VALUES (?1, ?2, ?3, ?4, ?5, ?6)
+ON CONFLICT (key) DO UPDATE SET
+  display_name = EXCLUDED.display_name,
+  source = EXCLUDED.source,
+  external_id = EXCLUDED.external_id,
+  metadata = EXCLUDED.metadata,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING id, "key", display_name, source, external_id, metadata, created_at, updated_at
+`
+
+type UpsertIAMGroupParams struct {
+	ID          string         `json:"id"`
+	Key         string         `json:"key"`
+	DisplayName string         `json:"display_name"`
+	Source      string         `json:"source"`
+	ExternalID  sql.NullString `json:"external_id"`
+	Metadata    string         `json:"metadata"`
+}
+
+func (q *Queries) UpsertIAMGroup(ctx context.Context, arg UpsertIAMGroupParams) (IamGroup, error) {
+	row := q.db.QueryRowContext(ctx, upsertIAMGroup,
+		arg.ID,
+		arg.Key,
+		arg.DisplayName,
+		arg.Source,
+		arg.ExternalID,
+		arg.Metadata,
+	)
+	var i IamGroup
+	err := row.Scan(
+		&i.ID,
+		&i.Key,
+		&i.DisplayName,
+		&i.Source,
+		&i.ExternalID,
+		&i.Metadata,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const upsertIAMGroupMember = `-- name: UpsertIAMGroupMember :one
+INSERT INTO iam_group_members (user_id, group_id, source, provider_id)
+VALUES (?1, ?2, ?3, ?4)
+ON CONFLICT (user_id, group_id, source, provider_id) DO UPDATE SET
+  updated_at = CURRENT_TIMESTAMP
+RETURNING user_id, group_id, source, provider_id, created_at, updated_at
+`
+
+type UpsertIAMGroupMemberParams struct {
+	UserID     string         `json:"user_id"`
+	GroupID    string         `json:"group_id"`
+	Source     string         `json:"source"`
+	ProviderID sql.NullString `json:"provider_id"`
+}
+
+func (q *Queries) UpsertIAMGroupMember(ctx context.Context, arg UpsertIAMGroupMemberParams) (IamGroupMember, error) {
+	row := q.db.QueryRowContext(ctx, upsertIAMGroupMember,
+		arg.UserID,
+		arg.GroupID,
+		arg.Source,
+		arg.ProviderID,
+	)
+	var i IamGroupMember
+	err := row.Scan(
+		&i.UserID,
+		&i.GroupID,
+		&i.Source,
+		&i.ProviderID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const upsertSSOGroupMapping = `-- name: UpsertSSOGroupMapping :one
+INSERT INTO iam_sso_group_mappings (id, provider_id, external_group, group_id)
+VALUES (
+  lower(hex(randomblob(4))) || '-' ||
+  lower(hex(randomblob(2))) || '-' ||
+  '4' || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  substr('89ab', abs(random()) % 4 + 1, 1) || substr(lower(hex(randomblob(2))), 2) || '-' ||
+  lower(hex(randomblob(6))),
+  ?1, ?2, ?3
+)
+ON CONFLICT (provider_id, external_group) DO UPDATE SET
+  group_id = EXCLUDED.group_id,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING id, provider_id, external_group, group_id, created_at, updated_at
+`
+
+type UpsertSSOGroupMappingParams struct {
+	ProviderID    string `json:"provider_id"`
+	ExternalGroup string `json:"external_group"`
+	GroupID       string `json:"group_id"`
+}
+
+func (q *Queries) UpsertSSOGroupMapping(ctx context.Context, arg UpsertSSOGroupMappingParams) (IamSsoGroupMapping, error) {
+	row := q.db.QueryRowContext(ctx, upsertSSOGroupMapping, arg.ProviderID, arg.ExternalGroup, arg.GroupID)
+	var i IamSsoGroupMapping
+	err := row.Scan(
+		&i.ID,
+		&i.ProviderID,
+		&i.ExternalGroup,
+		&i.GroupID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const upsertSSOProvider = `-- name: UpsertSSOProvider :one
+INSERT INTO iam_sso_providers (
+  id, type, key, name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email
+)
+VALUES (
+  ?1, ?2, ?3, ?4, ?5, ?6,
+  ?7, ?8, ?9, ?10
+)
+ON CONFLICT (key) DO UPDATE SET
+  type = EXCLUDED.type,
+  name = EXCLUDED.name,
+  enabled = EXCLUDED.enabled,
+  config = EXCLUDED.config,
+  attribute_mapping = EXCLUDED.attribute_mapping,
+  jit_enabled = EXCLUDED.jit_enabled,
+  email_linking_policy = EXCLUDED.email_linking_policy,
+  trust_email = EXCLUDED.trust_email,
+  updated_at = CURRENT_TIMESTAMP
+RETURNING id, type, "key", name, enabled, config, attribute_mapping, jit_enabled, email_linking_policy, trust_email, created_at, updated_at
+`
+
+type UpsertSSOProviderParams struct {
+	ID                 string `json:"id"`
+	Type               string `json:"type"`
+	Key                string `json:"key"`
+	Name               string `json:"name"`
+	Enabled            int64  `json:"enabled"`
+	Config             string `json:"config"`
+	AttributeMapping   string `json:"attribute_mapping"`
+	JitEnabled         int64  `json:"jit_enabled"`
+	EmailLinkingPolicy string `json:"email_linking_policy"`
+	TrustEmail         int64  `json:"trust_email"`
+}
+
+func (q *Queries) UpsertSSOProvider(ctx context.Context, arg UpsertSSOProviderParams) (IamSsoProvider, error) {
+	row := q.db.QueryRowContext(ctx, upsertSSOProvider,
+		arg.ID,
+		arg.Type,
+		arg.Key,
+		arg.Name,
+		arg.Enabled,
+		arg.Config,
+		arg.AttributeMapping,
+		arg.JitEnabled,
+		arg.EmailLinkingPolicy,
+		arg.TrustEmail,
+	)
+	var i IamSsoProvider
+	err := row.Scan(
+		&i.ID,
+		&i.Type,
+		&i.Key,
+		&i.Name,
+		&i.Enabled,
+		&i.Config,
+		&i.AttributeMapping,
+		&i.JitEnabled,
+		&i.EmailLinkingPolicy,
+		&i.TrustEmail,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const useIAMLoginCode = `-- name: UseIAMLoginCode :one
+UPDATE iam_login_codes
+SET used_at = CURRENT_TIMESTAMP
+WHERE code_hash = ?1
+  AND used_at IS NULL
+  AND expires_at > CURRENT_TIMESTAMP
+RETURNING id, code_hash, user_id, identity_id, session_id, expires_at, used_at, created_at
+`
+
+func (q *Queries) UseIAMLoginCode(ctx context.Context, codeHash string) (IamLoginCode, error) {
+	row := q.db.QueryRowContext(ctx, useIAMLoginCode, codeHash)
+	var i IamLoginCode
+	err := row.Scan(
+		&i.ID,
+		&i.CodeHash,
+		&i.UserID,
+		&i.IdentityID,
+		&i.SessionID,
+		&i.ExpiresAt,
+		&i.UsedAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}
diff --git a/internal/db/sqlite/sqlc/mcp.sql.go b/internal/db/sqlite/sqlc/mcp.sql.go
index 9611eff9a..58e12c26f 100644
--- a/internal/db/sqlite/sqlc/mcp.sql.go
+++ b/internal/db/sqlite/sqlc/mcp.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: mcp.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/mcp_oauth.sql.go b/internal/db/sqlite/sqlc/mcp_oauth.sql.go
index 2f9a24a29..b3dbcf40d 100644
--- a/internal/db/sqlite/sqlc/mcp_oauth.sql.go
+++ b/internal/db/sqlite/sqlc/mcp_oauth.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: mcp_oauth.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/media.sql.go b/internal/db/sqlite/sqlc/media.sql.go
index d1404b0b3..aae2c7c95 100644
--- a/internal/db/sqlite/sqlc/media.sql.go
+++ b/internal/db/sqlite/sqlc/media.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: media.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/memory_providers.sql.go b/internal/db/sqlite/sqlc/memory_providers.sql.go
index 48b3c1304..9d0c4d492 100644
--- a/internal/db/sqlite/sqlc/memory_providers.sql.go
+++ b/internal/db/sqlite/sqlc/memory_providers.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: memory_providers.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/messages.sql.go b/internal/db/sqlite/sqlc/messages.sql.go
index 065a571fb..2e0058cd7 100644
--- a/internal/db/sqlite/sqlc/messages.sql.go
+++ b/internal/db/sqlite/sqlc/messages.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: messages.sql
 
 package sqlc
@@ -145,7 +145,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = ?1
   AND m.created_at >= ?2
@@ -232,7 +232,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = ?1
   AND m.created_at >= ?2
@@ -319,7 +319,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = ?1
 ORDER BY m.created_at ASC
@@ -398,7 +398,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = ?1
   AND m.created_at < ?2
@@ -484,7 +484,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = ?1
   AND m.created_at < ?2
@@ -570,7 +570,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = ?1
 ORDER BY m.created_at ASC
@@ -649,7 +649,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = ?1
 ORDER BY m.created_at DESC
@@ -733,7 +733,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = ?1
 ORDER BY m.created_at DESC
@@ -817,7 +817,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = ?1
   AND m.created_at >= ?2
@@ -901,7 +901,7 @@ SELECT
   ci.avatar_url AS sender_avatar_url,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.session_id = ?1
   AND m.created_at >= ?2
@@ -1220,7 +1220,7 @@ SELECT
   ci.display_name AS sender_display_name,
   s.channel_type AS platform
 FROM bot_history_messages m
-LEFT JOIN channel_identities ci ON ci.id = m.sender_channel_identity_id
+LEFT JOIN iam_channel_identities ci ON ci.id = m.sender_channel_identity_id
 LEFT JOIN bot_sessions s ON s.id = m.session_id
 WHERE m.bot_id = ?1
   AND (?2 IS NULL OR m.session_id = ?2)
diff --git a/internal/db/sqlite/sqlc/models.go b/internal/db/sqlite/sqlc/models.go
index e7b523190..5a9c4bfa4 100644
--- a/internal/db/sqlite/sqlc/models.go
+++ b/internal/db/sqlite/sqlc/models.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 
 package sqlc
 
@@ -212,29 +212,6 @@ type BrowserContext struct {
 	UpdatedAt string `json:"updated_at"`
 }
 
-type ChannelIdentity struct {
-	ID               string         `json:"id"`
-	UserID           sql.NullString `json:"user_id"`
-	ChannelType      string         `json:"channel_type"`
-	ChannelSubjectID string         `json:"channel_subject_id"`
-	DisplayName      sql.NullString `json:"display_name"`
-	AvatarUrl        sql.NullString `json:"avatar_url"`
-	Metadata         string         `json:"metadata"`
-	CreatedAt        string         `json:"created_at"`
-	UpdatedAt        string         `json:"updated_at"`
-}
-
-type ChannelIdentityBindCode struct {
-	ID                      string         `json:"id"`
-	Token                   string         `json:"token"`
-	IssuedByUserID          string         `json:"issued_by_user_id"`
-	ChannelType             sql.NullString `json:"channel_type"`
-	ExpiresAt               sql.NullString `json:"expires_at"`
-	UsedAt                  sql.NullString `json:"used_at"`
-	UsedByChannelIdentityID sql.NullString `json:"used_by_channel_identity_id"`
-	CreatedAt               string         `json:"created_at"`
-}
-
 type Container struct {
 	ID               string         `json:"id"`
 	BotID            string         `json:"bot_id"`
@@ -299,6 +276,193 @@ type EmailProvider struct {
 	UpdatedAt string `json:"updated_at"`
 }
 
+type IamChannelIdentity struct {
+	ID               string         `json:"id"`
+	UserID           sql.NullString `json:"user_id"`
+	ChannelType      string         `json:"channel_type"`
+	ChannelSubjectID string         `json:"channel_subject_id"`
+	DisplayName      sql.NullString `json:"display_name"`
+	AvatarUrl        sql.NullString `json:"avatar_url"`
+	Metadata         string         `json:"metadata"`
+	CreatedAt        string         `json:"created_at"`
+	UpdatedAt        string         `json:"updated_at"`
+}
+
+type IamChannelIdentityBindCode struct {
+	ID                      string         `json:"id"`
+	Token                   string         `json:"token"`
+	IssuedByUserID          string         `json:"issued_by_user_id"`
+	ChannelType             sql.NullString `json:"channel_type"`
+	ExpiresAt               sql.NullString `json:"expires_at"`
+	UsedAt                  sql.NullString `json:"used_at"`
+	UsedByChannelIdentityID sql.NullString `json:"used_by_channel_identity_id"`
+	CreatedAt               string         `json:"created_at"`
+}
+
+type IamGroup struct {
+	ID          string         `json:"id"`
+	Key         string         `json:"key"`
+	DisplayName string         `json:"display_name"`
+	Source      string         `json:"source"`
+	ExternalID  sql.NullString `json:"external_id"`
+	Metadata    string         `json:"metadata"`
+	CreatedAt   string         `json:"created_at"`
+	UpdatedAt   string         `json:"updated_at"`
+}
+
+type IamGroupMember struct {
+	UserID     string         `json:"user_id"`
+	GroupID    string         `json:"group_id"`
+	Source     string         `json:"source"`
+	ProviderID sql.NullString `json:"provider_id"`
+	CreatedAt  string         `json:"created_at"`
+	UpdatedAt  string         `json:"updated_at"`
+}
+
+type IamIdentity struct {
+	ID               string         `json:"id"`
+	UserID           string         `json:"user_id"`
+	ProviderType     string         `json:"provider_type"`
+	ProviderID       sql.NullString `json:"provider_id"`
+	Subject          string         `json:"subject"`
+	CredentialSecret sql.NullString `json:"credential_secret"`
+	Email            sql.NullString `json:"email"`
+	Username         sql.NullString `json:"username"`
+	DisplayName      sql.NullString `json:"display_name"`
+	AvatarUrl        sql.NullString `json:"avatar_url"`
+	RawClaims        string         `json:"raw_claims"`
+	LastLoginAt      sql.NullString `json:"last_login_at"`
+	CreatedAt        string         `json:"created_at"`
+	UpdatedAt        string         `json:"updated_at"`
+}
+
+type IamLoginCode struct {
+	ID         string         `json:"id"`
+	CodeHash   string         `json:"code_hash"`
+	UserID     string         `json:"user_id"`
+	IdentityID sql.NullString `json:"identity_id"`
+	SessionID  string         `json:"session_id"`
+	ExpiresAt  string         `json:"expires_at"`
+	UsedAt     sql.NullString `json:"used_at"`
+	CreatedAt  string         `json:"created_at"`
+}
+
+type IamPermission struct {
+	ID          string `json:"id"`
+	Key         string `json:"key"`
+	Description string `json:"description"`
+	IsSystem    int64  `json:"is_system"`
+	CreatedAt   string `json:"created_at"`
+	UpdatedAt   string `json:"updated_at"`
+}
+
+type IamPrincipalRole struct {
+	ID            string         `json:"id"`
+	PrincipalType string         `json:"principal_type"`
+	PrincipalID   string         `json:"principal_id"`
+	RoleID        string         `json:"role_id"`
+	ResourceType  string         `json:"resource_type"`
+	ResourceID    sql.NullString `json:"resource_id"`
+	Source        string         `json:"source"`
+	ProviderID    sql.NullString `json:"provider_id"`
+	CreatedAt     string         `json:"created_at"`
+	UpdatedAt     string         `json:"updated_at"`
+}
+
+type IamRole struct {
+	ID          string `json:"id"`
+	Key         string `json:"key"`
+	Scope       string `json:"scope"`
+	Description string `json:"description"`
+	IsSystem    int64  `json:"is_system"`
+	CreatedAt   string `json:"created_at"`
+	UpdatedAt   string `json:"updated_at"`
+}
+
+type IamRolePermission struct {
+	RoleID       string `json:"role_id"`
+	PermissionID string `json:"permission_id"`
+	CreatedAt    string `json:"created_at"`
+}
+
+type IamSession struct {
+	ID         string         `json:"id"`
+	UserID     string         `json:"user_id"`
+	IdentityID sql.NullString `json:"identity_id"`
+	IssuedAt   string         `json:"issued_at"`
+	ExpiresAt  string         `json:"expires_at"`
+	RevokedAt  sql.NullString `json:"revoked_at"`
+	IpAddress  sql.NullString `json:"ip_address"`
+	UserAgent  sql.NullString `json:"user_agent"`
+	Metadata   string         `json:"metadata"`
+	CreatedAt  string         `json:"created_at"`
+	UpdatedAt  string         `json:"updated_at"`
+}
+
+type IamSsoGroupMapping struct {
+	ID            string `json:"id"`
+	ProviderID    string `json:"provider_id"`
+	ExternalGroup string `json:"external_group"`
+	GroupID       string `json:"group_id"`
+	CreatedAt     string `json:"created_at"`
+	UpdatedAt     string `json:"updated_at"`
+}
+
+type IamSsoProvider struct {
+	ID                 string `json:"id"`
+	Type               string `json:"type"`
+	Key                string `json:"key"`
+	Name               string `json:"name"`
+	Enabled            int64  `json:"enabled"`
+	Config             string `json:"config"`
+	AttributeMapping   string `json:"attribute_mapping"`
+	JitEnabled         int64  `json:"jit_enabled"`
+	EmailLinkingPolicy string `json:"email_linking_policy"`
+	TrustEmail         int64  `json:"trust_email"`
+	CreatedAt          string `json:"created_at"`
+	UpdatedAt          string `json:"updated_at"`
+}
+
+type IamUser struct {
+	ID          string         `json:"id"`
+	Username    sql.NullString `json:"username"`
+	Email       sql.NullString `json:"email"`
+	DisplayName sql.NullString `json:"display_name"`
+	AvatarUrl   sql.NullString `json:"avatar_url"`
+	Timezone    string         `json:"timezone"`
+	DataRoot    sql.NullString `json:"data_root"`
+	LastLoginAt sql.NullString `json:"last_login_at"`
+	IsActive    int64          `json:"is_active"`
+	Metadata    string         `json:"metadata"`
+	CreatedAt   string         `json:"created_at"`
+	UpdatedAt   string         `json:"updated_at"`
+}
+
+type IamUserChannelBinding struct {
+	ID          string `json:"id"`
+	UserID      string `json:"user_id"`
+	ChannelType string `json:"channel_type"`
+	Config      string `json:"config"`
+	CreatedAt   string `json:"created_at"`
+	UpdatedAt   string `json:"updated_at"`
+}
+
+type IamUserProviderOauthToken struct {
+	ID               string         `json:"id"`
+	ProviderID       string         `json:"provider_id"`
+	UserID           string         `json:"user_id"`
+	AccessToken      string         `json:"access_token"`
+	RefreshToken     string         `json:"refresh_token"`
+	ExpiresAt        sql.NullString `json:"expires_at"`
+	Scope            string         `json:"scope"`
+	TokenType        string         `json:"token_type"`
+	State            string         `json:"state"`
+	PkceCodeVerifier string         `json:"pkce_code_verifier"`
+	Metadata         string         `json:"metadata"`
+	CreatedAt        string         `json:"created_at"`
+	UpdatedAt        string         `json:"updated_at"`
+}
+
 type LifecycleEvent struct {
 	ID          string `json:"id"`
 	ContainerID string `json:"container_id"`
@@ -485,45 +649,3 @@ type ToolApprovalRequest struct {
 	CreatedAt                    string         `json:"created_at"`
 	DecidedAt                    sql.NullString `json:"decided_at"`
 }
-
-type User struct {
-	ID           string         `json:"id"`
-	Username     sql.NullString `json:"username"`
-	Email        sql.NullString `json:"email"`
-	PasswordHash sql.NullString `json:"password_hash"`
-	Role         string         `json:"role"`
-	DisplayName  sql.NullString `json:"display_name"`
-	AvatarUrl    sql.NullString `json:"avatar_url"`
-	Timezone     string         `json:"timezone"`
-	DataRoot     sql.NullString `json:"data_root"`
-	LastLoginAt  sql.NullString `json:"last_login_at"`
-	IsActive     int64          `json:"is_active"`
-	Metadata     string         `json:"metadata"`
-	CreatedAt    string         `json:"created_at"`
-	UpdatedAt    string         `json:"updated_at"`
-}
-
-type UserChannelBinding struct {
-	ID          string `json:"id"`
-	UserID      string `json:"user_id"`
-	ChannelType string `json:"channel_type"`
-	Config      string `json:"config"`
-	CreatedAt   string `json:"created_at"`
-	UpdatedAt   string `json:"updated_at"`
-}
-
-type UserProviderOauthToken struct {
-	ID               string         `json:"id"`
-	ProviderID       string         `json:"provider_id"`
-	UserID           string         `json:"user_id"`
-	AccessToken      string         `json:"access_token"`
-	RefreshToken     string         `json:"refresh_token"`
-	ExpiresAt        sql.NullString `json:"expires_at"`
-	Scope            string         `json:"scope"`
-	TokenType        string         `json:"token_type"`
-	State            string         `json:"state"`
-	PkceCodeVerifier string         `json:"pkce_code_verifier"`
-	Metadata         string         `json:"metadata"`
-	CreatedAt        string         `json:"created_at"`
-	UpdatedAt        string         `json:"updated_at"`
-}
diff --git a/internal/db/sqlite/sqlc/models.sql.go b/internal/db/sqlite/sqlc/models.sql.go
index c102c088a..2750c0d88 100644
--- a/internal/db/sqlite/sqlc/models.sql.go
+++ b/internal/db/sqlite/sqlc/models.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: models.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/network.sql.go b/internal/db/sqlite/sqlc/network.sql.go
index f9f6fdb14..305b3cad9 100644
--- a/internal/db/sqlite/sqlc/network.sql.go
+++ b/internal/db/sqlite/sqlc/network.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: network.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/provider_oauth.sql.go b/internal/db/sqlite/sqlc/provider_oauth.sql.go
index 335ecad32..e51e7167c 100644
--- a/internal/db/sqlite/sqlc/provider_oauth.sql.go
+++ b/internal/db/sqlite/sqlc/provider_oauth.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: provider_oauth.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/schedule.sql.go b/internal/db/sqlite/sqlc/schedule.sql.go
index 36d48f8c4..11cc27ca3 100644
--- a/internal/db/sqlite/sqlc/schedule.sql.go
+++ b/internal/db/sqlite/sqlc/schedule.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: schedule.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/schedule_logs.sql.go b/internal/db/sqlite/sqlc/schedule_logs.sql.go
index 64a35dd91..587789245 100644
--- a/internal/db/sqlite/sqlc/schedule_logs.sql.go
+++ b/internal/db/sqlite/sqlc/schedule_logs.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: schedule_logs.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/search_providers.sql.go b/internal/db/sqlite/sqlc/search_providers.sql.go
index a74bf33e1..76e68089b 100644
--- a/internal/db/sqlite/sqlc/search_providers.sql.go
+++ b/internal/db/sqlite/sqlc/search_providers.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: search_providers.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/session_events.sql.go b/internal/db/sqlite/sqlc/session_events.sql.go
index 7a6e68fe7..ec93fd3eb 100644
--- a/internal/db/sqlite/sqlc/session_events.sql.go
+++ b/internal/db/sqlite/sqlc/session_events.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: session_events.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/session_info.sql.go b/internal/db/sqlite/sqlc/session_info.sql.go
index 1594ca029..b4d3860dd 100644
--- a/internal/db/sqlite/sqlc/session_info.sql.go
+++ b/internal/db/sqlite/sqlc/session_info.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: session_info.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/sessions.sql.go b/internal/db/sqlite/sqlc/sessions.sql.go
index 75f76eaf4..39c179332 100644
--- a/internal/db/sqlite/sqlc/sessions.sql.go
+++ b/internal/db/sqlite/sqlc/sessions.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: sessions.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/settings.sql.go b/internal/db/sqlite/sqlc/settings.sql.go
index d68e9347b..310ec2e71 100644
--- a/internal/db/sqlite/sqlc/settings.sql.go
+++ b/internal/db/sqlite/sqlc/settings.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: settings.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/snapshots.sql.go b/internal/db/sqlite/sqlc/snapshots.sql.go
index ef1e67224..8882e666d 100644
--- a/internal/db/sqlite/sqlc/snapshots.sql.go
+++ b/internal/db/sqlite/sqlc/snapshots.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: snapshots.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/token_usage.sql.go b/internal/db/sqlite/sqlc/token_usage.sql.go
index f691e14cd..e1ee2871b 100644
--- a/internal/db/sqlite/sqlc/token_usage.sql.go
+++ b/internal/db/sqlite/sqlc/token_usage.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: token_usage.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/tool_approval.sql.go b/internal/db/sqlite/sqlc/tool_approval.sql.go
index af93494d6..c7167430c 100644
--- a/internal/db/sqlite/sqlc/tool_approval.sql.go
+++ b/internal/db/sqlite/sqlc/tool_approval.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: tool_approval.sql
 
 package sqlc
diff --git a/internal/db/sqlite/sqlc/user_provider_oauth.sql.go b/internal/db/sqlite/sqlc/user_provider_oauth.sql.go
index 15258bb5e..667df0ef1 100644
--- a/internal/db/sqlite/sqlc/user_provider_oauth.sql.go
+++ b/internal/db/sqlite/sqlc/user_provider_oauth.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: user_provider_oauth.sql
 
 package sqlc
@@ -11,7 +11,7 @@ import (
 )
 
 const deleteUserProviderOAuthToken = `-- name: DeleteUserProviderOAuthToken :exec
-DELETE FROM user_provider_oauth_tokens
+DELETE FROM iam_user_provider_oauth_tokens
 WHERE provider_id = ?1
   AND user_id = ?2
 `
@@ -27,7 +27,7 @@ func (q *Queries) DeleteUserProviderOAuthToken(ctx context.Context, arg DeleteUs
 }
 
 const getUserProviderOAuthToken = `-- name: GetUserProviderOAuthToken :one
-SELECT id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata, created_at, updated_at FROM user_provider_oauth_tokens
+SELECT id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata, created_at, updated_at FROM iam_user_provider_oauth_tokens
 WHERE provider_id = ?1
   AND user_id = ?2
 `
@@ -37,9 +37,9 @@ type GetUserProviderOAuthTokenParams struct {
 	UserID     string `json:"user_id"`
 }
 
-func (q *Queries) GetUserProviderOAuthToken(ctx context.Context, arg GetUserProviderOAuthTokenParams) (UserProviderOauthToken, error) {
+func (q *Queries) GetUserProviderOAuthToken(ctx context.Context, arg GetUserProviderOAuthTokenParams) (IamUserProviderOauthToken, error) {
 	row := q.db.QueryRowContext(ctx, getUserProviderOAuthToken, arg.ProviderID, arg.UserID)
-	var i UserProviderOauthToken
+	var i IamUserProviderOauthToken
 	err := row.Scan(
 		&i.ID,
 		&i.ProviderID,
@@ -59,14 +59,14 @@ func (q *Queries) GetUserProviderOAuthToken(ctx context.Context, arg GetUserProv
 }
 
 const getUserProviderOAuthTokenByState = `-- name: GetUserProviderOAuthTokenByState :one
-SELECT id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata, created_at, updated_at FROM user_provider_oauth_tokens
+SELECT id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata, created_at, updated_at FROM iam_user_provider_oauth_tokens
 WHERE state = ?1
   AND state != ''
 `
 
-func (q *Queries) GetUserProviderOAuthTokenByState(ctx context.Context, state string) (UserProviderOauthToken, error) {
+func (q *Queries) GetUserProviderOAuthTokenByState(ctx context.Context, state string) (IamUserProviderOauthToken, error) {
 	row := q.db.QueryRowContext(ctx, getUserProviderOAuthTokenByState, state)
-	var i UserProviderOauthToken
+	var i IamUserProviderOauthToken
 	err := row.Scan(
 		&i.ID,
 		&i.ProviderID,
@@ -86,7 +86,7 @@ func (q *Queries) GetUserProviderOAuthTokenByState(ctx context.Context, state st
 }
 
 const updateUserProviderOAuthState = `-- name: UpdateUserProviderOAuthState :exec
-INSERT INTO user_provider_oauth_tokens (id, provider_id, user_id, state, pkce_code_verifier, metadata)
+INSERT INTO iam_user_provider_oauth_tokens (id, provider_id, user_id, state, pkce_code_verifier, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -126,7 +126,7 @@ func (q *Queries) UpdateUserProviderOAuthState(ctx context.Context, arg UpdateUs
 }
 
 const upsertUserProviderOAuthToken = `-- name: UpsertUserProviderOAuthToken :one
-INSERT INTO user_provider_oauth_tokens (id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata)
+INSERT INTO iam_user_provider_oauth_tokens (id, provider_id, user_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -170,7 +170,7 @@ type UpsertUserProviderOAuthTokenParams struct {
 	Metadata         string         `json:"metadata"`
 }
 
-func (q *Queries) UpsertUserProviderOAuthToken(ctx context.Context, arg UpsertUserProviderOAuthTokenParams) (UserProviderOauthToken, error) {
+func (q *Queries) UpsertUserProviderOAuthToken(ctx context.Context, arg UpsertUserProviderOAuthTokenParams) (IamUserProviderOauthToken, error) {
 	row := q.db.QueryRowContext(ctx, upsertUserProviderOAuthToken,
 		arg.ProviderID,
 		arg.UserID,
@@ -183,7 +183,7 @@ func (q *Queries) UpsertUserProviderOAuthToken(ctx context.Context, arg UpsertUs
 		arg.PkceCodeVerifier,
 		arg.Metadata,
 	)
-	var i UserProviderOauthToken
+	var i IamUserProviderOauthToken
 	err := row.Scan(
 		&i.ID,
 		&i.ProviderID,
diff --git a/internal/db/sqlite/sqlc/users.sql.go b/internal/db/sqlite/sqlc/users.sql.go
index 1c80d0ddb..4392505b3 100644
--- a/internal/db/sqlite/sqlc/users.sql.go
+++ b/internal/db/sqlite/sqlc/users.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: users.sql
 
 package sqlc
@@ -11,10 +11,10 @@ import (
 )
 
 const countAccounts = `-- name: CountAccounts :one
-SELECT COUNT(*) AS count
-FROM users
-WHERE username IS NOT NULL
-  AND password_hash IS NOT NULL
+SELECT COUNT(DISTINCT u.id) AS count
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
 `
 
 func (q *Queries) CountAccounts(ctx context.Context) (int64, error) {
@@ -25,51 +25,43 @@ func (q *Queries) CountAccounts(ctx context.Context) (int64, error) {
 }
 
 const createAccount = `-- name: CreateAccount :one
-UPDATE users
+UPDATE iam_users
 SET username = ?1,
     email = ?2,
-    password_hash = ?3,
-    role = ?4,
-    display_name = ?5,
-    avatar_url = ?6,
-    is_active = ?7,
-    data_root = ?8,
+    display_name = ?3,
+    avatar_url = ?4,
+    is_active = ?5,
+    data_root = ?6,
     updated_at = CURRENT_TIMESTAMP
-WHERE id = ?9
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+WHERE id = ?7
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type CreateAccountParams struct {
-	Username     sql.NullString `json:"username"`
-	Email        sql.NullString `json:"email"`
-	PasswordHash sql.NullString `json:"password_hash"`
-	Role         string         `json:"role"`
-	DisplayName  sql.NullString `json:"display_name"`
-	AvatarUrl    sql.NullString `json:"avatar_url"`
-	IsActive     int64          `json:"is_active"`
-	DataRoot     sql.NullString `json:"data_root"`
-	UserID       string         `json:"user_id"`
+	Username    sql.NullString `json:"username"`
+	Email       sql.NullString `json:"email"`
+	DisplayName sql.NullString `json:"display_name"`
+	AvatarUrl   sql.NullString `json:"avatar_url"`
+	IsActive    int64          `json:"is_active"`
+	DataRoot    sql.NullString `json:"data_root"`
+	UserID      string         `json:"user_id"`
 }
 
-func (q *Queries) CreateAccount(ctx context.Context, arg CreateAccountParams) (User, error) {
+func (q *Queries) CreateAccount(ctx context.Context, arg CreateAccountParams) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, createAccount,
 		arg.Username,
 		arg.Email,
-		arg.PasswordHash,
-		arg.Role,
 		arg.DisplayName,
 		arg.AvatarUrl,
 		arg.IsActive,
 		arg.DataRoot,
 		arg.UserID,
 	)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -84,7 +76,7 @@ func (q *Queries) CreateAccount(ctx context.Context, arg CreateAccountParams) (U
 }
 
 const createUser = `-- name: CreateUser :one
-INSERT INTO users (id, is_active, metadata)
+INSERT INTO iam_users (id, is_active, metadata)
 VALUES (
   lower(hex(randomblob(4))) || '-' ||
   lower(hex(randomblob(2))) || '-' ||
@@ -94,7 +86,7 @@ VALUES (
   ?1,
   ?2
 )
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type CreateUserParams struct {
@@ -102,15 +94,13 @@ type CreateUserParams struct {
 	Metadata string `json:"metadata"`
 }
 
-func (q *Queries) CreateUser(ctx context.Context, arg CreateUserParams) (User, error) {
+func (q *Queries) CreateUser(ctx context.Context, arg CreateUserParams) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, createUser, arg.IsActive, arg.Metadata)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -125,18 +115,21 @@ func (q *Queries) CreateUser(ctx context.Context, arg CreateUserParams) (User, e
 }
 
 const getAccountByIdentity = `-- name: GetAccountByIdentity :one
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at FROM users WHERE username = ?1 OR email = ?1
+SELECT u.id, u.username, u.email, u.display_name, u.avatar_url, u.timezone, u.data_root, u.last_login_at, u.is_active, u.metadata, u.created_at, u.updated_at
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
+  AND (i.subject = lower(?1) OR lower(COALESCE(i.email, '')) = lower(?1))
+LIMIT 1
 `
 
-func (q *Queries) GetAccountByIdentity(ctx context.Context, identity sql.NullString) (User, error) {
+func (q *Queries) GetAccountByIdentity(ctx context.Context, identity string) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, getAccountByIdentity, identity)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -151,18 +144,16 @@ func (q *Queries) GetAccountByIdentity(ctx context.Context, identity sql.NullStr
 }
 
 const getAccountByUserID = `-- name: GetAccountByUserID :one
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at FROM users WHERE id = ?1
+SELECT id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at FROM iam_users WHERE id = ?1
 `
 
-func (q *Queries) GetAccountByUserID(ctx context.Context, userID string) (User, error) {
+func (q *Queries) GetAccountByUserID(ctx context.Context, userID string) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, getAccountByUserID, userID)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -177,20 +168,18 @@ func (q *Queries) GetAccountByUserID(ctx context.Context, userID string) (User,
 }
 
 const getUserByID = `-- name: GetUserByID :one
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
-FROM users
+SELECT id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+FROM iam_users
 WHERE id = ?1
 `
 
-func (q *Queries) GetUserByID(ctx context.Context, id string) (User, error) {
+func (q *Queries) GetUserByID(ctx context.Context, id string) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, getUserByID, id)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -205,26 +194,26 @@ func (q *Queries) GetUserByID(ctx context.Context, id string) (User, error) {
 }
 
 const listAccounts = `-- name: ListAccounts :many
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at FROM users
-WHERE username IS NOT NULL
-ORDER BY created_at DESC
+SELECT DISTINCT u.id, u.username, u.email, u.display_name, u.avatar_url, u.timezone, u.data_root, u.last_login_at, u.is_active, u.metadata, u.created_at, u.updated_at
+FROM iam_users u
+JOIN iam_identities i ON i.user_id = u.id
+WHERE i.provider_type = 'password'
+ORDER BY u.created_at DESC
 `
 
-func (q *Queries) ListAccounts(ctx context.Context) ([]User, error) {
+func (q *Queries) ListAccounts(ctx context.Context) ([]IamUser, error) {
 	rows, err := q.db.QueryContext(ctx, listAccounts)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []User
+	var items []IamUser
 	for rows.Next() {
-		var i User
+		var i IamUser
 		if err := rows.Scan(
 			&i.ID,
 			&i.Username,
 			&i.Email,
-			&i.PasswordHash,
-			&i.Role,
 			&i.DisplayName,
 			&i.AvatarUrl,
 			&i.Timezone,
@@ -249,16 +238,17 @@ func (q *Queries) ListAccounts(ctx context.Context) ([]User, error) {
 }
 
 const searchAccounts = `-- name: SearchAccounts :many
-SELECT id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
-FROM users
-WHERE username IS NOT NULL
+SELECT DISTINCT u.id, u.username, u.email, u.display_name, u.avatar_url, u.timezone, u.data_root, u.last_login_at, u.is_active, u.metadata, u.created_at, u.updated_at
+FROM iam_users u
+LEFT JOIN iam_identities i ON i.user_id = u.id AND i.provider_type = 'password'
+WHERE i.id IS NOT NULL
   AND (
     ?1 = ''
-    OR lower(username) LIKE '%' || lower(?1) || '%'
-    OR lower(COALESCE(display_name, '')) LIKE '%' || lower(?1) || '%'
-    OR lower(COALESCE(email, '')) LIKE '%' || lower(?1) || '%'
+    OR lower(u.username) LIKE '%' || lower(?1) || '%'
+    OR lower(COALESCE(u.display_name, '')) LIKE '%' || lower(?1) || '%'
+    OR lower(COALESCE(u.email, '')) LIKE '%' || lower(?1) || '%'
   )
-ORDER BY last_login_at DESC, created_at DESC
+ORDER BY u.last_login_at DESC, u.created_at DESC
 LIMIT ?2
 `
 
@@ -267,21 +257,19 @@ type SearchAccountsParams struct {
 	LimitCount int64       `json:"limit_count"`
 }
 
-func (q *Queries) SearchAccounts(ctx context.Context, arg SearchAccountsParams) ([]User, error) {
+func (q *Queries) SearchAccounts(ctx context.Context, arg SearchAccountsParams) ([]IamUser, error) {
 	rows, err := q.db.QueryContext(ctx, searchAccounts, arg.Query, arg.LimitCount)
 	if err != nil {
 		return nil, err
 	}
 	defer rows.Close()
-	var items []User
+	var items []IamUser
 	for rows.Next() {
-		var i User
+		var i IamUser
 		if err := rows.Scan(
 			&i.ID,
 			&i.Username,
 			&i.Email,
-			&i.PasswordHash,
-			&i.Role,
 			&i.DisplayName,
 			&i.AvatarUrl,
 			&i.Timezone,
@@ -306,39 +294,34 @@ func (q *Queries) SearchAccounts(ctx context.Context, arg SearchAccountsParams)
 }
 
 const updateAccountAdmin = `-- name: UpdateAccountAdmin :one
-UPDATE users
-SET role = ?1,
-    display_name = ?2,
-    avatar_url = ?3,
-    is_active = ?4,
+UPDATE iam_users
+SET display_name = ?1,
+    avatar_url = ?2,
+    is_active = ?3,
     updated_at = CURRENT_TIMESTAMP
-WHERE id = ?5
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+WHERE id = ?4
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type UpdateAccountAdminParams struct {
-	Role        string         `json:"role"`
 	DisplayName sql.NullString `json:"display_name"`
 	AvatarUrl   sql.NullString `json:"avatar_url"`
 	IsActive    int64          `json:"is_active"`
 	UserID      string         `json:"user_id"`
 }
 
-func (q *Queries) UpdateAccountAdmin(ctx context.Context, arg UpdateAccountAdminParams) (User, error) {
+func (q *Queries) UpdateAccountAdmin(ctx context.Context, arg UpdateAccountAdminParams) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, updateAccountAdmin,
-		arg.Role,
 		arg.DisplayName,
 		arg.AvatarUrl,
 		arg.IsActive,
 		arg.UserID,
 	)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -353,22 +336,20 @@ func (q *Queries) UpdateAccountAdmin(ctx context.Context, arg UpdateAccountAdmin
 }
 
 const updateAccountLastLogin = `-- name: UpdateAccountLastLogin :one
-UPDATE users
+UPDATE iam_users
 SET last_login_at = CURRENT_TIMESTAMP,
     updated_at = CURRENT_TIMESTAMP
 WHERE id = ?1
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
-func (q *Queries) UpdateAccountLastLogin(ctx context.Context, id string) (User, error) {
+func (q *Queries) UpdateAccountLastLogin(ctx context.Context, id string) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, updateAccountLastLogin, id)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -383,27 +364,61 @@ func (q *Queries) UpdateAccountLastLogin(ctx context.Context, id string) (User,
 }
 
 const updateAccountPassword = `-- name: UpdateAccountPassword :one
-UPDATE users
-SET password_hash = ?1,
+UPDATE iam_identities
+SET credential_secret = ?1,
     updated_at = CURRENT_TIMESTAMP
-WHERE id = ?2
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+WHERE user_id = ?2
+  AND provider_type = 'password'
+RETURNING (
+  SELECT id FROM iam_users WHERE id = iam_identities.user_id
+) AS id,
+(
+  SELECT username FROM iam_users WHERE id = iam_identities.user_id
+) AS username,
+(
+  SELECT email FROM iam_users WHERE id = iam_identities.user_id
+) AS email,
+(
+  SELECT display_name FROM iam_users WHERE id = iam_identities.user_id
+) AS display_name,
+(
+  SELECT avatar_url FROM iam_users WHERE id = iam_identities.user_id
+) AS avatar_url,
+(
+  SELECT timezone FROM iam_users WHERE id = iam_identities.user_id
+) AS timezone,
+(
+  SELECT data_root FROM iam_users WHERE id = iam_identities.user_id
+) AS data_root,
+(
+  SELECT last_login_at FROM iam_users WHERE id = iam_identities.user_id
+) AS last_login_at,
+(
+  SELECT is_active FROM iam_users WHERE id = iam_identities.user_id
+) AS is_active,
+(
+  SELECT metadata FROM iam_users WHERE id = iam_identities.user_id
+) AS metadata,
+(
+  SELECT created_at FROM iam_users WHERE id = iam_identities.user_id
+) AS created_at,
+(
+  SELECT updated_at FROM iam_users WHERE id = iam_identities.user_id
+) AS updated_at
 `
 
 type UpdateAccountPasswordParams struct {
 	PasswordHash sql.NullString `json:"password_hash"`
-	ID           string         `json:"id"`
+	UserID       string         `json:"user_id"`
 }
 
-func (q *Queries) UpdateAccountPassword(ctx context.Context, arg UpdateAccountPasswordParams) (User, error) {
-	row := q.db.QueryRowContext(ctx, updateAccountPassword, arg.PasswordHash, arg.ID)
-	var i User
+func (q *Queries) UpdateAccountPassword(ctx context.Context, arg UpdateAccountPasswordParams) (IamUser, error) {
+	row := q.db.QueryRowContext(ctx, updateAccountPassword, arg.PasswordHash, arg.UserID)
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -418,14 +433,14 @@ func (q *Queries) UpdateAccountPassword(ctx context.Context, arg UpdateAccountPa
 }
 
 const updateAccountProfile = `-- name: UpdateAccountProfile :one
-UPDATE users
+UPDATE iam_users
 SET display_name = ?1,
     avatar_url = ?2,
     timezone = ?3,
     is_active = ?4,
     updated_at = CURRENT_TIMESTAMP
 WHERE id = ?5
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type UpdateAccountProfileParams struct {
@@ -436,7 +451,7 @@ type UpdateAccountProfileParams struct {
 	ID          string         `json:"id"`
 }
 
-func (q *Queries) UpdateAccountProfile(ctx context.Context, arg UpdateAccountProfileParams) (User, error) {
+func (q *Queries) UpdateAccountProfile(ctx context.Context, arg UpdateAccountProfileParams) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, updateAccountProfile,
 		arg.DisplayName,
 		arg.AvatarUrl,
@@ -444,13 +459,11 @@ func (q *Queries) UpdateAccountProfile(ctx context.Context, arg UpdateAccountPro
 		arg.IsActive,
 		arg.ID,
 	)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
@@ -465,7 +478,7 @@ func (q *Queries) UpdateAccountProfile(ctx context.Context, arg UpdateAccountPro
 }
 
 const upsertAccountByUsername = `-- name: UpsertAccountByUsername :one
-INSERT INTO users (id, username, email, password_hash, role, display_name, avatar_url, is_active, data_root, metadata)
+INSERT INTO iam_users (id, username, email, display_name, avatar_url, is_active, data_root, metadata)
 VALUES (
   ?1,
   ?2,
@@ -474,53 +487,43 @@ VALUES (
   ?5,
   ?6,
   ?7,
-  ?8,
-  ?9,
   '{}'
 )
 ON CONFLICT (username) DO UPDATE SET
   email = EXCLUDED.email,
-  password_hash = EXCLUDED.password_hash,
-  role = EXCLUDED.role,
   display_name = EXCLUDED.display_name,
   avatar_url = EXCLUDED.avatar_url,
   is_active = EXCLUDED.is_active,
   data_root = EXCLUDED.data_root,
   updated_at = CURRENT_TIMESTAMP
-RETURNING id, username, email, password_hash, role, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
+RETURNING id, username, email, display_name, avatar_url, timezone, data_root, last_login_at, is_active, metadata, created_at, updated_at
 `
 
 type UpsertAccountByUsernameParams struct {
-	UserID       string         `json:"user_id"`
-	Username     sql.NullString `json:"username"`
-	Email        sql.NullString `json:"email"`
-	PasswordHash sql.NullString `json:"password_hash"`
-	Role         string         `json:"role"`
-	DisplayName  sql.NullString `json:"display_name"`
-	AvatarUrl    sql.NullString `json:"avatar_url"`
-	IsActive     int64          `json:"is_active"`
-	DataRoot     sql.NullString `json:"data_root"`
+	UserID      string         `json:"user_id"`
+	Username    sql.NullString `json:"username"`
+	Email       sql.NullString `json:"email"`
+	DisplayName sql.NullString `json:"display_name"`
+	AvatarUrl   sql.NullString `json:"avatar_url"`
+	IsActive    int64          `json:"is_active"`
+	DataRoot    sql.NullString `json:"data_root"`
 }
 
-func (q *Queries) UpsertAccountByUsername(ctx context.Context, arg UpsertAccountByUsernameParams) (User, error) {
+func (q *Queries) UpsertAccountByUsername(ctx context.Context, arg UpsertAccountByUsernameParams) (IamUser, error) {
 	row := q.db.QueryRowContext(ctx, upsertAccountByUsername,
 		arg.UserID,
 		arg.Username,
 		arg.Email,
-		arg.PasswordHash,
-		arg.Role,
 		arg.DisplayName,
 		arg.AvatarUrl,
 		arg.IsActive,
 		arg.DataRoot,
 	)
-	var i User
+	var i IamUser
 	err := row.Scan(
 		&i.ID,
 		&i.Username,
 		&i.Email,
-		&i.PasswordHash,
-		&i.Role,
 		&i.DisplayName,
 		&i.AvatarUrl,
 		&i.Timezone,
diff --git a/internal/db/sqlite/sqlc/versions.sql.go b/internal/db/sqlite/sqlc/versions.sql.go
index 9d214e39c..b9b4593b2 100644
--- a/internal/db/sqlite/sqlc/versions.sql.go
+++ b/internal/db/sqlite/sqlc/versions.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.30.0
+//   sqlc v1.31.0
 // source: versions.sql
 
 package sqlc
diff --git a/internal/db/sqlite/store/accounts.go b/internal/db/sqlite/store/accounts.go
index eaffb86d4..e9d000bdb 100644
--- a/internal/db/sqlite/store/accounts.go
+++ b/internal/db/sqlite/store/accounts.go
@@ -22,15 +22,15 @@ func (s *Store) GetByUserID(ctx context.Context, userID string) (dbstore.Account
 	if err != nil {
 		return dbstore.AccountRecord{}, mapQueryErr(err)
 	}
-	return accountRecord(row), nil
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) GetByIdentity(ctx context.Context, identity string) (dbstore.AccountRecord, error) {
-	row, err := s.queries.GetAccountByIdentity(ctx, nullable(identity))
+	row, err := s.queries.GetAccountByIdentity(ctx, identity)
 	if err != nil {
 		return dbstore.AccountRecord{}, mapQueryErr(err)
 	}
-	return accountRecord(row), nil
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) List(ctx context.Context) ([]dbstore.AccountRecord, error) {
@@ -38,7 +38,7 @@ func (s *Store) List(ctx context.Context) ([]dbstore.AccountRecord, error) {
 	if err != nil {
 		return nil, err
 	}
-	return accountRecords(rows), nil
+	return s.accountRecords(ctx, rows), nil
 }
 
 func (s *Store) Search(ctx context.Context, query string, limit int32) ([]dbstore.AccountRecord, error) {
@@ -49,7 +49,7 @@ func (s *Store) Search(ctx context.Context, query string, limit int32) ([]dbstor
 	if err != nil {
 		return nil, err
 	}
-	return accountRecords(rows), nil
+	return s.accountRecords(ctx, rows), nil
 }
 
 func (s *Store) CreateUser(ctx context.Context, input dbstore.CreateUserInput) (dbstore.AccountRecord, error) {
@@ -60,25 +60,35 @@ func (s *Store) CreateUser(ctx context.Context, input dbstore.CreateUserInput) (
 	if err != nil {
 		return dbstore.AccountRecord{}, err
 	}
-	return accountRecord(row), nil
+	return baseAccountRecord(row), nil
 }
 
 func (s *Store) CreateAccount(ctx context.Context, input dbstore.CreateAccountInput) (dbstore.AccountRecord, error) {
 	row, err := s.queries.CreateAccount(ctx, sqlitesqlc.CreateAccountParams{
-		UserID:       input.UserID,
-		Username:     nullable(input.Username),
-		Email:        nullable(input.Email),
-		PasswordHash: nullable(input.PasswordHash),
-		Role:         input.Role,
-		DisplayName:  nullable(input.DisplayName),
-		AvatarUrl:    nullable(input.AvatarURL),
-		IsActive:     boolInt(input.IsActive),
-		DataRoot:     nullable(input.DataRoot),
+		UserID:      input.UserID,
+		Username:    nullable(input.Username),
+		Email:       nullable(input.Email),
+		DisplayName: nullable(input.DisplayName),
+		AvatarUrl:   nullable(input.AvatarURL),
+		IsActive:    boolInt(input.IsActive),
+		DataRoot:    nullable(input.DataRoot),
 	})
 	if err != nil {
 		return dbstore.AccountRecord{}, err
 	}
-	return accountRecord(row), nil
+	_, err = s.queries.CreatePasswordIdentity(ctx, sqlitesqlc.CreatePasswordIdentityParams{
+		UserID:           input.UserID,
+		Subject:          input.Username,
+		CredentialSecret: nullable(input.PasswordHash),
+		Email:            nullable(input.Email),
+		Username:         nullable(input.Username),
+		DisplayName:      nullable(input.DisplayName),
+		AvatarUrl:        nullable(input.AvatarURL),
+	})
+	if err != nil {
+		return dbstore.AccountRecord{}, err
+	}
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) UpdateLastLogin(ctx context.Context, accountID string) error {
@@ -89,7 +99,6 @@ func (s *Store) UpdateLastLogin(ctx context.Context, accountID string) error {
 func (s *Store) UpdateAdmin(ctx context.Context, input dbstore.UpdateAccountAdminInput) (dbstore.AccountRecord, error) {
 	row, err := s.queries.UpdateAccountAdmin(ctx, sqlitesqlc.UpdateAccountAdminParams{
 		UserID:      input.UserID,
-		Role:        input.Role,
 		DisplayName: nullable(input.DisplayName),
 		AvatarUrl:   nullable(input.AvatarURL),
 		IsActive:    boolInt(input.IsActive),
@@ -97,7 +106,7 @@ func (s *Store) UpdateAdmin(ctx context.Context, input dbstore.UpdateAccountAdmi
 	if err != nil {
 		return dbstore.AccountRecord{}, mapQueryErr(err)
 	}
-	return accountRecord(row), nil
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) UpdateProfile(ctx context.Context, input dbstore.UpdateAccountProfileInput) (dbstore.AccountRecord, error) {
@@ -111,12 +120,12 @@ func (s *Store) UpdateProfile(ctx context.Context, input dbstore.UpdateAccountPr
 	if err != nil {
 		return dbstore.AccountRecord{}, mapQueryErr(err)
 	}
-	return accountRecord(row), nil
+	return s.accountRecord(ctx, row), nil
 }
 
 func (s *Store) UpdatePassword(ctx context.Context, input dbstore.UpdateAccountPasswordInput) error {
 	_, err := s.queries.UpdateAccountPassword(ctx, sqlitesqlc.UpdateAccountPasswordParams{
-		ID:           input.UserID,
+		UserID:       input.UserID,
 		PasswordHash: nullable(input.PasswordHash),
 	})
 	return mapQueryErr(err)
@@ -140,29 +149,38 @@ func boolInt(value bool) int64 {
 	return 0
 }
 
-func accountRecords(rows []sqlitesqlc.User) []dbstore.AccountRecord {
+func (s *Store) accountRecords(ctx context.Context, rows []sqlitesqlc.IamUser) []dbstore.AccountRecord {
 	items := make([]dbstore.AccountRecord, 0, len(rows))
 	for _, row := range rows {
-		items = append(items, accountRecord(row))
+		items = append(items, s.accountRecord(ctx, row))
 	}
 	return items
 }
 
-func accountRecord(row sqlitesqlc.User) dbstore.AccountRecord {
+func (s *Store) accountRecord(ctx context.Context, row sqlitesqlc.IamUser) dbstore.AccountRecord {
+	rec := baseAccountRecord(row)
+	if row.Username.Valid {
+		identity, err := s.queries.GetPasswordIdentityBySubject(ctx, row.Username.String)
+		if err == nil {
+			rec.PasswordHash = identity.CredentialSecret.String
+			rec.HasPasswordHash = identity.CredentialSecret.Valid
+		}
+	}
+	return rec
+}
+
+func baseAccountRecord(row sqlitesqlc.IamUser) dbstore.AccountRecord {
 	return dbstore.AccountRecord{
-		ID:              row.ID,
-		Username:        row.Username.String,
-		Email:           row.Email.String,
-		Role:            row.Role,
-		DisplayName:     row.DisplayName.String,
-		AvatarURL:       row.AvatarUrl.String,
-		Timezone:        row.Timezone,
-		PasswordHash:    row.PasswordHash.String,
-		HasPasswordHash: row.PasswordHash.Valid,
-		IsActive:        row.IsActive != 0,
-		CreatedAt:       parseTime(row.CreatedAt),
-		UpdatedAt:       parseTime(row.UpdatedAt),
-		LastLoginAt:     parseTime(row.LastLoginAt.String),
+		ID:          row.ID,
+		Username:    row.Username.String,
+		Email:       row.Email.String,
+		DisplayName: row.DisplayName.String,
+		AvatarURL:   row.AvatarUrl.String,
+		Timezone:    row.Timezone,
+		IsActive:    row.IsActive != 0,
+		CreatedAt:   parseTime(row.CreatedAt),
+		UpdatedAt:   parseTime(row.UpdatedAt),
+		LastLoginAt: parseTime(row.LastLoginAt.String),
 	}
 }
 
diff --git a/internal/db/sqlite/store/iam_queries.go b/internal/db/sqlite/store/iam_queries.go
new file mode 100644
index 000000000..013e86486
--- /dev/null
+++ b/internal/db/sqlite/store/iam_queries.go
@@ -0,0 +1,414 @@
+package store
+
+import (
+	"context"
+	"database/sql"
+
+	"github.com/jackc/pgx/v5/pgtype"
+
+	pgsqlc "github.com/memohai/memoh/internal/db/postgres/sqlc"
+	sqlitesqlc "github.com/memohai/memoh/internal/db/sqlite/sqlc"
+)
+
+func (q *Queries) AssignPrincipalRole(ctx context.Context, arg pgsqlc.AssignPrincipalRoleParams) (pgsqlc.IamPrincipalRole, error) {
+	var sqliteArg sqlitesqlc.AssignPrincipalRoleParams
+	var result pgsqlc.IamPrincipalRole
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.AssignPrincipalRole(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) CreateIAMLoginCode(ctx context.Context, arg pgsqlc.CreateIAMLoginCodeParams) (pgsqlc.IamLoginCode, error) {
+	var sqliteArg sqlitesqlc.CreateIAMLoginCodeParams
+	var result pgsqlc.IamLoginCode
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.CreateIAMLoginCode(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) CreateIAMSession(ctx context.Context, arg pgsqlc.CreateIAMSessionParams) (pgsqlc.IamSession, error) {
+	var sqliteArg sqlitesqlc.CreateIAMSessionParams
+	var result pgsqlc.IamSession
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.CreateIAMSession(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) CreatePasswordIdentity(ctx context.Context, arg pgsqlc.CreatePasswordIdentityParams) (pgsqlc.IamIdentity, error) {
+	var sqliteArg sqlitesqlc.CreatePasswordIdentityParams
+	var result pgsqlc.IamIdentity
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.CreatePasswordIdentity(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) DeletePrincipalRole(ctx context.Context, id pgtype.UUID) error {
+	var sqliteID string
+	if err := q.convertArg(id, &sqliteID); err != nil {
+		return err
+	}
+	return mapQueryErr(q.store.queries.DeletePrincipalRole(ctx, sqliteID))
+}
+
+func (q *Queries) DeletePrincipalRoleAssignment(ctx context.Context, arg pgsqlc.DeletePrincipalRoleAssignmentParams) error {
+	var sqliteArg sqlitesqlc.DeletePrincipalRoleAssignmentParams
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return err
+	}
+	return mapQueryErr(q.store.queries.DeletePrincipalRoleAssignment(ctx, sqliteArg))
+}
+
+func (q *Queries) DeleteIAMGroup(ctx context.Context, id pgtype.UUID) error {
+	var sqliteID string
+	if err := q.convertArg(id, &sqliteID); err != nil {
+		return err
+	}
+	return mapQueryErr(q.store.queries.DeleteIAMGroup(ctx, sqliteID))
+}
+
+func (q *Queries) DeleteIAMGroupMember(ctx context.Context, arg pgsqlc.DeleteIAMGroupMemberParams) error {
+	var sqliteArg sqlitesqlc.DeleteIAMGroupMemberParams
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return err
+	}
+	return mapQueryErr(q.store.queries.DeleteIAMGroupMember(ctx, sqliteArg))
+}
+
+func (q *Queries) DeleteSSOGroupMapping(ctx context.Context, arg pgsqlc.DeleteSSOGroupMappingParams) error {
+	var sqliteArg sqlitesqlc.DeleteSSOGroupMappingParams
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return err
+	}
+	return mapQueryErr(q.store.queries.DeleteSSOGroupMapping(ctx, sqliteArg))
+}
+
+func (q *Queries) DeleteSSOProvider(ctx context.Context, id pgtype.UUID) error {
+	var sqliteID string
+	if err := q.convertArg(id, &sqliteID); err != nil {
+		return err
+	}
+	return mapQueryErr(q.store.queries.DeleteSSOProvider(ctx, sqliteID))
+}
+
+func (q *Queries) ExtendIAMSession(ctx context.Context, arg pgsqlc.ExtendIAMSessionParams) (pgsqlc.IamSession, error) {
+	var sqliteArg sqlitesqlc.ExtendIAMSessionParams
+	var result pgsqlc.IamSession
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.ExtendIAMSession(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) GetIAMSessionByID(ctx context.Context, id pgtype.UUID) (pgsqlc.GetIAMSessionByIDRow, error) {
+	var sqliteID string
+	var result pgsqlc.GetIAMSessionByIDRow
+	if err := q.convertArg(id, &sqliteID); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.GetIAMSessionByID(ctx, sqliteID)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) GetIAMGroupByID(ctx context.Context, id pgtype.UUID) (pgsqlc.IamGroup, error) {
+	var sqliteID string
+	var result pgsqlc.IamGroup
+	if err := q.convertArg(id, &sqliteID); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.GetIAMGroupByID(ctx, sqliteID)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) GetIdentityByProviderSubject(ctx context.Context, arg pgsqlc.GetIdentityByProviderSubjectParams) (pgsqlc.IamIdentity, error) {
+	var sqliteArg sqlitesqlc.GetIdentityByProviderSubjectParams
+	var result pgsqlc.IamIdentity
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.GetIdentityByProviderSubject(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) GetPasswordIdentityBySubject(ctx context.Context, subject string) (pgsqlc.IamIdentity, error) {
+	var result pgsqlc.IamIdentity
+	out, err := q.store.queries.GetPasswordIdentityBySubject(ctx, subject)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) GetRoleByKey(ctx context.Context, key string) (pgsqlc.IamRole, error) {
+	var result pgsqlc.IamRole
+	out, err := q.store.queries.GetRoleByKey(ctx, key)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) GetSSOProviderByID(ctx context.Context, id pgtype.UUID) (pgsqlc.IamSsoProvider, error) {
+	var sqliteID string
+	var result pgsqlc.IamSsoProvider
+	if err := q.convertArg(id, &sqliteID); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.GetSSOProviderByID(ctx, sqliteID)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) GetSSOProviderByKey(ctx context.Context, key string) (pgsqlc.IamSsoProvider, error) {
+	var result pgsqlc.IamSsoProvider
+	out, err := q.store.queries.GetSSOProviderByKey(ctx, key)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) HasPermission(ctx context.Context, arg pgsqlc.HasPermissionParams) (bool, error) {
+	var sqliteArg sqlitesqlc.HasPermissionParams
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return false, err
+	}
+	return q.store.queries.HasPermission(ctx, sqliteArg)
+}
+
+func (q *Queries) ListEnabledSSOProviders(ctx context.Context) ([]pgsqlc.IamSsoProvider, error) {
+	out, err := q.store.queries.ListEnabledSSOProviders(ctx)
+	if err != nil {
+		return nil, mapQueryErr(err)
+	}
+	var result []pgsqlc.IamSsoProvider
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) ListIAMGroups(ctx context.Context) ([]pgsqlc.IamGroup, error) {
+	out, err := q.store.queries.ListIAMGroups(ctx)
+	if err != nil {
+		return nil, mapQueryErr(err)
+	}
+	var result []pgsqlc.IamGroup
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) ListIAMGroupMembers(ctx context.Context, groupID pgtype.UUID) ([]pgsqlc.ListIAMGroupMembersRow, error) {
+	var sqliteGroupID string
+	if err := q.convertArg(groupID, &sqliteGroupID); err != nil {
+		return nil, err
+	}
+	out, err := q.store.queries.ListIAMGroupMembers(ctx, sqliteGroupID)
+	if err != nil {
+		return nil, mapQueryErr(err)
+	}
+	var result []pgsqlc.ListIAMGroupMembersRow
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) ListRoles(ctx context.Context) ([]pgsqlc.IamRole, error) {
+	out, err := q.store.queries.ListRoles(ctx)
+	if err != nil {
+		return nil, mapQueryErr(err)
+	}
+	var result []pgsqlc.IamRole
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) ListSSOGroupMappingsByProvider(ctx context.Context, providerID pgtype.UUID) ([]pgsqlc.ListSSOGroupMappingsByProviderRow, error) {
+	var sqliteProviderID string
+	if err := q.convertArg(providerID, &sqliteProviderID); err != nil {
+		return nil, err
+	}
+	out, err := q.store.queries.ListSSOGroupMappingsByProvider(ctx, sqliteProviderID)
+	if err != nil {
+		return nil, mapQueryErr(err)
+	}
+	var result []pgsqlc.ListSSOGroupMappingsByProviderRow
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) ListSSOProviders(ctx context.Context) ([]pgsqlc.IamSsoProvider, error) {
+	out, err := q.store.queries.ListSSOProviders(ctx)
+	if err != nil {
+		return nil, mapQueryErr(err)
+	}
+	var result []pgsqlc.IamSsoProvider
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) ListPrincipalRoles(ctx context.Context, arg pgsqlc.ListPrincipalRolesParams) ([]pgsqlc.ListPrincipalRolesRow, error) {
+	var sqliteArg sqlitesqlc.ListPrincipalRolesParams
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return nil, err
+	}
+	out, err := q.store.queries.ListPrincipalRoles(ctx, sqliteArg)
+	if err != nil {
+		return nil, mapQueryErr(err)
+	}
+	var result []pgsqlc.ListPrincipalRolesRow
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) ReplaceSSOGroupMemberships(ctx context.Context, arg pgsqlc.ReplaceSSOGroupMembershipsParams) error {
+	var userID string
+	var providerID string
+	if err := q.convertArg(arg.UserID, &userID); err != nil {
+		return err
+	}
+	if err := q.convertArg(arg.ProviderID, &providerID); err != nil {
+		return err
+	}
+	if err := q.store.queries.ClearSSOGroupMemberships(ctx, sqlitesqlc.ClearSSOGroupMembershipsParams{
+		UserID:     userID,
+		ProviderID: sql.NullString{String: providerID, Valid: providerID != ""},
+	}); err != nil {
+		return mapQueryErr(err)
+	}
+	for _, groupID := range arg.GroupIds {
+		var sqliteGroupID string
+		if err := q.convertArg(groupID, &sqliteGroupID); err != nil {
+			return err
+		}
+		if err := q.store.queries.AddSSOGroupMembership(ctx, sqlitesqlc.AddSSOGroupMembershipParams{
+			UserID:     userID,
+			GroupID:    sqliteGroupID,
+			ProviderID: sql.NullString{String: providerID, Valid: providerID != ""},
+		}); err != nil {
+			return mapQueryErr(err)
+		}
+	}
+	return nil
+}
+
+func (q *Queries) RevokeIAMSession(ctx context.Context, id pgtype.UUID) error {
+	var sqliteID string
+	if err := q.convertArg(id, &sqliteID); err != nil {
+		return err
+	}
+	return mapQueryErr(q.store.queries.RevokeIAMSession(ctx, sqliteID))
+}
+
+func (q *Queries) UpdateIdentityLastLogin(ctx context.Context, id pgtype.UUID) error {
+	var sqliteID string
+	if err := q.convertArg(id, &sqliteID); err != nil {
+		return err
+	}
+	return mapQueryErr(q.store.queries.UpdateIdentityLastLogin(ctx, sqliteID))
+}
+
+func (q *Queries) UpsertExternalIdentity(ctx context.Context, arg pgsqlc.UpsertExternalIdentityParams) (pgsqlc.IamIdentity, error) {
+	var sqliteArg sqlitesqlc.UpsertExternalIdentityParams
+	var result pgsqlc.IamIdentity
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.UpsertExternalIdentity(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) UpsertIAMGroup(ctx context.Context, arg pgsqlc.UpsertIAMGroupParams) (pgsqlc.IamGroup, error) {
+	var sqliteArg sqlitesqlc.UpsertIAMGroupParams
+	var result pgsqlc.IamGroup
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.UpsertIAMGroup(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) UpsertIAMGroupMember(ctx context.Context, arg pgsqlc.UpsertIAMGroupMemberParams) (pgsqlc.IamGroupMember, error) {
+	var sqliteArg sqlitesqlc.UpsertIAMGroupMemberParams
+	var result pgsqlc.IamGroupMember
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.UpsertIAMGroupMember(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) UpsertSSOGroupMapping(ctx context.Context, arg pgsqlc.UpsertSSOGroupMappingParams) (pgsqlc.IamSsoGroupMapping, error) {
+	var sqliteArg sqlitesqlc.UpsertSSOGroupMappingParams
+	var result pgsqlc.IamSsoGroupMapping
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.UpsertSSOGroupMapping(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) UpsertSSOProvider(ctx context.Context, arg pgsqlc.UpsertSSOProviderParams) (pgsqlc.IamSsoProvider, error) {
+	var sqliteArg sqlitesqlc.UpsertSSOProviderParams
+	var result pgsqlc.IamSsoProvider
+	if err := q.convertArg(arg, &sqliteArg); err != nil {
+		return result, err
+	}
+	out, err := q.store.queries.UpsertSSOProvider(ctx, sqliteArg)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) UseIAMLoginCode(ctx context.Context, codeHash string) (pgsqlc.IamLoginCode, error) {
+	var result pgsqlc.IamLoginCode
+	out, err := q.store.queries.UseIAMLoginCode(ctx, codeHash)
+	if err != nil {
+		return result, mapQueryErr(err)
+	}
+	return result, convertValue(out, &result)
+}
+
+func (q *Queries) convertArg(src any, dst any) error {
+	if q == nil || q.store == nil || q.store.queries == nil {
+		return errSQLiteQueriesNotConfigured
+	}
+	return convertValue(src, dst)
+}
diff --git a/internal/db/sqlite/store/queries.go b/internal/db/sqlite/store/queries.go
index 688d5d574..fe5cf051e 100644
--- a/internal/db/sqlite/store/queries.go
+++ b/internal/db/sqlite/store/queries.go
@@ -346,40 +346,40 @@ func (q *Queries) CountTokenUsageRecords(ctx context.Context, arg pgsqlc.CountTo
 	return result, nil
 }
 
-func (q *Queries) CreateAccount(ctx context.Context, arg pgsqlc.CreateAccountParams) (pgsqlc.User, error) {
+func (q *Queries) CreateAccount(ctx context.Context, arg pgsqlc.CreateAccountParams) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.CreateAccountParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.CreateAccount(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) CreateBindCode(ctx context.Context, arg pgsqlc.CreateBindCodeParams) (pgsqlc.ChannelIdentityBindCode, error) {
+func (q *Queries) CreateBindCode(ctx context.Context, arg pgsqlc.CreateBindCodeParams) (pgsqlc.IamChannelIdentityBindCode, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentityBindCode{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentityBindCode{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.CreateBindCodeParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, err
+		return pgsqlc.IamChannelIdentityBindCode{}, err
 	}
 	out, err := q.store.queries.CreateBindCode(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentityBindCode{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentityBindCode
+	var result pgsqlc.IamChannelIdentityBindCode
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, err
+		return pgsqlc.IamChannelIdentityBindCode{}, err
 	}
 	return result, nil
 }
@@ -460,21 +460,21 @@ func (q *Queries) CreateBrowserContext(ctx context.Context, arg pgsqlc.CreateBro
 	return result, nil
 }
 
-func (q *Queries) CreateChannelIdentity(ctx context.Context, arg pgsqlc.CreateChannelIdentityParams) (pgsqlc.ChannelIdentity, error) {
+func (q *Queries) CreateChannelIdentity(ctx context.Context, arg pgsqlc.CreateChannelIdentityParams) (pgsqlc.IamChannelIdentity, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentity{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentity{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.CreateChannelIdentityParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	out, err := q.store.queries.CreateChannelIdentity(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.ChannelIdentity{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentity{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentity
+	var result pgsqlc.IamChannelIdentity
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	return result, nil
 }
@@ -859,21 +859,21 @@ func (q *Queries) CreateToolApprovalRequest(ctx context.Context, arg pgsqlc.Crea
 	return result, nil
 }
 
-func (q *Queries) CreateUser(ctx context.Context, arg pgsqlc.CreateUserParams) (pgsqlc.User, error) {
+func (q *Queries) CreateUser(ctx context.Context, arg pgsqlc.CreateUserParams) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.CreateUserParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.CreateUser(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
@@ -1276,40 +1276,36 @@ func (q *Queries) FindChatRoute(ctx context.Context, arg pgsqlc.FindChatRoutePar
 	return result, nil
 }
 
-func (q *Queries) GetAccountByIdentity(ctx context.Context, identity pgtype.Text) (pgsqlc.User, error) {
+func (q *Queries) GetAccountByIdentity(ctx context.Context, identity string) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
-	var sqliteIdentity sql.NullString
-	if err := convertValue(identity, &sqliteIdentity); err != nil {
-		return pgsqlc.User{}, err
-	}
-	out, err := q.store.queries.GetAccountByIdentity(ctx, sqliteIdentity)
+	out, err := q.store.queries.GetAccountByIdentity(ctx, identity)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) GetAccountByUserID(ctx context.Context, userID pgtype.UUID) (pgsqlc.User, error) {
+func (q *Queries) GetAccountByUserID(ctx context.Context, userID pgtype.UUID) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteUserID string
 	if err := convertValue(userID, &sqliteUserID); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.GetAccountByUserID(ctx, sqliteUserID)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
@@ -1333,40 +1329,40 @@ func (q *Queries) GetActiveSessionForRoute(ctx context.Context, routeID pgtype.U
 	return result, nil
 }
 
-func (q *Queries) GetBindCode(ctx context.Context, token string) (pgsqlc.ChannelIdentityBindCode, error) {
+func (q *Queries) GetBindCode(ctx context.Context, token string) (pgsqlc.IamChannelIdentityBindCode, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentityBindCode{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentityBindCode{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteToken string
 	if err := convertValue(token, &sqliteToken); err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, err
+		return pgsqlc.IamChannelIdentityBindCode{}, err
 	}
 	out, err := q.store.queries.GetBindCode(ctx, sqliteToken)
 	if err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentityBindCode{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentityBindCode
+	var result pgsqlc.IamChannelIdentityBindCode
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, err
+		return pgsqlc.IamChannelIdentityBindCode{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) GetBindCodeForUpdate(ctx context.Context, token string) (pgsqlc.ChannelIdentityBindCode, error) {
+func (q *Queries) GetBindCodeForUpdate(ctx context.Context, token string) (pgsqlc.IamChannelIdentityBindCode, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentityBindCode{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentityBindCode{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteToken string
 	if err := convertValue(token, &sqliteToken); err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, err
+		return pgsqlc.IamChannelIdentityBindCode{}, err
 	}
 	out, err := q.store.queries.GetBindCodeForUpdate(ctx, sqliteToken)
 	if err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentityBindCode{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentityBindCode
+	var result pgsqlc.IamChannelIdentityBindCode
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, err
+		return pgsqlc.IamChannelIdentityBindCode{}, err
 	}
 	return result, nil
 }
@@ -1542,59 +1538,59 @@ func (q *Queries) GetBrowserContextByID(ctx context.Context, id pgtype.UUID) (pg
 	return result, nil
 }
 
-func (q *Queries) GetChannelIdentityByChannelSubject(ctx context.Context, arg pgsqlc.GetChannelIdentityByChannelSubjectParams) (pgsqlc.ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByChannelSubject(ctx context.Context, arg pgsqlc.GetChannelIdentityByChannelSubjectParams) (pgsqlc.IamChannelIdentity, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentity{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentity{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.GetChannelIdentityByChannelSubjectParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	out, err := q.store.queries.GetChannelIdentityByChannelSubject(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.ChannelIdentity{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentity{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentity
+	var result pgsqlc.IamChannelIdentity
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) GetChannelIdentityByID(ctx context.Context, id pgtype.UUID) (pgsqlc.ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByID(ctx context.Context, id pgtype.UUID) (pgsqlc.IamChannelIdentity, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentity{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentity{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteId string
 	if err := convertValue(id, &sqliteId); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	out, err := q.store.queries.GetChannelIdentityByID(ctx, sqliteId)
 	if err != nil {
-		return pgsqlc.ChannelIdentity{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentity{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentity
+	var result pgsqlc.IamChannelIdentity
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) GetChannelIdentityByIDForUpdate(ctx context.Context, id pgtype.UUID) (pgsqlc.ChannelIdentity, error) {
+func (q *Queries) GetChannelIdentityByIDForUpdate(ctx context.Context, id pgtype.UUID) (pgsqlc.IamChannelIdentity, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentity{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentity{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteId string
 	if err := convertValue(id, &sqliteId); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	out, err := q.store.queries.GetChannelIdentityByIDForUpdate(ctx, sqliteId)
 	if err != nil {
-		return pgsqlc.ChannelIdentity{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentity{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentity
+	var result pgsqlc.IamChannelIdentity
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	return result, nil
 }
@@ -2450,78 +2446,78 @@ func (q *Queries) GetTranscriptionModelWithProvider(ctx context.Context, id pgty
 	return result, nil
 }
 
-func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (pgsqlc.User, error) {
+func (q *Queries) GetUserByID(ctx context.Context, id pgtype.UUID) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteId string
 	if err := convertValue(id, &sqliteId); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.GetUserByID(ctx, sqliteId)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) GetUserChannelBinding(ctx context.Context, arg pgsqlc.GetUserChannelBindingParams) (pgsqlc.UserChannelBinding, error) {
+func (q *Queries) GetUserChannelBinding(ctx context.Context, arg pgsqlc.GetUserChannelBindingParams) (pgsqlc.IamUserChannelBinding, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.UserChannelBinding{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUserChannelBinding{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.GetUserChannelBindingParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.UserChannelBinding{}, err
+		return pgsqlc.IamUserChannelBinding{}, err
 	}
 	out, err := q.store.queries.GetUserChannelBinding(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.UserChannelBinding{}, mapQueryErr(err)
+		return pgsqlc.IamUserChannelBinding{}, mapQueryErr(err)
 	}
-	var result pgsqlc.UserChannelBinding
+	var result pgsqlc.IamUserChannelBinding
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.UserChannelBinding{}, err
+		return pgsqlc.IamUserChannelBinding{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) GetUserProviderOAuthToken(ctx context.Context, arg pgsqlc.GetUserProviderOAuthTokenParams) (pgsqlc.UserProviderOauthToken, error) {
+func (q *Queries) GetUserProviderOAuthToken(ctx context.Context, arg pgsqlc.GetUserProviderOAuthTokenParams) (pgsqlc.IamUserProviderOauthToken, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.UserProviderOauthToken{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUserProviderOauthToken{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.GetUserProviderOAuthTokenParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.UserProviderOauthToken{}, err
+		return pgsqlc.IamUserProviderOauthToken{}, err
 	}
 	out, err := q.store.queries.GetUserProviderOAuthToken(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.UserProviderOauthToken{}, mapQueryErr(err)
+		return pgsqlc.IamUserProviderOauthToken{}, mapQueryErr(err)
 	}
-	var result pgsqlc.UserProviderOauthToken
+	var result pgsqlc.IamUserProviderOauthToken
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.UserProviderOauthToken{}, err
+		return pgsqlc.IamUserProviderOauthToken{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) GetUserProviderOAuthTokenByState(ctx context.Context, state string) (pgsqlc.UserProviderOauthToken, error) {
+func (q *Queries) GetUserProviderOAuthTokenByState(ctx context.Context, state string) (pgsqlc.IamUserProviderOauthToken, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.UserProviderOauthToken{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUserProviderOauthToken{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteState string
 	if err := convertValue(state, &sqliteState); err != nil {
-		return pgsqlc.UserProviderOauthToken{}, err
+		return pgsqlc.IamUserProviderOauthToken{}, err
 	}
 	out, err := q.store.queries.GetUserProviderOAuthTokenByState(ctx, sqliteState)
 	if err != nil {
-		return pgsqlc.UserProviderOauthToken{}, mapQueryErr(err)
+		return pgsqlc.IamUserProviderOauthToken{}, mapQueryErr(err)
 	}
-	var result pgsqlc.UserProviderOauthToken
+	var result pgsqlc.IamUserProviderOauthToken
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.UserProviderOauthToken{}, err
+		return pgsqlc.IamUserProviderOauthToken{}, err
 	}
 	return result, nil
 }
@@ -2595,7 +2591,7 @@ func (q *Queries) InsertVersion(ctx context.Context, arg pgsqlc.InsertVersionPar
 	return result, nil
 }
 
-func (q *Queries) ListAccounts(ctx context.Context) ([]pgsqlc.User, error) {
+func (q *Queries) ListAccounts(ctx context.Context) ([]pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
 		return nil, errSQLiteQueriesNotConfigured
 	}
@@ -2603,7 +2599,7 @@ func (q *Queries) ListAccounts(ctx context.Context) ([]pgsqlc.User, error) {
 	if err != nil {
 		return nil, mapQueryErr(err)
 	}
-	var result []pgsqlc.User
+	var result []pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
 		return nil, err
 	}
@@ -2773,7 +2769,7 @@ func (q *Queries) ListBrowserContexts(ctx context.Context) ([]pgsqlc.BrowserCont
 	return result, nil
 }
 
-func (q *Queries) ListChannelIdentitiesByUserID(ctx context.Context, userID pgtype.UUID) ([]pgsqlc.ChannelIdentity, error) {
+func (q *Queries) ListChannelIdentitiesByUserID(ctx context.Context, userID pgtype.UUID) ([]pgsqlc.IamChannelIdentity, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
 		return nil, errSQLiteQueriesNotConfigured
 	}
@@ -2785,7 +2781,7 @@ func (q *Queries) ListChannelIdentitiesByUserID(ctx context.Context, userID pgty
 	if err != nil {
 		return nil, mapQueryErr(err)
 	}
-	var result []pgsqlc.ChannelIdentity
+	var result []pgsqlc.IamChannelIdentity
 	if err := convertValue(out, &result); err != nil {
 		return nil, err
 	}
@@ -3899,7 +3895,7 @@ func (q *Queries) ListUncompactedMessagesBySession(ctx context.Context, sessionI
 	return result, nil
 }
 
-func (q *Queries) ListUserChannelBindingsByPlatform(ctx context.Context, channelType string) ([]pgsqlc.UserChannelBinding, error) {
+func (q *Queries) ListUserChannelBindingsByPlatform(ctx context.Context, channelType string) ([]pgsqlc.IamUserChannelBinding, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
 		return nil, errSQLiteQueriesNotConfigured
 	}
@@ -3911,7 +3907,7 @@ func (q *Queries) ListUserChannelBindingsByPlatform(ctx context.Context, channel
 	if err != nil {
 		return nil, mapQueryErr(err)
 	}
-	var result []pgsqlc.UserChannelBinding
+	var result []pgsqlc.IamUserChannelBinding
 	if err := convertValue(out, &result); err != nil {
 		return nil, err
 	}
@@ -3956,21 +3952,21 @@ func (q *Queries) ListVisibleChatsByBotAndUser(ctx context.Context, arg pgsqlc.L
 	return result, nil
 }
 
-func (q *Queries) MarkBindCodeUsed(ctx context.Context, arg pgsqlc.MarkBindCodeUsedParams) (pgsqlc.ChannelIdentityBindCode, error) {
+func (q *Queries) MarkBindCodeUsed(ctx context.Context, arg pgsqlc.MarkBindCodeUsedParams) (pgsqlc.IamChannelIdentityBindCode, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentityBindCode{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentityBindCode{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.MarkBindCodeUsedParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, err
+		return pgsqlc.IamChannelIdentityBindCode{}, err
 	}
 	out, err := q.store.queries.MarkBindCodeUsed(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentityBindCode{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentityBindCode
+	var result pgsqlc.IamChannelIdentityBindCode
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentityBindCode{}, err
+		return pgsqlc.IamChannelIdentityBindCode{}, err
 	}
 	return result, nil
 }
@@ -4056,7 +4052,7 @@ func (q *Queries) SaveMatrixSyncSinceToken(ctx context.Context, arg pgsqlc.SaveM
 	return result, nil
 }
 
-func (q *Queries) SearchAccounts(ctx context.Context, arg pgsqlc.SearchAccountsParams) ([]pgsqlc.User, error) {
+func (q *Queries) SearchAccounts(ctx context.Context, arg pgsqlc.SearchAccountsParams) ([]pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
 		return nil, errSQLiteQueriesNotConfigured
 	}
@@ -4068,7 +4064,7 @@ func (q *Queries) SearchAccounts(ctx context.Context, arg pgsqlc.SearchAccountsP
 	if err != nil {
 		return nil, mapQueryErr(err)
 	}
-	var result []pgsqlc.User
+	var result []pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
 		return nil, err
 	}
@@ -4125,21 +4121,21 @@ func (q *Queries) SetBotACLDefaultEffect(ctx context.Context, arg pgsqlc.SetBotA
 	return mapQueryErr(err)
 }
 
-func (q *Queries) SetChannelIdentityLinkedUser(ctx context.Context, arg pgsqlc.SetChannelIdentityLinkedUserParams) (pgsqlc.ChannelIdentity, error) {
+func (q *Queries) SetChannelIdentityLinkedUser(ctx context.Context, arg pgsqlc.SetChannelIdentityLinkedUserParams) (pgsqlc.IamChannelIdentity, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentity{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentity{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.SetChannelIdentityLinkedUserParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	out, err := q.store.queries.SetChannelIdentityLinkedUser(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.ChannelIdentity{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentity{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentity
+	var result pgsqlc.IamChannelIdentity
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	return result, nil
 }
@@ -4204,78 +4200,78 @@ func (q *Queries) TouchSession(ctx context.Context, id pgtype.UUID) error {
 	return mapQueryErr(err)
 }
 
-func (q *Queries) UpdateAccountAdmin(ctx context.Context, arg pgsqlc.UpdateAccountAdminParams) (pgsqlc.User, error) {
+func (q *Queries) UpdateAccountAdmin(ctx context.Context, arg pgsqlc.UpdateAccountAdminParams) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.UpdateAccountAdminParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.UpdateAccountAdmin(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) UpdateAccountLastLogin(ctx context.Context, id pgtype.UUID) (pgsqlc.User, error) {
+func (q *Queries) UpdateAccountLastLogin(ctx context.Context, id pgtype.UUID) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteId string
 	if err := convertValue(id, &sqliteId); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.UpdateAccountLastLogin(ctx, sqliteId)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) UpdateAccountPassword(ctx context.Context, arg pgsqlc.UpdateAccountPasswordParams) (pgsqlc.User, error) {
+func (q *Queries) UpdateAccountPassword(ctx context.Context, arg pgsqlc.UpdateAccountPasswordParams) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.UpdateAccountPasswordParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.UpdateAccountPassword(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) UpdateAccountProfile(ctx context.Context, arg pgsqlc.UpdateAccountProfileParams) (pgsqlc.User, error) {
+func (q *Queries) UpdateAccountProfile(ctx context.Context, arg pgsqlc.UpdateAccountProfileParams) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.UpdateAccountProfileParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.UpdateAccountProfile(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
@@ -4807,21 +4803,21 @@ func (q *Queries) UpdateUserProviderOAuthState(ctx context.Context, arg pgsqlc.U
 	return mapQueryErr(err)
 }
 
-func (q *Queries) UpsertAccountByUsername(ctx context.Context, arg pgsqlc.UpsertAccountByUsernameParams) (pgsqlc.User, error) {
+func (q *Queries) UpsertAccountByUsername(ctx context.Context, arg pgsqlc.UpsertAccountByUsernameParams) (pgsqlc.IamUser, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.User{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUser{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.UpsertAccountByUsernameParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	out, err := q.store.queries.UpsertAccountByUsername(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.User{}, mapQueryErr(err)
+		return pgsqlc.IamUser{}, mapQueryErr(err)
 	}
-	var result pgsqlc.User
+	var result pgsqlc.IamUser
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.User{}, err
+		return pgsqlc.IamUser{}, err
 	}
 	return result, nil
 }
@@ -4883,21 +4879,21 @@ func (q *Queries) UpsertBotStorageBinding(ctx context.Context, arg pgsqlc.Upsert
 	return result, nil
 }
 
-func (q *Queries) UpsertChannelIdentityByChannelSubject(ctx context.Context, arg pgsqlc.UpsertChannelIdentityByChannelSubjectParams) (pgsqlc.ChannelIdentity, error) {
+func (q *Queries) UpsertChannelIdentityByChannelSubject(ctx context.Context, arg pgsqlc.UpsertChannelIdentityByChannelSubjectParams) (pgsqlc.IamChannelIdentity, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.ChannelIdentity{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamChannelIdentity{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.UpsertChannelIdentityByChannelSubjectParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	out, err := q.store.queries.UpsertChannelIdentityByChannelSubject(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.ChannelIdentity{}, mapQueryErr(err)
+		return pgsqlc.IamChannelIdentity{}, mapQueryErr(err)
 	}
-	var result pgsqlc.ChannelIdentity
+	var result pgsqlc.IamChannelIdentity
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.ChannelIdentity{}, err
+		return pgsqlc.IamChannelIdentity{}, err
 	}
 	return result, nil
 }
@@ -5066,40 +5062,40 @@ func (q *Queries) UpsertSnapshot(ctx context.Context, arg pgsqlc.UpsertSnapshotP
 	return result, nil
 }
 
-func (q *Queries) UpsertUserChannelBinding(ctx context.Context, arg pgsqlc.UpsertUserChannelBindingParams) (pgsqlc.UserChannelBinding, error) {
+func (q *Queries) UpsertUserChannelBinding(ctx context.Context, arg pgsqlc.UpsertUserChannelBindingParams) (pgsqlc.IamUserChannelBinding, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.UserChannelBinding{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUserChannelBinding{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.UpsertUserChannelBindingParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.UserChannelBinding{}, err
+		return pgsqlc.IamUserChannelBinding{}, err
 	}
 	out, err := q.store.queries.UpsertUserChannelBinding(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.UserChannelBinding{}, mapQueryErr(err)
+		return pgsqlc.IamUserChannelBinding{}, mapQueryErr(err)
 	}
-	var result pgsqlc.UserChannelBinding
+	var result pgsqlc.IamUserChannelBinding
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.UserChannelBinding{}, err
+		return pgsqlc.IamUserChannelBinding{}, err
 	}
 	return result, nil
 }
 
-func (q *Queries) UpsertUserProviderOAuthToken(ctx context.Context, arg pgsqlc.UpsertUserProviderOAuthTokenParams) (pgsqlc.UserProviderOauthToken, error) {
+func (q *Queries) UpsertUserProviderOAuthToken(ctx context.Context, arg pgsqlc.UpsertUserProviderOAuthTokenParams) (pgsqlc.IamUserProviderOauthToken, error) {
 	if q == nil || q.store == nil || q.store.queries == nil {
-		return pgsqlc.UserProviderOauthToken{}, errSQLiteQueriesNotConfigured
+		return pgsqlc.IamUserProviderOauthToken{}, errSQLiteQueriesNotConfigured
 	}
 	var sqliteArg sqlitesqlc.UpsertUserProviderOAuthTokenParams
 	if err := convertValue(arg, &sqliteArg); err != nil {
-		return pgsqlc.UserProviderOauthToken{}, err
+		return pgsqlc.IamUserProviderOauthToken{}, err
 	}
 	out, err := q.store.queries.UpsertUserProviderOAuthToken(ctx, sqliteArg)
 	if err != nil {
-		return pgsqlc.UserProviderOauthToken{}, mapQueryErr(err)
+		return pgsqlc.IamUserProviderOauthToken{}, mapQueryErr(err)
 	}
-	var result pgsqlc.UserProviderOauthToken
+	var result pgsqlc.IamUserProviderOauthToken
 	if err := convertValue(out, &result); err != nil {
-		return pgsqlc.UserProviderOauthToken{}, err
+		return pgsqlc.IamUserProviderOauthToken{}, err
 	}
 	return result, nil
 }
diff --git a/internal/db/store/contracts.go b/internal/db/store/contracts.go
index 7070bf166..83b389292 100644
--- a/internal/db/store/contracts.go
+++ b/internal/db/store/contracts.go
@@ -23,7 +23,6 @@ type AccountRecord struct {
 	ID              string
 	Username        string
 	Email           string
-	Role            string
 	DisplayName     string
 	AvatarURL       string
 	Timezone        string
@@ -45,7 +44,6 @@ type CreateAccountInput struct {
 	Username     string
 	Email        string
 	PasswordHash string
-	Role         string
 	DisplayName  string
 	AvatarURL    string
 	IsActive     bool
@@ -54,7 +52,6 @@ type CreateAccountInput struct {
 
 type UpdateAccountAdminInput struct {
 	UserID      string
-	Role        string
 	DisplayName string
 	AvatarURL   string
 	IsActive    bool
diff --git a/internal/db/store/queries.go b/internal/db/store/queries.go
index 715bdfd06..f5306c636 100644
--- a/internal/db/store/queries.go
+++ b/internal/db/store/queries.go
@@ -30,13 +30,14 @@ type Queries interface {
 	CountScheduleLogsBySchedule(ctx context.Context, scheduleID pgtype.UUID) (int64, error)
 	CountSessionEvents(ctx context.Context, sessionID pgtype.UUID) (int64, error)
 	CountTokenUsageRecords(ctx context.Context, arg dbsqlc.CountTokenUsageRecordsParams) (int64, error)
-	CreateAccount(ctx context.Context, arg dbsqlc.CreateAccountParams) (dbsqlc.User, error)
-	CreateBindCode(ctx context.Context, arg dbsqlc.CreateBindCodeParams) (dbsqlc.ChannelIdentityBindCode, error)
+	AssignPrincipalRole(ctx context.Context, arg dbsqlc.AssignPrincipalRoleParams) (dbsqlc.IamPrincipalRole, error)
+	CreateAccount(ctx context.Context, arg dbsqlc.CreateAccountParams) (dbsqlc.IamUser, error)
+	CreateBindCode(ctx context.Context, arg dbsqlc.CreateBindCodeParams) (dbsqlc.IamChannelIdentityBindCode, error)
 	CreateBot(ctx context.Context, arg dbsqlc.CreateBotParams) (dbsqlc.CreateBotRow, error)
 	CreateBotACLRule(ctx context.Context, arg dbsqlc.CreateBotACLRuleParams) (dbsqlc.CreateBotACLRuleRow, error)
 	CreateBotEmailBinding(ctx context.Context, arg dbsqlc.CreateBotEmailBindingParams) (dbsqlc.BotEmailBinding, error)
 	CreateBrowserContext(ctx context.Context, arg dbsqlc.CreateBrowserContextParams) (dbsqlc.BrowserContext, error)
-	CreateChannelIdentity(ctx context.Context, arg dbsqlc.CreateChannelIdentityParams) (dbsqlc.ChannelIdentity, error)
+	CreateChannelIdentity(ctx context.Context, arg dbsqlc.CreateChannelIdentityParams) (dbsqlc.IamChannelIdentity, error)
 	CreateChat(ctx context.Context, arg dbsqlc.CreateChatParams) (dbsqlc.CreateChatRow, error)
 	CreateChatRoute(ctx context.Context, arg dbsqlc.CreateChatRouteParams) (dbsqlc.CreateChatRouteRow, error)
 	CreateCompactionLog(ctx context.Context, arg dbsqlc.CreateCompactionLogParams) (dbsqlc.BotHistoryMessageCompact, error)
@@ -57,7 +58,10 @@ type Queries interface {
 	CreateSessionEvent(ctx context.Context, arg dbsqlc.CreateSessionEventParams) (pgtype.UUID, error)
 	CreateStorageProvider(ctx context.Context, arg dbsqlc.CreateStorageProviderParams) (dbsqlc.StorageProvider, error)
 	CreateToolApprovalRequest(ctx context.Context, arg dbsqlc.CreateToolApprovalRequestParams) (dbsqlc.ToolApprovalRequest, error)
-	CreateUser(ctx context.Context, arg dbsqlc.CreateUserParams) (dbsqlc.User, error)
+	CreateIAMLoginCode(ctx context.Context, arg dbsqlc.CreateIAMLoginCodeParams) (dbsqlc.IamLoginCode, error)
+	CreateIAMSession(ctx context.Context, arg dbsqlc.CreateIAMSessionParams) (dbsqlc.IamSession, error)
+	CreatePasswordIdentity(ctx context.Context, arg dbsqlc.CreatePasswordIdentityParams) (dbsqlc.IamIdentity, error)
+	CreateUser(ctx context.Context, arg dbsqlc.CreateUserParams) (dbsqlc.IamUser, error)
 	DeleteBotACLRuleByID(ctx context.Context, id pgtype.UUID) error
 	DeleteBotByID(ctx context.Context, id pgtype.UUID) error
 	DeleteBotChannelConfig(ctx context.Context, arg dbsqlc.DeleteBotChannelConfigParams) error
@@ -70,6 +74,8 @@ type Queries interface {
 	DeleteEmailOAuthToken(ctx context.Context, emailProviderID pgtype.UUID) error
 	DeleteEmailProvider(ctx context.Context, id pgtype.UUID) error
 	DeleteHeartbeatLogsByBot(ctx context.Context, botID pgtype.UUID) error
+	DeleteIAMGroup(ctx context.Context, id pgtype.UUID) error
+	DeleteIAMGroupMember(ctx context.Context, arg dbsqlc.DeleteIAMGroupMemberParams) error
 	DeleteMCPConnection(ctx context.Context, arg dbsqlc.DeleteMCPConnectionParams) error
 	DeleteMCPOAuthToken(ctx context.Context, connectionID pgtype.UUID) error
 	DeleteMemoryProvider(ctx context.Context, id pgtype.UUID) error
@@ -82,19 +88,24 @@ type Queries interface {
 	DeleteModelByProviderIDAndModelID(ctx context.Context, arg dbsqlc.DeleteModelByProviderIDAndModelIDParams) error
 	DeleteProvider(ctx context.Context, id pgtype.UUID) error
 	DeleteProviderOAuthToken(ctx context.Context, providerID pgtype.UUID) error
+	DeletePrincipalRole(ctx context.Context, id pgtype.UUID) error
+	DeletePrincipalRoleAssignment(ctx context.Context, arg dbsqlc.DeletePrincipalRoleAssignmentParams) error
 	DeleteSchedule(ctx context.Context, id pgtype.UUID) error
 	DeleteScheduleLogsByBot(ctx context.Context, botID pgtype.UUID) error
 	DeleteScheduleLogsBySchedule(ctx context.Context, scheduleID pgtype.UUID) error
 	DeleteSearchProvider(ctx context.Context, id pgtype.UUID) error
 	DeleteSettingsByBotID(ctx context.Context, id pgtype.UUID) error
+	DeleteSSOGroupMapping(ctx context.Context, arg dbsqlc.DeleteSSOGroupMappingParams) error
+	DeleteSSOProvider(ctx context.Context, id pgtype.UUID) error
 	DeleteUserProviderOAuthToken(ctx context.Context, arg dbsqlc.DeleteUserProviderOAuthTokenParams) error
 	EvaluateBotACLRule(ctx context.Context, arg dbsqlc.EvaluateBotACLRuleParams) (string, error)
+	ExtendIAMSession(ctx context.Context, arg dbsqlc.ExtendIAMSessionParams) (dbsqlc.IamSession, error)
 	FindChatRoute(ctx context.Context, arg dbsqlc.FindChatRouteParams) (dbsqlc.FindChatRouteRow, error)
-	GetAccountByIdentity(ctx context.Context, identity pgtype.Text) (dbsqlc.User, error)
-	GetAccountByUserID(ctx context.Context, userID pgtype.UUID) (dbsqlc.User, error)
+	GetAccountByIdentity(ctx context.Context, identity string) (dbsqlc.IamUser, error)
+	GetAccountByUserID(ctx context.Context, userID pgtype.UUID) (dbsqlc.IamUser, error)
 	GetActiveSessionForRoute(ctx context.Context, routeID pgtype.UUID) (dbsqlc.BotSession, error)
-	GetBindCode(ctx context.Context, token string) (dbsqlc.ChannelIdentityBindCode, error)
-	GetBindCodeForUpdate(ctx context.Context, token string) (dbsqlc.ChannelIdentityBindCode, error)
+	GetBindCode(ctx context.Context, token string) (dbsqlc.IamChannelIdentityBindCode, error)
+	GetBindCodeForUpdate(ctx context.Context, token string) (dbsqlc.IamChannelIdentityBindCode, error)
 	GetBotACLDefaultEffect(ctx context.Context, id pgtype.UUID) (string, error)
 	GetBotByID(ctx context.Context, id pgtype.UUID) (dbsqlc.GetBotByIDRow, error)
 	GetBotChannelConfig(ctx context.Context, arg dbsqlc.GetBotChannelConfigParams) (dbsqlc.BotChannelConfig, error)
@@ -104,9 +115,9 @@ type Queries interface {
 	GetBotOverlayConfig(ctx context.Context, id pgtype.UUID) (dbsqlc.GetBotOverlayConfigRow, error)
 	GetBotStorageBinding(ctx context.Context, botID pgtype.UUID) (dbsqlc.BotStorageBinding, error)
 	GetBrowserContextByID(ctx context.Context, id pgtype.UUID) (dbsqlc.BrowserContext, error)
-	GetChannelIdentityByChannelSubject(ctx context.Context, arg dbsqlc.GetChannelIdentityByChannelSubjectParams) (dbsqlc.ChannelIdentity, error)
-	GetChannelIdentityByID(ctx context.Context, id pgtype.UUID) (dbsqlc.ChannelIdentity, error)
-	GetChannelIdentityByIDForUpdate(ctx context.Context, id pgtype.UUID) (dbsqlc.ChannelIdentity, error)
+	GetChannelIdentityByChannelSubject(ctx context.Context, arg dbsqlc.GetChannelIdentityByChannelSubjectParams) (dbsqlc.IamChannelIdentity, error)
+	GetChannelIdentityByID(ctx context.Context, id pgtype.UUID) (dbsqlc.IamChannelIdentity, error)
+	GetChannelIdentityByIDForUpdate(ctx context.Context, id pgtype.UUID) (dbsqlc.IamChannelIdentity, error)
 	GetChatByID(ctx context.Context, id pgtype.UUID) (dbsqlc.GetChatByIDRow, error)
 	GetChatParticipant(ctx context.Context, arg dbsqlc.GetChatParticipantParams) (dbsqlc.GetChatParticipantRow, error)
 	GetChatReadAccessByUser(ctx context.Context, arg dbsqlc.GetChatReadAccessByUserParams) (dbsqlc.GetChatReadAccessByUserRow, error)
@@ -120,6 +131,10 @@ type Queries interface {
 	GetEmailOutboxByID(ctx context.Context, id pgtype.UUID) (dbsqlc.EmailOutbox, error)
 	GetEmailProviderByID(ctx context.Context, id pgtype.UUID) (dbsqlc.EmailProvider, error)
 	GetEmailProviderByName(ctx context.Context, name string) (dbsqlc.EmailProvider, error)
+	GetIAMGroupByID(ctx context.Context, id pgtype.UUID) (dbsqlc.IamGroup, error)
+	GetIAMSessionByID(ctx context.Context, id pgtype.UUID) (dbsqlc.GetIAMSessionByIDRow, error)
+	GetIdentityByProviderSubject(ctx context.Context, arg dbsqlc.GetIdentityByProviderSubjectParams) (dbsqlc.IamIdentity, error)
+	GetPasswordIdentityBySubject(ctx context.Context, subject string) (dbsqlc.IamIdentity, error)
 	GetLatestAssistantUsage(ctx context.Context, sessionID pgtype.UUID) (int64, error)
 	GetLatestPendingToolApprovalBySession(ctx context.Context, arg dbsqlc.GetLatestPendingToolApprovalBySessionParams) (dbsqlc.ToolApprovalRequest, error)
 	GetLatestSessionIDByBot(ctx context.Context, botID pgtype.UUID) (pgtype.UUID, error)
@@ -137,6 +152,7 @@ type Queries interface {
 	GetProviderByName(ctx context.Context, name string) (dbsqlc.Provider, error)
 	GetProviderOAuthTokenByProvider(ctx context.Context, providerID pgtype.UUID) (dbsqlc.ProviderOauthToken, error)
 	GetProviderOAuthTokenByState(ctx context.Context, state string) (dbsqlc.ProviderOauthToken, error)
+	GetRoleByKey(ctx context.Context, key string) (dbsqlc.IamRole, error)
 	GetScheduleByID(ctx context.Context, id pgtype.UUID) (dbsqlc.Schedule, error)
 	GetSearchProviderByID(ctx context.Context, id pgtype.UUID) (dbsqlc.SearchProvider, error)
 	GetSearchProviderByName(ctx context.Context, name string) (dbsqlc.SearchProvider, error)
@@ -146,21 +162,24 @@ type Queries interface {
 	GetSettingsByBotID(ctx context.Context, id pgtype.UUID) (dbsqlc.GetSettingsByBotIDRow, error)
 	GetSnapshotByContainerAndRuntimeName(ctx context.Context, arg dbsqlc.GetSnapshotByContainerAndRuntimeNameParams) (dbsqlc.Snapshot, error)
 	GetSpeechModelWithProvider(ctx context.Context, id pgtype.UUID) (dbsqlc.GetSpeechModelWithProviderRow, error)
+	GetSSOProviderByID(ctx context.Context, id pgtype.UUID) (dbsqlc.IamSsoProvider, error)
+	GetSSOProviderByKey(ctx context.Context, key string) (dbsqlc.IamSsoProvider, error)
 	GetStorageProviderByID(ctx context.Context, id pgtype.UUID) (dbsqlc.StorageProvider, error)
 	GetStorageProviderByName(ctx context.Context, name string) (dbsqlc.StorageProvider, error)
 	GetTokenUsageByDayAndType(ctx context.Context, arg dbsqlc.GetTokenUsageByDayAndTypeParams) ([]dbsqlc.GetTokenUsageByDayAndTypeRow, error)
 	GetTokenUsageByModel(ctx context.Context, arg dbsqlc.GetTokenUsageByModelParams) ([]dbsqlc.GetTokenUsageByModelRow, error)
 	GetToolApprovalRequest(ctx context.Context, id pgtype.UUID) (dbsqlc.ToolApprovalRequest, error)
 	GetTranscriptionModelWithProvider(ctx context.Context, id pgtype.UUID) (dbsqlc.GetTranscriptionModelWithProviderRow, error)
-	GetUserByID(ctx context.Context, id pgtype.UUID) (dbsqlc.User, error)
-	GetUserChannelBinding(ctx context.Context, arg dbsqlc.GetUserChannelBindingParams) (dbsqlc.UserChannelBinding, error)
-	GetUserProviderOAuthToken(ctx context.Context, arg dbsqlc.GetUserProviderOAuthTokenParams) (dbsqlc.UserProviderOauthToken, error)
-	GetUserProviderOAuthTokenByState(ctx context.Context, state string) (dbsqlc.UserProviderOauthToken, error)
+	GetUserByID(ctx context.Context, id pgtype.UUID) (dbsqlc.IamUser, error)
+	GetUserChannelBinding(ctx context.Context, arg dbsqlc.GetUserChannelBindingParams) (dbsqlc.IamUserChannelBinding, error)
+	GetUserProviderOAuthToken(ctx context.Context, arg dbsqlc.GetUserProviderOAuthTokenParams) (dbsqlc.IamUserProviderOauthToken, error)
+	GetUserProviderOAuthTokenByState(ctx context.Context, state string) (dbsqlc.IamUserProviderOauthToken, error)
 	GetVersionSnapshotRuntimeName(ctx context.Context, arg dbsqlc.GetVersionSnapshotRuntimeNameParams) (string, error)
+	HasPermission(ctx context.Context, arg dbsqlc.HasPermissionParams) (bool, error)
 	IncrementScheduleCalls(ctx context.Context, id pgtype.UUID) (dbsqlc.Schedule, error)
 	InsertLifecycleEvent(ctx context.Context, arg dbsqlc.InsertLifecycleEventParams) error
 	InsertVersion(ctx context.Context, arg dbsqlc.InsertVersionParams) (dbsqlc.ContainerVersion, error)
-	ListAccounts(ctx context.Context) ([]dbsqlc.User, error)
+	ListAccounts(ctx context.Context) ([]dbsqlc.IamUser, error)
 	ListActiveMessagesSince(ctx context.Context, arg dbsqlc.ListActiveMessagesSinceParams) ([]dbsqlc.ListActiveMessagesSinceRow, error)
 	ListActiveMessagesSinceBySession(ctx context.Context, arg dbsqlc.ListActiveMessagesSinceBySessionParams) ([]dbsqlc.ListActiveMessagesSinceBySessionRow, error)
 	ListAutoStartContainers(ctx context.Context) ([]dbsqlc.Container, error)
@@ -170,7 +189,7 @@ type Queries interface {
 	ListBotEmailBindingsByProvider(ctx context.Context, emailProviderID pgtype.UUID) ([]dbsqlc.BotEmailBinding, error)
 	ListBotsByOwner(ctx context.Context, ownerUserID pgtype.UUID) ([]dbsqlc.ListBotsByOwnerRow, error)
 	ListBrowserContexts(ctx context.Context) ([]dbsqlc.BrowserContext, error)
-	ListChannelIdentitiesByUserID(ctx context.Context, userID pgtype.UUID) ([]dbsqlc.ChannelIdentity, error)
+	ListChannelIdentitiesByUserID(ctx context.Context, userID pgtype.UUID) ([]dbsqlc.IamChannelIdentity, error)
 	ListChatParticipants(ctx context.Context, chatID pgtype.UUID) ([]dbsqlc.ListChatParticipantsRow, error)
 	ListChatRoutes(ctx context.Context, chatID pgtype.UUID) ([]dbsqlc.ListChatRoutesRow, error)
 	ListChatsByBotAndUser(ctx context.Context, arg dbsqlc.ListChatsByBotAndUserParams) ([]dbsqlc.ListChatsByBotAndUserRow, error)
@@ -183,8 +202,11 @@ type Queries interface {
 	ListEnabledModelsByProviderClientType(ctx context.Context, clientType string) ([]dbsqlc.Model, error)
 	ListEnabledModelsByType(ctx context.Context, type_ string) ([]dbsqlc.Model, error)
 	ListEnabledSchedules(ctx context.Context) ([]dbsqlc.Schedule, error)
+	ListEnabledSSOProviders(ctx context.Context) ([]dbsqlc.IamSsoProvider, error)
 	ListHeartbeatEnabledBots(ctx context.Context) ([]dbsqlc.ListHeartbeatEnabledBotsRow, error)
 	ListHeartbeatLogsByBot(ctx context.Context, arg dbsqlc.ListHeartbeatLogsByBotParams) ([]dbsqlc.ListHeartbeatLogsByBotRow, error)
+	ListIAMGroupMembers(ctx context.Context, groupID pgtype.UUID) ([]dbsqlc.ListIAMGroupMembersRow, error)
+	ListIAMGroups(ctx context.Context) ([]dbsqlc.IamGroup, error)
 	ListMCPConnectionsByBotID(ctx context.Context, botID pgtype.UUID) ([]dbsqlc.McpConnection, error)
 	ListMemoryProviders(ctx context.Context) ([]dbsqlc.MemoryProvider, error)
 	ListMessageAssets(ctx context.Context, messageID pgtype.UUID) ([]dbsqlc.ListMessageAssetsRow, error)
@@ -207,8 +229,10 @@ type Queries interface {
 	ListObservedConversationsByChannelIdentity(ctx context.Context, arg dbsqlc.ListObservedConversationsByChannelIdentityParams) ([]dbsqlc.ListObservedConversationsByChannelIdentityRow, error)
 	ListObservedConversationsByChannelType(ctx context.Context, arg dbsqlc.ListObservedConversationsByChannelTypeParams) ([]dbsqlc.ListObservedConversationsByChannelTypeRow, error)
 	ListPendingToolApprovalsBySession(ctx context.Context, arg dbsqlc.ListPendingToolApprovalsBySessionParams) ([]dbsqlc.ToolApprovalRequest, error)
+	ListPrincipalRoles(ctx context.Context, arg dbsqlc.ListPrincipalRolesParams) ([]dbsqlc.ListPrincipalRolesRow, error)
 	ListProviders(ctx context.Context) ([]dbsqlc.Provider, error)
 	ListReadableBindingsByProvider(ctx context.Context, emailProviderID pgtype.UUID) ([]dbsqlc.BotEmailBinding, error)
+	ListRoles(ctx context.Context) ([]dbsqlc.IamRole, error)
 	ListScheduleLogsByBot(ctx context.Context, arg dbsqlc.ListScheduleLogsByBotParams) ([]dbsqlc.ListScheduleLogsByBotRow, error)
 	ListScheduleLogsBySchedule(ctx context.Context, arg dbsqlc.ListScheduleLogsByScheduleParams) ([]dbsqlc.ListScheduleLogsByScheduleRow, error)
 	ListSchedulesByBot(ctx context.Context, botID pgtype.UUID) ([]dbsqlc.Schedule, error)
@@ -223,6 +247,8 @@ type Queries interface {
 	ListSpeechModels(ctx context.Context) ([]dbsqlc.ListSpeechModelsRow, error)
 	ListSpeechModelsByProviderID(ctx context.Context, providerID pgtype.UUID) ([]dbsqlc.Model, error)
 	ListSpeechProviders(ctx context.Context) ([]dbsqlc.Provider, error)
+	ListSSOGroupMappingsByProvider(ctx context.Context, providerID pgtype.UUID) ([]dbsqlc.ListSSOGroupMappingsByProviderRow, error)
+	ListSSOProviders(ctx context.Context) ([]dbsqlc.IamSsoProvider, error)
 	ListStorageProviders(ctx context.Context) ([]dbsqlc.StorageProvider, error)
 	ListSubagentSessionsByParent(ctx context.Context, parentSessionID pgtype.UUID) ([]dbsqlc.BotSession, error)
 	ListThreadsByParent(ctx context.Context, id pgtype.UUID) ([]dbsqlc.ListThreadsByParentRow, error)
@@ -232,29 +258,31 @@ type Queries interface {
 	ListTranscriptionModelsByProviderID(ctx context.Context, providerID pgtype.UUID) ([]dbsqlc.Model, error)
 	ListTranscriptionProviders(ctx context.Context) ([]dbsqlc.Provider, error)
 	ListUncompactedMessagesBySession(ctx context.Context, sessionID pgtype.UUID) ([]dbsqlc.ListUncompactedMessagesBySessionRow, error)
-	ListUserChannelBindingsByPlatform(ctx context.Context, channelType string) ([]dbsqlc.UserChannelBinding, error)
+	ListUserChannelBindingsByPlatform(ctx context.Context, channelType string) ([]dbsqlc.IamUserChannelBinding, error)
 	ListVersionsByContainerID(ctx context.Context, containerID string) ([]dbsqlc.ListVersionsByContainerIDRow, error)
 	ListVisibleChatsByBotAndUser(ctx context.Context, arg dbsqlc.ListVisibleChatsByBotAndUserParams) ([]dbsqlc.ListVisibleChatsByBotAndUserRow, error)
-	MarkBindCodeUsed(ctx context.Context, arg dbsqlc.MarkBindCodeUsedParams) (dbsqlc.ChannelIdentityBindCode, error)
+	MarkBindCodeUsed(ctx context.Context, arg dbsqlc.MarkBindCodeUsedParams) (dbsqlc.IamChannelIdentityBindCode, error)
 	MarkMessagesCompacted(ctx context.Context, arg dbsqlc.MarkMessagesCompactedParams) error
 	NextVersion(ctx context.Context, containerID string) (int32, error)
 	RejectToolApprovalRequest(ctx context.Context, arg dbsqlc.RejectToolApprovalRequestParams) (dbsqlc.ToolApprovalRequest, error)
 	RemoveChatParticipant(ctx context.Context, arg dbsqlc.RemoveChatParticipantParams) error
+	ReplaceSSOGroupMemberships(ctx context.Context, arg dbsqlc.ReplaceSSOGroupMembershipsParams) error
+	RevokeIAMSession(ctx context.Context, id pgtype.UUID) error
 	SaveMatrixSyncSinceToken(ctx context.Context, arg dbsqlc.SaveMatrixSyncSinceTokenParams) (int64, error)
-	SearchAccounts(ctx context.Context, arg dbsqlc.SearchAccountsParams) ([]dbsqlc.User, error)
+	SearchAccounts(ctx context.Context, arg dbsqlc.SearchAccountsParams) ([]dbsqlc.IamUser, error)
 	SearchChannelIdentities(ctx context.Context, arg dbsqlc.SearchChannelIdentitiesParams) ([]dbsqlc.SearchChannelIdentitiesRow, error)
 	SearchMessages(ctx context.Context, arg dbsqlc.SearchMessagesParams) ([]dbsqlc.SearchMessagesRow, error)
 	SetBotACLDefaultEffect(ctx context.Context, arg dbsqlc.SetBotACLDefaultEffectParams) error
-	SetChannelIdentityLinkedUser(ctx context.Context, arg dbsqlc.SetChannelIdentityLinkedUserParams) (dbsqlc.ChannelIdentity, error)
+	SetChannelIdentityLinkedUser(ctx context.Context, arg dbsqlc.SetChannelIdentityLinkedUserParams) (dbsqlc.IamChannelIdentity, error)
 	SetRouteActiveSession(ctx context.Context, arg dbsqlc.SetRouteActiveSessionParams) error
 	SoftDeleteSession(ctx context.Context, id pgtype.UUID) error
 	SoftDeleteSessionsByBot(ctx context.Context, botID pgtype.UUID) error
 	TouchChat(ctx context.Context, chatID pgtype.UUID) error
 	TouchSession(ctx context.Context, id pgtype.UUID) error
-	UpdateAccountAdmin(ctx context.Context, arg dbsqlc.UpdateAccountAdminParams) (dbsqlc.User, error)
-	UpdateAccountLastLogin(ctx context.Context, id pgtype.UUID) (dbsqlc.User, error)
-	UpdateAccountPassword(ctx context.Context, arg dbsqlc.UpdateAccountPasswordParams) (dbsqlc.User, error)
-	UpdateAccountProfile(ctx context.Context, arg dbsqlc.UpdateAccountProfileParams) (dbsqlc.User, error)
+	UpdateAccountAdmin(ctx context.Context, arg dbsqlc.UpdateAccountAdminParams) (dbsqlc.IamUser, error)
+	UpdateAccountLastLogin(ctx context.Context, id pgtype.UUID) (dbsqlc.IamUser, error)
+	UpdateAccountPassword(ctx context.Context, arg dbsqlc.UpdateAccountPasswordParams) (dbsqlc.IamUser, error)
+	UpdateAccountProfile(ctx context.Context, arg dbsqlc.UpdateAccountProfileParams) (dbsqlc.IamUser, error)
 	UpdateBotACLRule(ctx context.Context, arg dbsqlc.UpdateBotACLRuleParams) (dbsqlc.UpdateBotACLRuleRow, error)
 	UpdateBotACLRulePriority(ctx context.Context, arg dbsqlc.UpdateBotACLRulePriorityParams) error
 	UpdateBotChannelConfigDisabled(ctx context.Context, arg dbsqlc.UpdateBotChannelConfigDisabledParams) (dbsqlc.BotChannelConfig, error)
@@ -273,6 +301,7 @@ type Queries interface {
 	UpdateEmailOutboxFailed(ctx context.Context, arg dbsqlc.UpdateEmailOutboxFailedParams) error
 	UpdateEmailOutboxSent(ctx context.Context, arg dbsqlc.UpdateEmailOutboxSentParams) error
 	UpdateEmailProvider(ctx context.Context, arg dbsqlc.UpdateEmailProviderParams) (dbsqlc.EmailProvider, error)
+	UpdateIdentityLastLogin(ctx context.Context, id pgtype.UUID) error
 	UpdateMCPConnection(ctx context.Context, arg dbsqlc.UpdateMCPConnectionParams) (dbsqlc.McpConnection, error)
 	UpdateMCPConnectionAuthType(ctx context.Context, arg dbsqlc.UpdateMCPConnectionAuthTypeParams) error
 	UpdateMCPConnectionProbeResult(ctx context.Context, arg dbsqlc.UpdateMCPConnectionProbeResultParams) error
@@ -289,11 +318,14 @@ type Queries interface {
 	UpdateSessionTitle(ctx context.Context, arg dbsqlc.UpdateSessionTitleParams) (dbsqlc.BotSession, error)
 	UpdateToolApprovalPromptMessage(ctx context.Context, arg dbsqlc.UpdateToolApprovalPromptMessageParams) (dbsqlc.ToolApprovalRequest, error)
 	UpdateUserProviderOAuthState(ctx context.Context, arg dbsqlc.UpdateUserProviderOAuthStateParams) error
-	UpsertAccountByUsername(ctx context.Context, arg dbsqlc.UpsertAccountByUsernameParams) (dbsqlc.User, error)
+	UpsertExternalIdentity(ctx context.Context, arg dbsqlc.UpsertExternalIdentityParams) (dbsqlc.IamIdentity, error)
+	UpsertIAMGroup(ctx context.Context, arg dbsqlc.UpsertIAMGroupParams) (dbsqlc.IamGroup, error)
+	UpsertIAMGroupMember(ctx context.Context, arg dbsqlc.UpsertIAMGroupMemberParams) (dbsqlc.IamGroupMember, error)
+	UpsertAccountByUsername(ctx context.Context, arg dbsqlc.UpsertAccountByUsernameParams) (dbsqlc.IamUser, error)
 	UpsertBotChannelConfig(ctx context.Context, arg dbsqlc.UpsertBotChannelConfigParams) (dbsqlc.BotChannelConfig, error)
 	UpsertBotSettings(ctx context.Context, arg dbsqlc.UpsertBotSettingsParams) (dbsqlc.UpsertBotSettingsRow, error)
 	UpsertBotStorageBinding(ctx context.Context, arg dbsqlc.UpsertBotStorageBindingParams) (dbsqlc.BotStorageBinding, error)
-	UpsertChannelIdentityByChannelSubject(ctx context.Context, arg dbsqlc.UpsertChannelIdentityByChannelSubjectParams) (dbsqlc.ChannelIdentity, error)
+	UpsertChannelIdentityByChannelSubject(ctx context.Context, arg dbsqlc.UpsertChannelIdentityByChannelSubjectParams) (dbsqlc.IamChannelIdentity, error)
 	UpsertChatSettings(ctx context.Context, arg dbsqlc.UpsertChatSettingsParams) (dbsqlc.UpsertChatSettingsRow, error)
 	UpsertContainer(ctx context.Context, arg dbsqlc.UpsertContainerParams) error
 	UpsertEmailOAuthToken(ctx context.Context, arg dbsqlc.UpsertEmailOAuthTokenParams) (dbsqlc.EmailOauthToken, error)
@@ -303,7 +335,10 @@ type Queries interface {
 	UpsertRegistryModel(ctx context.Context, arg dbsqlc.UpsertRegistryModelParams) (dbsqlc.Model, error)
 	UpsertRegistryProvider(ctx context.Context, arg dbsqlc.UpsertRegistryProviderParams) (dbsqlc.Provider, error)
 	UpsertSnapshot(ctx context.Context, arg dbsqlc.UpsertSnapshotParams) (dbsqlc.Snapshot, error)
-	UpsertUserChannelBinding(ctx context.Context, arg dbsqlc.UpsertUserChannelBindingParams) (dbsqlc.UserChannelBinding, error)
-	UpsertUserProviderOAuthToken(ctx context.Context, arg dbsqlc.UpsertUserProviderOAuthTokenParams) (dbsqlc.UserProviderOauthToken, error)
+	UpsertSSOGroupMapping(ctx context.Context, arg dbsqlc.UpsertSSOGroupMappingParams) (dbsqlc.IamSsoGroupMapping, error)
+	UpsertSSOProvider(ctx context.Context, arg dbsqlc.UpsertSSOProviderParams) (dbsqlc.IamSsoProvider, error)
+	UpsertUserChannelBinding(ctx context.Context, arg dbsqlc.UpsertUserChannelBindingParams) (dbsqlc.IamUserChannelBinding, error)
+	UpsertUserProviderOAuthToken(ctx context.Context, arg dbsqlc.UpsertUserProviderOAuthTokenParams) (dbsqlc.IamUserProviderOauthToken, error)
+	UseIAMLoginCode(ctx context.Context, codeHash string) (dbsqlc.IamLoginCode, error)
 	WithTx(tx pgx.Tx) Queries
 }
diff --git a/internal/handlers/auth.go b/internal/handlers/auth.go
index cd080f1c2..04fec3397 100644
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -1,25 +1,68 @@
 package handlers
 
 import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
 	"errors"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 
 	"github.com/labstack/echo/v4"
 
 	"github.com/memohai/memoh/internal/accounts"
-	"github.com/memohai/memoh/internal/auth"
+	iamaccounts "github.com/memohai/memoh/internal/iam/accounts"
+	iamauth "github.com/memohai/memoh/internal/iam/auth"
+	"github.com/memohai/memoh/internal/iam/sso"
 )
 
 type AuthHandler struct {
-	accountService *accounts.Service
+	accountService AuthAccountService
+	sessionStore   AuthSessionStore
+	ssoService     AuthSSOService
 	jwtSecret      string
 	expiresIn      time.Duration
 	logger         *slog.Logger
 }
 
+type AuthAccountService interface {
+	Login(ctx context.Context, identity string, password string) (accounts.Account, error)
+}
+
+type AuthSessionStore interface {
+	CreateSession(ctx context.Context, input AuthSessionInput) (AuthSession, error)
+	ValidateSession(ctx context.Context, userID string, sessionID string) error
+	RevokeSession(ctx context.Context, sessionID string) error
+}
+
+type AuthSessionInput struct {
+	UserID     string
+	IdentityID string
+	ExpiresAt  time.Time
+	IPAddress  string
+	UserAgent  string
+}
+
+type AuthSession struct {
+	ID        string
+	UserID    string
+	ExpiresAt time.Time
+}
+
+type AuthSSOService interface {
+	ListEnabledProviders(ctx context.Context) ([]sso.Provider, error)
+	GetProvider(ctx context.Context, providerID string) (sso.Provider, error)
+	BuildOIDCAuthRedirect(ctx context.Context, provider sso.Provider, state string, nonce string, codeVerifier string) (sso.OIDCAuthRedirect, error)
+	CompleteOIDCCallback(ctx context.Context, provider sso.Provider, code string, state sso.OIDCState) (sso.LoginCode, error)
+	BuildSAMLAuthRedirect(ctx context.Context, provider sso.Provider) (sso.SAMLAuthRedirect, error)
+	CompleteSAMLACS(ctx context.Context, provider sso.Provider, r *http.Request, state sso.SAMLState) (sso.LoginCode, error)
+	BuildSAMLMetadata(ctx context.Context, provider sso.Provider) (string, error)
+	ExchangeLoginCode(ctx context.Context, code string) (sso.LoginCode, error)
+}
+
 type LoginRequest struct {
 	Username string `json:"username"`
 	Password string `json:"password"` //nolint:gosec // intentional: JSON request field carrying a user-supplied credential
@@ -30,13 +73,16 @@ type LoginResponse struct {
 	TokenType   string `json:"token_type"`
 	ExpiresAt   string `json:"expires_at"`
 	UserID      string `json:"user_id"`
-	Role        string `json:"role"`
+	SessionID   string `json:"session_id"`
 	DisplayName string `json:"display_name"`
 	Username    string `json:"username"`
 	Timezone    string `json:"timezone,omitempty"`
 }
 
-func NewAuthHandler(log *slog.Logger, accountService *accounts.Service, jwtSecret string, expiresIn time.Duration) *AuthHandler {
+func NewAuthHandler(log *slog.Logger, accountService AuthAccountService, jwtSecret string, expiresIn time.Duration) *AuthHandler {
+	if log == nil {
+		log = slog.Default()
+	}
 	return &AuthHandler{
 		accountService: accountService,
 		jwtSecret:      jwtSecret,
@@ -45,9 +91,52 @@ func NewAuthHandler(log *slog.Logger, accountService *accounts.Service, jwtSecre
 	}
 }
 
+type IAMAccountServiceAdapter struct {
+	service *iamaccounts.Service
+}
+
+func NewIAMAccountServiceAdapter(service *iamaccounts.Service) *IAMAccountServiceAdapter {
+	return &IAMAccountServiceAdapter{service: service}
+}
+
+func (a *IAMAccountServiceAdapter) Login(ctx context.Context, identity string, password string) (accounts.Account, error) {
+	account, err := a.service.Login(ctx, identity, password)
+	if err != nil {
+		return accounts.Account{}, err
+	}
+	return accounts.Account{
+		ID:          account.ID,
+		Username:    account.Username,
+		Email:       account.Email,
+		DisplayName: account.DisplayName,
+		AvatarURL:   account.AvatarURL,
+		Timezone:    account.Timezone,
+		IsActive:    account.IsActive,
+		CreatedAt:   account.CreatedAt,
+		UpdatedAt:   account.UpdatedAt,
+		LastLoginAt: account.LastLoginAt,
+	}, nil
+}
+
+func (h *AuthHandler) SetSessionStore(store AuthSessionStore) {
+	h.sessionStore = store
+}
+
+func (h *AuthHandler) SetSSOService(service AuthSSOService) {
+	h.ssoService = service
+}
+
 func (h *AuthHandler) Register(e *echo.Echo) {
 	e.POST("/auth/login", h.Login)
+	e.POST("/auth/logout", h.Logout)
 	e.POST("/auth/refresh", h.Refresh)
+	e.GET("/auth/sso/providers", h.ListSSOProviders)
+	e.GET("/auth/sso/:provider_id/start", h.StartOIDC)
+	e.GET("/auth/sso/:provider_id/callback", h.OIDCCallback)
+	e.GET("/auth/sso/:provider_id/saml/start", h.StartSAML)
+	e.POST("/auth/sso/:provider_id/saml/acs", h.SAMLACS)
+	e.GET("/auth/sso/:provider_id/saml/metadata", h.SAMLMetadata)
+	e.POST("/auth/sso/exchange", h.ExchangeSSOCode)
 }
 
 // Login godoc
@@ -70,6 +159,9 @@ func (h *AuthHandler) Login(c echo.Context) error {
 	if h.expiresIn <= 0 {
 		return echo.NewHTTPError(http.StatusInternalServerError, "jwt expiry not configured")
 	}
+	if h.sessionStore == nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "session store not configured")
+	}
 
 	var req LoginRequest
 	if err := c.Bind(&req); err != nil {
@@ -82,15 +174,24 @@ func (h *AuthHandler) Login(c echo.Context) error {
 
 	account, err := h.accountService.Login(c.Request().Context(), req.Username, req.Password)
 	if err != nil {
-		if errors.Is(err, accounts.ErrInvalidCredentials) {
+		if isInvalidCredentials(err) {
 			return echo.NewHTTPError(http.StatusUnauthorized, "invalid credentials")
 		}
-		if errors.Is(err, accounts.ErrInactiveAccount) {
+		if isInactiveAccount(err) {
 			return echo.NewHTTPError(http.StatusUnauthorized, "user is inactive")
 		}
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
-	token, expiresAt, err := auth.GenerateToken(account.ID, h.jwtSecret, h.expiresIn)
+	session, err := h.sessionStore.CreateSession(c.Request().Context(), AuthSessionInput{
+		UserID:    account.ID,
+		ExpiresAt: time.Now().UTC().Add(h.expiresIn),
+		IPAddress: c.RealIP(),
+		UserAgent: c.Request().UserAgent(),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	token, expiresAt, err := iamauth.GenerateToken(account.ID, session.ID, h.jwtSecret, h.expiresIn)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
@@ -100,22 +201,50 @@ func (h *AuthHandler) Login(c echo.Context) error {
 		TokenType:   "Bearer",
 		ExpiresAt:   expiresAt.Format(time.RFC3339),
 		UserID:      account.ID,
+		SessionID:   session.ID,
 		Username:    account.Username,
-		Role:        account.Role,
 		DisplayName: account.DisplayName,
 		Timezone:    account.Timezone,
 	})
 }
 
+func isInvalidCredentials(err error) bool {
+	return errors.Is(err, accounts.ErrInvalidCredentials) || errors.Is(err, iamaccounts.ErrInvalidCredentials)
+}
+
+func isInactiveAccount(err error) bool {
+	return errors.Is(err, accounts.ErrInactiveAccount) || errors.Is(err, iamaccounts.ErrInactiveAccount)
+}
+
 type RefreshResponse struct {
 	AccessToken string `json:"access_token"` //nolint:gosec // intentional: JWT is the purpose of this response field
 	TokenType   string `json:"token_type"`
 	ExpiresAt   string `json:"expires_at"`
 }
 
+type ExchangeSSOCodeRequest struct {
+	Code string `json:"code"`
+}
+
+type SSOProviderResponse struct {
+	ID      string           `json:"id"`
+	Type    sso.ProviderType `json:"type"`
+	Key     string           `json:"key"`
+	Name    string           `json:"name"`
+	Enabled bool             `json:"enabled"`
+}
+
+type ListSSOProvidersResponse struct {
+	Items []SSOProviderResponse `json:"items"`
+}
+
+type OIDCStartResponse struct {
+	RedirectURL string `json:"redirect_url"`
+}
+
 // Refresh godoc
 // @Summary Refresh Token
-// @Description Issue a new JWT using the existing claims with updated expiration
+// @Description Issue a new JWT after validating the active IAM session
 // @Tags auth
 // @Security BearerAuth
 // @Success 200 {object} RefreshResponse
@@ -126,11 +255,28 @@ func (h *AuthHandler) Refresh(c echo.Context) error {
 	if strings.TrimSpace(h.jwtSecret) == "" {
 		return echo.NewHTTPError(http.StatusInternalServerError, "jwt secret not configured")
 	}
+	if h.expiresIn <= 0 {
+		return echo.NewHTTPError(http.StatusInternalServerError, "jwt expiry not configured")
+	}
+	if h.sessionStore == nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "session store not configured")
+	}
 
-	token, expiresAt, err := auth.RefreshTokenFromContext(c, h.jwtSecret, h.expiresIn)
+	userID, err := iamauth.UserIDFromContext(c)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, err.Error())
+	}
+	sessionID, err := iamauth.SessionIDFromContext(c)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusUnauthorized, err.Error())
 	}
+	if err := h.sessionStore.ValidateSession(c.Request().Context(), userID, sessionID); err != nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "invalid session")
+	}
+	token, expiresAt, err := iamauth.GenerateToken(userID, sessionID, h.jwtSecret, h.expiresIn)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
 
 	return c.JSON(http.StatusOK, RefreshResponse{
 		AccessToken: token,
@@ -138,3 +284,322 @@ func (h *AuthHandler) Refresh(c echo.Context) error {
 		ExpiresAt:   expiresAt.Format(time.RFC3339),
 	})
 }
+
+func (h *AuthHandler) Logout(c echo.Context) error {
+	if h.sessionStore == nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "session store not configured")
+	}
+	sessionID, err := iamauth.SessionIDFromContext(c)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, err.Error())
+	}
+	if err := h.sessionStore.RevokeSession(c.Request().Context(), sessionID); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	return c.NoContent(http.StatusNoContent)
+}
+
+// ListSSOProviders godoc
+// @Summary List SSO providers
+// @Description List enabled OIDC and SAML SSO providers available for login
+// @Tags auth
+// @Success 200 {object} ListSSOProvidersResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /auth/sso/providers [get].
+func (h *AuthHandler) ListSSOProviders(c echo.Context) error {
+	if h.ssoService == nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "sso service not configured")
+	}
+	providers, err := h.ssoService.ListEnabledProviders(c.Request().Context())
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	items := make([]SSOProviderResponse, 0, len(providers))
+	for _, provider := range providers {
+		if !provider.Enabled {
+			continue
+		}
+		items = append(items, SSOProviderResponse{
+			ID:      provider.ID,
+			Type:    provider.Type,
+			Key:     provider.Key,
+			Name:    provider.Name,
+			Enabled: provider.Enabled,
+		})
+	}
+	return c.JSON(http.StatusOK, ListSSOProvidersResponse{Items: items})
+}
+
+// StartOIDC godoc
+// @Summary Start OIDC login
+// @Description Build the provider authorization URL and set the transient OIDC state cookie
+// @Tags auth
+// @Param provider_id path string true "SSO provider ID or key"
+// @Success 200 {object} OIDCStartResponse
+// @Failure 400 {object} ErrorResponse
+// @Failure 404 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /auth/sso/{provider_id}/start [get].
+func (h *AuthHandler) StartOIDC(c echo.Context) error {
+	provider, err := h.ssoProvider(c)
+	if err != nil {
+		return err
+	}
+	if provider.Type != sso.ProviderTypeOIDC {
+		return echo.NewHTTPError(http.StatusBadRequest, "provider is not oidc")
+	}
+	state, err := randomURLToken(32)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	nonce, err := randomURLToken(32)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	codeVerifier, err := randomURLToken(64)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	redirect, err := h.ssoService.BuildOIDCAuthRedirect(c.Request().Context(), provider, state, nonce, codeVerifier)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	now := time.Now().UTC()
+	if err := sso.SetOIDCStateCookie(c.Response(), sso.OIDCState{
+		State:        state,
+		Nonce:        nonce,
+		CodeVerifier: codeVerifier,
+		CreatedAt:    now,
+	}, now); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	return c.JSON(http.StatusOK, OIDCStartResponse{RedirectURL: redirect.URL})
+}
+
+// OIDCCallback godoc
+// @Summary Complete OIDC login
+// @Description Exchange the provider code, create an IAM session, and redirect to the web login callback with a short-lived login code
+// @Tags auth
+// @Param provider_id path string true "SSO provider ID or key"
+// @Param code query string true "OIDC authorization code"
+// @Param state query string true "OIDC state"
+// @Success 302
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 404 {object} ErrorResponse
+// @Router /auth/sso/{provider_id}/callback [get].
+func (h *AuthHandler) OIDCCallback(c echo.Context) error {
+	provider, err := h.ssoProvider(c)
+	if err != nil {
+		return err
+	}
+	if provider.Type != sso.ProviderTypeOIDC {
+		return echo.NewHTTPError(http.StatusBadRequest, "provider is not oidc")
+	}
+	state, err := sso.ReadAndClearOIDCStateCookie(c.Response(), c.Request(), time.Now().UTC())
+	if err != nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "invalid oidc state")
+	}
+	if c.QueryParam("state") != state.State {
+		return echo.NewHTTPError(http.StatusUnauthorized, "invalid oidc state")
+	}
+	code := strings.TrimSpace(c.QueryParam("code"))
+	if code == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "code is required")
+	}
+	loginCode, err := h.ssoService.CompleteOIDCCallback(c.Request().Context(), provider, code, state)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, err.Error())
+	}
+	return h.redirectWithLoginCode(c, loginCode)
+}
+
+// StartSAML godoc
+// @Summary Start SAML login
+// @Description Create a SAML AuthnRequest, set the transient SAML state cookie, and redirect to the IdP
+// @Tags auth
+// @Param provider_id path string true "SSO provider ID or key"
+// @Success 302
+// @Failure 400 {object} ErrorResponse
+// @Failure 404 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /auth/sso/{provider_id}/saml/start [get].
+func (h *AuthHandler) StartSAML(c echo.Context) error {
+	provider, err := h.ssoProvider(c)
+	if err != nil {
+		return err
+	}
+	if provider.Type != sso.ProviderTypeSAML {
+		return echo.NewHTTPError(http.StatusBadRequest, "provider is not saml")
+	}
+	redirect, err := h.ssoService.BuildSAMLAuthRedirect(c.Request().Context(), provider)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	now := time.Now().UTC()
+	if err := sso.SetSAMLStateCookie(c.Response(), sso.SAMLState{
+		RelayState: redirect.RelayState,
+		RequestID:  redirect.RequestID,
+		CreatedAt:  now,
+	}, now); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	return c.Redirect(http.StatusFound, redirect.URL)
+}
+
+// SAMLACS godoc
+// @Summary Complete SAML login
+// @Description Validate the SAML response, create an IAM session, and redirect to the web login callback with a short-lived login code
+// @Tags auth
+// @Param provider_id path string true "SSO provider ID or key"
+// @Success 302
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 404 {object} ErrorResponse
+// @Router /auth/sso/{provider_id}/saml/acs [post].
+func (h *AuthHandler) SAMLACS(c echo.Context) error {
+	provider, err := h.ssoProvider(c)
+	if err != nil {
+		return err
+	}
+	if provider.Type != sso.ProviderTypeSAML {
+		return echo.NewHTTPError(http.StatusBadRequest, "provider is not saml")
+	}
+	state, err := sso.ReadAndClearSAMLStateCookie(c.Response(), c.Request(), time.Now().UTC())
+	if err != nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "invalid saml state")
+	}
+	loginCode, err := h.ssoService.CompleteSAMLACS(c.Request().Context(), provider, c.Request(), state)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, err.Error())
+	}
+	return h.redirectWithLoginCode(c, loginCode)
+}
+
+// SAMLMetadata godoc
+// @Summary Get SAML SP metadata
+// @Description Return the SAML service provider metadata XML for an SSO provider
+// @Tags auth
+// @Param provider_id path string true "SSO provider ID or key"
+// @Success 200 {string} string
+// @Failure 400 {object} ErrorResponse
+// @Failure 404 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /auth/sso/{provider_id}/saml/metadata [get].
+func (h *AuthHandler) SAMLMetadata(c echo.Context) error {
+	provider, err := h.ssoProvider(c)
+	if err != nil {
+		return err
+	}
+	if provider.Type != sso.ProviderTypeSAML {
+		return echo.NewHTTPError(http.StatusBadRequest, "provider is not saml")
+	}
+	metadata, err := h.ssoService.BuildSAMLMetadata(c.Request().Context(), provider)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	return c.Blob(http.StatusOK, "application/samlmetadata+xml", []byte(metadata))
+}
+
+// ExchangeSSOCode godoc
+// @Summary Exchange SSO login code
+// @Description Exchange a one-time SSO login code for a session JWT
+// @Tags auth
+// @Param payload body ExchangeSSOCodeRequest true "SSO exchange request"
+// @Success 200 {object} LoginResponse
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /auth/sso/exchange [post].
+func (h *AuthHandler) ExchangeSSOCode(c echo.Context) error {
+	if strings.TrimSpace(h.jwtSecret) == "" {
+		return echo.NewHTTPError(http.StatusInternalServerError, "jwt secret not configured")
+	}
+	if h.expiresIn <= 0 {
+		return echo.NewHTTPError(http.StatusInternalServerError, "jwt expiry not configured")
+	}
+	if h.ssoService == nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "sso service not configured")
+	}
+	var req ExchangeSSOCodeRequest
+	if err := c.Bind(&req); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	code := strings.TrimSpace(req.Code)
+	if code == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "code is required")
+	}
+	loginCode, err := h.ssoService.ExchangeLoginCode(c.Request().Context(), code)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, err.Error())
+	}
+	return h.issueLoginCodeToken(c, loginCode)
+}
+
+func (h *AuthHandler) ssoProvider(c echo.Context) (sso.Provider, error) {
+	if h.ssoService == nil {
+		return sso.Provider{}, echo.NewHTTPError(http.StatusInternalServerError, "sso service not configured")
+	}
+	providerID := strings.TrimSpace(c.Param("provider_id"))
+	if providerID == "" {
+		return sso.Provider{}, echo.NewHTTPError(http.StatusBadRequest, "provider_id is required")
+	}
+	provider, err := h.ssoService.GetProvider(c.Request().Context(), providerID)
+	if err != nil {
+		return sso.Provider{}, echo.NewHTTPError(http.StatusNotFound, "sso provider not found")
+	}
+	if !provider.Enabled {
+		return sso.Provider{}, echo.NewHTTPError(http.StatusNotFound, "sso provider not found")
+	}
+	return provider, nil
+}
+
+func (*AuthHandler) redirectWithLoginCode(c echo.Context, loginCode sso.LoginCode) error {
+	if strings.TrimSpace(loginCode.Code) == "" {
+		return echo.NewHTTPError(http.StatusInternalServerError, "sso login code missing")
+	}
+	target := strings.TrimSpace(loginCode.RedirectURL)
+	if target == "" {
+		target = "/login/sso/callback"
+	}
+	parsed, err := url.Parse(target)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	values := parsed.Query()
+	values.Set("code", loginCode.Code)
+	parsed.RawQuery = values.Encode()
+	return c.Redirect(http.StatusFound, parsed.String())
+}
+
+func (h *AuthHandler) issueLoginCodeToken(c echo.Context, loginCode sso.LoginCode) error {
+	userID := strings.TrimSpace(loginCode.UserID)
+	sessionID := strings.TrimSpace(loginCode.SessionID)
+	if userID == "" || sessionID == "" {
+		return echo.NewHTTPError(http.StatusUnauthorized, "invalid login code")
+	}
+	if h.sessionStore != nil {
+		if err := h.sessionStore.ValidateSession(c.Request().Context(), userID, sessionID); err != nil {
+			return echo.NewHTTPError(http.StatusUnauthorized, "invalid session")
+		}
+	}
+	token, expiresAt, err := iamauth.GenerateToken(userID, sessionID, h.jwtSecret, h.expiresIn)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	return c.JSON(http.StatusOK, LoginResponse{
+		AccessToken: token,
+		TokenType:   "Bearer",
+		ExpiresAt:   expiresAt.Format(time.RFC3339),
+		UserID:      userID,
+		SessionID:   sessionID,
+	})
+}
+
+func randomURLToken(size int) (string, error) {
+	buf := make([]byte, size)
+	if _, err := rand.Read(buf); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(buf), nil
+}
diff --git a/internal/handlers/auth_session_store.go b/internal/handlers/auth_session_store.go
new file mode 100644
index 000000000..e22002191
--- /dev/null
+++ b/internal/handlers/auth_session_store.go
@@ -0,0 +1,81 @@
+package handlers
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"github.com/memohai/memoh/internal/db"
+	"github.com/memohai/memoh/internal/db/postgres/sqlc"
+	dbstore "github.com/memohai/memoh/internal/db/store"
+)
+
+type DBAuthSessionStore struct {
+	queries dbstore.Queries
+}
+
+func NewDBAuthSessionStore(queries dbstore.Queries) *DBAuthSessionStore {
+	return &DBAuthSessionStore{queries: queries}
+}
+
+func (s *DBAuthSessionStore) CreateSession(ctx context.Context, input AuthSessionInput) (AuthSession, error) {
+	userID, err := db.ParseUUID(input.UserID)
+	if err != nil {
+		return AuthSession{}, err
+	}
+	var identityID pgtype.UUID
+	if input.IdentityID != "" {
+		identityID, err = db.ParseUUID(input.IdentityID)
+		if err != nil {
+			return AuthSession{}, err
+		}
+	}
+	row, err := s.queries.CreateIAMSession(ctx, sqlc.CreateIAMSessionParams{
+		UserID:     userID,
+		IdentityID: identityID,
+		ExpiresAt:  pgtype.Timestamptz{Time: input.ExpiresAt.UTC(), Valid: true},
+		IpAddress:  pgtype.Text{String: input.IPAddress, Valid: input.IPAddress != ""},
+		UserAgent:  pgtype.Text{String: input.UserAgent, Valid: input.UserAgent != ""},
+		Metadata:   []byte("{}"),
+	})
+	if err != nil {
+		return AuthSession{}, err
+	}
+	return AuthSession{
+		ID:        row.ID.String(),
+		UserID:    row.UserID.String(),
+		ExpiresAt: row.ExpiresAt.Time,
+	}, nil
+}
+
+func (s *DBAuthSessionStore) ValidateSession(ctx context.Context, userID string, sessionID string) error {
+	pgSessionID, err := db.ParseUUID(sessionID)
+	if err != nil {
+		return err
+	}
+	row, err := s.queries.GetIAMSessionByID(ctx, pgSessionID)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) || errors.Is(err, db.ErrNotFound) {
+			return db.ErrNotFound
+		}
+		return err
+	}
+	if row.UserID.String() != userID {
+		return db.ErrNotFound
+	}
+	if !row.UserIsActive || row.RevokedAt.Valid || !row.ExpiresAt.Valid || !row.ExpiresAt.Time.After(time.Now().UTC()) {
+		return db.ErrNotFound
+	}
+	return nil
+}
+
+func (s *DBAuthSessionStore) RevokeSession(ctx context.Context, sessionID string) error {
+	pgSessionID, err := db.ParseUUID(sessionID)
+	if err != nil {
+		return err
+	}
+	return s.queries.RevokeIAMSession(ctx, pgSessionID)
+}
diff --git a/internal/handlers/auth_test.go b/internal/handlers/auth_test.go
new file mode 100644
index 000000000..f38798aef
--- /dev/null
+++ b/internal/handlers/auth_test.go
@@ -0,0 +1,357 @@
+package handlers
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"log/slog"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/labstack/echo/v4"
+	"golang.org/x/crypto/bcrypt"
+
+	"github.com/memohai/memoh/internal/iam/accounts"
+	iamauth "github.com/memohai/memoh/internal/iam/auth"
+	"github.com/memohai/memoh/internal/iam/sso"
+)
+
+func TestPasswordLoginReturnsSessionTokenWithoutRole(t *testing.T) {
+	handler, sessionStore, _ := newTestAuthHandler(t)
+	e := echo.New()
+	handler.Register(e)
+
+	req := httptest.NewRequest(http.MethodPost, "/auth/login", strings.NewReader(`{"username":"alice","password":"secret"}`))
+	req.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d body = %s", rec.Code, rec.Body.String())
+	}
+	var raw map[string]any
+	if err := json.Unmarshal(rec.Body.Bytes(), &raw); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if _, ok := raw["role"]; ok {
+		t.Fatalf("login response contains role: %v", raw)
+	}
+	if raw["session_id"] != "session-1" {
+		t.Fatalf("session_id = %v, want session-1", raw["session_id"])
+	}
+	if sessionStore.created.UserID != "user-1" {
+		t.Fatalf("created session user = %q, want user-1", sessionStore.created.UserID)
+	}
+
+	claims := parseTokenClaims(t, raw["access_token"].(string))
+	if claims["user_id"] != "user-1" || claims["sub"] != "user-1" {
+		t.Fatalf("user claims = %v", claims)
+	}
+	if claims["session_id"] != "session-1" {
+		t.Fatalf("session_id claim = %v, want session-1", claims["session_id"])
+	}
+	if _, ok := claims["iat"]; !ok {
+		t.Fatalf("iat claim missing: %v", claims)
+	}
+	if _, ok := claims["exp"]; !ok {
+		t.Fatalf("exp claim missing: %v", claims)
+	}
+}
+
+func TestRefreshValidatesSessionAndLogoutRevokesSession(t *testing.T) {
+	handler, sessionStore, _ := newTestAuthHandler(t)
+	token, _, err := iamauth.GenerateToken("user-1", "session-1", "test-secret", time.Hour)
+	if err != nil {
+		t.Fatalf("GenerateToken: %v", err)
+	}
+	e := echo.New()
+	e.Use(iamauth.JWTMiddleware("test-secret", func(c echo.Context) bool {
+		return c.Path() == "/auth/login"
+	}))
+	handler.Register(e)
+
+	req := httptest.NewRequest(http.MethodPost, "/auth/refresh", nil)
+	req.Header.Set(echo.HeaderAuthorization, "Bearer "+token)
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("refresh status = %d body = %s", rec.Code, rec.Body.String())
+	}
+	if sessionStore.validatedUserID != "user-1" || sessionStore.validatedSessionID != "session-1" {
+		t.Fatalf("validated = (%q, %q)", sessionStore.validatedUserID, sessionStore.validatedSessionID)
+	}
+
+	req = httptest.NewRequest(http.MethodPost, "/auth/logout", nil)
+	req.Header.Set(echo.HeaderAuthorization, "Bearer "+token)
+	rec = httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusNoContent {
+		t.Fatalf("logout status = %d body = %s", rec.Code, rec.Body.String())
+	}
+	if sessionStore.revokedSessionID != "session-1" {
+		t.Fatalf("revoked session = %q, want session-1", sessionStore.revokedSessionID)
+	}
+}
+
+func TestSSOCallbackRedirectsWithLoginCodeOnlyAndExchangeReturnsToken(t *testing.T) {
+	handler, _, ssoService := newTestAuthHandler(t)
+	e := echo.New()
+	handler.Register(e)
+
+	startReq := httptest.NewRequest(http.MethodGet, "/auth/sso/google/start", nil)
+	startRec := httptest.NewRecorder()
+	e.ServeHTTP(startRec, startReq)
+	if startRec.Code != http.StatusOK {
+		t.Fatalf("start status = %d body = %s", startRec.Code, startRec.Body.String())
+	}
+	stateCookie := firstCookie(startRec.Result().Cookies(), sso.OIDCStateCookieName)
+	if stateCookie == nil {
+		t.Fatalf("oidc state cookie missing")
+	}
+
+	callbackReq := httptest.NewRequest(http.MethodGet, "/auth/sso/google/callback?code=idp-code&state="+ssoService.startedState, nil)
+	callbackReq.AddCookie(stateCookie)
+	callbackRec := httptest.NewRecorder()
+	e.ServeHTTP(callbackRec, callbackReq)
+	if callbackRec.Code != http.StatusFound {
+		t.Fatalf("callback status = %d body = %s", callbackRec.Code, callbackRec.Body.String())
+	}
+	location := callbackRec.Header().Get(echo.HeaderLocation)
+	if !strings.Contains(location, "code=sso-code") {
+		t.Fatalf("callback location = %q, want login code", location)
+	}
+	if strings.Contains(location, "access_token") || strings.Contains(location, "token=") {
+		t.Fatalf("callback leaked token in url: %q", location)
+	}
+
+	exchangeReq := httptest.NewRequest(http.MethodPost, "/auth/sso/exchange", strings.NewReader(`{"code":"sso-code"}`))
+	exchangeReq.Header.Set(echo.HeaderContentType, echo.MIMEApplicationJSON)
+	exchangeRec := httptest.NewRecorder()
+	e.ServeHTTP(exchangeRec, exchangeReq)
+	if exchangeRec.Code != http.StatusOK {
+		t.Fatalf("exchange status = %d body = %s", exchangeRec.Code, exchangeRec.Body.String())
+	}
+	var raw map[string]any
+	if err := json.Unmarshal(exchangeRec.Body.Bytes(), &raw); err != nil {
+		t.Fatalf("decode exchange: %v", err)
+	}
+	if _, ok := raw["role"]; ok {
+		t.Fatalf("exchange response contains role: %v", raw)
+	}
+	if raw["access_token"] == "" || raw["session_id"] != "session-1" {
+		t.Fatalf("exchange response = %v", raw)
+	}
+	parseTokenClaims(t, raw["access_token"].(string))
+}
+
+func newTestAuthHandler(t *testing.T) (*AuthHandler, *fakeAuthSessionStore, *fakeAuthSSOService) {
+	t.Helper()
+	accountStore := newFakeAccountStore(t)
+	sessionStore := &fakeAuthSessionStore{}
+	ssoService := &fakeAuthSSOService{}
+	handler := NewAuthHandler(slog.New(slog.DiscardHandler), NewIAMAccountServiceAdapter(accounts.NewService(slog.Default(), accountStore)), "test-secret", time.Hour)
+	handler.SetSessionStore(sessionStore)
+	handler.SetSSOService(ssoService)
+	return handler, sessionStore, ssoService
+}
+
+func parseTokenClaims(t *testing.T, tokenString string) jwt.MapClaims {
+	t.Helper()
+	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (any, error) {
+		if token.Method != jwt.SigningMethodHS256 {
+			return nil, errors.New("unexpected signing method")
+		}
+		return []byte("test-secret"), nil
+	})
+	if err != nil {
+		t.Fatalf("parse token: %v", err)
+	}
+	if !token.Valid {
+		t.Fatalf("token invalid")
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		t.Fatalf("claims type = %T", token.Claims)
+	}
+	return claims
+}
+
+func firstCookie(cookies []*http.Cookie, name string) *http.Cookie {
+	for _, cookie := range cookies {
+		if cookie.Name == name {
+			return cookie
+		}
+	}
+	return nil
+}
+
+type fakeAccountStore struct {
+	account  accounts.Account
+	identity accounts.PasswordIdentity
+}
+
+func newFakeAccountStore(t *testing.T) *fakeAccountStore {
+	t.Helper()
+	hash, err := bcrypt.GenerateFromPassword([]byte("secret"), bcrypt.MinCost)
+	if err != nil {
+		t.Fatalf("bcrypt: %v", err)
+	}
+	return &fakeAccountStore{
+		account: accounts.Account{
+			ID:          "user-1",
+			Username:    "alice",
+			DisplayName: "Alice",
+			IsActive:    true,
+		},
+		identity: accounts.PasswordIdentity{
+			ID:               "identity-1",
+			UserID:           "user-1",
+			Subject:          "alice",
+			Username:         "alice",
+			CredentialSecret: string(hash),
+		},
+	}
+}
+
+func (s *fakeAccountStore) Get(_ context.Context, userID string) (accounts.Account, error) {
+	if userID == s.account.ID {
+		return s.account, nil
+	}
+	return accounts.Account{}, accounts.ErrNotFound
+}
+
+func (s *fakeAccountStore) GetPasswordIdentityBySubject(_ context.Context, subject string) (accounts.PasswordIdentity, error) {
+	if subject == s.identity.Subject {
+		return s.identity, nil
+	}
+	return accounts.PasswordIdentity{}, accounts.ErrNotFound
+}
+
+func (*fakeAccountStore) GetPasswordIdentityByEmail(_ context.Context, _ string) (accounts.PasswordIdentity, error) {
+	return accounts.PasswordIdentity{}, accounts.ErrNotFound
+}
+
+func (s *fakeAccountStore) GetPasswordIdentityByUserID(_ context.Context, userID string) (accounts.PasswordIdentity, error) {
+	if userID == s.identity.UserID {
+		return s.identity, nil
+	}
+	return accounts.PasswordIdentity{}, accounts.ErrNotFound
+}
+
+func (s *fakeAccountStore) ListAccounts(context.Context) ([]accounts.Account, error) {
+	return []accounts.Account{s.account}, nil
+}
+
+func (s *fakeAccountStore) SearchAccounts(context.Context, string, int) ([]accounts.Account, error) {
+	return []accounts.Account{s.account}, nil
+}
+
+func (s *fakeAccountStore) UpsertAccount(context.Context, accounts.UpsertAccountInput) (accounts.Account, error) {
+	return s.account, nil
+}
+
+func (s *fakeAccountStore) CreateHuman(context.Context, accounts.CreateHumanInput) (accounts.Account, error) {
+	return s.account, nil
+}
+
+func (s *fakeAccountStore) UpsertPasswordIdentity(context.Context, accounts.UpsertPasswordIdentityInput) (accounts.PasswordIdentity, error) {
+	return s.identity, nil
+}
+
+func (s *fakeAccountStore) UpdateAdmin(context.Context, accounts.UpdateAdminInput) (accounts.Account, error) {
+	return s.account, nil
+}
+
+func (s *fakeAccountStore) UpdateProfile(context.Context, accounts.UpdateProfileInput) (accounts.Account, error) {
+	return s.account, nil
+}
+
+func (*fakeAccountStore) UpdatePasswordIdentity(context.Context, string, string) error {
+	return nil
+}
+
+func (*fakeAccountStore) TouchLogin(context.Context, string, string) error {
+	return nil
+}
+
+type fakeAuthSessionStore struct {
+	created            AuthSessionInput
+	validatedUserID    string
+	validatedSessionID string
+	revokedSessionID   string
+}
+
+func (s *fakeAuthSessionStore) CreateSession(_ context.Context, input AuthSessionInput) (AuthSession, error) {
+	s.created = input
+	return AuthSession{ID: "session-1", UserID: input.UserID, ExpiresAt: input.ExpiresAt}, nil
+}
+
+func (s *fakeAuthSessionStore) ValidateSession(_ context.Context, userID string, sessionID string) error {
+	s.validatedUserID = userID
+	s.validatedSessionID = sessionID
+	if userID != "user-1" || sessionID != "session-1" {
+		return errors.New("invalid session")
+	}
+	return nil
+}
+
+func (s *fakeAuthSessionStore) RevokeSession(_ context.Context, sessionID string) error {
+	s.revokedSessionID = sessionID
+	return nil
+}
+
+type fakeAuthSSOService struct {
+	startedState string
+}
+
+func (s *fakeAuthSSOService) ListEnabledProviders(context.Context) ([]sso.Provider, error) {
+	return []sso.Provider{s.provider()}, nil
+}
+
+func (s *fakeAuthSSOService) GetProvider(context.Context, string) (sso.Provider, error) {
+	return s.provider(), nil
+}
+
+func (s *fakeAuthSSOService) BuildOIDCAuthRedirect(_ context.Context, _ sso.Provider, state string, _ string, _ string) (sso.OIDCAuthRedirect, error) {
+	s.startedState = state
+	return sso.OIDCAuthRedirect{URL: "https://idp.example.com/auth?state=" + state}, nil
+}
+
+func (*fakeAuthSSOService) CompleteOIDCCallback(_ context.Context, _ sso.Provider, _ string, _ sso.OIDCState) (sso.LoginCode, error) {
+	return sso.LoginCode{Code: "sso-code", UserID: "user-1", SessionID: "session-1"}, nil
+}
+
+func (*fakeAuthSSOService) BuildSAMLAuthRedirect(context.Context, sso.Provider) (sso.SAMLAuthRedirect, error) {
+	return sso.SAMLAuthRedirect{URL: "https://idp.example.com/saml", RelayState: "relay-1", RequestID: "request-1"}, nil
+}
+
+func (*fakeAuthSSOService) CompleteSAMLACS(context.Context, sso.Provider, *http.Request, sso.SAMLState) (sso.LoginCode, error) {
+	return sso.LoginCode{Code: "sso-code", UserID: "user-1", SessionID: "session-1"}, nil
+}
+
+func (*fakeAuthSSOService) BuildSAMLMetadata(context.Context, sso.Provider) (string, error) {
+	return "<EntityDescriptor/>", nil
+}
+
+func (*fakeAuthSSOService) ExchangeLoginCode(_ context.Context, code string) (sso.LoginCode, error) {
+	if code != "sso-code" {
+		return sso.LoginCode{}, errors.New("invalid code")
+	}
+	return sso.LoginCode{Code: code, UserID: "user-1", SessionID: "session-1"}, nil
+}
+
+func (*fakeAuthSSOService) provider() sso.Provider {
+	return sso.Provider{
+		ID:      "provider-1",
+		Key:     "google",
+		Name:    "Google",
+		Type:    sso.ProviderTypeOIDC,
+		Enabled: true,
+	}
+}
diff --git a/internal/handlers/handler_helpers.go b/internal/handlers/handler_helpers.go
index 040ab26ed..9d8d8911f 100644
--- a/internal/handlers/handler_helpers.go
+++ b/internal/handlers/handler_helpers.go
@@ -27,16 +27,12 @@ func RequireChannelIdentityID(c echo.Context) (string, error) {
 	return channelIdentityID, nil
 }
 
-// AuthorizeBotAccess validates that the given identity has owner/admin access to the specified bot.
+// AuthorizeBotAccess validates that the given identity can read the specified bot.
 func AuthorizeBotAccess(ctx context.Context, botService *bots.Service, accountService *accounts.Service, channelIdentityID, botID string) (bots.Bot, error) {
 	if botService == nil || accountService == nil {
 		return bots.Bot{}, echo.NewHTTPError(http.StatusInternalServerError, "bot services not configured")
 	}
-	isAdmin, err := accountService.IsAdmin(ctx, channelIdentityID)
-	if err != nil {
-		return bots.Bot{}, echo.NewHTTPError(http.StatusInternalServerError, err.Error())
-	}
-	bot, err := botService.AuthorizeAccess(ctx, channelIdentityID, botID, isAdmin)
+	bot, err := botService.AuthorizeAccess(ctx, channelIdentityID, botID, false)
 	if err != nil {
 		if errors.Is(err, bots.ErrBotNotFound) {
 			return bots.Bot{}, echo.NewHTTPError(http.StatusNotFound, "bot not found")
diff --git a/internal/handlers/iam.go b/internal/handlers/iam.go
new file mode 100644
index 000000000..cac2cf7af
--- /dev/null
+++ b/internal/handlers/iam.go
@@ -0,0 +1,973 @@
+package handlers
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgtype"
+	"github.com/labstack/echo/v4"
+
+	"github.com/memohai/memoh/internal/db"
+	"github.com/memohai/memoh/internal/db/postgres/sqlc"
+	dbstore "github.com/memohai/memoh/internal/db/store"
+	"github.com/memohai/memoh/internal/iam/rbac"
+)
+
+type IAMHandler struct {
+	queries dbstore.Queries
+	rbac    *rbac.Service
+}
+
+func NewIAMHandler(queries dbstore.Queries, rbacService *rbac.Service) *IAMHandler {
+	return &IAMHandler{queries: queries, rbac: rbacService}
+}
+
+func (h *IAMHandler) Register(e *echo.Echo) {
+	g := e.Group("/iam")
+	g.GET("/roles", h.ListRoles)
+	g.GET("/groups", h.ListGroups)
+	g.POST("/groups", h.UpsertGroup)
+	g.PUT("/groups/:id", h.UpsertGroup)
+	g.DELETE("/groups/:id", h.DeleteGroup)
+	g.GET("/groups/:id/members", h.ListGroupMembers)
+	g.POST("/groups/:id/members", h.UpsertGroupMember)
+	g.DELETE("/groups/:id/members/:user_id", h.DeleteGroupMember)
+	g.GET("/sso/providers", h.ListSSOProviders)
+	g.POST("/sso/providers", h.UpsertSSOProvider)
+	g.PUT("/sso/providers/:id", h.UpsertSSOProvider)
+	g.DELETE("/sso/providers/:id", h.DeleteSSOProvider)
+	g.GET("/sso/providers/:id/group-mappings", h.ListSSOGroupMappings)
+	g.POST("/sso/providers/:id/group-mappings", h.UpsertSSOGroupMapping)
+	g.DELETE("/sso/providers/:id/group-mappings/:external_group", h.DeleteSSOGroupMapping)
+	g.GET("/bots/:bot_id/principal-roles", h.ListBotPrincipalRoles)
+	g.POST("/bots/:bot_id/principal-roles", h.AssignBotPrincipalRole)
+	g.DELETE("/principal-roles/:id", h.DeletePrincipalRole)
+}
+
+type IAMListRolesResponse struct {
+	Items []IAMRoleResponse `json:"items"`
+}
+
+type IAMRoleResponse struct {
+	ID        string `json:"id"`
+	Key       string `json:"key"`
+	Scope     string `json:"scope"`
+	IsSystem  bool   `json:"is_system"`
+	CreatedAt string `json:"created_at"`
+}
+
+type IAMListGroupsResponse struct {
+	Items []IAMGroupResponse `json:"items"`
+}
+
+type IAMGroupResponse struct {
+	ID          string          `json:"id"`
+	Key         string          `json:"key"`
+	DisplayName string          `json:"display_name"`
+	Source      string          `json:"source"`
+	ExternalID  string          `json:"external_id,omitempty"`
+	Metadata    json.RawMessage `json:"metadata,omitempty"`
+	CreatedAt   string          `json:"created_at"`
+	UpdatedAt   string          `json:"updated_at"`
+}
+
+type IAMGroupRequest struct {
+	Key         string          `json:"key"`
+	DisplayName string          `json:"display_name"`
+	Source      string          `json:"source,omitempty"`
+	ExternalID  string          `json:"external_id,omitempty"`
+	Metadata    json.RawMessage `json:"metadata,omitempty"`
+}
+
+type IAMListGroupMembersResponse struct {
+	Items []IAMGroupMemberResponse `json:"items"`
+}
+
+type IAMGroupMemberResponse struct {
+	UserID      string `json:"user_id"`
+	GroupID     string `json:"group_id"`
+	Source      string `json:"source"`
+	ProviderID  string `json:"provider_id,omitempty"`
+	Username    string `json:"username,omitempty"`
+	Email       string `json:"email,omitempty"`
+	DisplayName string `json:"display_name,omitempty"`
+	CreatedAt   string `json:"created_at"`
+}
+
+type IAMGroupMemberRequest struct {
+	UserID     string `json:"user_id"`
+	Source     string `json:"source,omitempty"`
+	ProviderID string `json:"provider_id,omitempty"`
+}
+
+type IAMListSSOProvidersResponse struct {
+	Items []IAMSSOProviderResponse `json:"items"`
+}
+
+type IAMSSOProviderResponse struct {
+	ID                 string          `json:"id"`
+	Type               string          `json:"type"`
+	Key                string          `json:"key"`
+	Name               string          `json:"name"`
+	Enabled            bool            `json:"enabled"`
+	Config             json.RawMessage `json:"config"`
+	AttributeMapping   json.RawMessage `json:"attribute_mapping"`
+	JITEnabled         bool            `json:"jit_enabled"`
+	EmailLinkingPolicy string          `json:"email_linking_policy"`
+	TrustEmail         bool            `json:"trust_email"`
+	CreatedAt          string          `json:"created_at"`
+	UpdatedAt          string          `json:"updated_at"`
+}
+
+type IAMSSOProviderRequest struct {
+	Type               string          `json:"type"`
+	Key                string          `json:"key"`
+	Name               string          `json:"name"`
+	Enabled            bool            `json:"enabled"`
+	Config             json.RawMessage `json:"config"`
+	AttributeMapping   json.RawMessage `json:"attribute_mapping"`
+	JITEnabled         *bool           `json:"jit_enabled,omitempty"`
+	EmailLinkingPolicy string          `json:"email_linking_policy,omitempty"`
+	TrustEmail         bool            `json:"trust_email"`
+}
+
+type IAMListSSOGroupMappingsResponse struct {
+	Items []IAMSSOGroupMappingResponse `json:"items"`
+}
+
+type IAMSSOGroupMappingResponse struct {
+	ProviderID       string `json:"provider_id"`
+	ExternalGroup    string `json:"external_group"`
+	GroupID          string `json:"group_id"`
+	GroupKey         string `json:"group_key"`
+	GroupDisplayName string `json:"group_display_name"`
+	CreatedAt        string `json:"created_at"`
+}
+
+type IAMSSOGroupMappingRequest struct {
+	ExternalGroup string `json:"external_group"`
+	GroupID       string `json:"group_id"`
+}
+
+type IAMListPrincipalRolesResponse struct {
+	Items []IAMPrincipalRoleResponse `json:"items"`
+}
+
+type IAMPrincipalRoleResponse struct {
+	ID               string `json:"id"`
+	PrincipalType    string `json:"principal_type"`
+	PrincipalID      string `json:"principal_id"`
+	RoleID           string `json:"role_id"`
+	RoleKey          string `json:"role_key"`
+	RoleScope        string `json:"role_scope"`
+	ResourceType     string `json:"resource_type"`
+	ResourceID       string `json:"resource_id,omitempty"`
+	Source           string `json:"source"`
+	ProviderID       string `json:"provider_id,omitempty"`
+	UserUsername     string `json:"user_username,omitempty"`
+	UserEmail        string `json:"user_email,omitempty"`
+	UserDisplayName  string `json:"user_display_name,omitempty"`
+	GroupKey         string `json:"group_key,omitempty"`
+	GroupDisplayName string `json:"group_display_name,omitempty"`
+	CreatedAt        string `json:"created_at"`
+}
+
+type IAMPrincipalRoleRequest struct {
+	PrincipalType string `json:"principal_type"`
+	PrincipalID   string `json:"principal_id"`
+	RoleKey       string `json:"role_key"`
+}
+
+// ListRoles godoc
+// @Summary List IAM roles
+// @Description List built-in IAM roles
+// @Tags iam
+// @Security BearerAuth
+// @Success 200 {object} IAMListRolesResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/roles [get].
+func (h *IAMHandler) ListRoles(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	rows, err := h.queries.ListRoles(c.Request().Context())
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	items := make([]IAMRoleResponse, 0, len(rows))
+	for _, row := range rows {
+		items = append(items, iamRoleResponse(row))
+	}
+	return c.JSON(http.StatusOK, IAMListRolesResponse{Items: items})
+}
+
+// ListGroups godoc
+// @Summary List IAM groups
+// @Description List IAM groups
+// @Tags iam
+// @Security BearerAuth
+// @Success 200 {object} IAMListGroupsResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/groups [get].
+func (h *IAMHandler) ListGroups(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	rows, err := h.queries.ListIAMGroups(c.Request().Context())
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	items := make([]IAMGroupResponse, 0, len(rows))
+	for _, row := range rows {
+		items = append(items, iamGroupResponse(row))
+	}
+	return c.JSON(http.StatusOK, IAMListGroupsResponse{Items: items})
+}
+
+// UpsertGroup godoc
+// @Summary Upsert IAM group
+// @Description Create or update an IAM group
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string false "Group ID"
+// @Param payload body IAMGroupRequest true "Group payload"
+// @Success 200 {object} IAMGroupResponse
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/groups [post]
+// @Router /iam/groups/{id} [put].
+func (h *IAMHandler) UpsertGroup(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	var req IAMGroupRequest
+	if err := c.Bind(&req); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	key := strings.TrimSpace(req.Key)
+	if key == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "key is required")
+	}
+	source := strings.TrimSpace(req.Source)
+	if source == "" {
+		source = string(rbac.SourceManual)
+	}
+	metadata := req.Metadata
+	if len(metadata) == 0 {
+		metadata = json.RawMessage(`{}`)
+	}
+	id, err := requestID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	row, err := h.queries.UpsertIAMGroup(c.Request().Context(), sqlc.UpsertIAMGroupParams{
+		ID:          id,
+		Key:         key,
+		DisplayName: strings.TrimSpace(req.DisplayName),
+		Source:      source,
+		ExternalID:  textValue(req.ExternalID),
+		Metadata:    []byte(metadata),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.JSON(http.StatusOK, iamGroupResponse(row))
+}
+
+// DeleteGroup godoc
+// @Summary Delete IAM group
+// @Description Delete an IAM group
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "Group ID"
+// @Success 204
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/groups/{id} [delete].
+func (h *IAMHandler) DeleteGroup(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	id, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	if err := h.queries.DeleteIAMGroup(c.Request().Context(), id); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.NoContent(http.StatusNoContent)
+}
+
+// ListGroupMembers godoc
+// @Summary List IAM group members
+// @Description List members of an IAM group
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "Group ID"
+// @Success 200 {object} IAMListGroupMembersResponse
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/groups/{id}/members [get].
+func (h *IAMHandler) ListGroupMembers(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	groupID, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	rows, err := h.queries.ListIAMGroupMembers(c.Request().Context(), groupID)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	items := make([]IAMGroupMemberResponse, 0, len(rows))
+	for _, row := range rows {
+		items = append(items, iamGroupMemberResponse(row))
+	}
+	return c.JSON(http.StatusOK, IAMListGroupMembersResponse{Items: items})
+}
+
+// UpsertGroupMember godoc
+// @Summary Add IAM group member
+// @Description Add a user to an IAM group
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "Group ID"
+// @Param payload body IAMGroupMemberRequest true "Group member payload"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/groups/{id}/members [post].
+func (h *IAMHandler) UpsertGroupMember(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	groupID, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	var req IAMGroupMemberRequest
+	if err := c.Bind(&req); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	userID, err := db.ParseUUID(req.UserID)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	source := strings.TrimSpace(req.Source)
+	if source == "" {
+		source = string(rbac.SourceManual)
+	}
+	row, err := h.queries.UpsertIAMGroupMember(c.Request().Context(), sqlc.UpsertIAMGroupMemberParams{
+		UserID:     userID,
+		GroupID:    groupID,
+		Source:     source,
+		ProviderID: db.ParseUUIDOrEmpty(req.ProviderID),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.JSON(http.StatusOK, map[string]string{
+		"user_id":  row.UserID.String(),
+		"group_id": row.GroupID.String(),
+		"source":   row.Source,
+	})
+}
+
+// DeleteGroupMember godoc
+// @Summary Delete IAM group member
+// @Description Remove a user from an IAM group
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "Group ID"
+// @Param user_id path string true "User ID"
+// @Success 204
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/groups/{id}/members/{user_id} [delete].
+func (h *IAMHandler) DeleteGroupMember(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	groupID, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	userID, err := db.ParseUUID(c.Param("user_id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	if err := h.queries.DeleteIAMGroupMember(c.Request().Context(), sqlc.DeleteIAMGroupMemberParams{UserID: userID, GroupID: groupID}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.NoContent(http.StatusNoContent)
+}
+
+// ListSSOProviders godoc
+// @Summary List IAM SSO providers
+// @Description List all IAM SSO providers for administration
+// @Tags iam
+// @Security BearerAuth
+// @Success 200 {object} IAMListSSOProvidersResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/sso/providers [get].
+func (h *IAMHandler) ListSSOProviders(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	rows, err := h.queries.ListSSOProviders(c.Request().Context())
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	items := make([]IAMSSOProviderResponse, 0, len(rows))
+	for _, row := range rows {
+		items = append(items, iamSSOProviderResponse(row))
+	}
+	return c.JSON(http.StatusOK, IAMListSSOProvidersResponse{Items: items})
+}
+
+// UpsertSSOProvider godoc
+// @Summary Upsert IAM SSO provider
+// @Description Create or update an IAM SSO provider
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string false "SSO provider ID"
+// @Param payload body IAMSSOProviderRequest true "SSO provider payload"
+// @Success 200 {object} IAMSSOProviderResponse
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/sso/providers [post]
+// @Router /iam/sso/providers/{id} [put].
+func (h *IAMHandler) UpsertSSOProvider(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	var req IAMSSOProviderRequest
+	if err := c.Bind(&req); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	if strings.TrimSpace(req.Type) != "oidc" && strings.TrimSpace(req.Type) != "saml" {
+		return echo.NewHTTPError(http.StatusBadRequest, "type must be oidc or saml")
+	}
+	if strings.TrimSpace(req.Key) == "" || strings.TrimSpace(req.Name) == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "key and name are required")
+	}
+	id, err := requestID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	config := req.Config
+	if len(config) == 0 {
+		config = json.RawMessage(`{}`)
+	}
+	config, err = mergeMaskedSSOConfig(c.Request().Context(), h.queries, id, strings.TrimSpace(req.Type), config)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	attributeMapping := req.AttributeMapping
+	if len(attributeMapping) == 0 {
+		attributeMapping = json.RawMessage(`{}`)
+	}
+	jit := true
+	if req.JITEnabled != nil {
+		jit = *req.JITEnabled
+	}
+	policy := strings.TrimSpace(req.EmailLinkingPolicy)
+	if policy == "" {
+		policy = "link_existing"
+	}
+	row, err := h.queries.UpsertSSOProvider(c.Request().Context(), sqlc.UpsertSSOProviderParams{
+		ID:                 id,
+		Type:               strings.TrimSpace(req.Type),
+		Key:                strings.TrimSpace(req.Key),
+		Name:               strings.TrimSpace(req.Name),
+		Enabled:            req.Enabled,
+		Config:             []byte(config),
+		AttributeMapping:   []byte(attributeMapping),
+		JitEnabled:         jit,
+		EmailLinkingPolicy: policy,
+		TrustEmail:         req.TrustEmail,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	return c.JSON(http.StatusOK, iamSSOProviderResponse(row))
+}
+
+// DeleteSSOProvider godoc
+// @Summary Delete IAM SSO provider
+// @Description Delete an IAM SSO provider
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "SSO provider ID"
+// @Success 204
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/sso/providers/{id} [delete].
+func (h *IAMHandler) DeleteSSOProvider(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	id, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	if err := h.queries.DeleteSSOProvider(c.Request().Context(), id); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.NoContent(http.StatusNoContent)
+}
+
+// ListSSOGroupMappings godoc
+// @Summary List SSO group mappings
+// @Description List external group to IAM group mappings for an SSO provider
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "SSO provider ID"
+// @Success 200 {object} IAMListSSOGroupMappingsResponse
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/sso/providers/{id}/group-mappings [get].
+func (h *IAMHandler) ListSSOGroupMappings(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	providerID, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	rows, err := h.queries.ListSSOGroupMappingsByProvider(c.Request().Context(), providerID)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	items := make([]IAMSSOGroupMappingResponse, 0, len(rows))
+	for _, row := range rows {
+		items = append(items, iamSSOGroupMappingResponse(row))
+	}
+	return c.JSON(http.StatusOK, IAMListSSOGroupMappingsResponse{Items: items})
+}
+
+// UpsertSSOGroupMapping godoc
+// @Summary Upsert SSO group mapping
+// @Description Create or update an external group to IAM group mapping
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "SSO provider ID"
+// @Param payload body IAMSSOGroupMappingRequest true "SSO group mapping payload"
+// @Success 200 {object} map[string]string
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/sso/providers/{id}/group-mappings [post].
+func (h *IAMHandler) UpsertSSOGroupMapping(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	providerID, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	var req IAMSSOGroupMappingRequest
+	if err := c.Bind(&req); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	if strings.TrimSpace(req.ExternalGroup) == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "external_group is required")
+	}
+	groupID, err := db.ParseUUID(req.GroupID)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	row, err := h.queries.UpsertSSOGroupMapping(c.Request().Context(), sqlc.UpsertSSOGroupMappingParams{
+		ProviderID:    providerID,
+		ExternalGroup: strings.TrimSpace(req.ExternalGroup),
+		GroupID:       groupID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.JSON(http.StatusOK, map[string]string{
+		"provider_id":    row.ProviderID.String(),
+		"external_group": row.ExternalGroup,
+		"group_id":       row.GroupID.String(),
+	})
+}
+
+// DeleteSSOGroupMapping godoc
+// @Summary Delete SSO group mapping
+// @Description Delete an external group mapping from an SSO provider
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "SSO provider ID"
+// @Param external_group path string true "External group"
+// @Success 204
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/sso/providers/{id}/group-mappings/{external_group} [delete].
+func (h *IAMHandler) DeleteSSOGroupMapping(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	providerID, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	externalGroup, err := url.PathUnescape(c.Param("external_group"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	if err := h.queries.DeleteSSOGroupMapping(c.Request().Context(), sqlc.DeleteSSOGroupMappingParams{
+		ProviderID:    providerID,
+		ExternalGroup: strings.TrimSpace(externalGroup),
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.NoContent(http.StatusNoContent)
+}
+
+// ListBotPrincipalRoles godoc
+// @Summary List bot role assignments
+// @Description List user and group role assignments for a bot
+// @Tags iam
+// @Security BearerAuth
+// @Param bot_id path string true "Bot ID"
+// @Success 200 {object} IAMListPrincipalRolesResponse
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/bots/{bot_id}/principal-roles [get].
+func (h *IAMHandler) ListBotPrincipalRoles(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	botID, err := db.ParseUUID(c.Param("bot_id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	rows, err := h.queries.ListPrincipalRoles(c.Request().Context(), sqlc.ListPrincipalRolesParams{
+		ResourceType: string(rbac.ResourceBot),
+		ResourceID:   botID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	items := make([]IAMPrincipalRoleResponse, 0, len(rows))
+	for _, row := range rows {
+		items = append(items, iamPrincipalRoleResponse(row))
+	}
+	return c.JSON(http.StatusOK, IAMListPrincipalRolesResponse{Items: items})
+}
+
+// AssignBotPrincipalRole godoc
+// @Summary Assign bot role
+// @Description Assign a bot-scoped role to a user or group
+// @Tags iam
+// @Security BearerAuth
+// @Param bot_id path string true "Bot ID"
+// @Param payload body IAMPrincipalRoleRequest true "Principal role payload"
+// @Success 200 {object} map[string]string
+// @Success 204
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/bots/{bot_id}/principal-roles [post].
+func (h *IAMHandler) AssignBotPrincipalRole(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	botID, err := db.ParseUUID(c.Param("bot_id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	var req IAMPrincipalRoleRequest
+	if err := c.Bind(&req); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	principalType := strings.TrimSpace(req.PrincipalType)
+	if principalType != string(rbac.PrincipalUser) && principalType != string(rbac.PrincipalGroup) {
+		return echo.NewHTTPError(http.StatusBadRequest, "principal_type must be user or group")
+	}
+	principalID, err := db.ParseUUID(req.PrincipalID)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	role, err := h.queries.GetRoleByKey(c.Request().Context(), strings.TrimSpace(req.RoleKey))
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return echo.NewHTTPError(http.StatusBadRequest, "role not found")
+		}
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	if role.Scope != string(rbac.ResourceBot) {
+		return echo.NewHTTPError(http.StatusBadRequest, "role must be bot-scoped")
+	}
+	row, err := h.queries.AssignPrincipalRole(c.Request().Context(), sqlc.AssignPrincipalRoleParams{
+		PrincipalType: principalType,
+		PrincipalID:   principalID,
+		RoleID:        role.ID,
+		ResourceType:  string(rbac.ResourceBot),
+		ResourceID:    botID,
+		Source:        string(rbac.SourceManual),
+	})
+	if errors.Is(err, pgx.ErrNoRows) {
+		return c.NoContent(http.StatusNoContent)
+	}
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.JSON(http.StatusOK, map[string]string{"id": row.ID.String()})
+}
+
+// DeletePrincipalRole godoc
+// @Summary Delete role assignment
+// @Description Delete a user or group role assignment
+// @Tags iam
+// @Security BearerAuth
+// @Param id path string true "Principal role assignment ID"
+// @Success 204
+// @Failure 400 {object} ErrorResponse
+// @Failure 401 {object} ErrorResponse
+// @Failure 403 {object} ErrorResponse
+// @Failure 500 {object} ErrorResponse
+// @Router /iam/principal-roles/{id} [delete].
+func (h *IAMHandler) DeletePrincipalRole(c echo.Context) error {
+	if err := h.requireSystemAdmin(c); err != nil {
+		return err
+	}
+	id, err := db.ParseUUID(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, err.Error())
+	}
+	if err := h.queries.DeletePrincipalRole(c.Request().Context(), id); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	h.rbac.ClearCache()
+	return c.NoContent(http.StatusNoContent)
+}
+
+func (h *IAMHandler) requireSystemAdmin(c echo.Context) error {
+	if h.queries == nil || h.rbac == nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "iam service not configured")
+	}
+	userID, err := RequireChannelIdentityID(c)
+	if err != nil {
+		return err
+	}
+	allowed, err := h.rbac.HasPermission(c.Request().Context(), rbac.Check{
+		UserID:        userID,
+		PermissionKey: rbac.PermissionSystemAdmin,
+		ResourceType:  rbac.ResourceSystem,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
+	}
+	if !allowed {
+		return echo.NewHTTPError(http.StatusForbidden, "system admin required")
+	}
+	return nil
+}
+
+func requestID(raw string) (pgtype.UUID, error) {
+	raw = strings.TrimSpace(raw)
+	if raw == "" {
+		raw = uuid.NewString()
+	}
+	return db.ParseUUID(raw)
+}
+
+func textValue(value string) pgtype.Text {
+	value = strings.TrimSpace(value)
+	return pgtype.Text{String: value, Valid: value != ""}
+}
+
+func nullUUIDString(value pgtype.UUID) string {
+	if !value.Valid {
+		return ""
+	}
+	return value.String()
+}
+
+func timeString(value pgtype.Timestamptz) string {
+	if !value.Valid {
+		return ""
+	}
+	return value.Time.UTC().Format("2006-01-02T15:04:05Z07:00")
+}
+
+func iamRoleResponse(row sqlc.IamRole) IAMRoleResponse {
+	return IAMRoleResponse{ID: row.ID.String(), Key: row.Key, Scope: row.Scope, IsSystem: row.IsSystem, CreatedAt: timeString(row.CreatedAt)}
+}
+
+func iamGroupResponse(row sqlc.IamGroup) IAMGroupResponse {
+	return IAMGroupResponse{
+		ID:          row.ID.String(),
+		Key:         row.Key,
+		DisplayName: row.DisplayName,
+		Source:      row.Source,
+		ExternalID:  db.TextToString(row.ExternalID),
+		Metadata:    json.RawMessage(row.Metadata),
+		CreatedAt:   timeString(row.CreatedAt),
+		UpdatedAt:   timeString(row.UpdatedAt),
+	}
+}
+
+func iamGroupMemberResponse(row sqlc.ListIAMGroupMembersRow) IAMGroupMemberResponse {
+	return IAMGroupMemberResponse{
+		UserID:      row.UserID.String(),
+		GroupID:     row.GroupID.String(),
+		Source:      row.Source,
+		ProviderID:  nullUUIDString(row.ProviderID),
+		Username:    db.TextToString(row.Username),
+		Email:       db.TextToString(row.Email),
+		DisplayName: db.TextToString(row.DisplayName),
+		CreatedAt:   timeString(row.CreatedAt),
+	}
+}
+
+func iamSSOProviderResponse(row sqlc.IamSsoProvider) IAMSSOProviderResponse {
+	return IAMSSOProviderResponse{
+		ID:                 row.ID.String(),
+		Type:               row.Type,
+		Key:                row.Key,
+		Name:               row.Name,
+		Enabled:            row.Enabled,
+		Config:             maskSSOConfig(row.Type, json.RawMessage(row.Config)),
+		AttributeMapping:   json.RawMessage(row.AttributeMapping),
+		JITEnabled:         row.JitEnabled,
+		EmailLinkingPolicy: row.EmailLinkingPolicy,
+		TrustEmail:         row.TrustEmail,
+		CreatedAt:          timeString(row.CreatedAt),
+		UpdatedAt:          timeString(row.UpdatedAt),
+	}
+}
+
+func mergeMaskedSSOConfig(ctx context.Context, queries dbstore.Queries, id pgtype.UUID, providerType string, raw json.RawMessage) (json.RawMessage, error) {
+	cfg, err := parseObjectJSON(raw, "config")
+	if err != nil {
+		return nil, err
+	}
+	if providerType != "oidc" || cfg["client_secret"] != "********" {
+		return raw, nil
+	}
+	row, err := queries.GetSSOProviderByID(ctx, id)
+	if err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return raw, nil
+		}
+		return nil, err
+	}
+	existing, err := parseObjectJSON(json.RawMessage(row.Config), "config")
+	if err != nil {
+		return nil, err
+	}
+	if secret, ok := existing["client_secret"]; ok {
+		cfg["client_secret"] = secret
+	}
+	merged, err := json.Marshal(cfg)
+	if err != nil {
+		return nil, err
+	}
+	return json.RawMessage(merged), nil
+}
+
+func maskSSOConfig(providerType string, raw json.RawMessage) json.RawMessage {
+	if providerType != "oidc" {
+		return raw
+	}
+	cfg, err := parseObjectJSON(raw, "config")
+	if err != nil {
+		return raw
+	}
+	if _, ok := cfg["client_secret"]; ok {
+		cfg["client_secret"] = "********"
+	}
+	masked, err := json.Marshal(cfg)
+	if err != nil {
+		return raw
+	}
+	return json.RawMessage(masked)
+}
+
+func parseObjectJSON(raw json.RawMessage, field string) (map[string]any, error) {
+	var value map[string]any
+	if err := json.Unmarshal(raw, &value); err != nil {
+		return nil, errors.New(field + " must be a JSON object")
+	}
+	if value == nil {
+		value = map[string]any{}
+	}
+	return value, nil
+}
+
+func iamSSOGroupMappingResponse(row sqlc.ListSSOGroupMappingsByProviderRow) IAMSSOGroupMappingResponse {
+	return IAMSSOGroupMappingResponse{
+		ProviderID:       row.ProviderID.String(),
+		ExternalGroup:    row.ExternalGroup,
+		GroupID:          row.GroupID.String(),
+		GroupKey:         row.GroupKey,
+		GroupDisplayName: row.GroupDisplayName,
+		CreatedAt:        timeString(row.CreatedAt),
+	}
+}
+
+func iamPrincipalRoleResponse(row sqlc.ListPrincipalRolesRow) IAMPrincipalRoleResponse {
+	return IAMPrincipalRoleResponse{
+		ID:               row.ID.String(),
+		PrincipalType:    row.PrincipalType,
+		PrincipalID:      row.PrincipalID.String(),
+		RoleID:           row.RoleID.String(),
+		RoleKey:          row.RoleKey,
+		RoleScope:        row.RoleScope,
+		ResourceType:     row.ResourceType,
+		ResourceID:       nullUUIDString(row.ResourceID),
+		Source:           row.Source,
+		ProviderID:       nullUUIDString(row.ProviderID),
+		UserUsername:     db.TextToString(row.UserUsername),
+		UserEmail:        db.TextToString(row.UserEmail),
+		UserDisplayName:  db.TextToString(row.UserDisplayName),
+		GroupKey:         db.TextToString(row.GroupKey),
+		GroupDisplayName: db.TextToString(row.GroupDisplayName),
+		CreatedAt:        timeString(row.CreatedAt),
+	}
+}
diff --git a/internal/handlers/message.go b/internal/handlers/message.go
index ddd03c218..2e4830182 100644
--- a/internal/handlers/message.go
+++ b/internal/handlers/message.go
@@ -18,6 +18,7 @@ import (
 	"github.com/memohai/memoh/internal/accounts"
 	"github.com/memohai/memoh/internal/bots"
 	"github.com/memohai/memoh/internal/conversation"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	"github.com/memohai/memoh/internal/media"
 	messagepkg "github.com/memohai/memoh/internal/message"
 	messageevent "github.com/memohai/memoh/internal/message/event"
@@ -32,6 +33,7 @@ type MessageHandler struct {
 	mediaService        *media.Service
 	botService          *bots.Service
 	accountService      *accounts.Service
+	rbacService         SystemPermissionService
 	toolApproval        *toolapproval.Service
 	logger              *slog.Logger
 }
@@ -61,6 +63,10 @@ func (h *MessageHandler) SetToolApprovalService(svc *toolapproval.Service) {
 	h.toolApproval = svc
 }
 
+func (h *MessageHandler) SetRBACService(svc SystemPermissionService) {
+	h.rbacService = svc
+}
+
 // Register registers all conversation routes.
 func (h *MessageHandler) Register(e *echo.Echo) {
 	// Bot-scoped message container (single shared history per bot).
@@ -452,9 +458,12 @@ func (h *MessageHandler) requireReadable(ctx context.Context, conversationID, ch
 	if h.conversationService == nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, "conversation service not configured")
 	}
-	// Admin bypass.
-	if h.accountService != nil {
-		isAdmin, err := h.accountService.IsAdmin(ctx, channelIdentityID)
+	if h.rbacService != nil {
+		isAdmin, err := h.rbacService.HasPermission(ctx, rbac.Check{
+			UserID:        channelIdentityID,
+			PermissionKey: rbac.PermissionSystemAdmin,
+			ResourceType:  rbac.ResourceSystem,
+		})
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 		}
diff --git a/internal/handlers/skills_test.go b/internal/handlers/skills_test.go
index 23deb7b98..629e91734 100644
--- a/internal/handlers/skills_test.go
+++ b/internal/handlers/skills_test.go
@@ -32,6 +32,7 @@ import (
 	"github.com/memohai/memoh/internal/config"
 	"github.com/memohai/memoh/internal/db/postgres/sqlc"
 	postgresstore "github.com/memohai/memoh/internal/db/postgres/store"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	skillset "github.com/memohai/memoh/internal/skills"
 	"github.com/memohai/memoh/internal/workspace"
 	pb "github.com/memohai/memoh/internal/workspace/bridgepb"
@@ -345,12 +346,14 @@ func newSkillsTestEnvWithMetadata(t *testing.T, metadata map[string]any) *skills
 	queries := postgresstore.NewQueries(sqlc.New(db))
 	accountStore := postgresstore.NewWithQueries(sqlc.New(db))
 	manager := workspace.NewManager(slog.Default(), nil, nil, cfg, "", nil, queries)
+	botService := bots.NewService(slog.Default(), queries)
+	botService.SetRBACService(&skillsTestRBAC{allowed: true})
 	handler := NewContainerdHandler(
 		slog.Default(),
 		manager,
 		cfg,
 		"",
-		bots.NewService(slog.Default(), queries),
+		botService,
 		accounts.NewService(slog.Default(), accountStore),
 		nil,
 	)
@@ -453,7 +456,7 @@ func (*skillsTestDB) Query(context.Context, string, ...interface{}) (pgx.Rows, e
 
 func (d *skillsTestDB) QueryRow(_ context.Context, sql string, _ ...interface{}) pgx.Row {
 	switch {
-	case strings.Contains(sql, "FROM users WHERE id = $1"):
+	case strings.Contains(sql, "FROM iam_users") && strings.Contains(sql, "WHERE id = $1"):
 		return makeUserRow(mustParseUUID(d.userID), "user")
 	case strings.Contains(sql, "FROM bots"):
 		return makeBotRow(mustParseUUID(d.botID), mustParseUUID(d.userID), d.metadataJSON)
@@ -462,6 +465,14 @@ func (d *skillsTestDB) QueryRow(_ context.Context, sql string, _ ...interface{})
 	}
 }
 
+type skillsTestRBAC struct {
+	allowed bool
+}
+
+func (s *skillsTestRBAC) HasPermission(context.Context, rbac.Check) (bool, error) {
+	return s.allowed, nil
+}
+
 type skillsTestRow struct {
 	scanFunc func(dest ...any) error
 }
diff --git a/internal/handlers/users.go b/internal/handlers/users.go
index 9e7d0df80..955108fdc 100644
--- a/internal/handlers/users.go
+++ b/internal/handlers/users.go
@@ -17,6 +17,7 @@ import (
 	"github.com/memohai/memoh/internal/channel"
 	"github.com/memohai/memoh/internal/channel/identities"
 	"github.com/memohai/memoh/internal/channel/route"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	"github.com/memohai/memoh/internal/identity"
 )
 
@@ -30,16 +31,21 @@ type UsersHandler struct {
 	channelLifecycle       *channel.Lifecycle
 	channelManager         *channel.Manager
 	registry               *channel.Registry
+	rbacService            SystemPermissionService
 	logger                 *slog.Logger
 }
 
+type SystemPermissionService interface {
+	HasPermission(ctx context.Context, check rbac.Check) (bool, error)
+}
+
 type listMyIdentitiesResponse struct {
 	UserID string                       `json:"user_id"`
 	Items  []identities.ChannelIdentity `json:"items"`
 }
 
 // NewUsersHandler creates a UsersHandler with channel identity support.
-func NewUsersHandler(log *slog.Logger, service *accounts.Service, channelIdentityService *identities.Service, botService *bots.Service, routeService route.Service, channelStore *channel.Store, channelLifecycle *channel.Lifecycle, channelManager *channel.Manager, registry *channel.Registry) *UsersHandler {
+func NewUsersHandler(log *slog.Logger, service *accounts.Service, channelIdentityService *identities.Service, botService *bots.Service, routeService route.Service, channelStore *channel.Store, channelLifecycle *channel.Lifecycle, channelManager *channel.Manager, registry *channel.Registry, rbacService SystemPermissionService) *UsersHandler {
 	if log == nil {
 		log = slog.Default()
 	}
@@ -52,6 +58,7 @@ func NewUsersHandler(log *slog.Logger, service *accounts.Service, channelIdentit
 		channelLifecycle:       channelLifecycle,
 		channelManager:         channelManager,
 		registry:               registry,
+		rbacService:            rbacService,
 		logger:                 log.With(slog.String("handler", "users")),
 	}
 }
@@ -197,12 +204,12 @@ func (h *UsersHandler) ListUsers(c echo.Context) error {
 	if err != nil {
 		return err
 	}
-	isAdmin, err := h.service.IsAdmin(c.Request().Context(), channelIdentityID)
+	isAdmin, err := h.hasSystemAdmin(c.Request().Context(), channelIdentityID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
 	if !isAdmin {
-		return echo.NewHTTPError(http.StatusForbidden, "admin role required")
+		return echo.NewHTTPError(http.StatusForbidden, "system admin required")
 	}
 	if strings.TrimSpace(c.QueryParam("user_type")) != "" || strings.TrimSpace(c.QueryParam("owner_id")) != "" {
 		return echo.NewHTTPError(http.StatusBadRequest, "user_type and owner_id are not supported")
@@ -235,7 +242,7 @@ func (h *UsersHandler) GetUser(c echo.Context) error {
 		return echo.NewHTTPError(http.StatusBadRequest, "user id is required")
 	}
 	if targetID != channelIdentityID {
-		isAdmin, err := h.service.IsAdmin(c.Request().Context(), channelIdentityID)
+		isAdmin, err := h.hasSystemAdmin(c.Request().Context(), channelIdentityID)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 		}
@@ -270,12 +277,12 @@ func (h *UsersHandler) UpdateUser(c echo.Context) error {
 	if err != nil {
 		return err
 	}
-	isAdmin, err := h.service.IsAdmin(c.Request().Context(), channelIdentityID)
+	isAdmin, err := h.hasSystemAdmin(c.Request().Context(), channelIdentityID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
 	if !isAdmin {
-		return echo.NewHTTPError(http.StatusForbidden, "admin role required")
+		return echo.NewHTTPError(http.StatusForbidden, "system admin required")
 	}
 	targetID := strings.TrimSpace(c.Param("id"))
 	if targetID == "" {
@@ -316,12 +323,12 @@ func (h *UsersHandler) ResetUserPassword(c echo.Context) error {
 	if err != nil {
 		return err
 	}
-	isAdmin, err := h.service.IsAdmin(c.Request().Context(), channelIdentityID)
+	isAdmin, err := h.hasSystemAdmin(c.Request().Context(), channelIdentityID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
 	if !isAdmin {
-		return echo.NewHTTPError(http.StatusForbidden, "admin role required")
+		return echo.NewHTTPError(http.StatusForbidden, "system admin required")
 	}
 	targetID := strings.TrimSpace(c.Param("id"))
 	if targetID == "" {
@@ -358,12 +365,12 @@ func (h *UsersHandler) CreateUser(c echo.Context) error {
 	if err != nil {
 		return err
 	}
-	isAdmin, err := h.service.IsAdmin(c.Request().Context(), channelIdentityID)
+	isAdmin, err := h.hasSystemAdmin(c.Request().Context(), channelIdentityID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
 	if !isAdmin {
-		return echo.NewHTTPError(http.StatusForbidden, "admin role required")
+		return echo.NewHTTPError(http.StatusForbidden, "system admin required")
 	}
 	var req accounts.CreateAccountRequest
 	if err := c.Bind(&req); err != nil {
@@ -399,12 +406,12 @@ func (h *UsersHandler) CreateBot(c echo.Context) error {
 	ownerID := channelIdentityID
 	ownerFromToken := true
 	if raw := strings.TrimSpace(c.QueryParam("owner_id")); raw != "" {
-		isAdmin, err := h.service.IsAdmin(c.Request().Context(), channelIdentityID)
+		isAdmin, err := h.hasSystemAdmin(c.Request().Context(), channelIdentityID)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 		}
 		if !isAdmin {
-			return echo.NewHTTPError(http.StatusForbidden, "admin role required for owner override")
+			return echo.NewHTTPError(http.StatusForbidden, "system admin required for owner override")
 		}
 		if err := identity.ValidateChannelIdentityID(raw); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, err.Error())
@@ -415,21 +422,7 @@ func (h *UsersHandler) CreateBot(c echo.Context) error {
 	if ownerFromToken {
 		if _, err := h.service.Get(c.Request().Context(), ownerID); err != nil {
 			if errors.Is(err, pgx.ErrNoRows) {
-				// Backward-compatible token path: token user_id might be a channel identity ID.
-				// Try to resolve to linked user first; if still missing, force re-login.
-				linkedUserID := ""
-				if h.channelIdentityService != nil {
-					linkedUserID, err = h.channelIdentityService.GetLinkedUserID(c.Request().Context(), ownerID)
-					if err != nil {
-						return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
-					}
-				}
-				linkedUserID = strings.TrimSpace(linkedUserID)
-				if linkedUserID != "" {
-					ownerID = linkedUserID
-				} else {
-					return echo.NewHTTPError(http.StatusUnauthorized, "owner user not found, please login again")
-				}
+				return echo.NewHTTPError(http.StatusUnauthorized, "owner user not found, please login again")
 			} else {
 				return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 			}
@@ -468,12 +461,12 @@ func (h *UsersHandler) ListBots(c echo.Context) error {
 	}
 	ownerID := strings.TrimSpace(c.QueryParam("owner_id"))
 	if ownerID != "" {
-		isAdmin, err := h.service.IsAdmin(c.Request().Context(), channelIdentityID)
+		isAdmin, err := h.hasSystemAdmin(c.Request().Context(), channelIdentityID)
 		if err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 		}
 		if !isAdmin {
-			return echo.NewHTTPError(http.StatusForbidden, "admin role required for owner filter")
+			return echo.NewHTTPError(http.StatusForbidden, "system admin required for owner filter")
 		}
 		items, err := h.botService.ListByOwner(c.Request().Context(), ownerID)
 		if err != nil {
@@ -490,7 +483,7 @@ func (h *UsersHandler) ListBots(c echo.Context) error {
 
 // GetBot godoc
 // @Summary Get bot details
-// @Description Get a bot by ID (owner/admin only)
+// @Description Get a bot by ID when the current user has bot.read
 // @Tags bots
 // @Param id path string true "Bot ID"
 // @Success 200 {object} bots.Bot
@@ -550,7 +543,7 @@ func (h *UsersHandler) ListBotChecks(c echo.Context) error {
 
 // UpdateBot godoc
 // @Summary Update bot details
-// @Description Update bot profile (owner/admin only)
+// @Description Update bot profile when the current user has bot.update
 // @Tags bots
 // @Param id path string true "Bot ID"
 // @Param payload body bots.UpdateBotRequest true "Bot update payload"
@@ -584,7 +577,7 @@ func (h *UsersHandler) UpdateBot(c echo.Context) error {
 }
 
 // TransferBotOwner godoc
-// @Summary Transfer bot owner (admin only)
+// @Summary Transfer bot owner (system admin only)
 // @Description Transfer bot ownership to another human user
 // @Tags bots
 // @Param id path string true "Bot ID"
@@ -600,12 +593,12 @@ func (h *UsersHandler) TransferBotOwner(c echo.Context) error {
 	if err != nil {
 		return err
 	}
-	isAdmin, err := h.service.IsAdmin(c.Request().Context(), channelIdentityID)
+	isAdmin, err := h.hasSystemAdmin(c.Request().Context(), channelIdentityID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
 	}
 	if !isAdmin {
-		return echo.NewHTTPError(http.StatusForbidden, "admin role required")
+		return echo.NewHTTPError(http.StatusForbidden, "system admin required")
 	}
 	botID := strings.TrimSpace(c.Param("id"))
 	if botID == "" {
@@ -630,7 +623,7 @@ func (h *UsersHandler) TransferBotOwner(c echo.Context) error {
 
 // DeleteBot godoc
 // @Summary Delete bot
-// @Description Delete a bot user (owner/admin only)
+// @Description Delete a bot user when the current user has bot.delete
 // @Tags bots
 // @Param id path string true "Bot ID"
 // @Success 202 {object} map[string]string
@@ -945,6 +938,17 @@ func (h *UsersHandler) authorizeBotAccess(ctx context.Context, channelIdentityID
 	return AuthorizeBotAccess(ctx, h.botService, h.service, channelIdentityID, botID)
 }
 
+func (h *UsersHandler) hasSystemAdmin(ctx context.Context, userID string) (bool, error) {
+	if h.rbacService == nil {
+		return false, errors.New("rbac service not configured")
+	}
+	return h.rbacService.HasPermission(ctx, rbac.Check{
+		UserID:        userID,
+		PermissionKey: rbac.PermissionSystemAdmin,
+		ResourceType:  rbac.ResourceSystem,
+	})
+}
+
 func (*UsersHandler) requireChannelIdentityID(c echo.Context) (string, error) {
 	return RequireChannelIdentityID(c)
 }
diff --git a/internal/iam/accounts/service.go b/internal/iam/accounts/service.go
new file mode 100644
index 000000000..f87e037dc
--- /dev/null
+++ b/internal/iam/accounts/service.go
@@ -0,0 +1,380 @@
+package accounts
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"strings"
+
+	"golang.org/x/crypto/bcrypt"
+
+	tzutil "github.com/memohai/memoh/internal/timezone"
+)
+
+type Store interface {
+	Get(ctx context.Context, userID string) (Account, error)
+	GetPasswordIdentityBySubject(ctx context.Context, subject string) (PasswordIdentity, error)
+	GetPasswordIdentityByEmail(ctx context.Context, email string) (PasswordIdentity, error)
+	GetPasswordIdentityByUserID(ctx context.Context, userID string) (PasswordIdentity, error)
+	ListAccounts(ctx context.Context) ([]Account, error)
+	SearchAccounts(ctx context.Context, query string, limit int) ([]Account, error)
+	UpsertAccount(ctx context.Context, input UpsertAccountInput) (Account, error)
+	CreateHuman(ctx context.Context, input CreateHumanInput) (Account, error)
+	UpsertPasswordIdentity(ctx context.Context, input UpsertPasswordIdentityInput) (PasswordIdentity, error)
+	UpdateAdmin(ctx context.Context, input UpdateAdminInput) (Account, error)
+	UpdateProfile(ctx context.Context, input UpdateProfileInput) (Account, error)
+	UpdatePasswordIdentity(ctx context.Context, identityID string, credentialSecret string) error
+	TouchLogin(ctx context.Context, userID string, identityID string) error
+}
+
+type Service struct {
+	store  Store
+	logger *slog.Logger
+}
+
+var (
+	ErrNotFound           = errors.New("account not found")
+	ErrInvalidPassword    = errors.New("invalid password")
+	ErrInvalidCredentials = errors.New("invalid credentials")
+	ErrInactiveAccount    = errors.New("account is inactive")
+)
+
+func NewService(log *slog.Logger, store Store) *Service {
+	if log == nil {
+		log = slog.Default()
+	}
+	return &Service{
+		store:  store,
+		logger: log.With(slog.String("service", "iam.accounts")),
+	}
+}
+
+func (s *Service) Get(ctx context.Context, userID string) (Account, error) {
+	if s.store == nil {
+		return Account{}, errors.New("account store not configured")
+	}
+	return s.store.Get(ctx, strings.TrimSpace(userID))
+}
+
+func (s *Service) Login(ctx context.Context, identity, password string) (Account, error) {
+	if s.store == nil {
+		return Account{}, errors.New("account store not configured")
+	}
+	identity = strings.TrimSpace(identity)
+	if identity == "" || strings.TrimSpace(password) == "" {
+		return Account{}, ErrInvalidCredentials
+	}
+
+	passwordIdentity, err := s.lookupPasswordIdentity(ctx, identity)
+	if err != nil {
+		if errors.Is(err, ErrNotFound) {
+			return Account{}, ErrInvalidCredentials
+		}
+		return Account{}, err
+	}
+	if strings.TrimSpace(passwordIdentity.CredentialSecret) == "" {
+		return Account{}, ErrInvalidCredentials
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(passwordIdentity.CredentialSecret), []byte(password)); err != nil {
+		return Account{}, ErrInvalidCredentials
+	}
+
+	account, err := s.store.Get(ctx, passwordIdentity.UserID)
+	if err != nil {
+		if errors.Is(err, ErrNotFound) {
+			return Account{}, ErrInvalidCredentials
+		}
+		return Account{}, err
+	}
+	if !account.IsActive {
+		return Account{}, ErrInactiveAccount
+	}
+	if err := s.store.TouchLogin(ctx, account.ID, passwordIdentity.ID); err != nil && s.logger != nil {
+		s.logger.Warn("touch login failed", slog.Any("error", err))
+	}
+	return normalizeAccount(account), nil
+}
+
+func (s *Service) ListAccounts(ctx context.Context) ([]Account, error) {
+	if s.store == nil {
+		return nil, errors.New("account store not configured")
+	}
+	accounts, err := s.store.ListAccounts(ctx)
+	if err != nil {
+		return nil, err
+	}
+	for i := range accounts {
+		accounts[i] = normalizeAccount(accounts[i])
+	}
+	return accounts, nil
+}
+
+func (s *Service) SearchAccounts(ctx context.Context, query string, limit int) ([]Account, error) {
+	if s.store == nil {
+		return nil, errors.New("account store not configured")
+	}
+	if limit <= 0 {
+		limit = 50
+	}
+	accounts, err := s.store.SearchAccounts(ctx, strings.TrimSpace(query), limit)
+	if err != nil {
+		return nil, err
+	}
+	for i := range accounts {
+		accounts[i] = normalizeAccount(accounts[i])
+	}
+	return accounts, nil
+}
+
+func (s *Service) Create(ctx context.Context, userID string, req CreateAccountRequest) (Account, error) {
+	if s.store == nil {
+		return Account{}, errors.New("account store not configured")
+	}
+	input, passwordHash, err := prepareCreate(req)
+	if err != nil {
+		return Account{}, err
+	}
+	input.UserID = strings.TrimSpace(userID)
+	account, err := s.store.UpsertAccount(ctx, input)
+	if err != nil {
+		return Account{}, err
+	}
+	if _, err := s.store.UpsertPasswordIdentity(ctx, passwordIdentityInput(account, passwordHash)); err != nil {
+		return Account{}, err
+	}
+	return normalizeAccount(account), nil
+}
+
+func (s *Service) CreateHuman(ctx context.Context, userID string, req CreateAccountRequest) (Account, error) {
+	if s.store == nil {
+		return Account{}, errors.New("account store not configured")
+	}
+	input, passwordHash, err := prepareCreate(req)
+	if err != nil {
+		return Account{}, err
+	}
+
+	var account Account
+	if strings.TrimSpace(userID) == "" {
+		account, err = s.store.CreateHuman(ctx, CreateHumanInput{
+			Username:    input.Username,
+			Email:       input.Email,
+			DisplayName: input.DisplayName,
+			AvatarURL:   input.AvatarURL,
+			IsActive:    input.IsActive,
+		})
+	} else {
+		input.UserID = strings.TrimSpace(userID)
+		account, err = s.store.UpsertAccount(ctx, input)
+	}
+	if err != nil {
+		return Account{}, err
+	}
+	if _, err := s.store.UpsertPasswordIdentity(ctx, passwordIdentityInput(account, passwordHash)); err != nil {
+		return Account{}, err
+	}
+	return normalizeAccount(account), nil
+}
+
+func (s *Service) UpdateAdmin(ctx context.Context, userID string, req UpdateAccountRequest) (Account, error) {
+	if s.store == nil {
+		return Account{}, errors.New("account store not configured")
+	}
+	existing, err := s.store.Get(ctx, strings.TrimSpace(userID))
+	if err != nil {
+		return Account{}, err
+	}
+	displayName := strings.TrimSpace(existing.DisplayName)
+	if req.DisplayName != nil {
+		displayName = strings.TrimSpace(*req.DisplayName)
+	}
+	if displayName == "" {
+		displayName = strings.TrimSpace(existing.Username)
+	}
+	avatarURL := strings.TrimSpace(existing.AvatarURL)
+	if req.AvatarURL != nil {
+		avatarURL = strings.TrimSpace(*req.AvatarURL)
+	}
+	isActive := existing.IsActive
+	if req.IsActive != nil {
+		isActive = *req.IsActive
+	}
+	account, err := s.store.UpdateAdmin(ctx, UpdateAdminInput{
+		UserID:      existing.ID,
+		DisplayName: displayName,
+		AvatarURL:   avatarURL,
+		IsActive:    isActive,
+	})
+	if err != nil {
+		return Account{}, err
+	}
+	return normalizeAccount(account), nil
+}
+
+func (s *Service) UpdateProfile(ctx context.Context, userID string, req UpdateProfileRequest) (Account, error) {
+	if s.store == nil {
+		return Account{}, errors.New("account store not configured")
+	}
+	existing, err := s.store.Get(ctx, strings.TrimSpace(userID))
+	if err != nil {
+		return Account{}, err
+	}
+	displayName := strings.TrimSpace(existing.DisplayName)
+	if req.DisplayName != nil {
+		displayName = strings.TrimSpace(*req.DisplayName)
+	}
+	if displayName == "" {
+		displayName = strings.TrimSpace(existing.Username)
+	}
+	avatarURL := strings.TrimSpace(existing.AvatarURL)
+	if req.AvatarURL != nil {
+		avatarURL = strings.TrimSpace(*req.AvatarURL)
+	}
+	timezone := strings.TrimSpace(existing.Timezone)
+	if req.Timezone != nil {
+		resolved, _, err := tzutil.Resolve(*req.Timezone)
+		if err != nil {
+			return Account{}, err
+		}
+		timezone = resolved.String()
+	}
+	if timezone == "" {
+		timezone = "UTC"
+	}
+	account, err := s.store.UpdateProfile(ctx, UpdateProfileInput{
+		UserID:      existing.ID,
+		DisplayName: displayName,
+		AvatarURL:   avatarURL,
+		Timezone:    timezone,
+	})
+	if err != nil {
+		return Account{}, err
+	}
+	return normalizeAccount(account), nil
+}
+
+func (s *Service) UpdatePassword(ctx context.Context, userID, currentPassword, newPassword string) error {
+	if s.store == nil {
+		return errors.New("account store not configured")
+	}
+	if strings.TrimSpace(newPassword) == "" {
+		return errors.New("new password is required")
+	}
+	identity, err := s.store.GetPasswordIdentityByUserID(ctx, strings.TrimSpace(userID))
+	if err != nil {
+		if errors.Is(err, ErrNotFound) {
+			return ErrInvalidPassword
+		}
+		return err
+	}
+	if strings.TrimSpace(currentPassword) == "" || strings.TrimSpace(identity.CredentialSecret) == "" {
+		return ErrInvalidPassword
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(identity.CredentialSecret), []byte(currentPassword)); err != nil {
+		return ErrInvalidPassword
+	}
+	passwordHash, err := hashPassword(newPassword)
+	if err != nil {
+		return err
+	}
+	return s.store.UpdatePasswordIdentity(ctx, identity.ID, passwordHash)
+}
+
+func (s *Service) ResetPassword(ctx context.Context, userID, newPassword string) error {
+	if s.store == nil {
+		return errors.New("account store not configured")
+	}
+	if strings.TrimSpace(newPassword) == "" {
+		return errors.New("new password is required")
+	}
+	identity, err := s.store.GetPasswordIdentityByUserID(ctx, strings.TrimSpace(userID))
+	if err != nil {
+		return err
+	}
+	passwordHash, err := hashPassword(newPassword)
+	if err != nil {
+		return err
+	}
+	return s.store.UpdatePasswordIdentity(ctx, identity.ID, passwordHash)
+}
+
+func (s *Service) lookupPasswordIdentity(ctx context.Context, identity string) (PasswordIdentity, error) {
+	subject := normalizeSubject(identity)
+	passwordIdentity, err := s.store.GetPasswordIdentityBySubject(ctx, subject)
+	if err == nil {
+		return passwordIdentity, nil
+	}
+	if !errors.Is(err, ErrNotFound) {
+		return PasswordIdentity{}, err
+	}
+	return s.store.GetPasswordIdentityByEmail(ctx, normalizeEmail(identity))
+}
+
+func prepareCreate(req CreateAccountRequest) (UpsertAccountInput, string, error) {
+	username := strings.TrimSpace(req.Username)
+	if username == "" {
+		return UpsertAccountInput{}, "", errors.New("username is required")
+	}
+	if strings.TrimSpace(req.Password) == "" {
+		return UpsertAccountInput{}, "", errors.New("password is required")
+	}
+	passwordHash, err := hashPassword(req.Password)
+	if err != nil {
+		return UpsertAccountInput{}, "", err
+	}
+	displayName := strings.TrimSpace(req.DisplayName)
+	if displayName == "" {
+		displayName = username
+	}
+	isActive := true
+	if req.IsActive != nil {
+		isActive = *req.IsActive
+	}
+	return UpsertAccountInput{
+		Username:    username,
+		Email:       normalizeEmail(req.Email),
+		DisplayName: displayName,
+		AvatarURL:   strings.TrimSpace(req.AvatarURL),
+		IsActive:    isActive,
+	}, passwordHash, nil
+}
+
+func passwordIdentityInput(account Account, passwordHash string) UpsertPasswordIdentityInput {
+	return UpsertPasswordIdentityInput{
+		UserID:           account.ID,
+		Subject:          normalizeSubject(account.Username),
+		Email:            normalizeEmail(account.Email),
+		Username:         strings.TrimSpace(account.Username),
+		DisplayName:      strings.TrimSpace(account.DisplayName),
+		AvatarURL:        strings.TrimSpace(account.AvatarURL),
+		CredentialSecret: passwordHash,
+	}
+}
+
+func hashPassword(password string) (string, error) {
+	hashed, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+	return string(hashed), nil
+}
+
+func normalizeAccount(account Account) Account {
+	account.Username = strings.TrimSpace(account.Username)
+	account.Email = normalizeEmail(account.Email)
+	account.DisplayName = strings.TrimSpace(account.DisplayName)
+	if account.DisplayName == "" {
+		account.DisplayName = account.Username
+	}
+	account.AvatarURL = strings.TrimSpace(account.AvatarURL)
+	account.Timezone = strings.TrimSpace(account.Timezone)
+	return account
+}
+
+func normalizeSubject(subject string) string {
+	return strings.ToLower(strings.TrimSpace(subject))
+}
+
+func normalizeEmail(email string) string {
+	return strings.ToLower(strings.TrimSpace(email))
+}
diff --git a/internal/iam/accounts/service_test.go b/internal/iam/accounts/service_test.go
new file mode 100644
index 000000000..194d0667f
--- /dev/null
+++ b/internal/iam/accounts/service_test.go
@@ -0,0 +1,286 @@
+package accounts
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+func TestLoginSuccess(t *testing.T) {
+	store := newFakeStore(t)
+	service := NewService(nil, store)
+
+	account, err := service.Login(context.Background(), "alice", "secret")
+	if err != nil {
+		t.Fatalf("Login() error = %v", err)
+	}
+	if account.ID != "user-1" {
+		t.Fatalf("Login() account ID = %q, want user-1", account.ID)
+	}
+	if store.touchUserID != "user-1" || store.touchIdentityID != "identity-1" {
+		t.Fatalf("TouchLogin() = (%q, %q), want (user-1, identity-1)", store.touchUserID, store.touchIdentityID)
+	}
+}
+
+func TestLoginInvalidPassword(t *testing.T) {
+	store := newFakeStore(t)
+	service := NewService(nil, store)
+
+	_, err := service.Login(context.Background(), "alice", "wrong")
+	if !errors.Is(err, ErrInvalidCredentials) {
+		t.Fatalf("Login() error = %v, want %v", err, ErrInvalidCredentials)
+	}
+}
+
+func TestLoginInactive(t *testing.T) {
+	store := newFakeStore(t)
+	account := store.accounts["user-1"]
+	account.IsActive = false
+	store.accounts["user-1"] = account
+	service := NewService(nil, store)
+
+	_, err := service.Login(context.Background(), "alice", "secret")
+	if !errors.Is(err, ErrInactiveAccount) {
+		t.Fatalf("Login() error = %v, want %v", err, ErrInactiveAccount)
+	}
+}
+
+func TestLoginNoPasswordIdentity(t *testing.T) {
+	store := newFakeStore(t)
+	delete(store.identitiesBySubject, "alice")
+	service := NewService(nil, store)
+
+	_, err := service.Login(context.Background(), "alice", "secret")
+	if !errors.Is(err, ErrInvalidCredentials) {
+		t.Fatalf("Login() error = %v, want %v", err, ErrInvalidCredentials)
+	}
+}
+
+func TestCreateWritesPasswordIdentity(t *testing.T) {
+	store := &fakeStore{
+		accounts:            map[string]Account{},
+		identitiesBySubject: map[string]PasswordIdentity{},
+		identitiesByEmail:   map[string]PasswordIdentity{},
+		identitiesByUserID:  map[string]PasswordIdentity{},
+	}
+	service := NewService(nil, store)
+
+	account, err := service.Create(context.Background(), "user-2", CreateAccountRequest{
+		Username: "bob",
+		Password: "secret",
+		Email:    "BOB@example.com",
+	})
+	if err != nil {
+		t.Fatalf("Create() error = %v", err)
+	}
+	if account.DisplayName != "bob" {
+		t.Fatalf("Create() display name = %q, want bob", account.DisplayName)
+	}
+	identity := store.identitiesByUserID["user-2"]
+	if identity.Subject != "bob" {
+		t.Fatalf("password identity subject = %q, want bob", identity.Subject)
+	}
+	if identity.Email != "bob@example.com" {
+		t.Fatalf("password identity email = %q, want bob@example.com", identity.Email)
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(identity.CredentialSecret), []byte("secret")); err != nil {
+		t.Fatalf("password identity hash does not match: %v", err)
+	}
+}
+
+func TestUpdatePasswordVerifiesCurrentPassword(t *testing.T) {
+	store := newFakeStore(t)
+	service := NewService(nil, store)
+
+	if err := service.UpdatePassword(context.Background(), "user-1", "wrong", "new-secret"); !errors.Is(err, ErrInvalidPassword) {
+		t.Fatalf("UpdatePassword() wrong current error = %v, want %v", err, ErrInvalidPassword)
+	}
+	if store.updatedPasswordIdentityID != "" {
+		t.Fatalf("UpdatePassword() updated identity after wrong password")
+	}
+
+	if err := service.UpdatePassword(context.Background(), "user-1", "secret", "new-secret"); err != nil {
+		t.Fatalf("UpdatePassword() error = %v", err)
+	}
+	if store.updatedPasswordIdentityID != "identity-1" {
+		t.Fatalf("updated identity = %q, want identity-1", store.updatedPasswordIdentityID)
+	}
+	if err := bcrypt.CompareHashAndPassword([]byte(store.updatedPasswordSecret), []byte("new-secret")); err != nil {
+		t.Fatalf("updated password hash does not match: %v", err)
+	}
+}
+
+func newFakeStore(t *testing.T) *fakeStore {
+	t.Helper()
+	hash, err := bcrypt.GenerateFromPassword([]byte("secret"), bcrypt.DefaultCost)
+	if err != nil {
+		t.Fatal(err)
+	}
+	account := Account{
+		ID:          "user-1",
+		Username:    "alice",
+		Email:       "alice@example.com",
+		DisplayName: "Alice",
+		IsActive:    true,
+		CreatedAt:   time.Now(),
+		UpdatedAt:   time.Now(),
+	}
+	identity := PasswordIdentity{
+		ID:               "identity-1",
+		UserID:           "user-1",
+		Subject:          "alice",
+		Email:            "alice@example.com",
+		Username:         "alice",
+		CredentialSecret: string(hash),
+	}
+	return &fakeStore{
+		accounts: map[string]Account{
+			account.ID: account,
+		},
+		identitiesBySubject: map[string]PasswordIdentity{
+			identity.Subject: identity,
+		},
+		identitiesByEmail: map[string]PasswordIdentity{
+			identity.Email: identity,
+		},
+		identitiesByUserID: map[string]PasswordIdentity{
+			identity.UserID: identity,
+		},
+	}
+}
+
+type fakeStore struct {
+	accounts            map[string]Account
+	identitiesBySubject map[string]PasswordIdentity
+	identitiesByEmail   map[string]PasswordIdentity
+	identitiesByUserID  map[string]PasswordIdentity
+
+	touchUserID               string
+	touchIdentityID           string
+	updatedPasswordIdentityID string
+	updatedPasswordSecret     string
+}
+
+func (s *fakeStore) Get(_ context.Context, userID string) (Account, error) {
+	account, ok := s.accounts[userID]
+	if !ok {
+		return Account{}, ErrNotFound
+	}
+	return account, nil
+}
+
+func (s *fakeStore) GetPasswordIdentityBySubject(_ context.Context, subject string) (PasswordIdentity, error) {
+	identity, ok := s.identitiesBySubject[subject]
+	if !ok {
+		return PasswordIdentity{}, ErrNotFound
+	}
+	return identity, nil
+}
+
+func (s *fakeStore) GetPasswordIdentityByEmail(_ context.Context, email string) (PasswordIdentity, error) {
+	identity, ok := s.identitiesByEmail[email]
+	if !ok {
+		return PasswordIdentity{}, ErrNotFound
+	}
+	return identity, nil
+}
+
+func (s *fakeStore) GetPasswordIdentityByUserID(_ context.Context, userID string) (PasswordIdentity, error) {
+	identity, ok := s.identitiesByUserID[userID]
+	if !ok {
+		return PasswordIdentity{}, ErrNotFound
+	}
+	return identity, nil
+}
+
+func (s *fakeStore) ListAccounts(context.Context) ([]Account, error) {
+	out := make([]Account, 0, len(s.accounts))
+	for _, account := range s.accounts {
+		out = append(out, account)
+	}
+	return out, nil
+}
+
+func (s *fakeStore) SearchAccounts(ctx context.Context, _ string, _ int) ([]Account, error) {
+	return s.ListAccounts(ctx)
+}
+
+func (s *fakeStore) UpsertAccount(_ context.Context, input UpsertAccountInput) (Account, error) {
+	account := Account{
+		ID:          input.UserID,
+		Username:    input.Username,
+		Email:       input.Email,
+		DisplayName: input.DisplayName,
+		AvatarURL:   input.AvatarURL,
+		IsActive:    input.IsActive,
+		CreatedAt:   time.Now(),
+		UpdatedAt:   time.Now(),
+	}
+	s.accounts[account.ID] = account
+	return account, nil
+}
+
+func (s *fakeStore) CreateHuman(ctx context.Context, input CreateHumanInput) (Account, error) {
+	return s.UpsertAccount(ctx, UpsertAccountInput{
+		UserID:      "created-user",
+		Username:    input.Username,
+		Email:       input.Email,
+		DisplayName: input.DisplayName,
+		AvatarURL:   input.AvatarURL,
+		IsActive:    input.IsActive,
+	})
+}
+
+func (s *fakeStore) UpsertPasswordIdentity(_ context.Context, input UpsertPasswordIdentityInput) (PasswordIdentity, error) {
+	identity := PasswordIdentity{
+		ID:               "identity-" + input.UserID,
+		UserID:           input.UserID,
+		Subject:          input.Subject,
+		Email:            input.Email,
+		Username:         input.Username,
+		CredentialSecret: input.CredentialSecret,
+	}
+	s.identitiesBySubject[identity.Subject] = identity
+	s.identitiesByEmail[identity.Email] = identity
+	s.identitiesByUserID[identity.UserID] = identity
+	return identity, nil
+}
+
+func (s *fakeStore) UpdateAdmin(_ context.Context, input UpdateAdminInput) (Account, error) {
+	account, ok := s.accounts[input.UserID]
+	if !ok {
+		return Account{}, ErrNotFound
+	}
+	account.DisplayName = input.DisplayName
+	account.AvatarURL = input.AvatarURL
+	account.IsActive = input.IsActive
+	s.accounts[input.UserID] = account
+	return account, nil
+}
+
+func (s *fakeStore) UpdateProfile(_ context.Context, input UpdateProfileInput) (Account, error) {
+	account, ok := s.accounts[input.UserID]
+	if !ok {
+		return Account{}, ErrNotFound
+	}
+	account.DisplayName = input.DisplayName
+	account.AvatarURL = input.AvatarURL
+	account.Timezone = input.Timezone
+	s.accounts[input.UserID] = account
+	return account, nil
+}
+
+func (s *fakeStore) UpdatePasswordIdentity(_ context.Context, identityID string, credentialSecret string) error {
+	s.updatedPasswordIdentityID = identityID
+	s.updatedPasswordSecret = credentialSecret
+	return nil
+}
+
+func (s *fakeStore) TouchLogin(_ context.Context, userID string, identityID string) error {
+	s.touchUserID = userID
+	s.touchIdentityID = identityID
+	return nil
+}
diff --git a/internal/iam/accounts/types.go b/internal/iam/accounts/types.go
new file mode 100644
index 000000000..68b0c065e
--- /dev/null
+++ b/internal/iam/accounts/types.go
@@ -0,0 +1,112 @@
+package accounts
+
+import "time"
+
+const (
+	PasswordProviderType = "password"
+)
+
+// Account represents a human user profile.
+type Account struct {
+	ID          string    `json:"id"`
+	Username    string    `json:"username"`
+	Email       string    `json:"email,omitempty"`
+	DisplayName string    `json:"display_name"`
+	AvatarURL   string    `json:"avatar_url,omitempty"`
+	Timezone    string    `json:"timezone,omitempty"`
+	IsActive    bool      `json:"is_active"`
+	CreatedAt   time.Time `json:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at"`
+	LastLoginAt time.Time `json:"last_login_at,omitempty"`
+}
+
+type PasswordIdentity struct {
+	ID               string
+	UserID           string
+	Subject          string
+	Email            string
+	Username         string
+	CredentialSecret string
+	LastLoginAt      time.Time
+}
+
+// CreateAccountRequest is the input for creating a password-backed account.
+type CreateAccountRequest struct {
+	Username    string `json:"username"`
+	Password    string `json:"password"` //nolint:gosec // intentional request credential
+	Email       string `json:"email,omitempty"`
+	DisplayName string `json:"display_name,omitempty"`
+	AvatarURL   string `json:"avatar_url,omitempty"`
+	IsActive    *bool  `json:"is_active,omitempty"`
+}
+
+// UpdateAccountRequest is the input for admin-level account updates.
+type UpdateAccountRequest struct {
+	DisplayName *string `json:"display_name,omitempty"`
+	AvatarURL   *string `json:"avatar_url,omitempty"`
+	IsActive    *bool   `json:"is_active,omitempty"`
+}
+
+// UpdateProfileRequest is the input for self-service profile updates.
+type UpdateProfileRequest struct {
+	DisplayName *string `json:"display_name,omitempty"`
+	AvatarURL   *string `json:"avatar_url,omitempty"`
+	Timezone    *string `json:"timezone,omitempty"`
+}
+
+// UpdatePasswordRequest is the input for password change.
+type UpdatePasswordRequest struct {
+	CurrentPassword string `json:"current_password,omitempty"`
+	NewPassword     string `json:"new_password"`
+}
+
+// ResetPasswordRequest is the input for admin password reset.
+type ResetPasswordRequest struct {
+	NewPassword string `json:"new_password"`
+}
+
+// ListAccountsResponse wraps a list of accounts.
+type ListAccountsResponse struct {
+	Items []Account `json:"items"`
+}
+
+type UpsertAccountInput struct {
+	UserID      string
+	Username    string
+	Email       string
+	DisplayName string
+	AvatarURL   string
+	IsActive    bool
+}
+
+type CreateHumanInput struct {
+	Username    string
+	Email       string
+	DisplayName string
+	AvatarURL   string
+	IsActive    bool
+}
+
+type UpsertPasswordIdentityInput struct {
+	UserID           string
+	Subject          string
+	Email            string
+	Username         string
+	DisplayName      string
+	AvatarURL        string
+	CredentialSecret string
+}
+
+type UpdateAdminInput struct {
+	UserID      string
+	DisplayName string
+	AvatarURL   string
+	IsActive    bool
+}
+
+type UpdateProfileInput struct {
+	UserID      string
+	DisplayName string
+	AvatarURL   string
+	Timezone    string
+}
diff --git a/internal/iam/auth/jwt.go b/internal/iam/auth/jwt.go
new file mode 100644
index 000000000..edea4c4fc
--- /dev/null
+++ b/internal/iam/auth/jwt.go
@@ -0,0 +1,236 @@
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	echojwt "github.com/labstack/echo-jwt/v4"
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+)
+
+const (
+	claimSubject           = "sub"
+	claimUserID            = "user_id"
+	claimSessionID         = "session_id"
+	claimChannelIdentityID = "channel_identity_id"
+	claimType              = "typ"
+	claimBotID             = "bot_id"
+	claimChatID            = "chat_id"
+	claimRouteID           = "route_id"
+	chatTokenType          = "chat_route"
+)
+
+func JWTMiddleware(secret string, skipper middleware.Skipper) echo.MiddlewareFunc {
+	return echojwt.WithConfig(echojwt.Config{
+		SigningKey:    []byte(secret),
+		SigningMethod: "HS256",
+		TokenLookup:   "header:Authorization:Bearer ,query:token",
+		Skipper:       skipper,
+		NewClaimsFunc: func(_ echo.Context) jwt.Claims {
+			return jwt.MapClaims{}
+		},
+	})
+}
+
+func GenerateToken(userID, sessionID, secret string, expiresIn time.Duration) (string, time.Time, error) {
+	if strings.TrimSpace(userID) == "" {
+		return "", time.Time{}, errors.New("user id is required")
+	}
+	if strings.TrimSpace(sessionID) == "" {
+		return "", time.Time{}, errors.New("session id is required")
+	}
+	if strings.TrimSpace(secret) == "" {
+		return "", time.Time{}, errors.New("jwt secret is required")
+	}
+	if expiresIn <= 0 {
+		return "", time.Time{}, errors.New("jwt expires in must be positive")
+	}
+
+	now := time.Now().UTC()
+	expiresAt := now.Add(expiresIn)
+	claims := jwt.MapClaims{
+		claimSubject:   userID,
+		claimUserID:    userID,
+		claimSessionID: sessionID,
+		"iat":          now.Unix(),
+		"exp":          expiresAt.Unix(),
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	signed, err := token.SignedString([]byte(secret))
+	if err != nil {
+		return "", time.Time{}, err
+	}
+	return signed, expiresAt, nil
+}
+
+func UserIDFromContext(c echo.Context) (string, error) {
+	claims, err := claimsFromContext(c)
+	if err != nil {
+		return "", err
+	}
+	if userID := claimString(claims, claimUserID); userID != "" {
+		return userID, nil
+	}
+	if userID := claimString(claims, claimSubject); userID != "" {
+		return userID, nil
+	}
+	return "", echo.NewHTTPError(http.StatusUnauthorized, "user id missing")
+}
+
+func SessionIDFromContext(c echo.Context) (string, error) {
+	claims, err := claimsFromContext(c)
+	if err != nil {
+		return "", err
+	}
+	if sessionID := claimString(claims, claimSessionID); sessionID != "" {
+		return sessionID, nil
+	}
+	return "", echo.NewHTTPError(http.StatusUnauthorized, "session id missing")
+}
+
+type ChatToken struct {
+	BotID             string
+	ChatID            string
+	RouteID           string
+	UserID            string
+	ChannelIdentityID string
+}
+
+func GenerateChatToken(info ChatToken, secret string, expiresIn time.Duration) (string, time.Time, error) {
+	if strings.TrimSpace(info.BotID) == "" {
+		return "", time.Time{}, errors.New("bot id is required")
+	}
+	if strings.TrimSpace(info.ChatID) == "" {
+		return "", time.Time{}, errors.New("chat id is required")
+	}
+	if strings.TrimSpace(info.UserID) == "" {
+		info.UserID = strings.TrimSpace(info.ChannelIdentityID)
+	}
+	if strings.TrimSpace(info.UserID) == "" {
+		return "", time.Time{}, errors.New("user id is required")
+	}
+	if strings.TrimSpace(secret) == "" {
+		return "", time.Time{}, errors.New("jwt secret is required")
+	}
+	if expiresIn <= 0 {
+		return "", time.Time{}, errors.New("jwt expires in must be positive")
+	}
+
+	now := time.Now().UTC()
+	expiresAt := now.Add(expiresIn)
+	claims := jwt.MapClaims{
+		claimType:              chatTokenType,
+		claimBotID:             info.BotID,
+		claimChatID:            info.ChatID,
+		claimRouteID:           info.RouteID,
+		claimUserID:            info.UserID,
+		claimChannelIdentityID: info.ChannelIdentityID,
+		"iat":                  now.Unix(),
+		"exp":                  expiresAt.Unix(),
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	signed, err := token.SignedString([]byte(secret))
+	if err != nil {
+		return "", time.Time{}, err
+	}
+	return signed, expiresAt, nil
+}
+
+func ChatTokenFromContext(c echo.Context) (ChatToken, error) {
+	claims, err := claimsFromContext(c)
+	if err != nil {
+		return ChatToken{}, err
+	}
+	if claimString(claims, claimType) != chatTokenType {
+		return ChatToken{}, echo.NewHTTPError(http.StatusUnauthorized, "invalid chat token")
+	}
+	info := ChatToken{
+		BotID:             claimString(claims, claimBotID),
+		ChatID:            claimString(claims, claimChatID),
+		RouteID:           claimString(claims, claimRouteID),
+		UserID:            claimString(claims, claimUserID),
+		ChannelIdentityID: claimString(claims, claimChannelIdentityID),
+	}
+	if strings.TrimSpace(info.UserID) == "" {
+		info.UserID = strings.TrimSpace(info.ChannelIdentityID)
+	}
+	return info, nil
+}
+
+func IsChatTokenContext(c echo.Context) bool {
+	claims, err := claimsFromContext(c)
+	if err != nil {
+		return false
+	}
+	return claimString(claims, claimType) == chatTokenType
+}
+
+func RefreshTokenFromContext(c echo.Context, secret string, defaultExpiresIn time.Duration) (string, time.Time, error) {
+	token, ok := c.Get("user").(*jwt.Token)
+	if !ok || token == nil || !token.Valid {
+		return "", time.Time{}, echo.NewHTTPError(http.StatusUnauthorized, "invalid token")
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return "", time.Time{}, echo.NewHTTPError(http.StatusUnauthorized, "invalid token claims")
+	}
+
+	expiresIn := defaultExpiresIn
+	if expRaw, ok := claims["exp"].(float64); ok {
+		if iatRaw, ok := claims["iat"].(float64); ok {
+			duration := time.Duration(expRaw-iatRaw) * time.Second
+			if duration > 0 {
+				expiresIn = duration
+			}
+		}
+	}
+
+	now := time.Now().UTC()
+	expiresAt := now.Add(expiresIn)
+	newClaims := jwt.MapClaims{}
+	for key, value := range claims {
+		newClaims[key] = value
+	}
+	newClaims["iat"] = now.Unix()
+	newClaims["exp"] = expiresAt.Unix()
+
+	newToken := jwt.NewWithClaims(jwt.SigningMethodHS256, newClaims)
+	signed, err := newToken.SignedString([]byte(secret))
+	if err != nil {
+		return "", time.Time{}, err
+	}
+	return signed, expiresAt, nil
+}
+
+func claimsFromContext(c echo.Context) (jwt.MapClaims, error) {
+	token, ok := c.Get("user").(*jwt.Token)
+	if !ok || token == nil || !token.Valid {
+		return nil, echo.NewHTTPError(http.StatusUnauthorized, "invalid token")
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, echo.NewHTTPError(http.StatusUnauthorized, "invalid token claims")
+	}
+	return claims, nil
+}
+
+func claimString(claims jwt.MapClaims, key string) string {
+	raw, ok := claims[key]
+	if !ok || raw == nil {
+		return ""
+	}
+	switch value := raw.(type) {
+	case string:
+		return value
+	case fmt.Stringer:
+		return value.String()
+	default:
+		return fmt.Sprint(raw)
+	}
+}
diff --git a/internal/iam/auth/jwt_test.go b/internal/iam/auth/jwt_test.go
new file mode 100644
index 000000000..876c8fbe4
--- /dev/null
+++ b/internal/iam/auth/jwt_test.go
@@ -0,0 +1,103 @@
+package auth
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/labstack/echo/v4"
+)
+
+func TestGenerateTokenIncludesSessionID(t *testing.T) {
+	tokenString, expiresAt, err := GenerateToken("user-1", "session-1", "secret", time.Hour)
+	if err != nil {
+		t.Fatalf("GenerateToken returned error: %v", err)
+	}
+	if time.Until(expiresAt) <= 0 {
+		t.Fatalf("expiresAt is not in the future: %v", expiresAt)
+	}
+
+	claims := parseTestClaims(t, tokenString, "secret")
+	if got := claimString(claims, claimSubject); got != "user-1" {
+		t.Fatalf("sub = %q, want user-1", got)
+	}
+	if got := claimString(claims, claimUserID); got != "user-1" {
+		t.Fatalf("user_id = %q, want user-1", got)
+	}
+	if got := claimString(claims, claimSessionID); got != "session-1" {
+		t.Fatalf("session_id = %q, want session-1", got)
+	}
+}
+
+func TestUserIDAndSessionIDFromContext(t *testing.T) {
+	c := echo.New().NewContext(httptest.NewRequest(http.MethodGet, "/", nil), httptest.NewRecorder())
+	c.Set("user", &jwt.Token{
+		Valid: true,
+		Claims: jwt.MapClaims{
+			claimUserID:    "user-1",
+			claimSessionID: "session-1",
+		},
+	})
+
+	userID, err := UserIDFromContext(c)
+	if err != nil {
+		t.Fatalf("UserIDFromContext returned error: %v", err)
+	}
+	if userID != "user-1" {
+		t.Fatalf("userID = %q, want user-1", userID)
+	}
+
+	sessionID, err := SessionIDFromContext(c)
+	if err != nil {
+		t.Fatalf("SessionIDFromContext returned error: %v", err)
+	}
+	if sessionID != "session-1" {
+		t.Fatalf("sessionID = %q, want session-1", sessionID)
+	}
+}
+
+func TestGenerateChatTokenPreservesRouteClaims(t *testing.T) {
+	tokenString, _, err := GenerateChatToken(ChatToken{
+		BotID:             "bot-1",
+		ChatID:            "chat-1",
+		RouteID:           "route-1",
+		ChannelIdentityID: "channel-identity-1",
+	}, "secret", time.Hour)
+	if err != nil {
+		t.Fatalf("GenerateChatToken returned error: %v", err)
+	}
+	claims := parseTestClaims(t, tokenString, "secret")
+	if got := claimString(claims, claimType); got != chatTokenType {
+		t.Fatalf("typ = %q, want %s", got, chatTokenType)
+	}
+
+	c := echo.New().NewContext(httptest.NewRequest(http.MethodGet, "/", nil), httptest.NewRecorder())
+	c.Set("user", &jwt.Token{Valid: true, Claims: claims})
+	info, err := ChatTokenFromContext(c)
+	if err != nil {
+		t.Fatalf("ChatTokenFromContext returned error: %v", err)
+	}
+	if info.UserID != "channel-identity-1" {
+		t.Fatalf("fallback userID = %q, want channel-identity-1", info.UserID)
+	}
+	if !IsChatTokenContext(c) {
+		t.Fatal("IsChatTokenContext returned false")
+	}
+}
+
+func parseTestClaims(t *testing.T, tokenString, secret string) jwt.MapClaims {
+	t.Helper()
+	token, err := jwt.Parse(tokenString, func(_ *jwt.Token) (interface{}, error) {
+		return []byte(secret), nil
+	})
+	if err != nil {
+		t.Fatalf("jwt.Parse returned error: %v", err)
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		t.Fatal("claims are not jwt.MapClaims")
+	}
+	return claims
+}
diff --git a/internal/iam/auth/session_middleware.go b/internal/iam/auth/session_middleware.go
new file mode 100644
index 000000000..7daa837a1
--- /dev/null
+++ b/internal/iam/auth/session_middleware.go
@@ -0,0 +1,37 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+)
+
+type SessionValidator interface {
+	ValidateSession(ctx context.Context, userID string, sessionID string) error
+}
+
+func SessionMiddleware(validator SessionValidator) echo.MiddlewareFunc {
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			if validator == nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "session validator is required")
+			}
+			if IsChatTokenContext(c) {
+				return next(c)
+			}
+			userID, err := UserIDFromContext(c)
+			if err != nil {
+				return err
+			}
+			sessionID, err := SessionIDFromContext(c)
+			if err != nil {
+				return err
+			}
+			if err := validator.ValidateSession(c.Request().Context(), userID, sessionID); err != nil {
+				return echo.NewHTTPError(http.StatusUnauthorized, "invalid session")
+			}
+			return next(c)
+		}
+	}
+}
diff --git a/internal/iam/auth/session_middleware_test.go b/internal/iam/auth/session_middleware_test.go
new file mode 100644
index 000000000..307534ea0
--- /dev/null
+++ b/internal/iam/auth/session_middleware_test.go
@@ -0,0 +1,111 @@
+package auth
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/labstack/echo/v4"
+)
+
+type stubSessionValidator struct {
+	err       error
+	userID    string
+	sessionID string
+	calls     int
+}
+
+func (s *stubSessionValidator) ValidateSession(_ context.Context, userID string, sessionID string) error {
+	s.calls++
+	s.userID = userID
+	s.sessionID = sessionID
+	return s.err
+}
+
+func TestSessionMiddlewareValidatesSession(t *testing.T) {
+	validator := &stubSessionValidator{}
+	e := echo.New()
+	c := e.NewContext(httptest.NewRequest(http.MethodGet, "/", nil), httptest.NewRecorder())
+	c.Set("user", &jwt.Token{
+		Valid: true,
+		Claims: jwt.MapClaims{
+			claimUserID:    "user-1",
+			claimSessionID: "session-1",
+		},
+	})
+
+	called := false
+	handler := SessionMiddleware(validator)(func(echo.Context) error {
+		called = true
+		return nil
+	})
+	if err := handler(c); err != nil {
+		t.Fatalf("middleware returned error: %v", err)
+	}
+	if !called {
+		t.Fatal("next handler was not called")
+	}
+	if validator.calls != 1 || validator.userID != "user-1" || validator.sessionID != "session-1" {
+		t.Fatalf("validator call = (%d, %q, %q)", validator.calls, validator.userID, validator.sessionID)
+	}
+}
+
+func TestSessionMiddlewareRejectsInvalidSession(t *testing.T) {
+	validator := &stubSessionValidator{err: errors.New("revoked")}
+	e := echo.New()
+	c := e.NewContext(httptest.NewRequest(http.MethodGet, "/", nil), httptest.NewRecorder())
+	c.Set("user", &jwt.Token{
+		Valid: true,
+		Claims: jwt.MapClaims{
+			claimUserID:    "user-1",
+			claimSessionID: "session-1",
+		},
+	})
+
+	err := SessionMiddleware(validator)(func(echo.Context) error {
+		t.Fatal("next handler should not be called")
+		return nil
+	})(c)
+	if err == nil {
+		t.Fatal("middleware returned nil error")
+	}
+	var httpErr *echo.HTTPError
+	ok := errors.As(err, &httpErr)
+	if !ok {
+		t.Fatalf("error type = %T, want *echo.HTTPError", err)
+	}
+	if httpErr.Code != http.StatusUnauthorized {
+		t.Fatalf("status = %d, want 401", httpErr.Code)
+	}
+}
+
+func TestSessionMiddlewareSkipsChatToken(t *testing.T) {
+	validator := &stubSessionValidator{err: errors.New("should not be called")}
+	e := echo.New()
+	c := e.NewContext(httptest.NewRequest(http.MethodGet, "/", nil), httptest.NewRecorder())
+	c.Set("user", &jwt.Token{
+		Valid: true,
+		Claims: jwt.MapClaims{
+			claimType:   chatTokenType,
+			claimUserID: "channel-user-1",
+		},
+	})
+
+	called := false
+	err := SessionMiddleware(validator)(func(echo.Context) error {
+		called = true
+		return nil
+	})(c)
+	if err != nil {
+		t.Fatalf("middleware returned error: %v", err)
+	}
+	if !called {
+		t.Fatal("next handler was not called")
+	}
+	if validator.calls != 0 {
+		t.Fatalf("validator calls = %d, want 0", validator.calls)
+	}
+}
diff --git a/internal/iam/rbac/bootstrap.go b/internal/iam/rbac/bootstrap.go
new file mode 100644
index 000000000..a83a84c2c
--- /dev/null
+++ b/internal/iam/rbac/bootstrap.go
@@ -0,0 +1,69 @@
+package rbac
+
+import "context"
+
+type PermissionSeed struct {
+	Key      PermissionKey
+	IsSystem bool
+}
+
+type RoleSeed struct {
+	Key      RoleKey
+	Scope    ResourceType
+	IsSystem bool
+}
+
+type RolePermissionSeed struct {
+	RoleKey       RoleKey
+	PermissionKey PermissionKey
+}
+
+var BuiltinPermissions = []PermissionSeed{
+	{Key: PermissionSystemLogin, IsSystem: true},
+	{Key: PermissionSystemAdmin, IsSystem: true},
+	{Key: PermissionBotRead, IsSystem: true},
+	{Key: PermissionBotChat, IsSystem: true},
+	{Key: PermissionBotUpdate, IsSystem: true},
+	{Key: PermissionBotDelete, IsSystem: true},
+	{Key: PermissionBotPermissionsManage, IsSystem: true},
+}
+
+var BuiltinRoles = []RoleSeed{
+	{Key: RoleMember, Scope: ResourceSystem, IsSystem: true},
+	{Key: RoleAdmin, Scope: ResourceSystem, IsSystem: true},
+	{Key: RoleBotViewer, Scope: ResourceBot, IsSystem: true},
+	{Key: RoleBotOperator, Scope: ResourceBot, IsSystem: true},
+	{Key: RoleBotOwner, Scope: ResourceBot, IsSystem: true},
+}
+
+var BuiltinRolePermissions = []RolePermissionSeed{
+	{RoleKey: RoleMember, PermissionKey: PermissionSystemLogin},
+	{RoleKey: RoleAdmin, PermissionKey: PermissionSystemLogin},
+	{RoleKey: RoleAdmin, PermissionKey: PermissionSystemAdmin},
+	{RoleKey: RoleBotViewer, PermissionKey: PermissionBotRead},
+	{RoleKey: RoleBotViewer, PermissionKey: PermissionBotChat},
+	{RoleKey: RoleBotOperator, PermissionKey: PermissionBotRead},
+	{RoleKey: RoleBotOperator, PermissionKey: PermissionBotChat},
+	{RoleKey: RoleBotOperator, PermissionKey: PermissionBotUpdate},
+	{RoleKey: RoleBotOwner, PermissionKey: PermissionBotRead},
+	{RoleKey: RoleBotOwner, PermissionKey: PermissionBotChat},
+	{RoleKey: RoleBotOwner, PermissionKey: PermissionBotUpdate},
+	{RoleKey: RoleBotOwner, PermissionKey: PermissionBotDelete},
+	{RoleKey: RoleBotOwner, PermissionKey: PermissionBotPermissionsManage},
+}
+
+type BootstrapStore interface {
+	EnsurePermissions(ctx context.Context, permissions []PermissionSeed) error
+	EnsureRoles(ctx context.Context, roles []RoleSeed) error
+	EnsureRolePermissions(ctx context.Context, rolePermissions []RolePermissionSeed) error
+}
+
+func Bootstrap(ctx context.Context, store BootstrapStore) error {
+	if err := store.EnsurePermissions(ctx, BuiltinPermissions); err != nil {
+		return err
+	}
+	if err := store.EnsureRoles(ctx, BuiltinRoles); err != nil {
+		return err
+	}
+	return store.EnsureRolePermissions(ctx, BuiltinRolePermissions)
+}
diff --git a/internal/iam/rbac/bootstrap_test.go b/internal/iam/rbac/bootstrap_test.go
new file mode 100644
index 000000000..ea010223e
--- /dev/null
+++ b/internal/iam/rbac/bootstrap_test.go
@@ -0,0 +1,65 @@
+package rbac
+
+import (
+	"context"
+	"errors"
+	"testing"
+)
+
+type fakeBootstrapStore struct {
+	permissions     []PermissionSeed
+	roles           []RoleSeed
+	rolePermissions []RolePermissionSeed
+	errAt           string
+}
+
+func (s *fakeBootstrapStore) EnsurePermissions(_ context.Context, permissions []PermissionSeed) error {
+	if s.errAt == "permissions" {
+		return errors.New("permissions failed")
+	}
+	s.permissions = append([]PermissionSeed(nil), permissions...)
+	return nil
+}
+
+func (s *fakeBootstrapStore) EnsureRoles(_ context.Context, roles []RoleSeed) error {
+	if s.errAt == "roles" {
+		return errors.New("roles failed")
+	}
+	s.roles = append([]RoleSeed(nil), roles...)
+	return nil
+}
+
+func (s *fakeBootstrapStore) EnsureRolePermissions(_ context.Context, rolePermissions []RolePermissionSeed) error {
+	if s.errAt == "role_permissions" {
+		return errors.New("role permissions failed")
+	}
+	s.rolePermissions = append([]RolePermissionSeed(nil), rolePermissions...)
+	return nil
+}
+
+func TestBootstrapSeedsBuiltinRBAC(t *testing.T) {
+	store := &fakeBootstrapStore{}
+	if err := Bootstrap(context.Background(), store); err != nil {
+		t.Fatalf("Bootstrap returned error: %v", err)
+	}
+	if len(store.permissions) != len(BuiltinPermissions) {
+		t.Fatalf("permissions = %d, want %d", len(store.permissions), len(BuiltinPermissions))
+	}
+	if len(store.roles) != len(BuiltinRoles) {
+		t.Fatalf("roles = %d, want %d", len(store.roles), len(BuiltinRoles))
+	}
+	if len(store.rolePermissions) != len(BuiltinRolePermissions) {
+		t.Fatalf("role permissions = %d, want %d", len(store.rolePermissions), len(BuiltinRolePermissions))
+	}
+}
+
+func TestBootstrapStopsOnPermissionError(t *testing.T) {
+	store := &fakeBootstrapStore{errAt: "permissions"}
+	err := Bootstrap(context.Background(), store)
+	if err == nil {
+		t.Fatal("Bootstrap returned nil error")
+	}
+	if len(store.roles) != 0 || len(store.rolePermissions) != 0 {
+		t.Fatal("Bootstrap continued after permissions error")
+	}
+}
diff --git a/internal/iam/rbac/service.go b/internal/iam/rbac/service.go
new file mode 100644
index 000000000..1995f3a33
--- /dev/null
+++ b/internal/iam/rbac/service.go
@@ -0,0 +1,115 @@
+package rbac
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/hashicorp/golang-lru/v2/expirable"
+)
+
+const (
+	defaultCacheSize = 10000
+	defaultCacheTTL  = 30 * time.Second
+)
+
+type Store interface {
+	HasPermission(ctx context.Context, check Check) (bool, error)
+	HasSystemAdmin(ctx context.Context, userID string) (bool, error)
+}
+
+type Service struct {
+	store Store
+	cache *expirable.LRU[string, bool]
+}
+
+func NewService(store Store) *Service {
+	return NewServiceWithCache(store, defaultCacheSize, defaultCacheTTL)
+}
+
+func NewServiceWithCache(store Store, cacheSize int, ttl time.Duration) *Service {
+	if cacheSize <= 0 {
+		cacheSize = defaultCacheSize
+	}
+	if ttl <= 0 {
+		ttl = defaultCacheTTL
+	}
+	return &Service{
+		store: store,
+		cache: expirable.NewLRU[string, bool](cacheSize, nil, ttl),
+	}
+}
+
+func (s *Service) HasPermission(ctx context.Context, check Check) (bool, error) {
+	if s == nil || s.store == nil {
+		return false, errors.New("rbac store is required")
+	}
+	if err := validateCheck(check); err != nil {
+		return false, err
+	}
+
+	key := cacheKey(check)
+	if allowed, ok := s.cache.Get(key); ok {
+		return allowed, nil
+	}
+
+	allowed, err := s.evaluate(ctx, check)
+	if err != nil {
+		return false, err
+	}
+	s.cache.Add(key, allowed)
+	return allowed, nil
+}
+
+func (s *Service) evaluate(ctx context.Context, check Check) (bool, error) {
+	if check.PermissionKey != PermissionSystemAdmin {
+		admin, err := s.store.HasSystemAdmin(ctx, check.UserID)
+		if err != nil {
+			return false, err
+		}
+		if admin {
+			return true, nil
+		}
+	}
+	return s.store.HasPermission(ctx, check)
+}
+
+func (s *Service) ClearCache() {
+	if s == nil || s.cache == nil {
+		return
+	}
+	s.cache.Purge()
+}
+
+func validateCheck(check Check) error {
+	if strings.TrimSpace(check.UserID) == "" {
+		return errors.New("user id is required")
+	}
+	if strings.TrimSpace(string(check.PermissionKey)) == "" {
+		return errors.New("permission key is required")
+	}
+	if strings.TrimSpace(string(check.ResourceType)) == "" {
+		return errors.New("resource type is required")
+	}
+	switch check.ResourceType {
+	case ResourceSystem:
+		if strings.TrimSpace(check.ResourceID) != "" {
+			return errors.New("system resource id must be empty")
+		}
+	case ResourceBot:
+	default:
+		return fmt.Errorf("unsupported resource type %q", check.ResourceType)
+	}
+	return nil
+}
+
+func cacheKey(check Check) string {
+	return strings.Join([]string{
+		check.UserID,
+		string(check.PermissionKey),
+		string(check.ResourceType),
+		check.ResourceID,
+	}, "\x00")
+}
diff --git a/internal/iam/rbac/service_test.go b/internal/iam/rbac/service_test.go
new file mode 100644
index 000000000..f42ddf2a0
--- /dev/null
+++ b/internal/iam/rbac/service_test.go
@@ -0,0 +1,148 @@
+package rbac
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+)
+
+type fakeStore struct {
+	allowed    map[string]bool
+	adminUsers map[string]bool
+	err        error
+	checks     int
+	adminCalls int
+}
+
+func (s *fakeStore) HasPermission(_ context.Context, check Check) (bool, error) {
+	s.checks++
+	if s.err != nil {
+		return false, s.err
+	}
+	return s.allowed[cacheKey(check)], nil
+}
+
+func (s *fakeStore) HasSystemAdmin(_ context.Context, userID string) (bool, error) {
+	s.adminCalls++
+	if s.err != nil {
+		return false, s.err
+	}
+	return s.adminUsers[userID], nil
+}
+
+func TestHasPermissionUsesStoreAndCache(t *testing.T) {
+	check := Check{
+		UserID:        "user-1",
+		PermissionKey: PermissionBotRead,
+		ResourceType:  ResourceBot,
+		ResourceID:    "bot-1",
+	}
+	store := &fakeStore{
+		allowed:    map[string]bool{cacheKey(check): true},
+		adminUsers: map[string]bool{},
+	}
+	service := NewServiceWithCache(store, 100, time.Minute)
+
+	allowed, err := service.HasPermission(context.Background(), check)
+	if err != nil {
+		t.Fatalf("HasPermission returned error: %v", err)
+	}
+	if !allowed {
+		t.Fatal("allowed = false, want true")
+	}
+	allowed, err = service.HasPermission(context.Background(), check)
+	if err != nil {
+		t.Fatalf("second HasPermission returned error: %v", err)
+	}
+	if !allowed {
+		t.Fatal("second allowed = false, want true")
+	}
+	if store.checks != 1 {
+		t.Fatalf("store checks = %d, want 1", store.checks)
+	}
+	if store.adminCalls != 1 {
+		t.Fatalf("admin calls = %d, want 1", store.adminCalls)
+	}
+}
+
+func TestHasPermissionAllowsSystemAdmin(t *testing.T) {
+	store := &fakeStore{
+		allowed:    map[string]bool{},
+		adminUsers: map[string]bool{"admin-1": true},
+	}
+	service := NewServiceWithCache(store, 100, time.Minute)
+
+	allowed, err := service.HasPermission(context.Background(), Check{
+		UserID:        "admin-1",
+		PermissionKey: PermissionBotDelete,
+		ResourceType:  ResourceBot,
+		ResourceID:    "bot-1",
+	})
+	if err != nil {
+		t.Fatalf("HasPermission returned error: %v", err)
+	}
+	if !allowed {
+		t.Fatal("allowed = false, want true")
+	}
+	if store.checks != 0 {
+		t.Fatalf("store checks = %d, want 0", store.checks)
+	}
+}
+
+func TestHasPermissionDoesNotBypassSystemAdminCheck(t *testing.T) {
+	check := Check{
+		UserID:        "user-1",
+		PermissionKey: PermissionSystemAdmin,
+		ResourceType:  ResourceSystem,
+	}
+	store := &fakeStore{
+		allowed:    map[string]bool{cacheKey(check): true},
+		adminUsers: map[string]bool{"user-1": true},
+	}
+	service := NewServiceWithCache(store, 100, time.Minute)
+
+	allowed, err := service.HasPermission(context.Background(), check)
+	if err != nil {
+		t.Fatalf("HasPermission returned error: %v", err)
+	}
+	if !allowed {
+		t.Fatal("allowed = false, want true")
+	}
+	if store.adminCalls != 0 {
+		t.Fatalf("admin calls = %d, want 0", store.adminCalls)
+	}
+	if store.checks != 1 {
+		t.Fatalf("store checks = %d, want 1", store.checks)
+	}
+}
+
+func TestHasPermissionValidatesCheck(t *testing.T) {
+	store := &fakeStore{allowed: map[string]bool{}, adminUsers: map[string]bool{}}
+	service := NewServiceWithCache(store, 100, time.Minute)
+
+	_, err := service.HasPermission(context.Background(), Check{
+		UserID:        "user-1",
+		PermissionKey: PermissionBotRead,
+		ResourceType:  ResourceSystem,
+		ResourceID:    "bot-1",
+	})
+	if err == nil {
+		t.Fatal("HasPermission returned nil error")
+	}
+}
+
+func TestHasPermissionPropagatesStoreError(t *testing.T) {
+	store := &fakeStore{err: errors.New("db failed")}
+	service := NewServiceWithCache(store, 100, time.Minute)
+
+	_, err := service.HasPermission(context.Background(), Check{
+		UserID:        "user-1",
+		PermissionKey: PermissionBotRead,
+		ResourceType:  ResourceBot,
+		ResourceID:    "bot-1",
+	})
+	if err == nil {
+		t.Fatal("HasPermission returned nil error")
+	}
+}
diff --git a/internal/iam/rbac/store.go b/internal/iam/rbac/store.go
new file mode 100644
index 000000000..eed547efe
--- /dev/null
+++ b/internal/iam/rbac/store.go
@@ -0,0 +1,47 @@
+package rbac
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"github.com/memohai/memoh/internal/db"
+	"github.com/memohai/memoh/internal/db/postgres/sqlc"
+	dbstore "github.com/memohai/memoh/internal/db/store"
+)
+
+type SQLStore struct {
+	queries dbstore.Queries
+}
+
+func NewSQLStore(queries dbstore.Queries) *SQLStore {
+	return &SQLStore{queries: queries}
+}
+
+func (s *SQLStore) HasPermission(ctx context.Context, check Check) (bool, error) {
+	userID, err := db.ParseUUID(check.UserID)
+	if err != nil {
+		return false, err
+	}
+	var resourceID pgtype.UUID
+	if check.ResourceType != ResourceSystem && check.ResourceID != "" {
+		resourceID, err = db.ParseUUID(check.ResourceID)
+		if err != nil {
+			return false, err
+		}
+	}
+	return s.queries.HasPermission(ctx, sqlc.HasPermissionParams{
+		PermissionKey: string(check.PermissionKey),
+		ResourceType:  string(check.ResourceType),
+		ResourceID:    resourceID,
+		UserID:        userID,
+	})
+}
+
+func (s *SQLStore) HasSystemAdmin(ctx context.Context, userID string) (bool, error) {
+	return s.HasPermission(ctx, Check{
+		UserID:        userID,
+		PermissionKey: PermissionSystemAdmin,
+		ResourceType:  ResourceSystem,
+	})
+}
diff --git a/internal/iam/rbac/types.go b/internal/iam/rbac/types.go
new file mode 100644
index 000000000..211efdece
--- /dev/null
+++ b/internal/iam/rbac/types.go
@@ -0,0 +1,52 @@
+package rbac
+
+type (
+	PermissionKey    string
+	RoleKey          string
+	ResourceType     string
+	PrincipalType    string
+	AssignmentSource string
+)
+
+const (
+	PermissionSystemLogin PermissionKey = "system.login"
+	PermissionSystemAdmin PermissionKey = "system.admin"
+
+	PermissionBotRead              PermissionKey = "bot.read"
+	PermissionBotChat              PermissionKey = "bot.chat"
+	PermissionBotUpdate            PermissionKey = "bot.update"
+	PermissionBotDelete            PermissionKey = "bot.delete"
+	PermissionBotPermissionsManage PermissionKey = "bot.permissions.manage"
+)
+
+const (
+	RoleMember      RoleKey = "member"
+	RoleAdmin       RoleKey = "admin"
+	RoleBotViewer   RoleKey = "bot_viewer"
+	RoleBotOperator RoleKey = "bot_operator"
+	RoleBotOwner    RoleKey = "bot_owner"
+)
+
+const (
+	ResourceSystem ResourceType = "system"
+	ResourceBot    ResourceType = "bot"
+)
+
+const (
+	PrincipalUser  PrincipalType = "user"
+	PrincipalGroup PrincipalType = "group"
+)
+
+const (
+	SourceSystem AssignmentSource = "system"
+	SourceManual AssignmentSource = "manual"
+	SourceSSO    AssignmentSource = "sso"
+	SourceSCIM   AssignmentSource = "scim"
+)
+
+type Check struct {
+	UserID        string
+	PermissionKey PermissionKey
+	ResourceType  ResourceType
+	ResourceID    string
+}
diff --git a/internal/iam/sso/cookie.go b/internal/iam/sso/cookie.go
new file mode 100644
index 000000000..0cf355197
--- /dev/null
+++ b/internal/iam/sso/cookie.go
@@ -0,0 +1,142 @@
+package sso
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"time"
+)
+
+type OIDCState struct {
+	State        string    `json:"state"`
+	Nonce        string    `json:"nonce"`
+	CodeVerifier string    `json:"code_verifier"`
+	CreatedAt    time.Time `json:"created_at"`
+}
+
+type SAMLState struct {
+	RelayState string    `json:"relay_state"`
+	RequestID  string    `json:"request_id"`
+	CreatedAt  time.Time `json:"created_at"`
+}
+
+func SetOIDCStateCookie(w http.ResponseWriter, value OIDCState, now time.Time) error {
+	if value.State == "" || value.Nonce == "" || value.CodeVerifier == "" {
+		return ErrInvalidProfile
+	}
+	if value.CreatedAt.IsZero() {
+		value.CreatedAt = now.UTC()
+	}
+	payload, err := json.Marshal(value)
+	if err != nil {
+		return err
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     OIDCStateCookieName,
+		Value:    base64.RawURLEncoding.EncodeToString(payload),
+		Path:     "/",
+		Expires:  now.UTC().Add(OIDCStateCookieTTL),
+		MaxAge:   int(OIDCStateCookieTTL.Seconds()),
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	return nil
+}
+
+func ReadAndClearOIDCStateCookie(w http.ResponseWriter, r *http.Request, now time.Time) (OIDCState, error) {
+	clearOIDCStateCookie(w, now)
+	cookie, err := r.Cookie(OIDCStateCookieName)
+	if err != nil {
+		return OIDCState{}, err
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(cookie.Value)
+	if err != nil {
+		return OIDCState{}, err
+	}
+	var value OIDCState
+	if err := json.Unmarshal(payload, &value); err != nil {
+		return OIDCState{}, err
+	}
+	if value.State == "" || value.Nonce == "" || value.CodeVerifier == "" {
+		return OIDCState{}, ErrInvalidProfile
+	}
+	if value.CreatedAt.IsZero() || now.Sub(value.CreatedAt) > OIDCStateCookieTTL {
+		return OIDCState{}, errors.New("sso: oidc state expired")
+	}
+	return value, nil
+}
+
+func clearOIDCStateCookie(w http.ResponseWriter, now time.Time) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     OIDCStateCookieName,
+		Value:    "",
+		Path:     "/",
+		Expires:  now.UTC().Add(-time.Hour),
+		MaxAge:   -1,
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
+	})
+}
+
+func SetSAMLStateCookie(w http.ResponseWriter, value SAMLState, now time.Time) error {
+	if value.RelayState == "" || value.RequestID == "" {
+		return ErrInvalidProfile
+	}
+	if value.CreatedAt.IsZero() {
+		value.CreatedAt = now.UTC()
+	}
+	payload, err := json.Marshal(value)
+	if err != nil {
+		return err
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     SAMLStateCookieName,
+		Value:    base64.RawURLEncoding.EncodeToString(payload),
+		Path:     "/",
+		Expires:  now.UTC().Add(SAMLStateCookieTTL),
+		MaxAge:   int(SAMLStateCookieTTL.Seconds()),
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	return nil
+}
+
+func ReadAndClearSAMLStateCookie(w http.ResponseWriter, r *http.Request, now time.Time) (SAMLState, error) {
+	clearSAMLStateCookie(w, now)
+	cookie, err := r.Cookie(SAMLStateCookieName)
+	if err != nil {
+		return SAMLState{}, err
+	}
+	payload, err := base64.RawURLEncoding.DecodeString(cookie.Value)
+	if err != nil {
+		return SAMLState{}, err
+	}
+	var value SAMLState
+	if err := json.Unmarshal(payload, &value); err != nil {
+		return SAMLState{}, err
+	}
+	if value.RelayState == "" || value.RequestID == "" {
+		return SAMLState{}, ErrInvalidProfile
+	}
+	if value.CreatedAt.IsZero() || now.Sub(value.CreatedAt) > SAMLStateCookieTTL {
+		return SAMLState{}, errors.New("sso: saml state expired")
+	}
+	return value, nil
+}
+
+func clearSAMLStateCookie(w http.ResponseWriter, now time.Time) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     SAMLStateCookieName,
+		Value:    "",
+		Path:     "/",
+		Expires:  now.UTC().Add(-time.Hour),
+		MaxAge:   -1,
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
+	})
+}
diff --git a/internal/iam/sso/cookie_test.go b/internal/iam/sso/cookie_test.go
new file mode 100644
index 000000000..e96ff9368
--- /dev/null
+++ b/internal/iam/sso/cookie_test.go
@@ -0,0 +1,66 @@
+package sso
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+)
+
+func TestOIDCStateCookieRoundTripAndClear(t *testing.T) {
+	now := time.Date(2026, 5, 2, 10, 0, 0, 0, time.UTC)
+	rec := httptest.NewRecorder()
+	state := OIDCState{
+		State:        "state-1",
+		Nonce:        "nonce-1",
+		CodeVerifier: "verifier-1",
+	}
+
+	if err := SetOIDCStateCookie(rec, state, now); err != nil {
+		t.Fatalf("set cookie: %v", err)
+	}
+	cookies := rec.Result().Cookies()
+	if len(cookies) != 1 {
+		t.Fatalf("expected one cookie, got %d", len(cookies))
+	}
+	cookie := cookies[0]
+	if cookie.Name != OIDCStateCookieName {
+		t.Fatalf("cookie name = %q", cookie.Name)
+	}
+	if !cookie.HttpOnly || !cookie.Secure || cookie.SameSite != http.SameSiteLaxMode {
+		t.Fatalf("cookie flags not secure: httponly=%v secure=%v samesite=%v", cookie.HttpOnly, cookie.Secure, cookie.SameSite)
+	}
+
+	req := httptest.NewRequest(http.MethodGet, "/auth/sso/callback", nil)
+	req.AddCookie(cookie)
+	clearRec := httptest.NewRecorder()
+	got, err := ReadAndClearOIDCStateCookie(clearRec, req, now.Add(time.Minute))
+	if err != nil {
+		t.Fatalf("read cookie: %v", err)
+	}
+	if got.State != state.State || got.Nonce != state.Nonce || got.CodeVerifier != state.CodeVerifier {
+		t.Fatalf("state mismatch: %#v", got)
+	}
+	clearCookies := clearRec.Result().Cookies()
+	if len(clearCookies) != 1 || clearCookies[0].MaxAge != -1 {
+		t.Fatalf("expected clear cookie, got %#v", clearCookies)
+	}
+}
+
+func TestOIDCStateCookieExpired(t *testing.T) {
+	now := time.Date(2026, 5, 2, 10, 0, 0, 0, time.UTC)
+	rec := httptest.NewRecorder()
+	if err := SetOIDCStateCookie(rec, OIDCState{
+		State:        "state-1",
+		Nonce:        "nonce-1",
+		CodeVerifier: "verifier-1",
+		CreatedAt:    now.Add(-OIDCStateCookieTTL - time.Second),
+	}, now); err != nil {
+		t.Fatalf("set cookie: %v", err)
+	}
+	req := httptest.NewRequest(http.MethodGet, "/auth/sso/callback", nil)
+	req.AddCookie(rec.Result().Cookies()[0])
+	if _, err := ReadAndClearOIDCStateCookie(httptest.NewRecorder(), req, now); err == nil {
+		t.Fatal("expected expired cookie error")
+	}
+}
diff --git a/internal/iam/sso/db_service.go b/internal/iam/sso/db_service.go
new file mode 100644
index 000000000..d6ef1218d
--- /dev/null
+++ b/internal/iam/sso/db_service.go
@@ -0,0 +1,473 @@
+package sso
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/xml"
+	"errors"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/crewjam/saml"
+	"github.com/crewjam/saml/samlsp"
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgtype"
+
+	"github.com/memohai/memoh/internal/db"
+	"github.com/memohai/memoh/internal/db/postgres/sqlc"
+	dbstore "github.com/memohai/memoh/internal/db/store"
+)
+
+type AuthService struct {
+	queries     dbstore.Queries
+	core        *Service
+	sessionTTL  time.Duration
+	redirectURL string
+}
+
+func NewAuthService(queries dbstore.Queries, sessionTTL time.Duration, redirectURL string) *AuthService {
+	svc := &AuthService{
+		queries:     queries,
+		sessionTTL:  sessionTTL,
+		redirectURL: redirectURL,
+	}
+	svc.core = NewService((*authStore)(svc))
+	return svc
+}
+
+func (s *AuthService) ListEnabledProviders(ctx context.Context) ([]Provider, error) {
+	rows, err := s.queries.ListEnabledSSOProviders(ctx)
+	if err != nil {
+		return nil, err
+	}
+	providers := make([]Provider, 0, len(rows))
+	for _, row := range rows {
+		provider, err := providerFromRow(row)
+		if err != nil {
+			return nil, err
+		}
+		providers = append(providers, provider)
+	}
+	return providers, nil
+}
+
+func (s *AuthService) GetProvider(ctx context.Context, providerID string) (Provider, error) {
+	id, err := db.ParseUUID(providerID)
+	if err == nil {
+		row, err := s.queries.GetSSOProviderByID(ctx, id)
+		if err != nil {
+			return Provider{}, mapSSOErr(err)
+		}
+		return providerFromRow(row)
+	}
+	row, err := s.queries.GetSSOProviderByKey(ctx, providerID)
+	if err != nil {
+		return Provider{}, mapSSOErr(err)
+	}
+	return providerFromRow(row)
+}
+
+func (*AuthService) BuildOIDCAuthRedirect(ctx context.Context, provider Provider, state string, nonce string, codeVerifier string) (OIDCAuthRedirect, error) {
+	return BuildOIDCAuthRedirect(ctx, provider.OIDC, state, nonce, codeVerifier)
+}
+
+func (s *AuthService) CompleteOIDCCallback(ctx context.Context, provider Provider, code string, state OIDCState) (LoginCode, error) {
+	claims, err := ExchangeOIDCCode(ctx, provider.OIDC, code, state.CodeVerifier)
+	if err != nil {
+		return LoginCode{}, err
+	}
+	profile, err := NormalizeOIDCClaims(provider, claims)
+	if err != nil {
+		return LoginCode{}, err
+	}
+	return s.issueLoginCode(ctx, provider, profile)
+}
+
+func (*AuthService) BuildSAMLAuthRedirect(_ context.Context, provider Provider) (SAMLAuthRedirect, error) {
+	sp, err := buildSAMLServiceProvider(provider)
+	if err != nil {
+		return SAMLAuthRedirect{}, err
+	}
+	authReq, err := sp.MakeAuthenticationRequest(sp.GetSSOBindingLocation(saml.HTTPRedirectBinding), saml.HTTPRedirectBinding, saml.HTTPPostBinding)
+	if err != nil {
+		return SAMLAuthRedirect{}, err
+	}
+	relayState, err := GenerateState()
+	if err != nil {
+		return SAMLAuthRedirect{}, err
+	}
+	redirectURL, err := authReq.Redirect(relayState, sp)
+	if err != nil {
+		return SAMLAuthRedirect{}, err
+	}
+	return SAMLAuthRedirect{URL: redirectURL.String(), RelayState: relayState, RequestID: authReq.ID}, nil
+}
+
+func (s *AuthService) CompleteSAMLACS(ctx context.Context, provider Provider, r *http.Request, state SAMLState) (LoginCode, error) {
+	if err := r.ParseForm(); err != nil {
+		return LoginCode{}, err
+	}
+	if r.Form.Get("RelayState") != state.RelayState {
+		return LoginCode{}, ErrInvalidProfile
+	}
+	sp, err := buildSAMLServiceProvider(provider)
+	if err != nil {
+		return LoginCode{}, err
+	}
+	assertion, err := sp.ParseResponse(r, []string{state.RequestID})
+	if err != nil {
+		return LoginCode{}, err
+	}
+	profile, err := NormalizeSAMLAssertion(provider, assertion)
+	if err != nil {
+		return LoginCode{}, err
+	}
+	return s.issueLoginCode(ctx, provider, profile)
+}
+
+func (*AuthService) BuildSAMLMetadata(_ context.Context, provider Provider) (string, error) {
+	sp, err := buildSAMLServiceProvider(provider)
+	if err != nil {
+		return "", err
+	}
+	buf, err := xml.MarshalIndent(sp.Metadata(), "", "  ")
+	if err != nil {
+		return "", err
+	}
+	return string(buf), nil
+}
+
+func buildSAMLServiceProvider(provider Provider) (*saml.ServiceProvider, error) {
+	cfg := provider.SAML
+	acsURL, err := parseRequiredURL(cfg.ACSURL)
+	if err != nil {
+		return nil, err
+	}
+	metadataURLValue := cfg.MetadataURL
+	if metadataURLValue == "" {
+		metadataURLValue = deriveSAMLMetadataURL(cfg.ACSURL)
+	}
+	metadataURL, err := parseRequiredURL(metadataURLValue)
+	if err != nil {
+		return nil, err
+	}
+	idpMetadata, err := samlsp.ParseMetadata([]byte(cfg.MetadataXML))
+	if err != nil {
+		return nil, err
+	}
+	return &saml.ServiceProvider{
+		EntityID:          cfg.EntityID,
+		MetadataURL:       *metadataURL,
+		AcsURL:            *acsURL,
+		IDPMetadata:       idpMetadata,
+		HTTPClient:        http.DefaultClient,
+		AuthnNameIDFormat: saml.PersistentNameIDFormat,
+	}, nil
+}
+
+func parseRequiredURL(value string) (*url.URL, error) {
+	value = strings.TrimSpace(value)
+	if value == "" {
+		return nil, ErrInvalidProvider
+	}
+	parsed, err := url.Parse(value)
+	if err != nil {
+		return nil, err
+	}
+	if parsed.Scheme == "" || parsed.Host == "" {
+		return nil, ErrInvalidProvider
+	}
+	return parsed, nil
+}
+
+func deriveSAMLMetadataURL(acsURL string) string {
+	if strings.HasSuffix(acsURL, "/acs") {
+		return strings.TrimSuffix(acsURL, "/acs") + "/metadata"
+	}
+	return strings.TrimRight(acsURL, "/") + "/metadata"
+}
+
+func GenerateState() (string, error) {
+	buf := make([]byte, 32)
+	if _, err := rand.Read(buf); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(buf), nil
+}
+
+func (s *AuthService) ExchangeLoginCode(ctx context.Context, code string) (LoginCode, error) {
+	row, err := s.queries.UseIAMLoginCode(ctx, HashLoginCode(code))
+	if err != nil {
+		return LoginCode{}, mapSSOErr(err)
+	}
+	return LoginCode{
+		Code:      code,
+		UserID:    row.UserID.String(),
+		SessionID: row.SessionID.String(),
+	}, nil
+}
+
+func (s *AuthService) issueLoginCode(ctx context.Context, provider Provider, profile NormalizedProfile) (LoginCode, error) {
+	result, err := s.core.FindOrProvisionUser(ctx, provider, profile)
+	if err != nil {
+		return LoginCode{}, err
+	}
+	if err := s.core.SyncMappedGroups(ctx, provider, result.User.ID, profile.Groups); err != nil {
+		return LoginCode{}, err
+	}
+	userID, err := db.ParseUUID(result.User.ID)
+	if err != nil {
+		return LoginCode{}, err
+	}
+	identityID, err := db.ParseUUID(result.Identity.ID)
+	if err != nil {
+		return LoginCode{}, err
+	}
+	now := time.Now().UTC()
+	session, err := s.queries.CreateIAMSession(ctx, sqlc.CreateIAMSessionParams{
+		UserID:     userID,
+		IdentityID: identityID,
+		ExpiresAt:  pgtype.Timestamptz{Time: now.Add(s.sessionTTL), Valid: true},
+		Metadata:   []byte("{}"),
+	})
+	if err != nil {
+		return LoginCode{}, err
+	}
+	code, codeHash, err := GenerateLoginCode()
+	if err != nil {
+		return LoginCode{}, err
+	}
+	if _, err := s.queries.CreateIAMLoginCode(ctx, sqlc.CreateIAMLoginCodeParams{
+		CodeHash:   codeHash,
+		UserID:     userID,
+		IdentityID: identityID,
+		SessionID:  session.ID,
+		ExpiresAt:  pgtype.Timestamptz{Time: now.Add(LoginCodeTTL), Valid: true},
+	}); err != nil {
+		return LoginCode{}, err
+	}
+	return LoginCode{Code: code, UserID: result.User.ID, SessionID: session.ID.String(), RedirectURL: s.redirectURL}, nil
+}
+
+type authStore AuthService
+
+func (s *authStore) FindIdentity(ctx context.Context, providerType ProviderType, providerID string, subject string) (Identity, User, error) {
+	pid, err := db.ParseUUID(providerID)
+	if err != nil {
+		return Identity{}, User{}, err
+	}
+	identity, err := s.queries.GetIdentityByProviderSubject(ctx, sqlc.GetIdentityByProviderSubjectParams{
+		ProviderType: string(providerType),
+		ProviderID:   pid,
+		Subject:      subject,
+	})
+	if err != nil {
+		return Identity{}, User{}, mapSSOErr(err)
+	}
+	user, err := s.queries.GetAccountByUserID(ctx, identity.UserID)
+	if err != nil {
+		return Identity{}, User{}, mapSSOErr(err)
+	}
+	return identityFromRow(identity), userFromRow(user), nil
+}
+
+func (s *authStore) FindUserByEmail(ctx context.Context, normalizedEmail string) (User, error) {
+	rows, err := s.queries.SearchAccounts(ctx, sqlc.SearchAccountsParams{Query: normalizedEmail, LimitCount: 10})
+	if err != nil {
+		return User{}, err
+	}
+	for _, row := range rows {
+		if NormalizeEmail(row.Email.String) == normalizedEmail {
+			return userFromRow(row), nil
+		}
+	}
+	return User{}, ErrNotFound
+}
+
+func (s *authStore) CreateUserWithIdentity(ctx context.Context, profile NormalizedProfile) (Identity, User, error) {
+	row, err := s.queries.CreateUser(ctx, sqlc.CreateUserParams{IsActive: true, Metadata: []byte("{}")})
+	if err != nil {
+		return Identity{}, User{}, err
+	}
+	user := userFromRow(row)
+	userID := row.ID
+	username := profile.Username
+	if username == "" {
+		username = profile.Email
+	}
+	if username == "" {
+		username = profile.Subject
+	}
+	account, err := s.queries.CreateAccount(ctx, sqlc.CreateAccountParams{
+		UserID:      userID,
+		Username:    pgtype.Text{String: username, Valid: username != ""},
+		Email:       pgtype.Text{String: profile.Email, Valid: profile.Email != ""},
+		DisplayName: pgtype.Text{String: profile.DisplayName, Valid: profile.DisplayName != ""},
+		AvatarUrl:   pgtype.Text{String: profile.AvatarURL, Valid: profile.AvatarURL != ""},
+		IsActive:    true,
+	})
+	if err == nil {
+		user = userFromRow(account)
+	}
+	identity, err := s.upsertIdentity(ctx, userID, profile)
+	if err != nil {
+		return Identity{}, User{}, err
+	}
+	return identity, user, nil
+}
+
+func (s *authStore) LinkIdentity(ctx context.Context, userID string, profile NormalizedProfile) (Identity, error) {
+	uid, err := db.ParseUUID(userID)
+	if err != nil {
+		return Identity{}, err
+	}
+	return s.upsertIdentity(ctx, uid, profile)
+}
+
+func (s *authStore) UpdateIdentityProfile(ctx context.Context, identityID string, _ NormalizedProfile) error {
+	uid, err := db.ParseUUID(identityID)
+	if err != nil {
+		return err
+	}
+	if err := s.queries.UpdateIdentityLastLogin(ctx, uid); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (s *authStore) FindGroupMappings(ctx context.Context, providerID string, externalGroups []string) ([]GroupMapping, error) {
+	pid, err := db.ParseUUID(providerID)
+	if err != nil {
+		return nil, err
+	}
+	rows, err := s.queries.ListSSOGroupMappingsByProvider(ctx, pid)
+	if err != nil {
+		return nil, err
+	}
+	wanted := make(map[string]struct{}, len(externalGroups))
+	for _, group := range externalGroups {
+		wanted[group] = struct{}{}
+	}
+	out := make([]GroupMapping, 0, len(rows))
+	for _, row := range rows {
+		if _, ok := wanted[row.ExternalGroup]; ok {
+			out = append(out, GroupMapping{ExternalGroup: row.ExternalGroup, GroupID: row.GroupID.String()})
+		}
+	}
+	return out, nil
+}
+
+func (s *authStore) ReplaceSSOGroupMemberships(ctx context.Context, userID string, providerID string, groupIDs []string) error {
+	uid, err := db.ParseUUID(userID)
+	if err != nil {
+		return err
+	}
+	pid, err := db.ParseUUID(providerID)
+	if err != nil {
+		return err
+	}
+	gids := make([]pgtype.UUID, 0, len(groupIDs))
+	for _, groupID := range groupIDs {
+		gid, err := db.ParseUUID(groupID)
+		if err != nil {
+			return err
+		}
+		gids = append(gids, gid)
+	}
+	return s.queries.ReplaceSSOGroupMemberships(ctx, sqlc.ReplaceSSOGroupMembershipsParams{UserID: uid, GroupIds: gids, ProviderID: pid})
+}
+
+func (s *authStore) upsertIdentity(ctx context.Context, userID pgtype.UUID, profile NormalizedProfile) (Identity, error) {
+	pid, err := db.ParseUUID(profile.ProviderID)
+	if err != nil {
+		return Identity{}, err
+	}
+	rawClaims, err := json.Marshal(profile.RawClaims)
+	if err != nil {
+		return Identity{}, err
+	}
+	if len(rawClaims) == 0 || string(rawClaims) == "null" {
+		rawClaims = []byte("{}")
+	}
+	row, err := s.queries.UpsertExternalIdentity(ctx, sqlc.UpsertExternalIdentityParams{
+		UserID:       userID,
+		ProviderType: string(profile.ProviderType),
+		ProviderID:   pid,
+		Subject:      profile.Subject,
+		Email:        pgtype.Text{String: profile.Email, Valid: profile.Email != ""},
+		Username:     pgtype.Text{String: profile.Username, Valid: profile.Username != ""},
+		DisplayName:  pgtype.Text{String: profile.DisplayName, Valid: profile.DisplayName != ""},
+		AvatarUrl:    pgtype.Text{String: profile.AvatarURL, Valid: profile.AvatarURL != ""},
+		RawClaims:    rawClaims,
+	})
+	if err != nil {
+		return Identity{}, err
+	}
+	return identityFromRow(row), nil
+}
+
+func providerFromRow(row sqlc.IamSsoProvider) (Provider, error) {
+	var oidcCfg OIDCProviderConfig
+	var samlCfg SAMLProviderConfig
+	if row.Type == string(ProviderTypeOIDC) {
+		if err := json.Unmarshal(row.Config, &oidcCfg); err != nil {
+			return Provider{}, err
+		}
+	}
+	if row.Type == string(ProviderTypeSAML) {
+		if err := json.Unmarshal(row.Config, &samlCfg); err != nil {
+			return Provider{}, err
+		}
+	}
+	var mapping AttributeMapping
+	if len(row.AttributeMapping) > 0 {
+		if err := json.Unmarshal(row.AttributeMapping, &mapping); err != nil {
+			return Provider{}, err
+		}
+	}
+	return Provider{
+		ID:                 row.ID.String(),
+		Type:               ProviderType(row.Type),
+		Key:                row.Key,
+		Name:               row.Name,
+		Enabled:            row.Enabled,
+		OIDC:               oidcCfg,
+		SAML:               samlCfg,
+		AttributeMapping:   mapping,
+		JITEnabled:         row.JitEnabled,
+		EmailLinkingPolicy: EmailLinkingPolicy(row.EmailLinkingPolicy),
+		TrustEmail:         row.TrustEmail,
+	}, nil
+}
+
+func identityFromRow(row sqlc.IamIdentity) Identity {
+	return Identity{
+		ID:           row.ID.String(),
+		UserID:       row.UserID.String(),
+		ProviderType: ProviderType(row.ProviderType),
+		ProviderID:   row.ProviderID.String(),
+		Subject:      row.Subject,
+	}
+}
+
+func userFromRow(row sqlc.IamUser) User {
+	return User{
+		ID:          row.ID.String(),
+		Email:       row.Email.String,
+		Username:    row.Username.String,
+		DisplayName: row.DisplayName.String,
+		AvatarURL:   row.AvatarUrl.String,
+		IsActive:    row.IsActive,
+	}
+}
+
+func mapSSOErr(err error) error {
+	if errors.Is(err, pgx.ErrNoRows) || errors.Is(err, db.ErrNotFound) {
+		return ErrNotFound
+	}
+	return err
+}
diff --git a/internal/iam/sso/login_code.go b/internal/iam/sso/login_code.go
new file mode 100644
index 000000000..fd4216ed6
--- /dev/null
+++ b/internal/iam/sso/login_code.go
@@ -0,0 +1,22 @@
+package sso
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+)
+
+func GenerateLoginCode() (code string, codeHash string, err error) {
+	raw := make([]byte, LoginCodeBytes)
+	if _, err := rand.Read(raw); err != nil {
+		return "", "", err
+	}
+	code = base64.RawURLEncoding.EncodeToString(raw)
+	return code, HashLoginCode(code), nil
+}
+
+func HashLoginCode(code string) string {
+	sum := sha256.Sum256([]byte(code))
+	return hex.EncodeToString(sum[:])
+}
diff --git a/internal/iam/sso/login_code_test.go b/internal/iam/sso/login_code_test.go
new file mode 100644
index 000000000..84221b1de
--- /dev/null
+++ b/internal/iam/sso/login_code_test.go
@@ -0,0 +1,22 @@
+package sso
+
+import "testing"
+
+func TestGenerateLoginCodeHashesOnlyCode(t *testing.T) {
+	code, hash, err := GenerateLoginCode()
+	if err != nil {
+		t.Fatalf("generate code: %v", err)
+	}
+	if code == "" || hash == "" {
+		t.Fatal("expected code and hash")
+	}
+	if code == hash {
+		t.Fatal("hash must not equal raw code")
+	}
+	if got := HashLoginCode(code); got != hash {
+		t.Fatalf("hash mismatch: %s != %s", got, hash)
+	}
+	if len(hash) != 64 {
+		t.Fatalf("sha256 hex length = %d", len(hash))
+	}
+}
diff --git a/internal/iam/sso/oidc.go b/internal/iam/sso/oidc.go
new file mode 100644
index 000000000..c02567b2e
--- /dev/null
+++ b/internal/iam/sso/oidc.go
@@ -0,0 +1,188 @@
+package sso
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"golang.org/x/oauth2"
+)
+
+type OIDCAuthRedirect struct {
+	URL           string
+	CodeVerifier  string
+	CodeChallenge string
+}
+
+func BuildOIDCAuthRedirect(ctx context.Context, cfg OIDCProviderConfig, state string, nonce string, codeVerifier string) (OIDCAuthRedirect, error) {
+	if state == "" || nonce == "" || codeVerifier == "" {
+		return OIDCAuthRedirect{}, ErrInvalidProfile
+	}
+	scopes := cfg.Scopes
+	if len(scopes) == 0 {
+		scopes = []string{"openid", "profile", "email"}
+	}
+	relyingParty, err := relyingPartyForConfig(ctx, cfg, scopes)
+	if err != nil {
+		return OIDCAuthRedirect{}, err
+	}
+	codeChallenge := oidc.NewSHACodeChallenge(codeVerifier)
+	authURL := rp.AuthURL(
+		state,
+		relyingParty,
+		rp.WithCodeChallenge(codeChallenge),
+		rp.AuthURLOpt(rp.WithURLParam("nonce", nonce)),
+	)
+	return OIDCAuthRedirect{URL: authURL, CodeVerifier: codeVerifier, CodeChallenge: codeChallenge}, nil
+}
+
+func ExchangeOIDCCode(ctx context.Context, cfg OIDCProviderConfig, code string, codeVerifier string) (*oidc.IDTokenClaims, error) {
+	scopes := cfg.Scopes
+	if len(scopes) == 0 {
+		scopes = []string{"openid", "profile", "email"}
+	}
+	relyingParty, err := relyingPartyForConfig(ctx, cfg, scopes)
+	if err != nil {
+		return nil, err
+	}
+	tokens, err := rp.CodeExchange[*oidc.IDTokenClaims](ctx, code, relyingParty, rp.WithCodeVerifier(codeVerifier))
+	if err != nil {
+		return nil, err
+	}
+	return tokens.IDTokenClaims, nil
+}
+
+func relyingPartyForConfig(ctx context.Context, cfg OIDCProviderConfig, scopes []string) (rp.RelyingParty, error) {
+	if cfg.ClientID == "" || cfg.RedirectURL == "" {
+		return nil, ErrInvalidProvider
+	}
+	if cfg.AuthorizationEndpoint != "" {
+		oauthConfig := &oauth2.Config{
+			ClientID:     cfg.ClientID,
+			ClientSecret: cfg.ClientSecret,
+			RedirectURL:  cfg.RedirectURL,
+			Scopes:       scopes,
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  cfg.AuthorizationEndpoint,
+				TokenURL: cfg.TokenEndpoint,
+			},
+		}
+		return rp.NewRelyingPartyOAuth(oauthConfig)
+	}
+	if cfg.Issuer == "" {
+		return nil, ErrInvalidProvider
+	}
+	return rp.NewRelyingPartyOIDC(ctx, cfg.Issuer, cfg.ClientID, cfg.ClientSecret, cfg.RedirectURL, scopes)
+}
+
+func NormalizeOIDCClaims(provider Provider, claims *oidc.IDTokenClaims) (NormalizedProfile, error) {
+	if claims == nil {
+		return NormalizedProfile{}, ErrInvalidProfile
+	}
+	issuer := strings.TrimSpace(claims.Issuer)
+	subject := strings.TrimSpace(claims.Subject)
+	if issuer == "" || subject == "" {
+		return NormalizedProfile{}, ErrInvalidProfile
+	}
+	rawClaims := map[string]any{}
+	if claims.Claims != nil {
+		for key, value := range claims.Claims {
+			rawClaims[key] = value
+		}
+	}
+	rawClaims["iss"] = issuer
+	rawClaims["sub"] = subject
+	rawClaims["email"] = claims.Email
+	rawClaims["email_verified"] = bool(claims.EmailVerified)
+	rawClaims["preferred_username"] = claims.PreferredUsername
+	rawClaims["name"] = claims.Name
+	rawClaims["picture"] = claims.Picture
+
+	mapping := provider.AttributeMapping
+	email := firstClaimString(rawClaims, mapping.Email, "email")
+	username := firstClaimString(rawClaims, mapping.Username, "preferred_username", "nickname", "email")
+	displayName := firstClaimString(rawClaims, mapping.DisplayName, "name", "preferred_username", "email")
+	avatarURL := firstClaimString(rawClaims, mapping.AvatarURL, "picture")
+	groupKeys := mapping.Groups
+	if len(groupKeys) == 0 {
+		groupKeys = []string{"groups", "roles", "memberOf"}
+	}
+
+	return NormalizedProfile{
+		ProviderType:  ProviderTypeOIDC,
+		ProviderID:    provider.ID,
+		Subject:       issuer + "|" + subject,
+		Email:         NormalizeEmail(email),
+		EmailVerified: bool(claims.EmailVerified),
+		Username:      username,
+		DisplayName:   displayName,
+		AvatarURL:     avatarURL,
+		Groups:        extractClaimStrings(rawClaims, groupKeys...),
+		RawClaims:     rawClaims,
+	}, nil
+}
+
+func firstClaimString(claims map[string]any, keys ...string) string {
+	for _, key := range keys {
+		values := extractClaimStrings(claims, key)
+		if len(values) > 0 {
+			return values[0]
+		}
+	}
+	return ""
+}
+
+func extractClaimStrings(claims map[string]any, keys ...string) []string {
+	out := make([]string, 0)
+	for _, key := range keys {
+		value, ok := nestedClaim(claims, key)
+		if !ok {
+			continue
+		}
+		out = append(out, stringifyClaim(value)...)
+	}
+	return dedupeStrings(out)
+}
+
+func nestedClaim(claims map[string]any, key string) (any, bool) {
+	if key == "" {
+		return nil, false
+	}
+	parts := strings.Split(key, ".")
+	var current any = claims
+	for _, part := range parts {
+		object, ok := current.(map[string]any)
+		if !ok {
+			return nil, false
+		}
+		current, ok = object[part]
+		if !ok {
+			return nil, false
+		}
+	}
+	return current, true
+}
+
+func stringifyClaim(value any) []string {
+	switch v := value.(type) {
+	case string:
+		if strings.Contains(v, ",") {
+			return strings.Split(v, ",")
+		}
+		return []string{v}
+	case []string:
+		return v
+	case []any:
+		out := make([]string, 0, len(v))
+		for _, item := range v {
+			out = append(out, stringifyClaim(item)...)
+		}
+		return out
+	case json.Number:
+		return []string{v.String()}
+	default:
+		return nil
+	}
+}
diff --git a/internal/iam/sso/oidc_test.go b/internal/iam/sso/oidc_test.go
new file mode 100644
index 000000000..b40cafec6
--- /dev/null
+++ b/internal/iam/sso/oidc_test.go
@@ -0,0 +1,83 @@
+package sso
+
+import (
+	"context"
+	"net/url"
+	"reflect"
+	"testing"
+
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+)
+
+func TestBuildOIDCAuthRedirect(t *testing.T) { //nolint:gosec // test client IDs and endpoints are not credentials.
+	// #nosec G101 -- test client IDs and endpoints are not credentials.
+	redirect, err := BuildOIDCAuthRedirect(context.Background(), OIDCProviderConfig{
+		ClientID:              "client-1",
+		RedirectURL:           "https://memoh.example.com/auth/sso/google/callback",
+		Scopes:                []string{"openid", "profile", "email", "groups"},
+		AuthorizationEndpoint: "https://idp.example.com/oauth2/auth",
+		TokenEndpoint:         "https://idp.example.com/oauth2/token",
+	}, "state-1", "nonce-1", "verifier-1")
+	if err != nil {
+		t.Fatalf("build redirect: %v", err)
+	}
+	parsed, err := url.Parse(redirect.URL)
+	if err != nil {
+		t.Fatalf("parse redirect: %v", err)
+	}
+	query := parsed.Query()
+	if parsed.String() == "" || query.Get("state") != "state-1" || query.Get("nonce") != "nonce-1" {
+		t.Fatalf("redirect missing state/nonce: %s", redirect.URL)
+	}
+	if query.Get("code_challenge") != redirect.CodeChallenge || query.Get("code_challenge_method") != "S256" {
+		t.Fatalf("redirect missing pkce: %s", redirect.URL)
+	}
+	if redirect.CodeVerifier != "verifier-1" {
+		t.Fatalf("code verifier = %q", redirect.CodeVerifier)
+	}
+}
+
+func TestNormalizeOIDCClaims(t *testing.T) {
+	provider := testProvider()
+	provider.AttributeMapping = AttributeMapping{
+		Groups: []string{"groups", "realm_access.roles"},
+	}
+	claims := &oidc.IDTokenClaims{
+		TokenClaims: oidc.TokenClaims{
+			Issuer:  "https://accounts.example.com",
+			Subject: "subject-1",
+		},
+		UserInfoProfile: oidc.UserInfoProfile{
+			Name:              "Jane Doe",
+			PreferredUsername: "jane",
+			Picture:           "https://example.com/avatar.png",
+		},
+		UserInfoEmail: oidc.UserInfoEmail{
+			Email:         "Jane@Example.COM",
+			EmailVerified: true,
+		},
+		Claims: map[string]any{
+			"groups": []any{"engineering", "ops"},
+			"realm_access": map[string]any{
+				"roles": []any{"admin", "engineering"},
+			},
+		},
+	}
+
+	profile, err := NormalizeOIDCClaims(provider, claims)
+	if err != nil {
+		t.Fatalf("normalize claims: %v", err)
+	}
+	if profile.Subject != "https://accounts.example.com|subject-1" {
+		t.Fatalf("subject = %q", profile.Subject)
+	}
+	if profile.Email != "jane@example.com" || !profile.EmailVerified {
+		t.Fatalf("email = %q verified=%v", profile.Email, profile.EmailVerified)
+	}
+	if profile.Username != "jane" || profile.DisplayName != "Jane Doe" || profile.AvatarURL == "" {
+		t.Fatalf("profile fields = %#v", profile)
+	}
+	if !reflect.DeepEqual(profile.Groups, []string{"engineering", "ops", "admin"}) {
+		t.Fatalf("groups = %#v", profile.Groups)
+	}
+}
diff --git a/internal/iam/sso/saml.go b/internal/iam/sso/saml.go
new file mode 100644
index 000000000..0369f7184
--- /dev/null
+++ b/internal/iam/sso/saml.go
@@ -0,0 +1,100 @@
+package sso
+
+import (
+	"strings"
+
+	"github.com/crewjam/saml"
+)
+
+func NormalizeSAMLAssertion(provider Provider, assertion *saml.Assertion) (NormalizedProfile, error) {
+	if assertion == nil || assertion.Subject == nil || assertion.Subject.NameID == nil {
+		return NormalizedProfile{}, ErrInvalidProfile
+	}
+	subject := strings.TrimSpace(assertion.Subject.NameID.Value)
+	if subject == "" {
+		return NormalizedProfile{}, ErrInvalidProfile
+	}
+	attributes := samlAttributes(assertion)
+	mapping := provider.AttributeMapping
+
+	email := firstAttribute(attributes, mapping.Email, "email", "Email", "mail")
+	username := firstAttribute(attributes, mapping.Username, "username", "uid", "email", "Email", "mail")
+	displayName := firstAttribute(attributes, mapping.DisplayName, "displayName", "DisplayName", "name", "cn")
+	avatarURL := firstAttribute(attributes, mapping.AvatarURL, "avatar_url", "picture")
+	groupKeys := mapping.Groups
+	if len(groupKeys) == 0 {
+		groupKeys = []string{"groups", "Groups", "memberOf"}
+	}
+
+	return NormalizedProfile{
+		ProviderType: ProviderTypeSAML,
+		ProviderID:   provider.ID,
+		Subject:      subject,
+		Email:        NormalizeEmail(email),
+		Username:     username,
+		DisplayName:  displayName,
+		AvatarURL:    avatarURL,
+		Groups:       extractAttributes(attributes, groupKeys...),
+		Attributes:   firstAttributeValues(attributes),
+	}, nil
+}
+
+func samlAttributes(assertion *saml.Assertion) map[string][]string {
+	attributes := make(map[string][]string)
+	for _, statement := range assertion.AttributeStatements {
+		for _, attribute := range statement.Attributes {
+			values := make([]string, 0, len(attribute.Values))
+			for _, value := range attribute.Values {
+				if strings.TrimSpace(value.Value) != "" {
+					values = append(values, value.Value)
+				}
+				if value.NameID != nil && strings.TrimSpace(value.NameID.Value) != "" {
+					values = append(values, value.NameID.Value)
+				}
+			}
+			values = dedupeStrings(values)
+			if len(values) == 0 {
+				continue
+			}
+			if attribute.Name != "" {
+				attributes[attribute.Name] = append(attributes[attribute.Name], values...)
+			}
+			if attribute.FriendlyName != "" {
+				attributes[attribute.FriendlyName] = append(attributes[attribute.FriendlyName], values...)
+			}
+		}
+	}
+	for key, values := range attributes {
+		attributes[key] = dedupeStrings(values)
+	}
+	return attributes
+}
+
+func firstAttribute(attributes map[string][]string, keys ...string) string {
+	values := extractAttributes(attributes, keys...)
+	if len(values) == 0 {
+		return ""
+	}
+	return values[0]
+}
+
+func extractAttributes(attributes map[string][]string, keys ...string) []string {
+	out := make([]string, 0)
+	for _, key := range keys {
+		if key == "" {
+			continue
+		}
+		out = append(out, attributes[key]...)
+	}
+	return dedupeStrings(out)
+}
+
+func firstAttributeValues(attributes map[string][]string) map[string]string {
+	out := make(map[string]string, len(attributes))
+	for key, values := range attributes {
+		if len(values) > 0 {
+			out[key] = values[0]
+		}
+	}
+	return out
+}
diff --git a/internal/iam/sso/saml_test.go b/internal/iam/sso/saml_test.go
new file mode 100644
index 000000000..fe42d1c74
--- /dev/null
+++ b/internal/iam/sso/saml_test.go
@@ -0,0 +1,42 @@
+package sso
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/crewjam/saml"
+)
+
+func TestNormalizeSAMLAssertion(t *testing.T) {
+	provider := Provider{
+		ID:      "provider-1",
+		Type:    ProviderTypeSAML,
+		Enabled: true,
+		AttributeMapping: AttributeMapping{
+			Groups: []string{"memberOf"},
+		},
+	}
+	assertion := &saml.Assertion{
+		Subject: &saml.Subject{NameID: &saml.NameID{Value: "name-id-1"}},
+		AttributeStatements: []saml.AttributeStatement{
+			{
+				Attributes: []saml.Attribute{
+					{Name: "email", Values: []saml.AttributeValue{{Value: "User@Example.COM"}}},
+					{Name: "displayName", Values: []saml.AttributeValue{{Value: "Jane Doe"}}},
+					{Name: "memberOf", Values: []saml.AttributeValue{{Value: "engineering"}, {Value: "ops"}, {Value: "engineering"}}},
+				},
+			},
+		},
+	}
+
+	profile, err := NormalizeSAMLAssertion(provider, assertion)
+	if err != nil {
+		t.Fatalf("normalize assertion: %v", err)
+	}
+	if profile.Subject != "name-id-1" || profile.Email != "user@example.com" || profile.DisplayName != "Jane Doe" {
+		t.Fatalf("profile = %#v", profile)
+	}
+	if !reflect.DeepEqual(profile.Groups, []string{"engineering", "ops"}) {
+		t.Fatalf("groups = %#v", profile.Groups)
+	}
+}
diff --git a/internal/iam/sso/service.go b/internal/iam/sso/service.go
new file mode 100644
index 000000000..4c959398f
--- /dev/null
+++ b/internal/iam/sso/service.go
@@ -0,0 +1,132 @@
+package sso
+
+import (
+	"context"
+	"errors"
+)
+
+type Store interface {
+	FindIdentity(ctx context.Context, providerType ProviderType, providerID string, subject string) (Identity, User, error)
+	FindUserByEmail(ctx context.Context, normalizedEmail string) (User, error)
+	CreateUserWithIdentity(ctx context.Context, profile NormalizedProfile) (Identity, User, error)
+	LinkIdentity(ctx context.Context, userID string, profile NormalizedProfile) (Identity, error)
+	UpdateIdentityProfile(ctx context.Context, identityID string, profile NormalizedProfile) error
+	FindGroupMappings(ctx context.Context, providerID string, externalGroups []string) ([]GroupMapping, error)
+	ReplaceSSOGroupMemberships(ctx context.Context, userID string, providerID string, groupIDs []string) error
+}
+
+type Service struct {
+	store Store
+}
+
+func NewService(store Store) *Service {
+	return &Service{store: store}
+}
+
+func (s *Service) FindOrProvisionUser(ctx context.Context, provider Provider, profile NormalizedProfile) (ProvisionResult, error) {
+	if s == nil || s.store == nil {
+		return ProvisionResult{}, errors.New("sso: store is required")
+	}
+	if !provider.Enabled {
+		return ProvisionResult{}, ErrProviderDisabled
+	}
+	if provider.ID == "" || provider.Type == "" {
+		return ProvisionResult{}, ErrInvalidProvider
+	}
+	if profile.Subject == "" {
+		return ProvisionResult{}, ErrInvalidProfile
+	}
+	profile.ProviderID = provider.ID
+	profile.ProviderType = provider.Type
+	profile.Email = NormalizeEmail(profile.Email)
+	profile.Groups = dedupeStrings(profile.Groups)
+
+	identity, user, err := s.store.FindIdentity(ctx, profile.ProviderType, profile.ProviderID, profile.Subject)
+	if err == nil {
+		if updateErr := s.store.UpdateIdentityProfile(ctx, identity.ID, profile); updateErr != nil {
+			return ProvisionResult{}, updateErr
+		}
+		return ProvisionResult{User: user, Identity: identity}, nil
+	}
+	if !errors.Is(err, ErrNotFound) {
+		return ProvisionResult{}, err
+	}
+
+	if profile.Email != "" {
+		switch provider.normalizedEmailLinkingPolicy() {
+		case EmailLinkingPolicyLinkExisting:
+			if providerCanLinkEmail(provider, profile) {
+				existingUser, findErr := s.store.FindUserByEmail(ctx, profile.Email)
+				if findErr == nil {
+					identity, linkErr := s.store.LinkIdentity(ctx, existingUser.ID, profile)
+					if linkErr != nil {
+						return ProvisionResult{}, linkErr
+					}
+					return ProvisionResult{User: existingUser, Identity: identity, Linked: true}, nil
+				}
+				if !errors.Is(findErr, ErrNotFound) {
+					return ProvisionResult{}, findErr
+				}
+			}
+		case EmailLinkingPolicyRejectExisting:
+			existingUser, findErr := s.store.FindUserByEmail(ctx, profile.Email)
+			if findErr == nil && existingUser.ID != "" {
+				return ProvisionResult{}, ErrEmailAlreadyBound
+			}
+			if findErr != nil && !errors.Is(findErr, ErrNotFound) {
+				return ProvisionResult{}, findErr
+			}
+		default:
+			return ProvisionResult{}, ErrInvalidProvider
+		}
+	}
+
+	if !provider.JITEnabled {
+		return ProvisionResult{}, ErrJITDisabled
+	}
+	identity, user, err = s.store.CreateUserWithIdentity(ctx, profile)
+	if err != nil {
+		return ProvisionResult{}, err
+	}
+	return ProvisionResult{User: user, Identity: identity, Created: true}, nil
+}
+
+func (s *Service) SyncMappedGroups(ctx context.Context, provider Provider, userID string, externalGroups []string) error {
+	if s == nil || s.store == nil {
+		return errors.New("sso: store is required")
+	}
+	if provider.ID == "" {
+		return ErrInvalidProvider
+	}
+	if userID == "" {
+		return ErrInvalidProfile
+	}
+	externalGroups = dedupeStrings(externalGroups)
+	mappings, err := s.store.FindGroupMappings(ctx, provider.ID, externalGroups)
+	if err != nil {
+		return err
+	}
+	groupIDs := make([]string, 0, len(mappings))
+	seen := make(map[string]struct{}, len(mappings))
+	for _, mapping := range mappings {
+		if mapping.GroupID == "" {
+			continue
+		}
+		if _, ok := seen[mapping.GroupID]; ok {
+			continue
+		}
+		seen[mapping.GroupID] = struct{}{}
+		groupIDs = append(groupIDs, mapping.GroupID)
+	}
+	return s.store.ReplaceSSOGroupMemberships(ctx, userID, provider.ID, groupIDs)
+}
+
+func providerCanLinkEmail(provider Provider, profile NormalizedProfile) bool {
+	if !provider.TrustEmail {
+		return false
+	}
+	if profile.ProviderType == ProviderTypeOIDC && !profile.EmailVerified {
+		return false
+	}
+	return true
+}
diff --git a/internal/iam/sso/service_test.go b/internal/iam/sso/service_test.go
new file mode 100644
index 000000000..a9e6547bd
--- /dev/null
+++ b/internal/iam/sso/service_test.go
@@ -0,0 +1,195 @@
+package sso
+
+import (
+	"context"
+	"errors"
+	"reflect"
+	"testing"
+)
+
+type fakeStore struct {
+	identity     Identity
+	identityUser User
+	identityErr  error
+
+	userByEmail    User
+	userByEmailErr error
+
+	createdIdentity Identity
+	createdUser     User
+	linkedIdentity  Identity
+
+	updatedIdentityID string
+	updatedProfile    NormalizedProfile
+	linkedUserID      string
+	linkedProfile     NormalizedProfile
+	createdProfile    NormalizedProfile
+
+	mappings              []GroupMapping
+	mappingProviderID     string
+	mappingExternalGroups []string
+	replacedUserID        string
+	replacedProviderID    string
+	replacedGroupIDs      []string
+}
+
+func (s *fakeStore) FindIdentity(context.Context, ProviderType, string, string) (Identity, User, error) {
+	return s.identity, s.identityUser, s.identityErr
+}
+
+func (s *fakeStore) FindUserByEmail(context.Context, string) (User, error) {
+	return s.userByEmail, s.userByEmailErr
+}
+
+func (s *fakeStore) CreateUserWithIdentity(_ context.Context, profile NormalizedProfile) (Identity, User, error) {
+	s.createdProfile = profile
+	return s.createdIdentity, s.createdUser, nil
+}
+
+func (s *fakeStore) LinkIdentity(_ context.Context, userID string, profile NormalizedProfile) (Identity, error) {
+	s.linkedUserID = userID
+	s.linkedProfile = profile
+	return s.linkedIdentity, nil
+}
+
+func (s *fakeStore) UpdateIdentityProfile(_ context.Context, identityID string, profile NormalizedProfile) error {
+	s.updatedIdentityID = identityID
+	s.updatedProfile = profile
+	return nil
+}
+
+func (s *fakeStore) FindGroupMappings(_ context.Context, providerID string, externalGroups []string) ([]GroupMapping, error) {
+	s.mappingProviderID = providerID
+	s.mappingExternalGroups = append([]string(nil), externalGroups...)
+	return s.mappings, nil
+}
+
+func (s *fakeStore) ReplaceSSOGroupMemberships(_ context.Context, userID string, providerID string, groupIDs []string) error {
+	s.replacedUserID = userID
+	s.replacedProviderID = providerID
+	s.replacedGroupIDs = append([]string(nil), groupIDs...)
+	return nil
+}
+
+func testProvider() Provider {
+	return Provider{
+		ID:                 "provider-1",
+		Type:               ProviderTypeOIDC,
+		Enabled:            true,
+		JITEnabled:         true,
+		EmailLinkingPolicy: EmailLinkingPolicyLinkExisting,
+		TrustEmail:         true,
+	}
+}
+
+func TestFindOrProvisionUserUpdatesExistingIdentity(t *testing.T) {
+	store := &fakeStore{
+		identity:     Identity{ID: "identity-1", UserID: "user-1"},
+		identityUser: User{ID: "user-1"},
+		identityErr:  nil,
+	}
+	service := NewService(store)
+
+	result, err := service.FindOrProvisionUser(context.Background(), testProvider(), NormalizedProfile{Subject: "issuer|sub", Email: "User@Example.COM"})
+	if err != nil {
+		t.Fatalf("find user: %v", err)
+	}
+	if result.User.ID != "user-1" || result.Identity.ID != "identity-1" {
+		t.Fatalf("unexpected result: %#v", result)
+	}
+	if store.updatedIdentityID != "identity-1" {
+		t.Fatalf("identity was not updated")
+	}
+	if store.updatedProfile.Email != "user@example.com" {
+		t.Fatalf("email not normalized: %q", store.updatedProfile.Email)
+	}
+}
+
+func TestFindOrProvisionUserLinksExistingEmailWhenTrustedOIDCVerified(t *testing.T) {
+	store := &fakeStore{
+		identityErr:    ErrNotFound,
+		userByEmail:    User{ID: "user-1", Email: "user@example.com"},
+		userByEmailErr: nil,
+		linkedIdentity: Identity{ID: "identity-2", UserID: "user-1"},
+	}
+	service := NewService(store)
+
+	result, err := service.FindOrProvisionUser(context.Background(), testProvider(), NormalizedProfile{
+		Subject:       "issuer|sub",
+		Email:         "User@Example.COM",
+		EmailVerified: true,
+	})
+	if err != nil {
+		t.Fatalf("link user: %v", err)
+	}
+	if !result.Linked || store.linkedUserID != "user-1" {
+		t.Fatalf("expected linked existing user, result=%#v linkedUserID=%q", result, store.linkedUserID)
+	}
+}
+
+func TestFindOrProvisionUserDoesNotLinkUnverifiedOIDCEmail(t *testing.T) {
+	store := &fakeStore{
+		identityErr:     ErrNotFound,
+		userByEmail:     User{ID: "user-1", Email: "user@example.com"},
+		userByEmailErr:  nil,
+		createdIdentity: Identity{ID: "identity-3", UserID: "user-2"},
+		createdUser:     User{ID: "user-2"},
+	}
+	service := NewService(store)
+
+	result, err := service.FindOrProvisionUser(context.Background(), testProvider(), NormalizedProfile{
+		Subject:       "issuer|sub",
+		Email:         "user@example.com",
+		EmailVerified: false,
+	})
+	if err != nil {
+		t.Fatalf("create user: %v", err)
+	}
+	if !result.Created || store.linkedUserID != "" {
+		t.Fatalf("expected create without link, result=%#v linkedUserID=%q", result, store.linkedUserID)
+	}
+}
+
+func TestFindOrProvisionUserRejectsExistingEmail(t *testing.T) {
+	store := &fakeStore{
+		identityErr:    ErrNotFound,
+		userByEmail:    User{ID: "user-1"},
+		userByEmailErr: nil,
+	}
+	provider := testProvider()
+	provider.EmailLinkingPolicy = EmailLinkingPolicyRejectExisting
+	service := NewService(store)
+
+	_, err := service.FindOrProvisionUser(context.Background(), provider, NormalizedProfile{
+		Subject: "issuer|sub",
+		Email:   "user@example.com",
+	})
+	if !errors.Is(err, ErrEmailAlreadyBound) {
+		t.Fatalf("expected ErrEmailAlreadyBound, got %v", err)
+	}
+}
+
+func TestSyncMappedGroupsReplacesOnlyMappedGroups(t *testing.T) {
+	store := &fakeStore{
+		mappings: []GroupMapping{
+			{ExternalGroup: "engineering", GroupID: "group-1"},
+			{ExternalGroup: "ops", GroupID: "group-2"},
+			{ExternalGroup: "ops-duplicate", GroupID: "group-2"},
+		},
+	}
+	service := NewService(store)
+
+	err := service.SyncMappedGroups(context.Background(), testProvider(), "user-1", []string{"engineering", "ops", "engineering", "unmapped"})
+	if err != nil {
+		t.Fatalf("sync groups: %v", err)
+	}
+	if store.mappingProviderID != "provider-1" {
+		t.Fatalf("mapping provider = %q", store.mappingProviderID)
+	}
+	if !reflect.DeepEqual(store.mappingExternalGroups, []string{"engineering", "ops", "unmapped"}) {
+		t.Fatalf("external groups = %#v", store.mappingExternalGroups)
+	}
+	if !reflect.DeepEqual(store.replacedGroupIDs, []string{"group-1", "group-2"}) {
+		t.Fatalf("replaced groups = %#v", store.replacedGroupIDs)
+	}
+}
diff --git a/internal/iam/sso/types.go b/internal/iam/sso/types.go
new file mode 100644
index 000000000..71fcf6f0e
--- /dev/null
+++ b/internal/iam/sso/types.go
@@ -0,0 +1,171 @@
+package sso
+
+import (
+	"errors"
+	"strings"
+	"time"
+)
+
+type ProviderType string
+
+const (
+	ProviderTypeOIDC ProviderType = "oidc"
+	ProviderTypeSAML ProviderType = "saml"
+)
+
+type EmailLinkingPolicy string
+
+const (
+	EmailLinkingPolicyLinkExisting   EmailLinkingPolicy = "link_existing"
+	EmailLinkingPolicyRejectExisting EmailLinkingPolicy = "reject_existing"
+)
+
+type OIDCProviderConfig struct {
+	Issuer                string   `json:"issuer"`
+	ClientID              string   `json:"client_id"`
+	ClientSecret          string   `json:"client_secret"` //nolint:gosec // provider configuration must carry the OAuth client secret.
+	RedirectURL           string   `json:"redirect_url"`
+	Scopes                []string `json:"scopes"`
+	AuthorizationEndpoint string   `json:"authorization_endpoint,omitempty"`
+	TokenEndpoint         string   `json:"token_endpoint,omitempty"`
+}
+
+type SAMLProviderConfig struct {
+	EntityID    string `json:"entity_id"`
+	MetadataXML string `json:"metadata_xml"`
+	MetadataURL string `json:"metadata_url,omitempty"`
+	ACSURL      string `json:"acs_url"`
+}
+
+type Provider struct {
+	ID                 string             `json:"id"`
+	Type               ProviderType       `json:"type"`
+	Key                string             `json:"key"`
+	Name               string             `json:"name"`
+	Enabled            bool               `json:"enabled"`
+	OIDC               OIDCProviderConfig `json:"oidc,omitempty"`
+	SAML               SAMLProviderConfig `json:"saml,omitempty"`
+	AttributeMapping   AttributeMapping   `json:"attribute_mapping"`
+	JITEnabled         bool               `json:"jit_enabled"`
+	EmailLinkingPolicy EmailLinkingPolicy `json:"email_linking_policy"`
+	TrustEmail         bool               `json:"trust_email"`
+}
+
+func (p Provider) normalizedEmailLinkingPolicy() EmailLinkingPolicy {
+	switch p.EmailLinkingPolicy {
+	case "", EmailLinkingPolicyLinkExisting:
+		return EmailLinkingPolicyLinkExisting
+	case EmailLinkingPolicyRejectExisting:
+		return EmailLinkingPolicyRejectExisting
+	default:
+		return p.EmailLinkingPolicy
+	}
+}
+
+type AttributeMapping struct {
+	Subject     string   `json:"subject,omitempty"`
+	Email       string   `json:"email,omitempty"`
+	Username    string   `json:"username,omitempty"`
+	DisplayName string   `json:"display_name,omitempty"`
+	AvatarURL   string   `json:"avatar_url,omitempty"`
+	Groups      []string `json:"groups,omitempty"`
+}
+
+type NormalizedProfile struct {
+	ProviderType  ProviderType      `json:"provider_type"`
+	ProviderID    string            `json:"provider_id"`
+	Subject       string            `json:"subject"`
+	Email         string            `json:"email,omitempty"`
+	EmailVerified bool              `json:"email_verified,omitempty"`
+	Username      string            `json:"username,omitempty"`
+	DisplayName   string            `json:"display_name,omitempty"`
+	AvatarURL     string            `json:"avatar_url,omitempty"`
+	Groups        []string          `json:"groups,omitempty"`
+	RawClaims     map[string]any    `json:"raw_claims,omitempty"`
+	Attributes    map[string]string `json:"attributes,omitempty"`
+}
+
+func (p NormalizedProfile) NormalizedEmail() string {
+	return NormalizeEmail(p.Email)
+}
+
+func NormalizeEmail(email string) string {
+	return strings.ToLower(strings.TrimSpace(email))
+}
+
+func dedupeStrings(values []string) []string {
+	seen := make(map[string]struct{}, len(values))
+	out := make([]string, 0, len(values))
+	for _, value := range values {
+		value = strings.TrimSpace(value)
+		if value == "" {
+			continue
+		}
+		if _, ok := seen[value]; ok {
+			continue
+		}
+		seen[value] = struct{}{}
+		out = append(out, value)
+	}
+	return out
+}
+
+type User struct {
+	ID          string
+	Email       string
+	Username    string
+	DisplayName string
+	AvatarURL   string
+	IsActive    bool
+}
+
+type Identity struct {
+	ID           string
+	UserID       string
+	ProviderType ProviderType
+	ProviderID   string
+	Subject      string
+}
+
+type GroupMapping struct {
+	ExternalGroup string
+	GroupID       string
+}
+
+type ProvisionResult struct {
+	User     User
+	Identity Identity
+	Created  bool
+	Linked   bool
+}
+
+type LoginCode struct {
+	Code        string
+	UserID      string
+	SessionID   string
+	RedirectURL string
+}
+
+type SAMLAuthRedirect struct {
+	URL        string
+	RelayState string
+	RequestID  string
+}
+
+var (
+	ErrNotFound          = errors.New("sso: not found")
+	ErrProviderDisabled  = errors.New("sso: provider disabled")
+	ErrInvalidProvider   = errors.New("sso: invalid provider")
+	ErrInvalidProfile    = errors.New("sso: invalid profile")
+	ErrJITDisabled       = errors.New("sso: jit disabled")
+	ErrEmailAlreadyBound = errors.New("sso: email already bound")
+)
+
+const (
+	OIDCStateCookieName = "memoh_oidc_state"
+	OIDCStateCookieTTL  = 10 * time.Minute
+	SAMLStateCookieName = "memoh_saml_state"
+	SAMLStateCookieTTL  = 10 * time.Minute
+	LoginCodeBytes      = 32
+	LoginCodeTTL        = 2 * time.Minute
+)
diff --git a/internal/memory/adapters/builtin/builtin.go b/internal/memory/adapters/builtin/builtin.go
index b34da98ee..4e78cac85 100644
--- a/internal/memory/adapters/builtin/builtin.go
+++ b/internal/memory/adapters/builtin/builtin.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/memohai/memoh/internal/conversation"
+	"github.com/memohai/memoh/internal/iam/rbac"
 	"github.com/memohai/memoh/internal/mcp"
 	adapters "github.com/memohai/memoh/internal/memory/adapters"
 )
@@ -50,9 +51,9 @@ type memoryRuntime interface {
 	Rebuild(ctx context.Context, botID string) (adapters.RebuildResult, error)
 }
 
-// AdminChecker checks whether a channel identity has admin privileges.
+// AdminChecker checks system-level permissions.
 type AdminChecker interface {
-	IsAdmin(ctx context.Context, channelIdentityID string) (bool, error)
+	HasPermission(ctx context.Context, check rbac.Check) (bool, error)
 }
 
 func NewBuiltinProvider(log *slog.Logger, service any, chatAccessor conversation.Accessor, adminChecker AdminChecker) *BuiltinProvider {
@@ -376,7 +377,11 @@ func (p *BuiltinProvider) CallTool(ctx context.Context, session mcp.ToolSessionC
 
 func (p *BuiltinProvider) canAccessChat(ctx context.Context, chatID, channelIdentityID string) (bool, error) {
 	if p.adminChecker != nil {
-		isAdmin, err := p.adminChecker.IsAdmin(ctx, channelIdentityID)
+		isAdmin, err := p.adminChecker.HasPermission(ctx, rbac.Check{
+			UserID:        channelIdentityID,
+			PermissionKey: rbac.PermissionSystemAdmin,
+			ResourceType:  rbac.ResourceSystem,
+		})
 		if err != nil {
 			return false, err
 		}
diff --git a/internal/providers/oauth.go b/internal/providers/oauth.go
index c430dbdfb..faf8cc08d 100644
--- a/internal/providers/oauth.go
+++ b/internal/providers/oauth.go
@@ -770,7 +770,7 @@ func toProviderOAuthToken(row sqlc.ProviderOauthToken) *oauthTokenRecord {
 	return token
 }
 
-func toUserProviderOAuthToken(row sqlc.UserProviderOauthToken) *oauthTokenRecord {
+func toUserProviderOAuthToken(row sqlc.IamUserProviderOauthToken) *oauthTokenRecord {
 	token := &oauthTokenRecord{
 		ProviderID:       row.ProviderID.String(),
 		UserID:           row.UserID.String(),
diff --git a/internal/server/server.go b/internal/server/server.go
index be1009b98..1cad372ef 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -80,6 +80,9 @@ func shouldSkipJWT(path string) bool {
 	if path == "/" || path == "/ping" || path == "/health" || path == "/api/swagger.json" || path == "/auth/login" {
 		return true
 	}
+	if path == "/auth/sso/providers" || path == "/auth/sso/exchange" || strings.HasPrefix(path, "/auth/sso/") {
+		return true
+	}
 	if strings.HasPrefix(path, "/assets/") {
 		return true
 	}
diff --git a/internal/tui/api.go b/internal/tui/api.go
index 9e161d9af..af72434b8 100644
--- a/internal/tui/api.go
+++ b/internal/tui/api.go
@@ -32,7 +32,6 @@ type LoginResponse struct {
 	TokenType   string `json:"token_type"`
 	ExpiresAt   string `json:"expires_at"`
 	UserID      string `json:"user_id"`
-	Role        string `json:"role"`
 	DisplayName string `json:"display_name"`
 	Username    string `json:"username"`
 	Timezone    string `json:"timezone,omitempty"`
diff --git a/packages/sdk/src/@pinia/colada.gen.ts b/packages/sdk/src/@pinia/colada.gen.ts
index 60ade97fd..7142128f8 100644
--- a/packages/sdk/src/@pinia/colada.gen.ts
+++ b/packages/sdk/src/@pinia/colada.gen.ts
@@ -4,8 +4,8 @@ import { type _JSONValue, defineQueryOptions, type UseMutationOptions } from '@p
 
 import { serializeQueryKeyValue } from '../client';
 import { client } from '../client.gen';
-import { deleteBotsByBotIdAclRulesByRuleId, deleteBotsByBotIdCompactionLogs, deleteBotsByBotIdContainer, deleteBotsByBotIdContainerSkills, deleteBotsByBotIdEmailBindingsById, deleteBotsByBotIdHeartbeatLogs, deleteBotsByBotIdMcpById, deleteBotsByBotIdMcpByIdOauthToken, deleteBotsByBotIdMemory, deleteBotsByBotIdMemoryById, deleteBotsByBotIdMessages, deleteBotsByBotIdScheduleById, deleteBotsByBotIdScheduleLogs, deleteBotsByBotIdSessionsBySessionId, deleteBotsByBotIdSettings, deleteBotsById, deleteBotsByIdChannelByPlatform, deleteBrowserContextsById, deleteEmailProvidersById, deleteEmailProvidersByIdOauthToken, deleteMemoryProvidersById, deleteModelsById, deleteModelsModelByModelId, deleteProvidersById, deleteProvidersByIdOauthToken, deleteSearchProvidersById, getBots, getBotsByBotIdAclChannelIdentities, getBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversations, getBotsByBotIdAclChannelTypesByChannelTypeConversations, getBotsByBotIdAclDefaultEffect, getBotsByBotIdAclRules, getBotsByBotIdCompactionLogs, getBotsByBotIdContainer, getBotsByBotIdContainerFs, getBotsByBotIdContainerFsDownload, getBotsByBotIdContainerFsList, getBotsByBotIdContainerFsRead, getBotsByBotIdContainerMetrics, getBotsByBotIdContainerSkills, getBotsByBotIdContainerSnapshots, getBotsByBotIdContainerTerminal, getBotsByBotIdContainerTerminalWs, getBotsByBotIdEmailBindings, getBotsByBotIdEmailOutbox, getBotsByBotIdEmailOutboxById, getBotsByBotIdHeartbeatLogs, getBotsByBotIdLocalWs, getBotsByBotIdMcp, getBotsByBotIdMcpById, getBotsByBotIdMcpByIdOauthStatus, getBotsByBotIdMcpExport, getBotsByBotIdMemory, getBotsByBotIdMemoryStatus, getBotsByBotIdMemoryUsage, getBotsByBotIdMessages, getBotsByBotIdSchedule, getBotsByBotIdScheduleById, getBotsByBotIdScheduleByIdLogs, getBotsByBotIdScheduleLogs, getBotsByBotIdSessions, getBotsByBotIdSessionsBySessionId, getBotsByBotIdSessionsBySessionIdStatus, getBotsByBotIdSettings, getBotsByBotIdTokenUsage, getBotsByBotIdTokenUsageRecords, getBotsById, getBotsByIdChannelByPlatform, getBotsByIdChecks, getBrowserContexts, getBrowserContextsById, getBrowserContextsCores, getChannels, getChannelsByPlatform, getEmailOauthCallback, getEmailProviders, getEmailProvidersById, getEmailProvidersByIdOauthAuthorize, getEmailProvidersByIdOauthStatus, getEmailProvidersMeta, getMemoryProviders, getMemoryProvidersById, getMemoryProvidersByIdStatus, getMemoryProvidersMeta, getModels, getModelsById, getModelsCount, getModelsModelByModelId, getPing, getProviders, getProvidersById, getProvidersByIdModels, getProvidersByIdOauthAuthorize, getProvidersByIdOauthStatus, getProvidersCount, getProvidersNameByName, getProvidersOauthCallback, getSearchProviders, getSearchProvidersById, getSearchProvidersMeta, getSpeechModels, getSpeechModelsById, getSpeechModelsByIdCapabilities, getSpeechProviders, getSpeechProvidersById, getSpeechProvidersByIdModels, getSpeechProvidersMeta, getSupermarketMcps, getSupermarketMcpsById, getSupermarketSkills, getSupermarketSkillsById, getSupermarketTags, getTranscriptionModels, getTranscriptionModelsById, getTranscriptionModelsByIdCapabilities, getTranscriptionProviders, getTranscriptionProvidersById, getTranscriptionProvidersByIdModels, getTranscriptionProvidersMeta, getUsers, getUsersById, getUsersMe, getUsersMeChannelsByPlatform, getUsersMeIdentities, type Options, patchBotsByBotIdSessionsBySessionId, patchBotsByIdChannelByPlatformStatus, postAuthLogin, postAuthRefresh, postBots, postBotsByBotIdAclRules, postBotsByBotIdContainer, postBotsByBotIdContainerDataExport, postBotsByBotIdContainerDataImport, postBotsByBotIdContainerDataRestore, postBotsByBotIdContainerFsDelete, postBotsByBotIdContainerFsMkdir, postBotsByBotIdContainerFsRename, postBotsByBotIdContainerFsUpload, postBotsByBotIdContainerFsWrite, postBotsByBotIdContainerSkills, postBotsByBotIdContainerSkillsActions, postBotsByBotIdContainerSnapshots, postBotsByBotIdContainerSnapshotsRollback, postBotsByBotIdContainerStart, postBotsByBotIdContainerStop, postBotsByBotIdEmailBindings, postBotsByBotIdLocalMessages, postBotsByBotIdMcp, postBotsByBotIdMcpByIdOauthAuthorize, postBotsByBotIdMcpByIdOauthDiscover, postBotsByBotIdMcpByIdOauthExchange, postBotsByBotIdMcpByIdProbe, postBotsByBotIdMcpOpsBatchDelete, postBotsByBotIdMcpStdio, postBotsByBotIdMcpStdioByConnectionId, postBotsByBotIdMemory, postBotsByBotIdMemoryCompact, postBotsByBotIdMemoryRebuild, postBotsByBotIdMemorySearch, postBotsByBotIdSchedule, postBotsByBotIdSessions, postBotsByBotIdSessionsBySessionIdCompact, postBotsByBotIdSettings, postBotsByBotIdSupermarketInstallMcp, postBotsByBotIdSupermarketInstallSkill, postBotsByBotIdToolApprovalsByApprovalIdApprove, postBotsByBotIdToolApprovalsByApprovalIdReject, postBotsByBotIdTools, postBotsByBotIdTtsSynthesize, postBotsByIdChannelByPlatformSend, postBotsByIdChannelByPlatformSendChat, postBrowserContexts, postEmailMailgunWebhookByConfigId, postEmailProviders, postMemoryProviders, postModels, postModelsByIdTest, postProviders, postProvidersByIdImportModels, postProvidersByIdOauthPoll, postProvidersByIdTest, postSearchProviders, postSpeechModelsByIdTest, postSpeechProvidersByIdImportModels, postTranscriptionModelsByIdTest, postTranscriptionProvidersByIdImportModels, postUsers, putBotsByBotIdAclDefaultEffect, putBotsByBotIdAclRulesByRuleId, putBotsByBotIdAclRulesReorder, putBotsByBotIdEmailBindingsById, putBotsByBotIdMcpById, putBotsByBotIdMcpImport, putBotsByBotIdScheduleById, putBotsByBotIdSettings, putBotsById, putBotsByIdChannelByPlatform, putBotsByIdOwner, putBrowserContextsById, putEmailProvidersById, putMemoryProvidersById, putModelsById, putModelsModelByModelId, putProvidersById, putSearchProvidersById, putSpeechModelsById, putTranscriptionModelsById, putUsersById, putUsersByIdPassword, putUsersMe, putUsersMeChannelsByPlatform, putUsersMePassword } from '../sdk.gen';
-import type { DeleteBotsByBotIdAclRulesByRuleIdData, DeleteBotsByBotIdAclRulesByRuleIdError, DeleteBotsByBotIdCompactionLogsData, DeleteBotsByBotIdCompactionLogsError, DeleteBotsByBotIdContainerData, DeleteBotsByBotIdContainerError, DeleteBotsByBotIdContainerSkillsData, DeleteBotsByBotIdContainerSkillsError, DeleteBotsByBotIdContainerSkillsResponse, DeleteBotsByBotIdEmailBindingsByIdData, DeleteBotsByBotIdEmailBindingsByIdError, DeleteBotsByBotIdHeartbeatLogsData, DeleteBotsByBotIdHeartbeatLogsError, DeleteBotsByBotIdMcpByIdData, DeleteBotsByBotIdMcpByIdError, DeleteBotsByBotIdMcpByIdOauthTokenData, DeleteBotsByBotIdMcpByIdOauthTokenError, DeleteBotsByBotIdMemoryByIdData, DeleteBotsByBotIdMemoryByIdError, DeleteBotsByBotIdMemoryByIdResponse, DeleteBotsByBotIdMemoryData, DeleteBotsByBotIdMemoryError, DeleteBotsByBotIdMemoryResponse, DeleteBotsByBotIdMessagesData, DeleteBotsByBotIdMessagesError, DeleteBotsByBotIdScheduleByIdData, DeleteBotsByBotIdScheduleByIdError, DeleteBotsByBotIdScheduleLogsData, DeleteBotsByBotIdScheduleLogsError, DeleteBotsByBotIdSessionsBySessionIdData, DeleteBotsByBotIdSessionsBySessionIdError, DeleteBotsByBotIdSettingsData, DeleteBotsByBotIdSettingsError, DeleteBotsByIdChannelByPlatformData, DeleteBotsByIdChannelByPlatformError, DeleteBotsByIdData, DeleteBotsByIdError, DeleteBotsByIdResponse, DeleteBrowserContextsByIdData, DeleteBrowserContextsByIdError, DeleteEmailProvidersByIdData, DeleteEmailProvidersByIdError, DeleteEmailProvidersByIdOauthTokenData, DeleteEmailProvidersByIdOauthTokenError, DeleteMemoryProvidersByIdData, DeleteMemoryProvidersByIdError, DeleteModelsByIdData, DeleteModelsByIdError, DeleteModelsModelByModelIdData, DeleteModelsModelByModelIdError, DeleteProvidersByIdData, DeleteProvidersByIdError, DeleteProvidersByIdOauthTokenData, DeleteProvidersByIdOauthTokenError, DeleteSearchProvidersByIdData, DeleteSearchProvidersByIdError, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsData, GetBotsByBotIdAclChannelIdentitiesData, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsData, GetBotsByBotIdAclDefaultEffectData, GetBotsByBotIdAclRulesData, GetBotsByBotIdCompactionLogsData, GetBotsByBotIdContainerData, GetBotsByBotIdContainerFsData, GetBotsByBotIdContainerFsDownloadData, GetBotsByBotIdContainerFsListData, GetBotsByBotIdContainerFsReadData, GetBotsByBotIdContainerMetricsData, GetBotsByBotIdContainerSkillsData, GetBotsByBotIdContainerSnapshotsData, GetBotsByBotIdContainerTerminalData, GetBotsByBotIdContainerTerminalWsData, GetBotsByBotIdEmailBindingsData, GetBotsByBotIdEmailOutboxByIdData, GetBotsByBotIdEmailOutboxData, GetBotsByBotIdHeartbeatLogsData, GetBotsByBotIdLocalWsData, GetBotsByBotIdMcpByIdData, GetBotsByBotIdMcpByIdOauthStatusData, GetBotsByBotIdMcpData, GetBotsByBotIdMcpExportData, GetBotsByBotIdMemoryData, GetBotsByBotIdMemoryStatusData, GetBotsByBotIdMemoryUsageData, GetBotsByBotIdMessagesData, GetBotsByBotIdScheduleByIdData, GetBotsByBotIdScheduleByIdLogsData, GetBotsByBotIdScheduleData, GetBotsByBotIdScheduleLogsData, GetBotsByBotIdSessionsBySessionIdData, GetBotsByBotIdSessionsBySessionIdStatusData, GetBotsByBotIdSessionsData, GetBotsByBotIdSettingsData, GetBotsByBotIdTokenUsageData, GetBotsByBotIdTokenUsageRecordsData, GetBotsByIdChannelByPlatformData, GetBotsByIdChecksData, GetBotsByIdData, GetBotsData, GetBrowserContextsByIdData, GetBrowserContextsCoresData, GetBrowserContextsData, GetChannelsByPlatformData, GetChannelsData, GetEmailOauthCallbackData, GetEmailProvidersByIdData, GetEmailProvidersByIdOauthAuthorizeData, GetEmailProvidersByIdOauthStatusData, GetEmailProvidersData, GetEmailProvidersMetaData, GetMemoryProvidersByIdData, GetMemoryProvidersByIdStatusData, GetMemoryProvidersData, GetMemoryProvidersMetaData, GetModelsByIdData, GetModelsCountData, GetModelsData, GetModelsModelByModelIdData, GetPingData, GetProvidersByIdData, GetProvidersByIdModelsData, GetProvidersByIdOauthAuthorizeData, GetProvidersByIdOauthStatusData, GetProvidersCountData, GetProvidersData, GetProvidersNameByNameData, GetProvidersOauthCallbackData, GetSearchProvidersByIdData, GetSearchProvidersData, GetSearchProvidersMetaData, GetSpeechModelsByIdCapabilitiesData, GetSpeechModelsByIdData, GetSpeechModelsData, GetSpeechProvidersByIdData, GetSpeechProvidersByIdModelsData, GetSpeechProvidersData, GetSpeechProvidersMetaData, GetSupermarketMcpsByIdData, GetSupermarketMcpsData, GetSupermarketSkillsByIdData, GetSupermarketSkillsData, GetSupermarketTagsData, GetTranscriptionModelsByIdCapabilitiesData, GetTranscriptionModelsByIdData, GetTranscriptionModelsData, GetTranscriptionProvidersByIdData, GetTranscriptionProvidersByIdModelsData, GetTranscriptionProvidersData, GetTranscriptionProvidersMetaData, GetUsersByIdData, GetUsersData, GetUsersMeChannelsByPlatformData, GetUsersMeData, GetUsersMeIdentitiesData, PatchBotsByBotIdSessionsBySessionIdData, PatchBotsByBotIdSessionsBySessionIdError, PatchBotsByBotIdSessionsBySessionIdResponse, PatchBotsByIdChannelByPlatformStatusData, PatchBotsByIdChannelByPlatformStatusError, PatchBotsByIdChannelByPlatformStatusResponse, PostAuthLoginData, PostAuthLoginError, PostAuthLoginResponse, PostAuthRefreshData, PostAuthRefreshError, PostAuthRefreshResponse, PostBotsByBotIdAclRulesData, PostBotsByBotIdAclRulesError, PostBotsByBotIdAclRulesResponse, PostBotsByBotIdContainerData, PostBotsByBotIdContainerDataExportData, PostBotsByBotIdContainerDataExportError, PostBotsByBotIdContainerDataImportData, PostBotsByBotIdContainerDataImportError, PostBotsByBotIdContainerDataImportResponse, PostBotsByBotIdContainerDataRestoreData, PostBotsByBotIdContainerDataRestoreError, PostBotsByBotIdContainerDataRestoreResponse, PostBotsByBotIdContainerError, PostBotsByBotIdContainerFsDeleteData, PostBotsByBotIdContainerFsDeleteError, PostBotsByBotIdContainerFsDeleteResponse, PostBotsByBotIdContainerFsMkdirData, PostBotsByBotIdContainerFsMkdirError, PostBotsByBotIdContainerFsMkdirResponse, PostBotsByBotIdContainerFsRenameData, PostBotsByBotIdContainerFsRenameError, PostBotsByBotIdContainerFsRenameResponse, PostBotsByBotIdContainerFsUploadData, PostBotsByBotIdContainerFsUploadError, PostBotsByBotIdContainerFsUploadResponse, PostBotsByBotIdContainerFsWriteData, PostBotsByBotIdContainerFsWriteError, PostBotsByBotIdContainerFsWriteResponse, PostBotsByBotIdContainerResponse, PostBotsByBotIdContainerSkillsActionsData, PostBotsByBotIdContainerSkillsActionsError, PostBotsByBotIdContainerSkillsActionsResponse, PostBotsByBotIdContainerSkillsData, PostBotsByBotIdContainerSkillsError, PostBotsByBotIdContainerSkillsResponse, PostBotsByBotIdContainerSnapshotsData, PostBotsByBotIdContainerSnapshotsError, PostBotsByBotIdContainerSnapshotsResponse, PostBotsByBotIdContainerSnapshotsRollbackData, PostBotsByBotIdContainerSnapshotsRollbackError, PostBotsByBotIdContainerSnapshotsRollbackResponse, PostBotsByBotIdContainerStartData, PostBotsByBotIdContainerStartError, PostBotsByBotIdContainerStartResponse, PostBotsByBotIdContainerStopData, PostBotsByBotIdContainerStopError, PostBotsByBotIdContainerStopResponse, PostBotsByBotIdEmailBindingsData, PostBotsByBotIdEmailBindingsError, PostBotsByBotIdEmailBindingsResponse, PostBotsByBotIdLocalMessagesData, PostBotsByBotIdLocalMessagesError, PostBotsByBotIdLocalMessagesResponse, PostBotsByBotIdMcpByIdOauthAuthorizeData, PostBotsByBotIdMcpByIdOauthAuthorizeError, PostBotsByBotIdMcpByIdOauthAuthorizeResponse, PostBotsByBotIdMcpByIdOauthDiscoverData, PostBotsByBotIdMcpByIdOauthDiscoverError, PostBotsByBotIdMcpByIdOauthDiscoverResponse, PostBotsByBotIdMcpByIdOauthExchangeData, PostBotsByBotIdMcpByIdOauthExchangeError, PostBotsByBotIdMcpByIdOauthExchangeResponse, PostBotsByBotIdMcpByIdProbeData, PostBotsByBotIdMcpByIdProbeError, PostBotsByBotIdMcpByIdProbeResponse, PostBotsByBotIdMcpData, PostBotsByBotIdMcpError, PostBotsByBotIdMcpOpsBatchDeleteData, PostBotsByBotIdMcpOpsBatchDeleteError, PostBotsByBotIdMcpResponse, PostBotsByBotIdMcpStdioByConnectionIdData, PostBotsByBotIdMcpStdioByConnectionIdError, PostBotsByBotIdMcpStdioByConnectionIdResponse, PostBotsByBotIdMcpStdioData, PostBotsByBotIdMcpStdioError, PostBotsByBotIdMcpStdioResponse, PostBotsByBotIdMemoryCompactData, PostBotsByBotIdMemoryCompactError, PostBotsByBotIdMemoryCompactResponse, PostBotsByBotIdMemoryData, PostBotsByBotIdMemoryError, PostBotsByBotIdMemoryRebuildData, PostBotsByBotIdMemoryRebuildError, PostBotsByBotIdMemoryRebuildResponse, PostBotsByBotIdMemoryResponse, PostBotsByBotIdMemorySearchData, PostBotsByBotIdMemorySearchError, PostBotsByBotIdMemorySearchResponse, PostBotsByBotIdScheduleData, PostBotsByBotIdScheduleError, PostBotsByBotIdScheduleResponse, PostBotsByBotIdSessionsBySessionIdCompactData, PostBotsByBotIdSessionsBySessionIdCompactError, PostBotsByBotIdSessionsBySessionIdCompactResponse, PostBotsByBotIdSessionsData, PostBotsByBotIdSessionsError, PostBotsByBotIdSessionsResponse, PostBotsByBotIdSettingsData, PostBotsByBotIdSettingsError, PostBotsByBotIdSettingsResponse, PostBotsByBotIdSupermarketInstallMcpData, PostBotsByBotIdSupermarketInstallMcpError, PostBotsByBotIdSupermarketInstallMcpResponse, PostBotsByBotIdSupermarketInstallSkillData, PostBotsByBotIdSupermarketInstallSkillError, PostBotsByBotIdSupermarketInstallSkillResponse, PostBotsByBotIdToolApprovalsByApprovalIdApproveData, PostBotsByBotIdToolApprovalsByApprovalIdApproveError, PostBotsByBotIdToolApprovalsByApprovalIdApproveResponse, PostBotsByBotIdToolApprovalsByApprovalIdRejectData, PostBotsByBotIdToolApprovalsByApprovalIdRejectError, PostBotsByBotIdToolApprovalsByApprovalIdRejectResponse, PostBotsByBotIdToolsData, PostBotsByBotIdToolsError, PostBotsByBotIdToolsResponse, PostBotsByBotIdTtsSynthesizeData, PostBotsByBotIdTtsSynthesizeError, PostBotsByBotIdTtsSynthesizeResponse, PostBotsByIdChannelByPlatformSendChatData, PostBotsByIdChannelByPlatformSendChatError, PostBotsByIdChannelByPlatformSendChatResponse, PostBotsByIdChannelByPlatformSendData, PostBotsByIdChannelByPlatformSendError, PostBotsByIdChannelByPlatformSendResponse, PostBotsData, PostBotsError, PostBotsResponse, PostBrowserContextsData, PostBrowserContextsError, PostBrowserContextsResponse, PostEmailMailgunWebhookByConfigIdData, PostEmailMailgunWebhookByConfigIdError, PostEmailMailgunWebhookByConfigIdResponse, PostEmailProvidersData, PostEmailProvidersError, PostEmailProvidersResponse, PostMemoryProvidersData, PostMemoryProvidersError, PostMemoryProvidersResponse, PostModelsByIdTestData, PostModelsByIdTestError, PostModelsByIdTestResponse, PostModelsData, PostModelsError, PostModelsResponse, PostProvidersByIdImportModelsData, PostProvidersByIdImportModelsError, PostProvidersByIdImportModelsResponse, PostProvidersByIdOauthPollData, PostProvidersByIdOauthPollError, PostProvidersByIdOauthPollResponse, PostProvidersByIdTestData, PostProvidersByIdTestError, PostProvidersByIdTestResponse, PostProvidersData, PostProvidersError, PostProvidersResponse, PostSearchProvidersData, PostSearchProvidersError, PostSearchProvidersResponse, PostSpeechModelsByIdTestData, PostSpeechModelsByIdTestError, PostSpeechProvidersByIdImportModelsData, PostSpeechProvidersByIdImportModelsError, PostSpeechProvidersByIdImportModelsResponse, PostTranscriptionModelsByIdTestData, PostTranscriptionModelsByIdTestError, PostTranscriptionModelsByIdTestResponse, PostTranscriptionProvidersByIdImportModelsData, PostTranscriptionProvidersByIdImportModelsError, PostTranscriptionProvidersByIdImportModelsResponse, PostUsersData, PostUsersError, PostUsersResponse, PutBotsByBotIdAclDefaultEffectData, PutBotsByBotIdAclDefaultEffectError, PutBotsByBotIdAclRulesByRuleIdData, PutBotsByBotIdAclRulesByRuleIdError, PutBotsByBotIdAclRulesByRuleIdResponse, PutBotsByBotIdAclRulesReorderData, PutBotsByBotIdAclRulesReorderError, PutBotsByBotIdEmailBindingsByIdData, PutBotsByBotIdEmailBindingsByIdError, PutBotsByBotIdEmailBindingsByIdResponse, PutBotsByBotIdMcpByIdData, PutBotsByBotIdMcpByIdError, PutBotsByBotIdMcpByIdResponse, PutBotsByBotIdMcpImportData, PutBotsByBotIdMcpImportError, PutBotsByBotIdMcpImportResponse, PutBotsByBotIdScheduleByIdData, PutBotsByBotIdScheduleByIdError, PutBotsByBotIdScheduleByIdResponse, PutBotsByBotIdSettingsData, PutBotsByBotIdSettingsError, PutBotsByBotIdSettingsResponse, PutBotsByIdChannelByPlatformData, PutBotsByIdChannelByPlatformError, PutBotsByIdChannelByPlatformResponse, PutBotsByIdData, PutBotsByIdError, PutBotsByIdOwnerData, PutBotsByIdOwnerError, PutBotsByIdOwnerResponse, PutBotsByIdResponse, PutBrowserContextsByIdData, PutBrowserContextsByIdError, PutBrowserContextsByIdResponse, PutEmailProvidersByIdData, PutEmailProvidersByIdError, PutEmailProvidersByIdResponse, PutMemoryProvidersByIdData, PutMemoryProvidersByIdError, PutMemoryProvidersByIdResponse, PutModelsByIdData, PutModelsByIdError, PutModelsByIdResponse, PutModelsModelByModelIdData, PutModelsModelByModelIdError, PutModelsModelByModelIdResponse, PutProvidersByIdData, PutProvidersByIdError, PutProvidersByIdResponse, PutSearchProvidersByIdData, PutSearchProvidersByIdError, PutSearchProvidersByIdResponse, PutSpeechModelsByIdData, PutSpeechModelsByIdError, PutSpeechModelsByIdResponse, PutTranscriptionModelsByIdData, PutTranscriptionModelsByIdError, PutTranscriptionModelsByIdResponse, PutUsersByIdData, PutUsersByIdError, PutUsersByIdPasswordData, PutUsersByIdPasswordError, PutUsersByIdResponse, PutUsersMeChannelsByPlatformData, PutUsersMeChannelsByPlatformError, PutUsersMeChannelsByPlatformResponse, PutUsersMeData, PutUsersMeError, PutUsersMePasswordData, PutUsersMePasswordError, PutUsersMeResponse } from '../types.gen';
+import { deleteBotsByBotIdAclRulesByRuleId, deleteBotsByBotIdCompactionLogs, deleteBotsByBotIdContainer, deleteBotsByBotIdContainerSkills, deleteBotsByBotIdEmailBindingsById, deleteBotsByBotIdHeartbeatLogs, deleteBotsByBotIdMcpById, deleteBotsByBotIdMcpByIdOauthToken, deleteBotsByBotIdMemory, deleteBotsByBotIdMemoryById, deleteBotsByBotIdMessages, deleteBotsByBotIdScheduleById, deleteBotsByBotIdScheduleLogs, deleteBotsByBotIdSessionsBySessionId, deleteBotsByBotIdSettings, deleteBotsById, deleteBotsByIdChannelByPlatform, deleteBrowserContextsById, deleteEmailProvidersById, deleteEmailProvidersByIdOauthToken, deleteIamGroupsById, deleteIamGroupsByIdMembersByUserId, deleteIamPrincipalRolesById, deleteIamSsoProvidersById, deleteIamSsoProvidersByIdGroupMappingsByExternalGroup, deleteMemoryProvidersById, deleteModelsById, deleteModelsModelByModelId, deleteProvidersById, deleteProvidersByIdOauthToken, deleteSearchProvidersById, getAuthSsoByProviderIdCallback, getAuthSsoByProviderIdSamlMetadata, getAuthSsoByProviderIdSamlStart, getAuthSsoByProviderIdStart, getAuthSsoProviders, getBots, getBotsByBotIdAclChannelIdentities, getBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversations, getBotsByBotIdAclChannelTypesByChannelTypeConversations, getBotsByBotIdAclDefaultEffect, getBotsByBotIdAclRules, getBotsByBotIdCompactionLogs, getBotsByBotIdContainer, getBotsByBotIdContainerFs, getBotsByBotIdContainerFsDownload, getBotsByBotIdContainerFsList, getBotsByBotIdContainerFsRead, getBotsByBotIdContainerMetrics, getBotsByBotIdContainerSkills, getBotsByBotIdContainerSnapshots, getBotsByBotIdContainerTerminal, getBotsByBotIdContainerTerminalWs, getBotsByBotIdEmailBindings, getBotsByBotIdEmailOutbox, getBotsByBotIdEmailOutboxById, getBotsByBotIdHeartbeatLogs, getBotsByBotIdLocalWs, getBotsByBotIdMcp, getBotsByBotIdMcpById, getBotsByBotIdMcpByIdOauthStatus, getBotsByBotIdMcpExport, getBotsByBotIdMemory, getBotsByBotIdMemoryStatus, getBotsByBotIdMemoryUsage, getBotsByBotIdMessages, getBotsByBotIdSchedule, getBotsByBotIdScheduleById, getBotsByBotIdScheduleByIdLogs, getBotsByBotIdScheduleLogs, getBotsByBotIdSessions, getBotsByBotIdSessionsBySessionId, getBotsByBotIdSessionsBySessionIdStatus, getBotsByBotIdSettings, getBotsByBotIdTokenUsage, getBotsByBotIdTokenUsageRecords, getBotsById, getBotsByIdChannelByPlatform, getBotsByIdChecks, getBrowserContexts, getBrowserContextsById, getBrowserContextsCores, getChannels, getChannelsByPlatform, getEmailOauthCallback, getEmailProviders, getEmailProvidersById, getEmailProvidersByIdOauthAuthorize, getEmailProvidersByIdOauthStatus, getEmailProvidersMeta, getIamBotsByBotIdPrincipalRoles, getIamGroups, getIamGroupsByIdMembers, getIamRoles, getIamSsoProviders, getIamSsoProvidersByIdGroupMappings, getMemoryProviders, getMemoryProvidersById, getMemoryProvidersByIdStatus, getMemoryProvidersMeta, getModels, getModelsById, getModelsCount, getModelsModelByModelId, getPing, getProviders, getProvidersById, getProvidersByIdModels, getProvidersByIdOauthAuthorize, getProvidersByIdOauthStatus, getProvidersCount, getProvidersNameByName, getProvidersOauthCallback, getSearchProviders, getSearchProvidersById, getSearchProvidersMeta, getSpeechModels, getSpeechModelsById, getSpeechModelsByIdCapabilities, getSpeechProviders, getSpeechProvidersById, getSpeechProvidersByIdModels, getSpeechProvidersMeta, getSupermarketMcps, getSupermarketMcpsById, getSupermarketSkills, getSupermarketSkillsById, getSupermarketTags, getTranscriptionModels, getTranscriptionModelsById, getTranscriptionModelsByIdCapabilities, getTranscriptionProviders, getTranscriptionProvidersById, getTranscriptionProvidersByIdModels, getTranscriptionProvidersMeta, getUsers, getUsersById, getUsersMe, getUsersMeChannelsByPlatform, getUsersMeIdentities, type Options, patchBotsByBotIdSessionsBySessionId, patchBotsByIdChannelByPlatformStatus, postAuthLogin, postAuthRefresh, postAuthSsoByProviderIdSamlAcs, postAuthSsoExchange, postBots, postBotsByBotIdAclRules, postBotsByBotIdContainer, postBotsByBotIdContainerDataExport, postBotsByBotIdContainerDataImport, postBotsByBotIdContainerDataRestore, postBotsByBotIdContainerFsDelete, postBotsByBotIdContainerFsMkdir, postBotsByBotIdContainerFsRename, postBotsByBotIdContainerFsUpload, postBotsByBotIdContainerFsWrite, postBotsByBotIdContainerSkills, postBotsByBotIdContainerSkillsActions, postBotsByBotIdContainerSnapshots, postBotsByBotIdContainerSnapshotsRollback, postBotsByBotIdContainerStart, postBotsByBotIdContainerStop, postBotsByBotIdEmailBindings, postBotsByBotIdLocalMessages, postBotsByBotIdMcp, postBotsByBotIdMcpByIdOauthAuthorize, postBotsByBotIdMcpByIdOauthDiscover, postBotsByBotIdMcpByIdOauthExchange, postBotsByBotIdMcpByIdProbe, postBotsByBotIdMcpOpsBatchDelete, postBotsByBotIdMcpStdio, postBotsByBotIdMcpStdioByConnectionId, postBotsByBotIdMemory, postBotsByBotIdMemoryCompact, postBotsByBotIdMemoryRebuild, postBotsByBotIdMemorySearch, postBotsByBotIdSchedule, postBotsByBotIdSessions, postBotsByBotIdSessionsBySessionIdCompact, postBotsByBotIdSettings, postBotsByBotIdSupermarketInstallMcp, postBotsByBotIdSupermarketInstallSkill, postBotsByBotIdToolApprovalsByApprovalIdApprove, postBotsByBotIdToolApprovalsByApprovalIdReject, postBotsByBotIdTools, postBotsByBotIdTtsSynthesize, postBotsByIdChannelByPlatformSend, postBotsByIdChannelByPlatformSendChat, postBrowserContexts, postEmailMailgunWebhookByConfigId, postEmailProviders, postIamBotsByBotIdPrincipalRoles, postIamGroups, postIamGroupsByIdMembers, postIamSsoProviders, postIamSsoProvidersByIdGroupMappings, postMemoryProviders, postModels, postModelsByIdTest, postProviders, postProvidersByIdImportModels, postProvidersByIdOauthPoll, postProvidersByIdTest, postSearchProviders, postSpeechModelsByIdTest, postSpeechProvidersByIdImportModels, postTranscriptionModelsByIdTest, postTranscriptionProvidersByIdImportModels, postUsers, putBotsByBotIdAclDefaultEffect, putBotsByBotIdAclRulesByRuleId, putBotsByBotIdAclRulesReorder, putBotsByBotIdEmailBindingsById, putBotsByBotIdMcpById, putBotsByBotIdMcpImport, putBotsByBotIdScheduleById, putBotsByBotIdSettings, putBotsById, putBotsByIdChannelByPlatform, putBotsByIdOwner, putBrowserContextsById, putEmailProvidersById, putIamGroupsById, putIamSsoProvidersById, putMemoryProvidersById, putModelsById, putModelsModelByModelId, putProvidersById, putSearchProvidersById, putSpeechModelsById, putTranscriptionModelsById, putUsersById, putUsersByIdPassword, putUsersMe, putUsersMeChannelsByPlatform, putUsersMePassword } from '../sdk.gen';
+import type { DeleteBotsByBotIdAclRulesByRuleIdData, DeleteBotsByBotIdAclRulesByRuleIdError, DeleteBotsByBotIdCompactionLogsData, DeleteBotsByBotIdCompactionLogsError, DeleteBotsByBotIdContainerData, DeleteBotsByBotIdContainerError, DeleteBotsByBotIdContainerSkillsData, DeleteBotsByBotIdContainerSkillsError, DeleteBotsByBotIdContainerSkillsResponse, DeleteBotsByBotIdEmailBindingsByIdData, DeleteBotsByBotIdEmailBindingsByIdError, DeleteBotsByBotIdHeartbeatLogsData, DeleteBotsByBotIdHeartbeatLogsError, DeleteBotsByBotIdMcpByIdData, DeleteBotsByBotIdMcpByIdError, DeleteBotsByBotIdMcpByIdOauthTokenData, DeleteBotsByBotIdMcpByIdOauthTokenError, DeleteBotsByBotIdMemoryByIdData, DeleteBotsByBotIdMemoryByIdError, DeleteBotsByBotIdMemoryByIdResponse, DeleteBotsByBotIdMemoryData, DeleteBotsByBotIdMemoryError, DeleteBotsByBotIdMemoryResponse, DeleteBotsByBotIdMessagesData, DeleteBotsByBotIdMessagesError, DeleteBotsByBotIdScheduleByIdData, DeleteBotsByBotIdScheduleByIdError, DeleteBotsByBotIdScheduleLogsData, DeleteBotsByBotIdScheduleLogsError, DeleteBotsByBotIdSessionsBySessionIdData, DeleteBotsByBotIdSessionsBySessionIdError, DeleteBotsByBotIdSettingsData, DeleteBotsByBotIdSettingsError, DeleteBotsByIdChannelByPlatformData, DeleteBotsByIdChannelByPlatformError, DeleteBotsByIdData, DeleteBotsByIdError, DeleteBotsByIdResponse, DeleteBrowserContextsByIdData, DeleteBrowserContextsByIdError, DeleteEmailProvidersByIdData, DeleteEmailProvidersByIdError, DeleteEmailProvidersByIdOauthTokenData, DeleteEmailProvidersByIdOauthTokenError, DeleteIamGroupsByIdData, DeleteIamGroupsByIdError, DeleteIamGroupsByIdMembersByUserIdData, DeleteIamGroupsByIdMembersByUserIdError, DeleteIamPrincipalRolesByIdData, DeleteIamPrincipalRolesByIdError, DeleteIamSsoProvidersByIdData, DeleteIamSsoProvidersByIdError, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupData, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupError, DeleteMemoryProvidersByIdData, DeleteMemoryProvidersByIdError, DeleteModelsByIdData, DeleteModelsByIdError, DeleteModelsModelByModelIdData, DeleteModelsModelByModelIdError, DeleteProvidersByIdData, DeleteProvidersByIdError, DeleteProvidersByIdOauthTokenData, DeleteProvidersByIdOauthTokenError, DeleteSearchProvidersByIdData, DeleteSearchProvidersByIdError, GetAuthSsoByProviderIdCallbackData, GetAuthSsoByProviderIdSamlMetadataData, GetAuthSsoByProviderIdSamlStartData, GetAuthSsoByProviderIdStartData, GetAuthSsoProvidersData, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsData, GetBotsByBotIdAclChannelIdentitiesData, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsData, GetBotsByBotIdAclDefaultEffectData, GetBotsByBotIdAclRulesData, GetBotsByBotIdCompactionLogsData, GetBotsByBotIdContainerData, GetBotsByBotIdContainerFsData, GetBotsByBotIdContainerFsDownloadData, GetBotsByBotIdContainerFsListData, GetBotsByBotIdContainerFsReadData, GetBotsByBotIdContainerMetricsData, GetBotsByBotIdContainerSkillsData, GetBotsByBotIdContainerSnapshotsData, GetBotsByBotIdContainerTerminalData, GetBotsByBotIdContainerTerminalWsData, GetBotsByBotIdEmailBindingsData, GetBotsByBotIdEmailOutboxByIdData, GetBotsByBotIdEmailOutboxData, GetBotsByBotIdHeartbeatLogsData, GetBotsByBotIdLocalWsData, GetBotsByBotIdMcpByIdData, GetBotsByBotIdMcpByIdOauthStatusData, GetBotsByBotIdMcpData, GetBotsByBotIdMcpExportData, GetBotsByBotIdMemoryData, GetBotsByBotIdMemoryStatusData, GetBotsByBotIdMemoryUsageData, GetBotsByBotIdMessagesData, GetBotsByBotIdScheduleByIdData, GetBotsByBotIdScheduleByIdLogsData, GetBotsByBotIdScheduleData, GetBotsByBotIdScheduleLogsData, GetBotsByBotIdSessionsBySessionIdData, GetBotsByBotIdSessionsBySessionIdStatusData, GetBotsByBotIdSessionsData, GetBotsByBotIdSettingsData, GetBotsByBotIdTokenUsageData, GetBotsByBotIdTokenUsageRecordsData, GetBotsByIdChannelByPlatformData, GetBotsByIdChecksData, GetBotsByIdData, GetBotsData, GetBrowserContextsByIdData, GetBrowserContextsCoresData, GetBrowserContextsData, GetChannelsByPlatformData, GetChannelsData, GetEmailOauthCallbackData, GetEmailProvidersByIdData, GetEmailProvidersByIdOauthAuthorizeData, GetEmailProvidersByIdOauthStatusData, GetEmailProvidersData, GetEmailProvidersMetaData, GetIamBotsByBotIdPrincipalRolesData, GetIamGroupsByIdMembersData, GetIamGroupsData, GetIamRolesData, GetIamSsoProvidersByIdGroupMappingsData, GetIamSsoProvidersData, GetMemoryProvidersByIdData, GetMemoryProvidersByIdStatusData, GetMemoryProvidersData, GetMemoryProvidersMetaData, GetModelsByIdData, GetModelsCountData, GetModelsData, GetModelsModelByModelIdData, GetPingData, GetProvidersByIdData, GetProvidersByIdModelsData, GetProvidersByIdOauthAuthorizeData, GetProvidersByIdOauthStatusData, GetProvidersCountData, GetProvidersData, GetProvidersNameByNameData, GetProvidersOauthCallbackData, GetSearchProvidersByIdData, GetSearchProvidersData, GetSearchProvidersMetaData, GetSpeechModelsByIdCapabilitiesData, GetSpeechModelsByIdData, GetSpeechModelsData, GetSpeechProvidersByIdData, GetSpeechProvidersByIdModelsData, GetSpeechProvidersData, GetSpeechProvidersMetaData, GetSupermarketMcpsByIdData, GetSupermarketMcpsData, GetSupermarketSkillsByIdData, GetSupermarketSkillsData, GetSupermarketTagsData, GetTranscriptionModelsByIdCapabilitiesData, GetTranscriptionModelsByIdData, GetTranscriptionModelsData, GetTranscriptionProvidersByIdData, GetTranscriptionProvidersByIdModelsData, GetTranscriptionProvidersData, GetTranscriptionProvidersMetaData, GetUsersByIdData, GetUsersData, GetUsersMeChannelsByPlatformData, GetUsersMeData, GetUsersMeIdentitiesData, PatchBotsByBotIdSessionsBySessionIdData, PatchBotsByBotIdSessionsBySessionIdError, PatchBotsByBotIdSessionsBySessionIdResponse, PatchBotsByIdChannelByPlatformStatusData, PatchBotsByIdChannelByPlatformStatusError, PatchBotsByIdChannelByPlatformStatusResponse, PostAuthLoginData, PostAuthLoginError, PostAuthLoginResponse, PostAuthRefreshData, PostAuthRefreshError, PostAuthRefreshResponse, PostAuthSsoByProviderIdSamlAcsData, PostAuthSsoByProviderIdSamlAcsError, PostAuthSsoExchangeData, PostAuthSsoExchangeError, PostAuthSsoExchangeResponse, PostBotsByBotIdAclRulesData, PostBotsByBotIdAclRulesError, PostBotsByBotIdAclRulesResponse, PostBotsByBotIdContainerData, PostBotsByBotIdContainerDataExportData, PostBotsByBotIdContainerDataExportError, PostBotsByBotIdContainerDataImportData, PostBotsByBotIdContainerDataImportError, PostBotsByBotIdContainerDataImportResponse, PostBotsByBotIdContainerDataRestoreData, PostBotsByBotIdContainerDataRestoreError, PostBotsByBotIdContainerDataRestoreResponse, PostBotsByBotIdContainerError, PostBotsByBotIdContainerFsDeleteData, PostBotsByBotIdContainerFsDeleteError, PostBotsByBotIdContainerFsDeleteResponse, PostBotsByBotIdContainerFsMkdirData, PostBotsByBotIdContainerFsMkdirError, PostBotsByBotIdContainerFsMkdirResponse, PostBotsByBotIdContainerFsRenameData, PostBotsByBotIdContainerFsRenameError, PostBotsByBotIdContainerFsRenameResponse, PostBotsByBotIdContainerFsUploadData, PostBotsByBotIdContainerFsUploadError, PostBotsByBotIdContainerFsUploadResponse, PostBotsByBotIdContainerFsWriteData, PostBotsByBotIdContainerFsWriteError, PostBotsByBotIdContainerFsWriteResponse, PostBotsByBotIdContainerResponse, PostBotsByBotIdContainerSkillsActionsData, PostBotsByBotIdContainerSkillsActionsError, PostBotsByBotIdContainerSkillsActionsResponse, PostBotsByBotIdContainerSkillsData, PostBotsByBotIdContainerSkillsError, PostBotsByBotIdContainerSkillsResponse, PostBotsByBotIdContainerSnapshotsData, PostBotsByBotIdContainerSnapshotsError, PostBotsByBotIdContainerSnapshotsResponse, PostBotsByBotIdContainerSnapshotsRollbackData, PostBotsByBotIdContainerSnapshotsRollbackError, PostBotsByBotIdContainerSnapshotsRollbackResponse, PostBotsByBotIdContainerStartData, PostBotsByBotIdContainerStartError, PostBotsByBotIdContainerStartResponse, PostBotsByBotIdContainerStopData, PostBotsByBotIdContainerStopError, PostBotsByBotIdContainerStopResponse, PostBotsByBotIdEmailBindingsData, PostBotsByBotIdEmailBindingsError, PostBotsByBotIdEmailBindingsResponse, PostBotsByBotIdLocalMessagesData, PostBotsByBotIdLocalMessagesError, PostBotsByBotIdLocalMessagesResponse, PostBotsByBotIdMcpByIdOauthAuthorizeData, PostBotsByBotIdMcpByIdOauthAuthorizeError, PostBotsByBotIdMcpByIdOauthAuthorizeResponse, PostBotsByBotIdMcpByIdOauthDiscoverData, PostBotsByBotIdMcpByIdOauthDiscoverError, PostBotsByBotIdMcpByIdOauthDiscoverResponse, PostBotsByBotIdMcpByIdOauthExchangeData, PostBotsByBotIdMcpByIdOauthExchangeError, PostBotsByBotIdMcpByIdOauthExchangeResponse, PostBotsByBotIdMcpByIdProbeData, PostBotsByBotIdMcpByIdProbeError, PostBotsByBotIdMcpByIdProbeResponse, PostBotsByBotIdMcpData, PostBotsByBotIdMcpError, PostBotsByBotIdMcpOpsBatchDeleteData, PostBotsByBotIdMcpOpsBatchDeleteError, PostBotsByBotIdMcpResponse, PostBotsByBotIdMcpStdioByConnectionIdData, PostBotsByBotIdMcpStdioByConnectionIdError, PostBotsByBotIdMcpStdioByConnectionIdResponse, PostBotsByBotIdMcpStdioData, PostBotsByBotIdMcpStdioError, PostBotsByBotIdMcpStdioResponse, PostBotsByBotIdMemoryCompactData, PostBotsByBotIdMemoryCompactError, PostBotsByBotIdMemoryCompactResponse, PostBotsByBotIdMemoryData, PostBotsByBotIdMemoryError, PostBotsByBotIdMemoryRebuildData, PostBotsByBotIdMemoryRebuildError, PostBotsByBotIdMemoryRebuildResponse, PostBotsByBotIdMemoryResponse, PostBotsByBotIdMemorySearchData, PostBotsByBotIdMemorySearchError, PostBotsByBotIdMemorySearchResponse, PostBotsByBotIdScheduleData, PostBotsByBotIdScheduleError, PostBotsByBotIdScheduleResponse, PostBotsByBotIdSessionsBySessionIdCompactData, PostBotsByBotIdSessionsBySessionIdCompactError, PostBotsByBotIdSessionsBySessionIdCompactResponse, PostBotsByBotIdSessionsData, PostBotsByBotIdSessionsError, PostBotsByBotIdSessionsResponse, PostBotsByBotIdSettingsData, PostBotsByBotIdSettingsError, PostBotsByBotIdSettingsResponse, PostBotsByBotIdSupermarketInstallMcpData, PostBotsByBotIdSupermarketInstallMcpError, PostBotsByBotIdSupermarketInstallMcpResponse, PostBotsByBotIdSupermarketInstallSkillData, PostBotsByBotIdSupermarketInstallSkillError, PostBotsByBotIdSupermarketInstallSkillResponse, PostBotsByBotIdToolApprovalsByApprovalIdApproveData, PostBotsByBotIdToolApprovalsByApprovalIdApproveError, PostBotsByBotIdToolApprovalsByApprovalIdApproveResponse, PostBotsByBotIdToolApprovalsByApprovalIdRejectData, PostBotsByBotIdToolApprovalsByApprovalIdRejectError, PostBotsByBotIdToolApprovalsByApprovalIdRejectResponse, PostBotsByBotIdToolsData, PostBotsByBotIdToolsError, PostBotsByBotIdToolsResponse, PostBotsByBotIdTtsSynthesizeData, PostBotsByBotIdTtsSynthesizeError, PostBotsByBotIdTtsSynthesizeResponse, PostBotsByIdChannelByPlatformSendChatData, PostBotsByIdChannelByPlatformSendChatError, PostBotsByIdChannelByPlatformSendChatResponse, PostBotsByIdChannelByPlatformSendData, PostBotsByIdChannelByPlatformSendError, PostBotsByIdChannelByPlatformSendResponse, PostBotsData, PostBotsError, PostBotsResponse, PostBrowserContextsData, PostBrowserContextsError, PostBrowserContextsResponse, PostEmailMailgunWebhookByConfigIdData, PostEmailMailgunWebhookByConfigIdError, PostEmailMailgunWebhookByConfigIdResponse, PostEmailProvidersData, PostEmailProvidersError, PostEmailProvidersResponse, PostIamBotsByBotIdPrincipalRolesData, PostIamBotsByBotIdPrincipalRolesError, PostIamBotsByBotIdPrincipalRolesResponse, PostIamGroupsByIdMembersData, PostIamGroupsByIdMembersError, PostIamGroupsByIdMembersResponse, PostIamGroupsData, PostIamGroupsError, PostIamGroupsResponse, PostIamSsoProvidersByIdGroupMappingsData, PostIamSsoProvidersByIdGroupMappingsError, PostIamSsoProvidersByIdGroupMappingsResponse, PostIamSsoProvidersData, PostIamSsoProvidersError, PostIamSsoProvidersResponse, PostMemoryProvidersData, PostMemoryProvidersError, PostMemoryProvidersResponse, PostModelsByIdTestData, PostModelsByIdTestError, PostModelsByIdTestResponse, PostModelsData, PostModelsError, PostModelsResponse, PostProvidersByIdImportModelsData, PostProvidersByIdImportModelsError, PostProvidersByIdImportModelsResponse, PostProvidersByIdOauthPollData, PostProvidersByIdOauthPollError, PostProvidersByIdOauthPollResponse, PostProvidersByIdTestData, PostProvidersByIdTestError, PostProvidersByIdTestResponse, PostProvidersData, PostProvidersError, PostProvidersResponse, PostSearchProvidersData, PostSearchProvidersError, PostSearchProvidersResponse, PostSpeechModelsByIdTestData, PostSpeechModelsByIdTestError, PostSpeechProvidersByIdImportModelsData, PostSpeechProvidersByIdImportModelsError, PostSpeechProvidersByIdImportModelsResponse, PostTranscriptionModelsByIdTestData, PostTranscriptionModelsByIdTestError, PostTranscriptionModelsByIdTestResponse, PostTranscriptionProvidersByIdImportModelsData, PostTranscriptionProvidersByIdImportModelsError, PostTranscriptionProvidersByIdImportModelsResponse, PostUsersData, PostUsersError, PostUsersResponse, PutBotsByBotIdAclDefaultEffectData, PutBotsByBotIdAclDefaultEffectError, PutBotsByBotIdAclRulesByRuleIdData, PutBotsByBotIdAclRulesByRuleIdError, PutBotsByBotIdAclRulesByRuleIdResponse, PutBotsByBotIdAclRulesReorderData, PutBotsByBotIdAclRulesReorderError, PutBotsByBotIdEmailBindingsByIdData, PutBotsByBotIdEmailBindingsByIdError, PutBotsByBotIdEmailBindingsByIdResponse, PutBotsByBotIdMcpByIdData, PutBotsByBotIdMcpByIdError, PutBotsByBotIdMcpByIdResponse, PutBotsByBotIdMcpImportData, PutBotsByBotIdMcpImportError, PutBotsByBotIdMcpImportResponse, PutBotsByBotIdScheduleByIdData, PutBotsByBotIdScheduleByIdError, PutBotsByBotIdScheduleByIdResponse, PutBotsByBotIdSettingsData, PutBotsByBotIdSettingsError, PutBotsByBotIdSettingsResponse, PutBotsByIdChannelByPlatformData, PutBotsByIdChannelByPlatformError, PutBotsByIdChannelByPlatformResponse, PutBotsByIdData, PutBotsByIdError, PutBotsByIdOwnerData, PutBotsByIdOwnerError, PutBotsByIdOwnerResponse, PutBotsByIdResponse, PutBrowserContextsByIdData, PutBrowserContextsByIdError, PutBrowserContextsByIdResponse, PutEmailProvidersByIdData, PutEmailProvidersByIdError, PutEmailProvidersByIdResponse, PutIamGroupsByIdData, PutIamGroupsByIdError, PutIamGroupsByIdResponse, PutIamSsoProvidersByIdData, PutIamSsoProvidersByIdError, PutIamSsoProvidersByIdResponse, PutMemoryProvidersByIdData, PutMemoryProvidersByIdError, PutMemoryProvidersByIdResponse, PutModelsByIdData, PutModelsByIdError, PutModelsByIdResponse, PutModelsModelByModelIdData, PutModelsModelByModelIdError, PutModelsModelByModelIdResponse, PutProvidersByIdData, PutProvidersByIdError, PutProvidersByIdResponse, PutSearchProvidersByIdData, PutSearchProvidersByIdError, PutSearchProvidersByIdResponse, PutSpeechModelsByIdData, PutSpeechModelsByIdError, PutSpeechModelsByIdResponse, PutTranscriptionModelsByIdData, PutTranscriptionModelsByIdError, PutTranscriptionModelsByIdResponse, PutUsersByIdData, PutUsersByIdError, PutUsersByIdPasswordData, PutUsersByIdPasswordError, PutUsersByIdResponse, PutUsersMeChannelsByPlatformData, PutUsersMeChannelsByPlatformError, PutUsersMeChannelsByPlatformResponse, PutUsersMeData, PutUsersMeError, PutUsersMePasswordData, PutUsersMePasswordError, PutUsersMeResponse } from '../types.gen';
 
 /**
  * Login
@@ -26,7 +26,7 @@ export const postAuthLoginMutation = (options?: Partial<Options<PostAuthLoginDat
 /**
  * Refresh Token
  *
- * Issue a new JWT using the existing claims with updated expiration
+ * Issue a new JWT after validating the active IAM session
  */
 export const postAuthRefreshMutation = (options?: Partial<Options<PostAuthRefreshData>>): UseMutationOptions<PostAuthRefreshResponse, Options<PostAuthRefreshData>, PostAuthRefreshError> => ({
     mutation: async (vars) => {
@@ -39,6 +39,22 @@ export const postAuthRefreshMutation = (options?: Partial<Options<PostAuthRefres
     }
 });
 
+/**
+ * Exchange SSO login code
+ *
+ * Exchange a one-time SSO login code for a session JWT
+ */
+export const postAuthSsoExchangeMutation = (options?: Partial<Options<PostAuthSsoExchangeData>>): UseMutationOptions<PostAuthSsoExchangeResponse, Options<PostAuthSsoExchangeData>, PostAuthSsoExchangeError> => ({
+    mutation: async (vars) => {
+        const { data } = await postAuthSsoExchange({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
 export type QueryKey<TOptions extends Options> = [
     Pick<TOptions, 'path'> & {
         _id: string;
@@ -74,6 +90,117 @@ const createQueryKey = <TOptions extends Options>(id: string, options?: TOptions
     return [params];
 };
 
+export const getAuthSsoProvidersQueryKey = (options?: Options<GetAuthSsoProvidersData>) => createQueryKey('getAuthSsoProviders', options);
+
+/**
+ * List SSO providers
+ *
+ * List enabled OIDC and SAML SSO providers available for login
+ */
+export const getAuthSsoProvidersQuery = defineQueryOptions((options?: Options<GetAuthSsoProvidersData>) => ({
+    key: getAuthSsoProvidersQueryKey(options),
+    query: async (context) => {
+        const { data } = await getAuthSsoProviders({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+export const getAuthSsoByProviderIdCallbackQueryKey = (options: Options<GetAuthSsoByProviderIdCallbackData>) => createQueryKey('getAuthSsoByProviderIdCallback', options);
+
+/**
+ * Complete OIDC login
+ *
+ * Exchange the provider code, create an IAM session, and redirect to the web login callback with a short-lived login code
+ */
+export const getAuthSsoByProviderIdCallbackQuery = defineQueryOptions((options: Options<GetAuthSsoByProviderIdCallbackData>) => ({
+    key: getAuthSsoByProviderIdCallbackQueryKey(options),
+    query: async (context) => {
+        const { data } = await getAuthSsoByProviderIdCallback({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+/**
+ * Complete SAML login
+ *
+ * Validate the SAML response, create an IAM session, and redirect to the web login callback with a short-lived login code
+ */
+export const postAuthSsoByProviderIdSamlAcsMutation = (options?: Partial<Options<PostAuthSsoByProviderIdSamlAcsData>>): UseMutationOptions<unknown, Options<PostAuthSsoByProviderIdSamlAcsData>, PostAuthSsoByProviderIdSamlAcsError> => ({
+    mutation: async (vars) => {
+        const { data } = await postAuthSsoByProviderIdSamlAcs({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+export const getAuthSsoByProviderIdSamlMetadataQueryKey = (options: Options<GetAuthSsoByProviderIdSamlMetadataData>) => createQueryKey('getAuthSsoByProviderIdSamlMetadata', options);
+
+/**
+ * Get SAML SP metadata
+ *
+ * Return the SAML service provider metadata XML for an SSO provider
+ */
+export const getAuthSsoByProviderIdSamlMetadataQuery = defineQueryOptions((options: Options<GetAuthSsoByProviderIdSamlMetadataData>) => ({
+    key: getAuthSsoByProviderIdSamlMetadataQueryKey(options),
+    query: async (context) => {
+        const { data } = await getAuthSsoByProviderIdSamlMetadata({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+export const getAuthSsoByProviderIdSamlStartQueryKey = (options: Options<GetAuthSsoByProviderIdSamlStartData>) => createQueryKey('getAuthSsoByProviderIdSamlStart', options);
+
+/**
+ * Start SAML login
+ *
+ * Create a SAML AuthnRequest, set the transient SAML state cookie, and redirect to the IdP
+ */
+export const getAuthSsoByProviderIdSamlStartQuery = defineQueryOptions((options: Options<GetAuthSsoByProviderIdSamlStartData>) => ({
+    key: getAuthSsoByProviderIdSamlStartQueryKey(options),
+    query: async (context) => {
+        const { data } = await getAuthSsoByProviderIdSamlStart({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+export const getAuthSsoByProviderIdStartQueryKey = (options: Options<GetAuthSsoByProviderIdStartData>) => createQueryKey('getAuthSsoByProviderIdStart', options);
+
+/**
+ * Start OIDC login
+ *
+ * Build the provider authorization URL and set the transient OIDC state cookie
+ */
+export const getAuthSsoByProviderIdStartQuery = defineQueryOptions((options: Options<GetAuthSsoByProviderIdStartData>) => ({
+    key: getAuthSsoByProviderIdStartQueryKey(options),
+    query: async (context) => {
+        const { data } = await getAuthSsoByProviderIdStart({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
 export const getBotsQueryKey = (options?: Options<GetBotsData>) => createQueryKey('getBots', options);
 
 /**
@@ -1818,7 +1945,7 @@ export const postBotsByBotIdTtsSynthesizeMutation = (options?: Partial<Options<P
 /**
  * Delete bot
  *
- * Delete a bot user (owner/admin only)
+ * Delete a bot user when the current user has bot.delete
  */
 export const deleteBotsByIdMutation = (options?: Partial<Options<DeleteBotsByIdData>>): UseMutationOptions<DeleteBotsByIdResponse, Options<DeleteBotsByIdData>, DeleteBotsByIdError> => ({
     mutation: async (vars) => {
@@ -1836,7 +1963,7 @@ export const getBotsByIdQueryKey = (options: Options<GetBotsByIdData>) => create
 /**
  * Get bot details
  *
- * Get a bot by ID (owner/admin only)
+ * Get a bot by ID when the current user has bot.read
  */
 export const getBotsByIdQuery = defineQueryOptions((options: Options<GetBotsByIdData>) => ({
     key: getBotsByIdQueryKey(options),
@@ -1853,7 +1980,7 @@ export const getBotsByIdQuery = defineQueryOptions((options: Options<GetBotsById
 /**
  * Update bot details
  *
- * Update bot profile (owner/admin only)
+ * Update bot profile when the current user has bot.update
  */
 export const putBotsByIdMutation = (options?: Partial<Options<PutBotsByIdData>>): UseMutationOptions<PutBotsByIdResponse, Options<PutBotsByIdData>, PutBotsByIdError> => ({
     mutation: async (vars) => {
@@ -1985,7 +2112,7 @@ export const getBotsByIdChecksQuery = defineQueryOptions((options: Options<GetBo
 }));
 
 /**
- * Transfer bot owner (admin only)
+ * Transfer bot owner (system admin only)
  *
  * Transfer bot ownership to another human user
  */
@@ -2323,6 +2450,312 @@ export const getEmailOauthCallbackQuery = defineQueryOptions((options: Options<G
     }
 }));
 
+export const getIamBotsByBotIdPrincipalRolesQueryKey = (options: Options<GetIamBotsByBotIdPrincipalRolesData>) => createQueryKey('getIamBotsByBotIdPrincipalRoles', options);
+
+/**
+ * List bot role assignments
+ *
+ * List user and group role assignments for a bot
+ */
+export const getIamBotsByBotIdPrincipalRolesQuery = defineQueryOptions((options: Options<GetIamBotsByBotIdPrincipalRolesData>) => ({
+    key: getIamBotsByBotIdPrincipalRolesQueryKey(options),
+    query: async (context) => {
+        const { data } = await getIamBotsByBotIdPrincipalRoles({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+/**
+ * Assign bot role
+ *
+ * Assign a bot-scoped role to a user or group
+ */
+export const postIamBotsByBotIdPrincipalRolesMutation = (options?: Partial<Options<PostIamBotsByBotIdPrincipalRolesData>>): UseMutationOptions<PostIamBotsByBotIdPrincipalRolesResponse, Options<PostIamBotsByBotIdPrincipalRolesData>, PostIamBotsByBotIdPrincipalRolesError> => ({
+    mutation: async (vars) => {
+        const { data } = await postIamBotsByBotIdPrincipalRoles({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+export const getIamGroupsQueryKey = (options?: Options<GetIamGroupsData>) => createQueryKey('getIamGroups', options);
+
+/**
+ * List IAM groups
+ *
+ * List IAM groups
+ */
+export const getIamGroupsQuery = defineQueryOptions((options?: Options<GetIamGroupsData>) => ({
+    key: getIamGroupsQueryKey(options),
+    query: async (context) => {
+        const { data } = await getIamGroups({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+/**
+ * Upsert IAM group
+ *
+ * Create or update an IAM group
+ */
+export const postIamGroupsMutation = (options?: Partial<Options<PostIamGroupsData>>): UseMutationOptions<PostIamGroupsResponse, Options<PostIamGroupsData>, PostIamGroupsError> => ({
+    mutation: async (vars) => {
+        const { data } = await postIamGroups({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+/**
+ * Delete IAM group
+ *
+ * Delete an IAM group
+ */
+export const deleteIamGroupsByIdMutation = (options?: Partial<Options<DeleteIamGroupsByIdData>>): UseMutationOptions<unknown, Options<DeleteIamGroupsByIdData>, DeleteIamGroupsByIdError> => ({
+    mutation: async (vars) => {
+        const { data } = await deleteIamGroupsById({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+/**
+ * Upsert IAM group
+ *
+ * Create or update an IAM group
+ */
+export const putIamGroupsByIdMutation = (options?: Partial<Options<PutIamGroupsByIdData>>): UseMutationOptions<PutIamGroupsByIdResponse, Options<PutIamGroupsByIdData>, PutIamGroupsByIdError> => ({
+    mutation: async (vars) => {
+        const { data } = await putIamGroupsById({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+export const getIamGroupsByIdMembersQueryKey = (options: Options<GetIamGroupsByIdMembersData>) => createQueryKey('getIamGroupsByIdMembers', options);
+
+/**
+ * List IAM group members
+ *
+ * List members of an IAM group
+ */
+export const getIamGroupsByIdMembersQuery = defineQueryOptions((options: Options<GetIamGroupsByIdMembersData>) => ({
+    key: getIamGroupsByIdMembersQueryKey(options),
+    query: async (context) => {
+        const { data } = await getIamGroupsByIdMembers({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+/**
+ * Add IAM group member
+ *
+ * Add a user to an IAM group
+ */
+export const postIamGroupsByIdMembersMutation = (options?: Partial<Options<PostIamGroupsByIdMembersData>>): UseMutationOptions<PostIamGroupsByIdMembersResponse, Options<PostIamGroupsByIdMembersData>, PostIamGroupsByIdMembersError> => ({
+    mutation: async (vars) => {
+        const { data } = await postIamGroupsByIdMembers({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+/**
+ * Delete IAM group member
+ *
+ * Remove a user from an IAM group
+ */
+export const deleteIamGroupsByIdMembersByUserIdMutation = (options?: Partial<Options<DeleteIamGroupsByIdMembersByUserIdData>>): UseMutationOptions<unknown, Options<DeleteIamGroupsByIdMembersByUserIdData>, DeleteIamGroupsByIdMembersByUserIdError> => ({
+    mutation: async (vars) => {
+        const { data } = await deleteIamGroupsByIdMembersByUserId({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+/**
+ * Delete role assignment
+ *
+ * Delete a user or group role assignment
+ */
+export const deleteIamPrincipalRolesByIdMutation = (options?: Partial<Options<DeleteIamPrincipalRolesByIdData>>): UseMutationOptions<unknown, Options<DeleteIamPrincipalRolesByIdData>, DeleteIamPrincipalRolesByIdError> => ({
+    mutation: async (vars) => {
+        const { data } = await deleteIamPrincipalRolesById({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+export const getIamRolesQueryKey = (options?: Options<GetIamRolesData>) => createQueryKey('getIamRoles', options);
+
+/**
+ * List IAM roles
+ *
+ * List built-in IAM roles
+ */
+export const getIamRolesQuery = defineQueryOptions((options?: Options<GetIamRolesData>) => ({
+    key: getIamRolesQueryKey(options),
+    query: async (context) => {
+        const { data } = await getIamRoles({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+export const getIamSsoProvidersQueryKey = (options?: Options<GetIamSsoProvidersData>) => createQueryKey('getIamSsoProviders', options);
+
+/**
+ * List IAM SSO providers
+ *
+ * List all IAM SSO providers for administration
+ */
+export const getIamSsoProvidersQuery = defineQueryOptions((options?: Options<GetIamSsoProvidersData>) => ({
+    key: getIamSsoProvidersQueryKey(options),
+    query: async (context) => {
+        const { data } = await getIamSsoProviders({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+/**
+ * Upsert IAM SSO provider
+ *
+ * Create or update an IAM SSO provider
+ */
+export const postIamSsoProvidersMutation = (options?: Partial<Options<PostIamSsoProvidersData>>): UseMutationOptions<PostIamSsoProvidersResponse, Options<PostIamSsoProvidersData>, PostIamSsoProvidersError> => ({
+    mutation: async (vars) => {
+        const { data } = await postIamSsoProviders({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+/**
+ * Delete IAM SSO provider
+ *
+ * Delete an IAM SSO provider
+ */
+export const deleteIamSsoProvidersByIdMutation = (options?: Partial<Options<DeleteIamSsoProvidersByIdData>>): UseMutationOptions<unknown, Options<DeleteIamSsoProvidersByIdData>, DeleteIamSsoProvidersByIdError> => ({
+    mutation: async (vars) => {
+        const { data } = await deleteIamSsoProvidersById({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+/**
+ * Upsert IAM SSO provider
+ *
+ * Create or update an IAM SSO provider
+ */
+export const putIamSsoProvidersByIdMutation = (options?: Partial<Options<PutIamSsoProvidersByIdData>>): UseMutationOptions<PutIamSsoProvidersByIdResponse, Options<PutIamSsoProvidersByIdData>, PutIamSsoProvidersByIdError> => ({
+    mutation: async (vars) => {
+        const { data } = await putIamSsoProvidersById({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+export const getIamSsoProvidersByIdGroupMappingsQueryKey = (options: Options<GetIamSsoProvidersByIdGroupMappingsData>) => createQueryKey('getIamSsoProvidersByIdGroupMappings', options);
+
+/**
+ * List SSO group mappings
+ *
+ * List external group to IAM group mappings for an SSO provider
+ */
+export const getIamSsoProvidersByIdGroupMappingsQuery = defineQueryOptions((options: Options<GetIamSsoProvidersByIdGroupMappingsData>) => ({
+    key: getIamSsoProvidersByIdGroupMappingsQueryKey(options),
+    query: async (context) => {
+        const { data } = await getIamSsoProvidersByIdGroupMappings({
+            ...options,
+            ...context,
+            throwOnError: true
+        });
+        return data;
+    }
+}));
+
+/**
+ * Upsert SSO group mapping
+ *
+ * Create or update an external group to IAM group mapping
+ */
+export const postIamSsoProvidersByIdGroupMappingsMutation = (options?: Partial<Options<PostIamSsoProvidersByIdGroupMappingsData>>): UseMutationOptions<PostIamSsoProvidersByIdGroupMappingsResponse, Options<PostIamSsoProvidersByIdGroupMappingsData>, PostIamSsoProvidersByIdGroupMappingsError> => ({
+    mutation: async (vars) => {
+        const { data } = await postIamSsoProvidersByIdGroupMappings({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
+/**
+ * Delete SSO group mapping
+ *
+ * Delete an external group mapping from an SSO provider
+ */
+export const deleteIamSsoProvidersByIdGroupMappingsByExternalGroupMutation = (options?: Partial<Options<DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupData>>): UseMutationOptions<unknown, Options<DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupData>, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupError> => ({
+    mutation: async (vars) => {
+        const { data } = await deleteIamSsoProvidersByIdGroupMappingsByExternalGroup({
+            ...options,
+            ...vars,
+            throwOnError: true
+        });
+        return data;
+    }
+});
+
 export const getMemoryProvidersQueryKey = (options?: Options<GetMemoryProvidersData>) => createQueryKey('getMemoryProviders', options);
 
 /**
diff --git a/packages/sdk/src/index.ts b/packages/sdk/src/index.ts
index 9f227279b..abaae0c0f 100644
--- a/packages/sdk/src/index.ts
+++ b/packages/sdk/src/index.ts
@@ -1,4 +1,4 @@
 // This file is auto-generated by @hey-api/openapi-ts
 
-export { deleteBotsByBotIdAclRulesByRuleId, deleteBotsByBotIdCompactionLogs, deleteBotsByBotIdContainer, deleteBotsByBotIdContainerSkills, deleteBotsByBotIdEmailBindingsById, deleteBotsByBotIdHeartbeatLogs, deleteBotsByBotIdMcpById, deleteBotsByBotIdMcpByIdOauthToken, deleteBotsByBotIdMemory, deleteBotsByBotIdMemoryById, deleteBotsByBotIdMessages, deleteBotsByBotIdScheduleById, deleteBotsByBotIdScheduleLogs, deleteBotsByBotIdSessionsBySessionId, deleteBotsByBotIdSettings, deleteBotsById, deleteBotsByIdChannelByPlatform, deleteBrowserContextsById, deleteEmailProvidersById, deleteEmailProvidersByIdOauthToken, deleteMemoryProvidersById, deleteModelsById, deleteModelsModelByModelId, deleteProvidersById, deleteProvidersByIdOauthToken, deleteSearchProvidersById, getBots, getBotsByBotIdAclChannelIdentities, getBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversations, getBotsByBotIdAclChannelTypesByChannelTypeConversations, getBotsByBotIdAclDefaultEffect, getBotsByBotIdAclRules, getBotsByBotIdCompactionLogs, getBotsByBotIdContainer, getBotsByBotIdContainerFs, getBotsByBotIdContainerFsDownload, getBotsByBotIdContainerFsList, getBotsByBotIdContainerFsRead, getBotsByBotIdContainerMetrics, getBotsByBotIdContainerSkills, getBotsByBotIdContainerSnapshots, getBotsByBotIdContainerTerminal, getBotsByBotIdContainerTerminalWs, getBotsByBotIdEmailBindings, getBotsByBotIdEmailOutbox, getBotsByBotIdEmailOutboxById, getBotsByBotIdHeartbeatLogs, getBotsByBotIdLocalStream, getBotsByBotIdLocalWs, getBotsByBotIdMcp, getBotsByBotIdMcpById, getBotsByBotIdMcpByIdOauthStatus, getBotsByBotIdMcpExport, getBotsByBotIdMemory, getBotsByBotIdMemoryStatus, getBotsByBotIdMemoryUsage, getBotsByBotIdMessages, getBotsByBotIdSchedule, getBotsByBotIdScheduleById, getBotsByBotIdScheduleByIdLogs, getBotsByBotIdScheduleLogs, getBotsByBotIdSessions, getBotsByBotIdSessionsBySessionId, getBotsByBotIdSessionsBySessionIdStatus, getBotsByBotIdSettings, getBotsByBotIdTokenUsage, getBotsByBotIdTokenUsageRecords, getBotsById, getBotsByIdChannelByPlatform, getBotsByIdChecks, getBrowserContexts, getBrowserContextsById, getBrowserContextsCores, getChannels, getChannelsByPlatform, getEmailOauthCallback, getEmailProviders, getEmailProvidersById, getEmailProvidersByIdOauthAuthorize, getEmailProvidersByIdOauthStatus, getEmailProvidersMeta, getMemoryProviders, getMemoryProvidersById, getMemoryProvidersByIdStatus, getMemoryProvidersMeta, getModels, getModelsById, getModelsCount, getModelsModelByModelId, getPing, getProviders, getProvidersById, getProvidersByIdModels, getProvidersByIdOauthAuthorize, getProvidersByIdOauthStatus, getProvidersCount, getProvidersNameByName, getProvidersOauthCallback, getSearchProviders, getSearchProvidersById, getSearchProvidersMeta, getSpeechModels, getSpeechModelsById, getSpeechModelsByIdCapabilities, getSpeechProviders, getSpeechProvidersById, getSpeechProvidersByIdModels, getSpeechProvidersMeta, getSupermarketMcps, getSupermarketMcpsById, getSupermarketSkills, getSupermarketSkillsById, getSupermarketTags, getTranscriptionModels, getTranscriptionModelsById, getTranscriptionModelsByIdCapabilities, getTranscriptionProviders, getTranscriptionProvidersById, getTranscriptionProvidersByIdModels, getTranscriptionProvidersMeta, getUsers, getUsersById, getUsersMe, getUsersMeChannelsByPlatform, getUsersMeIdentities, type Options, patchBotsByBotIdSessionsBySessionId, patchBotsByIdChannelByPlatformStatus, postAuthLogin, postAuthRefresh, postBots, postBotsByBotIdAclRules, postBotsByBotIdContainer, postBotsByBotIdContainerDataExport, postBotsByBotIdContainerDataImport, postBotsByBotIdContainerDataRestore, postBotsByBotIdContainerFsDelete, postBotsByBotIdContainerFsMkdir, postBotsByBotIdContainerFsRename, postBotsByBotIdContainerFsUpload, postBotsByBotIdContainerFsWrite, postBotsByBotIdContainerSkills, postBotsByBotIdContainerSkillsActions, postBotsByBotIdContainerSnapshots, postBotsByBotIdContainerSnapshotsRollback, postBotsByBotIdContainerStart, postBotsByBotIdContainerStop, postBotsByBotIdEmailBindings, postBotsByBotIdLocalMessages, postBotsByBotIdMcp, postBotsByBotIdMcpByIdOauthAuthorize, postBotsByBotIdMcpByIdOauthDiscover, postBotsByBotIdMcpByIdOauthExchange, postBotsByBotIdMcpByIdProbe, postBotsByBotIdMcpOpsBatchDelete, postBotsByBotIdMcpStdio, postBotsByBotIdMcpStdioByConnectionId, postBotsByBotIdMemory, postBotsByBotIdMemoryCompact, postBotsByBotIdMemoryRebuild, postBotsByBotIdMemorySearch, postBotsByBotIdSchedule, postBotsByBotIdSessions, postBotsByBotIdSessionsBySessionIdCompact, postBotsByBotIdSettings, postBotsByBotIdSupermarketInstallMcp, postBotsByBotIdSupermarketInstallSkill, postBotsByBotIdToolApprovalsByApprovalIdApprove, postBotsByBotIdToolApprovalsByApprovalIdReject, postBotsByBotIdTools, postBotsByBotIdTtsSynthesize, postBotsByIdChannelByPlatformSend, postBotsByIdChannelByPlatformSendChat, postBrowserContexts, postEmailMailgunWebhookByConfigId, postEmailProviders, postMemoryProviders, postModels, postModelsByIdTest, postProviders, postProvidersByIdImportModels, postProvidersByIdOauthPoll, postProvidersByIdTest, postSearchProviders, postSpeechModelsByIdTest, postSpeechProvidersByIdImportModels, postTranscriptionModelsByIdTest, postTranscriptionProvidersByIdImportModels, postUsers, putBotsByBotIdAclDefaultEffect, putBotsByBotIdAclRulesByRuleId, putBotsByBotIdAclRulesReorder, putBotsByBotIdEmailBindingsById, putBotsByBotIdMcpById, putBotsByBotIdMcpImport, putBotsByBotIdScheduleById, putBotsByBotIdSettings, putBotsById, putBotsByIdChannelByPlatform, putBotsByIdOwner, putBrowserContextsById, putEmailProvidersById, putMemoryProvidersById, putModelsById, putModelsModelByModelId, putProvidersById, putSearchProvidersById, putSpeechModelsById, putTranscriptionModelsById, putUsersById, putUsersByIdPassword, putUsersMe, putUsersMeChannelsByPlatform, putUsersMePassword } from './sdk.gen';
-export type { AccountsAccount, AccountsCreateAccountRequest, AccountsListAccountsResponse, AccountsResetPasswordRequest, AccountsUpdateAccountRequest, AccountsUpdatePasswordRequest, AccountsUpdateProfileRequest, AclChannelIdentityCandidate, AclChannelIdentityCandidateListResponse, AclCreateRuleRequest, AclDefaultEffectResponse, AclListRulesResponse, AclObservedConversationCandidate, AclObservedConversationCandidateListResponse, AclReorderItem, AclReorderRequest, AclRule, AclSourceScope, AclUpdateRuleRequest, AdaptersCdfPoint, AdaptersCompactResult, AdaptersDeleteResponse, AdaptersHealthStatus, AdaptersMemoryItem, AdaptersMemoryStatusResponse, AdaptersMessage, AdaptersProviderCollectionStatus, AdaptersProviderConfigSchema, AdaptersProviderCreateRequest, AdaptersProviderFieldSchema, AdaptersProviderGetResponse, AdaptersProviderMeta, AdaptersProviderStatusResponse, AdaptersProviderType, AdaptersProviderUpdateRequest, AdaptersRebuildResult, AdaptersSearchResponse, AdaptersTopKBucket, AdaptersUsageResponse, AudioConfigSchema, AudioFieldSchema, AudioImportModelsResponse, AudioModelCapabilities, AudioModelInfo, AudioParamConstraint, AudioProviderMetaResponse, AudioSpeechModelResponse, AudioSpeechProviderResponse, AudioTestSynthesizeRequest, AudioTestTranscriptionResponse, AudioTranscriptionModelResponse, AudioTranscriptionWord, AudioUpdateSpeechModelRequest, AudioVoiceInfo, BotsBot, BotsBotCheck, BotsCreateBotRequest, BotsListBotsResponse, BotsListChecksResponse, BotsTransferBotRequest, BotsUpdateBotRequest, BrowsercontextsBrowserContext, BrowsercontextsCreateRequest, BrowsercontextsUpdateRequest, ChannelAction, ChannelAttachment, ChannelAttachmentType, ChannelChannelCapabilities, ChannelChannelConfig, ChannelChannelIdentityBinding, ChannelChannelType, ChannelConfigSchema, ChannelFieldSchema, ChannelFieldType, ChannelMessage, ChannelMessageFormat, ChannelMessagePart, ChannelMessagePartType, ChannelMessageTextStyle, ChannelReplyRef, ChannelSendRequest, ChannelTargetHint, ChannelTargetSpec, ChannelThreadRef, ChannelUpdateChannelStatusRequest, ChannelUpsertChannelIdentityConfigRequest, ChannelUpsertConfigRequest, ClientOptions, CompactionListLogsResponse, CompactionLog, DeleteBotsByBotIdAclRulesByRuleIdData, DeleteBotsByBotIdAclRulesByRuleIdError, DeleteBotsByBotIdAclRulesByRuleIdErrors, DeleteBotsByBotIdAclRulesByRuleIdResponses, DeleteBotsByBotIdCompactionLogsData, DeleteBotsByBotIdCompactionLogsError, DeleteBotsByBotIdCompactionLogsErrors, DeleteBotsByBotIdCompactionLogsResponses, DeleteBotsByBotIdContainerData, DeleteBotsByBotIdContainerError, DeleteBotsByBotIdContainerErrors, DeleteBotsByBotIdContainerResponses, DeleteBotsByBotIdContainerSkillsData, DeleteBotsByBotIdContainerSkillsError, DeleteBotsByBotIdContainerSkillsErrors, DeleteBotsByBotIdContainerSkillsResponse, DeleteBotsByBotIdContainerSkillsResponses, DeleteBotsByBotIdEmailBindingsByIdData, DeleteBotsByBotIdEmailBindingsByIdError, DeleteBotsByBotIdEmailBindingsByIdErrors, DeleteBotsByBotIdEmailBindingsByIdResponses, DeleteBotsByBotIdHeartbeatLogsData, DeleteBotsByBotIdHeartbeatLogsError, DeleteBotsByBotIdHeartbeatLogsErrors, DeleteBotsByBotIdHeartbeatLogsResponses, DeleteBotsByBotIdMcpByIdData, DeleteBotsByBotIdMcpByIdError, DeleteBotsByBotIdMcpByIdErrors, DeleteBotsByBotIdMcpByIdOauthTokenData, DeleteBotsByBotIdMcpByIdOauthTokenError, DeleteBotsByBotIdMcpByIdOauthTokenErrors, DeleteBotsByBotIdMcpByIdOauthTokenResponses, DeleteBotsByBotIdMcpByIdResponses, DeleteBotsByBotIdMemoryByIdData, DeleteBotsByBotIdMemoryByIdError, DeleteBotsByBotIdMemoryByIdErrors, DeleteBotsByBotIdMemoryByIdResponse, DeleteBotsByBotIdMemoryByIdResponses, DeleteBotsByBotIdMemoryData, DeleteBotsByBotIdMemoryError, DeleteBotsByBotIdMemoryErrors, DeleteBotsByBotIdMemoryResponse, DeleteBotsByBotIdMemoryResponses, DeleteBotsByBotIdMessagesData, DeleteBotsByBotIdMessagesError, DeleteBotsByBotIdMessagesErrors, DeleteBotsByBotIdMessagesResponses, DeleteBotsByBotIdScheduleByIdData, DeleteBotsByBotIdScheduleByIdError, DeleteBotsByBotIdScheduleByIdErrors, DeleteBotsByBotIdScheduleByIdResponses, DeleteBotsByBotIdScheduleLogsData, DeleteBotsByBotIdScheduleLogsError, DeleteBotsByBotIdScheduleLogsErrors, DeleteBotsByBotIdScheduleLogsResponses, DeleteBotsByBotIdSessionsBySessionIdData, DeleteBotsByBotIdSessionsBySessionIdError, DeleteBotsByBotIdSessionsBySessionIdErrors, DeleteBotsByBotIdSessionsBySessionIdResponses, DeleteBotsByBotIdSettingsData, DeleteBotsByBotIdSettingsError, DeleteBotsByBotIdSettingsErrors, DeleteBotsByBotIdSettingsResponses, DeleteBotsByIdChannelByPlatformData, DeleteBotsByIdChannelByPlatformError, DeleteBotsByIdChannelByPlatformErrors, DeleteBotsByIdChannelByPlatformResponses, DeleteBotsByIdData, DeleteBotsByIdError, DeleteBotsByIdErrors, DeleteBotsByIdResponse, DeleteBotsByIdResponses, DeleteBrowserContextsByIdData, DeleteBrowserContextsByIdError, DeleteBrowserContextsByIdErrors, DeleteBrowserContextsByIdResponses, DeleteEmailProvidersByIdData, DeleteEmailProvidersByIdError, DeleteEmailProvidersByIdErrors, DeleteEmailProvidersByIdOauthTokenData, DeleteEmailProvidersByIdOauthTokenError, DeleteEmailProvidersByIdOauthTokenErrors, DeleteEmailProvidersByIdOauthTokenResponses, DeleteEmailProvidersByIdResponses, DeleteMemoryProvidersByIdData, DeleteMemoryProvidersByIdError, DeleteMemoryProvidersByIdErrors, DeleteMemoryProvidersByIdResponses, DeleteModelsByIdData, DeleteModelsByIdError, DeleteModelsByIdErrors, DeleteModelsByIdResponses, DeleteModelsModelByModelIdData, DeleteModelsModelByModelIdError, DeleteModelsModelByModelIdErrors, DeleteModelsModelByModelIdResponses, DeleteProvidersByIdData, DeleteProvidersByIdError, DeleteProvidersByIdErrors, DeleteProvidersByIdOauthTokenData, DeleteProvidersByIdOauthTokenError, DeleteProvidersByIdOauthTokenErrors, DeleteProvidersByIdOauthTokenResponses, DeleteProvidersByIdResponses, DeleteSearchProvidersByIdData, DeleteSearchProvidersByIdError, DeleteSearchProvidersByIdErrors, DeleteSearchProvidersByIdResponses, EmailBindingResponse, EmailConfigSchema, EmailCreateBindingRequest, EmailCreateProviderRequest, EmailFieldSchema, EmailOutboxItemResponse, EmailProviderMeta, EmailProviderResponse, EmailUpdateBindingRequest, EmailUpdateProviderRequest, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsData, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsError, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsErrors, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsResponse, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsResponses, GetBotsByBotIdAclChannelIdentitiesData, GetBotsByBotIdAclChannelIdentitiesError, GetBotsByBotIdAclChannelIdentitiesErrors, GetBotsByBotIdAclChannelIdentitiesResponse, GetBotsByBotIdAclChannelIdentitiesResponses, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsData, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsError, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsErrors, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsResponse, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsResponses, GetBotsByBotIdAclDefaultEffectData, GetBotsByBotIdAclDefaultEffectError, GetBotsByBotIdAclDefaultEffectErrors, GetBotsByBotIdAclDefaultEffectResponse, GetBotsByBotIdAclDefaultEffectResponses, GetBotsByBotIdAclRulesData, GetBotsByBotIdAclRulesError, GetBotsByBotIdAclRulesErrors, GetBotsByBotIdAclRulesResponse, GetBotsByBotIdAclRulesResponses, GetBotsByBotIdCompactionLogsData, GetBotsByBotIdCompactionLogsError, GetBotsByBotIdCompactionLogsErrors, GetBotsByBotIdCompactionLogsResponse, GetBotsByBotIdCompactionLogsResponses, GetBotsByBotIdContainerData, GetBotsByBotIdContainerError, GetBotsByBotIdContainerErrors, GetBotsByBotIdContainerFsData, GetBotsByBotIdContainerFsDownloadData, GetBotsByBotIdContainerFsDownloadError, GetBotsByBotIdContainerFsDownloadErrors, GetBotsByBotIdContainerFsDownloadResponses, GetBotsByBotIdContainerFsError, GetBotsByBotIdContainerFsErrors, GetBotsByBotIdContainerFsListData, GetBotsByBotIdContainerFsListError, GetBotsByBotIdContainerFsListErrors, GetBotsByBotIdContainerFsListResponse, GetBotsByBotIdContainerFsListResponses, GetBotsByBotIdContainerFsReadData, GetBotsByBotIdContainerFsReadError, GetBotsByBotIdContainerFsReadErrors, GetBotsByBotIdContainerFsReadResponse, GetBotsByBotIdContainerFsReadResponses, GetBotsByBotIdContainerFsResponse, GetBotsByBotIdContainerFsResponses, GetBotsByBotIdContainerMetricsData, GetBotsByBotIdContainerMetricsError, GetBotsByBotIdContainerMetricsErrors, GetBotsByBotIdContainerMetricsResponse, GetBotsByBotIdContainerMetricsResponses, GetBotsByBotIdContainerResponse, GetBotsByBotIdContainerResponses, GetBotsByBotIdContainerSkillsData, GetBotsByBotIdContainerSkillsError, GetBotsByBotIdContainerSkillsErrors, GetBotsByBotIdContainerSkillsResponse, GetBotsByBotIdContainerSkillsResponses, GetBotsByBotIdContainerSnapshotsData, GetBotsByBotIdContainerSnapshotsError, GetBotsByBotIdContainerSnapshotsErrors, GetBotsByBotIdContainerSnapshotsResponse, GetBotsByBotIdContainerSnapshotsResponses, GetBotsByBotIdContainerTerminalData, GetBotsByBotIdContainerTerminalError, GetBotsByBotIdContainerTerminalErrors, GetBotsByBotIdContainerTerminalResponse, GetBotsByBotIdContainerTerminalResponses, GetBotsByBotIdContainerTerminalWsData, GetBotsByBotIdContainerTerminalWsError, GetBotsByBotIdContainerTerminalWsErrors, GetBotsByBotIdEmailBindingsData, GetBotsByBotIdEmailBindingsError, GetBotsByBotIdEmailBindingsErrors, GetBotsByBotIdEmailBindingsResponse, GetBotsByBotIdEmailBindingsResponses, GetBotsByBotIdEmailOutboxByIdData, GetBotsByBotIdEmailOutboxByIdError, GetBotsByBotIdEmailOutboxByIdErrors, GetBotsByBotIdEmailOutboxByIdResponse, GetBotsByBotIdEmailOutboxByIdResponses, GetBotsByBotIdEmailOutboxData, GetBotsByBotIdEmailOutboxError, GetBotsByBotIdEmailOutboxErrors, GetBotsByBotIdEmailOutboxResponse, GetBotsByBotIdEmailOutboxResponses, GetBotsByBotIdHeartbeatLogsData, GetBotsByBotIdHeartbeatLogsError, GetBotsByBotIdHeartbeatLogsErrors, GetBotsByBotIdHeartbeatLogsResponse, GetBotsByBotIdHeartbeatLogsResponses, GetBotsByBotIdLocalStreamData, GetBotsByBotIdLocalStreamError, GetBotsByBotIdLocalStreamErrors, GetBotsByBotIdLocalStreamResponse, GetBotsByBotIdLocalStreamResponses, GetBotsByBotIdLocalWsData, GetBotsByBotIdLocalWsError, GetBotsByBotIdLocalWsErrors, GetBotsByBotIdMcpByIdData, GetBotsByBotIdMcpByIdError, GetBotsByBotIdMcpByIdErrors, GetBotsByBotIdMcpByIdOauthStatusData, GetBotsByBotIdMcpByIdOauthStatusError, GetBotsByBotIdMcpByIdOauthStatusErrors, GetBotsByBotIdMcpByIdOauthStatusResponse, GetBotsByBotIdMcpByIdOauthStatusResponses, GetBotsByBotIdMcpByIdResponse, GetBotsByBotIdMcpByIdResponses, GetBotsByBotIdMcpData, GetBotsByBotIdMcpError, GetBotsByBotIdMcpErrors, GetBotsByBotIdMcpExportData, GetBotsByBotIdMcpExportError, GetBotsByBotIdMcpExportErrors, GetBotsByBotIdMcpExportResponse, GetBotsByBotIdMcpExportResponses, GetBotsByBotIdMcpResponse, GetBotsByBotIdMcpResponses, GetBotsByBotIdMemoryData, GetBotsByBotIdMemoryError, GetBotsByBotIdMemoryErrors, GetBotsByBotIdMemoryResponse, GetBotsByBotIdMemoryResponses, GetBotsByBotIdMemoryStatusData, GetBotsByBotIdMemoryStatusError, GetBotsByBotIdMemoryStatusErrors, GetBotsByBotIdMemoryStatusResponse, GetBotsByBotIdMemoryStatusResponses, GetBotsByBotIdMemoryUsageData, GetBotsByBotIdMemoryUsageError, GetBotsByBotIdMemoryUsageErrors, GetBotsByBotIdMemoryUsageResponse, GetBotsByBotIdMemoryUsageResponses, GetBotsByBotIdMessagesData, GetBotsByBotIdMessagesError, GetBotsByBotIdMessagesErrors, GetBotsByBotIdMessagesResponse, GetBotsByBotIdMessagesResponses, GetBotsByBotIdScheduleByIdData, GetBotsByBotIdScheduleByIdError, GetBotsByBotIdScheduleByIdErrors, GetBotsByBotIdScheduleByIdLogsData, GetBotsByBotIdScheduleByIdLogsError, GetBotsByBotIdScheduleByIdLogsErrors, GetBotsByBotIdScheduleByIdLogsResponse, GetBotsByBotIdScheduleByIdLogsResponses, GetBotsByBotIdScheduleByIdResponse, GetBotsByBotIdScheduleByIdResponses, GetBotsByBotIdScheduleData, GetBotsByBotIdScheduleError, GetBotsByBotIdScheduleErrors, GetBotsByBotIdScheduleLogsData, GetBotsByBotIdScheduleLogsError, GetBotsByBotIdScheduleLogsErrors, GetBotsByBotIdScheduleLogsResponse, GetBotsByBotIdScheduleLogsResponses, GetBotsByBotIdScheduleResponse, GetBotsByBotIdScheduleResponses, GetBotsByBotIdSessionsBySessionIdData, GetBotsByBotIdSessionsBySessionIdError, GetBotsByBotIdSessionsBySessionIdErrors, GetBotsByBotIdSessionsBySessionIdResponse, GetBotsByBotIdSessionsBySessionIdResponses, GetBotsByBotIdSessionsBySessionIdStatusData, GetBotsByBotIdSessionsBySessionIdStatusError, GetBotsByBotIdSessionsBySessionIdStatusErrors, GetBotsByBotIdSessionsBySessionIdStatusResponse, GetBotsByBotIdSessionsBySessionIdStatusResponses, GetBotsByBotIdSessionsData, GetBotsByBotIdSessionsError, GetBotsByBotIdSessionsErrors, GetBotsByBotIdSessionsResponse, GetBotsByBotIdSessionsResponses, GetBotsByBotIdSettingsData, GetBotsByBotIdSettingsError, GetBotsByBotIdSettingsErrors, GetBotsByBotIdSettingsResponse, GetBotsByBotIdSettingsResponses, GetBotsByBotIdTokenUsageData, GetBotsByBotIdTokenUsageError, GetBotsByBotIdTokenUsageErrors, GetBotsByBotIdTokenUsageRecordsData, GetBotsByBotIdTokenUsageRecordsError, GetBotsByBotIdTokenUsageRecordsErrors, GetBotsByBotIdTokenUsageRecordsResponse, GetBotsByBotIdTokenUsageRecordsResponses, GetBotsByBotIdTokenUsageResponse, GetBotsByBotIdTokenUsageResponses, GetBotsByIdChannelByPlatformData, GetBotsByIdChannelByPlatformError, GetBotsByIdChannelByPlatformErrors, GetBotsByIdChannelByPlatformResponse, GetBotsByIdChannelByPlatformResponses, GetBotsByIdChecksData, GetBotsByIdChecksError, GetBotsByIdChecksErrors, GetBotsByIdChecksResponse, GetBotsByIdChecksResponses, GetBotsByIdData, GetBotsByIdError, GetBotsByIdErrors, GetBotsByIdResponse, GetBotsByIdResponses, GetBotsData, GetBotsError, GetBotsErrors, GetBotsResponse, GetBotsResponses, GetBrowserContextsByIdData, GetBrowserContextsByIdError, GetBrowserContextsByIdErrors, GetBrowserContextsByIdResponse, GetBrowserContextsByIdResponses, GetBrowserContextsCoresData, GetBrowserContextsCoresError, GetBrowserContextsCoresErrors, GetBrowserContextsCoresResponse, GetBrowserContextsCoresResponses, GetBrowserContextsData, GetBrowserContextsError, GetBrowserContextsErrors, GetBrowserContextsResponse, GetBrowserContextsResponses, GetChannelsByPlatformData, GetChannelsByPlatformError, GetChannelsByPlatformErrors, GetChannelsByPlatformResponse, GetChannelsByPlatformResponses, GetChannelsData, GetChannelsError, GetChannelsErrors, GetChannelsResponse, GetChannelsResponses, GetEmailOauthCallbackData, GetEmailOauthCallbackError, GetEmailOauthCallbackErrors, GetEmailOauthCallbackResponse, GetEmailOauthCallbackResponses, GetEmailProvidersByIdData, GetEmailProvidersByIdError, GetEmailProvidersByIdErrors, GetEmailProvidersByIdOauthAuthorizeData, GetEmailProvidersByIdOauthAuthorizeError, GetEmailProvidersByIdOauthAuthorizeErrors, GetEmailProvidersByIdOauthAuthorizeResponse, GetEmailProvidersByIdOauthAuthorizeResponses, GetEmailProvidersByIdOauthStatusData, GetEmailProvidersByIdOauthStatusError, GetEmailProvidersByIdOauthStatusErrors, GetEmailProvidersByIdOauthStatusResponse, GetEmailProvidersByIdOauthStatusResponses, GetEmailProvidersByIdResponse, GetEmailProvidersByIdResponses, GetEmailProvidersData, GetEmailProvidersError, GetEmailProvidersErrors, GetEmailProvidersMetaData, GetEmailProvidersMetaResponse, GetEmailProvidersMetaResponses, GetEmailProvidersResponse, GetEmailProvidersResponses, GetMemoryProvidersByIdData, GetMemoryProvidersByIdError, GetMemoryProvidersByIdErrors, GetMemoryProvidersByIdResponse, GetMemoryProvidersByIdResponses, GetMemoryProvidersByIdStatusData, GetMemoryProvidersByIdStatusError, GetMemoryProvidersByIdStatusErrors, GetMemoryProvidersByIdStatusResponse, GetMemoryProvidersByIdStatusResponses, GetMemoryProvidersData, GetMemoryProvidersError, GetMemoryProvidersErrors, GetMemoryProvidersMetaData, GetMemoryProvidersMetaResponse, GetMemoryProvidersMetaResponses, GetMemoryProvidersResponse, GetMemoryProvidersResponses, GetModelsByIdData, GetModelsByIdError, GetModelsByIdErrors, GetModelsByIdResponse, GetModelsByIdResponses, GetModelsCountData, GetModelsCountError, GetModelsCountErrors, GetModelsCountResponse, GetModelsCountResponses, GetModelsData, GetModelsError, GetModelsErrors, GetModelsModelByModelIdData, GetModelsModelByModelIdError, GetModelsModelByModelIdErrors, GetModelsModelByModelIdResponse, GetModelsModelByModelIdResponses, GetModelsResponse, GetModelsResponses, GetPingData, GetPingResponse, GetPingResponses, GetProvidersByIdData, GetProvidersByIdError, GetProvidersByIdErrors, GetProvidersByIdModelsData, GetProvidersByIdModelsError, GetProvidersByIdModelsErrors, GetProvidersByIdModelsResponse, GetProvidersByIdModelsResponses, GetProvidersByIdOauthAuthorizeData, GetProvidersByIdOauthAuthorizeError, GetProvidersByIdOauthAuthorizeErrors, GetProvidersByIdOauthAuthorizeResponse, GetProvidersByIdOauthAuthorizeResponses, GetProvidersByIdOauthStatusData, GetProvidersByIdOauthStatusError, GetProvidersByIdOauthStatusErrors, GetProvidersByIdOauthStatusResponse, GetProvidersByIdOauthStatusResponses, GetProvidersByIdResponse, GetProvidersByIdResponses, GetProvidersCountData, GetProvidersCountError, GetProvidersCountErrors, GetProvidersCountResponse, GetProvidersCountResponses, GetProvidersData, GetProvidersError, GetProvidersErrors, GetProvidersNameByNameData, GetProvidersNameByNameError, GetProvidersNameByNameErrors, GetProvidersNameByNameResponse, GetProvidersNameByNameResponses, GetProvidersOauthCallbackData, GetProvidersOauthCallbackError, GetProvidersOauthCallbackErrors, GetProvidersOauthCallbackResponse, GetProvidersOauthCallbackResponses, GetProvidersResponse, GetProvidersResponses, GetSearchProvidersByIdData, GetSearchProvidersByIdError, GetSearchProvidersByIdErrors, GetSearchProvidersByIdResponse, GetSearchProvidersByIdResponses, GetSearchProvidersData, GetSearchProvidersError, GetSearchProvidersErrors, GetSearchProvidersMetaData, GetSearchProvidersMetaResponse, GetSearchProvidersMetaResponses, GetSearchProvidersResponse, GetSearchProvidersResponses, GetSpeechModelsByIdCapabilitiesData, GetSpeechModelsByIdCapabilitiesError, GetSpeechModelsByIdCapabilitiesErrors, GetSpeechModelsByIdCapabilitiesResponse, GetSpeechModelsByIdCapabilitiesResponses, GetSpeechModelsByIdData, GetSpeechModelsByIdError, GetSpeechModelsByIdErrors, GetSpeechModelsByIdResponse, GetSpeechModelsByIdResponses, GetSpeechModelsData, GetSpeechModelsError, GetSpeechModelsErrors, GetSpeechModelsResponse, GetSpeechModelsResponses, GetSpeechProvidersByIdData, GetSpeechProvidersByIdError, GetSpeechProvidersByIdErrors, GetSpeechProvidersByIdModelsData, GetSpeechProvidersByIdModelsError, GetSpeechProvidersByIdModelsErrors, GetSpeechProvidersByIdModelsResponse, GetSpeechProvidersByIdModelsResponses, GetSpeechProvidersByIdResponse, GetSpeechProvidersByIdResponses, GetSpeechProvidersData, GetSpeechProvidersError, GetSpeechProvidersErrors, GetSpeechProvidersMetaData, GetSpeechProvidersMetaResponse, GetSpeechProvidersMetaResponses, GetSpeechProvidersResponse, GetSpeechProvidersResponses, GetSupermarketMcpsByIdData, GetSupermarketMcpsByIdError, GetSupermarketMcpsByIdErrors, GetSupermarketMcpsByIdResponse, GetSupermarketMcpsByIdResponses, GetSupermarketMcpsData, GetSupermarketMcpsError, GetSupermarketMcpsErrors, GetSupermarketMcpsResponse, GetSupermarketMcpsResponses, GetSupermarketSkillsByIdData, GetSupermarketSkillsByIdError, GetSupermarketSkillsByIdErrors, GetSupermarketSkillsByIdResponse, GetSupermarketSkillsByIdResponses, GetSupermarketSkillsData, GetSupermarketSkillsError, GetSupermarketSkillsErrors, GetSupermarketSkillsResponse, GetSupermarketSkillsResponses, GetSupermarketTagsData, GetSupermarketTagsError, GetSupermarketTagsErrors, GetSupermarketTagsResponse, GetSupermarketTagsResponses, GetTranscriptionModelsByIdCapabilitiesData, GetTranscriptionModelsByIdCapabilitiesError, GetTranscriptionModelsByIdCapabilitiesErrors, GetTranscriptionModelsByIdCapabilitiesResponse, GetTranscriptionModelsByIdCapabilitiesResponses, GetTranscriptionModelsByIdData, GetTranscriptionModelsByIdError, GetTranscriptionModelsByIdErrors, GetTranscriptionModelsByIdResponse, GetTranscriptionModelsByIdResponses, GetTranscriptionModelsData, GetTranscriptionModelsError, GetTranscriptionModelsErrors, GetTranscriptionModelsResponse, GetTranscriptionModelsResponses, GetTranscriptionProvidersByIdData, GetTranscriptionProvidersByIdError, GetTranscriptionProvidersByIdErrors, GetTranscriptionProvidersByIdModelsData, GetTranscriptionProvidersByIdModelsError, GetTranscriptionProvidersByIdModelsErrors, GetTranscriptionProvidersByIdModelsResponse, GetTranscriptionProvidersByIdModelsResponses, GetTranscriptionProvidersByIdResponse, GetTranscriptionProvidersByIdResponses, GetTranscriptionProvidersData, GetTranscriptionProvidersError, GetTranscriptionProvidersErrors, GetTranscriptionProvidersMetaData, GetTranscriptionProvidersMetaResponse, GetTranscriptionProvidersMetaResponses, GetTranscriptionProvidersResponse, GetTranscriptionProvidersResponses, GetUsersByIdData, GetUsersByIdError, GetUsersByIdErrors, GetUsersByIdResponse, GetUsersByIdResponses, GetUsersData, GetUsersError, GetUsersErrors, GetUsersMeChannelsByPlatformData, GetUsersMeChannelsByPlatformError, GetUsersMeChannelsByPlatformErrors, GetUsersMeChannelsByPlatformResponse, GetUsersMeChannelsByPlatformResponses, GetUsersMeData, GetUsersMeError, GetUsersMeErrors, GetUsersMeIdentitiesData, GetUsersMeIdentitiesError, GetUsersMeIdentitiesErrors, GetUsersMeIdentitiesResponse, GetUsersMeIdentitiesResponses, GetUsersMeResponse, GetUsersMeResponses, GetUsersResponse, GetUsersResponses, GithubComMemohaiMemohInternalMcpConnection, HandlersBatchDeleteRequest, HandlersBrowserCoresResponse, HandlersCacheStats, HandlersChannelMeta, HandlersContainerCpuMetricsResponse, HandlersContainerGpuRequest, HandlersContainerMemoryMetricsResponse, HandlersContainerMetricsPayloadResponse, HandlersContainerMetricsStatusResponse, HandlersContainerStorageMetricsResponse, HandlersContextUsage, HandlersCreateContainerRequest, HandlersCreateContainerResponse, HandlersCreateSessionRequest, HandlersCreateSnapshotRequest, HandlersCreateSnapshotResponse, HandlersDailyTokenUsage, HandlersEmailOAuthStatusResponse, HandlersErrorResponse, HandlersFsDeleteRequest, HandlersFsFileInfo, HandlersFsListResponse, HandlersFsMkdirRequest, HandlersFsOpResponse, HandlersFsReadResponse, HandlersFsRenameRequest, HandlersFsUploadResponse, HandlersFsWriteRequest, HandlersGetContainerMetricsResponse, HandlersGetContainerResponse, HandlersInstallMcpRequest, HandlersInstallSkillRequest, HandlersListMyIdentitiesResponse, HandlersListSnapshotsResponse, HandlersLocalChannelMessageRequest, HandlersLoginRequest, HandlersLoginResponse, HandlersMcpStdioRequest, HandlersMcpStdioResponse, HandlersMemoryAddPayload, HandlersMemoryCompactPayload, HandlersMemoryDeletePayload, HandlersMemorySearchPayload, HandlersModelTokenUsage, HandlersOauthAuthorizeRequest, HandlersOauthDiscoverRequest, HandlersOauthExchangeRequest, HandlersPingResponse, HandlersProbeResponse, HandlersRefreshResponse, HandlersRollbackRequest, HandlersSessionInfoResponse, HandlersSkillItem, HandlersSkillsActionRequest, HandlersSkillsDeleteRequest, HandlersSkillsOpResponse, HandlersSkillsResponse, HandlersSkillsUpsertRequest, HandlersSnapshotInfo, HandlersSupermarketAuthor, HandlersSupermarketConfigVar, HandlersSupermarketMcpEntry, HandlersSupermarketMcpListResponse, HandlersSupermarketSkillEntry, HandlersSupermarketSkillListResponse, HandlersSupermarketSkillMetadata, HandlersSupermarketTagsResponse, HandlersSynthesizeRequest, HandlersSynthesizeResponse, HandlersTerminalInfoResponse, HandlersTokenUsageRecord, HandlersTokenUsageRecordsResponse, HandlersTokenUsageResponse, HandlersToolApprovalDecisionRequest, HandlersTriggerCompactResponse, HandlersUpdateSessionRequest, HeartbeatListLogsResponse, HeartbeatLog, IdentitiesChannelIdentity, McpAuthorizeResult, McpDiscoveryResult, McpExportResponse, McpImportRequest, McpListResponse, McpMcpServerEntry, McpOAuthStatus, McpToolDescriptor, McpUpsertRequest, MessageMessage, MessageMessageAsset, ModelsAddRequest, ModelsAddResponse, ModelsCountResponse, ModelsGetResponse, ModelsModelConfig, ModelsModelType, ModelsTestResponse, ModelsTestStatus, ModelsUpdateRequest, PatchBotsByBotIdSessionsBySessionIdData, PatchBotsByBotIdSessionsBySessionIdError, PatchBotsByBotIdSessionsBySessionIdErrors, PatchBotsByBotIdSessionsBySessionIdResponse, PatchBotsByBotIdSessionsBySessionIdResponses, PatchBotsByIdChannelByPlatformStatusData, PatchBotsByIdChannelByPlatformStatusError, PatchBotsByIdChannelByPlatformStatusErrors, PatchBotsByIdChannelByPlatformStatusResponse, PatchBotsByIdChannelByPlatformStatusResponses, PostAuthLoginData, PostAuthLoginError, PostAuthLoginErrors, PostAuthLoginResponse, PostAuthLoginResponses, PostAuthRefreshData, PostAuthRefreshError, PostAuthRefreshErrors, PostAuthRefreshResponse, PostAuthRefreshResponses, PostBotsByBotIdAclRulesData, PostBotsByBotIdAclRulesError, PostBotsByBotIdAclRulesErrors, PostBotsByBotIdAclRulesResponse, PostBotsByBotIdAclRulesResponses, PostBotsByBotIdContainerData, PostBotsByBotIdContainerDataExportData, PostBotsByBotIdContainerDataExportError, PostBotsByBotIdContainerDataExportErrors, PostBotsByBotIdContainerDataExportResponses, PostBotsByBotIdContainerDataImportData, PostBotsByBotIdContainerDataImportError, PostBotsByBotIdContainerDataImportErrors, PostBotsByBotIdContainerDataImportResponse, PostBotsByBotIdContainerDataImportResponses, PostBotsByBotIdContainerDataRestoreData, PostBotsByBotIdContainerDataRestoreError, PostBotsByBotIdContainerDataRestoreErrors, PostBotsByBotIdContainerDataRestoreResponse, PostBotsByBotIdContainerDataRestoreResponses, PostBotsByBotIdContainerError, PostBotsByBotIdContainerErrors, PostBotsByBotIdContainerFsDeleteData, PostBotsByBotIdContainerFsDeleteError, PostBotsByBotIdContainerFsDeleteErrors, PostBotsByBotIdContainerFsDeleteResponse, PostBotsByBotIdContainerFsDeleteResponses, PostBotsByBotIdContainerFsMkdirData, PostBotsByBotIdContainerFsMkdirError, PostBotsByBotIdContainerFsMkdirErrors, PostBotsByBotIdContainerFsMkdirResponse, PostBotsByBotIdContainerFsMkdirResponses, PostBotsByBotIdContainerFsRenameData, PostBotsByBotIdContainerFsRenameError, PostBotsByBotIdContainerFsRenameErrors, PostBotsByBotIdContainerFsRenameResponse, PostBotsByBotIdContainerFsRenameResponses, PostBotsByBotIdContainerFsUploadData, PostBotsByBotIdContainerFsUploadError, PostBotsByBotIdContainerFsUploadErrors, PostBotsByBotIdContainerFsUploadResponse, PostBotsByBotIdContainerFsUploadResponses, PostBotsByBotIdContainerFsWriteData, PostBotsByBotIdContainerFsWriteError, PostBotsByBotIdContainerFsWriteErrors, PostBotsByBotIdContainerFsWriteResponse, PostBotsByBotIdContainerFsWriteResponses, PostBotsByBotIdContainerResponse, PostBotsByBotIdContainerResponses, PostBotsByBotIdContainerSkillsActionsData, PostBotsByBotIdContainerSkillsActionsError, PostBotsByBotIdContainerSkillsActionsErrors, PostBotsByBotIdContainerSkillsActionsResponse, PostBotsByBotIdContainerSkillsActionsResponses, PostBotsByBotIdContainerSkillsData, PostBotsByBotIdContainerSkillsError, PostBotsByBotIdContainerSkillsErrors, PostBotsByBotIdContainerSkillsResponse, PostBotsByBotIdContainerSkillsResponses, PostBotsByBotIdContainerSnapshotsData, PostBotsByBotIdContainerSnapshotsError, PostBotsByBotIdContainerSnapshotsErrors, PostBotsByBotIdContainerSnapshotsResponse, PostBotsByBotIdContainerSnapshotsResponses, PostBotsByBotIdContainerSnapshotsRollbackData, PostBotsByBotIdContainerSnapshotsRollbackError, PostBotsByBotIdContainerSnapshotsRollbackErrors, PostBotsByBotIdContainerSnapshotsRollbackResponse, PostBotsByBotIdContainerSnapshotsRollbackResponses, PostBotsByBotIdContainerStartData, PostBotsByBotIdContainerStartError, PostBotsByBotIdContainerStartErrors, PostBotsByBotIdContainerStartResponse, PostBotsByBotIdContainerStartResponses, PostBotsByBotIdContainerStopData, PostBotsByBotIdContainerStopError, PostBotsByBotIdContainerStopErrors, PostBotsByBotIdContainerStopResponse, PostBotsByBotIdContainerStopResponses, PostBotsByBotIdEmailBindingsData, PostBotsByBotIdEmailBindingsError, PostBotsByBotIdEmailBindingsErrors, PostBotsByBotIdEmailBindingsResponse, PostBotsByBotIdEmailBindingsResponses, PostBotsByBotIdLocalMessagesData, PostBotsByBotIdLocalMessagesError, PostBotsByBotIdLocalMessagesErrors, PostBotsByBotIdLocalMessagesResponse, PostBotsByBotIdLocalMessagesResponses, PostBotsByBotIdMcpByIdOauthAuthorizeData, PostBotsByBotIdMcpByIdOauthAuthorizeError, PostBotsByBotIdMcpByIdOauthAuthorizeErrors, PostBotsByBotIdMcpByIdOauthAuthorizeResponse, PostBotsByBotIdMcpByIdOauthAuthorizeResponses, PostBotsByBotIdMcpByIdOauthDiscoverData, PostBotsByBotIdMcpByIdOauthDiscoverError, PostBotsByBotIdMcpByIdOauthDiscoverErrors, PostBotsByBotIdMcpByIdOauthDiscoverResponse, PostBotsByBotIdMcpByIdOauthDiscoverResponses, PostBotsByBotIdMcpByIdOauthExchangeData, PostBotsByBotIdMcpByIdOauthExchangeError, PostBotsByBotIdMcpByIdOauthExchangeErrors, PostBotsByBotIdMcpByIdOauthExchangeResponse, PostBotsByBotIdMcpByIdOauthExchangeResponses, PostBotsByBotIdMcpByIdProbeData, PostBotsByBotIdMcpByIdProbeError, PostBotsByBotIdMcpByIdProbeErrors, PostBotsByBotIdMcpByIdProbeResponse, PostBotsByBotIdMcpByIdProbeResponses, PostBotsByBotIdMcpData, PostBotsByBotIdMcpError, PostBotsByBotIdMcpErrors, PostBotsByBotIdMcpOpsBatchDeleteData, PostBotsByBotIdMcpOpsBatchDeleteError, PostBotsByBotIdMcpOpsBatchDeleteErrors, PostBotsByBotIdMcpOpsBatchDeleteResponses, PostBotsByBotIdMcpResponse, PostBotsByBotIdMcpResponses, PostBotsByBotIdMcpStdioByConnectionIdData, PostBotsByBotIdMcpStdioByConnectionIdError, PostBotsByBotIdMcpStdioByConnectionIdErrors, PostBotsByBotIdMcpStdioByConnectionIdResponse, PostBotsByBotIdMcpStdioByConnectionIdResponses, PostBotsByBotIdMcpStdioData, PostBotsByBotIdMcpStdioError, PostBotsByBotIdMcpStdioErrors, PostBotsByBotIdMcpStdioResponse, PostBotsByBotIdMcpStdioResponses, PostBotsByBotIdMemoryCompactData, PostBotsByBotIdMemoryCompactError, PostBotsByBotIdMemoryCompactErrors, PostBotsByBotIdMemoryCompactResponse, PostBotsByBotIdMemoryCompactResponses, PostBotsByBotIdMemoryData, PostBotsByBotIdMemoryError, PostBotsByBotIdMemoryErrors, PostBotsByBotIdMemoryRebuildData, PostBotsByBotIdMemoryRebuildError, PostBotsByBotIdMemoryRebuildErrors, PostBotsByBotIdMemoryRebuildResponse, PostBotsByBotIdMemoryRebuildResponses, PostBotsByBotIdMemoryResponse, PostBotsByBotIdMemoryResponses, PostBotsByBotIdMemorySearchData, PostBotsByBotIdMemorySearchError, PostBotsByBotIdMemorySearchErrors, PostBotsByBotIdMemorySearchResponse, PostBotsByBotIdMemorySearchResponses, PostBotsByBotIdScheduleData, PostBotsByBotIdScheduleError, PostBotsByBotIdScheduleErrors, PostBotsByBotIdScheduleResponse, PostBotsByBotIdScheduleResponses, PostBotsByBotIdSessionsBySessionIdCompactData, PostBotsByBotIdSessionsBySessionIdCompactError, PostBotsByBotIdSessionsBySessionIdCompactErrors, PostBotsByBotIdSessionsBySessionIdCompactResponse, PostBotsByBotIdSessionsBySessionIdCompactResponses, PostBotsByBotIdSessionsData, PostBotsByBotIdSessionsError, PostBotsByBotIdSessionsErrors, PostBotsByBotIdSessionsResponse, PostBotsByBotIdSessionsResponses, PostBotsByBotIdSettingsData, PostBotsByBotIdSettingsError, PostBotsByBotIdSettingsErrors, PostBotsByBotIdSettingsResponse, PostBotsByBotIdSettingsResponses, PostBotsByBotIdSupermarketInstallMcpData, PostBotsByBotIdSupermarketInstallMcpError, PostBotsByBotIdSupermarketInstallMcpErrors, PostBotsByBotIdSupermarketInstallMcpResponse, PostBotsByBotIdSupermarketInstallMcpResponses, PostBotsByBotIdSupermarketInstallSkillData, PostBotsByBotIdSupermarketInstallSkillError, PostBotsByBotIdSupermarketInstallSkillErrors, PostBotsByBotIdSupermarketInstallSkillResponse, PostBotsByBotIdSupermarketInstallSkillResponses, PostBotsByBotIdToolApprovalsByApprovalIdApproveData, PostBotsByBotIdToolApprovalsByApprovalIdApproveError, PostBotsByBotIdToolApprovalsByApprovalIdApproveErrors, PostBotsByBotIdToolApprovalsByApprovalIdApproveResponse, PostBotsByBotIdToolApprovalsByApprovalIdApproveResponses, PostBotsByBotIdToolApprovalsByApprovalIdRejectData, PostBotsByBotIdToolApprovalsByApprovalIdRejectError, PostBotsByBotIdToolApprovalsByApprovalIdRejectErrors, PostBotsByBotIdToolApprovalsByApprovalIdRejectResponse, PostBotsByBotIdToolApprovalsByApprovalIdRejectResponses, PostBotsByBotIdToolsData, PostBotsByBotIdToolsError, PostBotsByBotIdToolsErrors, PostBotsByBotIdToolsResponse, PostBotsByBotIdToolsResponses, PostBotsByBotIdTtsSynthesizeData, PostBotsByBotIdTtsSynthesizeError, PostBotsByBotIdTtsSynthesizeErrors, PostBotsByBotIdTtsSynthesizeResponse, PostBotsByBotIdTtsSynthesizeResponses, PostBotsByIdChannelByPlatformSendChatData, PostBotsByIdChannelByPlatformSendChatError, PostBotsByIdChannelByPlatformSendChatErrors, PostBotsByIdChannelByPlatformSendChatResponse, PostBotsByIdChannelByPlatformSendChatResponses, PostBotsByIdChannelByPlatformSendData, PostBotsByIdChannelByPlatformSendError, PostBotsByIdChannelByPlatformSendErrors, PostBotsByIdChannelByPlatformSendResponse, PostBotsByIdChannelByPlatformSendResponses, PostBotsData, PostBotsError, PostBotsErrors, PostBotsResponse, PostBotsResponses, PostBrowserContextsData, PostBrowserContextsError, PostBrowserContextsErrors, PostBrowserContextsResponse, PostBrowserContextsResponses, PostEmailMailgunWebhookByConfigIdData, PostEmailMailgunWebhookByConfigIdError, PostEmailMailgunWebhookByConfigIdErrors, PostEmailMailgunWebhookByConfigIdResponse, PostEmailMailgunWebhookByConfigIdResponses, PostEmailProvidersData, PostEmailProvidersError, PostEmailProvidersErrors, PostEmailProvidersResponse, PostEmailProvidersResponses, PostMemoryProvidersData, PostMemoryProvidersError, PostMemoryProvidersErrors, PostMemoryProvidersResponse, PostMemoryProvidersResponses, PostModelsByIdTestData, PostModelsByIdTestError, PostModelsByIdTestErrors, PostModelsByIdTestResponse, PostModelsByIdTestResponses, PostModelsData, PostModelsError, PostModelsErrors, PostModelsResponse, PostModelsResponses, PostProvidersByIdImportModelsData, PostProvidersByIdImportModelsError, PostProvidersByIdImportModelsErrors, PostProvidersByIdImportModelsResponse, PostProvidersByIdImportModelsResponses, PostProvidersByIdOauthPollData, PostProvidersByIdOauthPollError, PostProvidersByIdOauthPollErrors, PostProvidersByIdOauthPollResponse, PostProvidersByIdOauthPollResponses, PostProvidersByIdTestData, PostProvidersByIdTestError, PostProvidersByIdTestErrors, PostProvidersByIdTestResponse, PostProvidersByIdTestResponses, PostProvidersData, PostProvidersError, PostProvidersErrors, PostProvidersResponse, PostProvidersResponses, PostSearchProvidersData, PostSearchProvidersError, PostSearchProvidersErrors, PostSearchProvidersResponse, PostSearchProvidersResponses, PostSpeechModelsByIdTestData, PostSpeechModelsByIdTestError, PostSpeechModelsByIdTestErrors, PostSpeechModelsByIdTestResponses, PostSpeechProvidersByIdImportModelsData, PostSpeechProvidersByIdImportModelsError, PostSpeechProvidersByIdImportModelsErrors, PostSpeechProvidersByIdImportModelsResponse, PostSpeechProvidersByIdImportModelsResponses, PostTranscriptionModelsByIdTestData, PostTranscriptionModelsByIdTestError, PostTranscriptionModelsByIdTestErrors, PostTranscriptionModelsByIdTestResponse, PostTranscriptionModelsByIdTestResponses, PostTranscriptionProvidersByIdImportModelsData, PostTranscriptionProvidersByIdImportModelsError, PostTranscriptionProvidersByIdImportModelsErrors, PostTranscriptionProvidersByIdImportModelsResponse, PostTranscriptionProvidersByIdImportModelsResponses, PostUsersData, PostUsersError, PostUsersErrors, PostUsersResponse, PostUsersResponses, ProvidersCountResponse, ProvidersCreateRequest, ProvidersGetResponse, ProvidersImportModelsResponse, ProvidersOAuthAccount, ProvidersOAuthAuthorizeResponse, ProvidersOAuthDeviceStatus, ProvidersOAuthStatus, ProvidersTestResponse, ProvidersUpdateRequest, PutBotsByBotIdAclDefaultEffectData, PutBotsByBotIdAclDefaultEffectError, PutBotsByBotIdAclDefaultEffectErrors, PutBotsByBotIdAclDefaultEffectResponses, PutBotsByBotIdAclRulesByRuleIdData, PutBotsByBotIdAclRulesByRuleIdError, PutBotsByBotIdAclRulesByRuleIdErrors, PutBotsByBotIdAclRulesByRuleIdResponse, PutBotsByBotIdAclRulesByRuleIdResponses, PutBotsByBotIdAclRulesReorderData, PutBotsByBotIdAclRulesReorderError, PutBotsByBotIdAclRulesReorderErrors, PutBotsByBotIdAclRulesReorderResponses, PutBotsByBotIdEmailBindingsByIdData, PutBotsByBotIdEmailBindingsByIdError, PutBotsByBotIdEmailBindingsByIdErrors, PutBotsByBotIdEmailBindingsByIdResponse, PutBotsByBotIdEmailBindingsByIdResponses, PutBotsByBotIdMcpByIdData, PutBotsByBotIdMcpByIdError, PutBotsByBotIdMcpByIdErrors, PutBotsByBotIdMcpByIdResponse, PutBotsByBotIdMcpByIdResponses, PutBotsByBotIdMcpImportData, PutBotsByBotIdMcpImportError, PutBotsByBotIdMcpImportErrors, PutBotsByBotIdMcpImportResponse, PutBotsByBotIdMcpImportResponses, PutBotsByBotIdScheduleByIdData, PutBotsByBotIdScheduleByIdError, PutBotsByBotIdScheduleByIdErrors, PutBotsByBotIdScheduleByIdResponse, PutBotsByBotIdScheduleByIdResponses, PutBotsByBotIdSettingsData, PutBotsByBotIdSettingsError, PutBotsByBotIdSettingsErrors, PutBotsByBotIdSettingsResponse, PutBotsByBotIdSettingsResponses, PutBotsByIdChannelByPlatformData, PutBotsByIdChannelByPlatformError, PutBotsByIdChannelByPlatformErrors, PutBotsByIdChannelByPlatformResponse, PutBotsByIdChannelByPlatformResponses, PutBotsByIdData, PutBotsByIdError, PutBotsByIdErrors, PutBotsByIdOwnerData, PutBotsByIdOwnerError, PutBotsByIdOwnerErrors, PutBotsByIdOwnerResponse, PutBotsByIdOwnerResponses, PutBotsByIdResponse, PutBotsByIdResponses, PutBrowserContextsByIdData, PutBrowserContextsByIdError, PutBrowserContextsByIdErrors, PutBrowserContextsByIdResponse, PutBrowserContextsByIdResponses, PutEmailProvidersByIdData, PutEmailProvidersByIdError, PutEmailProvidersByIdErrors, PutEmailProvidersByIdResponse, PutEmailProvidersByIdResponses, PutMemoryProvidersByIdData, PutMemoryProvidersByIdError, PutMemoryProvidersByIdErrors, PutMemoryProvidersByIdResponse, PutMemoryProvidersByIdResponses, PutModelsByIdData, PutModelsByIdError, PutModelsByIdErrors, PutModelsByIdResponse, PutModelsByIdResponses, PutModelsModelByModelIdData, PutModelsModelByModelIdError, PutModelsModelByModelIdErrors, PutModelsModelByModelIdResponse, PutModelsModelByModelIdResponses, PutProvidersByIdData, PutProvidersByIdError, PutProvidersByIdErrors, PutProvidersByIdResponse, PutProvidersByIdResponses, PutSearchProvidersByIdData, PutSearchProvidersByIdError, PutSearchProvidersByIdErrors, PutSearchProvidersByIdResponse, PutSearchProvidersByIdResponses, PutSpeechModelsByIdData, PutSpeechModelsByIdError, PutSpeechModelsByIdErrors, PutSpeechModelsByIdResponse, PutSpeechModelsByIdResponses, PutTranscriptionModelsByIdData, PutTranscriptionModelsByIdError, PutTranscriptionModelsByIdErrors, PutTranscriptionModelsByIdResponse, PutTranscriptionModelsByIdResponses, PutUsersByIdData, PutUsersByIdError, PutUsersByIdErrors, PutUsersByIdPasswordData, PutUsersByIdPasswordError, PutUsersByIdPasswordErrors, PutUsersByIdPasswordResponses, PutUsersByIdResponse, PutUsersByIdResponses, PutUsersMeChannelsByPlatformData, PutUsersMeChannelsByPlatformError, PutUsersMeChannelsByPlatformErrors, PutUsersMeChannelsByPlatformResponse, PutUsersMeChannelsByPlatformResponses, PutUsersMeData, PutUsersMeError, PutUsersMeErrors, PutUsersMePasswordData, PutUsersMePasswordError, PutUsersMePasswordErrors, PutUsersMePasswordResponses, PutUsersMeResponse, PutUsersMeResponses, ScheduleCreateRequest, ScheduleListLogsResponse, ScheduleListResponse, ScheduleLog, ScheduleNullableInt, ScheduleSchedule, ScheduleUpdateRequest, SearchprovidersCreateRequest, SearchprovidersGetResponse, SearchprovidersProviderConfigSchema, SearchprovidersProviderFieldSchema, SearchprovidersProviderMeta, SearchprovidersProviderName, SearchprovidersUpdateRequest, SessionSession, SettingsSettings, SettingsToolApprovalConfig, SettingsToolApprovalExecPolicy, SettingsToolApprovalFilePolicy, SettingsUpsertRequest } from './types.gen';
+export { deleteBotsByBotIdAclRulesByRuleId, deleteBotsByBotIdCompactionLogs, deleteBotsByBotIdContainer, deleteBotsByBotIdContainerSkills, deleteBotsByBotIdEmailBindingsById, deleteBotsByBotIdHeartbeatLogs, deleteBotsByBotIdMcpById, deleteBotsByBotIdMcpByIdOauthToken, deleteBotsByBotIdMemory, deleteBotsByBotIdMemoryById, deleteBotsByBotIdMessages, deleteBotsByBotIdScheduleById, deleteBotsByBotIdScheduleLogs, deleteBotsByBotIdSessionsBySessionId, deleteBotsByBotIdSettings, deleteBotsById, deleteBotsByIdChannelByPlatform, deleteBrowserContextsById, deleteEmailProvidersById, deleteEmailProvidersByIdOauthToken, deleteIamGroupsById, deleteIamGroupsByIdMembersByUserId, deleteIamPrincipalRolesById, deleteIamSsoProvidersById, deleteIamSsoProvidersByIdGroupMappingsByExternalGroup, deleteMemoryProvidersById, deleteModelsById, deleteModelsModelByModelId, deleteProvidersById, deleteProvidersByIdOauthToken, deleteSearchProvidersById, getAuthSsoByProviderIdCallback, getAuthSsoByProviderIdSamlMetadata, getAuthSsoByProviderIdSamlStart, getAuthSsoByProviderIdStart, getAuthSsoProviders, getBots, getBotsByBotIdAclChannelIdentities, getBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversations, getBotsByBotIdAclChannelTypesByChannelTypeConversations, getBotsByBotIdAclDefaultEffect, getBotsByBotIdAclRules, getBotsByBotIdCompactionLogs, getBotsByBotIdContainer, getBotsByBotIdContainerFs, getBotsByBotIdContainerFsDownload, getBotsByBotIdContainerFsList, getBotsByBotIdContainerFsRead, getBotsByBotIdContainerMetrics, getBotsByBotIdContainerSkills, getBotsByBotIdContainerSnapshots, getBotsByBotIdContainerTerminal, getBotsByBotIdContainerTerminalWs, getBotsByBotIdEmailBindings, getBotsByBotIdEmailOutbox, getBotsByBotIdEmailOutboxById, getBotsByBotIdHeartbeatLogs, getBotsByBotIdLocalStream, getBotsByBotIdLocalWs, getBotsByBotIdMcp, getBotsByBotIdMcpById, getBotsByBotIdMcpByIdOauthStatus, getBotsByBotIdMcpExport, getBotsByBotIdMemory, getBotsByBotIdMemoryStatus, getBotsByBotIdMemoryUsage, getBotsByBotIdMessages, getBotsByBotIdSchedule, getBotsByBotIdScheduleById, getBotsByBotIdScheduleByIdLogs, getBotsByBotIdScheduleLogs, getBotsByBotIdSessions, getBotsByBotIdSessionsBySessionId, getBotsByBotIdSessionsBySessionIdStatus, getBotsByBotIdSettings, getBotsByBotIdTokenUsage, getBotsByBotIdTokenUsageRecords, getBotsById, getBotsByIdChannelByPlatform, getBotsByIdChecks, getBrowserContexts, getBrowserContextsById, getBrowserContextsCores, getChannels, getChannelsByPlatform, getEmailOauthCallback, getEmailProviders, getEmailProvidersById, getEmailProvidersByIdOauthAuthorize, getEmailProvidersByIdOauthStatus, getEmailProvidersMeta, getIamBotsByBotIdPrincipalRoles, getIamGroups, getIamGroupsByIdMembers, getIamRoles, getIamSsoProviders, getIamSsoProvidersByIdGroupMappings, getMemoryProviders, getMemoryProvidersById, getMemoryProvidersByIdStatus, getMemoryProvidersMeta, getModels, getModelsById, getModelsCount, getModelsModelByModelId, getPing, getProviders, getProvidersById, getProvidersByIdModels, getProvidersByIdOauthAuthorize, getProvidersByIdOauthStatus, getProvidersCount, getProvidersNameByName, getProvidersOauthCallback, getSearchProviders, getSearchProvidersById, getSearchProvidersMeta, getSpeechModels, getSpeechModelsById, getSpeechModelsByIdCapabilities, getSpeechProviders, getSpeechProvidersById, getSpeechProvidersByIdModels, getSpeechProvidersMeta, getSupermarketMcps, getSupermarketMcpsById, getSupermarketSkills, getSupermarketSkillsById, getSupermarketTags, getTranscriptionModels, getTranscriptionModelsById, getTranscriptionModelsByIdCapabilities, getTranscriptionProviders, getTranscriptionProvidersById, getTranscriptionProvidersByIdModels, getTranscriptionProvidersMeta, getUsers, getUsersById, getUsersMe, getUsersMeChannelsByPlatform, getUsersMeIdentities, type Options, patchBotsByBotIdSessionsBySessionId, patchBotsByIdChannelByPlatformStatus, postAuthLogin, postAuthRefresh, postAuthSsoByProviderIdSamlAcs, postAuthSsoExchange, postBots, postBotsByBotIdAclRules, postBotsByBotIdContainer, postBotsByBotIdContainerDataExport, postBotsByBotIdContainerDataImport, postBotsByBotIdContainerDataRestore, postBotsByBotIdContainerFsDelete, postBotsByBotIdContainerFsMkdir, postBotsByBotIdContainerFsRename, postBotsByBotIdContainerFsUpload, postBotsByBotIdContainerFsWrite, postBotsByBotIdContainerSkills, postBotsByBotIdContainerSkillsActions, postBotsByBotIdContainerSnapshots, postBotsByBotIdContainerSnapshotsRollback, postBotsByBotIdContainerStart, postBotsByBotIdContainerStop, postBotsByBotIdEmailBindings, postBotsByBotIdLocalMessages, postBotsByBotIdMcp, postBotsByBotIdMcpByIdOauthAuthorize, postBotsByBotIdMcpByIdOauthDiscover, postBotsByBotIdMcpByIdOauthExchange, postBotsByBotIdMcpByIdProbe, postBotsByBotIdMcpOpsBatchDelete, postBotsByBotIdMcpStdio, postBotsByBotIdMcpStdioByConnectionId, postBotsByBotIdMemory, postBotsByBotIdMemoryCompact, postBotsByBotIdMemoryRebuild, postBotsByBotIdMemorySearch, postBotsByBotIdSchedule, postBotsByBotIdSessions, postBotsByBotIdSessionsBySessionIdCompact, postBotsByBotIdSettings, postBotsByBotIdSupermarketInstallMcp, postBotsByBotIdSupermarketInstallSkill, postBotsByBotIdToolApprovalsByApprovalIdApprove, postBotsByBotIdToolApprovalsByApprovalIdReject, postBotsByBotIdTools, postBotsByBotIdTtsSynthesize, postBotsByIdChannelByPlatformSend, postBotsByIdChannelByPlatformSendChat, postBrowserContexts, postEmailMailgunWebhookByConfigId, postEmailProviders, postIamBotsByBotIdPrincipalRoles, postIamGroups, postIamGroupsByIdMembers, postIamSsoProviders, postIamSsoProvidersByIdGroupMappings, postMemoryProviders, postModels, postModelsByIdTest, postProviders, postProvidersByIdImportModels, postProvidersByIdOauthPoll, postProvidersByIdTest, postSearchProviders, postSpeechModelsByIdTest, postSpeechProvidersByIdImportModels, postTranscriptionModelsByIdTest, postTranscriptionProvidersByIdImportModels, postUsers, putBotsByBotIdAclDefaultEffect, putBotsByBotIdAclRulesByRuleId, putBotsByBotIdAclRulesReorder, putBotsByBotIdEmailBindingsById, putBotsByBotIdMcpById, putBotsByBotIdMcpImport, putBotsByBotIdScheduleById, putBotsByBotIdSettings, putBotsById, putBotsByIdChannelByPlatform, putBotsByIdOwner, putBrowserContextsById, putEmailProvidersById, putIamGroupsById, putIamSsoProvidersById, putMemoryProvidersById, putModelsById, putModelsModelByModelId, putProvidersById, putSearchProvidersById, putSpeechModelsById, putTranscriptionModelsById, putUsersById, putUsersByIdPassword, putUsersMe, putUsersMeChannelsByPlatform, putUsersMePassword } from './sdk.gen';
+export type { AclChannelIdentityCandidate, AclChannelIdentityCandidateListResponse, AclCreateRuleRequest, AclDefaultEffectResponse, AclListRulesResponse, AclObservedConversationCandidate, AclObservedConversationCandidateListResponse, AclReorderItem, AclReorderRequest, AclRule, AclSourceScope, AclUpdateRuleRequest, AdaptersCdfPoint, AdaptersCompactResult, AdaptersDeleteResponse, AdaptersHealthStatus, AdaptersMemoryItem, AdaptersMemoryStatusResponse, AdaptersMessage, AdaptersProviderCollectionStatus, AdaptersProviderConfigSchema, AdaptersProviderCreateRequest, AdaptersProviderFieldSchema, AdaptersProviderGetResponse, AdaptersProviderMeta, AdaptersProviderStatusResponse, AdaptersProviderType, AdaptersProviderUpdateRequest, AdaptersRebuildResult, AdaptersSearchResponse, AdaptersTopKBucket, AdaptersUsageResponse, AudioConfigSchema, AudioFieldSchema, AudioImportModelsResponse, AudioModelCapabilities, AudioModelInfo, AudioParamConstraint, AudioProviderMetaResponse, AudioSpeechModelResponse, AudioSpeechProviderResponse, AudioTestSynthesizeRequest, AudioTestTranscriptionResponse, AudioTranscriptionModelResponse, AudioTranscriptionWord, AudioUpdateSpeechModelRequest, AudioVoiceInfo, BotsBot, BotsBotCheck, BotsCreateBotRequest, BotsListBotsResponse, BotsListChecksResponse, BotsTransferBotRequest, BotsUpdateBotRequest, BrowsercontextsBrowserContext, BrowsercontextsCreateRequest, BrowsercontextsUpdateRequest, ChannelAction, ChannelAttachment, ChannelAttachmentType, ChannelChannelCapabilities, ChannelChannelConfig, ChannelChannelIdentityBinding, ChannelChannelType, ChannelConfigSchema, ChannelFieldSchema, ChannelFieldType, ChannelMessage, ChannelMessageFormat, ChannelMessagePart, ChannelMessagePartType, ChannelMessageTextStyle, ChannelReplyRef, ChannelSendRequest, ChannelTargetHint, ChannelTargetSpec, ChannelThreadRef, ChannelUpdateChannelStatusRequest, ChannelUpsertChannelIdentityConfigRequest, ChannelUpsertConfigRequest, ClientOptions, CompactionListLogsResponse, CompactionLog, DeleteBotsByBotIdAclRulesByRuleIdData, DeleteBotsByBotIdAclRulesByRuleIdError, DeleteBotsByBotIdAclRulesByRuleIdErrors, DeleteBotsByBotIdAclRulesByRuleIdResponses, DeleteBotsByBotIdCompactionLogsData, DeleteBotsByBotIdCompactionLogsError, DeleteBotsByBotIdCompactionLogsErrors, DeleteBotsByBotIdCompactionLogsResponses, DeleteBotsByBotIdContainerData, DeleteBotsByBotIdContainerError, DeleteBotsByBotIdContainerErrors, DeleteBotsByBotIdContainerResponses, DeleteBotsByBotIdContainerSkillsData, DeleteBotsByBotIdContainerSkillsError, DeleteBotsByBotIdContainerSkillsErrors, DeleteBotsByBotIdContainerSkillsResponse, DeleteBotsByBotIdContainerSkillsResponses, DeleteBotsByBotIdEmailBindingsByIdData, DeleteBotsByBotIdEmailBindingsByIdError, DeleteBotsByBotIdEmailBindingsByIdErrors, DeleteBotsByBotIdEmailBindingsByIdResponses, DeleteBotsByBotIdHeartbeatLogsData, DeleteBotsByBotIdHeartbeatLogsError, DeleteBotsByBotIdHeartbeatLogsErrors, DeleteBotsByBotIdHeartbeatLogsResponses, DeleteBotsByBotIdMcpByIdData, DeleteBotsByBotIdMcpByIdError, DeleteBotsByBotIdMcpByIdErrors, DeleteBotsByBotIdMcpByIdOauthTokenData, DeleteBotsByBotIdMcpByIdOauthTokenError, DeleteBotsByBotIdMcpByIdOauthTokenErrors, DeleteBotsByBotIdMcpByIdOauthTokenResponses, DeleteBotsByBotIdMcpByIdResponses, DeleteBotsByBotIdMemoryByIdData, DeleteBotsByBotIdMemoryByIdError, DeleteBotsByBotIdMemoryByIdErrors, DeleteBotsByBotIdMemoryByIdResponse, DeleteBotsByBotIdMemoryByIdResponses, DeleteBotsByBotIdMemoryData, DeleteBotsByBotIdMemoryError, DeleteBotsByBotIdMemoryErrors, DeleteBotsByBotIdMemoryResponse, DeleteBotsByBotIdMemoryResponses, DeleteBotsByBotIdMessagesData, DeleteBotsByBotIdMessagesError, DeleteBotsByBotIdMessagesErrors, DeleteBotsByBotIdMessagesResponses, DeleteBotsByBotIdScheduleByIdData, DeleteBotsByBotIdScheduleByIdError, DeleteBotsByBotIdScheduleByIdErrors, DeleteBotsByBotIdScheduleByIdResponses, DeleteBotsByBotIdScheduleLogsData, DeleteBotsByBotIdScheduleLogsError, DeleteBotsByBotIdScheduleLogsErrors, DeleteBotsByBotIdScheduleLogsResponses, DeleteBotsByBotIdSessionsBySessionIdData, DeleteBotsByBotIdSessionsBySessionIdError, DeleteBotsByBotIdSessionsBySessionIdErrors, DeleteBotsByBotIdSessionsBySessionIdResponses, DeleteBotsByBotIdSettingsData, DeleteBotsByBotIdSettingsError, DeleteBotsByBotIdSettingsErrors, DeleteBotsByBotIdSettingsResponses, DeleteBotsByIdChannelByPlatformData, DeleteBotsByIdChannelByPlatformError, DeleteBotsByIdChannelByPlatformErrors, DeleteBotsByIdChannelByPlatformResponses, DeleteBotsByIdData, DeleteBotsByIdError, DeleteBotsByIdErrors, DeleteBotsByIdResponse, DeleteBotsByIdResponses, DeleteBrowserContextsByIdData, DeleteBrowserContextsByIdError, DeleteBrowserContextsByIdErrors, DeleteBrowserContextsByIdResponses, DeleteEmailProvidersByIdData, DeleteEmailProvidersByIdError, DeleteEmailProvidersByIdErrors, DeleteEmailProvidersByIdOauthTokenData, DeleteEmailProvidersByIdOauthTokenError, DeleteEmailProvidersByIdOauthTokenErrors, DeleteEmailProvidersByIdOauthTokenResponses, DeleteEmailProvidersByIdResponses, DeleteIamGroupsByIdData, DeleteIamGroupsByIdError, DeleteIamGroupsByIdErrors, DeleteIamGroupsByIdMembersByUserIdData, DeleteIamGroupsByIdMembersByUserIdError, DeleteIamGroupsByIdMembersByUserIdErrors, DeleteIamGroupsByIdMembersByUserIdResponses, DeleteIamGroupsByIdResponses, DeleteIamPrincipalRolesByIdData, DeleteIamPrincipalRolesByIdError, DeleteIamPrincipalRolesByIdErrors, DeleteIamPrincipalRolesByIdResponses, DeleteIamSsoProvidersByIdData, DeleteIamSsoProvidersByIdError, DeleteIamSsoProvidersByIdErrors, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupData, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupError, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupErrors, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupResponses, DeleteIamSsoProvidersByIdResponses, DeleteMemoryProvidersByIdData, DeleteMemoryProvidersByIdError, DeleteMemoryProvidersByIdErrors, DeleteMemoryProvidersByIdResponses, DeleteModelsByIdData, DeleteModelsByIdError, DeleteModelsByIdErrors, DeleteModelsByIdResponses, DeleteModelsModelByModelIdData, DeleteModelsModelByModelIdError, DeleteModelsModelByModelIdErrors, DeleteModelsModelByModelIdResponses, DeleteProvidersByIdData, DeleteProvidersByIdError, DeleteProvidersByIdErrors, DeleteProvidersByIdOauthTokenData, DeleteProvidersByIdOauthTokenError, DeleteProvidersByIdOauthTokenErrors, DeleteProvidersByIdOauthTokenResponses, DeleteProvidersByIdResponses, DeleteSearchProvidersByIdData, DeleteSearchProvidersByIdError, DeleteSearchProvidersByIdErrors, DeleteSearchProvidersByIdResponses, EmailBindingResponse, EmailConfigSchema, EmailCreateBindingRequest, EmailCreateProviderRequest, EmailFieldSchema, EmailOutboxItemResponse, EmailProviderMeta, EmailProviderResponse, EmailUpdateBindingRequest, EmailUpdateProviderRequest, GetAuthSsoByProviderIdCallbackData, GetAuthSsoByProviderIdCallbackError, GetAuthSsoByProviderIdCallbackErrors, GetAuthSsoByProviderIdSamlMetadataData, GetAuthSsoByProviderIdSamlMetadataError, GetAuthSsoByProviderIdSamlMetadataErrors, GetAuthSsoByProviderIdSamlMetadataResponse, GetAuthSsoByProviderIdSamlMetadataResponses, GetAuthSsoByProviderIdSamlStartData, GetAuthSsoByProviderIdSamlStartError, GetAuthSsoByProviderIdSamlStartErrors, GetAuthSsoByProviderIdStartData, GetAuthSsoByProviderIdStartError, GetAuthSsoByProviderIdStartErrors, GetAuthSsoByProviderIdStartResponse, GetAuthSsoByProviderIdStartResponses, GetAuthSsoProvidersData, GetAuthSsoProvidersError, GetAuthSsoProvidersErrors, GetAuthSsoProvidersResponse, GetAuthSsoProvidersResponses, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsData, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsError, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsErrors, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsResponse, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsResponses, GetBotsByBotIdAclChannelIdentitiesData, GetBotsByBotIdAclChannelIdentitiesError, GetBotsByBotIdAclChannelIdentitiesErrors, GetBotsByBotIdAclChannelIdentitiesResponse, GetBotsByBotIdAclChannelIdentitiesResponses, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsData, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsError, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsErrors, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsResponse, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsResponses, GetBotsByBotIdAclDefaultEffectData, GetBotsByBotIdAclDefaultEffectError, GetBotsByBotIdAclDefaultEffectErrors, GetBotsByBotIdAclDefaultEffectResponse, GetBotsByBotIdAclDefaultEffectResponses, GetBotsByBotIdAclRulesData, GetBotsByBotIdAclRulesError, GetBotsByBotIdAclRulesErrors, GetBotsByBotIdAclRulesResponse, GetBotsByBotIdAclRulesResponses, GetBotsByBotIdCompactionLogsData, GetBotsByBotIdCompactionLogsError, GetBotsByBotIdCompactionLogsErrors, GetBotsByBotIdCompactionLogsResponse, GetBotsByBotIdCompactionLogsResponses, GetBotsByBotIdContainerData, GetBotsByBotIdContainerError, GetBotsByBotIdContainerErrors, GetBotsByBotIdContainerFsData, GetBotsByBotIdContainerFsDownloadData, GetBotsByBotIdContainerFsDownloadError, GetBotsByBotIdContainerFsDownloadErrors, GetBotsByBotIdContainerFsDownloadResponses, GetBotsByBotIdContainerFsError, GetBotsByBotIdContainerFsErrors, GetBotsByBotIdContainerFsListData, GetBotsByBotIdContainerFsListError, GetBotsByBotIdContainerFsListErrors, GetBotsByBotIdContainerFsListResponse, GetBotsByBotIdContainerFsListResponses, GetBotsByBotIdContainerFsReadData, GetBotsByBotIdContainerFsReadError, GetBotsByBotIdContainerFsReadErrors, GetBotsByBotIdContainerFsReadResponse, GetBotsByBotIdContainerFsReadResponses, GetBotsByBotIdContainerFsResponse, GetBotsByBotIdContainerFsResponses, GetBotsByBotIdContainerMetricsData, GetBotsByBotIdContainerMetricsError, GetBotsByBotIdContainerMetricsErrors, GetBotsByBotIdContainerMetricsResponse, GetBotsByBotIdContainerMetricsResponses, GetBotsByBotIdContainerResponse, GetBotsByBotIdContainerResponses, GetBotsByBotIdContainerSkillsData, GetBotsByBotIdContainerSkillsError, GetBotsByBotIdContainerSkillsErrors, GetBotsByBotIdContainerSkillsResponse, GetBotsByBotIdContainerSkillsResponses, GetBotsByBotIdContainerSnapshotsData, GetBotsByBotIdContainerSnapshotsError, GetBotsByBotIdContainerSnapshotsErrors, GetBotsByBotIdContainerSnapshotsResponse, GetBotsByBotIdContainerSnapshotsResponses, GetBotsByBotIdContainerTerminalData, GetBotsByBotIdContainerTerminalError, GetBotsByBotIdContainerTerminalErrors, GetBotsByBotIdContainerTerminalResponse, GetBotsByBotIdContainerTerminalResponses, GetBotsByBotIdContainerTerminalWsData, GetBotsByBotIdContainerTerminalWsError, GetBotsByBotIdContainerTerminalWsErrors, GetBotsByBotIdEmailBindingsData, GetBotsByBotIdEmailBindingsError, GetBotsByBotIdEmailBindingsErrors, GetBotsByBotIdEmailBindingsResponse, GetBotsByBotIdEmailBindingsResponses, GetBotsByBotIdEmailOutboxByIdData, GetBotsByBotIdEmailOutboxByIdError, GetBotsByBotIdEmailOutboxByIdErrors, GetBotsByBotIdEmailOutboxByIdResponse, GetBotsByBotIdEmailOutboxByIdResponses, GetBotsByBotIdEmailOutboxData, GetBotsByBotIdEmailOutboxError, GetBotsByBotIdEmailOutboxErrors, GetBotsByBotIdEmailOutboxResponse, GetBotsByBotIdEmailOutboxResponses, GetBotsByBotIdHeartbeatLogsData, GetBotsByBotIdHeartbeatLogsError, GetBotsByBotIdHeartbeatLogsErrors, GetBotsByBotIdHeartbeatLogsResponse, GetBotsByBotIdHeartbeatLogsResponses, GetBotsByBotIdLocalStreamData, GetBotsByBotIdLocalStreamError, GetBotsByBotIdLocalStreamErrors, GetBotsByBotIdLocalStreamResponse, GetBotsByBotIdLocalStreamResponses, GetBotsByBotIdLocalWsData, GetBotsByBotIdLocalWsError, GetBotsByBotIdLocalWsErrors, GetBotsByBotIdMcpByIdData, GetBotsByBotIdMcpByIdError, GetBotsByBotIdMcpByIdErrors, GetBotsByBotIdMcpByIdOauthStatusData, GetBotsByBotIdMcpByIdOauthStatusError, GetBotsByBotIdMcpByIdOauthStatusErrors, GetBotsByBotIdMcpByIdOauthStatusResponse, GetBotsByBotIdMcpByIdOauthStatusResponses, GetBotsByBotIdMcpByIdResponse, GetBotsByBotIdMcpByIdResponses, GetBotsByBotIdMcpData, GetBotsByBotIdMcpError, GetBotsByBotIdMcpErrors, GetBotsByBotIdMcpExportData, GetBotsByBotIdMcpExportError, GetBotsByBotIdMcpExportErrors, GetBotsByBotIdMcpExportResponse, GetBotsByBotIdMcpExportResponses, GetBotsByBotIdMcpResponse, GetBotsByBotIdMcpResponses, GetBotsByBotIdMemoryData, GetBotsByBotIdMemoryError, GetBotsByBotIdMemoryErrors, GetBotsByBotIdMemoryResponse, GetBotsByBotIdMemoryResponses, GetBotsByBotIdMemoryStatusData, GetBotsByBotIdMemoryStatusError, GetBotsByBotIdMemoryStatusErrors, GetBotsByBotIdMemoryStatusResponse, GetBotsByBotIdMemoryStatusResponses, GetBotsByBotIdMemoryUsageData, GetBotsByBotIdMemoryUsageError, GetBotsByBotIdMemoryUsageErrors, GetBotsByBotIdMemoryUsageResponse, GetBotsByBotIdMemoryUsageResponses, GetBotsByBotIdMessagesData, GetBotsByBotIdMessagesError, GetBotsByBotIdMessagesErrors, GetBotsByBotIdMessagesResponse, GetBotsByBotIdMessagesResponses, GetBotsByBotIdScheduleByIdData, GetBotsByBotIdScheduleByIdError, GetBotsByBotIdScheduleByIdErrors, GetBotsByBotIdScheduleByIdLogsData, GetBotsByBotIdScheduleByIdLogsError, GetBotsByBotIdScheduleByIdLogsErrors, GetBotsByBotIdScheduleByIdLogsResponse, GetBotsByBotIdScheduleByIdLogsResponses, GetBotsByBotIdScheduleByIdResponse, GetBotsByBotIdScheduleByIdResponses, GetBotsByBotIdScheduleData, GetBotsByBotIdScheduleError, GetBotsByBotIdScheduleErrors, GetBotsByBotIdScheduleLogsData, GetBotsByBotIdScheduleLogsError, GetBotsByBotIdScheduleLogsErrors, GetBotsByBotIdScheduleLogsResponse, GetBotsByBotIdScheduleLogsResponses, GetBotsByBotIdScheduleResponse, GetBotsByBotIdScheduleResponses, GetBotsByBotIdSessionsBySessionIdData, GetBotsByBotIdSessionsBySessionIdError, GetBotsByBotIdSessionsBySessionIdErrors, GetBotsByBotIdSessionsBySessionIdResponse, GetBotsByBotIdSessionsBySessionIdResponses, GetBotsByBotIdSessionsBySessionIdStatusData, GetBotsByBotIdSessionsBySessionIdStatusError, GetBotsByBotIdSessionsBySessionIdStatusErrors, GetBotsByBotIdSessionsBySessionIdStatusResponse, GetBotsByBotIdSessionsBySessionIdStatusResponses, GetBotsByBotIdSessionsData, GetBotsByBotIdSessionsError, GetBotsByBotIdSessionsErrors, GetBotsByBotIdSessionsResponse, GetBotsByBotIdSessionsResponses, GetBotsByBotIdSettingsData, GetBotsByBotIdSettingsError, GetBotsByBotIdSettingsErrors, GetBotsByBotIdSettingsResponse, GetBotsByBotIdSettingsResponses, GetBotsByBotIdTokenUsageData, GetBotsByBotIdTokenUsageError, GetBotsByBotIdTokenUsageErrors, GetBotsByBotIdTokenUsageRecordsData, GetBotsByBotIdTokenUsageRecordsError, GetBotsByBotIdTokenUsageRecordsErrors, GetBotsByBotIdTokenUsageRecordsResponse, GetBotsByBotIdTokenUsageRecordsResponses, GetBotsByBotIdTokenUsageResponse, GetBotsByBotIdTokenUsageResponses, GetBotsByIdChannelByPlatformData, GetBotsByIdChannelByPlatformError, GetBotsByIdChannelByPlatformErrors, GetBotsByIdChannelByPlatformResponse, GetBotsByIdChannelByPlatformResponses, GetBotsByIdChecksData, GetBotsByIdChecksError, GetBotsByIdChecksErrors, GetBotsByIdChecksResponse, GetBotsByIdChecksResponses, GetBotsByIdData, GetBotsByIdError, GetBotsByIdErrors, GetBotsByIdResponse, GetBotsByIdResponses, GetBotsData, GetBotsError, GetBotsErrors, GetBotsResponse, GetBotsResponses, GetBrowserContextsByIdData, GetBrowserContextsByIdError, GetBrowserContextsByIdErrors, GetBrowserContextsByIdResponse, GetBrowserContextsByIdResponses, GetBrowserContextsCoresData, GetBrowserContextsCoresError, GetBrowserContextsCoresErrors, GetBrowserContextsCoresResponse, GetBrowserContextsCoresResponses, GetBrowserContextsData, GetBrowserContextsError, GetBrowserContextsErrors, GetBrowserContextsResponse, GetBrowserContextsResponses, GetChannelsByPlatformData, GetChannelsByPlatformError, GetChannelsByPlatformErrors, GetChannelsByPlatformResponse, GetChannelsByPlatformResponses, GetChannelsData, GetChannelsError, GetChannelsErrors, GetChannelsResponse, GetChannelsResponses, GetEmailOauthCallbackData, GetEmailOauthCallbackError, GetEmailOauthCallbackErrors, GetEmailOauthCallbackResponse, GetEmailOauthCallbackResponses, GetEmailProvidersByIdData, GetEmailProvidersByIdError, GetEmailProvidersByIdErrors, GetEmailProvidersByIdOauthAuthorizeData, GetEmailProvidersByIdOauthAuthorizeError, GetEmailProvidersByIdOauthAuthorizeErrors, GetEmailProvidersByIdOauthAuthorizeResponse, GetEmailProvidersByIdOauthAuthorizeResponses, GetEmailProvidersByIdOauthStatusData, GetEmailProvidersByIdOauthStatusError, GetEmailProvidersByIdOauthStatusErrors, GetEmailProvidersByIdOauthStatusResponse, GetEmailProvidersByIdOauthStatusResponses, GetEmailProvidersByIdResponse, GetEmailProvidersByIdResponses, GetEmailProvidersData, GetEmailProvidersError, GetEmailProvidersErrors, GetEmailProvidersMetaData, GetEmailProvidersMetaResponse, GetEmailProvidersMetaResponses, GetEmailProvidersResponse, GetEmailProvidersResponses, GetIamBotsByBotIdPrincipalRolesData, GetIamBotsByBotIdPrincipalRolesError, GetIamBotsByBotIdPrincipalRolesErrors, GetIamBotsByBotIdPrincipalRolesResponse, GetIamBotsByBotIdPrincipalRolesResponses, GetIamGroupsByIdMembersData, GetIamGroupsByIdMembersError, GetIamGroupsByIdMembersErrors, GetIamGroupsByIdMembersResponse, GetIamGroupsByIdMembersResponses, GetIamGroupsData, GetIamGroupsError, GetIamGroupsErrors, GetIamGroupsResponse, GetIamGroupsResponses, GetIamRolesData, GetIamRolesError, GetIamRolesErrors, GetIamRolesResponse, GetIamRolesResponses, GetIamSsoProvidersByIdGroupMappingsData, GetIamSsoProvidersByIdGroupMappingsError, GetIamSsoProvidersByIdGroupMappingsErrors, GetIamSsoProvidersByIdGroupMappingsResponse, GetIamSsoProvidersByIdGroupMappingsResponses, GetIamSsoProvidersData, GetIamSsoProvidersError, GetIamSsoProvidersErrors, GetIamSsoProvidersResponse, GetIamSsoProvidersResponses, GetMemoryProvidersByIdData, GetMemoryProvidersByIdError, GetMemoryProvidersByIdErrors, GetMemoryProvidersByIdResponse, GetMemoryProvidersByIdResponses, GetMemoryProvidersByIdStatusData, GetMemoryProvidersByIdStatusError, GetMemoryProvidersByIdStatusErrors, GetMemoryProvidersByIdStatusResponse, GetMemoryProvidersByIdStatusResponses, GetMemoryProvidersData, GetMemoryProvidersError, GetMemoryProvidersErrors, GetMemoryProvidersMetaData, GetMemoryProvidersMetaResponse, GetMemoryProvidersMetaResponses, GetMemoryProvidersResponse, GetMemoryProvidersResponses, GetModelsByIdData, GetModelsByIdError, GetModelsByIdErrors, GetModelsByIdResponse, GetModelsByIdResponses, GetModelsCountData, GetModelsCountError, GetModelsCountErrors, GetModelsCountResponse, GetModelsCountResponses, GetModelsData, GetModelsError, GetModelsErrors, GetModelsModelByModelIdData, GetModelsModelByModelIdError, GetModelsModelByModelIdErrors, GetModelsModelByModelIdResponse, GetModelsModelByModelIdResponses, GetModelsResponse, GetModelsResponses, GetPingData, GetPingResponse, GetPingResponses, GetProvidersByIdData, GetProvidersByIdError, GetProvidersByIdErrors, GetProvidersByIdModelsData, GetProvidersByIdModelsError, GetProvidersByIdModelsErrors, GetProvidersByIdModelsResponse, GetProvidersByIdModelsResponses, GetProvidersByIdOauthAuthorizeData, GetProvidersByIdOauthAuthorizeError, GetProvidersByIdOauthAuthorizeErrors, GetProvidersByIdOauthAuthorizeResponse, GetProvidersByIdOauthAuthorizeResponses, GetProvidersByIdOauthStatusData, GetProvidersByIdOauthStatusError, GetProvidersByIdOauthStatusErrors, GetProvidersByIdOauthStatusResponse, GetProvidersByIdOauthStatusResponses, GetProvidersByIdResponse, GetProvidersByIdResponses, GetProvidersCountData, GetProvidersCountError, GetProvidersCountErrors, GetProvidersCountResponse, GetProvidersCountResponses, GetProvidersData, GetProvidersError, GetProvidersErrors, GetProvidersNameByNameData, GetProvidersNameByNameError, GetProvidersNameByNameErrors, GetProvidersNameByNameResponse, GetProvidersNameByNameResponses, GetProvidersOauthCallbackData, GetProvidersOauthCallbackError, GetProvidersOauthCallbackErrors, GetProvidersOauthCallbackResponse, GetProvidersOauthCallbackResponses, GetProvidersResponse, GetProvidersResponses, GetSearchProvidersByIdData, GetSearchProvidersByIdError, GetSearchProvidersByIdErrors, GetSearchProvidersByIdResponse, GetSearchProvidersByIdResponses, GetSearchProvidersData, GetSearchProvidersError, GetSearchProvidersErrors, GetSearchProvidersMetaData, GetSearchProvidersMetaResponse, GetSearchProvidersMetaResponses, GetSearchProvidersResponse, GetSearchProvidersResponses, GetSpeechModelsByIdCapabilitiesData, GetSpeechModelsByIdCapabilitiesError, GetSpeechModelsByIdCapabilitiesErrors, GetSpeechModelsByIdCapabilitiesResponse, GetSpeechModelsByIdCapabilitiesResponses, GetSpeechModelsByIdData, GetSpeechModelsByIdError, GetSpeechModelsByIdErrors, GetSpeechModelsByIdResponse, GetSpeechModelsByIdResponses, GetSpeechModelsData, GetSpeechModelsError, GetSpeechModelsErrors, GetSpeechModelsResponse, GetSpeechModelsResponses, GetSpeechProvidersByIdData, GetSpeechProvidersByIdError, GetSpeechProvidersByIdErrors, GetSpeechProvidersByIdModelsData, GetSpeechProvidersByIdModelsError, GetSpeechProvidersByIdModelsErrors, GetSpeechProvidersByIdModelsResponse, GetSpeechProvidersByIdModelsResponses, GetSpeechProvidersByIdResponse, GetSpeechProvidersByIdResponses, GetSpeechProvidersData, GetSpeechProvidersError, GetSpeechProvidersErrors, GetSpeechProvidersMetaData, GetSpeechProvidersMetaResponse, GetSpeechProvidersMetaResponses, GetSpeechProvidersResponse, GetSpeechProvidersResponses, GetSupermarketMcpsByIdData, GetSupermarketMcpsByIdError, GetSupermarketMcpsByIdErrors, GetSupermarketMcpsByIdResponse, GetSupermarketMcpsByIdResponses, GetSupermarketMcpsData, GetSupermarketMcpsError, GetSupermarketMcpsErrors, GetSupermarketMcpsResponse, GetSupermarketMcpsResponses, GetSupermarketSkillsByIdData, GetSupermarketSkillsByIdError, GetSupermarketSkillsByIdErrors, GetSupermarketSkillsByIdResponse, GetSupermarketSkillsByIdResponses, GetSupermarketSkillsData, GetSupermarketSkillsError, GetSupermarketSkillsErrors, GetSupermarketSkillsResponse, GetSupermarketSkillsResponses, GetSupermarketTagsData, GetSupermarketTagsError, GetSupermarketTagsErrors, GetSupermarketTagsResponse, GetSupermarketTagsResponses, GetTranscriptionModelsByIdCapabilitiesData, GetTranscriptionModelsByIdCapabilitiesError, GetTranscriptionModelsByIdCapabilitiesErrors, GetTranscriptionModelsByIdCapabilitiesResponse, GetTranscriptionModelsByIdCapabilitiesResponses, GetTranscriptionModelsByIdData, GetTranscriptionModelsByIdError, GetTranscriptionModelsByIdErrors, GetTranscriptionModelsByIdResponse, GetTranscriptionModelsByIdResponses, GetTranscriptionModelsData, GetTranscriptionModelsError, GetTranscriptionModelsErrors, GetTranscriptionModelsResponse, GetTranscriptionModelsResponses, GetTranscriptionProvidersByIdData, GetTranscriptionProvidersByIdError, GetTranscriptionProvidersByIdErrors, GetTranscriptionProvidersByIdModelsData, GetTranscriptionProvidersByIdModelsError, GetTranscriptionProvidersByIdModelsErrors, GetTranscriptionProvidersByIdModelsResponse, GetTranscriptionProvidersByIdModelsResponses, GetTranscriptionProvidersByIdResponse, GetTranscriptionProvidersByIdResponses, GetTranscriptionProvidersData, GetTranscriptionProvidersError, GetTranscriptionProvidersErrors, GetTranscriptionProvidersMetaData, GetTranscriptionProvidersMetaResponse, GetTranscriptionProvidersMetaResponses, GetTranscriptionProvidersResponse, GetTranscriptionProvidersResponses, GetUsersByIdData, GetUsersByIdError, GetUsersByIdErrors, GetUsersByIdResponse, GetUsersByIdResponses, GetUsersData, GetUsersError, GetUsersErrors, GetUsersMeChannelsByPlatformData, GetUsersMeChannelsByPlatformError, GetUsersMeChannelsByPlatformErrors, GetUsersMeChannelsByPlatformResponse, GetUsersMeChannelsByPlatformResponses, GetUsersMeData, GetUsersMeError, GetUsersMeErrors, GetUsersMeIdentitiesData, GetUsersMeIdentitiesError, GetUsersMeIdentitiesErrors, GetUsersMeIdentitiesResponse, GetUsersMeIdentitiesResponses, GetUsersMeResponse, GetUsersMeResponses, GetUsersResponse, GetUsersResponses, GithubComMemohaiMemohInternalAccountsAccount, GithubComMemohaiMemohInternalAccountsCreateAccountRequest, GithubComMemohaiMemohInternalAccountsListAccountsResponse, GithubComMemohaiMemohInternalAccountsResetPasswordRequest, GithubComMemohaiMemohInternalAccountsUpdateAccountRequest, GithubComMemohaiMemohInternalAccountsUpdatePasswordRequest, GithubComMemohaiMemohInternalAccountsUpdateProfileRequest, GithubComMemohaiMemohInternalMcpConnection, HandlersBatchDeleteRequest, HandlersBrowserCoresResponse, HandlersCacheStats, HandlersChannelMeta, HandlersContainerCpuMetricsResponse, HandlersContainerGpuRequest, HandlersContainerMemoryMetricsResponse, HandlersContainerMetricsPayloadResponse, HandlersContainerMetricsStatusResponse, HandlersContainerStorageMetricsResponse, HandlersContextUsage, HandlersCreateContainerRequest, HandlersCreateContainerResponse, HandlersCreateSessionRequest, HandlersCreateSnapshotRequest, HandlersCreateSnapshotResponse, HandlersDailyTokenUsage, HandlersEmailOAuthStatusResponse, HandlersErrorResponse, HandlersExchangeSsoCodeRequest, HandlersFsDeleteRequest, HandlersFsFileInfo, HandlersFsListResponse, HandlersFsMkdirRequest, HandlersFsOpResponse, HandlersFsReadResponse, HandlersFsRenameRequest, HandlersFsUploadResponse, HandlersFsWriteRequest, HandlersGetContainerMetricsResponse, HandlersGetContainerResponse, HandlersIamGroupMemberRequest, HandlersIamGroupMemberResponse, HandlersIamGroupRequest, HandlersIamGroupResponse, HandlersIamListGroupMembersResponse, HandlersIamListGroupsResponse, HandlersIamListPrincipalRolesResponse, HandlersIamListRolesResponse, HandlersIamListSsoGroupMappingsResponse, HandlersIamListSsoProvidersResponse, HandlersIamPrincipalRoleRequest, HandlersIamPrincipalRoleResponse, HandlersIamRoleResponse, HandlersIamssoGroupMappingRequest, HandlersIamssoGroupMappingResponse, HandlersIamssoProviderRequest, HandlersIamssoProviderResponse, HandlersInstallMcpRequest, HandlersInstallSkillRequest, HandlersListMyIdentitiesResponse, HandlersListSnapshotsResponse, HandlersListSsoProvidersResponse, HandlersLocalChannelMessageRequest, HandlersLoginRequest, HandlersLoginResponse, HandlersMcpStdioRequest, HandlersMcpStdioResponse, HandlersMemoryAddPayload, HandlersMemoryCompactPayload, HandlersMemoryDeletePayload, HandlersMemorySearchPayload, HandlersModelTokenUsage, HandlersOauthAuthorizeRequest, HandlersOauthDiscoverRequest, HandlersOauthExchangeRequest, HandlersOidcStartResponse, HandlersPingResponse, HandlersProbeResponse, HandlersRefreshResponse, HandlersRollbackRequest, HandlersSessionInfoResponse, HandlersSkillItem, HandlersSkillsActionRequest, HandlersSkillsDeleteRequest, HandlersSkillsOpResponse, HandlersSkillsResponse, HandlersSkillsUpsertRequest, HandlersSnapshotInfo, HandlersSsoProviderResponse, HandlersSupermarketAuthor, HandlersSupermarketConfigVar, HandlersSupermarketMcpEntry, HandlersSupermarketMcpListResponse, HandlersSupermarketSkillEntry, HandlersSupermarketSkillListResponse, HandlersSupermarketSkillMetadata, HandlersSupermarketTagsResponse, HandlersSynthesizeRequest, HandlersSynthesizeResponse, HandlersTerminalInfoResponse, HandlersTokenUsageRecord, HandlersTokenUsageRecordsResponse, HandlersTokenUsageResponse, HandlersToolApprovalDecisionRequest, HandlersTriggerCompactResponse, HandlersUpdateSessionRequest, HeartbeatListLogsResponse, HeartbeatLog, IdentitiesChannelIdentity, McpAuthorizeResult, McpDiscoveryResult, McpExportResponse, McpImportRequest, McpListResponse, McpMcpServerEntry, McpOAuthStatus, McpToolDescriptor, McpUpsertRequest, MessageMessage, MessageMessageAsset, ModelsAddRequest, ModelsAddResponse, ModelsCountResponse, ModelsGetResponse, ModelsModelConfig, ModelsModelType, ModelsTestResponse, ModelsTestStatus, ModelsUpdateRequest, PatchBotsByBotIdSessionsBySessionIdData, PatchBotsByBotIdSessionsBySessionIdError, PatchBotsByBotIdSessionsBySessionIdErrors, PatchBotsByBotIdSessionsBySessionIdResponse, PatchBotsByBotIdSessionsBySessionIdResponses, PatchBotsByIdChannelByPlatformStatusData, PatchBotsByIdChannelByPlatformStatusError, PatchBotsByIdChannelByPlatformStatusErrors, PatchBotsByIdChannelByPlatformStatusResponse, PatchBotsByIdChannelByPlatformStatusResponses, PostAuthLoginData, PostAuthLoginError, PostAuthLoginErrors, PostAuthLoginResponse, PostAuthLoginResponses, PostAuthRefreshData, PostAuthRefreshError, PostAuthRefreshErrors, PostAuthRefreshResponse, PostAuthRefreshResponses, PostAuthSsoByProviderIdSamlAcsData, PostAuthSsoByProviderIdSamlAcsError, PostAuthSsoByProviderIdSamlAcsErrors, PostAuthSsoExchangeData, PostAuthSsoExchangeError, PostAuthSsoExchangeErrors, PostAuthSsoExchangeResponse, PostAuthSsoExchangeResponses, PostBotsByBotIdAclRulesData, PostBotsByBotIdAclRulesError, PostBotsByBotIdAclRulesErrors, PostBotsByBotIdAclRulesResponse, PostBotsByBotIdAclRulesResponses, PostBotsByBotIdContainerData, PostBotsByBotIdContainerDataExportData, PostBotsByBotIdContainerDataExportError, PostBotsByBotIdContainerDataExportErrors, PostBotsByBotIdContainerDataExportResponses, PostBotsByBotIdContainerDataImportData, PostBotsByBotIdContainerDataImportError, PostBotsByBotIdContainerDataImportErrors, PostBotsByBotIdContainerDataImportResponse, PostBotsByBotIdContainerDataImportResponses, PostBotsByBotIdContainerDataRestoreData, PostBotsByBotIdContainerDataRestoreError, PostBotsByBotIdContainerDataRestoreErrors, PostBotsByBotIdContainerDataRestoreResponse, PostBotsByBotIdContainerDataRestoreResponses, PostBotsByBotIdContainerError, PostBotsByBotIdContainerErrors, PostBotsByBotIdContainerFsDeleteData, PostBotsByBotIdContainerFsDeleteError, PostBotsByBotIdContainerFsDeleteErrors, PostBotsByBotIdContainerFsDeleteResponse, PostBotsByBotIdContainerFsDeleteResponses, PostBotsByBotIdContainerFsMkdirData, PostBotsByBotIdContainerFsMkdirError, PostBotsByBotIdContainerFsMkdirErrors, PostBotsByBotIdContainerFsMkdirResponse, PostBotsByBotIdContainerFsMkdirResponses, PostBotsByBotIdContainerFsRenameData, PostBotsByBotIdContainerFsRenameError, PostBotsByBotIdContainerFsRenameErrors, PostBotsByBotIdContainerFsRenameResponse, PostBotsByBotIdContainerFsRenameResponses, PostBotsByBotIdContainerFsUploadData, PostBotsByBotIdContainerFsUploadError, PostBotsByBotIdContainerFsUploadErrors, PostBotsByBotIdContainerFsUploadResponse, PostBotsByBotIdContainerFsUploadResponses, PostBotsByBotIdContainerFsWriteData, PostBotsByBotIdContainerFsWriteError, PostBotsByBotIdContainerFsWriteErrors, PostBotsByBotIdContainerFsWriteResponse, PostBotsByBotIdContainerFsWriteResponses, PostBotsByBotIdContainerResponse, PostBotsByBotIdContainerResponses, PostBotsByBotIdContainerSkillsActionsData, PostBotsByBotIdContainerSkillsActionsError, PostBotsByBotIdContainerSkillsActionsErrors, PostBotsByBotIdContainerSkillsActionsResponse, PostBotsByBotIdContainerSkillsActionsResponses, PostBotsByBotIdContainerSkillsData, PostBotsByBotIdContainerSkillsError, PostBotsByBotIdContainerSkillsErrors, PostBotsByBotIdContainerSkillsResponse, PostBotsByBotIdContainerSkillsResponses, PostBotsByBotIdContainerSnapshotsData, PostBotsByBotIdContainerSnapshotsError, PostBotsByBotIdContainerSnapshotsErrors, PostBotsByBotIdContainerSnapshotsResponse, PostBotsByBotIdContainerSnapshotsResponses, PostBotsByBotIdContainerSnapshotsRollbackData, PostBotsByBotIdContainerSnapshotsRollbackError, PostBotsByBotIdContainerSnapshotsRollbackErrors, PostBotsByBotIdContainerSnapshotsRollbackResponse, PostBotsByBotIdContainerSnapshotsRollbackResponses, PostBotsByBotIdContainerStartData, PostBotsByBotIdContainerStartError, PostBotsByBotIdContainerStartErrors, PostBotsByBotIdContainerStartResponse, PostBotsByBotIdContainerStartResponses, PostBotsByBotIdContainerStopData, PostBotsByBotIdContainerStopError, PostBotsByBotIdContainerStopErrors, PostBotsByBotIdContainerStopResponse, PostBotsByBotIdContainerStopResponses, PostBotsByBotIdEmailBindingsData, PostBotsByBotIdEmailBindingsError, PostBotsByBotIdEmailBindingsErrors, PostBotsByBotIdEmailBindingsResponse, PostBotsByBotIdEmailBindingsResponses, PostBotsByBotIdLocalMessagesData, PostBotsByBotIdLocalMessagesError, PostBotsByBotIdLocalMessagesErrors, PostBotsByBotIdLocalMessagesResponse, PostBotsByBotIdLocalMessagesResponses, PostBotsByBotIdMcpByIdOauthAuthorizeData, PostBotsByBotIdMcpByIdOauthAuthorizeError, PostBotsByBotIdMcpByIdOauthAuthorizeErrors, PostBotsByBotIdMcpByIdOauthAuthorizeResponse, PostBotsByBotIdMcpByIdOauthAuthorizeResponses, PostBotsByBotIdMcpByIdOauthDiscoverData, PostBotsByBotIdMcpByIdOauthDiscoverError, PostBotsByBotIdMcpByIdOauthDiscoverErrors, PostBotsByBotIdMcpByIdOauthDiscoverResponse, PostBotsByBotIdMcpByIdOauthDiscoverResponses, PostBotsByBotIdMcpByIdOauthExchangeData, PostBotsByBotIdMcpByIdOauthExchangeError, PostBotsByBotIdMcpByIdOauthExchangeErrors, PostBotsByBotIdMcpByIdOauthExchangeResponse, PostBotsByBotIdMcpByIdOauthExchangeResponses, PostBotsByBotIdMcpByIdProbeData, PostBotsByBotIdMcpByIdProbeError, PostBotsByBotIdMcpByIdProbeErrors, PostBotsByBotIdMcpByIdProbeResponse, PostBotsByBotIdMcpByIdProbeResponses, PostBotsByBotIdMcpData, PostBotsByBotIdMcpError, PostBotsByBotIdMcpErrors, PostBotsByBotIdMcpOpsBatchDeleteData, PostBotsByBotIdMcpOpsBatchDeleteError, PostBotsByBotIdMcpOpsBatchDeleteErrors, PostBotsByBotIdMcpOpsBatchDeleteResponses, PostBotsByBotIdMcpResponse, PostBotsByBotIdMcpResponses, PostBotsByBotIdMcpStdioByConnectionIdData, PostBotsByBotIdMcpStdioByConnectionIdError, PostBotsByBotIdMcpStdioByConnectionIdErrors, PostBotsByBotIdMcpStdioByConnectionIdResponse, PostBotsByBotIdMcpStdioByConnectionIdResponses, PostBotsByBotIdMcpStdioData, PostBotsByBotIdMcpStdioError, PostBotsByBotIdMcpStdioErrors, PostBotsByBotIdMcpStdioResponse, PostBotsByBotIdMcpStdioResponses, PostBotsByBotIdMemoryCompactData, PostBotsByBotIdMemoryCompactError, PostBotsByBotIdMemoryCompactErrors, PostBotsByBotIdMemoryCompactResponse, PostBotsByBotIdMemoryCompactResponses, PostBotsByBotIdMemoryData, PostBotsByBotIdMemoryError, PostBotsByBotIdMemoryErrors, PostBotsByBotIdMemoryRebuildData, PostBotsByBotIdMemoryRebuildError, PostBotsByBotIdMemoryRebuildErrors, PostBotsByBotIdMemoryRebuildResponse, PostBotsByBotIdMemoryRebuildResponses, PostBotsByBotIdMemoryResponse, PostBotsByBotIdMemoryResponses, PostBotsByBotIdMemorySearchData, PostBotsByBotIdMemorySearchError, PostBotsByBotIdMemorySearchErrors, PostBotsByBotIdMemorySearchResponse, PostBotsByBotIdMemorySearchResponses, PostBotsByBotIdScheduleData, PostBotsByBotIdScheduleError, PostBotsByBotIdScheduleErrors, PostBotsByBotIdScheduleResponse, PostBotsByBotIdScheduleResponses, PostBotsByBotIdSessionsBySessionIdCompactData, PostBotsByBotIdSessionsBySessionIdCompactError, PostBotsByBotIdSessionsBySessionIdCompactErrors, PostBotsByBotIdSessionsBySessionIdCompactResponse, PostBotsByBotIdSessionsBySessionIdCompactResponses, PostBotsByBotIdSessionsData, PostBotsByBotIdSessionsError, PostBotsByBotIdSessionsErrors, PostBotsByBotIdSessionsResponse, PostBotsByBotIdSessionsResponses, PostBotsByBotIdSettingsData, PostBotsByBotIdSettingsError, PostBotsByBotIdSettingsErrors, PostBotsByBotIdSettingsResponse, PostBotsByBotIdSettingsResponses, PostBotsByBotIdSupermarketInstallMcpData, PostBotsByBotIdSupermarketInstallMcpError, PostBotsByBotIdSupermarketInstallMcpErrors, PostBotsByBotIdSupermarketInstallMcpResponse, PostBotsByBotIdSupermarketInstallMcpResponses, PostBotsByBotIdSupermarketInstallSkillData, PostBotsByBotIdSupermarketInstallSkillError, PostBotsByBotIdSupermarketInstallSkillErrors, PostBotsByBotIdSupermarketInstallSkillResponse, PostBotsByBotIdSupermarketInstallSkillResponses, PostBotsByBotIdToolApprovalsByApprovalIdApproveData, PostBotsByBotIdToolApprovalsByApprovalIdApproveError, PostBotsByBotIdToolApprovalsByApprovalIdApproveErrors, PostBotsByBotIdToolApprovalsByApprovalIdApproveResponse, PostBotsByBotIdToolApprovalsByApprovalIdApproveResponses, PostBotsByBotIdToolApprovalsByApprovalIdRejectData, PostBotsByBotIdToolApprovalsByApprovalIdRejectError, PostBotsByBotIdToolApprovalsByApprovalIdRejectErrors, PostBotsByBotIdToolApprovalsByApprovalIdRejectResponse, PostBotsByBotIdToolApprovalsByApprovalIdRejectResponses, PostBotsByBotIdToolsData, PostBotsByBotIdToolsError, PostBotsByBotIdToolsErrors, PostBotsByBotIdToolsResponse, PostBotsByBotIdToolsResponses, PostBotsByBotIdTtsSynthesizeData, PostBotsByBotIdTtsSynthesizeError, PostBotsByBotIdTtsSynthesizeErrors, PostBotsByBotIdTtsSynthesizeResponse, PostBotsByBotIdTtsSynthesizeResponses, PostBotsByIdChannelByPlatformSendChatData, PostBotsByIdChannelByPlatformSendChatError, PostBotsByIdChannelByPlatformSendChatErrors, PostBotsByIdChannelByPlatformSendChatResponse, PostBotsByIdChannelByPlatformSendChatResponses, PostBotsByIdChannelByPlatformSendData, PostBotsByIdChannelByPlatformSendError, PostBotsByIdChannelByPlatformSendErrors, PostBotsByIdChannelByPlatformSendResponse, PostBotsByIdChannelByPlatformSendResponses, PostBotsData, PostBotsError, PostBotsErrors, PostBotsResponse, PostBotsResponses, PostBrowserContextsData, PostBrowserContextsError, PostBrowserContextsErrors, PostBrowserContextsResponse, PostBrowserContextsResponses, PostEmailMailgunWebhookByConfigIdData, PostEmailMailgunWebhookByConfigIdError, PostEmailMailgunWebhookByConfigIdErrors, PostEmailMailgunWebhookByConfigIdResponse, PostEmailMailgunWebhookByConfigIdResponses, PostEmailProvidersData, PostEmailProvidersError, PostEmailProvidersErrors, PostEmailProvidersResponse, PostEmailProvidersResponses, PostIamBotsByBotIdPrincipalRolesData, PostIamBotsByBotIdPrincipalRolesError, PostIamBotsByBotIdPrincipalRolesErrors, PostIamBotsByBotIdPrincipalRolesResponse, PostIamBotsByBotIdPrincipalRolesResponses, PostIamGroupsByIdMembersData, PostIamGroupsByIdMembersError, PostIamGroupsByIdMembersErrors, PostIamGroupsByIdMembersResponse, PostIamGroupsByIdMembersResponses, PostIamGroupsData, PostIamGroupsError, PostIamGroupsErrors, PostIamGroupsResponse, PostIamGroupsResponses, PostIamSsoProvidersByIdGroupMappingsData, PostIamSsoProvidersByIdGroupMappingsError, PostIamSsoProvidersByIdGroupMappingsErrors, PostIamSsoProvidersByIdGroupMappingsResponse, PostIamSsoProvidersByIdGroupMappingsResponses, PostIamSsoProvidersData, PostIamSsoProvidersError, PostIamSsoProvidersErrors, PostIamSsoProvidersResponse, PostIamSsoProvidersResponses, PostMemoryProvidersData, PostMemoryProvidersError, PostMemoryProvidersErrors, PostMemoryProvidersResponse, PostMemoryProvidersResponses, PostModelsByIdTestData, PostModelsByIdTestError, PostModelsByIdTestErrors, PostModelsByIdTestResponse, PostModelsByIdTestResponses, PostModelsData, PostModelsError, PostModelsErrors, PostModelsResponse, PostModelsResponses, PostProvidersByIdImportModelsData, PostProvidersByIdImportModelsError, PostProvidersByIdImportModelsErrors, PostProvidersByIdImportModelsResponse, PostProvidersByIdImportModelsResponses, PostProvidersByIdOauthPollData, PostProvidersByIdOauthPollError, PostProvidersByIdOauthPollErrors, PostProvidersByIdOauthPollResponse, PostProvidersByIdOauthPollResponses, PostProvidersByIdTestData, PostProvidersByIdTestError, PostProvidersByIdTestErrors, PostProvidersByIdTestResponse, PostProvidersByIdTestResponses, PostProvidersData, PostProvidersError, PostProvidersErrors, PostProvidersResponse, PostProvidersResponses, PostSearchProvidersData, PostSearchProvidersError, PostSearchProvidersErrors, PostSearchProvidersResponse, PostSearchProvidersResponses, PostSpeechModelsByIdTestData, PostSpeechModelsByIdTestError, PostSpeechModelsByIdTestErrors, PostSpeechModelsByIdTestResponses, PostSpeechProvidersByIdImportModelsData, PostSpeechProvidersByIdImportModelsError, PostSpeechProvidersByIdImportModelsErrors, PostSpeechProvidersByIdImportModelsResponse, PostSpeechProvidersByIdImportModelsResponses, PostTranscriptionModelsByIdTestData, PostTranscriptionModelsByIdTestError, PostTranscriptionModelsByIdTestErrors, PostTranscriptionModelsByIdTestResponse, PostTranscriptionModelsByIdTestResponses, PostTranscriptionProvidersByIdImportModelsData, PostTranscriptionProvidersByIdImportModelsError, PostTranscriptionProvidersByIdImportModelsErrors, PostTranscriptionProvidersByIdImportModelsResponse, PostTranscriptionProvidersByIdImportModelsResponses, PostUsersData, PostUsersError, PostUsersErrors, PostUsersResponse, PostUsersResponses, ProvidersCountResponse, ProvidersCreateRequest, ProvidersGetResponse, ProvidersImportModelsResponse, ProvidersOAuthAccount, ProvidersOAuthAuthorizeResponse, ProvidersOAuthDeviceStatus, ProvidersOAuthStatus, ProvidersTestResponse, ProvidersUpdateRequest, PutBotsByBotIdAclDefaultEffectData, PutBotsByBotIdAclDefaultEffectError, PutBotsByBotIdAclDefaultEffectErrors, PutBotsByBotIdAclDefaultEffectResponses, PutBotsByBotIdAclRulesByRuleIdData, PutBotsByBotIdAclRulesByRuleIdError, PutBotsByBotIdAclRulesByRuleIdErrors, PutBotsByBotIdAclRulesByRuleIdResponse, PutBotsByBotIdAclRulesByRuleIdResponses, PutBotsByBotIdAclRulesReorderData, PutBotsByBotIdAclRulesReorderError, PutBotsByBotIdAclRulesReorderErrors, PutBotsByBotIdAclRulesReorderResponses, PutBotsByBotIdEmailBindingsByIdData, PutBotsByBotIdEmailBindingsByIdError, PutBotsByBotIdEmailBindingsByIdErrors, PutBotsByBotIdEmailBindingsByIdResponse, PutBotsByBotIdEmailBindingsByIdResponses, PutBotsByBotIdMcpByIdData, PutBotsByBotIdMcpByIdError, PutBotsByBotIdMcpByIdErrors, PutBotsByBotIdMcpByIdResponse, PutBotsByBotIdMcpByIdResponses, PutBotsByBotIdMcpImportData, PutBotsByBotIdMcpImportError, PutBotsByBotIdMcpImportErrors, PutBotsByBotIdMcpImportResponse, PutBotsByBotIdMcpImportResponses, PutBotsByBotIdScheduleByIdData, PutBotsByBotIdScheduleByIdError, PutBotsByBotIdScheduleByIdErrors, PutBotsByBotIdScheduleByIdResponse, PutBotsByBotIdScheduleByIdResponses, PutBotsByBotIdSettingsData, PutBotsByBotIdSettingsError, PutBotsByBotIdSettingsErrors, PutBotsByBotIdSettingsResponse, PutBotsByBotIdSettingsResponses, PutBotsByIdChannelByPlatformData, PutBotsByIdChannelByPlatformError, PutBotsByIdChannelByPlatformErrors, PutBotsByIdChannelByPlatformResponse, PutBotsByIdChannelByPlatformResponses, PutBotsByIdData, PutBotsByIdError, PutBotsByIdErrors, PutBotsByIdOwnerData, PutBotsByIdOwnerError, PutBotsByIdOwnerErrors, PutBotsByIdOwnerResponse, PutBotsByIdOwnerResponses, PutBotsByIdResponse, PutBotsByIdResponses, PutBrowserContextsByIdData, PutBrowserContextsByIdError, PutBrowserContextsByIdErrors, PutBrowserContextsByIdResponse, PutBrowserContextsByIdResponses, PutEmailProvidersByIdData, PutEmailProvidersByIdError, PutEmailProvidersByIdErrors, PutEmailProvidersByIdResponse, PutEmailProvidersByIdResponses, PutIamGroupsByIdData, PutIamGroupsByIdError, PutIamGroupsByIdErrors, PutIamGroupsByIdResponse, PutIamGroupsByIdResponses, PutIamSsoProvidersByIdData, PutIamSsoProvidersByIdError, PutIamSsoProvidersByIdErrors, PutIamSsoProvidersByIdResponse, PutIamSsoProvidersByIdResponses, PutMemoryProvidersByIdData, PutMemoryProvidersByIdError, PutMemoryProvidersByIdErrors, PutMemoryProvidersByIdResponse, PutMemoryProvidersByIdResponses, PutModelsByIdData, PutModelsByIdError, PutModelsByIdErrors, PutModelsByIdResponse, PutModelsByIdResponses, PutModelsModelByModelIdData, PutModelsModelByModelIdError, PutModelsModelByModelIdErrors, PutModelsModelByModelIdResponse, PutModelsModelByModelIdResponses, PutProvidersByIdData, PutProvidersByIdError, PutProvidersByIdErrors, PutProvidersByIdResponse, PutProvidersByIdResponses, PutSearchProvidersByIdData, PutSearchProvidersByIdError, PutSearchProvidersByIdErrors, PutSearchProvidersByIdResponse, PutSearchProvidersByIdResponses, PutSpeechModelsByIdData, PutSpeechModelsByIdError, PutSpeechModelsByIdErrors, PutSpeechModelsByIdResponse, PutSpeechModelsByIdResponses, PutTranscriptionModelsByIdData, PutTranscriptionModelsByIdError, PutTranscriptionModelsByIdErrors, PutTranscriptionModelsByIdResponse, PutTranscriptionModelsByIdResponses, PutUsersByIdData, PutUsersByIdError, PutUsersByIdErrors, PutUsersByIdPasswordData, PutUsersByIdPasswordError, PutUsersByIdPasswordErrors, PutUsersByIdPasswordResponses, PutUsersByIdResponse, PutUsersByIdResponses, PutUsersMeChannelsByPlatformData, PutUsersMeChannelsByPlatformError, PutUsersMeChannelsByPlatformErrors, PutUsersMeChannelsByPlatformResponse, PutUsersMeChannelsByPlatformResponses, PutUsersMeData, PutUsersMeError, PutUsersMeErrors, PutUsersMePasswordData, PutUsersMePasswordError, PutUsersMePasswordErrors, PutUsersMePasswordResponses, PutUsersMeResponse, PutUsersMeResponses, ScheduleCreateRequest, ScheduleListLogsResponse, ScheduleListResponse, ScheduleLog, ScheduleNullableInt, ScheduleSchedule, ScheduleUpdateRequest, SearchprovidersCreateRequest, SearchprovidersGetResponse, SearchprovidersProviderConfigSchema, SearchprovidersProviderFieldSchema, SearchprovidersProviderMeta, SearchprovidersProviderName, SearchprovidersUpdateRequest, SessionSession, SettingsSettings, SettingsToolApprovalConfig, SettingsToolApprovalExecPolicy, SettingsToolApprovalFilePolicy, SettingsUpsertRequest, SsoProviderType } from './types.gen';
diff --git a/packages/sdk/src/sdk.gen.ts b/packages/sdk/src/sdk.gen.ts
index c24978b3d..b89ee4be6 100644
--- a/packages/sdk/src/sdk.gen.ts
+++ b/packages/sdk/src/sdk.gen.ts
@@ -2,7 +2,7 @@
 
 import { type Client, formDataBodySerializer, type Options as Options2, type TDataShape } from './client';
 import { client } from './client.gen';
-import type { DeleteBotsByBotIdAclRulesByRuleIdData, DeleteBotsByBotIdAclRulesByRuleIdErrors, DeleteBotsByBotIdAclRulesByRuleIdResponses, DeleteBotsByBotIdCompactionLogsData, DeleteBotsByBotIdCompactionLogsErrors, DeleteBotsByBotIdCompactionLogsResponses, DeleteBotsByBotIdContainerData, DeleteBotsByBotIdContainerErrors, DeleteBotsByBotIdContainerResponses, DeleteBotsByBotIdContainerSkillsData, DeleteBotsByBotIdContainerSkillsErrors, DeleteBotsByBotIdContainerSkillsResponses, DeleteBotsByBotIdEmailBindingsByIdData, DeleteBotsByBotIdEmailBindingsByIdErrors, DeleteBotsByBotIdEmailBindingsByIdResponses, DeleteBotsByBotIdHeartbeatLogsData, DeleteBotsByBotIdHeartbeatLogsErrors, DeleteBotsByBotIdHeartbeatLogsResponses, DeleteBotsByBotIdMcpByIdData, DeleteBotsByBotIdMcpByIdErrors, DeleteBotsByBotIdMcpByIdOauthTokenData, DeleteBotsByBotIdMcpByIdOauthTokenErrors, DeleteBotsByBotIdMcpByIdOauthTokenResponses, DeleteBotsByBotIdMcpByIdResponses, DeleteBotsByBotIdMemoryByIdData, DeleteBotsByBotIdMemoryByIdErrors, DeleteBotsByBotIdMemoryByIdResponses, DeleteBotsByBotIdMemoryData, DeleteBotsByBotIdMemoryErrors, DeleteBotsByBotIdMemoryResponses, DeleteBotsByBotIdMessagesData, DeleteBotsByBotIdMessagesErrors, DeleteBotsByBotIdMessagesResponses, DeleteBotsByBotIdScheduleByIdData, DeleteBotsByBotIdScheduleByIdErrors, DeleteBotsByBotIdScheduleByIdResponses, DeleteBotsByBotIdScheduleLogsData, DeleteBotsByBotIdScheduleLogsErrors, DeleteBotsByBotIdScheduleLogsResponses, DeleteBotsByBotIdSessionsBySessionIdData, DeleteBotsByBotIdSessionsBySessionIdErrors, DeleteBotsByBotIdSessionsBySessionIdResponses, DeleteBotsByBotIdSettingsData, DeleteBotsByBotIdSettingsErrors, DeleteBotsByBotIdSettingsResponses, DeleteBotsByIdChannelByPlatformData, DeleteBotsByIdChannelByPlatformErrors, DeleteBotsByIdChannelByPlatformResponses, DeleteBotsByIdData, DeleteBotsByIdErrors, DeleteBotsByIdResponses, DeleteBrowserContextsByIdData, DeleteBrowserContextsByIdErrors, DeleteBrowserContextsByIdResponses, DeleteEmailProvidersByIdData, DeleteEmailProvidersByIdErrors, DeleteEmailProvidersByIdOauthTokenData, DeleteEmailProvidersByIdOauthTokenErrors, DeleteEmailProvidersByIdOauthTokenResponses, DeleteEmailProvidersByIdResponses, DeleteMemoryProvidersByIdData, DeleteMemoryProvidersByIdErrors, DeleteMemoryProvidersByIdResponses, DeleteModelsByIdData, DeleteModelsByIdErrors, DeleteModelsByIdResponses, DeleteModelsModelByModelIdData, DeleteModelsModelByModelIdErrors, DeleteModelsModelByModelIdResponses, DeleteProvidersByIdData, DeleteProvidersByIdErrors, DeleteProvidersByIdOauthTokenData, DeleteProvidersByIdOauthTokenErrors, DeleteProvidersByIdOauthTokenResponses, DeleteProvidersByIdResponses, DeleteSearchProvidersByIdData, DeleteSearchProvidersByIdErrors, DeleteSearchProvidersByIdResponses, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsData, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsErrors, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsResponses, GetBotsByBotIdAclChannelIdentitiesData, GetBotsByBotIdAclChannelIdentitiesErrors, GetBotsByBotIdAclChannelIdentitiesResponses, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsData, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsErrors, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsResponses, GetBotsByBotIdAclDefaultEffectData, GetBotsByBotIdAclDefaultEffectErrors, GetBotsByBotIdAclDefaultEffectResponses, GetBotsByBotIdAclRulesData, GetBotsByBotIdAclRulesErrors, GetBotsByBotIdAclRulesResponses, GetBotsByBotIdCompactionLogsData, GetBotsByBotIdCompactionLogsErrors, GetBotsByBotIdCompactionLogsResponses, GetBotsByBotIdContainerData, GetBotsByBotIdContainerErrors, GetBotsByBotIdContainerFsData, GetBotsByBotIdContainerFsDownloadData, GetBotsByBotIdContainerFsDownloadErrors, GetBotsByBotIdContainerFsDownloadResponses, GetBotsByBotIdContainerFsErrors, GetBotsByBotIdContainerFsListData, GetBotsByBotIdContainerFsListErrors, GetBotsByBotIdContainerFsListResponses, GetBotsByBotIdContainerFsReadData, GetBotsByBotIdContainerFsReadErrors, GetBotsByBotIdContainerFsReadResponses, GetBotsByBotIdContainerFsResponses, GetBotsByBotIdContainerMetricsData, GetBotsByBotIdContainerMetricsErrors, GetBotsByBotIdContainerMetricsResponses, GetBotsByBotIdContainerResponses, GetBotsByBotIdContainerSkillsData, GetBotsByBotIdContainerSkillsErrors, GetBotsByBotIdContainerSkillsResponses, GetBotsByBotIdContainerSnapshotsData, GetBotsByBotIdContainerSnapshotsErrors, GetBotsByBotIdContainerSnapshotsResponses, GetBotsByBotIdContainerTerminalData, GetBotsByBotIdContainerTerminalErrors, GetBotsByBotIdContainerTerminalResponses, GetBotsByBotIdContainerTerminalWsData, GetBotsByBotIdContainerTerminalWsErrors, GetBotsByBotIdEmailBindingsData, GetBotsByBotIdEmailBindingsErrors, GetBotsByBotIdEmailBindingsResponses, GetBotsByBotIdEmailOutboxByIdData, GetBotsByBotIdEmailOutboxByIdErrors, GetBotsByBotIdEmailOutboxByIdResponses, GetBotsByBotIdEmailOutboxData, GetBotsByBotIdEmailOutboxErrors, GetBotsByBotIdEmailOutboxResponses, GetBotsByBotIdHeartbeatLogsData, GetBotsByBotIdHeartbeatLogsErrors, GetBotsByBotIdHeartbeatLogsResponses, GetBotsByBotIdLocalStreamData, GetBotsByBotIdLocalStreamErrors, GetBotsByBotIdLocalStreamResponses, GetBotsByBotIdLocalWsData, GetBotsByBotIdLocalWsErrors, GetBotsByBotIdMcpByIdData, GetBotsByBotIdMcpByIdErrors, GetBotsByBotIdMcpByIdOauthStatusData, GetBotsByBotIdMcpByIdOauthStatusErrors, GetBotsByBotIdMcpByIdOauthStatusResponses, GetBotsByBotIdMcpByIdResponses, GetBotsByBotIdMcpData, GetBotsByBotIdMcpErrors, GetBotsByBotIdMcpExportData, GetBotsByBotIdMcpExportErrors, GetBotsByBotIdMcpExportResponses, GetBotsByBotIdMcpResponses, GetBotsByBotIdMemoryData, GetBotsByBotIdMemoryErrors, GetBotsByBotIdMemoryResponses, GetBotsByBotIdMemoryStatusData, GetBotsByBotIdMemoryStatusErrors, GetBotsByBotIdMemoryStatusResponses, GetBotsByBotIdMemoryUsageData, GetBotsByBotIdMemoryUsageErrors, GetBotsByBotIdMemoryUsageResponses, GetBotsByBotIdMessagesData, GetBotsByBotIdMessagesErrors, GetBotsByBotIdMessagesResponses, GetBotsByBotIdScheduleByIdData, GetBotsByBotIdScheduleByIdErrors, GetBotsByBotIdScheduleByIdLogsData, GetBotsByBotIdScheduleByIdLogsErrors, GetBotsByBotIdScheduleByIdLogsResponses, GetBotsByBotIdScheduleByIdResponses, GetBotsByBotIdScheduleData, GetBotsByBotIdScheduleErrors, GetBotsByBotIdScheduleLogsData, GetBotsByBotIdScheduleLogsErrors, GetBotsByBotIdScheduleLogsResponses, GetBotsByBotIdScheduleResponses, GetBotsByBotIdSessionsBySessionIdData, GetBotsByBotIdSessionsBySessionIdErrors, GetBotsByBotIdSessionsBySessionIdResponses, GetBotsByBotIdSessionsBySessionIdStatusData, GetBotsByBotIdSessionsBySessionIdStatusErrors, GetBotsByBotIdSessionsBySessionIdStatusResponses, GetBotsByBotIdSessionsData, GetBotsByBotIdSessionsErrors, GetBotsByBotIdSessionsResponses, GetBotsByBotIdSettingsData, GetBotsByBotIdSettingsErrors, GetBotsByBotIdSettingsResponses, GetBotsByBotIdTokenUsageData, GetBotsByBotIdTokenUsageErrors, GetBotsByBotIdTokenUsageRecordsData, GetBotsByBotIdTokenUsageRecordsErrors, GetBotsByBotIdTokenUsageRecordsResponses, GetBotsByBotIdTokenUsageResponses, GetBotsByIdChannelByPlatformData, GetBotsByIdChannelByPlatformErrors, GetBotsByIdChannelByPlatformResponses, GetBotsByIdChecksData, GetBotsByIdChecksErrors, GetBotsByIdChecksResponses, GetBotsByIdData, GetBotsByIdErrors, GetBotsByIdResponses, GetBotsData, GetBotsErrors, GetBotsResponses, GetBrowserContextsByIdData, GetBrowserContextsByIdErrors, GetBrowserContextsByIdResponses, GetBrowserContextsCoresData, GetBrowserContextsCoresErrors, GetBrowserContextsCoresResponses, GetBrowserContextsData, GetBrowserContextsErrors, GetBrowserContextsResponses, GetChannelsByPlatformData, GetChannelsByPlatformErrors, GetChannelsByPlatformResponses, GetChannelsData, GetChannelsErrors, GetChannelsResponses, GetEmailOauthCallbackData, GetEmailOauthCallbackErrors, GetEmailOauthCallbackResponses, GetEmailProvidersByIdData, GetEmailProvidersByIdErrors, GetEmailProvidersByIdOauthAuthorizeData, GetEmailProvidersByIdOauthAuthorizeErrors, GetEmailProvidersByIdOauthAuthorizeResponses, GetEmailProvidersByIdOauthStatusData, GetEmailProvidersByIdOauthStatusErrors, GetEmailProvidersByIdOauthStatusResponses, GetEmailProvidersByIdResponses, GetEmailProvidersData, GetEmailProvidersErrors, GetEmailProvidersMetaData, GetEmailProvidersMetaResponses, GetEmailProvidersResponses, GetMemoryProvidersByIdData, GetMemoryProvidersByIdErrors, GetMemoryProvidersByIdResponses, GetMemoryProvidersByIdStatusData, GetMemoryProvidersByIdStatusErrors, GetMemoryProvidersByIdStatusResponses, GetMemoryProvidersData, GetMemoryProvidersErrors, GetMemoryProvidersMetaData, GetMemoryProvidersMetaResponses, GetMemoryProvidersResponses, GetModelsByIdData, GetModelsByIdErrors, GetModelsByIdResponses, GetModelsCountData, GetModelsCountErrors, GetModelsCountResponses, GetModelsData, GetModelsErrors, GetModelsModelByModelIdData, GetModelsModelByModelIdErrors, GetModelsModelByModelIdResponses, GetModelsResponses, GetPingData, GetPingResponses, GetProvidersByIdData, GetProvidersByIdErrors, GetProvidersByIdModelsData, GetProvidersByIdModelsErrors, GetProvidersByIdModelsResponses, GetProvidersByIdOauthAuthorizeData, GetProvidersByIdOauthAuthorizeErrors, GetProvidersByIdOauthAuthorizeResponses, GetProvidersByIdOauthStatusData, GetProvidersByIdOauthStatusErrors, GetProvidersByIdOauthStatusResponses, GetProvidersByIdResponses, GetProvidersCountData, GetProvidersCountErrors, GetProvidersCountResponses, GetProvidersData, GetProvidersErrors, GetProvidersNameByNameData, GetProvidersNameByNameErrors, GetProvidersNameByNameResponses, GetProvidersOauthCallbackData, GetProvidersOauthCallbackErrors, GetProvidersOauthCallbackResponses, GetProvidersResponses, GetSearchProvidersByIdData, GetSearchProvidersByIdErrors, GetSearchProvidersByIdResponses, GetSearchProvidersData, GetSearchProvidersErrors, GetSearchProvidersMetaData, GetSearchProvidersMetaResponses, GetSearchProvidersResponses, GetSpeechModelsByIdCapabilitiesData, GetSpeechModelsByIdCapabilitiesErrors, GetSpeechModelsByIdCapabilitiesResponses, GetSpeechModelsByIdData, GetSpeechModelsByIdErrors, GetSpeechModelsByIdResponses, GetSpeechModelsData, GetSpeechModelsErrors, GetSpeechModelsResponses, GetSpeechProvidersByIdData, GetSpeechProvidersByIdErrors, GetSpeechProvidersByIdModelsData, GetSpeechProvidersByIdModelsErrors, GetSpeechProvidersByIdModelsResponses, GetSpeechProvidersByIdResponses, GetSpeechProvidersData, GetSpeechProvidersErrors, GetSpeechProvidersMetaData, GetSpeechProvidersMetaResponses, GetSpeechProvidersResponses, GetSupermarketMcpsByIdData, GetSupermarketMcpsByIdErrors, GetSupermarketMcpsByIdResponses, GetSupermarketMcpsData, GetSupermarketMcpsErrors, GetSupermarketMcpsResponses, GetSupermarketSkillsByIdData, GetSupermarketSkillsByIdErrors, GetSupermarketSkillsByIdResponses, GetSupermarketSkillsData, GetSupermarketSkillsErrors, GetSupermarketSkillsResponses, GetSupermarketTagsData, GetSupermarketTagsErrors, GetSupermarketTagsResponses, GetTranscriptionModelsByIdCapabilitiesData, GetTranscriptionModelsByIdCapabilitiesErrors, GetTranscriptionModelsByIdCapabilitiesResponses, GetTranscriptionModelsByIdData, GetTranscriptionModelsByIdErrors, GetTranscriptionModelsByIdResponses, GetTranscriptionModelsData, GetTranscriptionModelsErrors, GetTranscriptionModelsResponses, GetTranscriptionProvidersByIdData, GetTranscriptionProvidersByIdErrors, GetTranscriptionProvidersByIdModelsData, GetTranscriptionProvidersByIdModelsErrors, GetTranscriptionProvidersByIdModelsResponses, GetTranscriptionProvidersByIdResponses, GetTranscriptionProvidersData, GetTranscriptionProvidersErrors, GetTranscriptionProvidersMetaData, GetTranscriptionProvidersMetaResponses, GetTranscriptionProvidersResponses, GetUsersByIdData, GetUsersByIdErrors, GetUsersByIdResponses, GetUsersData, GetUsersErrors, GetUsersMeChannelsByPlatformData, GetUsersMeChannelsByPlatformErrors, GetUsersMeChannelsByPlatformResponses, GetUsersMeData, GetUsersMeErrors, GetUsersMeIdentitiesData, GetUsersMeIdentitiesErrors, GetUsersMeIdentitiesResponses, GetUsersMeResponses, GetUsersResponses, PatchBotsByBotIdSessionsBySessionIdData, PatchBotsByBotIdSessionsBySessionIdErrors, PatchBotsByBotIdSessionsBySessionIdResponses, PatchBotsByIdChannelByPlatformStatusData, PatchBotsByIdChannelByPlatformStatusErrors, PatchBotsByIdChannelByPlatformStatusResponses, PostAuthLoginData, PostAuthLoginErrors, PostAuthLoginResponses, PostAuthRefreshData, PostAuthRefreshErrors, PostAuthRefreshResponses, PostBotsByBotIdAclRulesData, PostBotsByBotIdAclRulesErrors, PostBotsByBotIdAclRulesResponses, PostBotsByBotIdContainerData, PostBotsByBotIdContainerDataExportData, PostBotsByBotIdContainerDataExportErrors, PostBotsByBotIdContainerDataExportResponses, PostBotsByBotIdContainerDataImportData, PostBotsByBotIdContainerDataImportErrors, PostBotsByBotIdContainerDataImportResponses, PostBotsByBotIdContainerDataRestoreData, PostBotsByBotIdContainerDataRestoreErrors, PostBotsByBotIdContainerDataRestoreResponses, PostBotsByBotIdContainerErrors, PostBotsByBotIdContainerFsDeleteData, PostBotsByBotIdContainerFsDeleteErrors, PostBotsByBotIdContainerFsDeleteResponses, PostBotsByBotIdContainerFsMkdirData, PostBotsByBotIdContainerFsMkdirErrors, PostBotsByBotIdContainerFsMkdirResponses, PostBotsByBotIdContainerFsRenameData, PostBotsByBotIdContainerFsRenameErrors, PostBotsByBotIdContainerFsRenameResponses, PostBotsByBotIdContainerFsUploadData, PostBotsByBotIdContainerFsUploadErrors, PostBotsByBotIdContainerFsUploadResponses, PostBotsByBotIdContainerFsWriteData, PostBotsByBotIdContainerFsWriteErrors, PostBotsByBotIdContainerFsWriteResponses, PostBotsByBotIdContainerResponses, PostBotsByBotIdContainerSkillsActionsData, PostBotsByBotIdContainerSkillsActionsErrors, PostBotsByBotIdContainerSkillsActionsResponses, PostBotsByBotIdContainerSkillsData, PostBotsByBotIdContainerSkillsErrors, PostBotsByBotIdContainerSkillsResponses, PostBotsByBotIdContainerSnapshotsData, PostBotsByBotIdContainerSnapshotsErrors, PostBotsByBotIdContainerSnapshotsResponses, PostBotsByBotIdContainerSnapshotsRollbackData, PostBotsByBotIdContainerSnapshotsRollbackErrors, PostBotsByBotIdContainerSnapshotsRollbackResponses, PostBotsByBotIdContainerStartData, PostBotsByBotIdContainerStartErrors, PostBotsByBotIdContainerStartResponses, PostBotsByBotIdContainerStopData, PostBotsByBotIdContainerStopErrors, PostBotsByBotIdContainerStopResponses, PostBotsByBotIdEmailBindingsData, PostBotsByBotIdEmailBindingsErrors, PostBotsByBotIdEmailBindingsResponses, PostBotsByBotIdLocalMessagesData, PostBotsByBotIdLocalMessagesErrors, PostBotsByBotIdLocalMessagesResponses, PostBotsByBotIdMcpByIdOauthAuthorizeData, PostBotsByBotIdMcpByIdOauthAuthorizeErrors, PostBotsByBotIdMcpByIdOauthAuthorizeResponses, PostBotsByBotIdMcpByIdOauthDiscoverData, PostBotsByBotIdMcpByIdOauthDiscoverErrors, PostBotsByBotIdMcpByIdOauthDiscoverResponses, PostBotsByBotIdMcpByIdOauthExchangeData, PostBotsByBotIdMcpByIdOauthExchangeErrors, PostBotsByBotIdMcpByIdOauthExchangeResponses, PostBotsByBotIdMcpByIdProbeData, PostBotsByBotIdMcpByIdProbeErrors, PostBotsByBotIdMcpByIdProbeResponses, PostBotsByBotIdMcpData, PostBotsByBotIdMcpErrors, PostBotsByBotIdMcpOpsBatchDeleteData, PostBotsByBotIdMcpOpsBatchDeleteErrors, PostBotsByBotIdMcpOpsBatchDeleteResponses, PostBotsByBotIdMcpResponses, PostBotsByBotIdMcpStdioByConnectionIdData, PostBotsByBotIdMcpStdioByConnectionIdErrors, PostBotsByBotIdMcpStdioByConnectionIdResponses, PostBotsByBotIdMcpStdioData, PostBotsByBotIdMcpStdioErrors, PostBotsByBotIdMcpStdioResponses, PostBotsByBotIdMemoryCompactData, PostBotsByBotIdMemoryCompactErrors, PostBotsByBotIdMemoryCompactResponses, PostBotsByBotIdMemoryData, PostBotsByBotIdMemoryErrors, PostBotsByBotIdMemoryRebuildData, PostBotsByBotIdMemoryRebuildErrors, PostBotsByBotIdMemoryRebuildResponses, PostBotsByBotIdMemoryResponses, PostBotsByBotIdMemorySearchData, PostBotsByBotIdMemorySearchErrors, PostBotsByBotIdMemorySearchResponses, PostBotsByBotIdScheduleData, PostBotsByBotIdScheduleErrors, PostBotsByBotIdScheduleResponses, PostBotsByBotIdSessionsBySessionIdCompactData, PostBotsByBotIdSessionsBySessionIdCompactErrors, PostBotsByBotIdSessionsBySessionIdCompactResponses, PostBotsByBotIdSessionsData, PostBotsByBotIdSessionsErrors, PostBotsByBotIdSessionsResponses, PostBotsByBotIdSettingsData, PostBotsByBotIdSettingsErrors, PostBotsByBotIdSettingsResponses, PostBotsByBotIdSupermarketInstallMcpData, PostBotsByBotIdSupermarketInstallMcpErrors, PostBotsByBotIdSupermarketInstallMcpResponses, PostBotsByBotIdSupermarketInstallSkillData, PostBotsByBotIdSupermarketInstallSkillErrors, PostBotsByBotIdSupermarketInstallSkillResponses, PostBotsByBotIdToolApprovalsByApprovalIdApproveData, PostBotsByBotIdToolApprovalsByApprovalIdApproveErrors, PostBotsByBotIdToolApprovalsByApprovalIdApproveResponses, PostBotsByBotIdToolApprovalsByApprovalIdRejectData, PostBotsByBotIdToolApprovalsByApprovalIdRejectErrors, PostBotsByBotIdToolApprovalsByApprovalIdRejectResponses, PostBotsByBotIdToolsData, PostBotsByBotIdToolsErrors, PostBotsByBotIdToolsResponses, PostBotsByBotIdTtsSynthesizeData, PostBotsByBotIdTtsSynthesizeErrors, PostBotsByBotIdTtsSynthesizeResponses, PostBotsByIdChannelByPlatformSendChatData, PostBotsByIdChannelByPlatformSendChatErrors, PostBotsByIdChannelByPlatformSendChatResponses, PostBotsByIdChannelByPlatformSendData, PostBotsByIdChannelByPlatformSendErrors, PostBotsByIdChannelByPlatformSendResponses, PostBotsData, PostBotsErrors, PostBotsResponses, PostBrowserContextsData, PostBrowserContextsErrors, PostBrowserContextsResponses, PostEmailMailgunWebhookByConfigIdData, PostEmailMailgunWebhookByConfigIdErrors, PostEmailMailgunWebhookByConfigIdResponses, PostEmailProvidersData, PostEmailProvidersErrors, PostEmailProvidersResponses, PostMemoryProvidersData, PostMemoryProvidersErrors, PostMemoryProvidersResponses, PostModelsByIdTestData, PostModelsByIdTestErrors, PostModelsByIdTestResponses, PostModelsData, PostModelsErrors, PostModelsResponses, PostProvidersByIdImportModelsData, PostProvidersByIdImportModelsErrors, PostProvidersByIdImportModelsResponses, PostProvidersByIdOauthPollData, PostProvidersByIdOauthPollErrors, PostProvidersByIdOauthPollResponses, PostProvidersByIdTestData, PostProvidersByIdTestErrors, PostProvidersByIdTestResponses, PostProvidersData, PostProvidersErrors, PostProvidersResponses, PostSearchProvidersData, PostSearchProvidersErrors, PostSearchProvidersResponses, PostSpeechModelsByIdTestData, PostSpeechModelsByIdTestErrors, PostSpeechModelsByIdTestResponses, PostSpeechProvidersByIdImportModelsData, PostSpeechProvidersByIdImportModelsErrors, PostSpeechProvidersByIdImportModelsResponses, PostTranscriptionModelsByIdTestData, PostTranscriptionModelsByIdTestErrors, PostTranscriptionModelsByIdTestResponses, PostTranscriptionProvidersByIdImportModelsData, PostTranscriptionProvidersByIdImportModelsErrors, PostTranscriptionProvidersByIdImportModelsResponses, PostUsersData, PostUsersErrors, PostUsersResponses, PutBotsByBotIdAclDefaultEffectData, PutBotsByBotIdAclDefaultEffectErrors, PutBotsByBotIdAclDefaultEffectResponses, PutBotsByBotIdAclRulesByRuleIdData, PutBotsByBotIdAclRulesByRuleIdErrors, PutBotsByBotIdAclRulesByRuleIdResponses, PutBotsByBotIdAclRulesReorderData, PutBotsByBotIdAclRulesReorderErrors, PutBotsByBotIdAclRulesReorderResponses, PutBotsByBotIdEmailBindingsByIdData, PutBotsByBotIdEmailBindingsByIdErrors, PutBotsByBotIdEmailBindingsByIdResponses, PutBotsByBotIdMcpByIdData, PutBotsByBotIdMcpByIdErrors, PutBotsByBotIdMcpByIdResponses, PutBotsByBotIdMcpImportData, PutBotsByBotIdMcpImportErrors, PutBotsByBotIdMcpImportResponses, PutBotsByBotIdScheduleByIdData, PutBotsByBotIdScheduleByIdErrors, PutBotsByBotIdScheduleByIdResponses, PutBotsByBotIdSettingsData, PutBotsByBotIdSettingsErrors, PutBotsByBotIdSettingsResponses, PutBotsByIdChannelByPlatformData, PutBotsByIdChannelByPlatformErrors, PutBotsByIdChannelByPlatformResponses, PutBotsByIdData, PutBotsByIdErrors, PutBotsByIdOwnerData, PutBotsByIdOwnerErrors, PutBotsByIdOwnerResponses, PutBotsByIdResponses, PutBrowserContextsByIdData, PutBrowserContextsByIdErrors, PutBrowserContextsByIdResponses, PutEmailProvidersByIdData, PutEmailProvidersByIdErrors, PutEmailProvidersByIdResponses, PutMemoryProvidersByIdData, PutMemoryProvidersByIdErrors, PutMemoryProvidersByIdResponses, PutModelsByIdData, PutModelsByIdErrors, PutModelsByIdResponses, PutModelsModelByModelIdData, PutModelsModelByModelIdErrors, PutModelsModelByModelIdResponses, PutProvidersByIdData, PutProvidersByIdErrors, PutProvidersByIdResponses, PutSearchProvidersByIdData, PutSearchProvidersByIdErrors, PutSearchProvidersByIdResponses, PutSpeechModelsByIdData, PutSpeechModelsByIdErrors, PutSpeechModelsByIdResponses, PutTranscriptionModelsByIdData, PutTranscriptionModelsByIdErrors, PutTranscriptionModelsByIdResponses, PutUsersByIdData, PutUsersByIdErrors, PutUsersByIdPasswordData, PutUsersByIdPasswordErrors, PutUsersByIdPasswordResponses, PutUsersByIdResponses, PutUsersMeChannelsByPlatformData, PutUsersMeChannelsByPlatformErrors, PutUsersMeChannelsByPlatformResponses, PutUsersMeData, PutUsersMeErrors, PutUsersMePasswordData, PutUsersMePasswordErrors, PutUsersMePasswordResponses, PutUsersMeResponses } from './types.gen';
+import type { DeleteBotsByBotIdAclRulesByRuleIdData, DeleteBotsByBotIdAclRulesByRuleIdErrors, DeleteBotsByBotIdAclRulesByRuleIdResponses, DeleteBotsByBotIdCompactionLogsData, DeleteBotsByBotIdCompactionLogsErrors, DeleteBotsByBotIdCompactionLogsResponses, DeleteBotsByBotIdContainerData, DeleteBotsByBotIdContainerErrors, DeleteBotsByBotIdContainerResponses, DeleteBotsByBotIdContainerSkillsData, DeleteBotsByBotIdContainerSkillsErrors, DeleteBotsByBotIdContainerSkillsResponses, DeleteBotsByBotIdEmailBindingsByIdData, DeleteBotsByBotIdEmailBindingsByIdErrors, DeleteBotsByBotIdEmailBindingsByIdResponses, DeleteBotsByBotIdHeartbeatLogsData, DeleteBotsByBotIdHeartbeatLogsErrors, DeleteBotsByBotIdHeartbeatLogsResponses, DeleteBotsByBotIdMcpByIdData, DeleteBotsByBotIdMcpByIdErrors, DeleteBotsByBotIdMcpByIdOauthTokenData, DeleteBotsByBotIdMcpByIdOauthTokenErrors, DeleteBotsByBotIdMcpByIdOauthTokenResponses, DeleteBotsByBotIdMcpByIdResponses, DeleteBotsByBotIdMemoryByIdData, DeleteBotsByBotIdMemoryByIdErrors, DeleteBotsByBotIdMemoryByIdResponses, DeleteBotsByBotIdMemoryData, DeleteBotsByBotIdMemoryErrors, DeleteBotsByBotIdMemoryResponses, DeleteBotsByBotIdMessagesData, DeleteBotsByBotIdMessagesErrors, DeleteBotsByBotIdMessagesResponses, DeleteBotsByBotIdScheduleByIdData, DeleteBotsByBotIdScheduleByIdErrors, DeleteBotsByBotIdScheduleByIdResponses, DeleteBotsByBotIdScheduleLogsData, DeleteBotsByBotIdScheduleLogsErrors, DeleteBotsByBotIdScheduleLogsResponses, DeleteBotsByBotIdSessionsBySessionIdData, DeleteBotsByBotIdSessionsBySessionIdErrors, DeleteBotsByBotIdSessionsBySessionIdResponses, DeleteBotsByBotIdSettingsData, DeleteBotsByBotIdSettingsErrors, DeleteBotsByBotIdSettingsResponses, DeleteBotsByIdChannelByPlatformData, DeleteBotsByIdChannelByPlatformErrors, DeleteBotsByIdChannelByPlatformResponses, DeleteBotsByIdData, DeleteBotsByIdErrors, DeleteBotsByIdResponses, DeleteBrowserContextsByIdData, DeleteBrowserContextsByIdErrors, DeleteBrowserContextsByIdResponses, DeleteEmailProvidersByIdData, DeleteEmailProvidersByIdErrors, DeleteEmailProvidersByIdOauthTokenData, DeleteEmailProvidersByIdOauthTokenErrors, DeleteEmailProvidersByIdOauthTokenResponses, DeleteEmailProvidersByIdResponses, DeleteIamGroupsByIdData, DeleteIamGroupsByIdErrors, DeleteIamGroupsByIdMembersByUserIdData, DeleteIamGroupsByIdMembersByUserIdErrors, DeleteIamGroupsByIdMembersByUserIdResponses, DeleteIamGroupsByIdResponses, DeleteIamPrincipalRolesByIdData, DeleteIamPrincipalRolesByIdErrors, DeleteIamPrincipalRolesByIdResponses, DeleteIamSsoProvidersByIdData, DeleteIamSsoProvidersByIdErrors, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupData, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupErrors, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupResponses, DeleteIamSsoProvidersByIdResponses, DeleteMemoryProvidersByIdData, DeleteMemoryProvidersByIdErrors, DeleteMemoryProvidersByIdResponses, DeleteModelsByIdData, DeleteModelsByIdErrors, DeleteModelsByIdResponses, DeleteModelsModelByModelIdData, DeleteModelsModelByModelIdErrors, DeleteModelsModelByModelIdResponses, DeleteProvidersByIdData, DeleteProvidersByIdErrors, DeleteProvidersByIdOauthTokenData, DeleteProvidersByIdOauthTokenErrors, DeleteProvidersByIdOauthTokenResponses, DeleteProvidersByIdResponses, DeleteSearchProvidersByIdData, DeleteSearchProvidersByIdErrors, DeleteSearchProvidersByIdResponses, GetAuthSsoByProviderIdCallbackData, GetAuthSsoByProviderIdCallbackErrors, GetAuthSsoByProviderIdSamlMetadataData, GetAuthSsoByProviderIdSamlMetadataErrors, GetAuthSsoByProviderIdSamlMetadataResponses, GetAuthSsoByProviderIdSamlStartData, GetAuthSsoByProviderIdSamlStartErrors, GetAuthSsoByProviderIdStartData, GetAuthSsoByProviderIdStartErrors, GetAuthSsoByProviderIdStartResponses, GetAuthSsoProvidersData, GetAuthSsoProvidersErrors, GetAuthSsoProvidersResponses, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsData, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsErrors, GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsResponses, GetBotsByBotIdAclChannelIdentitiesData, GetBotsByBotIdAclChannelIdentitiesErrors, GetBotsByBotIdAclChannelIdentitiesResponses, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsData, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsErrors, GetBotsByBotIdAclChannelTypesByChannelTypeConversationsResponses, GetBotsByBotIdAclDefaultEffectData, GetBotsByBotIdAclDefaultEffectErrors, GetBotsByBotIdAclDefaultEffectResponses, GetBotsByBotIdAclRulesData, GetBotsByBotIdAclRulesErrors, GetBotsByBotIdAclRulesResponses, GetBotsByBotIdCompactionLogsData, GetBotsByBotIdCompactionLogsErrors, GetBotsByBotIdCompactionLogsResponses, GetBotsByBotIdContainerData, GetBotsByBotIdContainerErrors, GetBotsByBotIdContainerFsData, GetBotsByBotIdContainerFsDownloadData, GetBotsByBotIdContainerFsDownloadErrors, GetBotsByBotIdContainerFsDownloadResponses, GetBotsByBotIdContainerFsErrors, GetBotsByBotIdContainerFsListData, GetBotsByBotIdContainerFsListErrors, GetBotsByBotIdContainerFsListResponses, GetBotsByBotIdContainerFsReadData, GetBotsByBotIdContainerFsReadErrors, GetBotsByBotIdContainerFsReadResponses, GetBotsByBotIdContainerFsResponses, GetBotsByBotIdContainerMetricsData, GetBotsByBotIdContainerMetricsErrors, GetBotsByBotIdContainerMetricsResponses, GetBotsByBotIdContainerResponses, GetBotsByBotIdContainerSkillsData, GetBotsByBotIdContainerSkillsErrors, GetBotsByBotIdContainerSkillsResponses, GetBotsByBotIdContainerSnapshotsData, GetBotsByBotIdContainerSnapshotsErrors, GetBotsByBotIdContainerSnapshotsResponses, GetBotsByBotIdContainerTerminalData, GetBotsByBotIdContainerTerminalErrors, GetBotsByBotIdContainerTerminalResponses, GetBotsByBotIdContainerTerminalWsData, GetBotsByBotIdContainerTerminalWsErrors, GetBotsByBotIdEmailBindingsData, GetBotsByBotIdEmailBindingsErrors, GetBotsByBotIdEmailBindingsResponses, GetBotsByBotIdEmailOutboxByIdData, GetBotsByBotIdEmailOutboxByIdErrors, GetBotsByBotIdEmailOutboxByIdResponses, GetBotsByBotIdEmailOutboxData, GetBotsByBotIdEmailOutboxErrors, GetBotsByBotIdEmailOutboxResponses, GetBotsByBotIdHeartbeatLogsData, GetBotsByBotIdHeartbeatLogsErrors, GetBotsByBotIdHeartbeatLogsResponses, GetBotsByBotIdLocalStreamData, GetBotsByBotIdLocalStreamErrors, GetBotsByBotIdLocalStreamResponses, GetBotsByBotIdLocalWsData, GetBotsByBotIdLocalWsErrors, GetBotsByBotIdMcpByIdData, GetBotsByBotIdMcpByIdErrors, GetBotsByBotIdMcpByIdOauthStatusData, GetBotsByBotIdMcpByIdOauthStatusErrors, GetBotsByBotIdMcpByIdOauthStatusResponses, GetBotsByBotIdMcpByIdResponses, GetBotsByBotIdMcpData, GetBotsByBotIdMcpErrors, GetBotsByBotIdMcpExportData, GetBotsByBotIdMcpExportErrors, GetBotsByBotIdMcpExportResponses, GetBotsByBotIdMcpResponses, GetBotsByBotIdMemoryData, GetBotsByBotIdMemoryErrors, GetBotsByBotIdMemoryResponses, GetBotsByBotIdMemoryStatusData, GetBotsByBotIdMemoryStatusErrors, GetBotsByBotIdMemoryStatusResponses, GetBotsByBotIdMemoryUsageData, GetBotsByBotIdMemoryUsageErrors, GetBotsByBotIdMemoryUsageResponses, GetBotsByBotIdMessagesData, GetBotsByBotIdMessagesErrors, GetBotsByBotIdMessagesResponses, GetBotsByBotIdScheduleByIdData, GetBotsByBotIdScheduleByIdErrors, GetBotsByBotIdScheduleByIdLogsData, GetBotsByBotIdScheduleByIdLogsErrors, GetBotsByBotIdScheduleByIdLogsResponses, GetBotsByBotIdScheduleByIdResponses, GetBotsByBotIdScheduleData, GetBotsByBotIdScheduleErrors, GetBotsByBotIdScheduleLogsData, GetBotsByBotIdScheduleLogsErrors, GetBotsByBotIdScheduleLogsResponses, GetBotsByBotIdScheduleResponses, GetBotsByBotIdSessionsBySessionIdData, GetBotsByBotIdSessionsBySessionIdErrors, GetBotsByBotIdSessionsBySessionIdResponses, GetBotsByBotIdSessionsBySessionIdStatusData, GetBotsByBotIdSessionsBySessionIdStatusErrors, GetBotsByBotIdSessionsBySessionIdStatusResponses, GetBotsByBotIdSessionsData, GetBotsByBotIdSessionsErrors, GetBotsByBotIdSessionsResponses, GetBotsByBotIdSettingsData, GetBotsByBotIdSettingsErrors, GetBotsByBotIdSettingsResponses, GetBotsByBotIdTokenUsageData, GetBotsByBotIdTokenUsageErrors, GetBotsByBotIdTokenUsageRecordsData, GetBotsByBotIdTokenUsageRecordsErrors, GetBotsByBotIdTokenUsageRecordsResponses, GetBotsByBotIdTokenUsageResponses, GetBotsByIdChannelByPlatformData, GetBotsByIdChannelByPlatformErrors, GetBotsByIdChannelByPlatformResponses, GetBotsByIdChecksData, GetBotsByIdChecksErrors, GetBotsByIdChecksResponses, GetBotsByIdData, GetBotsByIdErrors, GetBotsByIdResponses, GetBotsData, GetBotsErrors, GetBotsResponses, GetBrowserContextsByIdData, GetBrowserContextsByIdErrors, GetBrowserContextsByIdResponses, GetBrowserContextsCoresData, GetBrowserContextsCoresErrors, GetBrowserContextsCoresResponses, GetBrowserContextsData, GetBrowserContextsErrors, GetBrowserContextsResponses, GetChannelsByPlatformData, GetChannelsByPlatformErrors, GetChannelsByPlatformResponses, GetChannelsData, GetChannelsErrors, GetChannelsResponses, GetEmailOauthCallbackData, GetEmailOauthCallbackErrors, GetEmailOauthCallbackResponses, GetEmailProvidersByIdData, GetEmailProvidersByIdErrors, GetEmailProvidersByIdOauthAuthorizeData, GetEmailProvidersByIdOauthAuthorizeErrors, GetEmailProvidersByIdOauthAuthorizeResponses, GetEmailProvidersByIdOauthStatusData, GetEmailProvidersByIdOauthStatusErrors, GetEmailProvidersByIdOauthStatusResponses, GetEmailProvidersByIdResponses, GetEmailProvidersData, GetEmailProvidersErrors, GetEmailProvidersMetaData, GetEmailProvidersMetaResponses, GetEmailProvidersResponses, GetIamBotsByBotIdPrincipalRolesData, GetIamBotsByBotIdPrincipalRolesErrors, GetIamBotsByBotIdPrincipalRolesResponses, GetIamGroupsByIdMembersData, GetIamGroupsByIdMembersErrors, GetIamGroupsByIdMembersResponses, GetIamGroupsData, GetIamGroupsErrors, GetIamGroupsResponses, GetIamRolesData, GetIamRolesErrors, GetIamRolesResponses, GetIamSsoProvidersByIdGroupMappingsData, GetIamSsoProvidersByIdGroupMappingsErrors, GetIamSsoProvidersByIdGroupMappingsResponses, GetIamSsoProvidersData, GetIamSsoProvidersErrors, GetIamSsoProvidersResponses, GetMemoryProvidersByIdData, GetMemoryProvidersByIdErrors, GetMemoryProvidersByIdResponses, GetMemoryProvidersByIdStatusData, GetMemoryProvidersByIdStatusErrors, GetMemoryProvidersByIdStatusResponses, GetMemoryProvidersData, GetMemoryProvidersErrors, GetMemoryProvidersMetaData, GetMemoryProvidersMetaResponses, GetMemoryProvidersResponses, GetModelsByIdData, GetModelsByIdErrors, GetModelsByIdResponses, GetModelsCountData, GetModelsCountErrors, GetModelsCountResponses, GetModelsData, GetModelsErrors, GetModelsModelByModelIdData, GetModelsModelByModelIdErrors, GetModelsModelByModelIdResponses, GetModelsResponses, GetPingData, GetPingResponses, GetProvidersByIdData, GetProvidersByIdErrors, GetProvidersByIdModelsData, GetProvidersByIdModelsErrors, GetProvidersByIdModelsResponses, GetProvidersByIdOauthAuthorizeData, GetProvidersByIdOauthAuthorizeErrors, GetProvidersByIdOauthAuthorizeResponses, GetProvidersByIdOauthStatusData, GetProvidersByIdOauthStatusErrors, GetProvidersByIdOauthStatusResponses, GetProvidersByIdResponses, GetProvidersCountData, GetProvidersCountErrors, GetProvidersCountResponses, GetProvidersData, GetProvidersErrors, GetProvidersNameByNameData, GetProvidersNameByNameErrors, GetProvidersNameByNameResponses, GetProvidersOauthCallbackData, GetProvidersOauthCallbackErrors, GetProvidersOauthCallbackResponses, GetProvidersResponses, GetSearchProvidersByIdData, GetSearchProvidersByIdErrors, GetSearchProvidersByIdResponses, GetSearchProvidersData, GetSearchProvidersErrors, GetSearchProvidersMetaData, GetSearchProvidersMetaResponses, GetSearchProvidersResponses, GetSpeechModelsByIdCapabilitiesData, GetSpeechModelsByIdCapabilitiesErrors, GetSpeechModelsByIdCapabilitiesResponses, GetSpeechModelsByIdData, GetSpeechModelsByIdErrors, GetSpeechModelsByIdResponses, GetSpeechModelsData, GetSpeechModelsErrors, GetSpeechModelsResponses, GetSpeechProvidersByIdData, GetSpeechProvidersByIdErrors, GetSpeechProvidersByIdModelsData, GetSpeechProvidersByIdModelsErrors, GetSpeechProvidersByIdModelsResponses, GetSpeechProvidersByIdResponses, GetSpeechProvidersData, GetSpeechProvidersErrors, GetSpeechProvidersMetaData, GetSpeechProvidersMetaResponses, GetSpeechProvidersResponses, GetSupermarketMcpsByIdData, GetSupermarketMcpsByIdErrors, GetSupermarketMcpsByIdResponses, GetSupermarketMcpsData, GetSupermarketMcpsErrors, GetSupermarketMcpsResponses, GetSupermarketSkillsByIdData, GetSupermarketSkillsByIdErrors, GetSupermarketSkillsByIdResponses, GetSupermarketSkillsData, GetSupermarketSkillsErrors, GetSupermarketSkillsResponses, GetSupermarketTagsData, GetSupermarketTagsErrors, GetSupermarketTagsResponses, GetTranscriptionModelsByIdCapabilitiesData, GetTranscriptionModelsByIdCapabilitiesErrors, GetTranscriptionModelsByIdCapabilitiesResponses, GetTranscriptionModelsByIdData, GetTranscriptionModelsByIdErrors, GetTranscriptionModelsByIdResponses, GetTranscriptionModelsData, GetTranscriptionModelsErrors, GetTranscriptionModelsResponses, GetTranscriptionProvidersByIdData, GetTranscriptionProvidersByIdErrors, GetTranscriptionProvidersByIdModelsData, GetTranscriptionProvidersByIdModelsErrors, GetTranscriptionProvidersByIdModelsResponses, GetTranscriptionProvidersByIdResponses, GetTranscriptionProvidersData, GetTranscriptionProvidersErrors, GetTranscriptionProvidersMetaData, GetTranscriptionProvidersMetaResponses, GetTranscriptionProvidersResponses, GetUsersByIdData, GetUsersByIdErrors, GetUsersByIdResponses, GetUsersData, GetUsersErrors, GetUsersMeChannelsByPlatformData, GetUsersMeChannelsByPlatformErrors, GetUsersMeChannelsByPlatformResponses, GetUsersMeData, GetUsersMeErrors, GetUsersMeIdentitiesData, GetUsersMeIdentitiesErrors, GetUsersMeIdentitiesResponses, GetUsersMeResponses, GetUsersResponses, PatchBotsByBotIdSessionsBySessionIdData, PatchBotsByBotIdSessionsBySessionIdErrors, PatchBotsByBotIdSessionsBySessionIdResponses, PatchBotsByIdChannelByPlatformStatusData, PatchBotsByIdChannelByPlatformStatusErrors, PatchBotsByIdChannelByPlatformStatusResponses, PostAuthLoginData, PostAuthLoginErrors, PostAuthLoginResponses, PostAuthRefreshData, PostAuthRefreshErrors, PostAuthRefreshResponses, PostAuthSsoByProviderIdSamlAcsData, PostAuthSsoByProviderIdSamlAcsErrors, PostAuthSsoExchangeData, PostAuthSsoExchangeErrors, PostAuthSsoExchangeResponses, PostBotsByBotIdAclRulesData, PostBotsByBotIdAclRulesErrors, PostBotsByBotIdAclRulesResponses, PostBotsByBotIdContainerData, PostBotsByBotIdContainerDataExportData, PostBotsByBotIdContainerDataExportErrors, PostBotsByBotIdContainerDataExportResponses, PostBotsByBotIdContainerDataImportData, PostBotsByBotIdContainerDataImportErrors, PostBotsByBotIdContainerDataImportResponses, PostBotsByBotIdContainerDataRestoreData, PostBotsByBotIdContainerDataRestoreErrors, PostBotsByBotIdContainerDataRestoreResponses, PostBotsByBotIdContainerErrors, PostBotsByBotIdContainerFsDeleteData, PostBotsByBotIdContainerFsDeleteErrors, PostBotsByBotIdContainerFsDeleteResponses, PostBotsByBotIdContainerFsMkdirData, PostBotsByBotIdContainerFsMkdirErrors, PostBotsByBotIdContainerFsMkdirResponses, PostBotsByBotIdContainerFsRenameData, PostBotsByBotIdContainerFsRenameErrors, PostBotsByBotIdContainerFsRenameResponses, PostBotsByBotIdContainerFsUploadData, PostBotsByBotIdContainerFsUploadErrors, PostBotsByBotIdContainerFsUploadResponses, PostBotsByBotIdContainerFsWriteData, PostBotsByBotIdContainerFsWriteErrors, PostBotsByBotIdContainerFsWriteResponses, PostBotsByBotIdContainerResponses, PostBotsByBotIdContainerSkillsActionsData, PostBotsByBotIdContainerSkillsActionsErrors, PostBotsByBotIdContainerSkillsActionsResponses, PostBotsByBotIdContainerSkillsData, PostBotsByBotIdContainerSkillsErrors, PostBotsByBotIdContainerSkillsResponses, PostBotsByBotIdContainerSnapshotsData, PostBotsByBotIdContainerSnapshotsErrors, PostBotsByBotIdContainerSnapshotsResponses, PostBotsByBotIdContainerSnapshotsRollbackData, PostBotsByBotIdContainerSnapshotsRollbackErrors, PostBotsByBotIdContainerSnapshotsRollbackResponses, PostBotsByBotIdContainerStartData, PostBotsByBotIdContainerStartErrors, PostBotsByBotIdContainerStartResponses, PostBotsByBotIdContainerStopData, PostBotsByBotIdContainerStopErrors, PostBotsByBotIdContainerStopResponses, PostBotsByBotIdEmailBindingsData, PostBotsByBotIdEmailBindingsErrors, PostBotsByBotIdEmailBindingsResponses, PostBotsByBotIdLocalMessagesData, PostBotsByBotIdLocalMessagesErrors, PostBotsByBotIdLocalMessagesResponses, PostBotsByBotIdMcpByIdOauthAuthorizeData, PostBotsByBotIdMcpByIdOauthAuthorizeErrors, PostBotsByBotIdMcpByIdOauthAuthorizeResponses, PostBotsByBotIdMcpByIdOauthDiscoverData, PostBotsByBotIdMcpByIdOauthDiscoverErrors, PostBotsByBotIdMcpByIdOauthDiscoverResponses, PostBotsByBotIdMcpByIdOauthExchangeData, PostBotsByBotIdMcpByIdOauthExchangeErrors, PostBotsByBotIdMcpByIdOauthExchangeResponses, PostBotsByBotIdMcpByIdProbeData, PostBotsByBotIdMcpByIdProbeErrors, PostBotsByBotIdMcpByIdProbeResponses, PostBotsByBotIdMcpData, PostBotsByBotIdMcpErrors, PostBotsByBotIdMcpOpsBatchDeleteData, PostBotsByBotIdMcpOpsBatchDeleteErrors, PostBotsByBotIdMcpOpsBatchDeleteResponses, PostBotsByBotIdMcpResponses, PostBotsByBotIdMcpStdioByConnectionIdData, PostBotsByBotIdMcpStdioByConnectionIdErrors, PostBotsByBotIdMcpStdioByConnectionIdResponses, PostBotsByBotIdMcpStdioData, PostBotsByBotIdMcpStdioErrors, PostBotsByBotIdMcpStdioResponses, PostBotsByBotIdMemoryCompactData, PostBotsByBotIdMemoryCompactErrors, PostBotsByBotIdMemoryCompactResponses, PostBotsByBotIdMemoryData, PostBotsByBotIdMemoryErrors, PostBotsByBotIdMemoryRebuildData, PostBotsByBotIdMemoryRebuildErrors, PostBotsByBotIdMemoryRebuildResponses, PostBotsByBotIdMemoryResponses, PostBotsByBotIdMemorySearchData, PostBotsByBotIdMemorySearchErrors, PostBotsByBotIdMemorySearchResponses, PostBotsByBotIdScheduleData, PostBotsByBotIdScheduleErrors, PostBotsByBotIdScheduleResponses, PostBotsByBotIdSessionsBySessionIdCompactData, PostBotsByBotIdSessionsBySessionIdCompactErrors, PostBotsByBotIdSessionsBySessionIdCompactResponses, PostBotsByBotIdSessionsData, PostBotsByBotIdSessionsErrors, PostBotsByBotIdSessionsResponses, PostBotsByBotIdSettingsData, PostBotsByBotIdSettingsErrors, PostBotsByBotIdSettingsResponses, PostBotsByBotIdSupermarketInstallMcpData, PostBotsByBotIdSupermarketInstallMcpErrors, PostBotsByBotIdSupermarketInstallMcpResponses, PostBotsByBotIdSupermarketInstallSkillData, PostBotsByBotIdSupermarketInstallSkillErrors, PostBotsByBotIdSupermarketInstallSkillResponses, PostBotsByBotIdToolApprovalsByApprovalIdApproveData, PostBotsByBotIdToolApprovalsByApprovalIdApproveErrors, PostBotsByBotIdToolApprovalsByApprovalIdApproveResponses, PostBotsByBotIdToolApprovalsByApprovalIdRejectData, PostBotsByBotIdToolApprovalsByApprovalIdRejectErrors, PostBotsByBotIdToolApprovalsByApprovalIdRejectResponses, PostBotsByBotIdToolsData, PostBotsByBotIdToolsErrors, PostBotsByBotIdToolsResponses, PostBotsByBotIdTtsSynthesizeData, PostBotsByBotIdTtsSynthesizeErrors, PostBotsByBotIdTtsSynthesizeResponses, PostBotsByIdChannelByPlatformSendChatData, PostBotsByIdChannelByPlatformSendChatErrors, PostBotsByIdChannelByPlatformSendChatResponses, PostBotsByIdChannelByPlatformSendData, PostBotsByIdChannelByPlatformSendErrors, PostBotsByIdChannelByPlatformSendResponses, PostBotsData, PostBotsErrors, PostBotsResponses, PostBrowserContextsData, PostBrowserContextsErrors, PostBrowserContextsResponses, PostEmailMailgunWebhookByConfigIdData, PostEmailMailgunWebhookByConfigIdErrors, PostEmailMailgunWebhookByConfigIdResponses, PostEmailProvidersData, PostEmailProvidersErrors, PostEmailProvidersResponses, PostIamBotsByBotIdPrincipalRolesData, PostIamBotsByBotIdPrincipalRolesErrors, PostIamBotsByBotIdPrincipalRolesResponses, PostIamGroupsByIdMembersData, PostIamGroupsByIdMembersErrors, PostIamGroupsByIdMembersResponses, PostIamGroupsData, PostIamGroupsErrors, PostIamGroupsResponses, PostIamSsoProvidersByIdGroupMappingsData, PostIamSsoProvidersByIdGroupMappingsErrors, PostIamSsoProvidersByIdGroupMappingsResponses, PostIamSsoProvidersData, PostIamSsoProvidersErrors, PostIamSsoProvidersResponses, PostMemoryProvidersData, PostMemoryProvidersErrors, PostMemoryProvidersResponses, PostModelsByIdTestData, PostModelsByIdTestErrors, PostModelsByIdTestResponses, PostModelsData, PostModelsErrors, PostModelsResponses, PostProvidersByIdImportModelsData, PostProvidersByIdImportModelsErrors, PostProvidersByIdImportModelsResponses, PostProvidersByIdOauthPollData, PostProvidersByIdOauthPollErrors, PostProvidersByIdOauthPollResponses, PostProvidersByIdTestData, PostProvidersByIdTestErrors, PostProvidersByIdTestResponses, PostProvidersData, PostProvidersErrors, PostProvidersResponses, PostSearchProvidersData, PostSearchProvidersErrors, PostSearchProvidersResponses, PostSpeechModelsByIdTestData, PostSpeechModelsByIdTestErrors, PostSpeechModelsByIdTestResponses, PostSpeechProvidersByIdImportModelsData, PostSpeechProvidersByIdImportModelsErrors, PostSpeechProvidersByIdImportModelsResponses, PostTranscriptionModelsByIdTestData, PostTranscriptionModelsByIdTestErrors, PostTranscriptionModelsByIdTestResponses, PostTranscriptionProvidersByIdImportModelsData, PostTranscriptionProvidersByIdImportModelsErrors, PostTranscriptionProvidersByIdImportModelsResponses, PostUsersData, PostUsersErrors, PostUsersResponses, PutBotsByBotIdAclDefaultEffectData, PutBotsByBotIdAclDefaultEffectErrors, PutBotsByBotIdAclDefaultEffectResponses, PutBotsByBotIdAclRulesByRuleIdData, PutBotsByBotIdAclRulesByRuleIdErrors, PutBotsByBotIdAclRulesByRuleIdResponses, PutBotsByBotIdAclRulesReorderData, PutBotsByBotIdAclRulesReorderErrors, PutBotsByBotIdAclRulesReorderResponses, PutBotsByBotIdEmailBindingsByIdData, PutBotsByBotIdEmailBindingsByIdErrors, PutBotsByBotIdEmailBindingsByIdResponses, PutBotsByBotIdMcpByIdData, PutBotsByBotIdMcpByIdErrors, PutBotsByBotIdMcpByIdResponses, PutBotsByBotIdMcpImportData, PutBotsByBotIdMcpImportErrors, PutBotsByBotIdMcpImportResponses, PutBotsByBotIdScheduleByIdData, PutBotsByBotIdScheduleByIdErrors, PutBotsByBotIdScheduleByIdResponses, PutBotsByBotIdSettingsData, PutBotsByBotIdSettingsErrors, PutBotsByBotIdSettingsResponses, PutBotsByIdChannelByPlatformData, PutBotsByIdChannelByPlatformErrors, PutBotsByIdChannelByPlatformResponses, PutBotsByIdData, PutBotsByIdErrors, PutBotsByIdOwnerData, PutBotsByIdOwnerErrors, PutBotsByIdOwnerResponses, PutBotsByIdResponses, PutBrowserContextsByIdData, PutBrowserContextsByIdErrors, PutBrowserContextsByIdResponses, PutEmailProvidersByIdData, PutEmailProvidersByIdErrors, PutEmailProvidersByIdResponses, PutIamGroupsByIdData, PutIamGroupsByIdErrors, PutIamGroupsByIdResponses, PutIamSsoProvidersByIdData, PutIamSsoProvidersByIdErrors, PutIamSsoProvidersByIdResponses, PutMemoryProvidersByIdData, PutMemoryProvidersByIdErrors, PutMemoryProvidersByIdResponses, PutModelsByIdData, PutModelsByIdErrors, PutModelsByIdResponses, PutModelsModelByModelIdData, PutModelsModelByModelIdErrors, PutModelsModelByModelIdResponses, PutProvidersByIdData, PutProvidersByIdErrors, PutProvidersByIdResponses, PutSearchProvidersByIdData, PutSearchProvidersByIdErrors, PutSearchProvidersByIdResponses, PutSpeechModelsByIdData, PutSpeechModelsByIdErrors, PutSpeechModelsByIdResponses, PutTranscriptionModelsByIdData, PutTranscriptionModelsByIdErrors, PutTranscriptionModelsByIdResponses, PutUsersByIdData, PutUsersByIdErrors, PutUsersByIdPasswordData, PutUsersByIdPasswordErrors, PutUsersByIdPasswordResponses, PutUsersByIdResponses, PutUsersMeChannelsByPlatformData, PutUsersMeChannelsByPlatformErrors, PutUsersMeChannelsByPlatformResponses, PutUsersMeData, PutUsersMeErrors, PutUsersMePasswordData, PutUsersMePasswordErrors, PutUsersMePasswordResponses, PutUsersMeResponses } from './types.gen';
 
 export type Options<TData extends TDataShape = TDataShape, ThrowOnError extends boolean = boolean> = Options2<TData, ThrowOnError> & {
     /**
@@ -35,10 +35,66 @@ export const postAuthLogin = <ThrowOnError extends boolean = false>(options: Opt
 /**
  * Refresh Token
  *
- * Issue a new JWT using the existing claims with updated expiration
+ * Issue a new JWT after validating the active IAM session
  */
 export const postAuthRefresh = <ThrowOnError extends boolean = false>(options?: Options<PostAuthRefreshData, ThrowOnError>) => (options?.client ?? client).post<PostAuthRefreshResponses, PostAuthRefreshErrors, ThrowOnError>({ url: '/auth/refresh', ...options });
 
+/**
+ * Exchange SSO login code
+ *
+ * Exchange a one-time SSO login code for a session JWT
+ */
+export const postAuthSsoExchange = <ThrowOnError extends boolean = false>(options: Options<PostAuthSsoExchangeData, ThrowOnError>) => (options.client ?? client).post<PostAuthSsoExchangeResponses, PostAuthSsoExchangeErrors, ThrowOnError>({
+    url: '/auth/sso/exchange',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
+/**
+ * List SSO providers
+ *
+ * List enabled OIDC and SAML SSO providers available for login
+ */
+export const getAuthSsoProviders = <ThrowOnError extends boolean = false>(options?: Options<GetAuthSsoProvidersData, ThrowOnError>) => (options?.client ?? client).get<GetAuthSsoProvidersResponses, GetAuthSsoProvidersErrors, ThrowOnError>({ url: '/auth/sso/providers', ...options });
+
+/**
+ * Complete OIDC login
+ *
+ * Exchange the provider code, create an IAM session, and redirect to the web login callback with a short-lived login code
+ */
+export const getAuthSsoByProviderIdCallback = <ThrowOnError extends boolean = false>(options: Options<GetAuthSsoByProviderIdCallbackData, ThrowOnError>) => (options.client ?? client).get<unknown, GetAuthSsoByProviderIdCallbackErrors, ThrowOnError>({ url: '/auth/sso/{provider_id}/callback', ...options });
+
+/**
+ * Complete SAML login
+ *
+ * Validate the SAML response, create an IAM session, and redirect to the web login callback with a short-lived login code
+ */
+export const postAuthSsoByProviderIdSamlAcs = <ThrowOnError extends boolean = false>(options: Options<PostAuthSsoByProviderIdSamlAcsData, ThrowOnError>) => (options.client ?? client).post<unknown, PostAuthSsoByProviderIdSamlAcsErrors, ThrowOnError>({ url: '/auth/sso/{provider_id}/saml/acs', ...options });
+
+/**
+ * Get SAML SP metadata
+ *
+ * Return the SAML service provider metadata XML for an SSO provider
+ */
+export const getAuthSsoByProviderIdSamlMetadata = <ThrowOnError extends boolean = false>(options: Options<GetAuthSsoByProviderIdSamlMetadataData, ThrowOnError>) => (options.client ?? client).get<GetAuthSsoByProviderIdSamlMetadataResponses, GetAuthSsoByProviderIdSamlMetadataErrors, ThrowOnError>({ url: '/auth/sso/{provider_id}/saml/metadata', ...options });
+
+/**
+ * Start SAML login
+ *
+ * Create a SAML AuthnRequest, set the transient SAML state cookie, and redirect to the IdP
+ */
+export const getAuthSsoByProviderIdSamlStart = <ThrowOnError extends boolean = false>(options: Options<GetAuthSsoByProviderIdSamlStartData, ThrowOnError>) => (options.client ?? client).get<unknown, GetAuthSsoByProviderIdSamlStartErrors, ThrowOnError>({ url: '/auth/sso/{provider_id}/saml/start', ...options });
+
+/**
+ * Start OIDC login
+ *
+ * Build the provider authorization URL and set the transient OIDC state cookie
+ */
+export const getAuthSsoByProviderIdStart = <ThrowOnError extends boolean = false>(options: Options<GetAuthSsoByProviderIdStartData, ThrowOnError>) => (options.client ?? client).get<GetAuthSsoByProviderIdStartResponses, GetAuthSsoByProviderIdStartErrors, ThrowOnError>({ url: '/auth/sso/{provider_id}/start', ...options });
+
 /**
  * List bots
  *
@@ -1042,21 +1098,21 @@ export const postBotsByBotIdTtsSynthesize = <ThrowOnError extends boolean = fals
 /**
  * Delete bot
  *
- * Delete a bot user (owner/admin only)
+ * Delete a bot user when the current user has bot.delete
  */
 export const deleteBotsById = <ThrowOnError extends boolean = false>(options: Options<DeleteBotsByIdData, ThrowOnError>) => (options.client ?? client).delete<DeleteBotsByIdResponses, DeleteBotsByIdErrors, ThrowOnError>({ url: '/bots/{id}', ...options });
 
 /**
  * Get bot details
  *
- * Get a bot by ID (owner/admin only)
+ * Get a bot by ID when the current user has bot.read
  */
 export const getBotsById = <ThrowOnError extends boolean = false>(options: Options<GetBotsByIdData, ThrowOnError>) => (options.client ?? client).get<GetBotsByIdResponses, GetBotsByIdErrors, ThrowOnError>({ url: '/bots/{id}', ...options });
 
 /**
  * Update bot details
  *
- * Update bot profile (owner/admin only)
+ * Update bot profile when the current user has bot.update
  */
 export const putBotsById = <ThrowOnError extends boolean = false>(options: Options<PutBotsByIdData, ThrowOnError>) => (options.client ?? client).put<PutBotsByIdResponses, PutBotsByIdErrors, ThrowOnError>({
     url: '/bots/{id}',
@@ -1145,7 +1201,7 @@ export const patchBotsByIdChannelByPlatformStatus = <ThrowOnError extends boolea
 export const getBotsByIdChecks = <ThrowOnError extends boolean = false>(options: Options<GetBotsByIdChecksData, ThrowOnError>) => (options.client ?? client).get<GetBotsByIdChecksResponses, GetBotsByIdChecksErrors, ThrowOnError>({ url: '/bots/{id}/checks', ...options });
 
 /**
- * Transfer bot owner (admin only)
+ * Transfer bot owner (system admin only)
  *
  * Transfer bot ownership to another human user
  */
@@ -1305,6 +1361,181 @@ export const postEmailMailgunWebhookByConfigId = <ThrowOnError extends boolean =
  */
 export const getEmailOauthCallback = <ThrowOnError extends boolean = false>(options: Options<GetEmailOauthCallbackData, ThrowOnError>) => (options.client ?? client).get<GetEmailOauthCallbackResponses, GetEmailOauthCallbackErrors, ThrowOnError>({ url: '/email/oauth/callback', ...options });
 
+/**
+ * List bot role assignments
+ *
+ * List user and group role assignments for a bot
+ */
+export const getIamBotsByBotIdPrincipalRoles = <ThrowOnError extends boolean = false>(options: Options<GetIamBotsByBotIdPrincipalRolesData, ThrowOnError>) => (options.client ?? client).get<GetIamBotsByBotIdPrincipalRolesResponses, GetIamBotsByBotIdPrincipalRolesErrors, ThrowOnError>({ url: '/iam/bots/{bot_id}/principal-roles', ...options });
+
+/**
+ * Assign bot role
+ *
+ * Assign a bot-scoped role to a user or group
+ */
+export const postIamBotsByBotIdPrincipalRoles = <ThrowOnError extends boolean = false>(options: Options<PostIamBotsByBotIdPrincipalRolesData, ThrowOnError>) => (options.client ?? client).post<PostIamBotsByBotIdPrincipalRolesResponses, PostIamBotsByBotIdPrincipalRolesErrors, ThrowOnError>({
+    url: '/iam/bots/{bot_id}/principal-roles',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
+/**
+ * List IAM groups
+ *
+ * List IAM groups
+ */
+export const getIamGroups = <ThrowOnError extends boolean = false>(options?: Options<GetIamGroupsData, ThrowOnError>) => (options?.client ?? client).get<GetIamGroupsResponses, GetIamGroupsErrors, ThrowOnError>({ url: '/iam/groups', ...options });
+
+/**
+ * Upsert IAM group
+ *
+ * Create or update an IAM group
+ */
+export const postIamGroups = <ThrowOnError extends boolean = false>(options: Options<PostIamGroupsData, ThrowOnError>) => (options.client ?? client).post<PostIamGroupsResponses, PostIamGroupsErrors, ThrowOnError>({
+    url: '/iam/groups',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
+/**
+ * Delete IAM group
+ *
+ * Delete an IAM group
+ */
+export const deleteIamGroupsById = <ThrowOnError extends boolean = false>(options: Options<DeleteIamGroupsByIdData, ThrowOnError>) => (options.client ?? client).delete<DeleteIamGroupsByIdResponses, DeleteIamGroupsByIdErrors, ThrowOnError>({ url: '/iam/groups/{id}', ...options });
+
+/**
+ * Upsert IAM group
+ *
+ * Create or update an IAM group
+ */
+export const putIamGroupsById = <ThrowOnError extends boolean = false>(options: Options<PutIamGroupsByIdData, ThrowOnError>) => (options.client ?? client).put<PutIamGroupsByIdResponses, PutIamGroupsByIdErrors, ThrowOnError>({
+    url: '/iam/groups/{id}',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
+/**
+ * List IAM group members
+ *
+ * List members of an IAM group
+ */
+export const getIamGroupsByIdMembers = <ThrowOnError extends boolean = false>(options: Options<GetIamGroupsByIdMembersData, ThrowOnError>) => (options.client ?? client).get<GetIamGroupsByIdMembersResponses, GetIamGroupsByIdMembersErrors, ThrowOnError>({ url: '/iam/groups/{id}/members', ...options });
+
+/**
+ * Add IAM group member
+ *
+ * Add a user to an IAM group
+ */
+export const postIamGroupsByIdMembers = <ThrowOnError extends boolean = false>(options: Options<PostIamGroupsByIdMembersData, ThrowOnError>) => (options.client ?? client).post<PostIamGroupsByIdMembersResponses, PostIamGroupsByIdMembersErrors, ThrowOnError>({
+    url: '/iam/groups/{id}/members',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
+/**
+ * Delete IAM group member
+ *
+ * Remove a user from an IAM group
+ */
+export const deleteIamGroupsByIdMembersByUserId = <ThrowOnError extends boolean = false>(options: Options<DeleteIamGroupsByIdMembersByUserIdData, ThrowOnError>) => (options.client ?? client).delete<DeleteIamGroupsByIdMembersByUserIdResponses, DeleteIamGroupsByIdMembersByUserIdErrors, ThrowOnError>({ url: '/iam/groups/{id}/members/{user_id}', ...options });
+
+/**
+ * Delete role assignment
+ *
+ * Delete a user or group role assignment
+ */
+export const deleteIamPrincipalRolesById = <ThrowOnError extends boolean = false>(options: Options<DeleteIamPrincipalRolesByIdData, ThrowOnError>) => (options.client ?? client).delete<DeleteIamPrincipalRolesByIdResponses, DeleteIamPrincipalRolesByIdErrors, ThrowOnError>({ url: '/iam/principal-roles/{id}', ...options });
+
+/**
+ * List IAM roles
+ *
+ * List built-in IAM roles
+ */
+export const getIamRoles = <ThrowOnError extends boolean = false>(options?: Options<GetIamRolesData, ThrowOnError>) => (options?.client ?? client).get<GetIamRolesResponses, GetIamRolesErrors, ThrowOnError>({ url: '/iam/roles', ...options });
+
+/**
+ * List IAM SSO providers
+ *
+ * List all IAM SSO providers for administration
+ */
+export const getIamSsoProviders = <ThrowOnError extends boolean = false>(options?: Options<GetIamSsoProvidersData, ThrowOnError>) => (options?.client ?? client).get<GetIamSsoProvidersResponses, GetIamSsoProvidersErrors, ThrowOnError>({ url: '/iam/sso/providers', ...options });
+
+/**
+ * Upsert IAM SSO provider
+ *
+ * Create or update an IAM SSO provider
+ */
+export const postIamSsoProviders = <ThrowOnError extends boolean = false>(options: Options<PostIamSsoProvidersData, ThrowOnError>) => (options.client ?? client).post<PostIamSsoProvidersResponses, PostIamSsoProvidersErrors, ThrowOnError>({
+    url: '/iam/sso/providers',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
+/**
+ * Delete IAM SSO provider
+ *
+ * Delete an IAM SSO provider
+ */
+export const deleteIamSsoProvidersById = <ThrowOnError extends boolean = false>(options: Options<DeleteIamSsoProvidersByIdData, ThrowOnError>) => (options.client ?? client).delete<DeleteIamSsoProvidersByIdResponses, DeleteIamSsoProvidersByIdErrors, ThrowOnError>({ url: '/iam/sso/providers/{id}', ...options });
+
+/**
+ * Upsert IAM SSO provider
+ *
+ * Create or update an IAM SSO provider
+ */
+export const putIamSsoProvidersById = <ThrowOnError extends boolean = false>(options: Options<PutIamSsoProvidersByIdData, ThrowOnError>) => (options.client ?? client).put<PutIamSsoProvidersByIdResponses, PutIamSsoProvidersByIdErrors, ThrowOnError>({
+    url: '/iam/sso/providers/{id}',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
+/**
+ * List SSO group mappings
+ *
+ * List external group to IAM group mappings for an SSO provider
+ */
+export const getIamSsoProvidersByIdGroupMappings = <ThrowOnError extends boolean = false>(options: Options<GetIamSsoProvidersByIdGroupMappingsData, ThrowOnError>) => (options.client ?? client).get<GetIamSsoProvidersByIdGroupMappingsResponses, GetIamSsoProvidersByIdGroupMappingsErrors, ThrowOnError>({ url: '/iam/sso/providers/{id}/group-mappings', ...options });
+
+/**
+ * Upsert SSO group mapping
+ *
+ * Create or update an external group to IAM group mapping
+ */
+export const postIamSsoProvidersByIdGroupMappings = <ThrowOnError extends boolean = false>(options: Options<PostIamSsoProvidersByIdGroupMappingsData, ThrowOnError>) => (options.client ?? client).post<PostIamSsoProvidersByIdGroupMappingsResponses, PostIamSsoProvidersByIdGroupMappingsErrors, ThrowOnError>({
+    url: '/iam/sso/providers/{id}/group-mappings',
+    ...options,
+    headers: {
+        'Content-Type': 'application/json',
+        ...options.headers
+    }
+});
+
+/**
+ * Delete SSO group mapping
+ *
+ * Delete an external group mapping from an SSO provider
+ */
+export const deleteIamSsoProvidersByIdGroupMappingsByExternalGroup = <ThrowOnError extends boolean = false>(options: Options<DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupData, ThrowOnError>) => (options.client ?? client).delete<DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupResponses, DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupErrors, ThrowOnError>({ url: '/iam/sso/providers/{id}/group-mappings/{external_group}', ...options });
+
 /**
  * List memory providers
  *
diff --git a/packages/sdk/src/types.gen.ts b/packages/sdk/src/types.gen.ts
index 1eb0409d9..83066dc6f 100644
--- a/packages/sdk/src/types.gen.ts
+++ b/packages/sdk/src/types.gen.ts
@@ -4,56 +4,6 @@ export type ClientOptions = {
     baseUrl: string;
 };
 
-export type AccountsAccount = {
-    avatar_url?: string;
-    created_at?: string;
-    display_name?: string;
-    email?: string;
-    id?: string;
-    is_active?: boolean;
-    last_login_at?: string;
-    role?: string;
-    timezone?: string;
-    updated_at?: string;
-    username?: string;
-};
-
-export type AccountsCreateAccountRequest = {
-    avatar_url?: string;
-    display_name?: string;
-    email?: string;
-    is_active?: boolean;
-    password?: string;
-    role?: string;
-    username?: string;
-};
-
-export type AccountsListAccountsResponse = {
-    items?: Array<AccountsAccount>;
-};
-
-export type AccountsResetPasswordRequest = {
-    new_password?: string;
-};
-
-export type AccountsUpdateAccountRequest = {
-    avatar_url?: string;
-    display_name?: string;
-    is_active?: boolean;
-    role?: string;
-};
-
-export type AccountsUpdatePasswordRequest = {
-    current_password?: string;
-    new_password?: string;
-};
-
-export type AccountsUpdateProfileRequest = {
-    avatar_url?: string;
-    display_name?: string;
-    timezone?: string;
-};
-
 export type AclChannelIdentityCandidate = {
     avatar_url?: string;
     channel?: string;
@@ -846,6 +796,53 @@ export type EmailUpdateProviderRequest = {
     provider?: string;
 };
 
+export type GithubComMemohaiMemohInternalAccountsAccount = {
+    avatar_url?: string;
+    created_at?: string;
+    display_name?: string;
+    email?: string;
+    id?: string;
+    is_active?: boolean;
+    last_login_at?: string;
+    timezone?: string;
+    updated_at?: string;
+    username?: string;
+};
+
+export type GithubComMemohaiMemohInternalAccountsCreateAccountRequest = {
+    avatar_url?: string;
+    display_name?: string;
+    email?: string;
+    is_active?: boolean;
+    password?: string;
+    username?: string;
+};
+
+export type GithubComMemohaiMemohInternalAccountsListAccountsResponse = {
+    items?: Array<GithubComMemohaiMemohInternalAccountsAccount>;
+};
+
+export type GithubComMemohaiMemohInternalAccountsResetPasswordRequest = {
+    new_password?: string;
+};
+
+export type GithubComMemohaiMemohInternalAccountsUpdateAccountRequest = {
+    avatar_url?: string;
+    display_name?: string;
+    is_active?: boolean;
+};
+
+export type GithubComMemohaiMemohInternalAccountsUpdatePasswordRequest = {
+    current_password?: string;
+    new_password?: string;
+};
+
+export type GithubComMemohaiMemohInternalAccountsUpdateProfileRequest = {
+    avatar_url?: string;
+    display_name?: string;
+    timezone?: string;
+};
+
 export type GithubComMemohaiMemohInternalMcpConnection = {
     auth_type?: string;
     bot_id?: string;
@@ -976,6 +973,10 @@ export type HandlersErrorResponse = {
     message?: string;
 };
 
+export type HandlersExchangeSsoCodeRequest = {
+    code?: string;
+};
+
 export type HandlersFsDeleteRequest = {
     path?: string;
     recursive?: boolean;
@@ -1044,6 +1045,140 @@ export type HandlersGetContainerResponse = {
     workspace_backend?: string;
 };
 
+export type HandlersIamGroupMemberRequest = {
+    provider_id?: string;
+    source?: string;
+    user_id?: string;
+};
+
+export type HandlersIamGroupMemberResponse = {
+    created_at?: string;
+    display_name?: string;
+    email?: string;
+    group_id?: string;
+    provider_id?: string;
+    source?: string;
+    user_id?: string;
+    username?: string;
+};
+
+export type HandlersIamGroupRequest = {
+    display_name?: string;
+    external_id?: string;
+    key?: string;
+    metadata?: Array<number>;
+    source?: string;
+};
+
+export type HandlersIamGroupResponse = {
+    created_at?: string;
+    display_name?: string;
+    external_id?: string;
+    id?: string;
+    key?: string;
+    metadata?: Array<number>;
+    source?: string;
+    updated_at?: string;
+};
+
+export type HandlersIamListGroupMembersResponse = {
+    items?: Array<HandlersIamGroupMemberResponse>;
+};
+
+export type HandlersIamListGroupsResponse = {
+    items?: Array<HandlersIamGroupResponse>;
+};
+
+export type HandlersIamListPrincipalRolesResponse = {
+    items?: Array<HandlersIamPrincipalRoleResponse>;
+};
+
+export type HandlersIamListRolesResponse = {
+    items?: Array<HandlersIamRoleResponse>;
+};
+
+export type HandlersIamListSsoGroupMappingsResponse = {
+    items?: Array<HandlersIamssoGroupMappingResponse>;
+};
+
+export type HandlersIamListSsoProvidersResponse = {
+    items?: Array<HandlersIamssoProviderResponse>;
+};
+
+export type HandlersIamPrincipalRoleRequest = {
+    principal_id?: string;
+    principal_type?: string;
+    role_key?: string;
+};
+
+export type HandlersIamPrincipalRoleResponse = {
+    created_at?: string;
+    group_display_name?: string;
+    group_key?: string;
+    id?: string;
+    principal_id?: string;
+    principal_type?: string;
+    provider_id?: string;
+    resource_id?: string;
+    resource_type?: string;
+    role_id?: string;
+    role_key?: string;
+    role_scope?: string;
+    source?: string;
+    user_display_name?: string;
+    user_email?: string;
+    user_username?: string;
+};
+
+export type HandlersIamRoleResponse = {
+    created_at?: string;
+    id?: string;
+    is_system?: boolean;
+    key?: string;
+    scope?: string;
+};
+
+export type HandlersIamssoGroupMappingRequest = {
+    external_group?: string;
+    group_id?: string;
+};
+
+export type HandlersIamssoGroupMappingResponse = {
+    created_at?: string;
+    external_group?: string;
+    group_display_name?: string;
+    group_id?: string;
+    group_key?: string;
+    provider_id?: string;
+};
+
+export type HandlersIamssoProviderRequest = {
+    attribute_mapping?: Array<number>;
+    config?: Array<number>;
+    email_linking_policy?: string;
+    enabled?: boolean;
+    jit_enabled?: boolean;
+    key?: string;
+    name?: string;
+    trust_email?: boolean;
+    type?: string;
+};
+
+export type HandlersIamssoProviderResponse = {
+    attribute_mapping?: Array<number>;
+    config?: Array<number>;
+    created_at?: string;
+    email_linking_policy?: string;
+    enabled?: boolean;
+    id?: string;
+    jit_enabled?: boolean;
+    key?: string;
+    name?: string;
+    trust_email?: boolean;
+    type?: string;
+    updated_at?: string;
+};
+
 export type HandlersInstallMcpRequest = {
     env?: {
         [key: string]: string;
@@ -1055,6 +1190,10 @@ export type HandlersInstallSkillRequest = {
     skill_id?: string;
 };
 
+export type HandlersListSsoProvidersResponse = {
+    items?: Array<HandlersSsoProviderResponse>;
+};
+
 export type HandlersListSnapshotsResponse = {
     snapshots?: Array<HandlersSnapshotInfo>;
     snapshotter?: string;
@@ -1075,7 +1214,7 @@ export type HandlersLoginResponse = {
     access_token?: string;
     display_name?: string;
     expires_at?: string;
-    role?: string;
+    session_id?: string;
     timezone?: string;
     token_type?: string;
     user_id?: string;
@@ -1107,6 +1246,10 @@ export type HandlersModelTokenUsage = {
     provider_name?: string;
 };
 
+export type HandlersOidcStartResponse = {
+    redirect_url?: string;
+};
+
 export type HandlersPingResponse = {
     commit_hash?: string;
     container_backend?: string;
@@ -1133,6 +1276,14 @@ export type HandlersRollbackRequest = {
     version?: number;
 };
 
+export type HandlersSsoProviderResponse = {
+    enabled?: boolean;
+    id?: string;
+    key?: string;
+    name?: string;
+    type?: SsoProviderType;
+};
+
 export type HandlersSessionInfoResponse = {
     cache_stats?: HandlersCacheStats;
     context_usage?: HandlersContextUsage;
@@ -1894,6 +2045,8 @@ export type SettingsUpsertRequest = {
     tts_model_id?: string;
 };
 
+export type SsoProviderType = 'oidc' | 'saml';
+
 export type PostAuthLoginData = {
     /**
      * Login request
@@ -1959,144 +2112,377 @@ export type PostAuthRefreshResponses = {
 
 export type PostAuthRefreshResponse = PostAuthRefreshResponses[keyof PostAuthRefreshResponses];
 
-export type GetBotsData = {
-    body?: never;
+export type PostAuthSsoExchangeData = {
+    /**
+     * SSO exchange request
+     */
+    body: HandlersExchangeSsoCodeRequest;
     path?: never;
-    query?: {
-        /**
-         * Owner user ID (admin only)
-         */
-        owner_id?: string;
-    };
-    url: '/bots';
+    query?: never;
+    url: '/auth/sso/exchange';
 };
 
-export type GetBotsErrors = {
+export type PostAuthSsoExchangeErrors = {
     /**
      * Bad Request
      */
     400: HandlersErrorResponse;
     /**
-     * Forbidden
+     * Unauthorized
      */
-    403: HandlersErrorResponse;
+    401: HandlersErrorResponse;
     /**
      * Internal Server Error
      */
     500: HandlersErrorResponse;
 };
 
-export type GetBotsError = GetBotsErrors[keyof GetBotsErrors];
+export type PostAuthSsoExchangeError = PostAuthSsoExchangeErrors[keyof PostAuthSsoExchangeErrors];
 
-export type GetBotsResponses = {
+export type PostAuthSsoExchangeResponses = {
     /**
      * OK
      */
-    200: BotsListBotsResponse;
+    200: HandlersLoginResponse;
 };
 
-export type GetBotsResponse = GetBotsResponses[keyof GetBotsResponses];
+export type PostAuthSsoExchangeResponse = PostAuthSsoExchangeResponses[keyof PostAuthSsoExchangeResponses];
 
-export type PostBotsData = {
-    /**
-     * Bot payload
-     */
-    body: BotsCreateBotRequest;
+export type GetAuthSsoProvidersData = {
+    body?: never;
     path?: never;
     query?: never;
-    url: '/bots';
+    url: '/auth/sso/providers';
 };
 
-export type PostBotsErrors = {
-    /**
-     * Bad Request
-     */
-    400: HandlersErrorResponse;
-    /**
-     * Forbidden
-     */
-    403: HandlersErrorResponse;
+export type GetAuthSsoProvidersErrors = {
     /**
      * Internal Server Error
      */
     500: HandlersErrorResponse;
 };
 
-export type PostBotsError = PostBotsErrors[keyof PostBotsErrors];
+export type GetAuthSsoProvidersError = GetAuthSsoProvidersErrors[keyof GetAuthSsoProvidersErrors];
 
-export type PostBotsResponses = {
+export type GetAuthSsoProvidersResponses = {
     /**
-     * Created
+     * OK
      */
-    201: BotsBot;
+    200: HandlersListSsoProvidersResponse;
 };
 
-export type PostBotsResponse = PostBotsResponses[keyof PostBotsResponses];
+export type GetAuthSsoProvidersResponse = GetAuthSsoProvidersResponses[keyof GetAuthSsoProvidersResponses];
 
-export type GetBotsByBotIdAclChannelIdentitiesData = {
+export type GetAuthSsoByProviderIdCallbackData = {
     body?: never;
     path: {
         /**
-         * Bot ID
+         * SSO provider ID or key
          */
-        bot_id: string;
+        provider_id: string;
     };
-    query?: {
+    query: {
         /**
-         * Search query
+         * OIDC authorization code
          */
-        q?: string;
+        code: string;
         /**
-         * Max results
+         * OIDC state
          */
-        limit?: number;
+        state: string;
     };
-    url: '/bots/{bot_id}/acl/channel-identities';
+    url: '/auth/sso/{provider_id}/callback';
 };
 
-export type GetBotsByBotIdAclChannelIdentitiesErrors = {
+export type GetAuthSsoByProviderIdCallbackErrors = {
     /**
      * Bad Request
      */
     400: HandlersErrorResponse;
     /**
-     * Forbidden
-     */
-    403: HandlersErrorResponse;
-    /**
-     * Internal Server Error
+     * Unauthorized
      */
-    500: HandlersErrorResponse;
-};
-
-export type GetBotsByBotIdAclChannelIdentitiesError = GetBotsByBotIdAclChannelIdentitiesErrors[keyof GetBotsByBotIdAclChannelIdentitiesErrors];
-
-export type GetBotsByBotIdAclChannelIdentitiesResponses = {
+    401: HandlersErrorResponse;
     /**
-     * OK
+     * Not Found
      */
-    200: AclChannelIdentityCandidateListResponse;
+    404: HandlersErrorResponse;
 };
 
-export type GetBotsByBotIdAclChannelIdentitiesResponse = GetBotsByBotIdAclChannelIdentitiesResponses[keyof GetBotsByBotIdAclChannelIdentitiesResponses];
+export type GetAuthSsoByProviderIdCallbackError = GetAuthSsoByProviderIdCallbackErrors[keyof GetAuthSsoByProviderIdCallbackErrors];
 
-export type GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsData = {
+export type PostAuthSsoByProviderIdSamlAcsData = {
     body?: never;
     path: {
         /**
-         * Bot ID
-         */
-        bot_id: string;
-        /**
-         * Channel Identity ID
+         * SSO provider ID or key
          */
-        channel_identity_id: string;
+        provider_id: string;
     };
     query?: never;
-    url: '/bots/{bot_id}/acl/channel-identities/{channel_identity_id}/conversations';
+    url: '/auth/sso/{provider_id}/saml/acs';
 };
 
-export type GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsErrors = {
+export type PostAuthSsoByProviderIdSamlAcsErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Not Found
+     */
+    404: HandlersErrorResponse;
+};
+
+export type PostAuthSsoByProviderIdSamlAcsError = PostAuthSsoByProviderIdSamlAcsErrors[keyof PostAuthSsoByProviderIdSamlAcsErrors];
+
+export type GetAuthSsoByProviderIdSamlMetadataData = {
+    body?: never;
+    path: {
+        /**
+         * SSO provider ID or key
+         */
+        provider_id: string;
+    };
+    query?: never;
+    url: '/auth/sso/{provider_id}/saml/metadata';
+};
+
+export type GetAuthSsoByProviderIdSamlMetadataErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Not Found
+     */
+    404: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetAuthSsoByProviderIdSamlMetadataError = GetAuthSsoByProviderIdSamlMetadataErrors[keyof GetAuthSsoByProviderIdSamlMetadataErrors];
+
+export type GetAuthSsoByProviderIdSamlMetadataResponses = {
+    /**
+     * OK
+     */
+    200: string;
+};
+
+export type GetAuthSsoByProviderIdSamlMetadataResponse = GetAuthSsoByProviderIdSamlMetadataResponses[keyof GetAuthSsoByProviderIdSamlMetadataResponses];
+
+export type GetAuthSsoByProviderIdSamlStartData = {
+    body?: never;
+    path: {
+        /**
+         * SSO provider ID or key
+         */
+        provider_id: string;
+    };
+    query?: never;
+    url: '/auth/sso/{provider_id}/saml/start';
+};
+
+export type GetAuthSsoByProviderIdSamlStartErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Not Found
+     */
+    404: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetAuthSsoByProviderIdSamlStartError = GetAuthSsoByProviderIdSamlStartErrors[keyof GetAuthSsoByProviderIdSamlStartErrors];
+
+export type GetAuthSsoByProviderIdStartData = {
+    body?: never;
+    path: {
+        /**
+         * SSO provider ID or key
+         */
+        provider_id: string;
+    };
+    query?: never;
+    url: '/auth/sso/{provider_id}/start';
+};
+
+export type GetAuthSsoByProviderIdStartErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Not Found
+     */
+    404: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetAuthSsoByProviderIdStartError = GetAuthSsoByProviderIdStartErrors[keyof GetAuthSsoByProviderIdStartErrors];
+
+export type GetAuthSsoByProviderIdStartResponses = {
+    /**
+     * OK
+     */
+    200: HandlersOidcStartResponse;
+};
+
+export type GetAuthSsoByProviderIdStartResponse = GetAuthSsoByProviderIdStartResponses[keyof GetAuthSsoByProviderIdStartResponses];
+
+export type GetBotsData = {
+    body?: never;
+    path?: never;
+    query?: {
+        /**
+         * Owner user ID (admin only)
+         */
+        owner_id?: string;
+    };
+    url: '/bots';
+};
+
+export type GetBotsErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetBotsError = GetBotsErrors[keyof GetBotsErrors];
+
+export type GetBotsResponses = {
+    /**
+     * OK
+     */
+    200: BotsListBotsResponse;
+};
+
+export type GetBotsResponse = GetBotsResponses[keyof GetBotsResponses];
+
+export type PostBotsData = {
+    /**
+     * Bot payload
+     */
+    body: BotsCreateBotRequest;
+    path?: never;
+    query?: never;
+    url: '/bots';
+};
+
+export type PostBotsErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type PostBotsError = PostBotsErrors[keyof PostBotsErrors];
+
+export type PostBotsResponses = {
+    /**
+     * Created
+     */
+    201: BotsBot;
+};
+
+export type PostBotsResponse = PostBotsResponses[keyof PostBotsResponses];
+
+export type GetBotsByBotIdAclChannelIdentitiesData = {
+    body?: never;
+    path: {
+        /**
+         * Bot ID
+         */
+        bot_id: string;
+    };
+    query?: {
+        /**
+         * Search query
+         */
+        q?: string;
+        /**
+         * Max results
+         */
+        limit?: number;
+    };
+    url: '/bots/{bot_id}/acl/channel-identities';
+};
+
+export type GetBotsByBotIdAclChannelIdentitiesErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetBotsByBotIdAclChannelIdentitiesError = GetBotsByBotIdAclChannelIdentitiesErrors[keyof GetBotsByBotIdAclChannelIdentitiesErrors];
+
+export type GetBotsByBotIdAclChannelIdentitiesResponses = {
+    /**
+     * OK
+     */
+    200: AclChannelIdentityCandidateListResponse;
+};
+
+export type GetBotsByBotIdAclChannelIdentitiesResponse = GetBotsByBotIdAclChannelIdentitiesResponses[keyof GetBotsByBotIdAclChannelIdentitiesResponses];
+
+export type GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsData = {
+    body?: never;
+    path: {
+        /**
+         * Bot ID
+         */
+        bot_id: string;
+        /**
+         * Channel Identity ID
+         */
+        channel_identity_id: string;
+    };
+    query?: never;
+    url: '/bots/{bot_id}/acl/channel-identities/{channel_identity_id}/conversations';
+};
+
+export type GetBotsByBotIdAclChannelIdentitiesByChannelIdentityIdConversationsErrors = {
     /**
      * Bad Request
      */
@@ -7240,6 +7626,759 @@ export type GetEmailOauthCallbackResponses = {
 
 export type GetEmailOauthCallbackResponse = GetEmailOauthCallbackResponses[keyof GetEmailOauthCallbackResponses];
 
+export type GetIamBotsByBotIdPrincipalRolesData = {
+    body?: never;
+    path: {
+        /**
+         * Bot ID
+         */
+        bot_id: string;
+    };
+    query?: never;
+    url: '/iam/bots/{bot_id}/principal-roles';
+};
+
+export type GetIamBotsByBotIdPrincipalRolesErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetIamBotsByBotIdPrincipalRolesError = GetIamBotsByBotIdPrincipalRolesErrors[keyof GetIamBotsByBotIdPrincipalRolesErrors];
+
+export type GetIamBotsByBotIdPrincipalRolesResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamListPrincipalRolesResponse;
+};
+
+export type GetIamBotsByBotIdPrincipalRolesResponse = GetIamBotsByBotIdPrincipalRolesResponses[keyof GetIamBotsByBotIdPrincipalRolesResponses];
+
+export type PostIamBotsByBotIdPrincipalRolesData = {
+    /**
+     * Principal role payload
+     */
+    body: HandlersIamPrincipalRoleRequest;
+    path: {
+        /**
+         * Bot ID
+         */
+        bot_id: string;
+    };
+    query?: never;
+    url: '/iam/bots/{bot_id}/principal-roles';
+};
+
+export type PostIamBotsByBotIdPrincipalRolesErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type PostIamBotsByBotIdPrincipalRolesError = PostIamBotsByBotIdPrincipalRolesErrors[keyof PostIamBotsByBotIdPrincipalRolesErrors];
+
+export type PostIamBotsByBotIdPrincipalRolesResponses = {
+    /**
+     * OK
+     */
+    200: {
+        [key: string]: string;
+    };
+    /**
+     * No Content
+     */
+    204: unknown;
+};
+
+export type PostIamBotsByBotIdPrincipalRolesResponse = PostIamBotsByBotIdPrincipalRolesResponses[keyof PostIamBotsByBotIdPrincipalRolesResponses];
+
+export type GetIamGroupsData = {
+    body?: never;
+    path?: never;
+    query?: never;
+    url: '/iam/groups';
+};
+
+export type GetIamGroupsErrors = {
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetIamGroupsError = GetIamGroupsErrors[keyof GetIamGroupsErrors];
+
+export type GetIamGroupsResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamListGroupsResponse;
+};
+
+export type GetIamGroupsResponse = GetIamGroupsResponses[keyof GetIamGroupsResponses];
+
+export type PostIamGroupsData = {
+    /**
+     * Group payload
+     */
+    body: HandlersIamGroupRequest;
+    path?: never;
+    query?: never;
+    url: '/iam/groups';
+};
+
+export type PostIamGroupsErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type PostIamGroupsError = PostIamGroupsErrors[keyof PostIamGroupsErrors];
+
+export type PostIamGroupsResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamGroupResponse;
+};
+
+export type PostIamGroupsResponse = PostIamGroupsResponses[keyof PostIamGroupsResponses];
+
+export type DeleteIamGroupsByIdData = {
+    body?: never;
+    path: {
+        /**
+         * Group ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/iam/groups/{id}';
+};
+
+export type DeleteIamGroupsByIdErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type DeleteIamGroupsByIdError = DeleteIamGroupsByIdErrors[keyof DeleteIamGroupsByIdErrors];
+
+export type DeleteIamGroupsByIdResponses = {
+    /**
+     * No Content
+     */
+    204: unknown;
+};
+
+export type PutIamGroupsByIdData = {
+    /**
+     * Group payload
+     */
+    body: HandlersIamGroupRequest;
+    path?: {
+        /**
+         * Group ID
+         */
+        id?: string;
+    };
+    query?: never;
+    url: '/iam/groups/{id}';
+};
+
+export type PutIamGroupsByIdErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type PutIamGroupsByIdError = PutIamGroupsByIdErrors[keyof PutIamGroupsByIdErrors];
+
+export type PutIamGroupsByIdResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamGroupResponse;
+};
+
+export type PutIamGroupsByIdResponse = PutIamGroupsByIdResponses[keyof PutIamGroupsByIdResponses];
+
+export type GetIamGroupsByIdMembersData = {
+    body?: never;
+    path: {
+        /**
+         * Group ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/iam/groups/{id}/members';
+};
+
+export type GetIamGroupsByIdMembersErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetIamGroupsByIdMembersError = GetIamGroupsByIdMembersErrors[keyof GetIamGroupsByIdMembersErrors];
+
+export type GetIamGroupsByIdMembersResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamListGroupMembersResponse;
+};
+
+export type GetIamGroupsByIdMembersResponse = GetIamGroupsByIdMembersResponses[keyof GetIamGroupsByIdMembersResponses];
+
+export type PostIamGroupsByIdMembersData = {
+    /**
+     * Group member payload
+     */
+    body: HandlersIamGroupMemberRequest;
+    path: {
+        /**
+         * Group ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/iam/groups/{id}/members';
+};
+
+export type PostIamGroupsByIdMembersErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type PostIamGroupsByIdMembersError = PostIamGroupsByIdMembersErrors[keyof PostIamGroupsByIdMembersErrors];
+
+export type PostIamGroupsByIdMembersResponses = {
+    /**
+     * OK
+     */
+    200: {
+        [key: string]: string;
+    };
+};
+
+export type PostIamGroupsByIdMembersResponse = PostIamGroupsByIdMembersResponses[keyof PostIamGroupsByIdMembersResponses];
+
+export type DeleteIamGroupsByIdMembersByUserIdData = {
+    body?: never;
+    path: {
+        /**
+         * Group ID
+         */
+        id: string;
+        /**
+         * User ID
+         */
+        user_id: string;
+    };
+    query?: never;
+    url: '/iam/groups/{id}/members/{user_id}';
+};
+
+export type DeleteIamGroupsByIdMembersByUserIdErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type DeleteIamGroupsByIdMembersByUserIdError = DeleteIamGroupsByIdMembersByUserIdErrors[keyof DeleteIamGroupsByIdMembersByUserIdErrors];
+
+export type DeleteIamGroupsByIdMembersByUserIdResponses = {
+    /**
+     * No Content
+     */
+    204: unknown;
+};
+
+export type DeleteIamPrincipalRolesByIdData = {
+    body?: never;
+    path: {
+        /**
+         * Principal role assignment ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/iam/principal-roles/{id}';
+};
+
+export type DeleteIamPrincipalRolesByIdErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type DeleteIamPrincipalRolesByIdError = DeleteIamPrincipalRolesByIdErrors[keyof DeleteIamPrincipalRolesByIdErrors];
+
+export type DeleteIamPrincipalRolesByIdResponses = {
+    /**
+     * No Content
+     */
+    204: unknown;
+};
+
+export type GetIamRolesData = {
+    body?: never;
+    path?: never;
+    query?: never;
+    url: '/iam/roles';
+};
+
+export type GetIamRolesErrors = {
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetIamRolesError = GetIamRolesErrors[keyof GetIamRolesErrors];
+
+export type GetIamRolesResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamListRolesResponse;
+};
+
+export type GetIamRolesResponse = GetIamRolesResponses[keyof GetIamRolesResponses];
+
+export type GetIamSsoProvidersData = {
+    body?: never;
+    path?: never;
+    query?: never;
+    url: '/iam/sso/providers';
+};
+
+export type GetIamSsoProvidersErrors = {
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetIamSsoProvidersError = GetIamSsoProvidersErrors[keyof GetIamSsoProvidersErrors];
+
+export type GetIamSsoProvidersResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamListSsoProvidersResponse;
+};
+
+export type GetIamSsoProvidersResponse = GetIamSsoProvidersResponses[keyof GetIamSsoProvidersResponses];
+
+export type PostIamSsoProvidersData = {
+    /**
+     * SSO provider payload
+     */
+    body: HandlersIamssoProviderRequest;
+    path?: {
+        /**
+         * SSO provider ID
+         */
+        id?: string;
+    };
+    query?: never;
+    url: '/iam/sso/providers';
+};
+
+export type PostIamSsoProvidersErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type PostIamSsoProvidersError = PostIamSsoProvidersErrors[keyof PostIamSsoProvidersErrors];
+
+export type PostIamSsoProvidersResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamssoProviderResponse;
+};
+
+export type PostIamSsoProvidersResponse = PostIamSsoProvidersResponses[keyof PostIamSsoProvidersResponses];
+
+export type DeleteIamSsoProvidersByIdData = {
+    body?: never;
+    path: {
+        /**
+         * SSO provider ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/iam/sso/providers/{id}';
+};
+
+export type DeleteIamSsoProvidersByIdErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type DeleteIamSsoProvidersByIdError = DeleteIamSsoProvidersByIdErrors[keyof DeleteIamSsoProvidersByIdErrors];
+
+export type DeleteIamSsoProvidersByIdResponses = {
+    /**
+     * No Content
+     */
+    204: unknown;
+};
+
+export type PutIamSsoProvidersByIdData = {
+    /**
+     * SSO provider payload
+     */
+    body: HandlersIamssoProviderRequest;
+    path?: {
+        /**
+         * SSO provider ID
+         */
+        id?: string;
+    };
+    query?: never;
+    url: '/iam/sso/providers/{id}';
+};
+
+export type PutIamSsoProvidersByIdErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type PutIamSsoProvidersByIdError = PutIamSsoProvidersByIdErrors[keyof PutIamSsoProvidersByIdErrors];
+
+export type PutIamSsoProvidersByIdResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamssoProviderResponse;
+};
+
+export type PutIamSsoProvidersByIdResponse = PutIamSsoProvidersByIdResponses[keyof PutIamSsoProvidersByIdResponses];
+
+export type GetIamSsoProvidersByIdGroupMappingsData = {
+    body?: never;
+    path: {
+        /**
+         * SSO provider ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/iam/sso/providers/{id}/group-mappings';
+};
+
+export type GetIamSsoProvidersByIdGroupMappingsErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type GetIamSsoProvidersByIdGroupMappingsError = GetIamSsoProvidersByIdGroupMappingsErrors[keyof GetIamSsoProvidersByIdGroupMappingsErrors];
+
+export type GetIamSsoProvidersByIdGroupMappingsResponses = {
+    /**
+     * OK
+     */
+    200: HandlersIamListSsoGroupMappingsResponse;
+};
+
+export type GetIamSsoProvidersByIdGroupMappingsResponse = GetIamSsoProvidersByIdGroupMappingsResponses[keyof GetIamSsoProvidersByIdGroupMappingsResponses];
+
+export type PostIamSsoProvidersByIdGroupMappingsData = {
+    /**
+     * SSO group mapping payload
+     */
+    body: HandlersIamssoGroupMappingRequest;
+    path: {
+        /**
+         * SSO provider ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/iam/sso/providers/{id}/group-mappings';
+};
+
+export type PostIamSsoProvidersByIdGroupMappingsErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type PostIamSsoProvidersByIdGroupMappingsError = PostIamSsoProvidersByIdGroupMappingsErrors[keyof PostIamSsoProvidersByIdGroupMappingsErrors];
+
+export type PostIamSsoProvidersByIdGroupMappingsResponses = {
+    /**
+     * OK
+     */
+    200: {
+        [key: string]: string;
+    };
+};
+
+export type PostIamSsoProvidersByIdGroupMappingsResponse = PostIamSsoProvidersByIdGroupMappingsResponses[keyof PostIamSsoProvidersByIdGroupMappingsResponses];
+
+export type DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupData = {
+    body?: never;
+    path: {
+        /**
+         * SSO provider ID
+         */
+        id: string;
+        /**
+         * External group
+         */
+        external_group: string;
+    };
+    query?: never;
+    url: '/iam/sso/providers/{id}/group-mappings/{external_group}';
+};
+
+export type DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupErrors = {
+    /**
+     * Bad Request
+     */
+    400: HandlersErrorResponse;
+    /**
+     * Unauthorized
+     */
+    401: HandlersErrorResponse;
+    /**
+     * Forbidden
+     */
+    403: HandlersErrorResponse;
+    /**
+     * Internal Server Error
+     */
+    500: HandlersErrorResponse;
+};
+
+export type DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupError = DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupErrors[keyof DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupErrors];
+
+export type DeleteIamSsoProvidersByIdGroupMappingsByExternalGroupResponses = {
+    /**
+     * No Content
+     */
+    204: unknown;
+};
+
 export type GetMemoryProvidersData = {
     body?: never;
     path?: never;
@@ -9370,7 +10509,7 @@ export type GetUsersResponses = {
     /**
      * OK
      */
-    200: AccountsListAccountsResponse;
+    200: GithubComMemohaiMemohInternalAccountsListAccountsResponse;
 };
 
 export type GetUsersResponse = GetUsersResponses[keyof GetUsersResponses];
@@ -9379,7 +10518,7 @@ export type PostUsersData = {
     /**
      * User payload
      */
-    body: AccountsCreateAccountRequest;
+    body: GithubComMemohaiMemohInternalAccountsCreateAccountRequest;
     path?: never;
     query?: never;
     url: '/users';
@@ -9406,7 +10545,7 @@ export type PostUsersResponses = {
     /**
      * Created
      */
-    201: AccountsAccount;
+    201: GithubComMemohaiMemohInternalAccountsAccount;
 };
 
 export type PostUsersResponse = PostUsersResponses[keyof PostUsersResponses];
@@ -9435,7 +10574,7 @@ export type GetUsersMeResponses = {
     /**
      * OK
      */
-    200: AccountsAccount;
+    200: GithubComMemohaiMemohInternalAccountsAccount;
 };
 
 export type GetUsersMeResponse = GetUsersMeResponses[keyof GetUsersMeResponses];
@@ -9444,7 +10583,7 @@ export type PutUsersMeData = {
     /**
      * Profile payload
      */
-    body: AccountsUpdateProfileRequest;
+    body: GithubComMemohaiMemohInternalAccountsUpdateProfileRequest;
     path?: never;
     query?: never;
     url: '/users/me';
@@ -9467,7 +10606,7 @@ export type PutUsersMeResponses = {
     /**
      * OK
      */
-    200: AccountsAccount;
+    200: GithubComMemohaiMemohInternalAccountsAccount;
 };
 
 export type PutUsersMeResponse = PutUsersMeResponses[keyof PutUsersMeResponses];
@@ -9584,7 +10723,7 @@ export type PutUsersMePasswordData = {
     /**
      * Password payload
      */
-    body: AccountsUpdatePasswordRequest;
+    body: GithubComMemohaiMemohInternalAccountsUpdatePasswordRequest;
     path?: never;
     query?: never;
     url: '/users/me/password';
@@ -9647,7 +10786,7 @@ export type GetUsersByIdResponses = {
     /**
      * OK
      */
-    200: AccountsAccount;
+    200: GithubComMemohaiMemohInternalAccountsAccount;
 };
 
 export type GetUsersByIdResponse = GetUsersByIdResponses[keyof GetUsersByIdResponses];
@@ -9656,7 +10795,7 @@ export type PutUsersByIdData = {
     /**
      * User update payload
      */
-    body: AccountsUpdateAccountRequest;
+    body: GithubComMemohaiMemohInternalAccountsUpdateAccountRequest;
     path: {
         /**
          * User ID
@@ -9692,7 +10831,7 @@ export type PutUsersByIdResponses = {
     /**
      * OK
      */
-    200: AccountsAccount;
+    200: GithubComMemohaiMemohInternalAccountsAccount;
 };
 
 export type PutUsersByIdResponse = PutUsersByIdResponses[keyof PutUsersByIdResponses];
@@ -9701,7 +10840,7 @@ export type PutUsersByIdPasswordData = {
     /**
      * Password payload
      */
-    body: AccountsResetPasswordRequest;
+    body: GithubComMemohaiMemohInternalAccountsResetPasswordRequest;
     path: {
         /**
          * User ID
diff --git a/spec/docs.go b/spec/docs.go
index 6607631d8..26555966c 100644
--- a/spec/docs.go
+++ b/spec/docs.go
@@ -68,7 +68,7 @@ const docTemplate = `{
                         "BearerAuth": []
                     }
                 ],
-                "description": "Issue a new JWT using the existing claims with updated expiration",
+                "description": "Issue a new JWT after validating the active IAM session",
                 "tags": [
                     "auth"
                 ],
@@ -95,6 +95,300 @@ const docTemplate = `{
                 }
             }
         },
+        "/auth/sso/exchange": {
+            "post": {
+                "description": "Exchange a one-time SSO login code for a session JWT",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Exchange SSO login code",
+                "parameters": [
+                    {
+                        "description": "SSO exchange request",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ExchangeSSOCodeRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.LoginResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/providers": {
+            "get": {
+                "description": "List enabled OIDC and SAML SSO providers available for login",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "List SSO providers",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ListSSOProvidersResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/callback": {
+            "get": {
+                "description": "Exchange the provider code, create an IAM session, and redirect to the web login callback with a short-lived login code",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Complete OIDC login",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "OIDC authorization code",
+                        "name": "code",
+                        "in": "query",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "OIDC state",
+                        "name": "state",
+                        "in": "query",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "302": {
+                        "description": "Found"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/saml/acs": {
+            "post": {
+                "description": "Validate the SAML response, create an IAM session, and redirect to the web login callback with a short-lived login code",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Complete SAML login",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "302": {
+                        "description": "Found"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/saml/metadata": {
+            "get": {
+                "description": "Return the SAML service provider metadata XML for an SSO provider",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Get SAML SP metadata",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/saml/start": {
+            "get": {
+                "description": "Create a SAML AuthnRequest, set the transient SAML state cookie, and redirect to the IdP",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Start SAML login",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "302": {
+                        "description": "Found"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/start": {
+            "get": {
+                "description": "Build the provider authorization URL and set the transient OIDC state cookie",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Start OIDC login",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.OIDCStartResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/bots": {
             "get": {
                 "description": "List bots accessible to current user (admin can specify owner_id)",
@@ -5196,7 +5490,7 @@ const docTemplate = `{
         },
         "/bots/{id}": {
             "get": {
-                "description": "Get a bot by ID (owner/admin only)",
+                "description": "Get a bot by ID when the current user has bot.read",
                 "tags": [
                     "bots"
                 ],
@@ -5244,7 +5538,7 @@ const docTemplate = `{
                 }
             },
             "put": {
-                "description": "Update bot profile (owner/admin only)",
+                "description": "Update bot profile when the current user has bot.update",
                 "tags": [
                     "bots"
                 ],
@@ -5301,7 +5595,7 @@ const docTemplate = `{
                 }
             },
             "delete": {
-                "description": "Delete a bot user (owner/admin only)",
+                "description": "Delete a bot user when the current user has bot.delete",
                 "tags": [
                     "bots"
                 ],
@@ -5779,7 +6073,7 @@ const docTemplate = `{
                 "tags": [
                     "bots"
                 ],
-                "summary": "Transfer bot owner (admin only)",
+                "summary": "Transfer bot owner (system admin only)",
                 "parameters": [
                     {
                         "type": "string",
@@ -6536,24 +6830,50 @@ const docTemplate = `{
                 }
             }
         },
-        "/memory-providers": {
+        "/iam/bots/{bot_id}/principal-roles": {
             "get": {
-                "description": "List configured memory providers",
-                "produces": [
-                    "application/json"
-                ],
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "List user and group role assignments for a bot",
                 "tags": [
-                    "memory-providers"
+                    "iam"
+                ],
+                "summary": "List bot role assignments",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Bot ID",
+                        "name": "bot_id",
+                        "in": "path",
+                        "required": true
+                    }
                 ],
-                "summary": "List memory providers",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/adapters.ProviderGetResponse"
-                            }
+                            "$ref": "#/definitions/handlers.IAMListPrincipalRolesResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
                     "500": {
@@ -6565,41 +6885,65 @@ const docTemplate = `{
                 }
             },
             "post": {
-                "description": "Create a memory provider configuration",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "Assign a bot-scoped role to a user or group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Create a memory provider",
+                "summary": "Assign bot role",
                 "parameters": [
                     {
-                        "description": "Memory provider configuration",
-                        "name": "request",
+                        "type": "string",
+                        "description": "Bot ID",
+                        "name": "bot_id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Principal role payload",
+                        "name": "payload",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderCreateRequest"
+                            "$ref": "#/definitions/handlers.IAMPrincipalRoleRequest"
                         }
                     }
                 ],
                 "responses": {
-                    "201": {
-                        "description": "Created",
+                    "200": {
+                        "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderGetResponse"
+                            "type": "object",
+                            "additionalProperties": {
+                                "type": "string"
+                            }
                         }
                     },
+                    "204": {
+                        "description": "No Content"
+                    },
                     "400": {
                         "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -6609,50 +6953,72 @@ const docTemplate = `{
                 }
             }
         },
-        "/memory-providers/meta": {
+        "/iam/groups": {
             "get": {
-                "description": "List available memory provider types and config schemas",
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "List IAM groups",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "List memory provider metadata",
+                "summary": "List IAM groups",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/adapters.ProviderMeta"
-                            }
+                            "$ref": "#/definitions/handlers.IAMListGroupsResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
                 }
-            }
-        },
-        "/memory-providers/{id}": {
-            "get": {
-                "description": "Get memory provider by ID",
-                "produces": [
-                    "application/json"
+            },
+            "post": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "Create or update an IAM group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Get a memory provider",
+                "summary": "Upsert IAM group",
                 "parameters": [
                     {
-                        "type": "string",
-                        "description": "Provider ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Group payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMGroupRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderGetResponse"
+                            "$ref": "#/definitions/handlers.IAMGroupResponse"
                         }
                     },
                     "400": {
@@ -6661,41 +7027,53 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
                 }
-            },
+            }
+        },
+        "/iam/groups/{id}": {
             "put": {
-                "description": "Update memory provider by ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "Create or update an IAM group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Update a memory provider",
+                "summary": "Upsert IAM group",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Group ID",
                         "name": "id",
-                        "in": "path",
-                        "required": true
+                        "in": "path"
                     },
                     {
-                        "description": "Updated configuration",
-                        "name": "request",
+                        "description": "Group payload",
+                        "name": "payload",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderUpdateRequest"
+                            "$ref": "#/definitions/handlers.IAMGroupRequest"
                         }
                     }
                 ],
@@ -6703,7 +7081,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderGetResponse"
+                            "$ref": "#/definitions/handlers.IAMGroupResponse"
                         }
                     },
                     "400": {
@@ -6712,6 +7090,18 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -6721,15 +7111,20 @@ const docTemplate = `{
                 }
             },
             "delete": {
-                "description": "Delete memory provider by ID",
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Delete an IAM group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Delete a memory provider",
+                "summary": "Delete IAM group",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Group ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -6745,6 +7140,18 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -6754,20 +7161,22 @@ const docTemplate = `{
                 }
             }
         },
-        "/memory-providers/{id}/status": {
+        "/iam/groups/{id}/members": {
             "get": {
-                "description": "Get runtime status data for a memory provider",
-                "produces": [
-                    "application/json"
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "List members of an IAM group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Get memory provider status",
+                "summary": "List IAM group members",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Group ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -6777,7 +7186,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderStatusResponse"
+                            "$ref": "#/definitions/handlers.IAMListGroupMembersResponse"
                         }
                     },
                     "400": {
@@ -6786,8 +7195,14 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -6799,36 +7214,43 @@ const docTemplate = `{
                         }
                     }
                 }
-            }
-        },
-        "/models": {
-            "get": {
-                "description": "Get a list of all configured models, optionally filtered by type or provider client type",
+            },
+            "post": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Add a user to an IAM group",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "List all models",
+                "summary": "Add IAM group member",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model type (chat, embedding)",
-                        "name": "type",
-                        "in": "query"
+                        "description": "Group ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
                     },
                     {
-                        "type": "string",
-                        "description": "Provider client type (openai-responses, openai-completions, anthropic-messages, google-generative-ai)",
-                        "name": "client_type",
-                        "in": "query"
+                        "description": "Group member payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMGroupMemberRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/models.GetResponse"
+                            "type": "object",
+                            "additionalProperties": {
+                                "type": "string"
                             }
                         }
                     },
@@ -6838,40 +7260,14 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "401": {
+                        "description": "Unauthorized",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    }
-                }
-            },
-            "post": {
-                "description": "Create a new model configuration",
-                "tags": [
-                    "models"
-                ],
-                "summary": "Create a new model",
-                "parameters": [
-                    {
-                        "description": "Model configuration",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/models.AddRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "201": {
-                        "description": "Created",
-                        "schema": {
-                            "$ref": "#/definitions/models.AddResponse"
-                        }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -6885,27 +7281,37 @@ const docTemplate = `{
                 }
             }
         },
-        "/models/count": {
-            "get": {
-                "description": "Get the total count of models, optionally filtered by type",
+        "/iam/groups/{id}/members/{user_id}": {
+            "delete": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Remove a user from an IAM group",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Get model count",
+                "summary": "Delete IAM group member",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model type (chat, embedding)",
-                        "name": "type",
-                        "in": "query"
+                        "description": "Group ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "User ID",
+                        "name": "user_id",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/models.CountResponse"
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
                     "400": {
                         "description": "Bad Request",
@@ -6913,6 +7319,18 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -6922,28 +7340,30 @@ const docTemplate = `{
                 }
             }
         },
-        "/models/model/{modelId}": {
-            "get": {
-                "description": "Get a model configuration by its model_id field (e.g., gpt-4)",
+        "/iam/principal-roles/{id}": {
+            "delete": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Delete a user or group role assignment",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Get model by model ID",
+                "summary": "Delete role assignment",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID (e.g., gpt-4)",
-                        "name": "modelId",
+                        "description": "Principal role assignment ID",
+                        "name": "id",
                         "in": "path",
                         "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/models.GetResponse"
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
                     "400": {
                         "description": "Bad Request",
@@ -6951,8 +7371,14 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -6964,46 +7390,35 @@ const docTemplate = `{
                         }
                     }
                 }
-            },
-            "put": {
-                "description": "Update a model configuration by its model_id field (e.g., gpt-4)",
-                "tags": [
-                    "models"
-                ],
-                "summary": "Update model by model ID",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Model ID (e.g., gpt-4)",
-                        "name": "modelId",
-                        "in": "path",
-                        "required": true
-                    },
+            }
+        },
+        "/iam/roles": {
+            "get": {
+                "security": [
                     {
-                        "description": "Updated model configuration",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/models.UpdateRequest"
-                        }
+                        "BearerAuth": []
                     }
                 ],
+                "description": "List built-in IAM roles",
+                "tags": [
+                    "iam"
+                ],
+                "summary": "List IAM roles",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/models.GetResponse"
+                            "$ref": "#/definitions/handlers.IAMListRolesResponse"
                         }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "401": {
+                        "description": "Unauthorized",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7015,34 +7430,35 @@ const docTemplate = `{
                         }
                     }
                 }
-            },
-            "delete": {
-                "description": "Delete a model configuration by its model_id field (e.g., gpt-4)",
-                "tags": [
-                    "models"
-                ],
-                "summary": "Delete model by model ID",
-                "parameters": [
+            }
+        },
+        "/iam/sso/providers": {
+            "get": {
+                "security": [
                     {
-                        "type": "string",
-                        "description": "Model ID (e.g., gpt-4)",
-                        "name": "modelId",
-                        "in": "path",
-                        "required": true
+                        "BearerAuth": []
                     }
                 ],
+                "description": "List all IAM SSO providers for administration",
+                "tags": [
+                    "iam"
+                ],
+                "summary": "List IAM SSO providers",
                 "responses": {
-                    "204": {
-                        "description": "No Content"
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMListSSOProvidersResponse"
+                        }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "401": {
+                        "description": "Unauthorized",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7054,29 +7470,40 @@ const docTemplate = `{
                         }
                     }
                 }
-            }
-        },
-        "/models/{id}": {
-            "get": {
-                "description": "Get a model configuration by its internal UUID",
+            },
+            "post": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Create or update an IAM SSO provider",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Get model by internal ID",
+                "summary": "Upsert IAM SSO provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model internal ID (UUID)",
+                        "description": "SSO provider ID",
                         "name": "id",
-                        "in": "path",
-                        "required": true
+                        "in": "path"
+                    },
+                    {
+                        "description": "SSO provider payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMSSOProviderRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/models.GetResponse"
+                            "$ref": "#/definitions/handlers.IAMSSOProviderResponse"
                         }
                     },
                     "400": {
@@ -7085,8 +7512,14 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7098,28 +7531,34 @@ const docTemplate = `{
                         }
                     }
                 }
-            },
+            }
+        },
+        "/iam/sso/providers/{id}": {
             "put": {
-                "description": "Update a model configuration by its internal UUID",
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Create or update an IAM SSO provider",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Update model by internal ID",
+                "summary": "Upsert IAM SSO provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model internal ID (UUID)",
+                        "description": "SSO provider ID",
                         "name": "id",
-                        "in": "path",
-                        "required": true
+                        "in": "path"
                     },
                     {
-                        "description": "Updated model configuration",
+                        "description": "SSO provider payload",
                         "name": "payload",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/models.UpdateRequest"
+                            "$ref": "#/definitions/handlers.IAMSSOProviderRequest"
                         }
                     }
                 ],
@@ -7127,7 +7566,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/models.GetResponse"
+                            "$ref": "#/definitions/handlers.IAMSSOProviderResponse"
                         }
                     },
                     "400": {
@@ -7136,8 +7575,14 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7151,15 +7596,20 @@ const docTemplate = `{
                 }
             },
             "delete": {
-                "description": "Delete a model configuration by its internal UUID",
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Delete an IAM SSO provider",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Delete model by internal ID",
+                "summary": "Delete IAM SSO provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model internal ID (UUID)",
+                        "description": "SSO provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -7175,8 +7625,14 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7190,33 +7646,97 @@ const docTemplate = `{
                 }
             }
         },
-        "/models/{id}/test": {
-            "post": {
-                "description": "Probe a model's provider endpoint using the model's real model_id and client_type to verify configuration",
-                "consumes": [
-                    "application/json"
+        "/iam/sso/providers/{id}/group-mappings": {
+            "get": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
-                "produces": [
-                    "application/json"
+                "description": "List external group to IAM group mappings for an SSO provider",
+                "tags": [
+                    "iam"
+                ],
+                "summary": "List SSO group mappings",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMListSSOGroupMappingsResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "post": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "Create or update an external group to IAM group mapping",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Test model connectivity",
+                "summary": "Upsert SSO group mapping",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model internal ID (UUID)",
+                        "description": "SSO provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
+                    },
+                    {
+                        "description": "SSO group mapping payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMSSOGroupMappingRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/models.TestResponse"
+                            "type": "object",
+                            "additionalProperties": {
+                                "type": "string"
+                            }
                         }
                     },
                     "400": {
@@ -7225,8 +7745,14 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7240,42 +7766,82 @@ const docTemplate = `{
                 }
             }
         },
-        "/ping": {
-            "get": {
+        "/iam/sso/providers/{id}/group-mappings/{external_group}": {
+            "delete": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Delete an external group mapping from an SSO provider",
                 "tags": [
-                    "system"
+                    "iam"
+                ],
+                "summary": "Delete SSO group mapping",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "External group",
+                        "name": "external_group",
+                        "in": "path",
+                        "required": true
+                    }
                 ],
-                "summary": "Health check with server capabilities",
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
-                            "$ref": "#/definitions/handlers.PingResponse"
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
                 }
             }
         },
-        "/providers": {
+        "/memory-providers": {
             "get": {
-                "description": "Get a list of all configured LLM providers",
-                "consumes": [
-                    "application/json"
-                ],
+                "description": "List configured memory providers",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "List all LLM providers",
+                "summary": "List memory providers",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
                             "type": "array",
                             "items": {
-                                "$ref": "#/definitions/providers.GetResponse"
+                                "$ref": "#/definitions/adapters.ProviderGetResponse"
                             }
                         }
                     },
@@ -7288,7 +7854,7 @@ const docTemplate = `{
                 }
             },
             "post": {
-                "description": "Create a new LLM provider configuration",
+                "description": "Create a memory provider configuration",
                 "consumes": [
                     "application/json"
                 ],
@@ -7296,17 +7862,17 @@ const docTemplate = `{
                     "application/json"
                 ],
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Create a new LLM provider",
+                "summary": "Create a memory provider",
                 "parameters": [
                     {
-                        "description": "Provider configuration",
+                        "description": "Memory provider configuration",
                         "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/providers.CreateRequest"
+                            "$ref": "#/definitions/adapters.ProviderCreateRequest"
                         }
                     }
                 ],
@@ -7314,7 +7880,7 @@ const docTemplate = `{
                     "201": {
                         "description": "Created",
                         "schema": {
-                            "$ref": "#/definitions/providers.GetResponse"
+                            "$ref": "#/definitions/adapters.ProviderGetResponse"
                         }
                     },
                     "400": {
@@ -7332,53 +7898,41 @@ const docTemplate = `{
                 }
             }
         },
-        "/providers/count": {
+        "/memory-providers/meta": {
             "get": {
-                "description": "Get the total count of providers",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "List available memory provider types and config schemas",
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Count providers",
+                "summary": "List memory provider metadata",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.CountResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/adapters.ProviderMeta"
+                            }
                         }
                     }
                 }
             }
         },
-        "/providers/name/{name}": {
+        "/memory-providers/{id}": {
             "get": {
-                "description": "Get a provider configuration by its name",
-                "consumes": [
-                    "application/json"
-                ],
+                "description": "Get memory provider by ID",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Get provider by name",
+                "summary": "Get a memory provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider name",
-                        "name": "name",
+                        "description": "Provider ID",
+                        "name": "id",
                         "in": "path",
                         "required": true
                     }
@@ -7387,7 +7941,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.GetResponse"
+                            "$ref": "#/definitions/adapters.ProviderGetResponse"
                         }
                     },
                     "400": {
@@ -7401,130 +7955,36 @@ const docTemplate = `{
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
                     }
                 }
-            }
-        },
-        "/providers/oauth/callback": {
-            "get": {
+            },
+            "put": {
+                "description": "Update memory provider by ID",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "providers-oauth"
+                    "memory-providers"
                 ],
-                "summary": "OAuth2 callback for LLM providers",
+                "summary": "Update a memory provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Authorization code",
-                        "name": "code",
-                        "in": "query",
+                        "description": "Provider ID",
+                        "name": "id",
+                        "in": "path",
                         "required": true
                     },
                     {
-                        "type": "string",
-                        "description": "State parameter",
-                        "name": "state",
-                        "in": "query",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "HTML success page",
-                        "schema": {
-                            "type": "string"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/providers/{id}": {
-            "get": {
-                "description": "Get a provider configuration by its ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "providers"
-                ],
-                "summary": "Get provider by ID",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/providers.GetResponse"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            },
-            "put": {
-                "description": "Update an existing provider configuration",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "providers"
-                ],
-                "summary": "Update provider",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "description": "Updated provider configuration",
+                        "description": "Updated configuration",
                         "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/providers.UpdateRequest"
+                            "$ref": "#/definitions/adapters.ProviderUpdateRequest"
                         }
                     }
                 ],
@@ -7532,7 +7992,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.GetResponse"
+                            "$ref": "#/definitions/adapters.ProviderGetResponse"
                         }
                     },
                     "400": {
@@ -7541,12 +8001,6 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -7556,21 +8010,15 @@ const docTemplate = `{
                 }
             },
             "delete": {
-                "description": "Delete a provider configuration",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "Delete memory provider by ID",
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Delete provider",
+                "summary": "Delete a memory provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -7586,12 +8034,6 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -7601,23 +8043,20 @@ const docTemplate = `{
                 }
             }
         },
-        "/providers/{id}/import-models": {
-            "post": {
-                "description": "Fetch models from provider's /v1/models endpoint and import them",
-                "consumes": [
-                    "application/json"
-                ],
+        "/memory-providers/{id}/status": {
+            "get": {
+                "description": "Get runtime status data for a memory provider",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Import models from provider",
+                "summary": "Get memory provider status",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -7627,7 +8066,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.ImportModelsResponse"
+                            "$ref": "#/definitions/adapters.ProviderStatusResponse"
                         }
                     },
                     "400": {
@@ -7651,25 +8090,24 @@ const docTemplate = `{
                 }
             }
         },
-        "/providers/{id}/models": {
+        "/models": {
             "get": {
-                "description": "Get models for a provider by id, optionally filtered by type",
+                "description": "Get a list of all configured models, optionally filtered by type or provider client type",
                 "tags": [
-                    "providers"
+                    "models"
                 ],
-                "summary": "List provider models",
+                "summary": "List all models",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Model type (chat, embedding)",
+                        "name": "type",
+                        "in": "query"
                     },
                     {
                         "type": "string",
-                        "description": "Model type (chat, embedding)",
-                        "name": "type",
+                        "description": "Provider client type (openai-responses, openai-completions, anthropic-messages, google-generative-ai)",
+                        "name": "client_type",
                         "in": "query"
                     }
                 ],
@@ -7689,12 +8127,6 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -7702,28 +8134,29 @@ const docTemplate = `{
                         }
                     }
                 }
-            }
-        },
-        "/providers/{id}/oauth/authorize": {
-            "get": {
+            },
+            "post": {
+                "description": "Create a new model configuration",
                 "tags": [
-                    "providers-oauth"
+                    "models"
                 ],
-                "summary": "Start OAuth2 authorization for an LLM provider",
+                "summary": "Create a new model",
                 "parameters": [
                     {
-                        "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Model configuration",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/models.AddRequest"
+                        }
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "201": {
+                        "description": "Created",
                         "schema": {
-                            "$ref": "#/definitions/providers.OAuthAuthorizeResponse"
+                            "$ref": "#/definitions/models.AddResponse"
                         }
                     },
                     "400": {
@@ -7732,8 +8165,8 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7741,26 +8174,26 @@ const docTemplate = `{
                 }
             }
         },
-        "/providers/{id}/oauth/poll": {
-            "post": {
+        "/models/count": {
+            "get": {
+                "description": "Get the total count of models, optionally filtered by type",
                 "tags": [
-                    "providers-oauth"
+                    "models"
                 ],
-                "summary": "Poll OAuth device authorization for an LLM provider",
+                "summary": "Get model count",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Model type (chat, embedding)",
+                        "name": "type",
+                        "in": "query"
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.OAuthStatus"
+                            "$ref": "#/definitions/models.CountResponse"
                         }
                     },
                     "400": {
@@ -7769,8 +8202,8 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7778,17 +8211,18 @@ const docTemplate = `{
                 }
             }
         },
-        "/providers/{id}/oauth/status": {
+        "/models/model/{modelId}": {
             "get": {
+                "description": "Get a model configuration by its model_id field (e.g., gpt-4)",
                 "tags": [
-                    "providers-oauth"
+                    "models"
                 ],
-                "summary": "Get OAuth2 status for an LLM provider",
+                "summary": "Get model by model ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
+                        "description": "Model ID (e.g., gpt-4)",
+                        "name": "modelId",
                         "in": "path",
                         "required": true
                     }
@@ -7797,7 +8231,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.OAuthStatus"
+                            "$ref": "#/definitions/models.GetResponse"
                         }
                     },
                     "400": {
@@ -7811,71 +8245,44 @@ const docTemplate = `{
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
                     }
                 }
-            }
-        },
-        "/providers/{id}/oauth/token": {
-            "delete": {
+            },
+            "put": {
+                "description": "Update a model configuration by its model_id field (e.g., gpt-4)",
                 "tags": [
-                    "providers-oauth"
+                    "models"
                 ],
-                "summary": "Revoke stored OAuth2 tokens for an LLM provider",
+                "summary": "Update model by model ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
+                        "description": "Model ID (e.g., gpt-4)",
+                        "name": "modelId",
                         "in": "path",
                         "required": true
-                    }
-                ],
-                "responses": {
-                    "204": {
-                        "description": "No Content"
                     },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
+                    {
+                        "description": "Updated model configuration",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
                         "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "$ref": "#/definitions/models.UpdateRequest"
                         }
                     }
-                }
-            }
-        },
-        "/providers/{id}/test": {
-            "post": {
-                "description": "Probe a provider's base URL to check reachability, supported client types, and embedding support",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "providers"
-                ],
-                "summary": "Test provider connectivity",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.TestResponse"
+                            "$ref": "#/definitions/models.GetResponse"
                         }
                     },
                     "400": {
@@ -7897,79 +8304,34 @@ const docTemplate = `{
                         }
                     }
                 }
-            }
-        },
-        "/search-providers": {
-            "get": {
-                "description": "List configured search providers",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+            },
+            "delete": {
+                "description": "Delete a model configuration by its model_id field (e.g., gpt-4)",
                 "tags": [
-                    "search-providers"
+                    "models"
                 ],
-                "summary": "List search providers",
+                "summary": "Delete model by model ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider filter (brave)",
-                        "name": "provider",
-                        "in": "query"
+                        "description": "Model ID (e.g., gpt-4)",
+                        "name": "modelId",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/searchproviders.GetResponse"
-                            }
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    }
-                }
-            },
-            "post": {
-                "description": "Create a search provider configuration",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "search-providers"
-                ],
-                "summary": "Create a search provider",
-                "parameters": [
-                    {
-                        "description": "Search provider configuration",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/searchproviders.CreateRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "201": {
-                        "description": "Created",
-                        "schema": {
-                            "$ref": "#/definitions/searchproviders.GetResponse"
-                        }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7983,43 +8345,17 @@ const docTemplate = `{
                 }
             }
         },
-        "/search-providers/meta": {
-            "get": {
-                "description": "List available search provider types and config schemas",
-                "tags": [
-                    "search-providers"
-                ],
-                "summary": "List search provider metadata",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/searchproviders.ProviderMeta"
-                            }
-                        }
-                    }
-                }
-            }
-        },
-        "/search-providers/{id}": {
+        "/models/{id}": {
             "get": {
-                "description": "Get search provider by ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "Get a model configuration by its internal UUID",
                 "tags": [
-                    "search-providers"
+                    "models"
                 ],
-                "summary": "Get a search provider",
+                "summary": "Get model by internal ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Model internal ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8029,7 +8365,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/searchproviders.GetResponse"
+                            "$ref": "#/definitions/models.GetResponse"
                         }
                     },
                     "400": {
@@ -8043,36 +8379,36 @@ const docTemplate = `{
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
                     }
                 }
             },
             "put": {
-                "description": "Update search provider by ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "Update a model configuration by its internal UUID",
                 "tags": [
-                    "search-providers"
+                    "models"
                 ],
-                "summary": "Update a search provider",
+                "summary": "Update model by internal ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Model internal ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
                     },
                     {
-                        "description": "Updated configuration",
-                        "name": "request",
+                        "description": "Updated model configuration",
+                        "name": "payload",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/searchproviders.UpdateRequest"
+                            "$ref": "#/definitions/models.UpdateRequest"
                         }
                     }
                 ],
@@ -8080,7 +8416,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/searchproviders.GetResponse"
+                            "$ref": "#/definitions/models.GetResponse"
                         }
                     },
                     "400": {
@@ -8089,6 +8425,12 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -8098,21 +8440,15 @@ const docTemplate = `{
                 }
             },
             "delete": {
-                "description": "Delete search provider by ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "Delete a model configuration by its internal UUID",
                 "tags": [
-                    "search-providers"
+                    "models"
                 ],
-                "summary": "Delete a search provider",
+                "summary": "Delete model by internal ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Model internal ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8128,34 +8464,11 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    }
-                }
-            }
-        },
-        "/speech-models": {
-            "get": {
-                "description": "List all models of type 'speech' (filtered view of unified models table)",
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "speech-models"
-                ],
-                "summary": "List all speech models",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.SpeechModelResponse"
-                            }
-                        }
                     },
                     "500": {
                         "description": "Internal Server Error",
@@ -8166,19 +8479,23 @@ const docTemplate = `{
                 }
             }
         },
-        "/speech-models/{id}": {
-            "get": {
+        "/models/{id}/test": {
+            "post": {
+                "description": "Probe a model's provider endpoint using the model's real model_id and client_type to verify configuration",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-models"
+                    "models"
                 ],
-                "summary": "Get a speech model",
+                "summary": "Test model connectivity",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
+                        "description": "Model internal ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8188,7 +8505,13 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.SpeechModelResponse"
+                            "$ref": "#/definitions/models.TestResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
                     "404": {
@@ -8196,10 +8519,35 @@ const docTemplate = `{
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
                     }
                 }
-            },
-            "put": {
+            }
+        },
+        "/ping": {
+            "get": {
+                "tags": [
+                    "system"
+                ],
+                "summary": "Health check with server capabilities",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.PingResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/providers": {
+            "get": {
+                "description": "Get a list of all configured LLM providers",
                 "consumes": [
                     "application/json"
                 ],
@@ -8207,32 +8555,55 @@ const docTemplate = `{
                     "application/json"
                 ],
                 "tags": [
-                    "speech-models"
+                    "providers"
                 ],
-                "summary": "Update a speech model",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                "summary": "List all LLM providers",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/providers.GetResponse"
+                            }
+                        }
                     },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "post": {
+                "description": "Create a new LLM provider configuration",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "providers"
+                ],
+                "summary": "Create a new LLM provider",
+                "parameters": [
                     {
-                        "description": "Model update payload",
+                        "description": "Provider configuration",
                         "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/audio.UpdateSpeechModelRequest"
+                            "$ref": "#/definitions/providers.CreateRequest"
                         }
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "201": {
+                        "description": "Created",
                         "schema": {
-                            "$ref": "#/definitions/audio.SpeechModelResponse"
+                            "$ref": "#/definitions/providers.GetResponse"
                         }
                     },
                     "400": {
@@ -8250,33 +8621,28 @@ const docTemplate = `{
                 }
             }
         },
-        "/speech-models/{id}/capabilities": {
+        "/providers/count": {
             "get": {
+                "description": "Get the total count of providers",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-models"
-                ],
-                "summary": "Get speech model capabilities",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    }
+                    "providers"
                 ],
+                "summary": "Count providers",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.ModelCapabilities"
+                            "$ref": "#/definitions/providers.CountResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8284,42 +8650,33 @@ const docTemplate = `{
                 }
             }
         },
-        "/speech-models/{id}/test": {
-            "post": {
-                "description": "Synthesize text using a specific model's config and return audio",
+        "/providers/name/{name}": {
+            "get": {
+                "description": "Get a provider configuration by its name",
                 "consumes": [
                     "application/json"
                 ],
                 "produces": [
-                    "application/octet-stream"
+                    "application/json"
                 ],
                 "tags": [
-                    "speech-models"
+                    "providers"
                 ],
-                "summary": "Test speech model synthesis",
+                "summary": "Get provider by name",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
+                        "description": "Provider name",
+                        "name": "name",
                         "in": "path",
                         "required": true
-                    },
-                    {
-                        "description": "Text to synthesize",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/audio.TestSynthesizeRequest"
-                        }
                     }
                 ],
                 "responses": {
                     "200": {
-                        "description": "Audio data",
+                        "description": "OK",
                         "schema": {
-                            "type": "file"
+                            "$ref": "#/definitions/providers.GetResponse"
                         }
                     },
                     "400": {
@@ -8328,6 +8685,12 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -8337,28 +8700,37 @@ const docTemplate = `{
                 }
             }
         },
-        "/speech-providers": {
+        "/providers/oauth/callback": {
             "get": {
-                "description": "List providers that support speech (filtered view of unified providers table)",
-                "produces": [
-                    "application/json"
-                ],
                 "tags": [
-                    "speech-providers"
+                    "providers-oauth"
+                ],
+                "summary": "OAuth2 callback for LLM providers",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Authorization code",
+                        "name": "code",
+                        "in": "query",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "State parameter",
+                        "name": "state",
+                        "in": "query",
+                        "required": true
+                    }
                 ],
-                "summary": "List speech providers",
                 "responses": {
                     "200": {
-                        "description": "OK",
+                        "description": "HTML success page",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.SpeechProviderResponse"
-                            }
+                            "type": "string"
                         }
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8366,36 +8738,19 @@ const docTemplate = `{
                 }
             }
         },
-        "/speech-providers/meta": {
+        "/providers/{id}": {
             "get": {
-                "description": "List available speech provider types with their models and capabilities",
-                "tags": [
-                    "speech-providers"
+                "description": "Get a provider configuration by its ID",
+                "consumes": [
+                    "application/json"
                 ],
-                "summary": "List speech provider metadata",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.ProviderMetaResponse"
-                            }
-                        }
-                    }
-                }
-            }
-        },
-        "/speech-providers/{id}": {
-            "get": {
-                "description": "Get a speech provider with masked config values",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-providers"
+                    "providers"
                 ],
-                "summary": "Get speech provider",
+                "summary": "Get provider by ID",
                 "parameters": [
                     {
                         "type": "string",
@@ -8409,7 +8764,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.SpeechProviderResponse"
+                            "$ref": "#/definitions/providers.GetResponse"
                         }
                     },
                     "400": {
@@ -8423,13 +8778,17 @@ const docTemplate = `{
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
                     }
                 }
-            }
-        },
-        "/speech-providers/{id}/import-models": {
-            "post": {
-                "description": "Fetch models using the configured speech provider and import them into the unified models table",
+            },
+            "put": {
+                "description": "Update an existing provider configuration",
                 "consumes": [
                     "application/json"
                 ],
@@ -8437,9 +8796,9 @@ const docTemplate = `{
                     "application/json"
                 ],
                 "tags": [
-                    "speech-providers"
+                    "providers"
                 ],
-                "summary": "Import speech models from provider",
+                "summary": "Update provider",
                 "parameters": [
                     {
                         "type": "string",
@@ -8447,13 +8806,22 @@ const docTemplate = `{
                         "name": "id",
                         "in": "path",
                         "required": true
+                    },
+                    {
+                        "description": "Updated provider configuration",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/providers.UpdateRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.ImportModelsResponse"
+                            "$ref": "#/definitions/providers.GetResponse"
                         }
                     },
                     "400": {
@@ -8475,18 +8843,19 @@ const docTemplate = `{
                         }
                     }
                 }
-            }
-        },
-        "/speech-providers/{id}/models": {
-            "get": {
-                "description": "List models of type 'speech' for a specific speech provider",
+            },
+            "delete": {
+                "description": "Delete a provider configuration",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-providers"
+                    "providers"
                 ],
-                "summary": "List speech models by provider",
+                "summary": "Delete provider",
                 "parameters": [
                     {
                         "type": "string",
@@ -8497,14 +8866,8 @@ const docTemplate = `{
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.SpeechModelResponse"
-                            }
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
                     "400": {
                         "description": "Bad Request",
@@ -8512,7 +8875,13 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "500": {
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
                         "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
@@ -8521,53 +8890,49 @@ const docTemplate = `{
                 }
             }
         },
-        "/supermarket/mcps": {
-            "get": {
+        "/providers/{id}/import-models": {
+            "post": {
+                "description": "Fetch models from provider's /v1/models endpoint and import them",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "supermarket"
+                    "providers"
                 ],
-                "summary": "List MCPs from supermarket",
+                "summary": "Import models from provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Search query",
-                        "name": "q",
-                        "in": "query"
-                    },
-                    {
-                        "type": "string",
-                        "description": "Filter by tag",
-                        "name": "tag",
-                        "in": "query"
-                    },
-                    {
-                        "type": "string",
-                        "description": "Filter by transport type",
-                        "name": "transport",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Page number",
-                        "name": "page",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Items per page",
-                        "name": "limit",
-                        "in": "query"
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketMcpListResponse"
+                            "$ref": "#/definitions/providers.ImportModelsResponse"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8575,26 +8940,42 @@ const docTemplate = `{
                 }
             }
         },
-        "/supermarket/mcps/{id}": {
+        "/providers/{id}/models": {
             "get": {
+                "description": "Get models for a provider by id, optionally filtered by type",
                 "tags": [
-                    "supermarket"
+                    "providers"
                 ],
-                "summary": "Get MCP detail from supermarket",
+                "summary": "List provider models",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "MCP ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Model type (chat, embedding)",
+                        "name": "type",
+                        "in": "query"
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketMcpEntry"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/models.GetResponse"
+                            }
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
                     "404": {
@@ -8603,8 +8984,8 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8612,47 +8993,36 @@ const docTemplate = `{
                 }
             }
         },
-        "/supermarket/skills": {
+        "/providers/{id}/oauth/authorize": {
             "get": {
                 "tags": [
-                    "supermarket"
+                    "providers-oauth"
                 ],
-                "summary": "List skills from supermarket",
+                "summary": "Start OAuth2 authorization for an LLM provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Search query",
-                        "name": "q",
-                        "in": "query"
-                    },
-                    {
-                        "type": "string",
-                        "description": "Filter by tag",
-                        "name": "tag",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Page number",
-                        "name": "page",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Items per page",
-                        "name": "limit",
-                        "in": "query"
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketSkillListResponse"
+                            "$ref": "#/definitions/providers.OAuthAuthorizeResponse"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8660,16 +9030,16 @@ const docTemplate = `{
                 }
             }
         },
-        "/supermarket/skills/{id}": {
-            "get": {
+        "/providers/{id}/oauth/poll": {
+            "post": {
                 "tags": [
-                    "supermarket"
+                    "providers-oauth"
                 ],
-                "summary": "Get skill detail from supermarket",
+                "summary": "Poll OAuth device authorization for an LLM provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Skill ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8679,17 +9049,17 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketSkillEntry"
+                            "$ref": "#/definitions/providers.OAuthStatus"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8697,50 +9067,36 @@ const docTemplate = `{
                 }
             }
         },
-        "/supermarket/tags": {
+        "/providers/{id}/oauth/status": {
             "get": {
                 "tags": [
-                    "supermarket"
+                    "providers-oauth"
+                ],
+                "summary": "Get OAuth2 status for an LLM provider",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
                 ],
-                "summary": "List all tags from supermarket",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketTagsResponse"
+                            "$ref": "#/definitions/providers.OAuthStatus"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    }
-                }
-            }
-        },
-        "/transcription-models": {
-            "get": {
-                "description": "List all models of type 'transcription' (filtered view of unified models table)",
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "transcription-models"
-                ],
-                "summary": "List all transcription models",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.TranscriptionModelResponse"
-                            }
-                        }
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8748,29 +9104,29 @@ const docTemplate = `{
                 }
             }
         },
-        "/transcription-models/{id}": {
-            "get": {
-                "produces": [
-                    "application/json"
-                ],
+        "/providers/{id}/oauth/token": {
+            "delete": {
                 "tags": [
-                    "transcription-models"
+                    "providers-oauth"
                 ],
-                "summary": "Get a transcription model",
+                "summary": "Revoke stored OAuth2 tokens for an LLM provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
-                            "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
                     "404": {
@@ -8780,8 +9136,11 @@ const docTemplate = `{
                         }
                     }
                 }
-            },
-            "put": {
+            }
+        },
+        "/providers/{id}/test": {
+            "post": {
+                "description": "Probe a provider's base URL to check reachability, supported client types, and embedding support",
                 "consumes": [
                     "application/json"
                 ],
@@ -8789,32 +9148,23 @@ const docTemplate = `{
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-models"
+                    "providers"
                 ],
-                "summary": "Update a transcription model",
+                "summary": "Test provider connectivity",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
-                    },
-                    {
-                        "description": "Model update payload",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/audio.UpdateSpeechModelRequest"
-                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                            "$ref": "#/definitions/providers.TestResponse"
                         }
                     },
                     "400": {
@@ -8823,6 +9173,12 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -8832,80 +9188,73 @@ const docTemplate = `{
                 }
             }
         },
-        "/transcription-models/{id}/capabilities": {
+        "/search-providers": {
             "get": {
+                "description": "List configured search providers",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-models"
+                    "search-providers"
                 ],
-                "summary": "Get transcription model capabilities",
+                "summary": "List search providers",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Provider filter (brave)",
+                        "name": "provider",
+                        "in": "query"
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.ModelCapabilities"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/searchproviders.GetResponse"
+                            }
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
                 }
-            }
-        },
-        "/transcription-models/{id}/test": {
+            },
             "post": {
-                "description": "Transcribe uploaded audio using a specific model's config and return structured text output",
+                "description": "Create a search provider configuration",
                 "consumes": [
-                    "multipart/form-data"
+                    "application/json"
                 ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-models"
+                    "search-providers"
                 ],
-                "summary": "Test transcription model recognition",
+                "summary": "Create a search provider",
                 "parameters": [
                     {
-                        "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "file",
-                        "description": "Audio file",
-                        "name": "file",
-                        "in": "formData",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "description": "Optional JSON config",
-                        "name": "config",
-                        "in": "formData"
+                        "description": "Search provider configuration",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/searchproviders.CreateRequest"
+                        }
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "201": {
+                        "description": "Created",
                         "schema": {
-                            "$ref": "#/definitions/audio.TestTranscriptionResponse"
+                            "$ref": "#/definitions/searchproviders.GetResponse"
                         }
                     },
                     "400": {
@@ -8923,69 +9272,43 @@ const docTemplate = `{
                 }
             }
         },
-        "/transcription-providers": {
+        "/search-providers/meta": {
             "get": {
-                "description": "List providers that support transcription (filtered view of unified providers table)",
-                "produces": [
-                    "application/json"
-                ],
+                "description": "List available search provider types and config schemas",
                 "tags": [
-                    "transcription-providers"
+                    "search-providers"
                 ],
-                "summary": "List transcription providers",
+                "summary": "List search provider metadata",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
                             "type": "array",
                             "items": {
-                                "$ref": "#/definitions/audio.SpeechProviderResponse"
+                                "$ref": "#/definitions/searchproviders.ProviderMeta"
                             }
                         }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
                     }
                 }
             }
         },
-        "/transcription-providers/meta": {
+        "/search-providers/{id}": {
             "get": {
-                "description": "List available transcription provider types with their models and capabilities",
-                "tags": [
-                    "transcription-providers"
+                "description": "Get search provider by ID",
+                "consumes": [
+                    "application/json"
                 ],
-                "summary": "List transcription provider metadata",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.ProviderMetaResponse"
-                            }
-                        }
-                    }
-                }
-            }
-        },
-        "/transcription-providers/{id}": {
-            "get": {
-                "description": "Get a speech provider with masked config values",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-providers"
+                    "search-providers"
                 ],
-                "summary": "Get speech provider",
+                "summary": "Get a search provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8995,7 +9318,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.SpeechProviderResponse"
+                            "$ref": "#/definitions/searchproviders.GetResponse"
                         }
                     },
                     "400": {
@@ -9011,11 +9334,9 @@ const docTemplate = `{
                         }
                     }
                 }
-            }
-        },
-        "/transcription-providers/{id}/import-models": {
-            "post": {
-                "description": "Fetch models using the configured transcription provider and import them into the unified models table",
+            },
+            "put": {
+                "description": "Update search provider by ID",
                 "consumes": [
                     "application/json"
                 ],
@@ -9023,23 +9344,32 @@ const docTemplate = `{
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-providers"
+                    "search-providers"
                 ],
-                "summary": "Import transcription models from provider",
+                "summary": "Update a search provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
+                    },
+                    {
+                        "description": "Updated configuration",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/searchproviders.UpdateRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.ImportModelsResponse"
+                            "$ref": "#/definitions/searchproviders.GetResponse"
                         }
                     },
                     "400": {
@@ -9048,12 +9378,6 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -9061,36 +9385,31 @@ const docTemplate = `{
                         }
                     }
                 }
-            }
-        },
-        "/transcription-providers/{id}/models": {
-            "get": {
-                "description": "List models of type 'transcription' for a specific transcription provider",
+            },
+            "delete": {
+                "description": "Delete search provider by ID",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-providers"
+                    "search-providers"
                 ],
-                "summary": "List transcription models by provider",
+                "summary": "Delete a search provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.TranscriptionModelResponse"
-                            }
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
                     "400": {
                         "description": "Bad Request",
@@ -9107,30 +9426,24 @@ const docTemplate = `{
                 }
             }
         },
-        "/users": {
+        "/speech-models": {
             "get": {
-                "description": "List users",
+                "description": "List all models of type 'speech' (filtered view of unified models table)",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-models"
                 ],
-                "summary": "List users (admin only)",
+                "summary": "List all speech models",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.ListAccountsResponse"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "403": {
-                        "description": "Forbidden",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.SpeechModelResponse"
+                            }
                         }
                     },
                     "500": {
@@ -9140,74 +9453,35 @@ const docTemplate = `{
                         }
                     }
                 }
-            },
-            "post": {
-                "description": "Create a new human user account",
+            }
+        },
+        "/speech-models/{id}": {
+            "get": {
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-models"
                 ],
-                "summary": "Create human user (admin only)",
+                "summary": "Get a speech model",
                 "parameters": [
                     {
-                        "description": "User payload",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/accounts.CreateAccountRequest"
-                        }
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
-                    "201": {
-                        "description": "Created",
-                        "schema": {
-                            "$ref": "#/definitions/accounts.Account"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
+                    "200": {
+                        "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "$ref": "#/definitions/audio.SpeechModelResponse"
                         }
                     },
-                    "403": {
-                        "description": "Forbidden",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/users/me": {
-            "get": {
-                "description": "Get current user profile",
-                "tags": [
-                    "users"
-                ],
-                "summary": "Get current user",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/accounts.Account"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -9215,19 +9489,31 @@ const docTemplate = `{
                 }
             },
             "put": {
-                "description": "Update current user display name or avatar",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-models"
                 ],
-                "summary": "Update current user profile",
+                "summary": "Update a speech model",
                 "parameters": [
                     {
-                        "description": "Profile payload",
-                        "name": "payload",
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Model update payload",
+                        "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/accounts.UpdateProfileRequest"
+                            "$ref": "#/definitions/audio.UpdateSpeechModelRequest"
                         }
                     }
                 ],
@@ -9235,7 +9521,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.Account"
+                            "$ref": "#/definitions/audio.SpeechModelResponse"
                         }
                     },
                     "400": {
@@ -9253,18 +9539,20 @@ const docTemplate = `{
                 }
             }
         },
-        "/users/me/channels/{platform}": {
+        "/speech-models/{id}/capabilities": {
             "get": {
-                "description": "Get channel binding configuration for current user",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "channel"
+                    "speech-models"
                 ],
-                "summary": "Get channel user config",
+                "summary": "Get speech model capabilities",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Channel platform",
-                        "name": "platform",
+                        "description": "Model ID",
+                        "name": "id",
                         "in": "path",
                         "required": true
                     }
@@ -9273,13 +9561,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/channel.ChannelIdentityBinding"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "$ref": "#/definitions/audio.ModelCapabilities"
                         }
                     },
                     "404": {
@@ -9287,44 +9569,46 @@ const docTemplate = `{
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
                     }
                 }
-            },
-            "put": {
-                "description": "Update channel binding configuration for current user",
+            }
+        },
+        "/speech-models/{id}/test": {
+            "post": {
+                "description": "Synthesize text using a specific model's config and return audio",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/octet-stream"
+                ],
                 "tags": [
-                    "channel"
+                    "speech-models"
                 ],
-                "summary": "Update channel user config",
+                "summary": "Test speech model synthesis",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Channel platform",
-                        "name": "platform",
+                        "description": "Model ID",
+                        "name": "id",
                         "in": "path",
                         "required": true
                     },
                     {
-                        "description": "Channel user config payload",
-                        "name": "payload",
+                        "description": "Text to synthesize",
+                        "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/channel.UpsertChannelIdentityConfigRequest"
+                            "$ref": "#/definitions/audio.TestSynthesizeRequest"
                         }
                     }
                 ],
                 "responses": {
                     "200": {
-                        "description": "OK",
+                        "description": "Audio data",
                         "schema": {
-                            "$ref": "#/definitions/channel.ChannelIdentityBinding"
+                            "type": "file"
                         }
                     },
                     "400": {
@@ -9342,30 +9626,24 @@ const docTemplate = `{
                 }
             }
         },
-        "/users/me/identities": {
+        "/speech-providers": {
             "get": {
-                "description": "List all channel identities linked to current user",
+                "description": "List providers that support speech (filtered view of unified providers table)",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-providers"
                 ],
-                "summary": "List current user's channel identities",
+                "summary": "List speech providers",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.listMyIdentitiesResponse"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.SpeechProviderResponse"
+                            }
                         }
                     },
                     "500": {
@@ -9377,54 +9655,40 @@ const docTemplate = `{
                 }
             }
         },
-        "/users/me/password": {
-            "put": {
-                "description": "Update current user password with current password check",
+        "/speech-providers/meta": {
+            "get": {
+                "description": "List available speech provider types with their models and capabilities",
                 "tags": [
-                    "users"
-                ],
-                "summary": "Update current user password",
-                "parameters": [
-                    {
-                        "description": "Password payload",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/accounts.UpdatePasswordRequest"
-                        }
-                    }
+                    "speech-providers"
                 ],
+                "summary": "List speech provider metadata",
                 "responses": {
-                    "204": {
-                        "description": "No Content"
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "200": {
+                        "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.ProviderMetaResponse"
+                            }
                         }
                     }
                 }
             }
         },
-        "/users/{id}": {
+        "/speech-providers/{id}": {
             "get": {
-                "description": "Get user details (self or admin only)",
+                "description": "Get a speech provider with masked config values",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-providers"
                 ],
-                "summary": "Get user by ID",
+                "summary": "Get speech provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "User ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -9434,7 +9698,7 @@ const docTemplate = `{
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.Account"
+                            "$ref": "#/definitions/audio.SpeechProviderResponse"
                         }
                     },
                     "400": {
@@ -9443,55 +9707,42 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "403": {
-                        "description": "Forbidden",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "404": {
                         "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
                     }
                 }
-            },
-            "put": {
-                "description": "Update user profile and status",
+            }
+        },
+        "/speech-providers/{id}/import-models": {
+            "post": {
+                "description": "Fetch models using the configured speech provider and import them into the unified models table",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-providers"
                 ],
-                "summary": "Update user (admin only)",
+                "summary": "Import speech models from provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "User ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
-                    },
-                    {
-                        "description": "User update payload",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/accounts.UpdateAccountRequest"
-                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.Account"
+                            "$ref": "#/definitions/audio.ImportModelsResponse"
                         }
                     },
                     "400": {
@@ -9500,12 +9751,6 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "403": {
-                        "description": "Forbidden",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "404": {
                         "description": "Not Found",
                         "schema": {
@@ -9521,46 +9766,210 @@ const docTemplate = `{
                 }
             }
         },
-        "/users/{id}/password": {
-            "put": {
-                "description": "Reset a user password",
+        "/speech-providers/{id}/models": {
+            "get": {
+                "description": "List models of type 'speech' for a specific speech provider",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-providers"
                 ],
-                "summary": "Reset user password (admin only)",
+                "summary": "List speech models by provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "User ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.SpeechModelResponse"
+                            }
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/supermarket/mcps": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "List MCPs from supermarket",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Search query",
+                        "name": "q",
+                        "in": "query"
                     },
                     {
-                        "description": "Password payload",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
+                        "type": "string",
+                        "description": "Filter by tag",
+                        "name": "tag",
+                        "in": "query"
+                    },
+                    {
+                        "type": "string",
+                        "description": "Filter by transport type",
+                        "name": "transport",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Page number",
+                        "name": "page",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Items per page",
+                        "name": "limit",
+                        "in": "query"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.ResetPasswordRequest"
+                            "$ref": "#/definitions/handlers.SupermarketMcpListResponse"
+                        }
+                    },
+                    "502": {
+                        "description": "Bad Gateway",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
+                }
+            }
+        },
+        "/supermarket/mcps/{id}": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "Get MCP detail from supermarket",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "MCP ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
                 ],
                 "responses": {
-                    "204": {
-                        "description": "No Content"
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.SupermarketMcpEntry"
+                        }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "403": {
-                        "description": "Forbidden",
+                    "502": {
+                        "description": "Bad Gateway",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/supermarket/skills": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "List skills from supermarket",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Search query",
+                        "name": "q",
+                        "in": "query"
+                    },
+                    {
+                        "type": "string",
+                        "description": "Filter by tag",
+                        "name": "tag",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Page number",
+                        "name": "page",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Items per page",
+                        "name": "limit",
+                        "in": "query"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.SupermarketSkillListResponse"
+                        }
+                    },
+                    "502": {
+                        "description": "Bad Gateway",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    }
+                }
+            }
+        },
+        "/supermarket/skills/{id}": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "Get skill detail from supermarket",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Skill ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.SupermarketSkillEntry"
+                        }
                     },
                     "404": {
                         "description": "Not Found",
@@ -9568,6 +9977,57 @@ const docTemplate = `{
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "502": {
+                        "description": "Bad Gateway",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/supermarket/tags": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "List all tags from supermarket",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.SupermarketTagsResponse"
+                        }
+                    },
+                    "502": {
+                        "description": "Bad Gateway",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-models": {
+            "get": {
+                "description": "List all models of type 'transcription' (filtered view of unified models table)",
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "List all transcription models",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                            }
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -9576,1041 +10036,2606 @@ const docTemplate = `{
                     }
                 }
             }
-        }
-    },
-    "definitions": {
-        "accounts.Account": {
+        },
+        "/transcription-models/{id}": {
+            "get": {
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "Get a transcription model",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "Update a transcription model",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Model update payload",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/audio.UpdateSpeechModelRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-models/{id}/capabilities": {
+            "get": {
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "Get transcription model capabilities",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.ModelCapabilities"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-models/{id}/test": {
+            "post": {
+                "description": "Transcribe uploaded audio using a specific model's config and return structured text output",
+                "consumes": [
+                    "multipart/form-data"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "Test transcription model recognition",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "file",
+                        "description": "Audio file",
+                        "name": "file",
+                        "in": "formData",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Optional JSON config",
+                        "name": "config",
+                        "in": "formData"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.TestTranscriptionResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers": {
+            "get": {
+                "description": "List providers that support transcription (filtered view of unified providers table)",
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-providers"
+                ],
+                "summary": "List transcription providers",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.SpeechProviderResponse"
+                            }
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers/meta": {
+            "get": {
+                "description": "List available transcription provider types with their models and capabilities",
+                "tags": [
+                    "transcription-providers"
+                ],
+                "summary": "List transcription provider metadata",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.ProviderMetaResponse"
+                            }
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers/{id}": {
+            "get": {
+                "description": "Get a speech provider with masked config values",
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "speech-providers"
+                ],
+                "summary": "Get speech provider",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.SpeechProviderResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers/{id}/import-models": {
+            "post": {
+                "description": "Fetch models using the configured transcription provider and import them into the unified models table",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-providers"
+                ],
+                "summary": "Import transcription models from provider",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.ImportModelsResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers/{id}/models": {
+            "get": {
+                "description": "List models of type 'transcription' for a specific transcription provider",
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-providers"
+                ],
+                "summary": "List transcription models by provider",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                            }
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users": {
+            "get": {
+                "description": "List users",
+                "tags": [
+                    "users"
+                ],
+                "summary": "List users (admin only)",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.ListAccountsResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "post": {
+                "description": "Create a new human user account",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Create human user (admin only)",
+                "parameters": [
+                    {
+                        "description": "User payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.CreateAccountRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "201": {
+                        "description": "Created",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/me": {
+            "get": {
+                "description": "Get current user profile",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Get current user",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "description": "Update current user display name or avatar",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Update current user profile",
+                "parameters": [
+                    {
+                        "description": "Profile payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.UpdateProfileRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/me/channels/{platform}": {
+            "get": {
+                "description": "Get channel binding configuration for current user",
+                "tags": [
+                    "channel"
+                ],
+                "summary": "Get channel user config",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Channel platform",
+                        "name": "platform",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/channel.ChannelIdentityBinding"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "description": "Update channel binding configuration for current user",
+                "tags": [
+                    "channel"
+                ],
+                "summary": "Update channel user config",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Channel platform",
+                        "name": "platform",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Channel user config payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/channel.UpsertChannelIdentityConfigRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/channel.ChannelIdentityBinding"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/me/identities": {
+            "get": {
+                "description": "List all channel identities linked to current user",
+                "tags": [
+                    "users"
+                ],
+                "summary": "List current user's channel identities",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.listMyIdentitiesResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/me/password": {
+            "put": {
+                "description": "Update current user password with current password check",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Update current user password",
+                "parameters": [
+                    {
+                        "description": "Password payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.UpdatePasswordRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/{id}": {
+            "get": {
+                "description": "Get user details (self or admin only)",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Get user by ID",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "description": "Update user profile and status",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Update user (admin only)",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "User update payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.UpdateAccountRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/{id}/password": {
+            "put": {
+                "description": "Reset a user password",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Reset user password (admin only)",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Password payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.ResetPasswordRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        }
+    },
+    "definitions": {
+        "acl.ChannelIdentityCandidate": {
+            "type": "object",
+            "properties": {
+                "avatar_url": {
+                    "type": "string"
+                },
+                "channel": {
+                    "type": "string"
+                },
+                "channel_subject_id": {
+                    "type": "string"
+                },
+                "display_name": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "linked_avatar_url": {
+                    "type": "string"
+                },
+                "linked_display_name": {
+                    "type": "string"
+                },
+                "linked_user_id": {
+                    "type": "string"
+                },
+                "linked_username": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.ChannelIdentityCandidateListResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/acl.ChannelIdentityCandidate"
+                    }
+                }
+            }
+        },
+        "acl.CreateRuleRequest": {
+            "type": "object",
+            "properties": {
+                "channel_identity_id": {
+                    "type": "string"
+                },
+                "description": {
+                    "type": "string"
+                },
+                "effect": {
+                    "type": "string"
+                },
+                "enabled": {
+                    "type": "boolean"
+                },
+                "priority": {
+                    "type": "integer"
+                },
+                "source_scope": {
+                    "$ref": "#/definitions/acl.SourceScope"
+                },
+                "subject_channel_type": {
+                    "type": "string"
+                },
+                "subject_kind": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.DefaultEffectResponse": {
+            "type": "object",
+            "properties": {
+                "default_effect": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.ListRulesResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/acl.Rule"
+                    }
+                }
+            }
+        },
+        "acl.ObservedConversationCandidate": {
+            "type": "object",
+            "properties": {
+                "channel": {
+                    "type": "string"
+                },
+                "conversation_id": {
+                    "type": "string"
+                },
+                "conversation_name": {
+                    "type": "string"
+                },
+                "conversation_type": {
+                    "type": "string"
+                },
+                "last_observed_at": {
+                    "type": "string"
+                },
+                "route_id": {
+                    "type": "string"
+                },
+                "thread_id": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.ObservedConversationCandidateListResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/acl.ObservedConversationCandidate"
+                    }
+                }
+            }
+        },
+        "acl.ReorderItem": {
+            "type": "object",
+            "properties": {
+                "id": {
+                    "type": "string"
+                },
+                "priority": {
+                    "type": "integer"
+                }
+            }
+        },
+        "acl.ReorderRequest": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/acl.ReorderItem"
+                    }
+                }
+            }
+        },
+        "acl.Rule": {
+            "type": "object",
+            "properties": {
+                "action": {
+                    "type": "string"
+                },
+                "bot_id": {
+                    "type": "string"
+                },
+                "channel_identity_avatar_url": {
+                    "type": "string"
+                },
+                "channel_identity_display_name": {
+                    "type": "string"
+                },
+                "channel_identity_id": {
+                    "type": "string"
+                },
+                "channel_subject_id": {
+                    "type": "string"
+                },
+                "channel_type": {
+                    "type": "string"
+                },
+                "created_at": {
+                    "type": "string"
+                },
+                "description": {
+                    "type": "string"
+                },
+                "effect": {
+                    "type": "string"
+                },
+                "enabled": {
+                    "type": "boolean"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "linked_user_avatar_url": {
+                    "type": "string"
+                },
+                "linked_user_display_name": {
+                    "type": "string"
+                },
+                "linked_user_id": {
+                    "type": "string"
+                },
+                "linked_user_username": {
+                    "type": "string"
+                },
+                "priority": {
+                    "type": "integer"
+                },
+                "source_scope": {
+                    "$ref": "#/definitions/acl.SourceScope"
+                },
+                "subject_channel_type": {
+                    "type": "string"
+                },
+                "subject_kind": {
+                    "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.SourceScope": {
+            "type": "object",
+            "properties": {
+                "conversation_id": {
+                    "type": "string"
+                },
+                "conversation_type": {
+                    "type": "string"
+                },
+                "thread_id": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.UpdateRuleRequest": {
+            "type": "object",
+            "properties": {
+                "channel_identity_id": {
+                    "type": "string"
+                },
+                "description": {
+                    "type": "string"
+                },
+                "effect": {
+                    "type": "string"
+                },
+                "enabled": {
+                    "type": "boolean"
+                },
+                "priority": {
+                    "type": "integer"
+                },
+                "source_scope": {
+                    "$ref": "#/definitions/acl.SourceScope"
+                },
+                "subject_channel_type": {
+                    "type": "string"
+                },
+                "subject_kind": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.CDFPoint": {
+            "type": "object",
+            "properties": {
+                "cumulative": {
+                    "description": "cumulative weight fraction [0.0, 1.0]",
+                    "type": "number"
+                },
+                "k": {
+                    "description": "rank position (1-based, sorted by value desc)",
+                    "type": "integer"
+                }
+            }
+        },
+        "adapters.CompactResult": {
+            "type": "object",
+            "properties": {
+                "after_count": {
+                    "type": "integer"
+                },
+                "before_count": {
+                    "type": "integer"
+                },
+                "ratio": {
+                    "type": "number"
+                },
+                "results": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.MemoryItem"
+                    }
+                }
+            }
+        },
+        "adapters.DeleteResponse": {
+            "type": "object",
+            "properties": {
+                "message": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.HealthStatus": {
+            "type": "object",
+            "properties": {
+                "error": {
+                    "type": "string"
+                },
+                "ok": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "adapters.MemoryItem": {
+            "type": "object",
+            "properties": {
+                "agent_id": {
+                    "type": "string"
+                },
+                "bot_id": {
+                    "type": "string"
+                },
+                "cdf_curve": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.CDFPoint"
+                    }
+                },
+                "created_at": {
+                    "type": "string"
+                },
+                "hash": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "memory": {
+                    "type": "string"
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "run_id": {
+                    "type": "string"
+                },
+                "score": {
+                    "type": "number"
+                },
+                "top_k_buckets": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.TopKBucket"
+                    }
+                },
+                "updated_at": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.MemoryStatusResponse": {
+            "type": "object",
+            "properties": {
+                "can_manual_sync": {
+                    "type": "boolean"
+                },
+                "encoder": {
+                    "$ref": "#/definitions/adapters.HealthStatus"
+                },
+                "indexed_count": {
+                    "type": "integer"
+                },
+                "markdown_file_count": {
+                    "type": "integer"
+                },
+                "memory_mode": {
+                    "type": "string"
+                },
+                "overview_path": {
+                    "type": "string"
+                },
+                "provider_type": {
+                    "type": "string"
+                },
+                "qdrant": {
+                    "$ref": "#/definitions/adapters.HealthStatus"
+                },
+                "qdrant_collection": {
+                    "type": "string"
+                },
+                "source_count": {
+                    "type": "integer"
+                },
+                "source_dir": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.Message": {
+            "type": "object",
+            "properties": {
+                "content": {
+                    "type": "string"
+                },
+                "role": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderCollectionStatus": {
+            "type": "object",
+            "properties": {
+                "exists": {
+                    "type": "boolean"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "points": {
+                    "type": "integer"
+                },
+                "qdrant": {
+                    "$ref": "#/definitions/adapters.HealthStatus"
+                }
+            }
+        },
+        "adapters.ProviderConfigSchema": {
+            "type": "object",
+            "properties": {
+                "fields": {
+                    "type": "object",
+                    "additionalProperties": {
+                        "$ref": "#/definitions/adapters.ProviderFieldSchema"
+                    }
+                }
+            }
+        },
+        "adapters.ProviderCreateRequest": {
+            "type": "object",
+            "properties": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "name": {
+                    "type": "string"
+                },
+                "provider": {
+                    "$ref": "#/definitions/adapters.ProviderType"
+                }
+            }
+        },
+        "adapters.ProviderFieldSchema": {
+            "type": "object",
+            "properties": {
+                "description": {
+                    "type": "string"
+                },
+                "example": {},
+                "required": {
+                    "type": "boolean"
+                },
+                "secret": {
+                    "type": "boolean"
+                },
+                "title": {
+                    "type": "string"
+                },
+                "type": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderGetResponse": {
+            "type": "object",
+            "properties": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "created_at": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "is_default": {
+                    "type": "boolean"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "provider": {
+                    "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderMeta": {
+            "type": "object",
+            "properties": {
+                "config_schema": {
+                    "$ref": "#/definitions/adapters.ProviderConfigSchema"
+                },
+                "display_name": {
+                    "type": "string"
+                },
+                "provider": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderStatusResponse": {
+            "type": "object",
+            "properties": {
+                "collections": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.ProviderCollectionStatus"
+                    }
+                },
+                "embedding_model_id": {
+                    "type": "string"
+                },
+                "memory_mode": {
+                    "type": "string"
+                },
+                "provider_type": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderType": {
+            "type": "string",
+            "enum": [
+                "builtin",
+                "mem0",
+                "openviking"
+            ],
+            "x-enum-varnames": [
+                "ProviderBuiltin",
+                "ProviderMem0",
+                "ProviderOpenViking"
+            ]
+        },
+        "adapters.ProviderUpdateRequest": {
+            "type": "object",
+            "properties": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "name": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.RebuildResult": {
+            "type": "object",
+            "properties": {
+                "fs_count": {
+                    "type": "integer"
+                },
+                "missing_count": {
+                    "type": "integer"
+                },
+                "restored_count": {
+                    "type": "integer"
+                },
+                "storage_count": {
+                    "type": "integer"
+                }
+            }
+        },
+        "adapters.SearchResponse": {
+            "type": "object",
+            "properties": {
+                "relations": {
+                    "type": "array",
+                    "items": {}
+                },
+                "results": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.MemoryItem"
+                    }
+                }
+            }
+        },
+        "adapters.TopKBucket": {
+            "type": "object",
+            "properties": {
+                "index": {
+                    "description": "sparse dimension index (term hash)",
+                    "type": "integer"
+                },
+                "value": {
+                    "description": "weight (term frequency)",
+                    "type": "number"
+                }
+            }
+        },
+        "adapters.UsageResponse": {
+            "type": "object",
+            "properties": {
+                "avg_text_bytes": {
+                    "type": "integer"
+                },
+                "count": {
+                    "type": "integer"
+                },
+                "estimated_storage_bytes": {
+                    "type": "integer"
+                },
+                "total_text_bytes": {
+                    "type": "integer"
+                }
+            }
+        },
+        "audio.ConfigSchema": {
+            "type": "object",
+            "properties": {
+                "fields": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/audio.FieldSchema"
+                    }
+                }
+            }
+        },
+        "audio.FieldSchema": {
             "type": "object",
             "properties": {
-                "avatar_url": {
-                    "type": "string"
+                "advanced": {
+                    "type": "boolean"
                 },
-                "created_at": {
+                "description": {
                     "type": "string"
                 },
-                "display_name": {
-                    "type": "string"
+                "enum": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "email": {
+                "example": {},
+                "key": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
+                "order": {
+                    "type": "integer"
                 },
-                "is_active": {
+                "required": {
                     "type": "boolean"
                 },
-                "last_login_at": {
-                    "type": "string"
-                },
-                "role": {
-                    "type": "string"
-                },
-                "timezone": {
-                    "type": "string"
-                },
-                "updated_at": {
+                "title": {
                     "type": "string"
                 },
-                "username": {
+                "type": {
                     "type": "string"
                 }
             }
         },
-        "accounts.CreateAccountRequest": {
+        "audio.ImportModelsResponse": {
             "type": "object",
             "properties": {
-                "avatar_url": {
-                    "type": "string"
-                },
-                "display_name": {
-                    "type": "string"
-                },
-                "email": {
-                    "type": "string"
-                },
-                "is_active": {
-                    "type": "boolean"
-                },
-                "password": {
-                    "type": "string"
+                "created": {
+                    "type": "integer"
                 },
-                "role": {
-                    "type": "string"
+                "models": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "username": {
-                    "type": "string"
+                "skipped": {
+                    "type": "integer"
                 }
             }
         },
-        "accounts.ListAccountsResponse": {
+        "audio.ModelCapabilities": {
             "type": "object",
             "properties": {
-                "items": {
+                "config_schema": {
+                    "$ref": "#/definitions/audio.ConfigSchema"
+                },
+                "formats": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {
+                        "type": "string"
+                    }
+                },
+                "pitch": {
+                    "$ref": "#/definitions/audio.ParamConstraint"
+                },
+                "speed": {
+                    "$ref": "#/definitions/audio.ParamConstraint"
+                },
+                "voices": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/accounts.Account"
+                        "$ref": "#/definitions/audio.VoiceInfo"
                     }
                 }
             }
         },
-        "accounts.ResetPasswordRequest": {
+        "audio.ModelInfo": {
             "type": "object",
             "properties": {
-                "new_password": {
+                "capabilities": {
+                    "$ref": "#/definitions/audio.ModelCapabilities"
+                },
+                "config_schema": {
+                    "$ref": "#/definitions/audio.ConfigSchema"
+                },
+                "description": {
                     "type": "string"
-                }
-            }
-        },
-        "accounts.UpdateAccountRequest": {
-            "type": "object",
-            "properties": {
-                "avatar_url": {
+                },
+                "id": {
                     "type": "string"
                 },
-                "display_name": {
+                "name": {
                     "type": "string"
                 },
-                "is_active": {
+                "template_only": {
                     "type": "boolean"
-                },
-                "role": {
-                    "type": "string"
                 }
             }
         },
-        "accounts.UpdatePasswordRequest": {
+        "audio.ParamConstraint": {
             "type": "object",
             "properties": {
-                "current_password": {
-                    "type": "string"
+                "default": {
+                    "type": "number"
                 },
-                "new_password": {
-                    "type": "string"
+                "max": {
+                    "type": "number"
+                },
+                "min": {
+                    "type": "number"
+                },
+                "options": {
+                    "type": "array",
+                    "items": {
+                        "type": "number"
+                    }
                 }
             }
         },
-        "accounts.UpdateProfileRequest": {
+        "audio.ProviderMetaResponse": {
             "type": "object",
             "properties": {
-                "avatar_url": {
+                "config_schema": {
+                    "$ref": "#/definitions/audio.ConfigSchema"
+                },
+                "default_model": {
+                    "type": "string"
+                },
+                "default_synthesis_model": {
+                    "type": "string"
+                },
+                "default_transcription_model": {
+                    "type": "string"
+                },
+                "description": {
                     "type": "string"
                 },
                 "display_name": {
                     "type": "string"
                 },
-                "timezone": {
+                "models": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/audio.ModelInfo"
+                    }
+                },
+                "provider": {
                     "type": "string"
+                },
+                "supports_synthesis_list": {
+                    "type": "boolean"
+                },
+                "supports_transcription_list": {
+                    "type": "boolean"
+                },
+                "synthesis_models": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/audio.ModelInfo"
+                    }
+                },
+                "transcription_models": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/audio.ModelInfo"
+                    }
                 }
             }
         },
-        "acl.ChannelIdentityCandidate": {
+        "audio.SpeechModelResponse": {
             "type": "object",
             "properties": {
-                "avatar_url": {
-                    "type": "string"
-                },
-                "channel": {
-                    "type": "string"
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "channel_subject_id": {
+                "created_at": {
                     "type": "string"
                 },
-                "display_name": {
+                "id": {
                     "type": "string"
                 },
-                "id": {
+                "model_id": {
                     "type": "string"
                 },
-                "linked_avatar_url": {
+                "name": {
                     "type": "string"
                 },
-                "linked_display_name": {
+                "provider_id": {
                     "type": "string"
                 },
-                "linked_user_id": {
+                "provider_type": {
                     "type": "string"
                 },
-                "linked_username": {
+                "updated_at": {
                     "type": "string"
                 }
             }
         },
-        "acl.ChannelIdentityCandidateListResponse": {
-            "type": "object",
-            "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/acl.ChannelIdentityCandidate"
-                    }
-                }
-            }
-        },
-        "acl.CreateRuleRequest": {
+        "audio.SpeechProviderResponse": {
             "type": "object",
             "properties": {
-                "channel_identity_id": {
+                "client_type": {
                     "type": "string"
                 },
-                "description": {
-                    "type": "string"
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "effect": {
+                "created_at": {
                     "type": "string"
                 },
-                "enabled": {
+                "enable": {
                     "type": "boolean"
                 },
-                "priority": {
-                    "type": "integer"
+                "icon": {
+                    "type": "string"
                 },
-                "source_scope": {
-                    "$ref": "#/definitions/acl.SourceScope"
+                "id": {
+                    "type": "string"
                 },
-                "subject_channel_type": {
+                "name": {
                     "type": "string"
                 },
-                "subject_kind": {
+                "updated_at": {
                     "type": "string"
                 }
             }
         },
-        "acl.DefaultEffectResponse": {
+        "audio.TestSynthesizeRequest": {
             "type": "object",
             "properties": {
-                "default_effect": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "text": {
                     "type": "string"
                 }
             }
         },
-        "acl.ListRulesResponse": {
+        "audio.TestTranscriptionResponse": {
             "type": "object",
             "properties": {
-                "items": {
+                "duration_seconds": {
+                    "type": "number"
+                },
+                "language": {
+                    "type": "string"
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "text": {
+                    "type": "string"
+                },
+                "words": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/acl.Rule"
+                        "$ref": "#/definitions/audio.TranscriptionWord"
                     }
                 }
             }
         },
-        "acl.ObservedConversationCandidate": {
+        "audio.TranscriptionModelResponse": {
             "type": "object",
             "properties": {
-                "channel": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "created_at": {
                     "type": "string"
                 },
-                "conversation_id": {
+                "id": {
                     "type": "string"
                 },
-                "conversation_name": {
+                "model_id": {
                     "type": "string"
                 },
-                "conversation_type": {
+                "name": {
                     "type": "string"
                 },
-                "last_observed_at": {
+                "provider_id": {
                     "type": "string"
                 },
-                "route_id": {
+                "provider_type": {
                     "type": "string"
                 },
-                "thread_id": {
+                "updated_at": {
                     "type": "string"
                 }
             }
         },
-        "acl.ObservedConversationCandidateListResponse": {
-            "type": "object",
-            "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/acl.ObservedConversationCandidate"
-                    }
-                }
-            }
-        },
-        "acl.ReorderItem": {
+        "audio.TranscriptionWord": {
             "type": "object",
             "properties": {
-                "id": {
+                "end": {
+                    "type": "number"
+                },
+                "speaker_id": {
                     "type": "string"
                 },
-                "priority": {
-                    "type": "integer"
+                "start": {
+                    "type": "number"
+                },
+                "text": {
+                    "type": "string"
                 }
             }
         },
-        "acl.ReorderRequest": {
+        "audio.UpdateSpeechModelRequest": {
             "type": "object",
             "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/acl.ReorderItem"
-                    }
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "name": {
+                    "type": "string"
                 }
             }
         },
-        "acl.Rule": {
+        "audio.VoiceInfo": {
             "type": "object",
             "properties": {
-                "action": {
-                    "type": "string"
-                },
-                "bot_id": {
+                "id": {
                     "type": "string"
                 },
-                "channel_identity_avatar_url": {
+                "lang": {
                     "type": "string"
                 },
-                "channel_identity_display_name": {
+                "name": {
                     "type": "string"
-                },
-                "channel_identity_id": {
+                }
+            }
+        },
+        "bots.Bot": {
+            "type": "object",
+            "properties": {
+                "avatar_url": {
                     "type": "string"
                 },
-                "channel_subject_id": {
-                    "type": "string"
+                "check_issue_count": {
+                    "type": "integer"
                 },
-                "channel_type": {
+                "check_state": {
                     "type": "string"
                 },
                 "created_at": {
                     "type": "string"
                 },
-                "description": {
+                "display_name": {
                     "type": "string"
                 },
-                "effect": {
+                "id": {
                     "type": "string"
                 },
-                "enabled": {
+                "is_active": {
                     "type": "boolean"
                 },
-                "id": {
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "owner_user_id": {
                     "type": "string"
                 },
-                "linked_user_avatar_url": {
+                "status": {
                     "type": "string"
                 },
-                "linked_user_display_name": {
+                "timezone": {
                     "type": "string"
                 },
-                "linked_user_id": {
+                "updated_at": {
+                    "type": "string"
+                }
+            }
+        },
+        "bots.BotCheck": {
+            "type": "object",
+            "properties": {
+                "detail": {
                     "type": "string"
                 },
-                "linked_user_username": {
+                "id": {
                     "type": "string"
                 },
-                "priority": {
-                    "type": "integer"
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "source_scope": {
-                    "$ref": "#/definitions/acl.SourceScope"
+                "status": {
+                    "type": "string"
                 },
-                "subject_channel_type": {
+                "subtitle": {
                     "type": "string"
                 },
-                "subject_kind": {
+                "summary": {
                     "type": "string"
                 },
-                "updated_at": {
+                "title_key": {
+                    "type": "string"
+                },
+                "type": {
                     "type": "string"
                 }
             }
         },
-        "acl.SourceScope": {
+        "bots.CreateBotRequest": {
             "type": "object",
             "properties": {
-                "conversation_id": {
+                "acl_preset": {
                     "type": "string"
                 },
-                "conversation_type": {
+                "avatar_url": {
                     "type": "string"
                 },
-                "thread_id": {
+                "display_name": {
+                    "type": "string"
+                },
+                "is_active": {
+                    "type": "boolean"
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "timezone": {
                     "type": "string"
                 }
             }
         },
-        "acl.UpdateRuleRequest": {
+        "bots.ListBotsResponse": {
             "type": "object",
             "properties": {
-                "channel_identity_id": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/bots.Bot"
+                    }
+                }
+            }
+        },
+        "bots.ListChecksResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/bots.BotCheck"
+                    }
+                }
+            }
+        },
+        "bots.TransferBotRequest": {
+            "type": "object",
+            "properties": {
+                "owner_user_id": {
                     "type": "string"
-                },
-                "description": {
+                }
+            }
+        },
+        "bots.UpdateBotRequest": {
+            "type": "object",
+            "properties": {
+                "avatar_url": {
                     "type": "string"
                 },
-                "effect": {
+                "display_name": {
                     "type": "string"
                 },
-                "enabled": {
+                "is_active": {
                     "type": "boolean"
                 },
-                "priority": {
-                    "type": "integer"
-                },
-                "source_scope": {
-                    "$ref": "#/definitions/acl.SourceScope"
-                },
-                "subject_channel_type": {
-                    "type": "string"
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "subject_kind": {
+                "timezone": {
                     "type": "string"
                 }
             }
         },
-        "adapters.CDFPoint": {
+        "browsercontexts.BrowserContext": {
             "type": "object",
             "properties": {
-                "cumulative": {
-                    "description": "cumulative weight fraction [0.0, 1.0]",
-                    "type": "number"
+                "config": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
                 },
-                "k": {
-                    "description": "rank position (1-based, sorted by value desc)",
-                    "type": "integer"
+                "created_at": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
                 }
             }
         },
-        "adapters.CompactResult": {
+        "browsercontexts.CreateRequest": {
             "type": "object",
             "properties": {
-                "after_count": {
-                    "type": "integer"
-                },
-                "before_count": {
-                    "type": "integer"
-                },
-                "ratio": {
-                    "type": "number"
-                },
-                "results": {
+                "config": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/adapters.MemoryItem"
+                        "type": "integer"
                     }
+                },
+                "name": {
+                    "type": "string"
                 }
             }
         },
-        "adapters.DeleteResponse": {
+        "browsercontexts.UpdateRequest": {
             "type": "object",
             "properties": {
-                "message": {
+                "config": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                },
+                "name": {
                     "type": "string"
                 }
             }
         },
-        "adapters.HealthStatus": {
+        "channel.Action": {
             "type": "object",
             "properties": {
-                "error": {
+                "label": {
                     "type": "string"
                 },
-                "ok": {
-                    "type": "boolean"
+                "type": {
+                    "type": "string"
+                },
+                "url": {
+                    "type": "string"
+                },
+                "value": {
+                    "type": "string"
                 }
             }
         },
-        "adapters.MemoryItem": {
+        "channel.Attachment": {
             "type": "object",
             "properties": {
-                "agent_id": {
+                "base64": {
+                    "description": "data URL for agent delivery",
                     "type": "string"
                 },
-                "bot_id": {
+                "caption": {
                     "type": "string"
                 },
-                "cdf_curve": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/adapters.CDFPoint"
-                    }
+                "content_hash": {
+                    "type": "string"
                 },
-                "created_at": {
+                "duration_ms": {
+                    "type": "integer"
+                },
+                "height": {
+                    "type": "integer"
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "mime": {
                     "type": "string"
                 },
-                "hash": {
+                "name": {
                     "type": "string"
                 },
-                "id": {
+                "path": {
+                    "description": "container-local filesystem path",
                     "type": "string"
                 },
-                "memory": {
+                "platform_key": {
                     "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "size": {
+                    "type": "integer"
                 },
-                "run_id": {
+                "source_platform": {
                     "type": "string"
                 },
-                "score": {
-                    "type": "number"
+                "thumbnail_url": {
+                    "type": "string"
                 },
-                "top_k_buckets": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/adapters.TopKBucket"
-                    }
+                "type": {
+                    "$ref": "#/definitions/channel.AttachmentType"
                 },
-                "updated_at": {
+                "url": {
+                    "description": "HTTP(S) or data URL",
                     "type": "string"
+                },
+                "width": {
+                    "type": "integer"
                 }
             }
         },
-        "adapters.MemoryStatusResponse": {
+        "channel.AttachmentType": {
+            "type": "string",
+            "enum": [
+                "image",
+                "audio",
+                "video",
+                "voice",
+                "file",
+                "gif"
+            ],
+            "x-enum-varnames": [
+                "AttachmentImage",
+                "AttachmentAudio",
+                "AttachmentVideo",
+                "AttachmentVoice",
+                "AttachmentFile",
+                "AttachmentGIF"
+            ]
+        },
+        "channel.ChannelCapabilities": {
             "type": "object",
             "properties": {
-                "can_manual_sync": {
+                "attachments": {
                     "type": "boolean"
                 },
-                "encoder": {
-                    "$ref": "#/definitions/adapters.HealthStatus"
+                "block_streaming": {
+                    "type": "boolean"
                 },
-                "indexed_count": {
-                    "type": "integer"
+                "buttons": {
+                    "type": "boolean"
                 },
-                "markdown_file_count": {
-                    "type": "integer"
+                "chat_types": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "memory_mode": {
-                    "type": "string"
+                "edit": {
+                    "type": "boolean"
                 },
-                "overview_path": {
-                    "type": "string"
+                "markdown": {
+                    "type": "boolean"
                 },
-                "provider_type": {
-                    "type": "string"
+                "media": {
+                    "type": "boolean"
                 },
-                "qdrant": {
-                    "$ref": "#/definitions/adapters.HealthStatus"
+                "native_commands": {
+                    "type": "boolean"
                 },
-                "qdrant_collection": {
-                    "type": "string"
+                "polls": {
+                    "type": "boolean"
                 },
-                "source_count": {
-                    "type": "integer"
+                "reactions": {
+                    "type": "boolean"
                 },
-                "source_dir": {
-                    "type": "string"
+                "reply": {
+                    "type": "boolean"
+                },
+                "rich_text": {
+                    "type": "boolean"
+                },
+                "streaming": {
+                    "type": "boolean"
+                },
+                "text": {
+                    "type": "boolean"
+                },
+                "threads": {
+                    "type": "boolean"
+                },
+                "unsend": {
+                    "type": "boolean"
                 }
             }
         },
-        "adapters.Message": {
+        "channel.ChannelConfig": {
             "type": "object",
             "properties": {
-                "content": {
+                "bot_id": {
                     "type": "string"
                 },
-                "role": {
+                "channel_type": {
+                    "$ref": "#/definitions/channel.ChannelType"
+                },
+                "created_at": {
+                    "type": "string"
+                },
+                "credentials": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "disabled": {
+                    "type": "boolean"
+                },
+                "external_identity": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "routing": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "self_identity": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "updated_at": {
+                    "type": "string"
+                },
+                "verified_at": {
                     "type": "string"
                 }
             }
         },
-        "adapters.ProviderCollectionStatus": {
+        "channel.ChannelIdentityBinding": {
             "type": "object",
             "properties": {
-                "exists": {
-                    "type": "boolean"
+                "channel_identity_id": {
+                    "type": "string"
                 },
-                "name": {
+                "channel_type": {
+                    "$ref": "#/definitions/channel.ChannelType"
+                },
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "created_at": {
                     "type": "string"
                 },
-                "points": {
-                    "type": "integer"
+                "id": {
+                    "type": "string"
                 },
-                "qdrant": {
-                    "$ref": "#/definitions/adapters.HealthStatus"
+                "updated_at": {
+                    "type": "string"
                 }
             }
         },
-        "adapters.ProviderConfigSchema": {
+        "channel.ChannelType": {
+            "type": "string",
+            "enum": [
+                "telegram",
+                "feishu",
+                "dingtalk",
+                "matrix",
+                "discord",
+                "qq",
+                "wecom",
+                "weixin",
+                "wechatoa",
+                "local",
+                "slack"
+            ],
+            "x-enum-varnames": [
+                "ChannelTypeTelegram",
+                "ChannelTypeFeishu",
+                "ChannelTypeDingtalk",
+                "ChannelTypeMatrix",
+                "ChannelTypeDiscord",
+                "ChannelTypeQQ",
+                "ChannelTypeWecom",
+                "ChannelTypeWeixin",
+                "ChannelTypeWeChatOA",
+                "ChannelTypeLocal",
+                "ChannelTypeSlack"
+            ]
+        },
+        "channel.ConfigSchema": {
             "type": "object",
             "properties": {
                 "fields": {
                     "type": "object",
                     "additionalProperties": {
-                        "$ref": "#/definitions/adapters.ProviderFieldSchema"
+                        "$ref": "#/definitions/channel.FieldSchema"
                     }
-                }
-            }
-        },
-        "adapters.ProviderCreateRequest": {
-            "type": "object",
-            "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "name": {
-                    "type": "string"
                 },
-                "provider": {
-                    "$ref": "#/definitions/adapters.ProviderType"
+                "version": {
+                    "type": "integer"
                 }
             }
         },
-        "adapters.ProviderFieldSchema": {
+        "channel.FieldSchema": {
             "type": "object",
             "properties": {
                 "description": {
                     "type": "string"
                 },
+                "enum": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                 "example": {},
-                "required": {
-                    "type": "boolean"
+                "order": {
+                    "type": "integer"
                 },
-                "secret": {
+                "required": {
                     "type": "boolean"
                 },
                 "title": {
                     "type": "string"
                 },
                 "type": {
-                    "type": "string"
+                    "$ref": "#/definitions/channel.FieldType"
                 }
             }
         },
-        "adapters.ProviderGetResponse": {
+        "channel.FieldType": {
+            "type": "string",
+            "enum": [
+                "string",
+                "secret",
+                "bool",
+                "number",
+                "enum"
+            ],
+            "x-enum-varnames": [
+                "FieldString",
+                "FieldSecret",
+                "FieldBool",
+                "FieldNumber",
+                "FieldEnum"
+            ]
+        },
+        "channel.Message": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "created_at": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
-                },
-                "is_default": {
-                    "type": "boolean"
+                "actions": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/channel.Action"
+                    }
                 },
-                "name": {
-                    "type": "string"
+                "attachments": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/channel.Attachment"
+                    }
                 },
-                "provider": {
-                    "type": "string"
+                "format": {
+                    "$ref": "#/definitions/channel.MessageFormat"
                 },
-                "updated_at": {
+                "id": {
                     "type": "string"
-                }
-            }
-        },
-        "adapters.ProviderMeta": {
-            "type": "object",
-            "properties": {
-                "config_schema": {
-                    "$ref": "#/definitions/adapters.ProviderConfigSchema"
                 },
-                "display_name": {
-                    "type": "string"
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "provider": {
-                    "type": "string"
-                }
-            }
-        },
-        "adapters.ProviderStatusResponse": {
-            "type": "object",
-            "properties": {
-                "collections": {
+                "parts": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/adapters.ProviderCollectionStatus"
+                        "$ref": "#/definitions/channel.MessagePart"
                     }
                 },
-                "embedding_model_id": {
-                    "type": "string"
+                "reply": {
+                    "$ref": "#/definitions/channel.ReplyRef"
                 },
-                "memory_mode": {
+                "text": {
                     "type": "string"
                 },
-                "provider_type": {
-                    "type": "string"
+                "thread": {
+                    "$ref": "#/definitions/channel.ThreadRef"
                 }
             }
         },
-        "adapters.ProviderType": {
+        "channel.MessageFormat": {
             "type": "string",
             "enum": [
-                "builtin",
-                "mem0",
-                "openviking"
+                "plain",
+                "markdown",
+                "rich"
             ],
             "x-enum-varnames": [
-                "ProviderBuiltin",
-                "ProviderMem0",
-                "ProviderOpenViking"
+                "MessageFormatPlain",
+                "MessageFormatMarkdown",
+                "MessageFormatRich"
             ]
         },
-        "adapters.ProviderUpdateRequest": {
+        "channel.MessagePart": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "name": {
+                "channel_identity_id": {
                     "type": "string"
-                }
-            }
-        },
-        "adapters.RebuildResult": {
-            "type": "object",
-            "properties": {
-                "fs_count": {
-                    "type": "integer"
                 },
-                "missing_count": {
-                    "type": "integer"
+                "emoji": {
+                    "type": "string"
                 },
-                "restored_count": {
-                    "type": "integer"
+                "language": {
+                    "type": "string"
                 },
-                "storage_count": {
-                    "type": "integer"
-                }
-            }
-        },
-        "adapters.SearchResponse": {
-            "type": "object",
-            "properties": {
-                "relations": {
-                    "type": "array",
-                    "items": {}
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "results": {
+                "styles": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/adapters.MemoryItem"
+                        "$ref": "#/definitions/channel.MessageTextStyle"
                     }
-                }
-            }
-        },
-        "adapters.TopKBucket": {
-            "type": "object",
-            "properties": {
-                "index": {
-                    "description": "sparse dimension index (term hash)",
-                    "type": "integer"
-                },
-                "value": {
-                    "description": "weight (term frequency)",
-                    "type": "number"
-                }
-            }
-        },
-        "adapters.UsageResponse": {
-            "type": "object",
-            "properties": {
-                "avg_text_bytes": {
-                    "type": "integer"
                 },
-                "count": {
-                    "type": "integer"
+                "text": {
+                    "type": "string"
                 },
-                "estimated_storage_bytes": {
-                    "type": "integer"
+                "type": {
+                    "$ref": "#/definitions/channel.MessagePartType"
                 },
-                "total_text_bytes": {
-                    "type": "integer"
+                "url": {
+                    "type": "string"
                 }
             }
         },
-        "audio.ConfigSchema": {
-            "type": "object",
-            "properties": {
-                "fields": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.FieldSchema"
-                    }
-                }
-            }
+        "channel.MessagePartType": {
+            "type": "string",
+            "enum": [
+                "text",
+                "link",
+                "code_block",
+                "mention",
+                "emoji"
+            ],
+            "x-enum-varnames": [
+                "MessagePartText",
+                "MessagePartLink",
+                "MessagePartCodeBlock",
+                "MessagePartMention",
+                "MessagePartEmoji"
+            ]
         },
-        "audio.FieldSchema": {
+        "channel.MessageTextStyle": {
+            "type": "string",
+            "enum": [
+                "bold",
+                "italic",
+                "strikethrough",
+                "code"
+            ],
+            "x-enum-varnames": [
+                "MessageStyleBold",
+                "MessageStyleItalic",
+                "MessageStyleStrikethrough",
+                "MessageStyleCode"
+            ]
+        },
+        "channel.ReplyRef": {
             "type": "object",
             "properties": {
-                "advanced": {
-                    "type": "boolean"
-                },
-                "description": {
+                "message_id": {
                     "type": "string"
                 },
-                "enum": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
-                },
-                "example": {},
-                "key": {
+                "preview": {
                     "type": "string"
                 },
-                "order": {
-                    "type": "integer"
-                },
-                "required": {
-                    "type": "boolean"
-                },
-                "title": {
+                "sender": {
                     "type": "string"
                 },
-                "type": {
+                "target": {
                     "type": "string"
                 }
             }
         },
-        "audio.ImportModelsResponse": {
+        "channel.SendRequest": {
             "type": "object",
             "properties": {
-                "created": {
-                    "type": "integer"
+                "channel_identity_id": {
+                    "type": "string"
                 },
-                "models": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                "message": {
+                    "$ref": "#/definitions/channel.Message"
                 },
-                "skipped": {
-                    "type": "integer"
+                "target": {
+                    "type": "string"
                 }
             }
         },
-        "audio.ModelCapabilities": {
+        "channel.TargetHint": {
             "type": "object",
             "properties": {
-                "config_schema": {
-                    "$ref": "#/definitions/audio.ConfigSchema"
-                },
-                "formats": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
-                },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {
-                        "type": "string"
-                    }
-                },
-                "pitch": {
-                    "$ref": "#/definitions/audio.ParamConstraint"
+                "example": {
+                    "type": "string"
                 },
-                "speed": {
-                    "$ref": "#/definitions/audio.ParamConstraint"
+                "label": {
+                    "type": "string"
+                }
+            }
+        },
+        "channel.TargetSpec": {
+            "type": "object",
+            "properties": {
+                "format": {
+                    "type": "string"
                 },
-                "voices": {
+                "hints": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/audio.VoiceInfo"
+                        "$ref": "#/definitions/channel.TargetHint"
                     }
                 }
             }
         },
-        "audio.ModelInfo": {
+        "channel.ThreadRef": {
             "type": "object",
             "properties": {
-                "capabilities": {
-                    "$ref": "#/definitions/audio.ModelCapabilities"
-                },
-                "config_schema": {
-                    "$ref": "#/definitions/audio.ConfigSchema"
-                },
-                "description": {
-                    "type": "string"
-                },
                 "id": {
                     "type": "string"
-                },
-                "name": {
-                    "type": "string"
-                },
-                "template_only": {
-                    "type": "boolean"
                 }
             }
         },
-        "audio.ParamConstraint": {
+        "channel.UpdateChannelStatusRequest": {
             "type": "object",
             "properties": {
-                "default": {
-                    "type": "number"
-                },
-                "max": {
-                    "type": "number"
-                },
-                "min": {
-                    "type": "number"
-                },
-                "options": {
-                    "type": "array",
-                    "items": {
-                        "type": "number"
-                    }
+                "disabled": {
+                    "type": "boolean"
                 }
             }
         },
-        "audio.ProviderMetaResponse": {
+        "channel.UpsertChannelIdentityConfigRequest": {
             "type": "object",
             "properties": {
-                "config_schema": {
-                    "$ref": "#/definitions/audio.ConfigSchema"
-                },
-                "default_model": {
-                    "type": "string"
-                },
-                "default_synthesis_model": {
-                    "type": "string"
-                },
-                "default_transcription_model": {
-                    "type": "string"
-                },
-                "description": {
-                    "type": "string"
-                },
-                "display_name": {
-                    "type": "string"
-                },
-                "models": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.ModelInfo"
-                    }
-                },
-                "provider": {
-                    "type": "string"
-                },
-                "supports_synthesis_list": {
-                    "type": "boolean"
-                },
-                "supports_transcription_list": {
-                    "type": "boolean"
-                },
-                "synthesis_models": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.ModelInfo"
-                    }
-                },
-                "transcription_models": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.ModelInfo"
-                    }
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
                 }
             }
         },
-        "audio.SpeechModelResponse": {
+        "channel.UpsertConfigRequest": {
             "type": "object",
             "properties": {
-                "config": {
+                "credentials": {
                     "type": "object",
                     "additionalProperties": {}
                 },
-                "created_at": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
+                "disabled": {
+                    "type": "boolean"
                 },
-                "model_id": {
+                "external_identity": {
                     "type": "string"
                 },
-                "name": {
-                    "type": "string"
+                "routing": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "provider_id": {
-                    "type": "string"
+                "self_identity": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "provider_type": {
+                "verified_at": {
                     "type": "string"
+                }
+            }
+        },
+        "compaction.ListLogsResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/compaction.Log"
+                    }
                 },
-                "updated_at": {
-                    "type": "string"
+                "total_count": {
+                    "type": "integer"
                 }
             }
         },
-        "audio.SpeechProviderResponse": {
+        "compaction.Log": {
             "type": "object",
             "properties": {
-                "client_type": {
+                "bot_id": {
                     "type": "string"
                 },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "created_at": {
+                "completed_at": {
                     "type": "string"
                 },
-                "enable": {
-                    "type": "boolean"
-                },
-                "icon": {
+                "error_message": {
                     "type": "string"
                 },
                 "id": {
                     "type": "string"
                 },
-                "name": {
-                    "type": "string"
+                "message_count": {
+                    "type": "integer"
                 },
-                "updated_at": {
+                "model_id": {
                     "type": "string"
-                }
-            }
-        },
-        "audio.TestSynthesizeRequest": {
-            "type": "object",
-            "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
                 },
-                "text": {
+                "session_id": {
                     "type": "string"
-                }
-            }
-        },
-        "audio.TestTranscriptionResponse": {
-            "type": "object",
-            "properties": {
-                "duration_seconds": {
-                    "type": "number"
                 },
-                "language": {
+                "started_at": {
                     "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "status": {
+                    "type": "string"
                 },
-                "text": {
+                "summary": {
                     "type": "string"
                 },
-                "words": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.TranscriptionWord"
-                    }
-                }
+                "usage": {}
             }
         },
-        "audio.TranscriptionModelResponse": {
+        "email.BindingResponse": {
             "type": "object",
             "properties": {
+                "bot_id": {
+                    "type": "string"
+                },
+                "can_delete": {
+                    "type": "boolean"
+                },
+                "can_read": {
+                    "type": "boolean"
+                },
+                "can_write": {
+                    "type": "boolean"
+                },
                 "config": {
                     "type": "object",
                     "additionalProperties": {}
@@ -10618,19 +12643,13 @@ const docTemplate = `{
                 "created_at": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
-                },
-                "model_id": {
-                    "type": "string"
-                },
-                "name": {
+                "email_address": {
                     "type": "string"
                 },
-                "provider_id": {
+                "email_provider_id": {
                     "type": "string"
                 },
-                "provider_type": {
+                "id": {
                     "type": "string"
                 },
                 "updated_at": {
@@ -10638,24 +12657,42 @@ const docTemplate = `{
                 }
             }
         },
-        "audio.TranscriptionWord": {
+        "email.ConfigSchema": {
             "type": "object",
             "properties": {
-                "end": {
-                    "type": "number"
+                "fields": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/email.FieldSchema"
+                    }
+                }
+            }
+        },
+        "email.CreateBindingRequest": {
+            "type": "object",
+            "properties": {
+                "can_delete": {
+                    "type": "boolean"
                 },
-                "speaker_id": {
-                    "type": "string"
+                "can_read": {
+                    "type": "boolean"
                 },
-                "start": {
-                    "type": "number"
+                "can_write": {
+                    "type": "boolean"
                 },
-                "text": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "email_address": {
+                    "type": "string"
+                },
+                "email_provider_id": {
                     "type": "string"
                 }
             }
         },
-        "audio.UpdateSpeechModelRequest": {
+        "email.CreateProviderRequest": {
             "type": "object",
             "properties": {
                 "config": {
@@ -10664,1081 +12701,880 @@ const docTemplate = `{
                 },
                 "name": {
                     "type": "string"
+                },
+                "provider": {
+                    "type": "string"
                 }
             }
         },
-        "audio.VoiceInfo": {
+        "email.FieldSchema": {
             "type": "object",
             "properties": {
-                "id": {
+                "description": {
                     "type": "string"
                 },
-                "lang": {
+                "enum": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
+                "example": {},
+                "key": {
                     "type": "string"
                 },
-                "name": {
+                "order": {
+                    "type": "integer"
+                },
+                "required": {
+                    "type": "boolean"
+                },
+                "title": {
+                    "type": "string"
+                },
+                "type": {
                     "type": "string"
                 }
             }
         },
-        "bots.Bot": {
+        "email.OutboxItemResponse": {
             "type": "object",
             "properties": {
-                "avatar_url": {
+                "attachments": {
+                    "type": "array",
+                    "items": {}
+                },
+                "body_html": {
                     "type": "string"
                 },
-                "check_issue_count": {
-                    "type": "integer"
+                "body_text": {
+                    "type": "string"
                 },
-                "check_state": {
+                "bot_id": {
                     "type": "string"
                 },
                 "created_at": {
                     "type": "string"
                 },
-                "display_name": {
+                "error": {
+                    "type": "string"
+                },
+                "from": {
                     "type": "string"
                 },
                 "id": {
                     "type": "string"
                 },
-                "is_active": {
-                    "type": "boolean"
+                "message_id": {
+                    "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "provider_id": {
+                    "type": "string"
                 },
-                "owner_user_id": {
+                "sent_at": {
                     "type": "string"
                 },
                 "status": {
                     "type": "string"
                 },
-                "timezone": {
+                "subject": {
                     "type": "string"
                 },
-                "updated_at": {
-                    "type": "string"
+                "to": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 }
             }
         },
-        "bots.BotCheck": {
+        "email.ProviderMeta": {
             "type": "object",
             "properties": {
-                "detail": {
-                    "type": "string"
+                "config_schema": {
+                    "$ref": "#/definitions/email.ConfigSchema"
                 },
-                "id": {
+                "display_name": {
                     "type": "string"
                 },
-                "metadata": {
+                "provider": {
+                    "type": "string"
+                }
+            }
+        },
+        "email.ProviderResponse": {
+            "type": "object",
+            "properties": {
+                "config": {
                     "type": "object",
                     "additionalProperties": {}
                 },
-                "status": {
+                "created_at": {
                     "type": "string"
                 },
-                "subtitle": {
+                "id": {
                     "type": "string"
                 },
-                "summary": {
+                "name": {
                     "type": "string"
                 },
-                "title_key": {
+                "provider": {
                     "type": "string"
                 },
-                "type": {
+                "updated_at": {
                     "type": "string"
                 }
             }
         },
-        "bots.CreateBotRequest": {
+        "email.UpdateBindingRequest": {
             "type": "object",
             "properties": {
-                "acl_preset": {
-                    "type": "string"
-                },
-                "avatar_url": {
-                    "type": "string"
+                "can_delete": {
+                    "type": "boolean"
                 },
-                "display_name": {
-                    "type": "string"
+                "can_read": {
+                    "type": "boolean"
                 },
-                "is_active": {
+                "can_write": {
                     "type": "boolean"
                 },
-                "metadata": {
+                "config": {
                     "type": "object",
                     "additionalProperties": {}
                 },
-                "timezone": {
+                "email_address": {
                     "type": "string"
                 }
             }
         },
-        "bots.ListBotsResponse": {
-            "type": "object",
-            "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/bots.Bot"
-                    }
-                }
-            }
-        },
-        "bots.ListChecksResponse": {
-            "type": "object",
-            "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/bots.BotCheck"
-                    }
-                }
-            }
-        },
-        "bots.TransferBotRequest": {
+        "email.UpdateProviderRequest": {
             "type": "object",
             "properties": {
-                "owner_user_id": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "name": {
+                    "type": "string"
+                },
+                "provider": {
                     "type": "string"
                 }
             }
         },
-        "bots.UpdateBotRequest": {
+        "github_com_memohai_memoh_internal_accounts.Account": {
             "type": "object",
             "properties": {
                 "avatar_url": {
                     "type": "string"
                 },
+                "created_at": {
+                    "type": "string"
+                },
                 "display_name": {
                     "type": "string"
                 },
+                "email": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
                 "is_active": {
                     "type": "boolean"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "last_login_at": {
+                    "type": "string"
                 },
                 "timezone": {
                     "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
+                },
+                "username": {
+                    "type": "string"
                 }
             }
         },
-        "browsercontexts.BrowserContext": {
+        "github_com_memohai_memoh_internal_accounts.CreateAccountRequest": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "array",
-                    "items": {
-                        "type": "integer"
-                    }
+                "avatar_url": {
+                    "type": "string"
                 },
-                "created_at": {
+                "display_name": {
                     "type": "string"
                 },
-                "id": {
+                "email": {
                     "type": "string"
                 },
-                "name": {
+                "is_active": {
+                    "type": "boolean"
+                },
+                "password": {
                     "type": "string"
                 },
-                "updated_at": {
+                "username": {
                     "type": "string"
                 }
             }
         },
-        "browsercontexts.CreateRequest": {
+        "github_com_memohai_memoh_internal_accounts.ListAccountsResponse": {
             "type": "object",
             "properties": {
-                "config": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "integer"
+                        "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
                     }
-                },
-                "name": {
+                }
+            }
+        },
+        "github_com_memohai_memoh_internal_accounts.ResetPasswordRequest": {
+            "type": "object",
+            "properties": {
+                "new_password": {
                     "type": "string"
                 }
             }
         },
-        "browsercontexts.UpdateRequest": {
+        "github_com_memohai_memoh_internal_accounts.UpdateAccountRequest": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "array",
-                    "items": {
-                        "type": "integer"
-                    }
+                "avatar_url": {
+                    "type": "string"
                 },
-                "name": {
+                "display_name": {
                     "type": "string"
+                },
+                "is_active": {
+                    "type": "boolean"
                 }
             }
         },
-        "channel.Action": {
+        "github_com_memohai_memoh_internal_accounts.UpdatePasswordRequest": {
             "type": "object",
             "properties": {
-                "label": {
+                "current_password": {
                     "type": "string"
                 },
-                "type": {
+                "new_password": {
+                    "type": "string"
+                }
+            }
+        },
+        "github_com_memohai_memoh_internal_accounts.UpdateProfileRequest": {
+            "type": "object",
+            "properties": {
+                "avatar_url": {
                     "type": "string"
                 },
-                "url": {
+                "display_name": {
                     "type": "string"
                 },
-                "value": {
+                "timezone": {
                     "type": "string"
                 }
             }
         },
-        "channel.Attachment": {
+        "github_com_memohai_memoh_internal_mcp.Connection": {
             "type": "object",
             "properties": {
-                "base64": {
-                    "description": "data URL for agent delivery",
-                    "type": "string"
-                },
-                "caption": {
+                "auth_type": {
                     "type": "string"
                 },
-                "content_hash": {
+                "bot_id": {
                     "type": "string"
                 },
-                "duration_ms": {
-                    "type": "integer"
-                },
-                "height": {
-                    "type": "integer"
-                },
-                "metadata": {
+                "config": {
                     "type": "object",
                     "additionalProperties": {}
                 },
-                "mime": {
+                "created_at": {
                     "type": "string"
                 },
-                "name": {
+                "id": {
                     "type": "string"
                 },
-                "path": {
-                    "description": "container-local filesystem path",
-                    "type": "string"
+                "is_active": {
+                    "type": "boolean"
                 },
-                "platform_key": {
+                "last_probed_at": {
                     "type": "string"
                 },
-                "size": {
-                    "type": "integer"
+                "name": {
+                    "type": "string"
                 },
-                "source_platform": {
+                "status": {
                     "type": "string"
                 },
-                "thumbnail_url": {
+                "status_message": {
                     "type": "string"
                 },
-                "type": {
-                    "$ref": "#/definitions/channel.AttachmentType"
+                "tools_cache": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/mcp.ToolDescriptor"
+                    }
                 },
-                "url": {
-                    "description": "HTTP(S) or data URL",
+                "type": {
                     "type": "string"
                 },
-                "width": {
-                    "type": "integer"
+                "updated_at": {
+                    "type": "string"
                 }
             }
         },
-        "channel.AttachmentType": {
-            "type": "string",
-            "enum": [
-                "image",
-                "audio",
-                "video",
-                "voice",
-                "file",
-                "gif"
-            ],
-            "x-enum-varnames": [
-                "AttachmentImage",
-                "AttachmentAudio",
-                "AttachmentVideo",
-                "AttachmentVoice",
-                "AttachmentFile",
-                "AttachmentGIF"
-            ]
+        "handlers.BatchDeleteRequest": {
+            "type": "object",
+            "properties": {
+                "ids": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                }
+            }
         },
-        "channel.ChannelCapabilities": {
+        "handlers.BrowserCoresResponse": {
             "type": "object",
             "properties": {
-                "attachments": {
-                    "type": "boolean"
-                },
-                "block_streaming": {
-                    "type": "boolean"
-                },
-                "buttons": {
-                    "type": "boolean"
-                },
-                "chat_types": {
+                "cores": {
                     "type": "array",
                     "items": {
                         "type": "string"
                     }
-                },
-                "edit": {
-                    "type": "boolean"
-                },
-                "markdown": {
-                    "type": "boolean"
-                },
-                "media": {
-                    "type": "boolean"
-                },
-                "native_commands": {
-                    "type": "boolean"
-                },
-                "polls": {
-                    "type": "boolean"
-                },
-                "reactions": {
-                    "type": "boolean"
-                },
-                "reply": {
-                    "type": "boolean"
-                },
-                "rich_text": {
-                    "type": "boolean"
-                },
-                "streaming": {
-                    "type": "boolean"
-                },
-                "text": {
-                    "type": "boolean"
-                },
-                "threads": {
-                    "type": "boolean"
-                },
-                "unsend": {
-                    "type": "boolean"
                 }
             }
         },
-        "channel.ChannelConfig": {
+        "handlers.CacheStats": {
             "type": "object",
             "properties": {
-                "bot_id": {
-                    "type": "string"
-                },
-                "channel_type": {
-                    "$ref": "#/definitions/channel.ChannelType"
-                },
-                "created_at": {
-                    "type": "string"
-                },
-                "credentials": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "disabled": {
-                    "type": "boolean"
-                },
-                "external_identity": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
-                },
-                "routing": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "cache_hit_rate": {
+                    "type": "number"
                 },
-                "self_identity": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "cache_read_tokens": {
+                    "type": "integer"
                 },
-                "updated_at": {
-                    "type": "string"
+                "cache_write_tokens": {
+                    "type": "integer"
                 },
-                "verified_at": {
-                    "type": "string"
+                "total_input_tokens": {
+                    "type": "integer"
                 }
             }
         },
-        "channel.ChannelIdentityBinding": {
+        "handlers.ChannelMeta": {
             "type": "object",
             "properties": {
-                "channel_identity_id": {
-                    "type": "string"
+                "capabilities": {
+                    "$ref": "#/definitions/channel.ChannelCapabilities"
                 },
-                "channel_type": {
-                    "$ref": "#/definitions/channel.ChannelType"
+                "config_schema": {
+                    "$ref": "#/definitions/channel.ConfigSchema"
                 },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "configless": {
+                    "type": "boolean"
                 },
-                "created_at": {
+                "display_name": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
+                "target_spec": {
+                    "$ref": "#/definitions/channel.TargetSpec"
                 },
-                "updated_at": {
+                "type": {
                     "type": "string"
-                }
-            }
-        },
-        "channel.ChannelType": {
-            "type": "string",
-            "enum": [
-                "telegram",
-                "feishu",
-                "dingtalk",
-                "matrix",
-                "discord",
-                "qq",
-                "wecom",
-                "weixin",
-                "wechatoa",
-                "local",
-                "slack"
-            ],
-            "x-enum-varnames": [
-                "ChannelTypeTelegram",
-                "ChannelTypeFeishu",
-                "ChannelTypeDingtalk",
-                "ChannelTypeMatrix",
-                "ChannelTypeDiscord",
-                "ChannelTypeQQ",
-                "ChannelTypeWecom",
-                "ChannelTypeWeixin",
-                "ChannelTypeWeChatOA",
-                "ChannelTypeLocal",
-                "ChannelTypeSlack"
-            ]
+                },
+                "user_config_schema": {
+                    "$ref": "#/definitions/channel.ConfigSchema"
+                }
+            }
         },
-        "channel.ConfigSchema": {
+        "handlers.ContainerCPUMetricsResponse": {
             "type": "object",
             "properties": {
-                "fields": {
-                    "type": "object",
-                    "additionalProperties": {
-                        "$ref": "#/definitions/channel.FieldSchema"
-                    }
+                "kernel_nanoseconds": {
+                    "type": "integer"
                 },
-                "version": {
+                "usage_nanocores": {
+                    "type": "integer"
+                },
+                "usage_nanoseconds": {
+                    "type": "integer"
+                },
+                "usage_percent": {
+                    "type": "number"
+                },
+                "user_nanoseconds": {
                     "type": "integer"
                 }
             }
         },
-        "channel.FieldSchema": {
+        "handlers.ContainerGPURequest": {
             "type": "object",
             "properties": {
-                "description": {
-                    "type": "string"
-                },
-                "enum": {
+                "devices": {
                     "type": "array",
                     "items": {
                         "type": "string"
                     }
+                }
+            }
+        },
+        "handlers.ContainerMemoryMetricsResponse": {
+            "type": "object",
+            "properties": {
+                "limit_bytes": {
+                    "type": "integer"
                 },
-                "example": {},
-                "order": {
+                "usage_bytes": {
                     "type": "integer"
                 },
-                "required": {
-                    "type": "boolean"
+                "usage_percent": {
+                    "type": "number"
+                }
+            }
+        },
+        "handlers.ContainerMetricsPayloadResponse": {
+            "type": "object",
+            "properties": {
+                "cpu": {
+                    "$ref": "#/definitions/handlers.ContainerCPUMetricsResponse"
                 },
-                "title": {
-                    "type": "string"
+                "memory": {
+                    "$ref": "#/definitions/handlers.ContainerMemoryMetricsResponse"
                 },
-                "type": {
-                    "$ref": "#/definitions/channel.FieldType"
+                "storage": {
+                    "$ref": "#/definitions/handlers.ContainerStorageMetricsResponse"
                 }
             }
         },
-        "channel.FieldType": {
-            "type": "string",
-            "enum": [
-                "string",
-                "secret",
-                "bool",
-                "number",
-                "enum"
-            ],
-            "x-enum-varnames": [
-                "FieldString",
-                "FieldSecret",
-                "FieldBool",
-                "FieldNumber",
-                "FieldEnum"
-            ]
+        "handlers.ContainerMetricsStatusResponse": {
+            "type": "object",
+            "properties": {
+                "exists": {
+                    "type": "boolean"
+                },
+                "task_running": {
+                    "type": "boolean"
+                }
+            }
         },
-        "channel.Message": {
+        "handlers.ContainerStorageMetricsResponse": {
             "type": "object",
             "properties": {
-                "actions": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.Action"
-                    }
+                "path": {
+                    "type": "string"
                 },
-                "attachments": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.Attachment"
-                    }
+                "used_bytes": {
+                    "type": "integer"
+                }
+            }
+        },
+        "handlers.ContextUsage": {
+            "type": "object",
+            "properties": {
+                "context_window": {
+                    "type": "integer"
                 },
-                "format": {
-                    "$ref": "#/definitions/channel.MessageFormat"
+                "used_tokens": {
+                    "type": "integer"
+                }
+            }
+        },
+        "handlers.CreateContainerRequest": {
+            "type": "object",
+            "properties": {
+                "gpu": {
+                    "$ref": "#/definitions/handlers.ContainerGPURequest"
                 },
-                "id": {
+                "image": {
                     "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "parts": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.MessagePart"
-                    }
+                "local_workspace_path": {
+                    "type": "string"
                 },
-                "reply": {
-                    "$ref": "#/definitions/channel.ReplyRef"
+                "restore_data": {
+                    "type": "boolean"
                 },
-                "text": {
+                "snapshotter": {
                     "type": "string"
                 },
-                "thread": {
-                    "$ref": "#/definitions/channel.ThreadRef"
+                "workspace_backend": {
+                    "type": "string"
                 }
             }
         },
-        "channel.MessageFormat": {
-            "type": "string",
-            "enum": [
-                "plain",
-                "markdown",
-                "rich"
-            ],
-            "x-enum-varnames": [
-                "MessageFormatPlain",
-                "MessageFormatMarkdown",
-                "MessageFormatRich"
-            ]
-        },
-        "channel.MessagePart": {
+        "handlers.CreateContainerResponse": {
             "type": "object",
             "properties": {
-                "channel_identity_id": {
-                    "type": "string"
+                "cdi_devices": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "emoji": {
+                "container_id": {
                     "type": "string"
                 },
-                "language": {
+                "container_path": {
                     "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "data_restored": {
+                    "type": "boolean"
                 },
-                "styles": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.MessageTextStyle"
-                    }
+                "has_preserved_data": {
+                    "type": "boolean"
                 },
-                "text": {
+                "image": {
                     "type": "string"
                 },
-                "type": {
-                    "$ref": "#/definitions/channel.MessagePartType"
+                "snapshotter": {
+                    "type": "string"
                 },
-                "url": {
+                "started": {
+                    "type": "boolean"
+                },
+                "workspace_backend": {
                     "type": "string"
                 }
             }
         },
-        "channel.MessagePartType": {
-            "type": "string",
-            "enum": [
-                "text",
-                "link",
-                "code_block",
-                "mention",
-                "emoji"
-            ],
-            "x-enum-varnames": [
-                "MessagePartText",
-                "MessagePartLink",
-                "MessagePartCodeBlock",
-                "MessagePartMention",
-                "MessagePartEmoji"
-            ]
-        },
-        "channel.MessageTextStyle": {
-            "type": "string",
-            "enum": [
-                "bold",
-                "italic",
-                "strikethrough",
-                "code"
-            ],
-            "x-enum-varnames": [
-                "MessageStyleBold",
-                "MessageStyleItalic",
-                "MessageStyleStrikethrough",
-                "MessageStyleCode"
-            ]
+        "handlers.CreateSnapshotRequest": {
+            "type": "object",
+            "properties": {
+                "snapshot_name": {
+                    "type": "string"
+                }
+            }
         },
-        "channel.ReplyRef": {
+        "handlers.CreateSnapshotResponse": {
             "type": "object",
             "properties": {
-                "message_id": {
+                "container_id": {
                     "type": "string"
                 },
-                "preview": {
+                "display_name": {
                     "type": "string"
                 },
-                "sender": {
+                "runtime_snapshot_name": {
                     "type": "string"
                 },
-                "target": {
-                    "type": "string"
-                }
-            }
-        },
-        "channel.SendRequest": {
-            "type": "object",
-            "properties": {
-                "channel_identity_id": {
+                "snapshot_name": {
                     "type": "string"
                 },
-                "message": {
-                    "$ref": "#/definitions/channel.Message"
+                "snapshotter": {
+                    "type": "string"
                 },
-                "target": {
+                "source": {
                     "type": "string"
+                },
+                "version": {
+                    "type": "integer"
                 }
             }
         },
-        "channel.TargetHint": {
+        "handlers.DailyTokenUsage": {
             "type": "object",
             "properties": {
-                "example": {
-                    "type": "string"
+                "cache_read_tokens": {
+                    "type": "integer"
                 },
-                "label": {
+                "cache_write_tokens": {
+                    "type": "integer"
+                },
+                "day": {
                     "type": "string"
+                },
+                "input_tokens": {
+                    "type": "integer"
+                },
+                "output_tokens": {
+                    "type": "integer"
+                },
+                "reasoning_tokens": {
+                    "type": "integer"
                 }
             }
         },
-        "channel.TargetSpec": {
+        "handlers.ErrorResponse": {
             "type": "object",
             "properties": {
-                "format": {
+                "message": {
                     "type": "string"
-                },
-                "hints": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.TargetHint"
-                    }
                 }
             }
         },
-        "channel.ThreadRef": {
+        "handlers.ExchangeSSOCodeRequest": {
             "type": "object",
             "properties": {
-                "id": {
+                "code": {
                     "type": "string"
                 }
             }
         },
-        "channel.UpdateChannelStatusRequest": {
+        "handlers.FSDeleteRequest": {
             "type": "object",
             "properties": {
-                "disabled": {
+                "path": {
+                    "type": "string"
+                },
+                "recursive": {
                     "type": "boolean"
                 }
             }
         },
-        "channel.UpsertChannelIdentityConfigRequest": {
-            "type": "object",
-            "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                }
-            }
-        },
-        "channel.UpsertConfigRequest": {
+        "handlers.FSFileInfo": {
             "type": "object",
             "properties": {
-                "credentials": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "disabled": {
+                "isDir": {
                     "type": "boolean"
                 },
-                "external_identity": {
+                "modTime": {
                     "type": "string"
                 },
-                "routing": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "mode": {
+                    "type": "string"
                 },
-                "self_identity": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "name": {
+                    "type": "string"
                 },
-                "verified_at": {
+                "path": {
                     "type": "string"
+                },
+                "size": {
+                    "type": "integer"
                 }
             }
         },
-        "compaction.ListLogsResponse": {
+        "handlers.FSListResponse": {
             "type": "object",
             "properties": {
-                "items": {
+                "entries": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/compaction.Log"
+                        "$ref": "#/definitions/handlers.FSFileInfo"
                     }
                 },
-                "total_count": {
-                    "type": "integer"
+                "path": {
+                    "type": "string"
                 }
             }
         },
-        "compaction.Log": {
+        "handlers.FSMkdirRequest": {
             "type": "object",
             "properties": {
-                "bot_id": {
-                    "type": "string"
-                },
-                "completed_at": {
-                    "type": "string"
-                },
-                "error_message": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
-                },
-                "message_count": {
-                    "type": "integer"
-                },
-                "model_id": {
-                    "type": "string"
-                },
-                "session_id": {
-                    "type": "string"
-                },
-                "started_at": {
-                    "type": "string"
-                },
-                "status": {
-                    "type": "string"
-                },
-                "summary": {
+                "path": {
                     "type": "string"
-                },
-                "usage": {}
+                }
             }
         },
-        "email.BindingResponse": {
+        "handlers.FSReadResponse": {
             "type": "object",
             "properties": {
-                "bot_id": {
-                    "type": "string"
-                },
-                "can_delete": {
-                    "type": "boolean"
-                },
-                "can_read": {
-                    "type": "boolean"
-                },
-                "can_write": {
-                    "type": "boolean"
-                },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "created_at": {
-                    "type": "string"
-                },
-                "email_address": {
-                    "type": "string"
-                },
-                "email_provider_id": {
+                "content": {
                     "type": "string"
                 },
-                "id": {
+                "path": {
                     "type": "string"
                 },
-                "updated_at": {
-                    "type": "string"
+                "size": {
+                    "type": "integer"
                 }
             }
         },
-        "email.ConfigSchema": {
+        "handlers.FSRenameRequest": {
             "type": "object",
             "properties": {
-                "fields": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/email.FieldSchema"
-                    }
+                "newPath": {
+                    "type": "string"
+                },
+                "oldPath": {
+                    "type": "string"
                 }
             }
         },
-        "email.CreateBindingRequest": {
+        "handlers.FSUploadResponse": {
             "type": "object",
             "properties": {
-                "can_delete": {
-                    "type": "boolean"
-                },
-                "can_read": {
-                    "type": "boolean"
-                },
-                "can_write": {
-                    "type": "boolean"
-                },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "email_address": {
+                "path": {
                     "type": "string"
                 },
-                "email_provider_id": {
-                    "type": "string"
+                "size": {
+                    "type": "integer"
                 }
             }
         },
-        "email.CreateProviderRequest": {
+        "handlers.FSWriteRequest": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "name": {
+                "content": {
                     "type": "string"
                 },
-                "provider": {
+                "path": {
                     "type": "string"
                 }
             }
         },
-        "email.FieldSchema": {
+        "handlers.GetContainerMetricsResponse": {
             "type": "object",
             "properties": {
-                "description": {
+                "backend": {
                     "type": "string"
                 },
-                "enum": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                "metrics": {
+                    "$ref": "#/definitions/handlers.ContainerMetricsPayloadResponse"
                 },
-                "example": {},
-                "key": {
+                "sampled_at": {
                     "type": "string"
                 },
-                "order": {
-                    "type": "integer"
+                "status": {
+                    "$ref": "#/definitions/handlers.ContainerMetricsStatusResponse"
                 },
-                "required": {
+                "supported": {
                     "type": "boolean"
                 },
-                "title": {
-                    "type": "string"
-                },
-                "type": {
+                "unsupported_reason": {
                     "type": "string"
                 }
             }
         },
-        "email.OutboxItemResponse": {
+        "handlers.GetContainerResponse": {
             "type": "object",
             "properties": {
-                "attachments": {
+                "cdi_devices": {
                     "type": "array",
-                    "items": {}
-                },
-                "body_html": {
-                    "type": "string"
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "body_text": {
+                "container_id": {
                     "type": "string"
                 },
-                "bot_id": {
+                "container_path": {
                     "type": "string"
                 },
                 "created_at": {
                     "type": "string"
                 },
-                "error": {
-                    "type": "string"
-                },
-                "from": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
+                "has_preserved_data": {
+                    "type": "boolean"
                 },
-                "message_id": {
+                "image": {
                     "type": "string"
                 },
-                "provider_id": {
-                    "type": "string"
+                "legacy": {
+                    "type": "boolean"
                 },
-                "sent_at": {
+                "namespace": {
                     "type": "string"
                 },
                 "status": {
                     "type": "string"
                 },
-                "subject": {
+                "task_running": {
+                    "type": "boolean"
+                },
+                "updated_at": {
                     "type": "string"
                 },
-                "to": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                "workspace_backend": {
+                    "type": "string"
                 }
             }
         },
-        "email.ProviderMeta": {
+        "handlers.IAMGroupMemberRequest": {
             "type": "object",
             "properties": {
-                "config_schema": {
-                    "$ref": "#/definitions/email.ConfigSchema"
+                "provider_id": {
+                    "type": "string"
                 },
-                "display_name": {
+                "source": {
                     "type": "string"
                 },
-                "provider": {
+                "user_id": {
                     "type": "string"
                 }
             }
         },
-        "email.ProviderResponse": {
+        "handlers.IAMGroupMemberResponse": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
                 "created_at": {
                     "type": "string"
                 },
-                "id": {
+                "display_name": {
                     "type": "string"
                 },
-                "name": {
+                "email": {
                     "type": "string"
                 },
-                "provider": {
+                "group_id": {
                     "type": "string"
                 },
-                "updated_at": {
+                "provider_id": {
                     "type": "string"
-                }
-            }
-        },
-        "email.UpdateBindingRequest": {
-            "type": "object",
-            "properties": {
-                "can_delete": {
-                    "type": "boolean"
-                },
-                "can_read": {
-                    "type": "boolean"
                 },
-                "can_write": {
-                    "type": "boolean"
+                "source": {
+                    "type": "string"
                 },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "user_id": {
+                    "type": "string"
                 },
-                "email_address": {
+                "username": {
                     "type": "string"
                 }
             }
         },
-        "email.UpdateProviderRequest": {
+        "handlers.IAMGroupRequest": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "display_name": {
+                    "type": "string"
                 },
-                "name": {
+                "external_id": {
                     "type": "string"
                 },
-                "provider": {
+                "key": {
+                    "type": "string"
+                },
+                "metadata": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                },
+                "source": {
                     "type": "string"
                 }
             }
         },
-        "github_com_memohai_memoh_internal_mcp.Connection": {
+        "handlers.IAMGroupResponse": {
             "type": "object",
             "properties": {
-                "auth_type": {
-                    "type": "string"
-                },
-                "bot_id": {
-                    "type": "string"
-                },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
                 "created_at": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
-                },
-                "is_active": {
-                    "type": "boolean"
-                },
-                "last_probed_at": {
+                "display_name": {
                     "type": "string"
                 },
-                "name": {
+                "external_id": {
                     "type": "string"
                 },
-                "status": {
+                "id": {
                     "type": "string"
                 },
-                "status_message": {
+                "key": {
                     "type": "string"
                 },
-                "tools_cache": {
+                "metadata": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/mcp.ToolDescriptor"
+                        "type": "integer"
                     }
                 },
-                "type": {
+                "source": {
                     "type": "string"
                 },
                 "updated_at": {
@@ -11746,452 +13582,274 @@ const docTemplate = `{
                 }
             }
         },
-        "handlers.BatchDeleteRequest": {
+        "handlers.IAMListGroupMembersResponse": {
             "type": "object",
             "properties": {
-                "ids": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "$ref": "#/definitions/handlers.IAMGroupMemberResponse"
                     }
                 }
             }
         },
-        "handlers.BrowserCoresResponse": {
+        "handlers.IAMListGroupsResponse": {
             "type": "object",
             "properties": {
-                "cores": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "$ref": "#/definitions/handlers.IAMGroupResponse"
                     }
                 }
             }
         },
-        "handlers.CacheStats": {
-            "type": "object",
-            "properties": {
-                "cache_hit_rate": {
-                    "type": "number"
-                },
-                "cache_read_tokens": {
-                    "type": "integer"
-                },
-                "cache_write_tokens": {
-                    "type": "integer"
-                },
-                "total_input_tokens": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.ChannelMeta": {
-            "type": "object",
-            "properties": {
-                "capabilities": {
-                    "$ref": "#/definitions/channel.ChannelCapabilities"
-                },
-                "config_schema": {
-                    "$ref": "#/definitions/channel.ConfigSchema"
-                },
-                "configless": {
-                    "type": "boolean"
-                },
-                "display_name": {
-                    "type": "string"
-                },
-                "target_spec": {
-                    "$ref": "#/definitions/channel.TargetSpec"
-                },
-                "type": {
-                    "type": "string"
-                },
-                "user_config_schema": {
-                    "$ref": "#/definitions/channel.ConfigSchema"
-                }
-            }
-        },
-        "handlers.ContainerCPUMetricsResponse": {
-            "type": "object",
-            "properties": {
-                "kernel_nanoseconds": {
-                    "type": "integer"
-                },
-                "usage_nanocores": {
-                    "type": "integer"
-                },
-                "usage_nanoseconds": {
-                    "type": "integer"
-                },
-                "usage_percent": {
-                    "type": "number"
-                },
-                "user_nanoseconds": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.ContainerGPURequest": {
+        "handlers.IAMListPrincipalRolesResponse": {
             "type": "object",
             "properties": {
-                "devices": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "$ref": "#/definitions/handlers.IAMPrincipalRoleResponse"
                     }
                 }
             }
         },
-        "handlers.ContainerMemoryMetricsResponse": {
-            "type": "object",
-            "properties": {
-                "limit_bytes": {
-                    "type": "integer"
-                },
-                "usage_bytes": {
-                    "type": "integer"
-                },
-                "usage_percent": {
-                    "type": "number"
-                }
-            }
-        },
-        "handlers.ContainerMetricsPayloadResponse": {
-            "type": "object",
-            "properties": {
-                "cpu": {
-                    "$ref": "#/definitions/handlers.ContainerCPUMetricsResponse"
-                },
-                "memory": {
-                    "$ref": "#/definitions/handlers.ContainerMemoryMetricsResponse"
-                },
-                "storage": {
-                    "$ref": "#/definitions/handlers.ContainerStorageMetricsResponse"
-                }
-            }
-        },
-        "handlers.ContainerMetricsStatusResponse": {
-            "type": "object",
-            "properties": {
-                "exists": {
-                    "type": "boolean"
-                },
-                "task_running": {
-                    "type": "boolean"
-                }
-            }
-        },
-        "handlers.ContainerStorageMetricsResponse": {
-            "type": "object",
-            "properties": {
-                "path": {
-                    "type": "string"
-                },
-                "used_bytes": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.ContextUsage": {
+        "handlers.IAMListRolesResponse": {
             "type": "object",
             "properties": {
-                "context_window": {
-                    "type": "integer"
-                },
-                "used_tokens": {
-                    "type": "integer"
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/handlers.IAMRoleResponse"
+                    }
                 }
             }
         },
-        "handlers.CreateContainerRequest": {
+        "handlers.IAMListSSOGroupMappingsResponse": {
             "type": "object",
             "properties": {
-                "gpu": {
-                    "$ref": "#/definitions/handlers.ContainerGPURequest"
-                },
-                "image": {
-                    "type": "string"
-                },
-                "local_workspace_path": {
-                    "type": "string"
-                },
-                "restore_data": {
-                    "type": "boolean"
-                },
-                "snapshotter": {
-                    "type": "string"
-                },
-                "workspace_backend": {
-                    "type": "string"
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/handlers.IAMSSOGroupMappingResponse"
+                    }
                 }
             }
         },
-        "handlers.CreateContainerResponse": {
+        "handlers.IAMListSSOProvidersResponse": {
             "type": "object",
             "properties": {
-                "cdi_devices": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "$ref": "#/definitions/handlers.IAMSSOProviderResponse"
                     }
-                },
-                "container_id": {
-                    "type": "string"
-                },
-                "container_path": {
-                    "type": "string"
-                },
-                "data_restored": {
-                    "type": "boolean"
-                },
-                "has_preserved_data": {
-                    "type": "boolean"
-                },
-                "image": {
-                    "type": "string"
-                },
-                "snapshotter": {
-                    "type": "string"
-                },
-                "started": {
-                    "type": "boolean"
-                },
-                "workspace_backend": {
-                    "type": "string"
                 }
             }
         },
-        "handlers.CreateSnapshotRequest": {
+        "handlers.IAMPrincipalRoleRequest": {
             "type": "object",
             "properties": {
-                "snapshot_name": {
+                "principal_id": {
+                    "type": "string"
+                },
+                "principal_type": {
+                    "type": "string"
+                },
+                "role_key": {
                     "type": "string"
                 }
             }
         },
-        "handlers.CreateSnapshotResponse": {
+        "handlers.IAMPrincipalRoleResponse": {
             "type": "object",
             "properties": {
-                "container_id": {
+                "created_at": {
                     "type": "string"
                 },
-                "display_name": {
+                "group_display_name": {
                     "type": "string"
                 },
-                "runtime_snapshot_name": {
+                "group_key": {
                     "type": "string"
                 },
-                "snapshot_name": {
+                "id": {
                     "type": "string"
                 },
-                "snapshotter": {
+                "principal_id": {
                     "type": "string"
                 },
-                "source": {
+                "principal_type": {
                     "type": "string"
                 },
-                "version": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.DailyTokenUsage": {
-            "type": "object",
-            "properties": {
-                "cache_read_tokens": {
-                    "type": "integer"
-                },
-                "cache_write_tokens": {
-                    "type": "integer"
-                },
-                "day": {
+                "provider_id": {
                     "type": "string"
                 },
-                "input_tokens": {
-                    "type": "integer"
-                },
-                "output_tokens": {
-                    "type": "integer"
-                },
-                "reasoning_tokens": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.ErrorResponse": {
-            "type": "object",
-            "properties": {
-                "message": {
+                "resource_id": {
                     "type": "string"
-                }
-            }
-        },
-        "handlers.FSDeleteRequest": {
-            "type": "object",
-            "properties": {
-                "path": {
+                },
+                "resource_type": {
                     "type": "string"
                 },
-                "recursive": {
-                    "type": "boolean"
-                }
-            }
-        },
-        "handlers.FSFileInfo": {
-            "type": "object",
-            "properties": {
-                "isDir": {
-                    "type": "boolean"
+                "role_id": {
+                    "type": "string"
                 },
-                "modTime": {
+                "role_key": {
                     "type": "string"
                 },
-                "mode": {
+                "role_scope": {
                     "type": "string"
                 },
-                "name": {
+                "source": {
                     "type": "string"
                 },
-                "path": {
+                "user_display_name": {
                     "type": "string"
                 },
-                "size": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.FSListResponse": {
-            "type": "object",
-            "properties": {
-                "entries": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/handlers.FSFileInfo"
-                    }
+                "user_email": {
+                    "type": "string"
                 },
-                "path": {
+                "user_username": {
                     "type": "string"
                 }
             }
         },
-        "handlers.FSMkdirRequest": {
+        "handlers.IAMRoleResponse": {
             "type": "object",
             "properties": {
-                "path": {
+                "created_at": {
                     "type": "string"
-                }
-            }
-        },
-        "handlers.FSReadResponse": {
-            "type": "object",
-            "properties": {
-                "content": {
+                },
+                "id": {
                     "type": "string"
                 },
-                "path": {
+                "is_system": {
+                    "type": "boolean"
+                },
+                "key": {
                     "type": "string"
                 },
-                "size": {
-                    "type": "integer"
+                "scope": {
+                    "type": "string"
                 }
             }
         },
-        "handlers.FSRenameRequest": {
+        "handlers.IAMSSOGroupMappingRequest": {
             "type": "object",
             "properties": {
-                "newPath": {
+                "external_group": {
                     "type": "string"
                 },
-                "oldPath": {
+                "group_id": {
                     "type": "string"
                 }
             }
         },
-        "handlers.FSUploadResponse": {
+        "handlers.IAMSSOGroupMappingResponse": {
             "type": "object",
             "properties": {
-                "path": {
+                "created_at": {
                     "type": "string"
                 },
-                "size": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.FSWriteRequest": {
-            "type": "object",
-            "properties": {
-                "content": {
+                "external_group": {
                     "type": "string"
                 },
-                "path": {
+                "group_display_name": {
+                    "type": "string"
+                },
+                "group_id": {
+                    "type": "string"
+                },
+                "group_key": {
+                    "type": "string"
+                },
+                "provider_id": {
                     "type": "string"
                 }
             }
         },
-        "handlers.GetContainerMetricsResponse": {
+        "handlers.IAMSSOProviderRequest": {
             "type": "object",
             "properties": {
-                "backend": {
+                "attribute_mapping": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                },
+                "config": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                },
+                "email_linking_policy": {
                     "type": "string"
                 },
-                "metrics": {
-                    "$ref": "#/definitions/handlers.ContainerMetricsPayloadResponse"
+                "enabled": {
+                    "type": "boolean"
                 },
-                "sampled_at": {
+                "jit_enabled": {
+                    "type": "boolean"
+                },
+                "key": {
                     "type": "string"
                 },
-                "status": {
-                    "$ref": "#/definitions/handlers.ContainerMetricsStatusResponse"
+                "name": {
+                    "type": "string"
                 },
-                "supported": {
+                "trust_email": {
                     "type": "boolean"
                 },
-                "unsupported_reason": {
+                "type": {
                     "type": "string"
                 }
             }
         },
-        "handlers.GetContainerResponse": {
+        "handlers.IAMSSOProviderResponse": {
             "type": "object",
             "properties": {
-                "cdi_devices": {
+                "attribute_mapping": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "type": "integer"
                     }
                 },
-                "container_id": {
-                    "type": "string"
+                "config": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
                 },
-                "container_path": {
+                "created_at": {
                     "type": "string"
                 },
-                "created_at": {
+                "email_linking_policy": {
                     "type": "string"
                 },
-                "has_preserved_data": {
+                "enabled": {
                     "type": "boolean"
                 },
-                "image": {
+                "id": {
                     "type": "string"
                 },
-                "legacy": {
+                "jit_enabled": {
                     "type": "boolean"
                 },
-                "namespace": {
+                "key": {
                     "type": "string"
                 },
-                "status": {
+                "name": {
                     "type": "string"
                 },
-                "task_running": {
+                "trust_email": {
                     "type": "boolean"
                 },
-                "updated_at": {
+                "type": {
                     "type": "string"
                 },
-                "workspace_backend": {
+                "updated_at": {
                     "type": "string"
                 }
             }
@@ -12218,6 +13876,17 @@ const docTemplate = `{
                 }
             }
         },
+        "handlers.ListSSOProvidersResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/handlers.SSOProviderResponse"
+                    }
+                }
+            }
+        },
         "handlers.ListSnapshotsResponse": {
             "type": "object",
             "properties": {
@@ -12269,7 +13938,7 @@ const docTemplate = `{
                 "expires_at": {
                     "type": "string"
                 },
-                "role": {
+                "session_id": {
                     "type": "string"
                 },
                 "timezone": {
@@ -12352,6 +14021,14 @@ const docTemplate = `{
                 }
             }
         },
+        "handlers.OIDCStartResponse": {
+            "type": "object",
+            "properties": {
+                "redirect_url": {
+                    "type": "string"
+                }
+            }
+        },
         "handlers.PingResponse": {
             "type": "object",
             "properties": {
@@ -12417,6 +14094,26 @@ const docTemplate = `{
                 }
             }
         },
+        "handlers.SSOProviderResponse": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "key": {
+                    "type": "string"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "type": {
+                    "$ref": "#/definitions/sso.ProviderType"
+                }
+            }
+        },
         "handlers.SessionInfoResponse": {
             "type": "object",
             "properties": {
@@ -14377,6 +16074,17 @@ const docTemplate = `{
                     "type": "string"
                 }
             }
+        },
+        "sso.ProviderType": {
+            "type": "string",
+            "enum": [
+                "oidc",
+                "saml"
+            ],
+            "x-enum-varnames": [
+                "ProviderTypeOIDC",
+                "ProviderTypeSAML"
+            ]
         }
     }
 }`
diff --git a/spec/swagger.json b/spec/swagger.json
index 8f4097504..dc937706d 100644
--- a/spec/swagger.json
+++ b/spec/swagger.json
@@ -59,7 +59,7 @@
                         "BearerAuth": []
                     }
                 ],
-                "description": "Issue a new JWT using the existing claims with updated expiration",
+                "description": "Issue a new JWT after validating the active IAM session",
                 "tags": [
                     "auth"
                 ],
@@ -86,6 +86,300 @@
                 }
             }
         },
+        "/auth/sso/exchange": {
+            "post": {
+                "description": "Exchange a one-time SSO login code for a session JWT",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Exchange SSO login code",
+                "parameters": [
+                    {
+                        "description": "SSO exchange request",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ExchangeSSOCodeRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.LoginResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/providers": {
+            "get": {
+                "description": "List enabled OIDC and SAML SSO providers available for login",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "List SSO providers",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ListSSOProvidersResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/callback": {
+            "get": {
+                "description": "Exchange the provider code, create an IAM session, and redirect to the web login callback with a short-lived login code",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Complete OIDC login",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "OIDC authorization code",
+                        "name": "code",
+                        "in": "query",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "OIDC state",
+                        "name": "state",
+                        "in": "query",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "302": {
+                        "description": "Found"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/saml/acs": {
+            "post": {
+                "description": "Validate the SAML response, create an IAM session, and redirect to the web login callback with a short-lived login code",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Complete SAML login",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "302": {
+                        "description": "Found"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/saml/metadata": {
+            "get": {
+                "description": "Return the SAML service provider metadata XML for an SSO provider",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Get SAML SP metadata",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "string"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/saml/start": {
+            "get": {
+                "description": "Create a SAML AuthnRequest, set the transient SAML state cookie, and redirect to the IdP",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Start SAML login",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "302": {
+                        "description": "Found"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/auth/sso/{provider_id}/start": {
+            "get": {
+                "description": "Build the provider authorization URL and set the transient OIDC state cookie",
+                "tags": [
+                    "auth"
+                ],
+                "summary": "Start OIDC login",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID or key",
+                        "name": "provider_id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.OIDCStartResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/bots": {
             "get": {
                 "description": "List bots accessible to current user (admin can specify owner_id)",
@@ -5187,7 +5481,7 @@
         },
         "/bots/{id}": {
             "get": {
-                "description": "Get a bot by ID (owner/admin only)",
+                "description": "Get a bot by ID when the current user has bot.read",
                 "tags": [
                     "bots"
                 ],
@@ -5235,7 +5529,7 @@
                 }
             },
             "put": {
-                "description": "Update bot profile (owner/admin only)",
+                "description": "Update bot profile when the current user has bot.update",
                 "tags": [
                     "bots"
                 ],
@@ -5292,7 +5586,7 @@
                 }
             },
             "delete": {
-                "description": "Delete a bot user (owner/admin only)",
+                "description": "Delete a bot user when the current user has bot.delete",
                 "tags": [
                     "bots"
                 ],
@@ -5770,7 +6064,7 @@
                 "tags": [
                     "bots"
                 ],
-                "summary": "Transfer bot owner (admin only)",
+                "summary": "Transfer bot owner (system admin only)",
                 "parameters": [
                     {
                         "type": "string",
@@ -6527,24 +6821,50 @@
                 }
             }
         },
-        "/memory-providers": {
+        "/iam/bots/{bot_id}/principal-roles": {
             "get": {
-                "description": "List configured memory providers",
-                "produces": [
-                    "application/json"
-                ],
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "List user and group role assignments for a bot",
                 "tags": [
-                    "memory-providers"
+                    "iam"
+                ],
+                "summary": "List bot role assignments",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Bot ID",
+                        "name": "bot_id",
+                        "in": "path",
+                        "required": true
+                    }
                 ],
-                "summary": "List memory providers",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/adapters.ProviderGetResponse"
-                            }
+                            "$ref": "#/definitions/handlers.IAMListPrincipalRolesResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
                     "500": {
@@ -6556,41 +6876,65 @@
                 }
             },
             "post": {
-                "description": "Create a memory provider configuration",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "Assign a bot-scoped role to a user or group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Create a memory provider",
+                "summary": "Assign bot role",
                 "parameters": [
                     {
-                        "description": "Memory provider configuration",
-                        "name": "request",
+                        "type": "string",
+                        "description": "Bot ID",
+                        "name": "bot_id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Principal role payload",
+                        "name": "payload",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderCreateRequest"
+                            "$ref": "#/definitions/handlers.IAMPrincipalRoleRequest"
                         }
                     }
                 ],
                 "responses": {
-                    "201": {
-                        "description": "Created",
+                    "200": {
+                        "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderGetResponse"
+                            "type": "object",
+                            "additionalProperties": {
+                                "type": "string"
+                            }
                         }
                     },
+                    "204": {
+                        "description": "No Content"
+                    },
                     "400": {
                         "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -6600,50 +6944,72 @@
                 }
             }
         },
-        "/memory-providers/meta": {
+        "/iam/groups": {
             "get": {
-                "description": "List available memory provider types and config schemas",
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "List IAM groups",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "List memory provider metadata",
+                "summary": "List IAM groups",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/adapters.ProviderMeta"
-                            }
+                            "$ref": "#/definitions/handlers.IAMListGroupsResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
                 }
-            }
-        },
-        "/memory-providers/{id}": {
-            "get": {
-                "description": "Get memory provider by ID",
-                "produces": [
-                    "application/json"
+            },
+            "post": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "Create or update an IAM group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Get a memory provider",
+                "summary": "Upsert IAM group",
                 "parameters": [
                     {
-                        "type": "string",
-                        "description": "Provider ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Group payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMGroupRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderGetResponse"
+                            "$ref": "#/definitions/handlers.IAMGroupResponse"
                         }
                     },
                     "400": {
@@ -6652,41 +7018,53 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
                 }
-            },
+            }
+        },
+        "/iam/groups/{id}": {
             "put": {
-                "description": "Update memory provider by ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "Create or update an IAM group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Update a memory provider",
+                "summary": "Upsert IAM group",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Group ID",
                         "name": "id",
-                        "in": "path",
-                        "required": true
+                        "in": "path"
                     },
                     {
-                        "description": "Updated configuration",
-                        "name": "request",
+                        "description": "Group payload",
+                        "name": "payload",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderUpdateRequest"
+                            "$ref": "#/definitions/handlers.IAMGroupRequest"
                         }
                     }
                 ],
@@ -6694,7 +7072,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderGetResponse"
+                            "$ref": "#/definitions/handlers.IAMGroupResponse"
                         }
                     },
                     "400": {
@@ -6703,6 +7081,18 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -6712,15 +7102,20 @@
                 }
             },
             "delete": {
-                "description": "Delete memory provider by ID",
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Delete an IAM group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Delete a memory provider",
+                "summary": "Delete IAM group",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Group ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -6736,6 +7131,18 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -6745,20 +7152,22 @@
                 }
             }
         },
-        "/memory-providers/{id}/status": {
+        "/iam/groups/{id}/members": {
             "get": {
-                "description": "Get runtime status data for a memory provider",
-                "produces": [
-                    "application/json"
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "List members of an IAM group",
                 "tags": [
-                    "memory-providers"
+                    "iam"
                 ],
-                "summary": "Get memory provider status",
+                "summary": "List IAM group members",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Group ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -6768,7 +7177,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/adapters.ProviderStatusResponse"
+                            "$ref": "#/definitions/handlers.IAMListGroupMembersResponse"
                         }
                     },
                     "400": {
@@ -6777,8 +7186,14 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -6790,36 +7205,43 @@
                         }
                     }
                 }
-            }
-        },
-        "/models": {
-            "get": {
-                "description": "Get a list of all configured models, optionally filtered by type or provider client type",
+            },
+            "post": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Add a user to an IAM group",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "List all models",
+                "summary": "Add IAM group member",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model type (chat, embedding)",
-                        "name": "type",
-                        "in": "query"
+                        "description": "Group ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
                     },
                     {
-                        "type": "string",
-                        "description": "Provider client type (openai-responses, openai-completions, anthropic-messages, google-generative-ai)",
-                        "name": "client_type",
-                        "in": "query"
+                        "description": "Group member payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMGroupMemberRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/models.GetResponse"
+                            "type": "object",
+                            "additionalProperties": {
+                                "type": "string"
                             }
                         }
                     },
@@ -6829,40 +7251,14 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "401": {
+                        "description": "Unauthorized",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    }
-                }
-            },
-            "post": {
-                "description": "Create a new model configuration",
-                "tags": [
-                    "models"
-                ],
-                "summary": "Create a new model",
-                "parameters": [
-                    {
-                        "description": "Model configuration",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/models.AddRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "201": {
-                        "description": "Created",
-                        "schema": {
-                            "$ref": "#/definitions/models.AddResponse"
-                        }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -6876,27 +7272,37 @@
                 }
             }
         },
-        "/models/count": {
-            "get": {
-                "description": "Get the total count of models, optionally filtered by type",
+        "/iam/groups/{id}/members/{user_id}": {
+            "delete": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Remove a user from an IAM group",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Get model count",
+                "summary": "Delete IAM group member",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model type (chat, embedding)",
-                        "name": "type",
-                        "in": "query"
+                        "description": "Group ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "User ID",
+                        "name": "user_id",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/models.CountResponse"
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
                     "400": {
                         "description": "Bad Request",
@@ -6904,6 +7310,18 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -6913,28 +7331,30 @@
                 }
             }
         },
-        "/models/model/{modelId}": {
-            "get": {
-                "description": "Get a model configuration by its model_id field (e.g., gpt-4)",
+        "/iam/principal-roles/{id}": {
+            "delete": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Delete a user or group role assignment",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Get model by model ID",
+                "summary": "Delete role assignment",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID (e.g., gpt-4)",
-                        "name": "modelId",
+                        "description": "Principal role assignment ID",
+                        "name": "id",
                         "in": "path",
                         "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/models.GetResponse"
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
                     "400": {
                         "description": "Bad Request",
@@ -6942,8 +7362,14 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -6955,46 +7381,35 @@
                         }
                     }
                 }
-            },
-            "put": {
-                "description": "Update a model configuration by its model_id field (e.g., gpt-4)",
-                "tags": [
-                    "models"
-                ],
-                "summary": "Update model by model ID",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Model ID (e.g., gpt-4)",
-                        "name": "modelId",
-                        "in": "path",
-                        "required": true
-                    },
+            }
+        },
+        "/iam/roles": {
+            "get": {
+                "security": [
                     {
-                        "description": "Updated model configuration",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/models.UpdateRequest"
-                        }
+                        "BearerAuth": []
                     }
                 ],
+                "description": "List built-in IAM roles",
+                "tags": [
+                    "iam"
+                ],
+                "summary": "List IAM roles",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/models.GetResponse"
+                            "$ref": "#/definitions/handlers.IAMListRolesResponse"
                         }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "401": {
+                        "description": "Unauthorized",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7006,34 +7421,35 @@
                         }
                     }
                 }
-            },
-            "delete": {
-                "description": "Delete a model configuration by its model_id field (e.g., gpt-4)",
-                "tags": [
-                    "models"
-                ],
-                "summary": "Delete model by model ID",
-                "parameters": [
+            }
+        },
+        "/iam/sso/providers": {
+            "get": {
+                "security": [
                     {
-                        "type": "string",
-                        "description": "Model ID (e.g., gpt-4)",
-                        "name": "modelId",
-                        "in": "path",
-                        "required": true
+                        "BearerAuth": []
                     }
                 ],
+                "description": "List all IAM SSO providers for administration",
+                "tags": [
+                    "iam"
+                ],
+                "summary": "List IAM SSO providers",
                 "responses": {
-                    "204": {
-                        "description": "No Content"
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMListSSOProvidersResponse"
+                        }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "401": {
+                        "description": "Unauthorized",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7045,29 +7461,40 @@
                         }
                     }
                 }
-            }
-        },
-        "/models/{id}": {
-            "get": {
-                "description": "Get a model configuration by its internal UUID",
+            },
+            "post": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Create or update an IAM SSO provider",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Get model by internal ID",
+                "summary": "Upsert IAM SSO provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model internal ID (UUID)",
+                        "description": "SSO provider ID",
                         "name": "id",
-                        "in": "path",
-                        "required": true
+                        "in": "path"
+                    },
+                    {
+                        "description": "SSO provider payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMSSOProviderRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/models.GetResponse"
+                            "$ref": "#/definitions/handlers.IAMSSOProviderResponse"
                         }
                     },
                     "400": {
@@ -7076,8 +7503,14 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7089,28 +7522,34 @@
                         }
                     }
                 }
-            },
+            }
+        },
+        "/iam/sso/providers/{id}": {
             "put": {
-                "description": "Update a model configuration by its internal UUID",
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Create or update an IAM SSO provider",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Update model by internal ID",
+                "summary": "Upsert IAM SSO provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model internal ID (UUID)",
+                        "description": "SSO provider ID",
                         "name": "id",
-                        "in": "path",
-                        "required": true
+                        "in": "path"
                     },
                     {
-                        "description": "Updated model configuration",
+                        "description": "SSO provider payload",
                         "name": "payload",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/models.UpdateRequest"
+                            "$ref": "#/definitions/handlers.IAMSSOProviderRequest"
                         }
                     }
                 ],
@@ -7118,7 +7557,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/models.GetResponse"
+                            "$ref": "#/definitions/handlers.IAMSSOProviderResponse"
                         }
                     },
                     "400": {
@@ -7127,8 +7566,14 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7142,15 +7587,20 @@
                 }
             },
             "delete": {
-                "description": "Delete a model configuration by its internal UUID",
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Delete an IAM SSO provider",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Delete model by internal ID",
+                "summary": "Delete IAM SSO provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model internal ID (UUID)",
+                        "description": "SSO provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -7166,8 +7616,14 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7181,33 +7637,97 @@
                 }
             }
         },
-        "/models/{id}/test": {
-            "post": {
-                "description": "Probe a model's provider endpoint using the model's real model_id and client_type to verify configuration",
-                "consumes": [
-                    "application/json"
+        "/iam/sso/providers/{id}/group-mappings": {
+            "get": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
-                "produces": [
-                    "application/json"
+                "description": "List external group to IAM group mappings for an SSO provider",
+                "tags": [
+                    "iam"
+                ],
+                "summary": "List SSO group mappings",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMListSSOGroupMappingsResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "post": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
                 ],
+                "description": "Create or update an external group to IAM group mapping",
                 "tags": [
-                    "models"
+                    "iam"
                 ],
-                "summary": "Test model connectivity",
+                "summary": "Upsert SSO group mapping",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model internal ID (UUID)",
+                        "description": "SSO provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
+                    },
+                    {
+                        "description": "SSO group mapping payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/handlers.IAMSSOGroupMappingRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/models.TestResponse"
+                            "type": "object",
+                            "additionalProperties": {
+                                "type": "string"
+                            }
                         }
                     },
                     "400": {
@@ -7216,8 +7736,14 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7231,42 +7757,82 @@
                 }
             }
         },
-        "/ping": {
-            "get": {
+        "/iam/sso/providers/{id}/group-mappings/{external_group}": {
+            "delete": {
+                "security": [
+                    {
+                        "BearerAuth": []
+                    }
+                ],
+                "description": "Delete an external group mapping from an SSO provider",
                 "tags": [
-                    "system"
+                    "iam"
+                ],
+                "summary": "Delete SSO group mapping",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "SSO provider ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "External group",
+                        "name": "external_group",
+                        "in": "path",
+                        "required": true
+                    }
                 ],
-                "summary": "Health check with server capabilities",
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
-                            "$ref": "#/definitions/handlers.PingResponse"
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
                 }
             }
         },
-        "/providers": {
+        "/memory-providers": {
             "get": {
-                "description": "Get a list of all configured LLM providers",
-                "consumes": [
-                    "application/json"
-                ],
+                "description": "List configured memory providers",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "List all LLM providers",
+                "summary": "List memory providers",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
                             "type": "array",
                             "items": {
-                                "$ref": "#/definitions/providers.GetResponse"
+                                "$ref": "#/definitions/adapters.ProviderGetResponse"
                             }
                         }
                     },
@@ -7279,7 +7845,7 @@
                 }
             },
             "post": {
-                "description": "Create a new LLM provider configuration",
+                "description": "Create a memory provider configuration",
                 "consumes": [
                     "application/json"
                 ],
@@ -7287,17 +7853,17 @@
                     "application/json"
                 ],
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Create a new LLM provider",
+                "summary": "Create a memory provider",
                 "parameters": [
                     {
-                        "description": "Provider configuration",
+                        "description": "Memory provider configuration",
                         "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/providers.CreateRequest"
+                            "$ref": "#/definitions/adapters.ProviderCreateRequest"
                         }
                     }
                 ],
@@ -7305,7 +7871,7 @@
                     "201": {
                         "description": "Created",
                         "schema": {
-                            "$ref": "#/definitions/providers.GetResponse"
+                            "$ref": "#/definitions/adapters.ProviderGetResponse"
                         }
                     },
                     "400": {
@@ -7323,53 +7889,41 @@
                 }
             }
         },
-        "/providers/count": {
+        "/memory-providers/meta": {
             "get": {
-                "description": "Get the total count of providers",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "List available memory provider types and config schemas",
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Count providers",
+                "summary": "List memory provider metadata",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.CountResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/adapters.ProviderMeta"
+                            }
                         }
                     }
                 }
             }
         },
-        "/providers/name/{name}": {
+        "/memory-providers/{id}": {
             "get": {
-                "description": "Get a provider configuration by its name",
-                "consumes": [
-                    "application/json"
-                ],
+                "description": "Get memory provider by ID",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Get provider by name",
+                "summary": "Get a memory provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider name",
-                        "name": "name",
+                        "description": "Provider ID",
+                        "name": "id",
                         "in": "path",
                         "required": true
                     }
@@ -7378,7 +7932,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.GetResponse"
+                            "$ref": "#/definitions/adapters.ProviderGetResponse"
                         }
                     },
                     "400": {
@@ -7392,130 +7946,36 @@
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
                     }
                 }
-            }
-        },
-        "/providers/oauth/callback": {
-            "get": {
+            },
+            "put": {
+                "description": "Update memory provider by ID",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "providers-oauth"
+                    "memory-providers"
                 ],
-                "summary": "OAuth2 callback for LLM providers",
+                "summary": "Update a memory provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Authorization code",
-                        "name": "code",
-                        "in": "query",
+                        "description": "Provider ID",
+                        "name": "id",
+                        "in": "path",
                         "required": true
                     },
                     {
-                        "type": "string",
-                        "description": "State parameter",
-                        "name": "state",
-                        "in": "query",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "HTML success page",
-                        "schema": {
-                            "type": "string"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/providers/{id}": {
-            "get": {
-                "description": "Get a provider configuration by its ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "providers"
-                ],
-                "summary": "Get provider by ID",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/providers.GetResponse"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            },
-            "put": {
-                "description": "Update an existing provider configuration",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "providers"
-                ],
-                "summary": "Update provider",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "description": "Updated provider configuration",
+                        "description": "Updated configuration",
                         "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/providers.UpdateRequest"
+                            "$ref": "#/definitions/adapters.ProviderUpdateRequest"
                         }
                     }
                 ],
@@ -7523,7 +7983,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.GetResponse"
+                            "$ref": "#/definitions/adapters.ProviderGetResponse"
                         }
                     },
                     "400": {
@@ -7532,12 +7992,6 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -7547,21 +8001,15 @@
                 }
             },
             "delete": {
-                "description": "Delete a provider configuration",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "Delete memory provider by ID",
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Delete provider",
+                "summary": "Delete a memory provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -7577,12 +8025,6 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -7592,23 +8034,20 @@
                 }
             }
         },
-        "/providers/{id}/import-models": {
-            "post": {
-                "description": "Fetch models from provider's /v1/models endpoint and import them",
-                "consumes": [
-                    "application/json"
-                ],
+        "/memory-providers/{id}/status": {
+            "get": {
+                "description": "Get runtime status data for a memory provider",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "providers"
+                    "memory-providers"
                 ],
-                "summary": "Import models from provider",
+                "summary": "Get memory provider status",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -7618,7 +8057,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.ImportModelsResponse"
+                            "$ref": "#/definitions/adapters.ProviderStatusResponse"
                         }
                     },
                     "400": {
@@ -7642,25 +8081,24 @@
                 }
             }
         },
-        "/providers/{id}/models": {
+        "/models": {
             "get": {
-                "description": "Get models for a provider by id, optionally filtered by type",
+                "description": "Get a list of all configured models, optionally filtered by type or provider client type",
                 "tags": [
-                    "providers"
+                    "models"
                 ],
-                "summary": "List provider models",
+                "summary": "List all models",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Model type (chat, embedding)",
+                        "name": "type",
+                        "in": "query"
                     },
                     {
                         "type": "string",
-                        "description": "Model type (chat, embedding)",
-                        "name": "type",
+                        "description": "Provider client type (openai-responses, openai-completions, anthropic-messages, google-generative-ai)",
+                        "name": "client_type",
                         "in": "query"
                     }
                 ],
@@ -7680,12 +8118,6 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -7693,28 +8125,29 @@
                         }
                     }
                 }
-            }
-        },
-        "/providers/{id}/oauth/authorize": {
-            "get": {
+            },
+            "post": {
+                "description": "Create a new model configuration",
                 "tags": [
-                    "providers-oauth"
+                    "models"
                 ],
-                "summary": "Start OAuth2 authorization for an LLM provider",
+                "summary": "Create a new model",
                 "parameters": [
                     {
-                        "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Model configuration",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/models.AddRequest"
+                        }
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "201": {
+                        "description": "Created",
                         "schema": {
-                            "$ref": "#/definitions/providers.OAuthAuthorizeResponse"
+                            "$ref": "#/definitions/models.AddResponse"
                         }
                     },
                     "400": {
@@ -7723,8 +8156,8 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7732,26 +8165,26 @@
                 }
             }
         },
-        "/providers/{id}/oauth/poll": {
-            "post": {
+        "/models/count": {
+            "get": {
+                "description": "Get the total count of models, optionally filtered by type",
                 "tags": [
-                    "providers-oauth"
+                    "models"
                 ],
-                "summary": "Poll OAuth device authorization for an LLM provider",
+                "summary": "Get model count",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Model type (chat, embedding)",
+                        "name": "type",
+                        "in": "query"
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.OAuthStatus"
+                            "$ref": "#/definitions/models.CountResponse"
                         }
                     },
                     "400": {
@@ -7760,8 +8193,8 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7769,17 +8202,18 @@
                 }
             }
         },
-        "/providers/{id}/oauth/status": {
+        "/models/model/{modelId}": {
             "get": {
+                "description": "Get a model configuration by its model_id field (e.g., gpt-4)",
                 "tags": [
-                    "providers-oauth"
+                    "models"
                 ],
-                "summary": "Get OAuth2 status for an LLM provider",
+                "summary": "Get model by model ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
+                        "description": "Model ID (e.g., gpt-4)",
+                        "name": "modelId",
                         "in": "path",
                         "required": true
                     }
@@ -7788,7 +8222,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.OAuthStatus"
+                            "$ref": "#/definitions/models.GetResponse"
                         }
                     },
                     "400": {
@@ -7802,71 +8236,44 @@
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
                     }
                 }
-            }
-        },
-        "/providers/{id}/oauth/token": {
-            "delete": {
+            },
+            "put": {
+                "description": "Update a model configuration by its model_id field (e.g., gpt-4)",
                 "tags": [
-                    "providers-oauth"
+                    "models"
                 ],
-                "summary": "Revoke stored OAuth2 tokens for an LLM provider",
+                "summary": "Update model by model ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
+                        "description": "Model ID (e.g., gpt-4)",
+                        "name": "modelId",
                         "in": "path",
                         "required": true
-                    }
-                ],
-                "responses": {
-                    "204": {
-                        "description": "No Content"
                     },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
+                    {
+                        "description": "Updated model configuration",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
                         "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "$ref": "#/definitions/models.UpdateRequest"
                         }
                     }
-                }
-            }
-        },
-        "/providers/{id}/test": {
-            "post": {
-                "description": "Probe a provider's base URL to check reachability, supported client types, and embedding support",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "providers"
-                ],
-                "summary": "Test provider connectivity",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Provider ID (UUID)",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/providers.TestResponse"
+                            "$ref": "#/definitions/models.GetResponse"
                         }
                     },
                     "400": {
@@ -7888,79 +8295,34 @@
                         }
                     }
                 }
-            }
-        },
-        "/search-providers": {
-            "get": {
-                "description": "List configured search providers",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+            },
+            "delete": {
+                "description": "Delete a model configuration by its model_id field (e.g., gpt-4)",
                 "tags": [
-                    "search-providers"
+                    "models"
                 ],
-                "summary": "List search providers",
+                "summary": "Delete model by model ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider filter (brave)",
-                        "name": "provider",
-                        "in": "query"
+                        "description": "Model ID (e.g., gpt-4)",
+                        "name": "modelId",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/searchproviders.GetResponse"
-                            }
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    }
-                }
-            },
-            "post": {
-                "description": "Create a search provider configuration",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "search-providers"
-                ],
-                "summary": "Create a search provider",
-                "parameters": [
-                    {
-                        "description": "Search provider configuration",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/searchproviders.CreateRequest"
-                        }
-                    }
-                ],
-                "responses": {
-                    "201": {
-                        "description": "Created",
-                        "schema": {
-                            "$ref": "#/definitions/searchproviders.GetResponse"
-                        }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -7974,43 +8336,17 @@
                 }
             }
         },
-        "/search-providers/meta": {
-            "get": {
-                "description": "List available search provider types and config schemas",
-                "tags": [
-                    "search-providers"
-                ],
-                "summary": "List search provider metadata",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/searchproviders.ProviderMeta"
-                            }
-                        }
-                    }
-                }
-            }
-        },
-        "/search-providers/{id}": {
+        "/models/{id}": {
             "get": {
-                "description": "Get search provider by ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "Get a model configuration by its internal UUID",
                 "tags": [
-                    "search-providers"
+                    "models"
                 ],
-                "summary": "Get a search provider",
+                "summary": "Get model by internal ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Model internal ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8020,7 +8356,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/searchproviders.GetResponse"
+                            "$ref": "#/definitions/models.GetResponse"
                         }
                     },
                     "400": {
@@ -8034,36 +8370,36 @@
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
                     }
                 }
             },
             "put": {
-                "description": "Update search provider by ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "Update a model configuration by its internal UUID",
                 "tags": [
-                    "search-providers"
+                    "models"
                 ],
-                "summary": "Update a search provider",
+                "summary": "Update model by internal ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Model internal ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
                     },
                     {
-                        "description": "Updated configuration",
-                        "name": "request",
+                        "description": "Updated model configuration",
+                        "name": "payload",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/searchproviders.UpdateRequest"
+                            "$ref": "#/definitions/models.UpdateRequest"
                         }
                     }
                 ],
@@ -8071,7 +8407,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/searchproviders.GetResponse"
+                            "$ref": "#/definitions/models.GetResponse"
                         }
                     },
                     "400": {
@@ -8080,6 +8416,12 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -8089,21 +8431,15 @@
                 }
             },
             "delete": {
-                "description": "Delete search provider by ID",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
+                "description": "Delete a model configuration by its internal UUID",
                 "tags": [
-                    "search-providers"
+                    "models"
                 ],
-                "summary": "Delete a search provider",
+                "summary": "Delete model by internal ID",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID",
+                        "description": "Model internal ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8119,34 +8455,11 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    }
-                }
-            }
-        },
-        "/speech-models": {
-            "get": {
-                "description": "List all models of type 'speech' (filtered view of unified models table)",
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "speech-models"
-                ],
-                "summary": "List all speech models",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.SpeechModelResponse"
-                            }
-                        }
                     },
                     "500": {
                         "description": "Internal Server Error",
@@ -8157,19 +8470,23 @@
                 }
             }
         },
-        "/speech-models/{id}": {
-            "get": {
+        "/models/{id}/test": {
+            "post": {
+                "description": "Probe a model's provider endpoint using the model's real model_id and client_type to verify configuration",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-models"
+                    "models"
                 ],
-                "summary": "Get a speech model",
+                "summary": "Test model connectivity",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
+                        "description": "Model internal ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8179,7 +8496,13 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.SpeechModelResponse"
+                            "$ref": "#/definitions/models.TestResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
                     "404": {
@@ -8187,10 +8510,35 @@
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
                     }
                 }
-            },
-            "put": {
+            }
+        },
+        "/ping": {
+            "get": {
+                "tags": [
+                    "system"
+                ],
+                "summary": "Health check with server capabilities",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.PingResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/providers": {
+            "get": {
+                "description": "Get a list of all configured LLM providers",
                 "consumes": [
                     "application/json"
                 ],
@@ -8198,32 +8546,55 @@
                     "application/json"
                 ],
                 "tags": [
-                    "speech-models"
+                    "providers"
                 ],
-                "summary": "Update a speech model",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                "summary": "List all LLM providers",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/providers.GetResponse"
+                            }
+                        }
                     },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "post": {
+                "description": "Create a new LLM provider configuration",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "providers"
+                ],
+                "summary": "Create a new LLM provider",
+                "parameters": [
                     {
-                        "description": "Model update payload",
+                        "description": "Provider configuration",
                         "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/audio.UpdateSpeechModelRequest"
+                            "$ref": "#/definitions/providers.CreateRequest"
                         }
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "201": {
+                        "description": "Created",
                         "schema": {
-                            "$ref": "#/definitions/audio.SpeechModelResponse"
+                            "$ref": "#/definitions/providers.GetResponse"
                         }
                     },
                     "400": {
@@ -8241,33 +8612,28 @@
                 }
             }
         },
-        "/speech-models/{id}/capabilities": {
+        "/providers/count": {
             "get": {
+                "description": "Get the total count of providers",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-models"
-                ],
-                "summary": "Get speech model capabilities",
-                "parameters": [
-                    {
-                        "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    }
+                    "providers"
                 ],
+                "summary": "Count providers",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.ModelCapabilities"
+                            "$ref": "#/definitions/providers.CountResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8275,42 +8641,33 @@
                 }
             }
         },
-        "/speech-models/{id}/test": {
-            "post": {
-                "description": "Synthesize text using a specific model's config and return audio",
+        "/providers/name/{name}": {
+            "get": {
+                "description": "Get a provider configuration by its name",
                 "consumes": [
                     "application/json"
                 ],
                 "produces": [
-                    "application/octet-stream"
+                    "application/json"
                 ],
                 "tags": [
-                    "speech-models"
+                    "providers"
                 ],
-                "summary": "Test speech model synthesis",
+                "summary": "Get provider by name",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
+                        "description": "Provider name",
+                        "name": "name",
                         "in": "path",
                         "required": true
-                    },
-                    {
-                        "description": "Text to synthesize",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/audio.TestSynthesizeRequest"
-                        }
                     }
                 ],
                 "responses": {
                     "200": {
-                        "description": "Audio data",
+                        "description": "OK",
                         "schema": {
-                            "type": "file"
+                            "$ref": "#/definitions/providers.GetResponse"
                         }
                     },
                     "400": {
@@ -8319,6 +8676,12 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -8328,28 +8691,37 @@
                 }
             }
         },
-        "/speech-providers": {
+        "/providers/oauth/callback": {
             "get": {
-                "description": "List providers that support speech (filtered view of unified providers table)",
-                "produces": [
-                    "application/json"
-                ],
                 "tags": [
-                    "speech-providers"
+                    "providers-oauth"
+                ],
+                "summary": "OAuth2 callback for LLM providers",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Authorization code",
+                        "name": "code",
+                        "in": "query",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "State parameter",
+                        "name": "state",
+                        "in": "query",
+                        "required": true
+                    }
                 ],
-                "summary": "List speech providers",
                 "responses": {
                     "200": {
-                        "description": "OK",
+                        "description": "HTML success page",
                         "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.SpeechProviderResponse"
-                            }
+                            "type": "string"
                         }
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8357,36 +8729,19 @@
                 }
             }
         },
-        "/speech-providers/meta": {
+        "/providers/{id}": {
             "get": {
-                "description": "List available speech provider types with their models and capabilities",
-                "tags": [
-                    "speech-providers"
+                "description": "Get a provider configuration by its ID",
+                "consumes": [
+                    "application/json"
                 ],
-                "summary": "List speech provider metadata",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.ProviderMetaResponse"
-                            }
-                        }
-                    }
-                }
-            }
-        },
-        "/speech-providers/{id}": {
-            "get": {
-                "description": "Get a speech provider with masked config values",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-providers"
+                    "providers"
                 ],
-                "summary": "Get speech provider",
+                "summary": "Get provider by ID",
                 "parameters": [
                     {
                         "type": "string",
@@ -8400,7 +8755,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.SpeechProviderResponse"
+                            "$ref": "#/definitions/providers.GetResponse"
                         }
                     },
                     "400": {
@@ -8414,13 +8769,17 @@
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
                     }
                 }
-            }
-        },
-        "/speech-providers/{id}/import-models": {
-            "post": {
-                "description": "Fetch models using the configured speech provider and import them into the unified models table",
+            },
+            "put": {
+                "description": "Update an existing provider configuration",
                 "consumes": [
                     "application/json"
                 ],
@@ -8428,9 +8787,9 @@
                     "application/json"
                 ],
                 "tags": [
-                    "speech-providers"
+                    "providers"
                 ],
-                "summary": "Import speech models from provider",
+                "summary": "Update provider",
                 "parameters": [
                     {
                         "type": "string",
@@ -8438,13 +8797,22 @@
                         "name": "id",
                         "in": "path",
                         "required": true
+                    },
+                    {
+                        "description": "Updated provider configuration",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/providers.UpdateRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.ImportModelsResponse"
+                            "$ref": "#/definitions/providers.GetResponse"
                         }
                     },
                     "400": {
@@ -8466,18 +8834,19 @@
                         }
                     }
                 }
-            }
-        },
-        "/speech-providers/{id}/models": {
-            "get": {
-                "description": "List models of type 'speech' for a specific speech provider",
+            },
+            "delete": {
+                "description": "Delete a provider configuration",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-providers"
+                    "providers"
                 ],
-                "summary": "List speech models by provider",
+                "summary": "Delete provider",
                 "parameters": [
                     {
                         "type": "string",
@@ -8488,14 +8857,8 @@
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.SpeechModelResponse"
-                            }
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
                     "400": {
                         "description": "Bad Request",
@@ -8503,7 +8866,13 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "500": {
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
                         "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
@@ -8512,53 +8881,49 @@
                 }
             }
         },
-        "/supermarket/mcps": {
-            "get": {
+        "/providers/{id}/import-models": {
+            "post": {
+                "description": "Fetch models from provider's /v1/models endpoint and import them",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "supermarket"
+                    "providers"
                 ],
-                "summary": "List MCPs from supermarket",
+                "summary": "Import models from provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Search query",
-                        "name": "q",
-                        "in": "query"
-                    },
-                    {
-                        "type": "string",
-                        "description": "Filter by tag",
-                        "name": "tag",
-                        "in": "query"
-                    },
-                    {
-                        "type": "string",
-                        "description": "Filter by transport type",
-                        "name": "transport",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Page number",
-                        "name": "page",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Items per page",
-                        "name": "limit",
-                        "in": "query"
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketMcpListResponse"
+                            "$ref": "#/definitions/providers.ImportModelsResponse"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8566,26 +8931,42 @@
                 }
             }
         },
-        "/supermarket/mcps/{id}": {
+        "/providers/{id}/models": {
             "get": {
+                "description": "Get models for a provider by id, optionally filtered by type",
                 "tags": [
-                    "supermarket"
+                    "providers"
                 ],
-                "summary": "Get MCP detail from supermarket",
+                "summary": "List provider models",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "MCP ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Model type (chat, embedding)",
+                        "name": "type",
+                        "in": "query"
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketMcpEntry"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/models.GetResponse"
+                            }
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
                     "404": {
@@ -8594,8 +8975,8 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8603,47 +8984,36 @@
                 }
             }
         },
-        "/supermarket/skills": {
+        "/providers/{id}/oauth/authorize": {
             "get": {
                 "tags": [
-                    "supermarket"
+                    "providers-oauth"
                 ],
-                "summary": "List skills from supermarket",
+                "summary": "Start OAuth2 authorization for an LLM provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Search query",
-                        "name": "q",
-                        "in": "query"
-                    },
-                    {
-                        "type": "string",
-                        "description": "Filter by tag",
-                        "name": "tag",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Page number",
-                        "name": "page",
-                        "in": "query"
-                    },
-                    {
-                        "type": "integer",
-                        "description": "Items per page",
-                        "name": "limit",
-                        "in": "query"
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketSkillListResponse"
+                            "$ref": "#/definitions/providers.OAuthAuthorizeResponse"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8651,16 +9021,16 @@
                 }
             }
         },
-        "/supermarket/skills/{id}": {
-            "get": {
+        "/providers/{id}/oauth/poll": {
+            "post": {
                 "tags": [
-                    "supermarket"
+                    "providers-oauth"
                 ],
-                "summary": "Get skill detail from supermarket",
+                "summary": "Poll OAuth device authorization for an LLM provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Skill ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8670,17 +9040,17 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketSkillEntry"
+                            "$ref": "#/definitions/providers.OAuthStatus"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8688,50 +9058,36 @@
                 }
             }
         },
-        "/supermarket/tags": {
+        "/providers/{id}/oauth/status": {
             "get": {
                 "tags": [
-                    "supermarket"
+                    "providers-oauth"
+                ],
+                "summary": "Get OAuth2 status for an LLM provider",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
                 ],
-                "summary": "List all tags from supermarket",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.SupermarketTagsResponse"
+                            "$ref": "#/definitions/providers.OAuthStatus"
                         }
                     },
-                    "502": {
-                        "description": "Bad Gateway",
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    }
-                }
-            }
-        },
-        "/transcription-models": {
-            "get": {
-                "description": "List all models of type 'transcription' (filtered view of unified models table)",
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "transcription-models"
-                ],
-                "summary": "List all transcription models",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.TranscriptionModelResponse"
-                            }
-                        }
                     },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -8739,29 +9095,29 @@
                 }
             }
         },
-        "/transcription-models/{id}": {
-            "get": {
-                "produces": [
-                    "application/json"
-                ],
+        "/providers/{id}/oauth/token": {
+            "delete": {
                 "tags": [
-                    "transcription-models"
+                    "providers-oauth"
                 ],
-                "summary": "Get a transcription model",
+                "summary": "Revoke stored OAuth2 tokens for an LLM provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "400": {
+                        "description": "Bad Request",
                         "schema": {
-                            "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
                     "404": {
@@ -8771,8 +9127,11 @@
                         }
                     }
                 }
-            },
-            "put": {
+            }
+        },
+        "/providers/{id}/test": {
+            "post": {
+                "description": "Probe a provider's base URL to check reachability, supported client types, and embedding support",
                 "consumes": [
                     "application/json"
                 ],
@@ -8780,32 +9139,23 @@
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-models"
+                    "providers"
                 ],
-                "summary": "Update a transcription model",
+                "summary": "Test provider connectivity",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
-                    },
-                    {
-                        "description": "Model update payload",
-                        "name": "request",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/audio.UpdateSpeechModelRequest"
-                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                            "$ref": "#/definitions/providers.TestResponse"
                         }
                     },
                     "400": {
@@ -8814,6 +9164,12 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -8823,80 +9179,73 @@
                 }
             }
         },
-        "/transcription-models/{id}/capabilities": {
+        "/search-providers": {
             "get": {
+                "description": "List configured search providers",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-models"
+                    "search-providers"
                 ],
-                "summary": "Get transcription model capabilities",
+                "summary": "List search providers",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
+                        "description": "Provider filter (brave)",
+                        "name": "provider",
+                        "in": "query"
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.ModelCapabilities"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/searchproviders.GetResponse"
+                            }
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
+                    "500": {
+                        "description": "Internal Server Error",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
                 }
-            }
-        },
-        "/transcription-models/{id}/test": {
+            },
             "post": {
-                "description": "Transcribe uploaded audio using a specific model's config and return structured text output",
+                "description": "Create a search provider configuration",
                 "consumes": [
-                    "multipart/form-data"
+                    "application/json"
                 ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-models"
+                    "search-providers"
                 ],
-                "summary": "Test transcription model recognition",
+                "summary": "Create a search provider",
                 "parameters": [
                     {
-                        "type": "string",
-                        "description": "Model ID",
-                        "name": "id",
-                        "in": "path",
-                        "required": true
-                    },
-                    {
-                        "type": "file",
-                        "description": "Audio file",
-                        "name": "file",
-                        "in": "formData",
-                        "required": true
-                    },
-                    {
-                        "type": "string",
-                        "description": "Optional JSON config",
-                        "name": "config",
-                        "in": "formData"
+                        "description": "Search provider configuration",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/searchproviders.CreateRequest"
+                        }
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
+                    "201": {
+                        "description": "Created",
                         "schema": {
-                            "$ref": "#/definitions/audio.TestTranscriptionResponse"
+                            "$ref": "#/definitions/searchproviders.GetResponse"
                         }
                     },
                     "400": {
@@ -8914,69 +9263,43 @@
                 }
             }
         },
-        "/transcription-providers": {
+        "/search-providers/meta": {
             "get": {
-                "description": "List providers that support transcription (filtered view of unified providers table)",
-                "produces": [
-                    "application/json"
-                ],
+                "description": "List available search provider types and config schemas",
                 "tags": [
-                    "transcription-providers"
+                    "search-providers"
                 ],
-                "summary": "List transcription providers",
+                "summary": "List search provider metadata",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
                             "type": "array",
                             "items": {
-                                "$ref": "#/definitions/audio.SpeechProviderResponse"
+                                "$ref": "#/definitions/searchproviders.ProviderMeta"
                             }
                         }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
                     }
                 }
             }
         },
-        "/transcription-providers/meta": {
+        "/search-providers/{id}": {
             "get": {
-                "description": "List available transcription provider types with their models and capabilities",
-                "tags": [
-                    "transcription-providers"
+                "description": "Get search provider by ID",
+                "consumes": [
+                    "application/json"
                 ],
-                "summary": "List transcription provider metadata",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.ProviderMetaResponse"
-                            }
-                        }
-                    }
-                }
-            }
-        },
-        "/transcription-providers/{id}": {
-            "get": {
-                "description": "Get a speech provider with masked config values",
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "speech-providers"
+                    "search-providers"
                 ],
-                "summary": "Get speech provider",
+                "summary": "Get a search provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -8986,7 +9309,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.SpeechProviderResponse"
+                            "$ref": "#/definitions/searchproviders.GetResponse"
                         }
                     },
                     "400": {
@@ -9002,11 +9325,9 @@
                         }
                     }
                 }
-            }
-        },
-        "/transcription-providers/{id}/import-models": {
-            "post": {
-                "description": "Fetch models using the configured transcription provider and import them into the unified models table",
+            },
+            "put": {
+                "description": "Update search provider by ID",
                 "consumes": [
                     "application/json"
                 ],
@@ -9014,23 +9335,32 @@
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-providers"
+                    "search-providers"
                 ],
-                "summary": "Import transcription models from provider",
+                "summary": "Update a search provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
+                    },
+                    {
+                        "description": "Updated configuration",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/searchproviders.UpdateRequest"
+                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/audio.ImportModelsResponse"
+                            "$ref": "#/definitions/searchproviders.GetResponse"
                         }
                     },
                     "400": {
@@ -9039,12 +9369,6 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -9052,36 +9376,31 @@
                         }
                     }
                 }
-            }
-        },
-        "/transcription-providers/{id}/models": {
-            "get": {
-                "description": "List models of type 'transcription' for a specific transcription provider",
+            },
+            "delete": {
+                "description": "Delete search provider by ID",
+                "consumes": [
+                    "application/json"
+                ],
                 "produces": [
                     "application/json"
                 ],
                 "tags": [
-                    "transcription-providers"
+                    "search-providers"
                 ],
-                "summary": "List transcription models by provider",
+                "summary": "Delete a search provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Provider ID (UUID)",
+                        "description": "Provider ID",
                         "name": "id",
                         "in": "path",
                         "required": true
                     }
                 ],
                 "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "type": "array",
-                            "items": {
-                                "$ref": "#/definitions/audio.TranscriptionModelResponse"
-                            }
-                        }
+                    "204": {
+                        "description": "No Content"
                     },
                     "400": {
                         "description": "Bad Request",
@@ -9098,30 +9417,24 @@
                 }
             }
         },
-        "/users": {
+        "/speech-models": {
             "get": {
-                "description": "List users",
+                "description": "List all models of type 'speech' (filtered view of unified models table)",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-models"
                 ],
-                "summary": "List users (admin only)",
+                "summary": "List all speech models",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.ListAccountsResponse"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "403": {
-                        "description": "Forbidden",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.SpeechModelResponse"
+                            }
                         }
                     },
                     "500": {
@@ -9131,74 +9444,35 @@
                         }
                     }
                 }
-            },
-            "post": {
-                "description": "Create a new human user account",
+            }
+        },
+        "/speech-models/{id}": {
+            "get": {
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-models"
                 ],
-                "summary": "Create human user (admin only)",
+                "summary": "Get a speech model",
                 "parameters": [
                     {
-                        "description": "User payload",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/accounts.CreateAccountRequest"
-                        }
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
                     }
                 ],
                 "responses": {
-                    "201": {
-                        "description": "Created",
-                        "schema": {
-                            "$ref": "#/definitions/accounts.Account"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
+                    "200": {
+                        "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "$ref": "#/definitions/audio.SpeechModelResponse"
                         }
                     },
-                    "403": {
-                        "description": "Forbidden",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
-        "/users/me": {
-            "get": {
-                "description": "Get current user profile",
-                "tags": [
-                    "users"
-                ],
-                "summary": "Get current user",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/accounts.Account"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
@@ -9206,19 +9480,31 @@
                 }
             },
             "put": {
-                "description": "Update current user display name or avatar",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-models"
                 ],
-                "summary": "Update current user profile",
+                "summary": "Update a speech model",
                 "parameters": [
                     {
-                        "description": "Profile payload",
-                        "name": "payload",
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Model update payload",
+                        "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/accounts.UpdateProfileRequest"
+                            "$ref": "#/definitions/audio.UpdateSpeechModelRequest"
                         }
                     }
                 ],
@@ -9226,7 +9512,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.Account"
+                            "$ref": "#/definitions/audio.SpeechModelResponse"
                         }
                     },
                     "400": {
@@ -9244,18 +9530,20 @@
                 }
             }
         },
-        "/users/me/channels/{platform}": {
+        "/speech-models/{id}/capabilities": {
             "get": {
-                "description": "Get channel binding configuration for current user",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "channel"
+                    "speech-models"
                 ],
-                "summary": "Get channel user config",
+                "summary": "Get speech model capabilities",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Channel platform",
-                        "name": "platform",
+                        "description": "Model ID",
+                        "name": "id",
                         "in": "path",
                         "required": true
                     }
@@ -9264,13 +9552,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/channel.ChannelIdentityBinding"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "$ref": "#/definitions/audio.ModelCapabilities"
                         }
                     },
                     "404": {
@@ -9278,44 +9560,46 @@
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
                     }
                 }
-            },
-            "put": {
-                "description": "Update channel binding configuration for current user",
+            }
+        },
+        "/speech-models/{id}/test": {
+            "post": {
+                "description": "Synthesize text using a specific model's config and return audio",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/octet-stream"
+                ],
                 "tags": [
-                    "channel"
+                    "speech-models"
                 ],
-                "summary": "Update channel user config",
+                "summary": "Test speech model synthesis",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "Channel platform",
-                        "name": "platform",
+                        "description": "Model ID",
+                        "name": "id",
                         "in": "path",
                         "required": true
                     },
                     {
-                        "description": "Channel user config payload",
-                        "name": "payload",
+                        "description": "Text to synthesize",
+                        "name": "request",
                         "in": "body",
                         "required": true,
                         "schema": {
-                            "$ref": "#/definitions/channel.UpsertChannelIdentityConfigRequest"
+                            "$ref": "#/definitions/audio.TestSynthesizeRequest"
                         }
                     }
                 ],
                 "responses": {
                     "200": {
-                        "description": "OK",
+                        "description": "Audio data",
                         "schema": {
-                            "$ref": "#/definitions/channel.ChannelIdentityBinding"
+                            "type": "file"
                         }
                     },
                     "400": {
@@ -9333,30 +9617,24 @@
                 }
             }
         },
-        "/users/me/identities": {
+        "/speech-providers": {
             "get": {
-                "description": "List all channel identities linked to current user",
+                "description": "List providers that support speech (filtered view of unified providers table)",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-providers"
                 ],
-                "summary": "List current user's channel identities",
+                "summary": "List speech providers",
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.listMyIdentitiesResponse"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "404": {
-                        "description": "Not Found",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.SpeechProviderResponse"
+                            }
                         }
                     },
                     "500": {
@@ -9368,54 +9646,40 @@
                 }
             }
         },
-        "/users/me/password": {
-            "put": {
-                "description": "Update current user password with current password check",
+        "/speech-providers/meta": {
+            "get": {
+                "description": "List available speech provider types with their models and capabilities",
                 "tags": [
-                    "users"
-                ],
-                "summary": "Update current user password",
-                "parameters": [
-                    {
-                        "description": "Password payload",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/accounts.UpdatePasswordRequest"
-                        }
-                    }
+                    "speech-providers"
                 ],
+                "summary": "List speech provider metadata",
                 "responses": {
-                    "204": {
-                        "description": "No Content"
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
+                    "200": {
+                        "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.ProviderMetaResponse"
+                            }
                         }
                     }
                 }
             }
         },
-        "/users/{id}": {
+        "/speech-providers/{id}": {
             "get": {
-                "description": "Get user details (self or admin only)",
+                "description": "Get a speech provider with masked config values",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-providers"
                 ],
-                "summary": "Get user by ID",
+                "summary": "Get speech provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "User ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
@@ -9425,7 +9689,7 @@
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.Account"
+                            "$ref": "#/definitions/audio.SpeechProviderResponse"
                         }
                     },
                     "400": {
@@ -9434,55 +9698,42 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "403": {
-                        "description": "Forbidden",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "404": {
                         "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
                     }
                 }
-            },
-            "put": {
-                "description": "Update user profile and status",
+            }
+        },
+        "/speech-providers/{id}/import-models": {
+            "post": {
+                "description": "Fetch models using the configured speech provider and import them into the unified models table",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-providers"
                 ],
-                "summary": "Update user (admin only)",
+                "summary": "Import speech models from provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "User ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
-                    },
-                    {
-                        "description": "User update payload",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/accounts.UpdateAccountRequest"
-                        }
                     }
                 ],
                 "responses": {
                     "200": {
                         "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.Account"
+                            "$ref": "#/definitions/audio.ImportModelsResponse"
                         }
                     },
                     "400": {
@@ -9491,12 +9742,6 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "403": {
-                        "description": "Forbidden",
-                        "schema": {
-                            "$ref": "#/definitions/handlers.ErrorResponse"
-                        }
-                    },
                     "404": {
                         "description": "Not Found",
                         "schema": {
@@ -9512,46 +9757,210 @@
                 }
             }
         },
-        "/users/{id}/password": {
-            "put": {
-                "description": "Reset a user password",
+        "/speech-providers/{id}/models": {
+            "get": {
+                "description": "List models of type 'speech' for a specific speech provider",
+                "produces": [
+                    "application/json"
+                ],
                 "tags": [
-                    "users"
+                    "speech-providers"
                 ],
-                "summary": "Reset user password (admin only)",
+                "summary": "List speech models by provider",
                 "parameters": [
                     {
                         "type": "string",
-                        "description": "User ID",
+                        "description": "Provider ID (UUID)",
                         "name": "id",
                         "in": "path",
                         "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.SpeechModelResponse"
+                            }
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/supermarket/mcps": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "List MCPs from supermarket",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Search query",
+                        "name": "q",
+                        "in": "query"
                     },
                     {
-                        "description": "Password payload",
-                        "name": "payload",
-                        "in": "body",
-                        "required": true,
+                        "type": "string",
+                        "description": "Filter by tag",
+                        "name": "tag",
+                        "in": "query"
+                    },
+                    {
+                        "type": "string",
+                        "description": "Filter by transport type",
+                        "name": "transport",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Page number",
+                        "name": "page",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Items per page",
+                        "name": "limit",
+                        "in": "query"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
                         "schema": {
-                            "$ref": "#/definitions/accounts.ResetPasswordRequest"
+                            "$ref": "#/definitions/handlers.SupermarketMcpListResponse"
+                        }
+                    },
+                    "502": {
+                        "description": "Bad Gateway",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     }
+                }
+            }
+        },
+        "/supermarket/mcps/{id}": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "Get MCP detail from supermarket",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "MCP ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
                 ],
                 "responses": {
-                    "204": {
-                        "description": "No Content"
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.SupermarketMcpEntry"
+                        }
                     },
-                    "400": {
-                        "description": "Bad Request",
+                    "404": {
+                        "description": "Not Found",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
-                    "403": {
-                        "description": "Forbidden",
+                    "502": {
+                        "description": "Bad Gateway",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/supermarket/skills": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "List skills from supermarket",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Search query",
+                        "name": "q",
+                        "in": "query"
+                    },
+                    {
+                        "type": "string",
+                        "description": "Filter by tag",
+                        "name": "tag",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Page number",
+                        "name": "page",
+                        "in": "query"
+                    },
+                    {
+                        "type": "integer",
+                        "description": "Items per page",
+                        "name": "limit",
+                        "in": "query"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.SupermarketSkillListResponse"
+                        }
+                    },
+                    "502": {
+                        "description": "Bad Gateway",
                         "schema": {
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
+                    }
+                }
+            }
+        },
+        "/supermarket/skills/{id}": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "Get skill detail from supermarket",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Skill ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.SupermarketSkillEntry"
+                        }
                     },
                     "404": {
                         "description": "Not Found",
@@ -9559,6 +9968,57 @@
                             "$ref": "#/definitions/handlers.ErrorResponse"
                         }
                     },
+                    "502": {
+                        "description": "Bad Gateway",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/supermarket/tags": {
+            "get": {
+                "tags": [
+                    "supermarket"
+                ],
+                "summary": "List all tags from supermarket",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.SupermarketTagsResponse"
+                        }
+                    },
+                    "502": {
+                        "description": "Bad Gateway",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-models": {
+            "get": {
+                "description": "List all models of type 'transcription' (filtered view of unified models table)",
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "List all transcription models",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                            }
+                        }
+                    },
                     "500": {
                         "description": "Internal Server Error",
                         "schema": {
@@ -9567,1041 +10027,2606 @@
                     }
                 }
             }
-        }
-    },
-    "definitions": {
-        "accounts.Account": {
+        },
+        "/transcription-models/{id}": {
+            "get": {
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "Get a transcription model",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "Update a transcription model",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Model update payload",
+                        "name": "request",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/audio.UpdateSpeechModelRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-models/{id}/capabilities": {
+            "get": {
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "Get transcription model capabilities",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.ModelCapabilities"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-models/{id}/test": {
+            "post": {
+                "description": "Transcribe uploaded audio using a specific model's config and return structured text output",
+                "consumes": [
+                    "multipart/form-data"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-models"
+                ],
+                "summary": "Test transcription model recognition",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Model ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "type": "file",
+                        "description": "Audio file",
+                        "name": "file",
+                        "in": "formData",
+                        "required": true
+                    },
+                    {
+                        "type": "string",
+                        "description": "Optional JSON config",
+                        "name": "config",
+                        "in": "formData"
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.TestTranscriptionResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers": {
+            "get": {
+                "description": "List providers that support transcription (filtered view of unified providers table)",
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-providers"
+                ],
+                "summary": "List transcription providers",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.SpeechProviderResponse"
+                            }
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers/meta": {
+            "get": {
+                "description": "List available transcription provider types with their models and capabilities",
+                "tags": [
+                    "transcription-providers"
+                ],
+                "summary": "List transcription provider metadata",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.ProviderMetaResponse"
+                            }
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers/{id}": {
+            "get": {
+                "description": "Get a speech provider with masked config values",
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "speech-providers"
+                ],
+                "summary": "Get speech provider",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.SpeechProviderResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers/{id}/import-models": {
+            "post": {
+                "description": "Fetch models using the configured transcription provider and import them into the unified models table",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-providers"
+                ],
+                "summary": "Import transcription models from provider",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/audio.ImportModelsResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/transcription-providers/{id}/models": {
+            "get": {
+                "description": "List models of type 'transcription' for a specific transcription provider",
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "transcription-providers"
+                ],
+                "summary": "List transcription models by provider",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Provider ID (UUID)",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "type": "array",
+                            "items": {
+                                "$ref": "#/definitions/audio.TranscriptionModelResponse"
+                            }
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users": {
+            "get": {
+                "description": "List users",
+                "tags": [
+                    "users"
+                ],
+                "summary": "List users (admin only)",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.ListAccountsResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "post": {
+                "description": "Create a new human user account",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Create human user (admin only)",
+                "parameters": [
+                    {
+                        "description": "User payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.CreateAccountRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "201": {
+                        "description": "Created",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/me": {
+            "get": {
+                "description": "Get current user profile",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Get current user",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "description": "Update current user display name or avatar",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Update current user profile",
+                "parameters": [
+                    {
+                        "description": "Profile payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.UpdateProfileRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/me/channels/{platform}": {
+            "get": {
+                "description": "Get channel binding configuration for current user",
+                "tags": [
+                    "channel"
+                ],
+                "summary": "Get channel user config",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Channel platform",
+                        "name": "platform",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/channel.ChannelIdentityBinding"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "description": "Update channel binding configuration for current user",
+                "tags": [
+                    "channel"
+                ],
+                "summary": "Update channel user config",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "Channel platform",
+                        "name": "platform",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Channel user config payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/channel.UpsertChannelIdentityConfigRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/channel.ChannelIdentityBinding"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/me/identities": {
+            "get": {
+                "description": "List all channel identities linked to current user",
+                "tags": [
+                    "users"
+                ],
+                "summary": "List current user's channel identities",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.listMyIdentitiesResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/me/password": {
+            "put": {
+                "description": "Update current user password with current password check",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Update current user password",
+                "parameters": [
+                    {
+                        "description": "Password payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.UpdatePasswordRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/{id}": {
+            "get": {
+                "description": "Get user details (self or admin only)",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Get user by ID",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            },
+            "put": {
+                "description": "Update user profile and status",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Update user (admin only)",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "User update payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.UpdateAccountRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
+        "/users/{id}/password": {
+            "put": {
+                "description": "Reset a user password",
+                "tags": [
+                    "users"
+                ],
+                "summary": "Reset user password (admin only)",
+                "parameters": [
+                    {
+                        "type": "string",
+                        "description": "User ID",
+                        "name": "id",
+                        "in": "path",
+                        "required": true
+                    },
+                    {
+                        "description": "Password payload",
+                        "name": "payload",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.ResetPasswordRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "204": {
+                        "description": "No Content"
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "403": {
+                        "description": "Forbidden",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "404": {
+                        "description": "Not Found",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/handlers.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        }
+    },
+    "definitions": {
+        "acl.ChannelIdentityCandidate": {
+            "type": "object",
+            "properties": {
+                "avatar_url": {
+                    "type": "string"
+                },
+                "channel": {
+                    "type": "string"
+                },
+                "channel_subject_id": {
+                    "type": "string"
+                },
+                "display_name": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "linked_avatar_url": {
+                    "type": "string"
+                },
+                "linked_display_name": {
+                    "type": "string"
+                },
+                "linked_user_id": {
+                    "type": "string"
+                },
+                "linked_username": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.ChannelIdentityCandidateListResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/acl.ChannelIdentityCandidate"
+                    }
+                }
+            }
+        },
+        "acl.CreateRuleRequest": {
+            "type": "object",
+            "properties": {
+                "channel_identity_id": {
+                    "type": "string"
+                },
+                "description": {
+                    "type": "string"
+                },
+                "effect": {
+                    "type": "string"
+                },
+                "enabled": {
+                    "type": "boolean"
+                },
+                "priority": {
+                    "type": "integer"
+                },
+                "source_scope": {
+                    "$ref": "#/definitions/acl.SourceScope"
+                },
+                "subject_channel_type": {
+                    "type": "string"
+                },
+                "subject_kind": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.DefaultEffectResponse": {
+            "type": "object",
+            "properties": {
+                "default_effect": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.ListRulesResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/acl.Rule"
+                    }
+                }
+            }
+        },
+        "acl.ObservedConversationCandidate": {
+            "type": "object",
+            "properties": {
+                "channel": {
+                    "type": "string"
+                },
+                "conversation_id": {
+                    "type": "string"
+                },
+                "conversation_name": {
+                    "type": "string"
+                },
+                "conversation_type": {
+                    "type": "string"
+                },
+                "last_observed_at": {
+                    "type": "string"
+                },
+                "route_id": {
+                    "type": "string"
+                },
+                "thread_id": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.ObservedConversationCandidateListResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/acl.ObservedConversationCandidate"
+                    }
+                }
+            }
+        },
+        "acl.ReorderItem": {
+            "type": "object",
+            "properties": {
+                "id": {
+                    "type": "string"
+                },
+                "priority": {
+                    "type": "integer"
+                }
+            }
+        },
+        "acl.ReorderRequest": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/acl.ReorderItem"
+                    }
+                }
+            }
+        },
+        "acl.Rule": {
+            "type": "object",
+            "properties": {
+                "action": {
+                    "type": "string"
+                },
+                "bot_id": {
+                    "type": "string"
+                },
+                "channel_identity_avatar_url": {
+                    "type": "string"
+                },
+                "channel_identity_display_name": {
+                    "type": "string"
+                },
+                "channel_identity_id": {
+                    "type": "string"
+                },
+                "channel_subject_id": {
+                    "type": "string"
+                },
+                "channel_type": {
+                    "type": "string"
+                },
+                "created_at": {
+                    "type": "string"
+                },
+                "description": {
+                    "type": "string"
+                },
+                "effect": {
+                    "type": "string"
+                },
+                "enabled": {
+                    "type": "boolean"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "linked_user_avatar_url": {
+                    "type": "string"
+                },
+                "linked_user_display_name": {
+                    "type": "string"
+                },
+                "linked_user_id": {
+                    "type": "string"
+                },
+                "linked_user_username": {
+                    "type": "string"
+                },
+                "priority": {
+                    "type": "integer"
+                },
+                "source_scope": {
+                    "$ref": "#/definitions/acl.SourceScope"
+                },
+                "subject_channel_type": {
+                    "type": "string"
+                },
+                "subject_kind": {
+                    "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.SourceScope": {
+            "type": "object",
+            "properties": {
+                "conversation_id": {
+                    "type": "string"
+                },
+                "conversation_type": {
+                    "type": "string"
+                },
+                "thread_id": {
+                    "type": "string"
+                }
+            }
+        },
+        "acl.UpdateRuleRequest": {
+            "type": "object",
+            "properties": {
+                "channel_identity_id": {
+                    "type": "string"
+                },
+                "description": {
+                    "type": "string"
+                },
+                "effect": {
+                    "type": "string"
+                },
+                "enabled": {
+                    "type": "boolean"
+                },
+                "priority": {
+                    "type": "integer"
+                },
+                "source_scope": {
+                    "$ref": "#/definitions/acl.SourceScope"
+                },
+                "subject_channel_type": {
+                    "type": "string"
+                },
+                "subject_kind": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.CDFPoint": {
+            "type": "object",
+            "properties": {
+                "cumulative": {
+                    "description": "cumulative weight fraction [0.0, 1.0]",
+                    "type": "number"
+                },
+                "k": {
+                    "description": "rank position (1-based, sorted by value desc)",
+                    "type": "integer"
+                }
+            }
+        },
+        "adapters.CompactResult": {
+            "type": "object",
+            "properties": {
+                "after_count": {
+                    "type": "integer"
+                },
+                "before_count": {
+                    "type": "integer"
+                },
+                "ratio": {
+                    "type": "number"
+                },
+                "results": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.MemoryItem"
+                    }
+                }
+            }
+        },
+        "adapters.DeleteResponse": {
+            "type": "object",
+            "properties": {
+                "message": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.HealthStatus": {
+            "type": "object",
+            "properties": {
+                "error": {
+                    "type": "string"
+                },
+                "ok": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "adapters.MemoryItem": {
+            "type": "object",
+            "properties": {
+                "agent_id": {
+                    "type": "string"
+                },
+                "bot_id": {
+                    "type": "string"
+                },
+                "cdf_curve": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.CDFPoint"
+                    }
+                },
+                "created_at": {
+                    "type": "string"
+                },
+                "hash": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "memory": {
+                    "type": "string"
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "run_id": {
+                    "type": "string"
+                },
+                "score": {
+                    "type": "number"
+                },
+                "top_k_buckets": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.TopKBucket"
+                    }
+                },
+                "updated_at": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.MemoryStatusResponse": {
+            "type": "object",
+            "properties": {
+                "can_manual_sync": {
+                    "type": "boolean"
+                },
+                "encoder": {
+                    "$ref": "#/definitions/adapters.HealthStatus"
+                },
+                "indexed_count": {
+                    "type": "integer"
+                },
+                "markdown_file_count": {
+                    "type": "integer"
+                },
+                "memory_mode": {
+                    "type": "string"
+                },
+                "overview_path": {
+                    "type": "string"
+                },
+                "provider_type": {
+                    "type": "string"
+                },
+                "qdrant": {
+                    "$ref": "#/definitions/adapters.HealthStatus"
+                },
+                "qdrant_collection": {
+                    "type": "string"
+                },
+                "source_count": {
+                    "type": "integer"
+                },
+                "source_dir": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.Message": {
+            "type": "object",
+            "properties": {
+                "content": {
+                    "type": "string"
+                },
+                "role": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderCollectionStatus": {
+            "type": "object",
+            "properties": {
+                "exists": {
+                    "type": "boolean"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "points": {
+                    "type": "integer"
+                },
+                "qdrant": {
+                    "$ref": "#/definitions/adapters.HealthStatus"
+                }
+            }
+        },
+        "adapters.ProviderConfigSchema": {
+            "type": "object",
+            "properties": {
+                "fields": {
+                    "type": "object",
+                    "additionalProperties": {
+                        "$ref": "#/definitions/adapters.ProviderFieldSchema"
+                    }
+                }
+            }
+        },
+        "adapters.ProviderCreateRequest": {
+            "type": "object",
+            "properties": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "name": {
+                    "type": "string"
+                },
+                "provider": {
+                    "$ref": "#/definitions/adapters.ProviderType"
+                }
+            }
+        },
+        "adapters.ProviderFieldSchema": {
+            "type": "object",
+            "properties": {
+                "description": {
+                    "type": "string"
+                },
+                "example": {},
+                "required": {
+                    "type": "boolean"
+                },
+                "secret": {
+                    "type": "boolean"
+                },
+                "title": {
+                    "type": "string"
+                },
+                "type": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderGetResponse": {
+            "type": "object",
+            "properties": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "created_at": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "is_default": {
+                    "type": "boolean"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "provider": {
+                    "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderMeta": {
+            "type": "object",
+            "properties": {
+                "config_schema": {
+                    "$ref": "#/definitions/adapters.ProviderConfigSchema"
+                },
+                "display_name": {
+                    "type": "string"
+                },
+                "provider": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderStatusResponse": {
+            "type": "object",
+            "properties": {
+                "collections": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.ProviderCollectionStatus"
+                    }
+                },
+                "embedding_model_id": {
+                    "type": "string"
+                },
+                "memory_mode": {
+                    "type": "string"
+                },
+                "provider_type": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.ProviderType": {
+            "type": "string",
+            "enum": [
+                "builtin",
+                "mem0",
+                "openviking"
+            ],
+            "x-enum-varnames": [
+                "ProviderBuiltin",
+                "ProviderMem0",
+                "ProviderOpenViking"
+            ]
+        },
+        "adapters.ProviderUpdateRequest": {
+            "type": "object",
+            "properties": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "name": {
+                    "type": "string"
+                }
+            }
+        },
+        "adapters.RebuildResult": {
+            "type": "object",
+            "properties": {
+                "fs_count": {
+                    "type": "integer"
+                },
+                "missing_count": {
+                    "type": "integer"
+                },
+                "restored_count": {
+                    "type": "integer"
+                },
+                "storage_count": {
+                    "type": "integer"
+                }
+            }
+        },
+        "adapters.SearchResponse": {
+            "type": "object",
+            "properties": {
+                "relations": {
+                    "type": "array",
+                    "items": {}
+                },
+                "results": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/adapters.MemoryItem"
+                    }
+                }
+            }
+        },
+        "adapters.TopKBucket": {
+            "type": "object",
+            "properties": {
+                "index": {
+                    "description": "sparse dimension index (term hash)",
+                    "type": "integer"
+                },
+                "value": {
+                    "description": "weight (term frequency)",
+                    "type": "number"
+                }
+            }
+        },
+        "adapters.UsageResponse": {
+            "type": "object",
+            "properties": {
+                "avg_text_bytes": {
+                    "type": "integer"
+                },
+                "count": {
+                    "type": "integer"
+                },
+                "estimated_storage_bytes": {
+                    "type": "integer"
+                },
+                "total_text_bytes": {
+                    "type": "integer"
+                }
+            }
+        },
+        "audio.ConfigSchema": {
+            "type": "object",
+            "properties": {
+                "fields": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/audio.FieldSchema"
+                    }
+                }
+            }
+        },
+        "audio.FieldSchema": {
             "type": "object",
             "properties": {
-                "avatar_url": {
-                    "type": "string"
+                "advanced": {
+                    "type": "boolean"
                 },
-                "created_at": {
+                "description": {
                     "type": "string"
                 },
-                "display_name": {
-                    "type": "string"
+                "enum": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "email": {
+                "example": {},
+                "key": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
+                "order": {
+                    "type": "integer"
                 },
-                "is_active": {
+                "required": {
                     "type": "boolean"
                 },
-                "last_login_at": {
-                    "type": "string"
-                },
-                "role": {
-                    "type": "string"
-                },
-                "timezone": {
-                    "type": "string"
-                },
-                "updated_at": {
+                "title": {
                     "type": "string"
                 },
-                "username": {
+                "type": {
                     "type": "string"
                 }
             }
         },
-        "accounts.CreateAccountRequest": {
+        "audio.ImportModelsResponse": {
             "type": "object",
             "properties": {
-                "avatar_url": {
-                    "type": "string"
-                },
-                "display_name": {
-                    "type": "string"
-                },
-                "email": {
-                    "type": "string"
-                },
-                "is_active": {
-                    "type": "boolean"
-                },
-                "password": {
-                    "type": "string"
+                "created": {
+                    "type": "integer"
                 },
-                "role": {
-                    "type": "string"
+                "models": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "username": {
-                    "type": "string"
+                "skipped": {
+                    "type": "integer"
                 }
             }
         },
-        "accounts.ListAccountsResponse": {
+        "audio.ModelCapabilities": {
             "type": "object",
             "properties": {
-                "items": {
+                "config_schema": {
+                    "$ref": "#/definitions/audio.ConfigSchema"
+                },
+                "formats": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {
+                        "type": "string"
+                    }
+                },
+                "pitch": {
+                    "$ref": "#/definitions/audio.ParamConstraint"
+                },
+                "speed": {
+                    "$ref": "#/definitions/audio.ParamConstraint"
+                },
+                "voices": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/accounts.Account"
+                        "$ref": "#/definitions/audio.VoiceInfo"
                     }
                 }
             }
         },
-        "accounts.ResetPasswordRequest": {
+        "audio.ModelInfo": {
             "type": "object",
             "properties": {
-                "new_password": {
+                "capabilities": {
+                    "$ref": "#/definitions/audio.ModelCapabilities"
+                },
+                "config_schema": {
+                    "$ref": "#/definitions/audio.ConfigSchema"
+                },
+                "description": {
                     "type": "string"
-                }
-            }
-        },
-        "accounts.UpdateAccountRequest": {
-            "type": "object",
-            "properties": {
-                "avatar_url": {
+                },
+                "id": {
                     "type": "string"
                 },
-                "display_name": {
+                "name": {
                     "type": "string"
                 },
-                "is_active": {
+                "template_only": {
                     "type": "boolean"
-                },
-                "role": {
-                    "type": "string"
                 }
             }
         },
-        "accounts.UpdatePasswordRequest": {
+        "audio.ParamConstraint": {
             "type": "object",
             "properties": {
-                "current_password": {
-                    "type": "string"
+                "default": {
+                    "type": "number"
                 },
-                "new_password": {
-                    "type": "string"
+                "max": {
+                    "type": "number"
+                },
+                "min": {
+                    "type": "number"
+                },
+                "options": {
+                    "type": "array",
+                    "items": {
+                        "type": "number"
+                    }
                 }
             }
         },
-        "accounts.UpdateProfileRequest": {
+        "audio.ProviderMetaResponse": {
             "type": "object",
             "properties": {
-                "avatar_url": {
+                "config_schema": {
+                    "$ref": "#/definitions/audio.ConfigSchema"
+                },
+                "default_model": {
+                    "type": "string"
+                },
+                "default_synthesis_model": {
+                    "type": "string"
+                },
+                "default_transcription_model": {
+                    "type": "string"
+                },
+                "description": {
                     "type": "string"
                 },
                 "display_name": {
                     "type": "string"
                 },
-                "timezone": {
+                "models": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/audio.ModelInfo"
+                    }
+                },
+                "provider": {
                     "type": "string"
+                },
+                "supports_synthesis_list": {
+                    "type": "boolean"
+                },
+                "supports_transcription_list": {
+                    "type": "boolean"
+                },
+                "synthesis_models": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/audio.ModelInfo"
+                    }
+                },
+                "transcription_models": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/audio.ModelInfo"
+                    }
                 }
             }
         },
-        "acl.ChannelIdentityCandidate": {
+        "audio.SpeechModelResponse": {
             "type": "object",
             "properties": {
-                "avatar_url": {
-                    "type": "string"
-                },
-                "channel": {
-                    "type": "string"
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "channel_subject_id": {
+                "created_at": {
                     "type": "string"
                 },
-                "display_name": {
+                "id": {
                     "type": "string"
                 },
-                "id": {
+                "model_id": {
                     "type": "string"
                 },
-                "linked_avatar_url": {
+                "name": {
                     "type": "string"
                 },
-                "linked_display_name": {
+                "provider_id": {
                     "type": "string"
                 },
-                "linked_user_id": {
+                "provider_type": {
                     "type": "string"
                 },
-                "linked_username": {
+                "updated_at": {
                     "type": "string"
                 }
             }
         },
-        "acl.ChannelIdentityCandidateListResponse": {
-            "type": "object",
-            "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/acl.ChannelIdentityCandidate"
-                    }
-                }
-            }
-        },
-        "acl.CreateRuleRequest": {
+        "audio.SpeechProviderResponse": {
             "type": "object",
             "properties": {
-                "channel_identity_id": {
+                "client_type": {
                     "type": "string"
                 },
-                "description": {
-                    "type": "string"
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "effect": {
+                "created_at": {
                     "type": "string"
                 },
-                "enabled": {
+                "enable": {
                     "type": "boolean"
                 },
-                "priority": {
-                    "type": "integer"
+                "icon": {
+                    "type": "string"
                 },
-                "source_scope": {
-                    "$ref": "#/definitions/acl.SourceScope"
+                "id": {
+                    "type": "string"
                 },
-                "subject_channel_type": {
+                "name": {
                     "type": "string"
                 },
-                "subject_kind": {
+                "updated_at": {
                     "type": "string"
                 }
             }
         },
-        "acl.DefaultEffectResponse": {
+        "audio.TestSynthesizeRequest": {
             "type": "object",
             "properties": {
-                "default_effect": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "text": {
                     "type": "string"
                 }
             }
         },
-        "acl.ListRulesResponse": {
+        "audio.TestTranscriptionResponse": {
             "type": "object",
             "properties": {
-                "items": {
+                "duration_seconds": {
+                    "type": "number"
+                },
+                "language": {
+                    "type": "string"
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "text": {
+                    "type": "string"
+                },
+                "words": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/acl.Rule"
+                        "$ref": "#/definitions/audio.TranscriptionWord"
                     }
                 }
             }
         },
-        "acl.ObservedConversationCandidate": {
+        "audio.TranscriptionModelResponse": {
             "type": "object",
             "properties": {
-                "channel": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "created_at": {
                     "type": "string"
                 },
-                "conversation_id": {
+                "id": {
                     "type": "string"
                 },
-                "conversation_name": {
+                "model_id": {
                     "type": "string"
                 },
-                "conversation_type": {
+                "name": {
                     "type": "string"
                 },
-                "last_observed_at": {
+                "provider_id": {
                     "type": "string"
                 },
-                "route_id": {
+                "provider_type": {
                     "type": "string"
                 },
-                "thread_id": {
+                "updated_at": {
                     "type": "string"
                 }
             }
         },
-        "acl.ObservedConversationCandidateListResponse": {
-            "type": "object",
-            "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/acl.ObservedConversationCandidate"
-                    }
-                }
-            }
-        },
-        "acl.ReorderItem": {
+        "audio.TranscriptionWord": {
             "type": "object",
             "properties": {
-                "id": {
+                "end": {
+                    "type": "number"
+                },
+                "speaker_id": {
                     "type": "string"
                 },
-                "priority": {
-                    "type": "integer"
+                "start": {
+                    "type": "number"
+                },
+                "text": {
+                    "type": "string"
                 }
             }
         },
-        "acl.ReorderRequest": {
+        "audio.UpdateSpeechModelRequest": {
             "type": "object",
             "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/acl.ReorderItem"
-                    }
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "name": {
+                    "type": "string"
                 }
             }
         },
-        "acl.Rule": {
+        "audio.VoiceInfo": {
             "type": "object",
             "properties": {
-                "action": {
-                    "type": "string"
-                },
-                "bot_id": {
+                "id": {
                     "type": "string"
                 },
-                "channel_identity_avatar_url": {
+                "lang": {
                     "type": "string"
                 },
-                "channel_identity_display_name": {
+                "name": {
                     "type": "string"
-                },
-                "channel_identity_id": {
+                }
+            }
+        },
+        "bots.Bot": {
+            "type": "object",
+            "properties": {
+                "avatar_url": {
                     "type": "string"
                 },
-                "channel_subject_id": {
-                    "type": "string"
+                "check_issue_count": {
+                    "type": "integer"
                 },
-                "channel_type": {
+                "check_state": {
                     "type": "string"
                 },
                 "created_at": {
                     "type": "string"
                 },
-                "description": {
+                "display_name": {
                     "type": "string"
                 },
-                "effect": {
+                "id": {
                     "type": "string"
                 },
-                "enabled": {
+                "is_active": {
                     "type": "boolean"
                 },
-                "id": {
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "owner_user_id": {
                     "type": "string"
                 },
-                "linked_user_avatar_url": {
+                "status": {
                     "type": "string"
                 },
-                "linked_user_display_name": {
+                "timezone": {
                     "type": "string"
                 },
-                "linked_user_id": {
+                "updated_at": {
+                    "type": "string"
+                }
+            }
+        },
+        "bots.BotCheck": {
+            "type": "object",
+            "properties": {
+                "detail": {
                     "type": "string"
                 },
-                "linked_user_username": {
+                "id": {
                     "type": "string"
                 },
-                "priority": {
-                    "type": "integer"
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "source_scope": {
-                    "$ref": "#/definitions/acl.SourceScope"
+                "status": {
+                    "type": "string"
                 },
-                "subject_channel_type": {
+                "subtitle": {
                     "type": "string"
                 },
-                "subject_kind": {
+                "summary": {
                     "type": "string"
                 },
-                "updated_at": {
+                "title_key": {
+                    "type": "string"
+                },
+                "type": {
                     "type": "string"
                 }
             }
         },
-        "acl.SourceScope": {
+        "bots.CreateBotRequest": {
             "type": "object",
             "properties": {
-                "conversation_id": {
+                "acl_preset": {
                     "type": "string"
                 },
-                "conversation_type": {
+                "avatar_url": {
                     "type": "string"
                 },
-                "thread_id": {
+                "display_name": {
+                    "type": "string"
+                },
+                "is_active": {
+                    "type": "boolean"
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "timezone": {
                     "type": "string"
                 }
             }
         },
-        "acl.UpdateRuleRequest": {
+        "bots.ListBotsResponse": {
             "type": "object",
             "properties": {
-                "channel_identity_id": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/bots.Bot"
+                    }
+                }
+            }
+        },
+        "bots.ListChecksResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/bots.BotCheck"
+                    }
+                }
+            }
+        },
+        "bots.TransferBotRequest": {
+            "type": "object",
+            "properties": {
+                "owner_user_id": {
                     "type": "string"
-                },
-                "description": {
+                }
+            }
+        },
+        "bots.UpdateBotRequest": {
+            "type": "object",
+            "properties": {
+                "avatar_url": {
                     "type": "string"
                 },
-                "effect": {
+                "display_name": {
                     "type": "string"
                 },
-                "enabled": {
+                "is_active": {
                     "type": "boolean"
                 },
-                "priority": {
-                    "type": "integer"
-                },
-                "source_scope": {
-                    "$ref": "#/definitions/acl.SourceScope"
-                },
-                "subject_channel_type": {
-                    "type": "string"
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "subject_kind": {
+                "timezone": {
                     "type": "string"
                 }
             }
         },
-        "adapters.CDFPoint": {
+        "browsercontexts.BrowserContext": {
             "type": "object",
             "properties": {
-                "cumulative": {
-                    "description": "cumulative weight fraction [0.0, 1.0]",
-                    "type": "number"
+                "config": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
                 },
-                "k": {
-                    "description": "rank position (1-based, sorted by value desc)",
-                    "type": "integer"
+                "created_at": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
                 }
             }
         },
-        "adapters.CompactResult": {
+        "browsercontexts.CreateRequest": {
             "type": "object",
             "properties": {
-                "after_count": {
-                    "type": "integer"
-                },
-                "before_count": {
-                    "type": "integer"
-                },
-                "ratio": {
-                    "type": "number"
-                },
-                "results": {
+                "config": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/adapters.MemoryItem"
+                        "type": "integer"
                     }
+                },
+                "name": {
+                    "type": "string"
                 }
             }
         },
-        "adapters.DeleteResponse": {
+        "browsercontexts.UpdateRequest": {
             "type": "object",
             "properties": {
-                "message": {
+                "config": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                },
+                "name": {
                     "type": "string"
                 }
             }
         },
-        "adapters.HealthStatus": {
+        "channel.Action": {
             "type": "object",
             "properties": {
-                "error": {
+                "label": {
                     "type": "string"
                 },
-                "ok": {
-                    "type": "boolean"
+                "type": {
+                    "type": "string"
+                },
+                "url": {
+                    "type": "string"
+                },
+                "value": {
+                    "type": "string"
                 }
             }
         },
-        "adapters.MemoryItem": {
+        "channel.Attachment": {
             "type": "object",
             "properties": {
-                "agent_id": {
+                "base64": {
+                    "description": "data URL for agent delivery",
                     "type": "string"
                 },
-                "bot_id": {
+                "caption": {
                     "type": "string"
                 },
-                "cdf_curve": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/adapters.CDFPoint"
-                    }
+                "content_hash": {
+                    "type": "string"
                 },
-                "created_at": {
+                "duration_ms": {
+                    "type": "integer"
+                },
+                "height": {
+                    "type": "integer"
+                },
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "mime": {
                     "type": "string"
                 },
-                "hash": {
+                "name": {
                     "type": "string"
                 },
-                "id": {
+                "path": {
+                    "description": "container-local filesystem path",
                     "type": "string"
                 },
-                "memory": {
+                "platform_key": {
                     "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "size": {
+                    "type": "integer"
                 },
-                "run_id": {
+                "source_platform": {
                     "type": "string"
                 },
-                "score": {
-                    "type": "number"
+                "thumbnail_url": {
+                    "type": "string"
                 },
-                "top_k_buckets": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/adapters.TopKBucket"
-                    }
+                "type": {
+                    "$ref": "#/definitions/channel.AttachmentType"
                 },
-                "updated_at": {
+                "url": {
+                    "description": "HTTP(S) or data URL",
                     "type": "string"
+                },
+                "width": {
+                    "type": "integer"
                 }
             }
         },
-        "adapters.MemoryStatusResponse": {
+        "channel.AttachmentType": {
+            "type": "string",
+            "enum": [
+                "image",
+                "audio",
+                "video",
+                "voice",
+                "file",
+                "gif"
+            ],
+            "x-enum-varnames": [
+                "AttachmentImage",
+                "AttachmentAudio",
+                "AttachmentVideo",
+                "AttachmentVoice",
+                "AttachmentFile",
+                "AttachmentGIF"
+            ]
+        },
+        "channel.ChannelCapabilities": {
             "type": "object",
             "properties": {
-                "can_manual_sync": {
+                "attachments": {
                     "type": "boolean"
                 },
-                "encoder": {
-                    "$ref": "#/definitions/adapters.HealthStatus"
+                "block_streaming": {
+                    "type": "boolean"
                 },
-                "indexed_count": {
-                    "type": "integer"
+                "buttons": {
+                    "type": "boolean"
                 },
-                "markdown_file_count": {
-                    "type": "integer"
+                "chat_types": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "memory_mode": {
-                    "type": "string"
+                "edit": {
+                    "type": "boolean"
                 },
-                "overview_path": {
-                    "type": "string"
+                "markdown": {
+                    "type": "boolean"
                 },
-                "provider_type": {
-                    "type": "string"
+                "media": {
+                    "type": "boolean"
                 },
-                "qdrant": {
-                    "$ref": "#/definitions/adapters.HealthStatus"
+                "native_commands": {
+                    "type": "boolean"
                 },
-                "qdrant_collection": {
-                    "type": "string"
+                "polls": {
+                    "type": "boolean"
                 },
-                "source_count": {
-                    "type": "integer"
+                "reactions": {
+                    "type": "boolean"
                 },
-                "source_dir": {
-                    "type": "string"
+                "reply": {
+                    "type": "boolean"
+                },
+                "rich_text": {
+                    "type": "boolean"
+                },
+                "streaming": {
+                    "type": "boolean"
+                },
+                "text": {
+                    "type": "boolean"
+                },
+                "threads": {
+                    "type": "boolean"
+                },
+                "unsend": {
+                    "type": "boolean"
                 }
             }
         },
-        "adapters.Message": {
+        "channel.ChannelConfig": {
             "type": "object",
             "properties": {
-                "content": {
+                "bot_id": {
                     "type": "string"
                 },
-                "role": {
+                "channel_type": {
+                    "$ref": "#/definitions/channel.ChannelType"
+                },
+                "created_at": {
+                    "type": "string"
+                },
+                "credentials": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "disabled": {
+                    "type": "boolean"
+                },
+                "external_identity": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "routing": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "self_identity": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "updated_at": {
+                    "type": "string"
+                },
+                "verified_at": {
                     "type": "string"
                 }
             }
         },
-        "adapters.ProviderCollectionStatus": {
+        "channel.ChannelIdentityBinding": {
             "type": "object",
             "properties": {
-                "exists": {
-                    "type": "boolean"
+                "channel_identity_id": {
+                    "type": "string"
                 },
-                "name": {
+                "channel_type": {
+                    "$ref": "#/definitions/channel.ChannelType"
+                },
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "created_at": {
                     "type": "string"
                 },
-                "points": {
-                    "type": "integer"
+                "id": {
+                    "type": "string"
                 },
-                "qdrant": {
-                    "$ref": "#/definitions/adapters.HealthStatus"
+                "updated_at": {
+                    "type": "string"
                 }
             }
         },
-        "adapters.ProviderConfigSchema": {
+        "channel.ChannelType": {
+            "type": "string",
+            "enum": [
+                "telegram",
+                "feishu",
+                "dingtalk",
+                "matrix",
+                "discord",
+                "qq",
+                "wecom",
+                "weixin",
+                "wechatoa",
+                "local",
+                "slack"
+            ],
+            "x-enum-varnames": [
+                "ChannelTypeTelegram",
+                "ChannelTypeFeishu",
+                "ChannelTypeDingtalk",
+                "ChannelTypeMatrix",
+                "ChannelTypeDiscord",
+                "ChannelTypeQQ",
+                "ChannelTypeWecom",
+                "ChannelTypeWeixin",
+                "ChannelTypeWeChatOA",
+                "ChannelTypeLocal",
+                "ChannelTypeSlack"
+            ]
+        },
+        "channel.ConfigSchema": {
             "type": "object",
             "properties": {
                 "fields": {
                     "type": "object",
                     "additionalProperties": {
-                        "$ref": "#/definitions/adapters.ProviderFieldSchema"
+                        "$ref": "#/definitions/channel.FieldSchema"
                     }
-                }
-            }
-        },
-        "adapters.ProviderCreateRequest": {
-            "type": "object",
-            "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "name": {
-                    "type": "string"
                 },
-                "provider": {
-                    "$ref": "#/definitions/adapters.ProviderType"
+                "version": {
+                    "type": "integer"
                 }
             }
         },
-        "adapters.ProviderFieldSchema": {
+        "channel.FieldSchema": {
             "type": "object",
             "properties": {
                 "description": {
                     "type": "string"
                 },
+                "enum": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                 "example": {},
-                "required": {
-                    "type": "boolean"
+                "order": {
+                    "type": "integer"
                 },
-                "secret": {
+                "required": {
                     "type": "boolean"
                 },
                 "title": {
                     "type": "string"
                 },
                 "type": {
-                    "type": "string"
+                    "$ref": "#/definitions/channel.FieldType"
                 }
             }
         },
-        "adapters.ProviderGetResponse": {
+        "channel.FieldType": {
+            "type": "string",
+            "enum": [
+                "string",
+                "secret",
+                "bool",
+                "number",
+                "enum"
+            ],
+            "x-enum-varnames": [
+                "FieldString",
+                "FieldSecret",
+                "FieldBool",
+                "FieldNumber",
+                "FieldEnum"
+            ]
+        },
+        "channel.Message": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "created_at": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
-                },
-                "is_default": {
-                    "type": "boolean"
+                "actions": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/channel.Action"
+                    }
                 },
-                "name": {
-                    "type": "string"
+                "attachments": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/channel.Attachment"
+                    }
                 },
-                "provider": {
-                    "type": "string"
+                "format": {
+                    "$ref": "#/definitions/channel.MessageFormat"
                 },
-                "updated_at": {
+                "id": {
                     "type": "string"
-                }
-            }
-        },
-        "adapters.ProviderMeta": {
-            "type": "object",
-            "properties": {
-                "config_schema": {
-                    "$ref": "#/definitions/adapters.ProviderConfigSchema"
                 },
-                "display_name": {
-                    "type": "string"
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "provider": {
-                    "type": "string"
-                }
-            }
-        },
-        "adapters.ProviderStatusResponse": {
-            "type": "object",
-            "properties": {
-                "collections": {
+                "parts": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/adapters.ProviderCollectionStatus"
+                        "$ref": "#/definitions/channel.MessagePart"
                     }
                 },
-                "embedding_model_id": {
-                    "type": "string"
+                "reply": {
+                    "$ref": "#/definitions/channel.ReplyRef"
                 },
-                "memory_mode": {
+                "text": {
                     "type": "string"
                 },
-                "provider_type": {
-                    "type": "string"
+                "thread": {
+                    "$ref": "#/definitions/channel.ThreadRef"
                 }
             }
         },
-        "adapters.ProviderType": {
+        "channel.MessageFormat": {
             "type": "string",
             "enum": [
-                "builtin",
-                "mem0",
-                "openviking"
+                "plain",
+                "markdown",
+                "rich"
             ],
             "x-enum-varnames": [
-                "ProviderBuiltin",
-                "ProviderMem0",
-                "ProviderOpenViking"
+                "MessageFormatPlain",
+                "MessageFormatMarkdown",
+                "MessageFormatRich"
             ]
         },
-        "adapters.ProviderUpdateRequest": {
+        "channel.MessagePart": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "name": {
+                "channel_identity_id": {
                     "type": "string"
-                }
-            }
-        },
-        "adapters.RebuildResult": {
-            "type": "object",
-            "properties": {
-                "fs_count": {
-                    "type": "integer"
                 },
-                "missing_count": {
-                    "type": "integer"
+                "emoji": {
+                    "type": "string"
                 },
-                "restored_count": {
-                    "type": "integer"
+                "language": {
+                    "type": "string"
                 },
-                "storage_count": {
-                    "type": "integer"
-                }
-            }
-        },
-        "adapters.SearchResponse": {
-            "type": "object",
-            "properties": {
-                "relations": {
-                    "type": "array",
-                    "items": {}
+                "metadata": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "results": {
+                "styles": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/adapters.MemoryItem"
+                        "$ref": "#/definitions/channel.MessageTextStyle"
                     }
-                }
-            }
-        },
-        "adapters.TopKBucket": {
-            "type": "object",
-            "properties": {
-                "index": {
-                    "description": "sparse dimension index (term hash)",
-                    "type": "integer"
-                },
-                "value": {
-                    "description": "weight (term frequency)",
-                    "type": "number"
-                }
-            }
-        },
-        "adapters.UsageResponse": {
-            "type": "object",
-            "properties": {
-                "avg_text_bytes": {
-                    "type": "integer"
                 },
-                "count": {
-                    "type": "integer"
+                "text": {
+                    "type": "string"
                 },
-                "estimated_storage_bytes": {
-                    "type": "integer"
+                "type": {
+                    "$ref": "#/definitions/channel.MessagePartType"
                 },
-                "total_text_bytes": {
-                    "type": "integer"
+                "url": {
+                    "type": "string"
                 }
             }
         },
-        "audio.ConfigSchema": {
-            "type": "object",
-            "properties": {
-                "fields": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.FieldSchema"
-                    }
-                }
-            }
+        "channel.MessagePartType": {
+            "type": "string",
+            "enum": [
+                "text",
+                "link",
+                "code_block",
+                "mention",
+                "emoji"
+            ],
+            "x-enum-varnames": [
+                "MessagePartText",
+                "MessagePartLink",
+                "MessagePartCodeBlock",
+                "MessagePartMention",
+                "MessagePartEmoji"
+            ]
         },
-        "audio.FieldSchema": {
+        "channel.MessageTextStyle": {
+            "type": "string",
+            "enum": [
+                "bold",
+                "italic",
+                "strikethrough",
+                "code"
+            ],
+            "x-enum-varnames": [
+                "MessageStyleBold",
+                "MessageStyleItalic",
+                "MessageStyleStrikethrough",
+                "MessageStyleCode"
+            ]
+        },
+        "channel.ReplyRef": {
             "type": "object",
             "properties": {
-                "advanced": {
-                    "type": "boolean"
-                },
-                "description": {
+                "message_id": {
                     "type": "string"
                 },
-                "enum": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
-                },
-                "example": {},
-                "key": {
+                "preview": {
                     "type": "string"
                 },
-                "order": {
-                    "type": "integer"
-                },
-                "required": {
-                    "type": "boolean"
-                },
-                "title": {
+                "sender": {
                     "type": "string"
                 },
-                "type": {
+                "target": {
                     "type": "string"
                 }
             }
         },
-        "audio.ImportModelsResponse": {
+        "channel.SendRequest": {
             "type": "object",
             "properties": {
-                "created": {
-                    "type": "integer"
+                "channel_identity_id": {
+                    "type": "string"
                 },
-                "models": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                "message": {
+                    "$ref": "#/definitions/channel.Message"
                 },
-                "skipped": {
-                    "type": "integer"
+                "target": {
+                    "type": "string"
                 }
             }
         },
-        "audio.ModelCapabilities": {
+        "channel.TargetHint": {
             "type": "object",
             "properties": {
-                "config_schema": {
-                    "$ref": "#/definitions/audio.ConfigSchema"
-                },
-                "formats": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
-                },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {
-                        "type": "string"
-                    }
-                },
-                "pitch": {
-                    "$ref": "#/definitions/audio.ParamConstraint"
+                "example": {
+                    "type": "string"
                 },
-                "speed": {
-                    "$ref": "#/definitions/audio.ParamConstraint"
+                "label": {
+                    "type": "string"
+                }
+            }
+        },
+        "channel.TargetSpec": {
+            "type": "object",
+            "properties": {
+                "format": {
+                    "type": "string"
                 },
-                "voices": {
+                "hints": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/audio.VoiceInfo"
+                        "$ref": "#/definitions/channel.TargetHint"
                     }
                 }
             }
         },
-        "audio.ModelInfo": {
+        "channel.ThreadRef": {
             "type": "object",
             "properties": {
-                "capabilities": {
-                    "$ref": "#/definitions/audio.ModelCapabilities"
-                },
-                "config_schema": {
-                    "$ref": "#/definitions/audio.ConfigSchema"
-                },
-                "description": {
-                    "type": "string"
-                },
                 "id": {
                     "type": "string"
-                },
-                "name": {
-                    "type": "string"
-                },
-                "template_only": {
-                    "type": "boolean"
                 }
             }
         },
-        "audio.ParamConstraint": {
+        "channel.UpdateChannelStatusRequest": {
             "type": "object",
             "properties": {
-                "default": {
-                    "type": "number"
-                },
-                "max": {
-                    "type": "number"
-                },
-                "min": {
-                    "type": "number"
-                },
-                "options": {
-                    "type": "array",
-                    "items": {
-                        "type": "number"
-                    }
+                "disabled": {
+                    "type": "boolean"
                 }
             }
         },
-        "audio.ProviderMetaResponse": {
+        "channel.UpsertChannelIdentityConfigRequest": {
             "type": "object",
             "properties": {
-                "config_schema": {
-                    "$ref": "#/definitions/audio.ConfigSchema"
-                },
-                "default_model": {
-                    "type": "string"
-                },
-                "default_synthesis_model": {
-                    "type": "string"
-                },
-                "default_transcription_model": {
-                    "type": "string"
-                },
-                "description": {
-                    "type": "string"
-                },
-                "display_name": {
-                    "type": "string"
-                },
-                "models": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.ModelInfo"
-                    }
-                },
-                "provider": {
-                    "type": "string"
-                },
-                "supports_synthesis_list": {
-                    "type": "boolean"
-                },
-                "supports_transcription_list": {
-                    "type": "boolean"
-                },
-                "synthesis_models": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.ModelInfo"
-                    }
-                },
-                "transcription_models": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.ModelInfo"
-                    }
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
                 }
             }
         },
-        "audio.SpeechModelResponse": {
+        "channel.UpsertConfigRequest": {
             "type": "object",
             "properties": {
-                "config": {
+                "credentials": {
                     "type": "object",
                     "additionalProperties": {}
                 },
-                "created_at": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
+                "disabled": {
+                    "type": "boolean"
                 },
-                "model_id": {
+                "external_identity": {
                     "type": "string"
                 },
-                "name": {
-                    "type": "string"
+                "routing": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "provider_id": {
-                    "type": "string"
+                "self_identity": {
+                    "type": "object",
+                    "additionalProperties": {}
                 },
-                "provider_type": {
+                "verified_at": {
                     "type": "string"
+                }
+            }
+        },
+        "compaction.ListLogsResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/compaction.Log"
+                    }
                 },
-                "updated_at": {
-                    "type": "string"
+                "total_count": {
+                    "type": "integer"
                 }
             }
         },
-        "audio.SpeechProviderResponse": {
+        "compaction.Log": {
             "type": "object",
             "properties": {
-                "client_type": {
+                "bot_id": {
                     "type": "string"
                 },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "created_at": {
+                "completed_at": {
                     "type": "string"
                 },
-                "enable": {
-                    "type": "boolean"
-                },
-                "icon": {
+                "error_message": {
                     "type": "string"
                 },
                 "id": {
                     "type": "string"
                 },
-                "name": {
-                    "type": "string"
+                "message_count": {
+                    "type": "integer"
                 },
-                "updated_at": {
+                "model_id": {
                     "type": "string"
-                }
-            }
-        },
-        "audio.TestSynthesizeRequest": {
-            "type": "object",
-            "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
                 },
-                "text": {
+                "session_id": {
                     "type": "string"
-                }
-            }
-        },
-        "audio.TestTranscriptionResponse": {
-            "type": "object",
-            "properties": {
-                "duration_seconds": {
-                    "type": "number"
                 },
-                "language": {
+                "started_at": {
                     "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "status": {
+                    "type": "string"
                 },
-                "text": {
+                "summary": {
                     "type": "string"
                 },
-                "words": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/audio.TranscriptionWord"
-                    }
-                }
+                "usage": {}
             }
         },
-        "audio.TranscriptionModelResponse": {
+        "email.BindingResponse": {
             "type": "object",
             "properties": {
+                "bot_id": {
+                    "type": "string"
+                },
+                "can_delete": {
+                    "type": "boolean"
+                },
+                "can_read": {
+                    "type": "boolean"
+                },
+                "can_write": {
+                    "type": "boolean"
+                },
                 "config": {
                     "type": "object",
                     "additionalProperties": {}
@@ -10609,19 +12634,13 @@
                 "created_at": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
-                },
-                "model_id": {
-                    "type": "string"
-                },
-                "name": {
+                "email_address": {
                     "type": "string"
                 },
-                "provider_id": {
+                "email_provider_id": {
                     "type": "string"
                 },
-                "provider_type": {
+                "id": {
                     "type": "string"
                 },
                 "updated_at": {
@@ -10629,24 +12648,42 @@
                 }
             }
         },
-        "audio.TranscriptionWord": {
+        "email.ConfigSchema": {
             "type": "object",
             "properties": {
-                "end": {
-                    "type": "number"
+                "fields": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/email.FieldSchema"
+                    }
+                }
+            }
+        },
+        "email.CreateBindingRequest": {
+            "type": "object",
+            "properties": {
+                "can_delete": {
+                    "type": "boolean"
                 },
-                "speaker_id": {
-                    "type": "string"
+                "can_read": {
+                    "type": "boolean"
                 },
-                "start": {
-                    "type": "number"
+                "can_write": {
+                    "type": "boolean"
                 },
-                "text": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "email_address": {
+                    "type": "string"
+                },
+                "email_provider_id": {
                     "type": "string"
                 }
             }
         },
-        "audio.UpdateSpeechModelRequest": {
+        "email.CreateProviderRequest": {
             "type": "object",
             "properties": {
                 "config": {
@@ -10655,1081 +12692,880 @@
                 },
                 "name": {
                     "type": "string"
+                },
+                "provider": {
+                    "type": "string"
                 }
             }
         },
-        "audio.VoiceInfo": {
+        "email.FieldSchema": {
             "type": "object",
             "properties": {
-                "id": {
+                "description": {
                     "type": "string"
                 },
-                "lang": {
+                "enum": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
+                "example": {},
+                "key": {
                     "type": "string"
                 },
-                "name": {
+                "order": {
+                    "type": "integer"
+                },
+                "required": {
+                    "type": "boolean"
+                },
+                "title": {
+                    "type": "string"
+                },
+                "type": {
                     "type": "string"
                 }
             }
         },
-        "bots.Bot": {
+        "email.OutboxItemResponse": {
             "type": "object",
             "properties": {
-                "avatar_url": {
+                "attachments": {
+                    "type": "array",
+                    "items": {}
+                },
+                "body_html": {
                     "type": "string"
                 },
-                "check_issue_count": {
-                    "type": "integer"
+                "body_text": {
+                    "type": "string"
                 },
-                "check_state": {
+                "bot_id": {
                     "type": "string"
                 },
                 "created_at": {
                     "type": "string"
                 },
-                "display_name": {
+                "error": {
+                    "type": "string"
+                },
+                "from": {
                     "type": "string"
                 },
                 "id": {
                     "type": "string"
                 },
-                "is_active": {
-                    "type": "boolean"
+                "message_id": {
+                    "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "provider_id": {
+                    "type": "string"
                 },
-                "owner_user_id": {
+                "sent_at": {
                     "type": "string"
                 },
                 "status": {
                     "type": "string"
                 },
-                "timezone": {
+                "subject": {
                     "type": "string"
                 },
-                "updated_at": {
-                    "type": "string"
+                "to": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 }
             }
         },
-        "bots.BotCheck": {
+        "email.ProviderMeta": {
             "type": "object",
             "properties": {
-                "detail": {
-                    "type": "string"
+                "config_schema": {
+                    "$ref": "#/definitions/email.ConfigSchema"
                 },
-                "id": {
+                "display_name": {
                     "type": "string"
                 },
-                "metadata": {
+                "provider": {
+                    "type": "string"
+                }
+            }
+        },
+        "email.ProviderResponse": {
+            "type": "object",
+            "properties": {
+                "config": {
                     "type": "object",
                     "additionalProperties": {}
                 },
-                "status": {
+                "created_at": {
                     "type": "string"
                 },
-                "subtitle": {
+                "id": {
                     "type": "string"
                 },
-                "summary": {
+                "name": {
                     "type": "string"
                 },
-                "title_key": {
+                "provider": {
                     "type": "string"
                 },
-                "type": {
+                "updated_at": {
                     "type": "string"
                 }
             }
         },
-        "bots.CreateBotRequest": {
+        "email.UpdateBindingRequest": {
             "type": "object",
             "properties": {
-                "acl_preset": {
-                    "type": "string"
-                },
-                "avatar_url": {
-                    "type": "string"
+                "can_delete": {
+                    "type": "boolean"
                 },
-                "display_name": {
-                    "type": "string"
+                "can_read": {
+                    "type": "boolean"
                 },
-                "is_active": {
+                "can_write": {
                     "type": "boolean"
                 },
-                "metadata": {
+                "config": {
                     "type": "object",
                     "additionalProperties": {}
                 },
-                "timezone": {
+                "email_address": {
                     "type": "string"
                 }
             }
         },
-        "bots.ListBotsResponse": {
-            "type": "object",
-            "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/bots.Bot"
-                    }
-                }
-            }
-        },
-        "bots.ListChecksResponse": {
-            "type": "object",
-            "properties": {
-                "items": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/bots.BotCheck"
-                    }
-                }
-            }
-        },
-        "bots.TransferBotRequest": {
+        "email.UpdateProviderRequest": {
             "type": "object",
             "properties": {
-                "owner_user_id": {
+                "config": {
+                    "type": "object",
+                    "additionalProperties": {}
+                },
+                "name": {
+                    "type": "string"
+                },
+                "provider": {
                     "type": "string"
                 }
             }
         },
-        "bots.UpdateBotRequest": {
+        "github_com_memohai_memoh_internal_accounts.Account": {
             "type": "object",
             "properties": {
                 "avatar_url": {
                     "type": "string"
                 },
+                "created_at": {
+                    "type": "string"
+                },
                 "display_name": {
                     "type": "string"
                 },
+                "email": {
+                    "type": "string"
+                },
+                "id": {
+                    "type": "string"
+                },
                 "is_active": {
                     "type": "boolean"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "last_login_at": {
+                    "type": "string"
                 },
                 "timezone": {
                     "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
+                },
+                "username": {
+                    "type": "string"
                 }
             }
         },
-        "browsercontexts.BrowserContext": {
+        "github_com_memohai_memoh_internal_accounts.CreateAccountRequest": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "array",
-                    "items": {
-                        "type": "integer"
-                    }
+                "avatar_url": {
+                    "type": "string"
                 },
-                "created_at": {
+                "display_name": {
                     "type": "string"
                 },
-                "id": {
+                "email": {
                     "type": "string"
                 },
-                "name": {
+                "is_active": {
+                    "type": "boolean"
+                },
+                "password": {
                     "type": "string"
                 },
-                "updated_at": {
+                "username": {
                     "type": "string"
                 }
             }
         },
-        "browsercontexts.CreateRequest": {
+        "github_com_memohai_memoh_internal_accounts.ListAccountsResponse": {
             "type": "object",
             "properties": {
-                "config": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "integer"
+                        "$ref": "#/definitions/github_com_memohai_memoh_internal_accounts.Account"
                     }
-                },
-                "name": {
+                }
+            }
+        },
+        "github_com_memohai_memoh_internal_accounts.ResetPasswordRequest": {
+            "type": "object",
+            "properties": {
+                "new_password": {
                     "type": "string"
                 }
             }
         },
-        "browsercontexts.UpdateRequest": {
+        "github_com_memohai_memoh_internal_accounts.UpdateAccountRequest": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "array",
-                    "items": {
-                        "type": "integer"
-                    }
+                "avatar_url": {
+                    "type": "string"
                 },
-                "name": {
+                "display_name": {
                     "type": "string"
+                },
+                "is_active": {
+                    "type": "boolean"
                 }
             }
         },
-        "channel.Action": {
+        "github_com_memohai_memoh_internal_accounts.UpdatePasswordRequest": {
             "type": "object",
             "properties": {
-                "label": {
+                "current_password": {
                     "type": "string"
                 },
-                "type": {
+                "new_password": {
+                    "type": "string"
+                }
+            }
+        },
+        "github_com_memohai_memoh_internal_accounts.UpdateProfileRequest": {
+            "type": "object",
+            "properties": {
+                "avatar_url": {
                     "type": "string"
                 },
-                "url": {
+                "display_name": {
                     "type": "string"
                 },
-                "value": {
+                "timezone": {
                     "type": "string"
                 }
             }
         },
-        "channel.Attachment": {
+        "github_com_memohai_memoh_internal_mcp.Connection": {
             "type": "object",
             "properties": {
-                "base64": {
-                    "description": "data URL for agent delivery",
-                    "type": "string"
-                },
-                "caption": {
+                "auth_type": {
                     "type": "string"
                 },
-                "content_hash": {
+                "bot_id": {
                     "type": "string"
                 },
-                "duration_ms": {
-                    "type": "integer"
-                },
-                "height": {
-                    "type": "integer"
-                },
-                "metadata": {
+                "config": {
                     "type": "object",
                     "additionalProperties": {}
                 },
-                "mime": {
+                "created_at": {
                     "type": "string"
                 },
-                "name": {
+                "id": {
                     "type": "string"
                 },
-                "path": {
-                    "description": "container-local filesystem path",
-                    "type": "string"
+                "is_active": {
+                    "type": "boolean"
                 },
-                "platform_key": {
+                "last_probed_at": {
                     "type": "string"
                 },
-                "size": {
-                    "type": "integer"
+                "name": {
+                    "type": "string"
                 },
-                "source_platform": {
+                "status": {
                     "type": "string"
                 },
-                "thumbnail_url": {
+                "status_message": {
                     "type": "string"
                 },
-                "type": {
-                    "$ref": "#/definitions/channel.AttachmentType"
+                "tools_cache": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/mcp.ToolDescriptor"
+                    }
                 },
-                "url": {
-                    "description": "HTTP(S) or data URL",
+                "type": {
                     "type": "string"
                 },
-                "width": {
-                    "type": "integer"
+                "updated_at": {
+                    "type": "string"
                 }
             }
         },
-        "channel.AttachmentType": {
-            "type": "string",
-            "enum": [
-                "image",
-                "audio",
-                "video",
-                "voice",
-                "file",
-                "gif"
-            ],
-            "x-enum-varnames": [
-                "AttachmentImage",
-                "AttachmentAudio",
-                "AttachmentVideo",
-                "AttachmentVoice",
-                "AttachmentFile",
-                "AttachmentGIF"
-            ]
+        "handlers.BatchDeleteRequest": {
+            "type": "object",
+            "properties": {
+                "ids": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                }
+            }
         },
-        "channel.ChannelCapabilities": {
+        "handlers.BrowserCoresResponse": {
             "type": "object",
             "properties": {
-                "attachments": {
-                    "type": "boolean"
-                },
-                "block_streaming": {
-                    "type": "boolean"
-                },
-                "buttons": {
-                    "type": "boolean"
-                },
-                "chat_types": {
+                "cores": {
                     "type": "array",
                     "items": {
                         "type": "string"
                     }
-                },
-                "edit": {
-                    "type": "boolean"
-                },
-                "markdown": {
-                    "type": "boolean"
-                },
-                "media": {
-                    "type": "boolean"
-                },
-                "native_commands": {
-                    "type": "boolean"
-                },
-                "polls": {
-                    "type": "boolean"
-                },
-                "reactions": {
-                    "type": "boolean"
-                },
-                "reply": {
-                    "type": "boolean"
-                },
-                "rich_text": {
-                    "type": "boolean"
-                },
-                "streaming": {
-                    "type": "boolean"
-                },
-                "text": {
-                    "type": "boolean"
-                },
-                "threads": {
-                    "type": "boolean"
-                },
-                "unsend": {
-                    "type": "boolean"
                 }
             }
         },
-        "channel.ChannelConfig": {
+        "handlers.CacheStats": {
             "type": "object",
             "properties": {
-                "bot_id": {
-                    "type": "string"
-                },
-                "channel_type": {
-                    "$ref": "#/definitions/channel.ChannelType"
-                },
-                "created_at": {
-                    "type": "string"
-                },
-                "credentials": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "disabled": {
-                    "type": "boolean"
-                },
-                "external_identity": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
-                },
-                "routing": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "cache_hit_rate": {
+                    "type": "number"
                 },
-                "self_identity": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "cache_read_tokens": {
+                    "type": "integer"
                 },
-                "updated_at": {
-                    "type": "string"
+                "cache_write_tokens": {
+                    "type": "integer"
                 },
-                "verified_at": {
-                    "type": "string"
+                "total_input_tokens": {
+                    "type": "integer"
                 }
             }
         },
-        "channel.ChannelIdentityBinding": {
+        "handlers.ChannelMeta": {
             "type": "object",
             "properties": {
-                "channel_identity_id": {
-                    "type": "string"
+                "capabilities": {
+                    "$ref": "#/definitions/channel.ChannelCapabilities"
                 },
-                "channel_type": {
-                    "$ref": "#/definitions/channel.ChannelType"
+                "config_schema": {
+                    "$ref": "#/definitions/channel.ConfigSchema"
                 },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "configless": {
+                    "type": "boolean"
                 },
-                "created_at": {
+                "display_name": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
+                "target_spec": {
+                    "$ref": "#/definitions/channel.TargetSpec"
                 },
-                "updated_at": {
+                "type": {
                     "type": "string"
-                }
-            }
-        },
-        "channel.ChannelType": {
-            "type": "string",
-            "enum": [
-                "telegram",
-                "feishu",
-                "dingtalk",
-                "matrix",
-                "discord",
-                "qq",
-                "wecom",
-                "weixin",
-                "wechatoa",
-                "local",
-                "slack"
-            ],
-            "x-enum-varnames": [
-                "ChannelTypeTelegram",
-                "ChannelTypeFeishu",
-                "ChannelTypeDingtalk",
-                "ChannelTypeMatrix",
-                "ChannelTypeDiscord",
-                "ChannelTypeQQ",
-                "ChannelTypeWecom",
-                "ChannelTypeWeixin",
-                "ChannelTypeWeChatOA",
-                "ChannelTypeLocal",
-                "ChannelTypeSlack"
-            ]
+                },
+                "user_config_schema": {
+                    "$ref": "#/definitions/channel.ConfigSchema"
+                }
+            }
         },
-        "channel.ConfigSchema": {
+        "handlers.ContainerCPUMetricsResponse": {
             "type": "object",
             "properties": {
-                "fields": {
-                    "type": "object",
-                    "additionalProperties": {
-                        "$ref": "#/definitions/channel.FieldSchema"
-                    }
+                "kernel_nanoseconds": {
+                    "type": "integer"
                 },
-                "version": {
+                "usage_nanocores": {
+                    "type": "integer"
+                },
+                "usage_nanoseconds": {
+                    "type": "integer"
+                },
+                "usage_percent": {
+                    "type": "number"
+                },
+                "user_nanoseconds": {
                     "type": "integer"
                 }
             }
         },
-        "channel.FieldSchema": {
+        "handlers.ContainerGPURequest": {
             "type": "object",
             "properties": {
-                "description": {
-                    "type": "string"
-                },
-                "enum": {
+                "devices": {
                     "type": "array",
                     "items": {
                         "type": "string"
                     }
+                }
+            }
+        },
+        "handlers.ContainerMemoryMetricsResponse": {
+            "type": "object",
+            "properties": {
+                "limit_bytes": {
+                    "type": "integer"
                 },
-                "example": {},
-                "order": {
+                "usage_bytes": {
                     "type": "integer"
                 },
-                "required": {
-                    "type": "boolean"
+                "usage_percent": {
+                    "type": "number"
+                }
+            }
+        },
+        "handlers.ContainerMetricsPayloadResponse": {
+            "type": "object",
+            "properties": {
+                "cpu": {
+                    "$ref": "#/definitions/handlers.ContainerCPUMetricsResponse"
                 },
-                "title": {
-                    "type": "string"
+                "memory": {
+                    "$ref": "#/definitions/handlers.ContainerMemoryMetricsResponse"
                 },
-                "type": {
-                    "$ref": "#/definitions/channel.FieldType"
+                "storage": {
+                    "$ref": "#/definitions/handlers.ContainerStorageMetricsResponse"
                 }
             }
         },
-        "channel.FieldType": {
-            "type": "string",
-            "enum": [
-                "string",
-                "secret",
-                "bool",
-                "number",
-                "enum"
-            ],
-            "x-enum-varnames": [
-                "FieldString",
-                "FieldSecret",
-                "FieldBool",
-                "FieldNumber",
-                "FieldEnum"
-            ]
+        "handlers.ContainerMetricsStatusResponse": {
+            "type": "object",
+            "properties": {
+                "exists": {
+                    "type": "boolean"
+                },
+                "task_running": {
+                    "type": "boolean"
+                }
+            }
         },
-        "channel.Message": {
+        "handlers.ContainerStorageMetricsResponse": {
             "type": "object",
             "properties": {
-                "actions": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.Action"
-                    }
+                "path": {
+                    "type": "string"
                 },
-                "attachments": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.Attachment"
-                    }
+                "used_bytes": {
+                    "type": "integer"
+                }
+            }
+        },
+        "handlers.ContextUsage": {
+            "type": "object",
+            "properties": {
+                "context_window": {
+                    "type": "integer"
                 },
-                "format": {
-                    "$ref": "#/definitions/channel.MessageFormat"
+                "used_tokens": {
+                    "type": "integer"
+                }
+            }
+        },
+        "handlers.CreateContainerRequest": {
+            "type": "object",
+            "properties": {
+                "gpu": {
+                    "$ref": "#/definitions/handlers.ContainerGPURequest"
                 },
-                "id": {
+                "image": {
                     "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "parts": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.MessagePart"
-                    }
+                "local_workspace_path": {
+                    "type": "string"
                 },
-                "reply": {
-                    "$ref": "#/definitions/channel.ReplyRef"
+                "restore_data": {
+                    "type": "boolean"
                 },
-                "text": {
+                "snapshotter": {
                     "type": "string"
                 },
-                "thread": {
-                    "$ref": "#/definitions/channel.ThreadRef"
+                "workspace_backend": {
+                    "type": "string"
                 }
             }
         },
-        "channel.MessageFormat": {
-            "type": "string",
-            "enum": [
-                "plain",
-                "markdown",
-                "rich"
-            ],
-            "x-enum-varnames": [
-                "MessageFormatPlain",
-                "MessageFormatMarkdown",
-                "MessageFormatRich"
-            ]
-        },
-        "channel.MessagePart": {
+        "handlers.CreateContainerResponse": {
             "type": "object",
             "properties": {
-                "channel_identity_id": {
-                    "type": "string"
+                "cdi_devices": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "emoji": {
+                "container_id": {
                     "type": "string"
                 },
-                "language": {
+                "container_path": {
                     "type": "string"
                 },
-                "metadata": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "data_restored": {
+                    "type": "boolean"
                 },
-                "styles": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.MessageTextStyle"
-                    }
+                "has_preserved_data": {
+                    "type": "boolean"
                 },
-                "text": {
+                "image": {
                     "type": "string"
                 },
-                "type": {
-                    "$ref": "#/definitions/channel.MessagePartType"
+                "snapshotter": {
+                    "type": "string"
                 },
-                "url": {
+                "started": {
+                    "type": "boolean"
+                },
+                "workspace_backend": {
                     "type": "string"
                 }
             }
         },
-        "channel.MessagePartType": {
-            "type": "string",
-            "enum": [
-                "text",
-                "link",
-                "code_block",
-                "mention",
-                "emoji"
-            ],
-            "x-enum-varnames": [
-                "MessagePartText",
-                "MessagePartLink",
-                "MessagePartCodeBlock",
-                "MessagePartMention",
-                "MessagePartEmoji"
-            ]
-        },
-        "channel.MessageTextStyle": {
-            "type": "string",
-            "enum": [
-                "bold",
-                "italic",
-                "strikethrough",
-                "code"
-            ],
-            "x-enum-varnames": [
-                "MessageStyleBold",
-                "MessageStyleItalic",
-                "MessageStyleStrikethrough",
-                "MessageStyleCode"
-            ]
+        "handlers.CreateSnapshotRequest": {
+            "type": "object",
+            "properties": {
+                "snapshot_name": {
+                    "type": "string"
+                }
+            }
         },
-        "channel.ReplyRef": {
+        "handlers.CreateSnapshotResponse": {
             "type": "object",
             "properties": {
-                "message_id": {
+                "container_id": {
                     "type": "string"
                 },
-                "preview": {
+                "display_name": {
                     "type": "string"
                 },
-                "sender": {
+                "runtime_snapshot_name": {
                     "type": "string"
                 },
-                "target": {
-                    "type": "string"
-                }
-            }
-        },
-        "channel.SendRequest": {
-            "type": "object",
-            "properties": {
-                "channel_identity_id": {
+                "snapshot_name": {
                     "type": "string"
                 },
-                "message": {
-                    "$ref": "#/definitions/channel.Message"
+                "snapshotter": {
+                    "type": "string"
                 },
-                "target": {
+                "source": {
                     "type": "string"
+                },
+                "version": {
+                    "type": "integer"
                 }
             }
         },
-        "channel.TargetHint": {
+        "handlers.DailyTokenUsage": {
             "type": "object",
             "properties": {
-                "example": {
-                    "type": "string"
+                "cache_read_tokens": {
+                    "type": "integer"
                 },
-                "label": {
+                "cache_write_tokens": {
+                    "type": "integer"
+                },
+                "day": {
                     "type": "string"
+                },
+                "input_tokens": {
+                    "type": "integer"
+                },
+                "output_tokens": {
+                    "type": "integer"
+                },
+                "reasoning_tokens": {
+                    "type": "integer"
                 }
             }
         },
-        "channel.TargetSpec": {
+        "handlers.ErrorResponse": {
             "type": "object",
             "properties": {
-                "format": {
+                "message": {
                     "type": "string"
-                },
-                "hints": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/channel.TargetHint"
-                    }
                 }
             }
         },
-        "channel.ThreadRef": {
+        "handlers.ExchangeSSOCodeRequest": {
             "type": "object",
             "properties": {
-                "id": {
+                "code": {
                     "type": "string"
                 }
             }
         },
-        "channel.UpdateChannelStatusRequest": {
+        "handlers.FSDeleteRequest": {
             "type": "object",
             "properties": {
-                "disabled": {
+                "path": {
+                    "type": "string"
+                },
+                "recursive": {
                     "type": "boolean"
                 }
             }
         },
-        "channel.UpsertChannelIdentityConfigRequest": {
-            "type": "object",
-            "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                }
-            }
-        },
-        "channel.UpsertConfigRequest": {
+        "handlers.FSFileInfo": {
             "type": "object",
             "properties": {
-                "credentials": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "disabled": {
+                "isDir": {
                     "type": "boolean"
                 },
-                "external_identity": {
+                "modTime": {
                     "type": "string"
                 },
-                "routing": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "mode": {
+                    "type": "string"
                 },
-                "self_identity": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "name": {
+                    "type": "string"
                 },
-                "verified_at": {
+                "path": {
                     "type": "string"
+                },
+                "size": {
+                    "type": "integer"
                 }
             }
         },
-        "compaction.ListLogsResponse": {
+        "handlers.FSListResponse": {
             "type": "object",
             "properties": {
-                "items": {
+                "entries": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/compaction.Log"
+                        "$ref": "#/definitions/handlers.FSFileInfo"
                     }
                 },
-                "total_count": {
-                    "type": "integer"
+                "path": {
+                    "type": "string"
                 }
             }
         },
-        "compaction.Log": {
+        "handlers.FSMkdirRequest": {
             "type": "object",
             "properties": {
-                "bot_id": {
-                    "type": "string"
-                },
-                "completed_at": {
-                    "type": "string"
-                },
-                "error_message": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
-                },
-                "message_count": {
-                    "type": "integer"
-                },
-                "model_id": {
-                    "type": "string"
-                },
-                "session_id": {
-                    "type": "string"
-                },
-                "started_at": {
-                    "type": "string"
-                },
-                "status": {
-                    "type": "string"
-                },
-                "summary": {
+                "path": {
                     "type": "string"
-                },
-                "usage": {}
+                }
             }
         },
-        "email.BindingResponse": {
+        "handlers.FSReadResponse": {
             "type": "object",
             "properties": {
-                "bot_id": {
-                    "type": "string"
-                },
-                "can_delete": {
-                    "type": "boolean"
-                },
-                "can_read": {
-                    "type": "boolean"
-                },
-                "can_write": {
-                    "type": "boolean"
-                },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "created_at": {
-                    "type": "string"
-                },
-                "email_address": {
-                    "type": "string"
-                },
-                "email_provider_id": {
+                "content": {
                     "type": "string"
                 },
-                "id": {
+                "path": {
                     "type": "string"
                 },
-                "updated_at": {
-                    "type": "string"
+                "size": {
+                    "type": "integer"
                 }
             }
         },
-        "email.ConfigSchema": {
+        "handlers.FSRenameRequest": {
             "type": "object",
             "properties": {
-                "fields": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/email.FieldSchema"
-                    }
+                "newPath": {
+                    "type": "string"
+                },
+                "oldPath": {
+                    "type": "string"
                 }
             }
         },
-        "email.CreateBindingRequest": {
+        "handlers.FSUploadResponse": {
             "type": "object",
             "properties": {
-                "can_delete": {
-                    "type": "boolean"
-                },
-                "can_read": {
-                    "type": "boolean"
-                },
-                "can_write": {
-                    "type": "boolean"
-                },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "email_address": {
+                "path": {
                     "type": "string"
                 },
-                "email_provider_id": {
-                    "type": "string"
+                "size": {
+                    "type": "integer"
                 }
             }
         },
-        "email.CreateProviderRequest": {
+        "handlers.FSWriteRequest": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
-                "name": {
+                "content": {
                     "type": "string"
                 },
-                "provider": {
+                "path": {
                     "type": "string"
                 }
             }
         },
-        "email.FieldSchema": {
+        "handlers.GetContainerMetricsResponse": {
             "type": "object",
             "properties": {
-                "description": {
+                "backend": {
                     "type": "string"
                 },
-                "enum": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                "metrics": {
+                    "$ref": "#/definitions/handlers.ContainerMetricsPayloadResponse"
                 },
-                "example": {},
-                "key": {
+                "sampled_at": {
                     "type": "string"
                 },
-                "order": {
-                    "type": "integer"
+                "status": {
+                    "$ref": "#/definitions/handlers.ContainerMetricsStatusResponse"
                 },
-                "required": {
+                "supported": {
                     "type": "boolean"
                 },
-                "title": {
-                    "type": "string"
-                },
-                "type": {
+                "unsupported_reason": {
                     "type": "string"
                 }
             }
         },
-        "email.OutboxItemResponse": {
+        "handlers.GetContainerResponse": {
             "type": "object",
             "properties": {
-                "attachments": {
+                "cdi_devices": {
                     "type": "array",
-                    "items": {}
-                },
-                "body_html": {
-                    "type": "string"
+                    "items": {
+                        "type": "string"
+                    }
                 },
-                "body_text": {
+                "container_id": {
                     "type": "string"
                 },
-                "bot_id": {
+                "container_path": {
                     "type": "string"
                 },
                 "created_at": {
                     "type": "string"
                 },
-                "error": {
-                    "type": "string"
-                },
-                "from": {
-                    "type": "string"
-                },
-                "id": {
-                    "type": "string"
+                "has_preserved_data": {
+                    "type": "boolean"
                 },
-                "message_id": {
+                "image": {
                     "type": "string"
                 },
-                "provider_id": {
-                    "type": "string"
+                "legacy": {
+                    "type": "boolean"
                 },
-                "sent_at": {
+                "namespace": {
                     "type": "string"
                 },
                 "status": {
                     "type": "string"
                 },
-                "subject": {
+                "task_running": {
+                    "type": "boolean"
+                },
+                "updated_at": {
                     "type": "string"
                 },
-                "to": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                "workspace_backend": {
+                    "type": "string"
                 }
             }
         },
-        "email.ProviderMeta": {
+        "handlers.IAMGroupMemberRequest": {
             "type": "object",
             "properties": {
-                "config_schema": {
-                    "$ref": "#/definitions/email.ConfigSchema"
+                "provider_id": {
+                    "type": "string"
                 },
-                "display_name": {
+                "source": {
                     "type": "string"
                 },
-                "provider": {
+                "user_id": {
                     "type": "string"
                 }
             }
         },
-        "email.ProviderResponse": {
+        "handlers.IAMGroupMemberResponse": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
                 "created_at": {
                     "type": "string"
                 },
-                "id": {
+                "display_name": {
                     "type": "string"
                 },
-                "name": {
+                "email": {
                     "type": "string"
                 },
-                "provider": {
+                "group_id": {
                     "type": "string"
                 },
-                "updated_at": {
+                "provider_id": {
                     "type": "string"
-                }
-            }
-        },
-        "email.UpdateBindingRequest": {
-            "type": "object",
-            "properties": {
-                "can_delete": {
-                    "type": "boolean"
-                },
-                "can_read": {
-                    "type": "boolean"
                 },
-                "can_write": {
-                    "type": "boolean"
+                "source": {
+                    "type": "string"
                 },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "user_id": {
+                    "type": "string"
                 },
-                "email_address": {
+                "username": {
                     "type": "string"
                 }
             }
         },
-        "email.UpdateProviderRequest": {
+        "handlers.IAMGroupRequest": {
             "type": "object",
             "properties": {
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
+                "display_name": {
+                    "type": "string"
                 },
-                "name": {
+                "external_id": {
                     "type": "string"
                 },
-                "provider": {
+                "key": {
+                    "type": "string"
+                },
+                "metadata": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                },
+                "source": {
                     "type": "string"
                 }
             }
         },
-        "github_com_memohai_memoh_internal_mcp.Connection": {
+        "handlers.IAMGroupResponse": {
             "type": "object",
             "properties": {
-                "auth_type": {
-                    "type": "string"
-                },
-                "bot_id": {
-                    "type": "string"
-                },
-                "config": {
-                    "type": "object",
-                    "additionalProperties": {}
-                },
                 "created_at": {
                     "type": "string"
                 },
-                "id": {
-                    "type": "string"
-                },
-                "is_active": {
-                    "type": "boolean"
-                },
-                "last_probed_at": {
+                "display_name": {
                     "type": "string"
                 },
-                "name": {
+                "external_id": {
                     "type": "string"
                 },
-                "status": {
+                "id": {
                     "type": "string"
                 },
-                "status_message": {
+                "key": {
                     "type": "string"
                 },
-                "tools_cache": {
+                "metadata": {
                     "type": "array",
                     "items": {
-                        "$ref": "#/definitions/mcp.ToolDescriptor"
+                        "type": "integer"
                     }
                 },
-                "type": {
+                "source": {
                     "type": "string"
                 },
                 "updated_at": {
@@ -11737,452 +13573,274 @@
                 }
             }
         },
-        "handlers.BatchDeleteRequest": {
+        "handlers.IAMListGroupMembersResponse": {
             "type": "object",
             "properties": {
-                "ids": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "$ref": "#/definitions/handlers.IAMGroupMemberResponse"
                     }
                 }
             }
         },
-        "handlers.BrowserCoresResponse": {
+        "handlers.IAMListGroupsResponse": {
             "type": "object",
             "properties": {
-                "cores": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "$ref": "#/definitions/handlers.IAMGroupResponse"
                     }
                 }
             }
         },
-        "handlers.CacheStats": {
-            "type": "object",
-            "properties": {
-                "cache_hit_rate": {
-                    "type": "number"
-                },
-                "cache_read_tokens": {
-                    "type": "integer"
-                },
-                "cache_write_tokens": {
-                    "type": "integer"
-                },
-                "total_input_tokens": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.ChannelMeta": {
-            "type": "object",
-            "properties": {
-                "capabilities": {
-                    "$ref": "#/definitions/channel.ChannelCapabilities"
-                },
-                "config_schema": {
-                    "$ref": "#/definitions/channel.ConfigSchema"
-                },
-                "configless": {
-                    "type": "boolean"
-                },
-                "display_name": {
-                    "type": "string"
-                },
-                "target_spec": {
-                    "$ref": "#/definitions/channel.TargetSpec"
-                },
-                "type": {
-                    "type": "string"
-                },
-                "user_config_schema": {
-                    "$ref": "#/definitions/channel.ConfigSchema"
-                }
-            }
-        },
-        "handlers.ContainerCPUMetricsResponse": {
-            "type": "object",
-            "properties": {
-                "kernel_nanoseconds": {
-                    "type": "integer"
-                },
-                "usage_nanocores": {
-                    "type": "integer"
-                },
-                "usage_nanoseconds": {
-                    "type": "integer"
-                },
-                "usage_percent": {
-                    "type": "number"
-                },
-                "user_nanoseconds": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.ContainerGPURequest": {
+        "handlers.IAMListPrincipalRolesResponse": {
             "type": "object",
             "properties": {
-                "devices": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "$ref": "#/definitions/handlers.IAMPrincipalRoleResponse"
                     }
                 }
             }
         },
-        "handlers.ContainerMemoryMetricsResponse": {
-            "type": "object",
-            "properties": {
-                "limit_bytes": {
-                    "type": "integer"
-                },
-                "usage_bytes": {
-                    "type": "integer"
-                },
-                "usage_percent": {
-                    "type": "number"
-                }
-            }
-        },
-        "handlers.ContainerMetricsPayloadResponse": {
-            "type": "object",
-            "properties": {
-                "cpu": {
-                    "$ref": "#/definitions/handlers.ContainerCPUMetricsResponse"
-                },
-                "memory": {
-                    "$ref": "#/definitions/handlers.ContainerMemoryMetricsResponse"
-                },
-                "storage": {
-                    "$ref": "#/definitions/handlers.ContainerStorageMetricsResponse"
-                }
-            }
-        },
-        "handlers.ContainerMetricsStatusResponse": {
-            "type": "object",
-            "properties": {
-                "exists": {
-                    "type": "boolean"
-                },
-                "task_running": {
-                    "type": "boolean"
-                }
-            }
-        },
-        "handlers.ContainerStorageMetricsResponse": {
-            "type": "object",
-            "properties": {
-                "path": {
-                    "type": "string"
-                },
-                "used_bytes": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.ContextUsage": {
+        "handlers.IAMListRolesResponse": {
             "type": "object",
             "properties": {
-                "context_window": {
-                    "type": "integer"
-                },
-                "used_tokens": {
-                    "type": "integer"
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/handlers.IAMRoleResponse"
+                    }
                 }
             }
         },
-        "handlers.CreateContainerRequest": {
+        "handlers.IAMListSSOGroupMappingsResponse": {
             "type": "object",
             "properties": {
-                "gpu": {
-                    "$ref": "#/definitions/handlers.ContainerGPURequest"
-                },
-                "image": {
-                    "type": "string"
-                },
-                "local_workspace_path": {
-                    "type": "string"
-                },
-                "restore_data": {
-                    "type": "boolean"
-                },
-                "snapshotter": {
-                    "type": "string"
-                },
-                "workspace_backend": {
-                    "type": "string"
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/handlers.IAMSSOGroupMappingResponse"
+                    }
                 }
             }
         },
-        "handlers.CreateContainerResponse": {
+        "handlers.IAMListSSOProvidersResponse": {
             "type": "object",
             "properties": {
-                "cdi_devices": {
+                "items": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "$ref": "#/definitions/handlers.IAMSSOProviderResponse"
                     }
-                },
-                "container_id": {
-                    "type": "string"
-                },
-                "container_path": {
-                    "type": "string"
-                },
-                "data_restored": {
-                    "type": "boolean"
-                },
-                "has_preserved_data": {
-                    "type": "boolean"
-                },
-                "image": {
-                    "type": "string"
-                },
-                "snapshotter": {
-                    "type": "string"
-                },
-                "started": {
-                    "type": "boolean"
-                },
-                "workspace_backend": {
-                    "type": "string"
                 }
             }
         },
-        "handlers.CreateSnapshotRequest": {
+        "handlers.IAMPrincipalRoleRequest": {
             "type": "object",
             "properties": {
-                "snapshot_name": {
+                "principal_id": {
+                    "type": "string"
+                },
+                "principal_type": {
+                    "type": "string"
+                },
+                "role_key": {
                     "type": "string"
                 }
             }
         },
-        "handlers.CreateSnapshotResponse": {
+        "handlers.IAMPrincipalRoleResponse": {
             "type": "object",
             "properties": {
-                "container_id": {
+                "created_at": {
                     "type": "string"
                 },
-                "display_name": {
+                "group_display_name": {
                     "type": "string"
                 },
-                "runtime_snapshot_name": {
+                "group_key": {
                     "type": "string"
                 },
-                "snapshot_name": {
+                "id": {
                     "type": "string"
                 },
-                "snapshotter": {
+                "principal_id": {
                     "type": "string"
                 },
-                "source": {
+                "principal_type": {
                     "type": "string"
                 },
-                "version": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.DailyTokenUsage": {
-            "type": "object",
-            "properties": {
-                "cache_read_tokens": {
-                    "type": "integer"
-                },
-                "cache_write_tokens": {
-                    "type": "integer"
-                },
-                "day": {
+                "provider_id": {
                     "type": "string"
                 },
-                "input_tokens": {
-                    "type": "integer"
-                },
-                "output_tokens": {
-                    "type": "integer"
-                },
-                "reasoning_tokens": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.ErrorResponse": {
-            "type": "object",
-            "properties": {
-                "message": {
+                "resource_id": {
                     "type": "string"
-                }
-            }
-        },
-        "handlers.FSDeleteRequest": {
-            "type": "object",
-            "properties": {
-                "path": {
+                },
+                "resource_type": {
                     "type": "string"
                 },
-                "recursive": {
-                    "type": "boolean"
-                }
-            }
-        },
-        "handlers.FSFileInfo": {
-            "type": "object",
-            "properties": {
-                "isDir": {
-                    "type": "boolean"
+                "role_id": {
+                    "type": "string"
                 },
-                "modTime": {
+                "role_key": {
                     "type": "string"
                 },
-                "mode": {
+                "role_scope": {
                     "type": "string"
                 },
-                "name": {
+                "source": {
                     "type": "string"
                 },
-                "path": {
+                "user_display_name": {
                     "type": "string"
                 },
-                "size": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.FSListResponse": {
-            "type": "object",
-            "properties": {
-                "entries": {
-                    "type": "array",
-                    "items": {
-                        "$ref": "#/definitions/handlers.FSFileInfo"
-                    }
+                "user_email": {
+                    "type": "string"
                 },
-                "path": {
+                "user_username": {
                     "type": "string"
                 }
             }
         },
-        "handlers.FSMkdirRequest": {
+        "handlers.IAMRoleResponse": {
             "type": "object",
             "properties": {
-                "path": {
+                "created_at": {
                     "type": "string"
-                }
-            }
-        },
-        "handlers.FSReadResponse": {
-            "type": "object",
-            "properties": {
-                "content": {
+                },
+                "id": {
                     "type": "string"
                 },
-                "path": {
+                "is_system": {
+                    "type": "boolean"
+                },
+                "key": {
                     "type": "string"
                 },
-                "size": {
-                    "type": "integer"
+                "scope": {
+                    "type": "string"
                 }
             }
         },
-        "handlers.FSRenameRequest": {
+        "handlers.IAMSSOGroupMappingRequest": {
             "type": "object",
             "properties": {
-                "newPath": {
+                "external_group": {
                     "type": "string"
                 },
-                "oldPath": {
+                "group_id": {
                     "type": "string"
                 }
             }
         },
-        "handlers.FSUploadResponse": {
+        "handlers.IAMSSOGroupMappingResponse": {
             "type": "object",
             "properties": {
-                "path": {
+                "created_at": {
                     "type": "string"
                 },
-                "size": {
-                    "type": "integer"
-                }
-            }
-        },
-        "handlers.FSWriteRequest": {
-            "type": "object",
-            "properties": {
-                "content": {
+                "external_group": {
                     "type": "string"
                 },
-                "path": {
+                "group_display_name": {
+                    "type": "string"
+                },
+                "group_id": {
+                    "type": "string"
+                },
+                "group_key": {
+                    "type": "string"
+                },
+                "provider_id": {
                     "type": "string"
                 }
             }
         },
-        "handlers.GetContainerMetricsResponse": {
+        "handlers.IAMSSOProviderRequest": {
             "type": "object",
             "properties": {
-                "backend": {
+                "attribute_mapping": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                },
+                "config": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
+                },
+                "email_linking_policy": {
                     "type": "string"
                 },
-                "metrics": {
-                    "$ref": "#/definitions/handlers.ContainerMetricsPayloadResponse"
+                "enabled": {
+                    "type": "boolean"
                 },
-                "sampled_at": {
+                "jit_enabled": {
+                    "type": "boolean"
+                },
+                "key": {
                     "type": "string"
                 },
-                "status": {
-                    "$ref": "#/definitions/handlers.ContainerMetricsStatusResponse"
+                "name": {
+                    "type": "string"
                 },
-                "supported": {
+                "trust_email": {
                     "type": "boolean"
                 },
-                "unsupported_reason": {
+                "type": {
                     "type": "string"
                 }
             }
         },
-        "handlers.GetContainerResponse": {
+        "handlers.IAMSSOProviderResponse": {
             "type": "object",
             "properties": {
-                "cdi_devices": {
+                "attribute_mapping": {
                     "type": "array",
                     "items": {
-                        "type": "string"
+                        "type": "integer"
                     }
                 },
-                "container_id": {
-                    "type": "string"
+                "config": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    }
                 },
-                "container_path": {
+                "created_at": {
                     "type": "string"
                 },
-                "created_at": {
+                "email_linking_policy": {
                     "type": "string"
                 },
-                "has_preserved_data": {
+                "enabled": {
                     "type": "boolean"
                 },
-                "image": {
+                "id": {
                     "type": "string"
                 },
-                "legacy": {
+                "jit_enabled": {
                     "type": "boolean"
                 },
-                "namespace": {
+                "key": {
                     "type": "string"
                 },
-                "status": {
+                "name": {
                     "type": "string"
                 },
-                "task_running": {
+                "trust_email": {
                     "type": "boolean"
                 },
-                "updated_at": {
+                "type": {
                     "type": "string"
                 },
-                "workspace_backend": {
+                "updated_at": {
                     "type": "string"
                 }
             }
@@ -12209,6 +13867,17 @@
                 }
             }
         },
+        "handlers.ListSSOProvidersResponse": {
+            "type": "object",
+            "properties": {
+                "items": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/handlers.SSOProviderResponse"
+                    }
+                }
+            }
+        },
         "handlers.ListSnapshotsResponse": {
             "type": "object",
             "properties": {
@@ -12260,7 +13929,7 @@
                 "expires_at": {
                     "type": "string"
                 },
-                "role": {
+                "session_id": {
                     "type": "string"
                 },
                 "timezone": {
@@ -12343,6 +14012,14 @@
                 }
             }
         },
+        "handlers.OIDCStartResponse": {
+            "type": "object",
+            "properties": {
+                "redirect_url": {
+                    "type": "string"
+                }
+            }
+        },
         "handlers.PingResponse": {
             "type": "object",
             "properties": {
@@ -12408,6 +14085,26 @@
                 }
             }
         },
+        "handlers.SSOProviderResponse": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                },
+                "id": {
+                    "type": "string"
+                },
+                "key": {
+                    "type": "string"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "type": {
+                    "$ref": "#/definitions/sso.ProviderType"
+                }
+            }
+        },
         "handlers.SessionInfoResponse": {
             "type": "object",
             "properties": {
@@ -14368,6 +16065,17 @@
                     "type": "string"
                 }
             }
+        },
+        "sso.ProviderType": {
+            "type": "string",
+            "enum": [
+                "oidc",
+                "saml"
+            ],
+            "x-enum-varnames": [
+                "ProviderTypeOIDC",
+                "ProviderTypeSAML"
+            ]
         }
     }
 }
\ No newline at end of file
diff --git a/spec/swagger.yaml b/spec/swagger.yaml
index cc4ec1620..0ef5c620b 100644
--- a/spec/swagger.yaml
+++ b/spec/swagger.yaml
@@ -1,85 +1,4 @@
 definitions:
-  accounts.Account:
-    properties:
-      avatar_url:
-        type: string
-      created_at:
-        type: string
-      display_name:
-        type: string
-      email:
-        type: string
-      id:
-        type: string
-      is_active:
-        type: boolean
-      last_login_at:
-        type: string
-      role:
-        type: string
-      timezone:
-        type: string
-      updated_at:
-        type: string
-      username:
-        type: string
-    type: object
-  accounts.CreateAccountRequest:
-    properties:
-      avatar_url:
-        type: string
-      display_name:
-        type: string
-      email:
-        type: string
-      is_active:
-        type: boolean
-      password:
-        type: string
-      role:
-        type: string
-      username:
-        type: string
-    type: object
-  accounts.ListAccountsResponse:
-    properties:
-      items:
-        items:
-          $ref: '#/definitions/accounts.Account'
-        type: array
-    type: object
-  accounts.ResetPasswordRequest:
-    properties:
-      new_password:
-        type: string
-    type: object
-  accounts.UpdateAccountRequest:
-    properties:
-      avatar_url:
-        type: string
-      display_name:
-        type: string
-      is_active:
-        type: boolean
-      role:
-        type: string
-    type: object
-  accounts.UpdatePasswordRequest:
-    properties:
-      current_password:
-        type: string
-      new_password:
-        type: string
-    type: object
-  accounts.UpdateProfileRequest:
-    properties:
-      avatar_url:
-        type: string
-      display_name:
-        type: string
-      timezone:
-        type: string
-    type: object
   acl.ChannelIdentityCandidate:
     properties:
       avatar_url:
@@ -1416,6 +1335,81 @@ definitions:
       provider:
         type: string
     type: object
+  github_com_memohai_memoh_internal_accounts.Account:
+    properties:
+      avatar_url:
+        type: string
+      created_at:
+        type: string
+      display_name:
+        type: string
+      email:
+        type: string
+      id:
+        type: string
+      is_active:
+        type: boolean
+      last_login_at:
+        type: string
+      timezone:
+        type: string
+      updated_at:
+        type: string
+      username:
+        type: string
+    type: object
+  github_com_memohai_memoh_internal_accounts.CreateAccountRequest:
+    properties:
+      avatar_url:
+        type: string
+      display_name:
+        type: string
+      email:
+        type: string
+      is_active:
+        type: boolean
+      password:
+        type: string
+      username:
+        type: string
+    type: object
+  github_com_memohai_memoh_internal_accounts.ListAccountsResponse:
+    properties:
+      items:
+        items:
+          $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.Account'
+        type: array
+    type: object
+  github_com_memohai_memoh_internal_accounts.ResetPasswordRequest:
+    properties:
+      new_password:
+        type: string
+    type: object
+  github_com_memohai_memoh_internal_accounts.UpdateAccountRequest:
+    properties:
+      avatar_url:
+        type: string
+      display_name:
+        type: string
+      is_active:
+        type: boolean
+    type: object
+  github_com_memohai_memoh_internal_accounts.UpdatePasswordRequest:
+    properties:
+      current_password:
+        type: string
+      new_password:
+        type: string
+    type: object
+  github_com_memohai_memoh_internal_accounts.UpdateProfileRequest:
+    properties:
+      avatar_url:
+        type: string
+      display_name:
+        type: string
+      timezone:
+        type: string
+    type: object
   github_com_memohai_memoh_internal_mcp.Connection:
     properties:
       auth_type:
@@ -1629,6 +1623,11 @@ definitions:
       message:
         type: string
     type: object
+  handlers.ExchangeSSOCodeRequest:
+    properties:
+      code:
+        type: string
+    type: object
   handlers.FSDeleteRequest:
     properties:
       path:
@@ -1739,1098 +1738,857 @@ definitions:
       workspace_backend:
         type: string
     type: object
-  handlers.InstallMcpRequest:
-    properties:
-      env:
-        additionalProperties:
-          type: string
-        type: object
-      mcp_id:
-        type: string
-    type: object
-  handlers.InstallSkillRequest:
-    properties:
-      skill_id:
-        type: string
-    type: object
-  handlers.ListSnapshotsResponse:
-    properties:
-      snapshots:
-        items:
-          $ref: '#/definitions/handlers.SnapshotInfo'
-        type: array
-      snapshotter:
-        type: string
-    type: object
-  handlers.LocalChannelMessageRequest:
+  handlers.IAMGroupMemberRequest:
     properties:
-      message:
-        $ref: '#/definitions/channel.Message'
-      model_id:
-        type: string
-      reasoning_effort:
+      provider_id:
         type: string
-    type: object
-  handlers.LoginRequest:
-    properties:
-      password:
+      source:
         type: string
-      username:
+      user_id:
         type: string
     type: object
-  handlers.LoginResponse:
+  handlers.IAMGroupMemberResponse:
     properties:
-      access_token:
+      created_at:
         type: string
       display_name:
         type: string
-      expires_at:
+      email:
         type: string
-      role:
+      group_id:
         type: string
-      timezone:
+      provider_id:
         type: string
-      token_type:
+      source:
         type: string
       user_id:
         type: string
       username:
         type: string
     type: object
-  handlers.MCPStdioRequest:
+  handlers.IAMGroupRequest:
     properties:
-      args:
-        items:
-          type: string
-        type: array
-      command:
-        type: string
-      cwd:
+      display_name:
         type: string
-      env:
-        additionalProperties:
-          type: string
-        type: object
-      name:
+      external_id:
         type: string
-    type: object
-  handlers.MCPStdioResponse:
-    properties:
-      connection_id:
+      key:
         type: string
-      tools:
+      metadata:
         items:
-          type: string
+          type: integer
         type: array
-      url:
+      source:
         type: string
     type: object
-  handlers.ModelTokenUsage:
+  handlers.IAMGroupResponse:
     properties:
-      input_tokens:
-        type: integer
-      model_id:
-        type: string
-      model_name:
+      created_at:
         type: string
-      model_slug:
+      display_name:
         type: string
-      output_tokens:
-        type: integer
-      provider_name:
+      external_id:
         type: string
-    type: object
-  handlers.PingResponse:
-    properties:
-      commit_hash:
+      id:
         type: string
-      container_backend:
+      key:
         type: string
-      local_workspace_enabled:
-        type: boolean
-      snapshot_supported:
-        type: boolean
-      status:
+      metadata:
+        items:
+          type: integer
+        type: array
+      source:
         type: string
-      version:
+      updated_at:
         type: string
     type: object
-  handlers.ProbeResponse:
+  handlers.IAMListGroupMembersResponse:
     properties:
-      auth_required:
-        type: boolean
-      error:
-        type: string
-      status:
-        type: string
-      tools:
+      items:
         items:
-          $ref: '#/definitions/mcp.ToolDescriptor'
+          $ref: '#/definitions/handlers.IAMGroupMemberResponse'
         type: array
     type: object
-  handlers.RefreshResponse:
-    properties:
-      access_token:
-        type: string
-      expires_at:
-        type: string
-      token_type:
-        type: string
-    type: object
-  handlers.RollbackRequest:
-    properties:
-      version:
-        type: integer
-    type: object
-  handlers.SessionInfoResponse:
+  handlers.IAMListGroupsResponse:
     properties:
-      cache_stats:
-        $ref: '#/definitions/handlers.CacheStats'
-      context_usage:
-        $ref: '#/definitions/handlers.ContextUsage'
-      message_count:
-        type: integer
-      skills:
+      items:
         items:
-          type: string
+          $ref: '#/definitions/handlers.IAMGroupResponse'
         type: array
     type: object
-  handlers.SkillItem:
-    properties:
-      content:
-        type: string
-      description:
-        type: string
-      managed:
-        type: boolean
-      metadata:
-        additionalProperties: {}
-        type: object
-      name:
-        type: string
-      raw:
-        type: string
-      shadowed_by:
-        type: string
-      source_kind:
-        type: string
-      source_path:
-        type: string
-      source_root:
-        type: string
-      state:
-        type: string
-    type: object
-  handlers.SkillsActionRequest:
+  handlers.IAMListPrincipalRolesResponse:
     properties:
-      action:
-        type: string
-      target_path:
-        type: string
+      items:
+        items:
+          $ref: '#/definitions/handlers.IAMPrincipalRoleResponse'
+        type: array
     type: object
-  handlers.SkillsDeleteRequest:
+  handlers.IAMListRolesResponse:
     properties:
-      names:
+      items:
         items:
-          type: string
+          $ref: '#/definitions/handlers.IAMRoleResponse'
         type: array
     type: object
-  handlers.SkillsResponse:
+  handlers.IAMListSSOGroupMappingsResponse:
     properties:
-      skills:
+      items:
         items:
-          $ref: '#/definitions/handlers.SkillItem'
+          $ref: '#/definitions/handlers.IAMSSOGroupMappingResponse'
         type: array
     type: object
-  handlers.SkillsUpsertRequest:
+  handlers.IAMListSSOProvidersResponse:
     properties:
-      skills:
+      items:
         items:
-          type: string
+          $ref: '#/definitions/handlers.IAMSSOProviderResponse'
         type: array
     type: object
-  handlers.SnapshotInfo:
+  handlers.IAMPrincipalRoleRequest:
+    properties:
+      principal_id:
+        type: string
+      principal_type:
+        type: string
+      role_key:
+        type: string
+    type: object
+  handlers.IAMPrincipalRoleResponse:
     properties:
       created_at:
         type: string
-      display_name:
+      group_display_name:
         type: string
-      kind:
+      group_key:
         type: string
-      labels:
-        additionalProperties:
-          type: string
-        type: object
-      managed:
-        type: boolean
-      name:
+      id:
         type: string
-      parent:
+      principal_id:
         type: string
-      runtime_snapshot_name:
+      principal_type:
         type: string
-      snapshotter:
+      provider_id:
+        type: string
+      resource_id:
+        type: string
+      resource_type:
+        type: string
+      role_id:
+        type: string
+      role_key:
+        type: string
+      role_scope:
         type: string
       source:
         type: string
-      updated_at:
+      user_display_name:
         type: string
-      version:
-        type: integer
-    type: object
-  handlers.SupermarketAuthor:
-    properties:
-      email:
+      user_email:
         type: string
-      name:
+      user_username:
         type: string
     type: object
-  handlers.SupermarketConfigVar:
+  handlers.IAMRoleResponse:
     properties:
-      defaultValue:
+      created_at:
         type: string
-      description:
+      id:
         type: string
+      is_system:
+        type: boolean
       key:
         type: string
+      scope:
+        type: string
     type: object
-  handlers.SupermarketMcpEntry:
+  handlers.IAMSSOGroupMappingRequest:
     properties:
-      args:
-        items:
-          type: string
-        type: array
-      author:
-        $ref: '#/definitions/handlers.SupermarketAuthor'
-      command:
+      external_group:
         type: string
-      description:
+      group_id:
         type: string
-      env:
-        items:
-          $ref: '#/definitions/handlers.SupermarketConfigVar'
-        type: array
-      headers:
-        items:
-          $ref: '#/definitions/handlers.SupermarketConfigVar'
-        type: array
-      homepage:
+    type: object
+  handlers.IAMSSOGroupMappingResponse:
+    properties:
+      created_at:
         type: string
-      icon:
+      external_group:
         type: string
-      id:
+      group_display_name:
         type: string
-      name:
+      group_id:
         type: string
-      tags:
-        items:
-          type: string
-        type: array
-      transport:
+      group_key:
         type: string
-      url:
+      provider_id:
         type: string
     type: object
-  handlers.SupermarketMcpListResponse:
+  handlers.IAMSSOProviderRequest:
     properties:
-      data:
+      attribute_mapping:
         items:
-          $ref: '#/definitions/handlers.SupermarketMcpEntry'
+          type: integer
         type: array
-      limit:
-        type: integer
-      page:
-        type: integer
-      total:
-        type: integer
-    type: object
-  handlers.SupermarketSkillEntry:
-    properties:
-      content:
-        type: string
-      description:
-        type: string
-      files:
+      config:
         items:
-          type: string
+          type: integer
         type: array
-      id:
+      email_linking_policy:
+        type: string
+      enabled:
+        type: boolean
+      jit_enabled:
+        type: boolean
+      key:
         type: string
-      metadata:
-        $ref: '#/definitions/handlers.SupermarketSkillMetadata'
       name:
         type: string
+      trust_email:
+        type: boolean
+      type:
+        type: string
     type: object
-  handlers.SupermarketSkillListResponse:
-    properties:
-      data:
-        items:
-          $ref: '#/definitions/handlers.SupermarketSkillEntry'
-        type: array
-      limit:
-        type: integer
-      page:
-        type: integer
-      total:
-        type: integer
-    type: object
-  handlers.SupermarketSkillMetadata:
+  handlers.IAMSSOProviderResponse:
     properties:
-      author:
-        $ref: '#/definitions/handlers.SupermarketAuthor'
-      homepage:
-        type: string
-      tags:
+      attribute_mapping:
         items:
-          type: string
+          type: integer
         type: array
-    type: object
-  handlers.SupermarketTagsResponse:
-    properties:
-      tags:
+      config:
         items:
-          type: string
+          type: integer
         type: array
-    type: object
-  handlers.TokenUsageRecord:
-    properties:
-      cache_read_tokens:
-        type: integer
-      cache_write_tokens:
-        type: integer
       created_at:
         type: string
+      email_linking_policy:
+        type: string
+      enabled:
+        type: boolean
       id:
         type: string
-      input_tokens:
-        type: integer
-      model_id:
+      jit_enabled:
+        type: boolean
+      key:
         type: string
-      model_name:
+      name:
         type: string
-      model_slug:
+      trust_email:
+        type: boolean
+      type:
         type: string
-      output_tokens:
-        type: integer
-      provider_name:
+      updated_at:
         type: string
-      reasoning_tokens:
-        type: integer
-      session_id:
+    type: object
+  handlers.InstallMcpRequest:
+    properties:
+      env:
+        additionalProperties:
+          type: string
+        type: object
+      mcp_id:
         type: string
-      session_type:
+    type: object
+  handlers.InstallSkillRequest:
+    properties:
+      skill_id:
         type: string
     type: object
-  handlers.TokenUsageRecordsResponse:
+  handlers.ListSSOProvidersResponse:
     properties:
       items:
         items:
-          $ref: '#/definitions/handlers.TokenUsageRecord'
+          $ref: '#/definitions/handlers.SSOProviderResponse'
         type: array
-      total:
-        type: integer
     type: object
-  handlers.TokenUsageResponse:
+  handlers.ListSnapshotsResponse:
     properties:
-      by_model:
-        items:
-          $ref: '#/definitions/handlers.ModelTokenUsage'
-        type: array
-      chat:
+      snapshots:
         items:
-          $ref: '#/definitions/handlers.DailyTokenUsage'
+          $ref: '#/definitions/handlers.SnapshotInfo'
         type: array
-      heartbeat:
-        items:
-          $ref: '#/definitions/handlers.DailyTokenUsage'
-        type: array
-      schedule:
-        items:
-          $ref: '#/definitions/handlers.DailyTokenUsage'
-        type: array
-    type: object
-  handlers.ToolApprovalDecisionRequest:
-    properties:
-      reason:
+      snapshotter:
         type: string
     type: object
-  handlers.TriggerCompactResponse:
+  handlers.LocalChannelMessageRequest:
     properties:
-      message_count:
-        type: integer
-      status:
+      message:
+        $ref: '#/definitions/channel.Message'
+      model_id:
         type: string
-      summary:
+      reasoning_effort:
         type: string
     type: object
-  handlers.createSessionRequest:
+  handlers.LoginRequest:
     properties:
-      channel_type:
+      password:
         type: string
-      metadata:
-        additionalProperties: {}
-        type: object
-      title:
+      username:
         type: string
     type: object
-  handlers.emailOAuthStatusResponse:
+  handlers.LoginResponse:
     properties:
-      configured:
-        type: boolean
-      email_address:
+      access_token:
+        type: string
+      display_name:
         type: string
-      expired:
-        type: boolean
       expires_at:
         type: string
-      has_token:
-        type: boolean
-      provider:
+      session_id:
         type: string
-    type: object
-  handlers.fsOpResponse:
-    properties:
-      ok:
-        type: boolean
-    type: object
-  handlers.listMyIdentitiesResponse:
-    properties:
-      items:
-        items:
-          $ref: '#/definitions/identities.ChannelIdentity'
-        type: array
-      user_id:
+      timezone:
         type: string
-    type: object
-  handlers.memoryAddPayload:
-    properties:
-      embedding_enabled:
-        type: boolean
-      filters:
-        additionalProperties: {}
-        type: object
-      infer:
-        type: boolean
-      message:
+      token_type:
         type: string
-      messages:
-        items:
-          $ref: '#/definitions/adapters.Message'
-        type: array
-      metadata:
-        additionalProperties: {}
-        type: object
-      namespace:
+      user_id:
         type: string
-      run_id:
+      username:
         type: string
     type: object
-  handlers.memoryCompactPayload:
-    properties:
-      decay_days:
-        type: integer
-      ratio:
-        type: number
-    type: object
-  handlers.memoryDeletePayload:
+  handlers.MCPStdioRequest:
     properties:
-      memory_ids:
+      args:
         items:
           type: string
         type: array
-    type: object
-  handlers.memorySearchPayload:
-    properties:
-      embedding_enabled:
-        type: boolean
-      filters:
-        additionalProperties: {}
+      command:
+        type: string
+      cwd:
+        type: string
+      env:
+        additionalProperties:
+          type: string
         type: object
-      limit:
-        type: integer
-      no_stats:
-        type: boolean
-      query:
+      name:
         type: string
-      run_id:
+    type: object
+  handlers.MCPStdioResponse:
+    properties:
+      connection_id:
         type: string
-      sources:
+      tools:
         items:
           type: string
         type: array
+      url:
+        type: string
     type: object
-  handlers.oauthAuthorizeRequest:
+  handlers.ModelTokenUsage:
     properties:
-      callback_url:
+      input_tokens:
+        type: integer
+      model_id:
         type: string
-      client_id:
+      model_name:
         type: string
-      client_secret:
+      model_slug:
+        type: string
+      output_tokens:
+        type: integer
+      provider_name:
         type: string
     type: object
-  handlers.oauthDiscoverRequest:
+  handlers.OIDCStartResponse:
     properties:
-      url:
+      redirect_url:
         type: string
     type: object
-  handlers.oauthExchangeRequest:
+  handlers.PingResponse:
     properties:
-      code:
+      commit_hash:
         type: string
-      state:
+      container_backend:
+        type: string
+      local_workspace_enabled:
+        type: boolean
+      snapshot_supported:
+        type: boolean
+      status:
+        type: string
+      version:
         type: string
     type: object
-  handlers.skillsOpResponse:
+  handlers.ProbeResponse:
     properties:
-      ok:
+      auth_required:
         type: boolean
+      error:
+        type: string
+      status:
+        type: string
+      tools:
+        items:
+          $ref: '#/definitions/mcp.ToolDescriptor'
+        type: array
     type: object
-  handlers.synthesizeRequest:
+  handlers.RefreshResponse:
     properties:
-      text:
+      access_token:
+        type: string
+      expires_at:
+        type: string
+      token_type:
         type: string
     type: object
-  handlers.synthesizeResponse:
+  handlers.RollbackRequest:
     properties:
-      content_type:
-        type: string
-      size:
+      version:
         type: integer
-      temp_id:
-        type: string
     type: object
-  handlers.terminalInfoResponse:
+  handlers.SSOProviderResponse:
     properties:
-      available:
+      enabled:
         type: boolean
-      shell:
+      id:
         type: string
-    type: object
-  handlers.updateSessionRequest:
-    properties:
-      metadata:
-        additionalProperties: {}
-        type: object
-      title:
+      key:
+        type: string
+      name:
         type: string
+      type:
+        $ref: '#/definitions/sso.ProviderType'
     type: object
-  heartbeat.ListLogsResponse:
+  handlers.SessionInfoResponse:
     properties:
-      items:
+      cache_stats:
+        $ref: '#/definitions/handlers.CacheStats'
+      context_usage:
+        $ref: '#/definitions/handlers.ContextUsage'
+      message_count:
+        type: integer
+      skills:
         items:
-          $ref: '#/definitions/heartbeat.Log'
+          type: string
         type: array
-      total_count:
-        type: integer
     type: object
-  heartbeat.Log:
+  handlers.SkillItem:
     properties:
-      bot_id:
+      content:
         type: string
-      completed_at:
+      description:
         type: string
-      error_message:
+      managed:
+        type: boolean
+      metadata:
+        additionalProperties: {}
+        type: object
+      name:
         type: string
-      id:
+      raw:
         type: string
-      result_text:
+      shadowed_by:
         type: string
-      session_id:
+      source_kind:
         type: string
-      started_at:
+      source_path:
         type: string
-      status:
+      source_root:
+        type: string
+      state:
         type: string
-      usage: {}
     type: object
-  identities.ChannelIdentity:
+  handlers.SkillsActionRequest:
     properties:
-      avatar_url:
-        type: string
-      channel:
-        type: string
-      channel_subject_id:
-        type: string
-      created_at:
-        type: string
-      display_name:
-        type: string
-      id:
+      action:
         type: string
-      metadata:
-        additionalProperties: {}
-        type: object
-      updated_at:
-        type: string
-      user_id:
-        type: string
-    type: object
-  mcp.AuthorizeResult:
-    properties:
-      authorization_url:
+      target_path:
         type: string
     type: object
-  mcp.DiscoveryResult:
+  handlers.SkillsDeleteRequest:
     properties:
-      authorization_endpoint:
-        type: string
-      authorization_server_url:
-        type: string
-      registration_endpoint:
-        type: string
-      resource_metadata_url:
-        type: string
-      resource_uri:
-        type: string
-      scopes_supported:
+      names:
         items:
           type: string
         type: array
-      token_endpoint:
-        type: string
-    type: object
-  mcp.ExportResponse:
-    properties:
-      mcpServers:
-        additionalProperties:
-          $ref: '#/definitions/mcp.MCPServerEntry'
-        type: object
-    type: object
-  mcp.ImportRequest:
-    properties:
-      mcpServers:
-        additionalProperties:
-          $ref: '#/definitions/mcp.MCPServerEntry'
-        type: object
     type: object
-  mcp.ListResponse:
+  handlers.SkillsResponse:
     properties:
-      items:
+      skills:
         items:
-          $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
+          $ref: '#/definitions/handlers.SkillItem'
         type: array
     type: object
-  mcp.MCPServerEntry:
+  handlers.SkillsUpsertRequest:
     properties:
-      args:
+      skills:
         items:
           type: string
         type: array
-      command:
+    type: object
+  handlers.SnapshotInfo:
+    properties:
+      created_at:
         type: string
-      cwd:
+      display_name:
         type: string
-      env:
-        additionalProperties:
-          type: string
-        type: object
-      headers:
+      kind:
+        type: string
+      labels:
         additionalProperties:
           type: string
         type: object
-      transport:
+      managed:
+        type: boolean
+      name:
         type: string
-      url:
+      parent:
         type: string
-    type: object
-  mcp.OAuthStatus:
-    properties:
-      auth_server:
+      runtime_snapshot_name:
         type: string
-      callback_url:
+      snapshotter:
         type: string
-      configured:
-        type: boolean
-      expired:
-        type: boolean
-      expires_at:
+      source:
         type: string
-      has_token:
-        type: boolean
-      scopes:
+      updated_at:
         type: string
+      version:
+        type: integer
     type: object
-  mcp.ToolDescriptor:
+  handlers.SupermarketAuthor:
     properties:
-      description:
+      email:
         type: string
-      inputSchema:
-        additionalProperties: {}
-        type: object
       name:
         type: string
     type: object
-  mcp.UpsertRequest:
+  handlers.SupermarketConfigVar:
+    properties:
+      defaultValue:
+        type: string
+      description:
+        type: string
+      key:
+        type: string
+    type: object
+  handlers.SupermarketMcpEntry:
     properties:
       args:
         items:
           type: string
         type: array
-      auth_type:
-        type: string
+      author:
+        $ref: '#/definitions/handlers.SupermarketAuthor'
       command:
         type: string
-      cwd:
+      description:
         type: string
       env:
-        additionalProperties:
-          type: string
-        type: object
+        items:
+          $ref: '#/definitions/handlers.SupermarketConfigVar'
+        type: array
       headers:
-        additionalProperties:
-          type: string
-        type: object
-      is_active:
-        type: boolean
+        items:
+          $ref: '#/definitions/handlers.SupermarketConfigVar'
+        type: array
+      homepage:
+        type: string
+      icon:
+        type: string
+      id:
+        type: string
       name:
         type: string
+      tags:
+        items:
+          type: string
+        type: array
       transport:
         type: string
       url:
         type: string
     type: object
-  message.Message:
+  handlers.SupermarketMcpListResponse:
     properties:
-      assets:
+      data:
         items:
-          $ref: '#/definitions/message.MessageAsset'
+          $ref: '#/definitions/handlers.SupermarketMcpEntry'
         type: array
-      bot_id:
+      limit:
+        type: integer
+      page:
+        type: integer
+      total:
+        type: integer
+    type: object
+  handlers.SupermarketSkillEntry:
+    properties:
+      content:
         type: string
-      compact_id:
+      description:
         type: string
-      content:
+      files:
         items:
-          type: integer
+          type: string
         type: array
-      created_at:
-        type: string
-      display_content:
-        type: string
-      event_id:
-        type: string
-      external_message_id:
-        type: string
       id:
         type: string
       metadata:
-        additionalProperties: {}
-        type: object
-      platform:
-        type: string
-      role:
-        type: string
-      sender_avatar_url:
-        type: string
-      sender_channel_identity_id:
-        type: string
-      sender_display_name:
-        type: string
-      sender_user_id:
-        type: string
-      session_id:
-        type: string
-      source_reply_to_message_id:
+        $ref: '#/definitions/handlers.SupermarketSkillMetadata'
+      name:
         type: string
-      usage:
-        items:
-          type: integer
-        type: array
     type: object
-  message.MessageAsset:
+  handlers.SupermarketSkillListResponse:
     properties:
-      content_hash:
-        type: string
-      metadata:
-        additionalProperties: {}
-        type: object
-      mime:
-        type: string
-      name:
-        type: string
-      ordinal:
+      data:
+        items:
+          $ref: '#/definitions/handlers.SupermarketSkillEntry'
+        type: array
+      limit:
         type: integer
-      role:
-        type: string
-      size_bytes:
+      page:
+        type: integer
+      total:
         type: integer
-      storage_key:
-        type: string
     type: object
-  models.AddRequest:
+  handlers.SupermarketSkillMetadata:
     properties:
-      config:
-        $ref: '#/definitions/models.ModelConfig'
-      model_id:
-        type: string
-      name:
-        type: string
-      provider_id:
+      author:
+        $ref: '#/definitions/handlers.SupermarketAuthor'
+      homepage:
         type: string
-      type:
-        $ref: '#/definitions/models.ModelType'
+      tags:
+        items:
+          type: string
+        type: array
     type: object
-  models.AddResponse:
+  handlers.SupermarketTagsResponse:
     properties:
-      id:
-        type: string
-      model_id:
-        type: string
+      tags:
+        items:
+          type: string
+        type: array
     type: object
-  models.CountResponse:
+  handlers.TokenUsageRecord:
     properties:
-      count:
+      cache_read_tokens:
         type: integer
-    type: object
-  models.GetResponse:
-    properties:
-      config:
-        $ref: '#/definitions/models.ModelConfig'
+      cache_write_tokens:
+        type: integer
+      created_at:
+        type: string
       id:
         type: string
-      model_id:
+      input_tokens:
+        type: integer
+      model_id:
         type: string
-      name:
+      model_name:
         type: string
-      provider_id:
+      model_slug:
+        type: string
+      output_tokens:
+        type: integer
+      provider_name:
+        type: string
+      reasoning_tokens:
+        type: integer
+      session_id:
+        type: string
+      session_type:
         type: string
-      type:
-        $ref: '#/definitions/models.ModelType'
     type: object
-  models.ModelConfig:
+  handlers.TokenUsageRecordsResponse:
     properties:
-      compatibilities:
+      items:
         items:
-          type: string
+          $ref: '#/definitions/handlers.TokenUsageRecord'
         type: array
-      context_window:
-        type: integer
-      dimensions:
+      total:
         type: integer
-      reasoning_efforts:
+    type: object
+  handlers.TokenUsageResponse:
+    properties:
+      by_model:
         items:
-          type: string
+          $ref: '#/definitions/handlers.ModelTokenUsage'
+        type: array
+      chat:
+        items:
+          $ref: '#/definitions/handlers.DailyTokenUsage'
+        type: array
+      heartbeat:
+        items:
+          $ref: '#/definitions/handlers.DailyTokenUsage'
+        type: array
+      schedule:
+        items:
+          $ref: '#/definitions/handlers.DailyTokenUsage'
         type: array
     type: object
-  models.ModelType:
-    enum:
-    - chat
-    - embedding
-    - speech
-    - transcription
-    type: string
-    x-enum-varnames:
-    - ModelTypeChat
-    - ModelTypeEmbedding
-    - ModelTypeSpeech
-    - ModelTypeTranscription
-  models.TestResponse:
+  handlers.ToolApprovalDecisionRequest:
     properties:
-      latency_ms:
-        type: integer
-      message:
+      reason:
         type: string
-      reachable:
-        type: boolean
-      status:
-        $ref: '#/definitions/models.TestStatus'
     type: object
-  models.TestStatus:
-    enum:
-    - ok
-    - auth_error
-    - model_not_supported
-    - error
-    type: string
-    x-enum-varnames:
-    - TestStatusOK
-    - TestStatusAuthError
-    - TestStatusModelNotSupported
-    - TestStatusError
-  models.UpdateRequest:
+  handlers.TriggerCompactResponse:
     properties:
-      config:
-        $ref: '#/definitions/models.ModelConfig'
-      model_id:
-        type: string
-      name:
+      message_count:
+        type: integer
+      status:
         type: string
-      provider_id:
+      summary:
         type: string
-      type:
-        $ref: '#/definitions/models.ModelType'
     type: object
-  providers.CountResponse:
-    properties:
-      count:
-        type: integer
-    type: object
-  providers.CreateRequest:
+  handlers.createSessionRequest:
     properties:
-      client_type:
-        type: string
-      config:
-        additionalProperties: {}
-        type: object
-      icon:
+      channel_type:
         type: string
       metadata:
         additionalProperties: {}
         type: object
-      name:
+      title:
         type: string
-    required:
-    - client_type
-    - name
     type: object
-  providers.GetResponse:
+  handlers.emailOAuthStatusResponse:
     properties:
-      client_type:
+      configured:
+        type: boolean
+      email_address:
         type: string
-      config:
-        additionalProperties: {}
-        type: object
-      created_at:
+      expired:
+        type: boolean
+      expires_at:
         type: string
-      enable:
+      has_token:
         type: boolean
-      icon:
+      provider:
         type: string
-      id:
+    type: object
+  handlers.fsOpResponse:
+    properties:
+      ok:
+        type: boolean
+    type: object
+  handlers.listMyIdentitiesResponse:
+    properties:
+      items:
+        items:
+          $ref: '#/definitions/identities.ChannelIdentity'
+        type: array
+      user_id:
+        type: string
+    type: object
+  handlers.memoryAddPayload:
+    properties:
+      embedding_enabled:
+        type: boolean
+      filters:
+        additionalProperties: {}
+        type: object
+      infer:
+        type: boolean
+      message:
         type: string
+      messages:
+        items:
+          $ref: '#/definitions/adapters.Message'
+        type: array
       metadata:
         additionalProperties: {}
         type: object
-      name:
+      namespace:
         type: string
-      updated_at:
+      run_id:
         type: string
     type: object
-  providers.ImportModelsResponse:
+  handlers.memoryCompactPayload:
     properties:
-      created:
+      decay_days:
         type: integer
-      models:
+      ratio:
+        type: number
+    type: object
+  handlers.memoryDeletePayload:
+    properties:
+      memory_ids:
         items:
           type: string
         type: array
-      skipped:
-        type: integer
     type: object
-  providers.OAuthAccount:
+  handlers.memorySearchPayload:
     properties:
-      avatar_url:
-        type: string
-      email:
+      embedding_enabled:
+        type: boolean
+      filters:
+        additionalProperties: {}
+        type: object
+      limit:
+        type: integer
+      no_stats:
+        type: boolean
+      query:
         type: string
-      label:
+      run_id:
         type: string
-      login:
+      sources:
+        items:
+          type: string
+        type: array
+    type: object
+  handlers.oauthAuthorizeRequest:
+    properties:
+      callback_url:
         type: string
-      name:
+      client_id:
         type: string
-      profile_url:
+      client_secret:
         type: string
     type: object
-  providers.OAuthAuthorizeResponse:
+  handlers.oauthDiscoverRequest:
     properties:
-      auth_url:
-        type: string
-      device:
-        $ref: '#/definitions/providers.OAuthDeviceStatus'
-      mode:
+      url:
         type: string
     type: object
-  providers.OAuthDeviceStatus:
+  handlers.oauthExchangeRequest:
     properties:
-      expires_at:
-        type: string
-      interval_seconds:
-        type: integer
-      pending:
-        type: boolean
-      user_code:
+      code:
         type: string
-      verification_uri:
+      state:
         type: string
     type: object
-  providers.OAuthStatus:
+  handlers.skillsOpResponse:
     properties:
-      account:
-        $ref: '#/definitions/providers.OAuthAccount'
-      callback_url:
-        type: string
-      configured:
-        type: boolean
-      device:
-        $ref: '#/definitions/providers.OAuthDeviceStatus'
-      expired:
-        type: boolean
-      expires_at:
-        type: string
-      has_token:
+      ok:
         type: boolean
-      mode:
-        type: string
     type: object
-  providers.TestResponse:
+  handlers.synthesizeRequest:
     properties:
-      latency_ms:
-        type: integer
-      message:
+      text:
         type: string
-      reachable:
-        type: boolean
     type: object
-  providers.UpdateRequest:
+  handlers.synthesizeResponse:
     properties:
-      client_type:
-        type: string
-      config:
-        additionalProperties: {}
-        type: object
-      enable:
-        type: boolean
-      icon:
+      content_type:
         type: string
-      metadata:
-        additionalProperties: {}
-        type: object
-      name:
+      size:
+        type: integer
+      temp_id:
         type: string
     type: object
-  schedule.CreateRequest:
+  handlers.terminalInfoResponse:
     properties:
-      command:
-        type: string
-      description:
-        type: string
-      enabled:
+      available:
         type: boolean
-      max_calls:
-        $ref: '#/definitions/schedule.NullableInt'
-      name:
+      shell:
         type: string
-      pattern:
+    type: object
+  handlers.updateSessionRequest:
+    properties:
+      metadata:
+        additionalProperties: {}
+        type: object
+      title:
         type: string
     type: object
-  schedule.ListLogsResponse:
+  heartbeat.ListLogsResponse:
     properties:
       items:
         items:
-          $ref: '#/definitions/schedule.Log'
+          $ref: '#/definitions/heartbeat.Log'
         type: array
       total_count:
         type: integer
     type: object
-  schedule.ListResponse:
-    properties:
-      items:
-        items:
-          $ref: '#/definitions/schedule.Schedule'
-        type: array
-    type: object
-  schedule.Log:
+  heartbeat.Log:
     properties:
       bot_id:
         type: string
@@ -2842,8 +2600,6 @@ definitions:
         type: string
       result_text:
         type: string
-      schedule_id:
-        type: string
       session_id:
         type: string
       started_at:
@@ -2852,433 +2608,1878 @@ definitions:
         type: string
       usage: {}
     type: object
-  schedule.NullableInt:
-    properties:
-      set:
-        type: boolean
-      value:
-        type: integer
-    type: object
-  schedule.Schedule:
+  identities.ChannelIdentity:
     properties:
-      bot_id:
+      avatar_url:
         type: string
-      command:
+      channel:
+        type: string
+      channel_subject_id:
         type: string
       created_at:
         type: string
-      current_calls:
-        type: integer
-      description:
+      display_name:
         type: string
-      enabled:
-        type: boolean
       id:
         type: string
-      max_calls:
-        type: integer
-      name:
-        type: string
-      pattern:
-        type: string
+      metadata:
+        additionalProperties: {}
+        type: object
       updated_at:
         type: string
-    type: object
-  schedule.UpdateRequest:
-    properties:
-      command:
-        type: string
-      description:
-        type: string
-      enabled:
-        type: boolean
-      max_calls:
-        $ref: '#/definitions/schedule.NullableInt'
-      name:
-        type: string
-      pattern:
+      user_id:
         type: string
     type: object
-  searchproviders.CreateRequest:
+  mcp.AuthorizeResult:
     properties:
-      config:
-        additionalProperties: {}
-        type: object
-      name:
+      authorization_url:
         type: string
-      provider:
-        $ref: '#/definitions/searchproviders.ProviderName'
     type: object
-  searchproviders.GetResponse:
+  mcp.DiscoveryResult:
     properties:
-      config:
-        additionalProperties: {}
-        type: object
-      created_at:
+      authorization_endpoint:
         type: string
-      enable:
-        type: boolean
-      id:
+      authorization_server_url:
         type: string
-      name:
+      registration_endpoint:
         type: string
-      provider:
+      resource_metadata_url:
         type: string
-      updated_at:
+      resource_uri:
+        type: string
+      scopes_supported:
+        items:
+          type: string
+        type: array
+      token_endpoint:
         type: string
     type: object
-  searchproviders.ProviderConfigSchema:
+  mcp.ExportResponse:
     properties:
-      fields:
+      mcpServers:
         additionalProperties:
-          $ref: '#/definitions/searchproviders.ProviderFieldSchema'
+          $ref: '#/definitions/mcp.MCPServerEntry'
         type: object
     type: object
-  searchproviders.ProviderFieldSchema:
+  mcp.ImportRequest:
     properties:
-      description:
-        type: string
-      enum:
+      mcpServers:
+        additionalProperties:
+          $ref: '#/definitions/mcp.MCPServerEntry'
+        type: object
+    type: object
+  mcp.ListResponse:
+    properties:
+      items:
+        items:
+          $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
+        type: array
+    type: object
+  mcp.MCPServerEntry:
+    properties:
+      args:
         items:
           type: string
         type: array
-      example: {}
-      required:
-        type: boolean
-      title:
+      command:
         type: string
-      type:
+      cwd:
+        type: string
+      env:
+        additionalProperties:
+          type: string
+        type: object
+      headers:
+        additionalProperties:
+          type: string
+        type: object
+      transport:
+        type: string
+      url:
         type: string
     type: object
-  searchproviders.ProviderMeta:
+  mcp.OAuthStatus:
     properties:
-      config_schema:
-        $ref: '#/definitions/searchproviders.ProviderConfigSchema'
-      display_name:
+      auth_server:
         type: string
-      provider:
+      callback_url:
+        type: string
+      configured:
+        type: boolean
+      expired:
+        type: boolean
+      expires_at:
+        type: string
+      has_token:
+        type: boolean
+      scopes:
         type: string
     type: object
-  searchproviders.ProviderName:
-    enum:
-    - brave
-    - bing
-    - google
-    - tavily
-    - sogou
-    - serper
-    - searxng
-    - jina
-    - exa
-    - bocha
-    - duckduckgo
-    - yandex
-    type: string
-    x-enum-varnames:
-    - ProviderBrave
-    - ProviderBing
-    - ProviderGoogle
-    - ProviderTavily
-    - ProviderSogou
-    - ProviderSerper
-    - ProviderSearXNG
-    - ProviderJina
-    - ProviderExa
-    - ProviderBocha
-    - ProviderDuckDuckGo
-    - ProviderYandex
-  searchproviders.UpdateRequest:
+  mcp.ToolDescriptor:
     properties:
-      config:
+      description:
+        type: string
+      inputSchema:
         additionalProperties: {}
         type: object
-      enable:
-        type: boolean
       name:
         type: string
-      provider:
-        $ref: '#/definitions/searchproviders.ProviderName'
     type: object
-  session.Session:
+  mcp.UpsertRequest:
     properties:
-      bot_id:
-        type: string
-      channel_type:
+      args:
+        items:
+          type: string
+        type: array
+      auth_type:
         type: string
-      created_at:
+      command:
         type: string
-      id:
+      cwd:
         type: string
-      metadata:
-        additionalProperties: {}
+      env:
+        additionalProperties:
+          type: string
         type: object
-      parent_session_id:
-        type: string
-      route_conversation_type:
-        type: string
-      route_id:
-        type: string
-      route_metadata:
-        additionalProperties: {}
+      headers:
+        additionalProperties:
+          type: string
         type: object
-      title:
+      is_active:
+        type: boolean
+      name:
         type: string
-      type:
+      transport:
         type: string
-      updated_at:
+      url:
         type: string
     type: object
-  settings.Settings:
+  message.Message:
     properties:
-      acl_default_effect:
+      assets:
+        items:
+          $ref: '#/definitions/message.MessageAsset'
+        type: array
+      bot_id:
         type: string
-      browser_context_id:
+      compact_id:
         type: string
-      chat_model_id:
+      content:
+        items:
+          type: integer
+        type: array
+      created_at:
         type: string
-      compaction_enabled:
-        type: boolean
-      compaction_model_id:
+      display_content:
         type: string
-      compaction_ratio:
-        type: integer
-      compaction_threshold:
-        type: integer
-      discuss_probe_model_id:
+      event_id:
         type: string
-      heartbeat_enabled:
-        type: boolean
-      heartbeat_interval:
-        type: integer
-      heartbeat_model_id:
+      external_message_id:
         type: string
-      image_model_id:
+      id:
         type: string
-      language:
+      metadata:
+        additionalProperties: {}
+        type: object
+      platform:
         type: string
-      memory_provider_id:
+      role:
         type: string
-      overlay_config:
+      sender_avatar_url:
+        type: string
+      sender_channel_identity_id:
+        type: string
+      sender_display_name:
+        type: string
+      sender_user_id:
+        type: string
+      session_id:
+        type: string
+      source_reply_to_message_id:
+        type: string
+      usage:
+        items:
+          type: integer
+        type: array
+    type: object
+  message.MessageAsset:
+    properties:
+      content_hash:
+        type: string
+      metadata:
         additionalProperties: {}
         type: object
-      overlay_enabled:
-        type: boolean
-      overlay_provider:
+      mime:
         type: string
-      persist_full_tool_results:
-        type: boolean
-      reasoning_effort:
+      name:
         type: string
-      reasoning_enabled:
-        type: boolean
-      search_provider_id:
+      ordinal:
+        type: integer
+      role:
         type: string
-      show_tool_calls_in_im:
-        type: boolean
-      timezone:
+      size_bytes:
+        type: integer
+      storage_key:
         type: string
-      title_model_id:
+    type: object
+  models.AddRequest:
+    properties:
+      config:
+        $ref: '#/definitions/models.ModelConfig'
+      model_id:
         type: string
-      tool_approval_config:
-        $ref: '#/definitions/settings.ToolApprovalConfig'
-      transcription_model_id:
+      name:
         type: string
-      tts_model_id:
+      provider_id:
         type: string
+      type:
+        $ref: '#/definitions/models.ModelType'
     type: object
-  settings.ToolApprovalConfig:
+  models.AddResponse:
     properties:
-      edit:
-        $ref: '#/definitions/settings.ToolApprovalFilePolicy'
-      enabled:
-        type: boolean
-      exec:
-        $ref: '#/definitions/settings.ToolApprovalExecPolicy'
-      write:
-        $ref: '#/definitions/settings.ToolApprovalFilePolicy'
+      id:
+        type: string
+      model_id:
+        type: string
     type: object
-  settings.ToolApprovalExecPolicy:
+  models.CountResponse:
     properties:
-      bypass_commands:
-        items:
-          type: string
-        type: array
-      force_review_commands:
-        items:
-          type: string
-        type: array
-      require_approval:
-        type: boolean
+      count:
+        type: integer
     type: object
-  settings.ToolApprovalFilePolicy:
+  models.GetResponse:
     properties:
-      bypass_globs:
+      config:
+        $ref: '#/definitions/models.ModelConfig'
+      id:
+        type: string
+      model_id:
+        type: string
+      name:
+        type: string
+      provider_id:
+        type: string
+      type:
+        $ref: '#/definitions/models.ModelType'
+    type: object
+  models.ModelConfig:
+    properties:
+      compatibilities:
         items:
           type: string
         type: array
-      force_review_globs:
+      context_window:
+        type: integer
+      dimensions:
+        type: integer
+      reasoning_efforts:
         items:
           type: string
         type: array
-      require_approval:
-        type: boolean
     type: object
-  settings.UpsertRequest:
+  models.ModelType:
+    enum:
+    - chat
+    - embedding
+    - speech
+    - transcription
+    type: string
+    x-enum-varnames:
+    - ModelTypeChat
+    - ModelTypeEmbedding
+    - ModelTypeSpeech
+    - ModelTypeTranscription
+  models.TestResponse:
     properties:
-      acl_default_effect:
-        type: string
-      browser_context_id:
-        type: string
-      chat_model_id:
-        type: string
-      compaction_enabled:
-        type: boolean
-      compaction_model_id:
-        type: string
-      compaction_ratio:
-        type: integer
-      compaction_threshold:
+      latency_ms:
         type: integer
-      discuss_probe_model_id:
+      message:
         type: string
-      heartbeat_enabled:
+      reachable:
         type: boolean
-      heartbeat_interval:
-        type: integer
-      heartbeat_model_id:
+      status:
+        $ref: '#/definitions/models.TestStatus'
+    type: object
+  models.TestStatus:
+    enum:
+    - ok
+    - auth_error
+    - model_not_supported
+    - error
+    type: string
+    x-enum-varnames:
+    - TestStatusOK
+    - TestStatusAuthError
+    - TestStatusModelNotSupported
+    - TestStatusError
+  models.UpdateRequest:
+    properties:
+      config:
+        $ref: '#/definitions/models.ModelConfig'
+      model_id:
         type: string
-      image_model_id:
+      name:
         type: string
-      language:
+      provider_id:
         type: string
-      memory_provider_id:
+      type:
+        $ref: '#/definitions/models.ModelType'
+    type: object
+  providers.CountResponse:
+    properties:
+      count:
+        type: integer
+    type: object
+  providers.CreateRequest:
+    properties:
+      client_type:
         type: string
-      overlay_config:
+      config:
         additionalProperties: {}
         type: object
-      overlay_enabled:
-        type: boolean
-      overlay_provider:
-        type: string
-      persist_full_tool_results:
-        type: boolean
-      reasoning_effort:
+      icon:
         type: string
-      reasoning_enabled:
-        type: boolean
-      search_provider_id:
+      metadata:
+        additionalProperties: {}
+        type: object
+      name:
         type: string
-      show_tool_calls_in_im:
-        type: boolean
+    required:
+    - client_type
+    - name
+    type: object
+  providers.GetResponse:
+    properties:
+      client_type:
+        type: string
+      config:
+        additionalProperties: {}
+        type: object
+      created_at:
+        type: string
+      enable:
+        type: boolean
+      icon:
+        type: string
+      id:
+        type: string
+      metadata:
+        additionalProperties: {}
+        type: object
+      name:
+        type: string
+      updated_at:
+        type: string
+    type: object
+  providers.ImportModelsResponse:
+    properties:
+      created:
+        type: integer
+      models:
+        items:
+          type: string
+        type: array
+      skipped:
+        type: integer
+    type: object
+  providers.OAuthAccount:
+    properties:
+      avatar_url:
+        type: string
+      email:
+        type: string
+      label:
+        type: string
+      login:
+        type: string
+      name:
+        type: string
+      profile_url:
+        type: string
+    type: object
+  providers.OAuthAuthorizeResponse:
+    properties:
+      auth_url:
+        type: string
+      device:
+        $ref: '#/definitions/providers.OAuthDeviceStatus'
+      mode:
+        type: string
+    type: object
+  providers.OAuthDeviceStatus:
+    properties:
+      expires_at:
+        type: string
+      interval_seconds:
+        type: integer
+      pending:
+        type: boolean
+      user_code:
+        type: string
+      verification_uri:
+        type: string
+    type: object
+  providers.OAuthStatus:
+    properties:
+      account:
+        $ref: '#/definitions/providers.OAuthAccount'
+      callback_url:
+        type: string
+      configured:
+        type: boolean
+      device:
+        $ref: '#/definitions/providers.OAuthDeviceStatus'
+      expired:
+        type: boolean
+      expires_at:
+        type: string
+      has_token:
+        type: boolean
+      mode:
+        type: string
+    type: object
+  providers.TestResponse:
+    properties:
+      latency_ms:
+        type: integer
+      message:
+        type: string
+      reachable:
+        type: boolean
+    type: object
+  providers.UpdateRequest:
+    properties:
+      client_type:
+        type: string
+      config:
+        additionalProperties: {}
+        type: object
+      enable:
+        type: boolean
+      icon:
+        type: string
+      metadata:
+        additionalProperties: {}
+        type: object
+      name:
+        type: string
+    type: object
+  schedule.CreateRequest:
+    properties:
+      command:
+        type: string
+      description:
+        type: string
+      enabled:
+        type: boolean
+      max_calls:
+        $ref: '#/definitions/schedule.NullableInt'
+      name:
+        type: string
+      pattern:
+        type: string
+    type: object
+  schedule.ListLogsResponse:
+    properties:
+      items:
+        items:
+          $ref: '#/definitions/schedule.Log'
+        type: array
+      total_count:
+        type: integer
+    type: object
+  schedule.ListResponse:
+    properties:
+      items:
+        items:
+          $ref: '#/definitions/schedule.Schedule'
+        type: array
+    type: object
+  schedule.Log:
+    properties:
+      bot_id:
+        type: string
+      completed_at:
+        type: string
+      error_message:
+        type: string
+      id:
+        type: string
+      result_text:
+        type: string
+      schedule_id:
+        type: string
+      session_id:
+        type: string
+      started_at:
+        type: string
+      status:
+        type: string
+      usage: {}
+    type: object
+  schedule.NullableInt:
+    properties:
+      set:
+        type: boolean
+      value:
+        type: integer
+    type: object
+  schedule.Schedule:
+    properties:
+      bot_id:
+        type: string
+      command:
+        type: string
+      created_at:
+        type: string
+      current_calls:
+        type: integer
+      description:
+        type: string
+      enabled:
+        type: boolean
+      id:
+        type: string
+      max_calls:
+        type: integer
+      name:
+        type: string
+      pattern:
+        type: string
+      updated_at:
+        type: string
+    type: object
+  schedule.UpdateRequest:
+    properties:
+      command:
+        type: string
+      description:
+        type: string
+      enabled:
+        type: boolean
+      max_calls:
+        $ref: '#/definitions/schedule.NullableInt'
+      name:
+        type: string
+      pattern:
+        type: string
+    type: object
+  searchproviders.CreateRequest:
+    properties:
+      config:
+        additionalProperties: {}
+        type: object
+      name:
+        type: string
+      provider:
+        $ref: '#/definitions/searchproviders.ProviderName'
+    type: object
+  searchproviders.GetResponse:
+    properties:
+      config:
+        additionalProperties: {}
+        type: object
+      created_at:
+        type: string
+      enable:
+        type: boolean
+      id:
+        type: string
+      name:
+        type: string
+      provider:
+        type: string
+      updated_at:
+        type: string
+    type: object
+  searchproviders.ProviderConfigSchema:
+    properties:
+      fields:
+        additionalProperties:
+          $ref: '#/definitions/searchproviders.ProviderFieldSchema'
+        type: object
+    type: object
+  searchproviders.ProviderFieldSchema:
+    properties:
+      description:
+        type: string
+      enum:
+        items:
+          type: string
+        type: array
+      example: {}
+      required:
+        type: boolean
+      title:
+        type: string
+      type:
+        type: string
+    type: object
+  searchproviders.ProviderMeta:
+    properties:
+      config_schema:
+        $ref: '#/definitions/searchproviders.ProviderConfigSchema'
+      display_name:
+        type: string
+      provider:
+        type: string
+    type: object
+  searchproviders.ProviderName:
+    enum:
+    - brave
+    - bing
+    - google
+    - tavily
+    - sogou
+    - serper
+    - searxng
+    - jina
+    - exa
+    - bocha
+    - duckduckgo
+    - yandex
+    type: string
+    x-enum-varnames:
+    - ProviderBrave
+    - ProviderBing
+    - ProviderGoogle
+    - ProviderTavily
+    - ProviderSogou
+    - ProviderSerper
+    - ProviderSearXNG
+    - ProviderJina
+    - ProviderExa
+    - ProviderBocha
+    - ProviderDuckDuckGo
+    - ProviderYandex
+  searchproviders.UpdateRequest:
+    properties:
+      config:
+        additionalProperties: {}
+        type: object
+      enable:
+        type: boolean
+      name:
+        type: string
+      provider:
+        $ref: '#/definitions/searchproviders.ProviderName'
+    type: object
+  session.Session:
+    properties:
+      bot_id:
+        type: string
+      channel_type:
+        type: string
+      created_at:
+        type: string
+      id:
+        type: string
+      metadata:
+        additionalProperties: {}
+        type: object
+      parent_session_id:
+        type: string
+      route_conversation_type:
+        type: string
+      route_id:
+        type: string
+      route_metadata:
+        additionalProperties: {}
+        type: object
+      title:
+        type: string
+      type:
+        type: string
+      updated_at:
+        type: string
+    type: object
+  settings.Settings:
+    properties:
+      acl_default_effect:
+        type: string
+      browser_context_id:
+        type: string
+      chat_model_id:
+        type: string
+      compaction_enabled:
+        type: boolean
+      compaction_model_id:
+        type: string
+      compaction_ratio:
+        type: integer
+      compaction_threshold:
+        type: integer
+      discuss_probe_model_id:
+        type: string
+      heartbeat_enabled:
+        type: boolean
+      heartbeat_interval:
+        type: integer
+      heartbeat_model_id:
+        type: string
+      image_model_id:
+        type: string
+      language:
+        type: string
+      memory_provider_id:
+        type: string
+      overlay_config:
+        additionalProperties: {}
+        type: object
+      overlay_enabled:
+        type: boolean
+      overlay_provider:
+        type: string
+      persist_full_tool_results:
+        type: boolean
+      reasoning_effort:
+        type: string
+      reasoning_enabled:
+        type: boolean
+      search_provider_id:
+        type: string
+      show_tool_calls_in_im:
+        type: boolean
+      timezone:
+        type: string
+      title_model_id:
+        type: string
+      tool_approval_config:
+        $ref: '#/definitions/settings.ToolApprovalConfig'
+      transcription_model_id:
+        type: string
+      tts_model_id:
+        type: string
+    type: object
+  settings.ToolApprovalConfig:
+    properties:
+      edit:
+        $ref: '#/definitions/settings.ToolApprovalFilePolicy'
+      enabled:
+        type: boolean
+      exec:
+        $ref: '#/definitions/settings.ToolApprovalExecPolicy'
+      write:
+        $ref: '#/definitions/settings.ToolApprovalFilePolicy'
+    type: object
+  settings.ToolApprovalExecPolicy:
+    properties:
+      bypass_commands:
+        items:
+          type: string
+        type: array
+      force_review_commands:
+        items:
+          type: string
+        type: array
+      require_approval:
+        type: boolean
+    type: object
+  settings.ToolApprovalFilePolicy:
+    properties:
+      bypass_globs:
+        items:
+          type: string
+        type: array
+      force_review_globs:
+        items:
+          type: string
+        type: array
+      require_approval:
+        type: boolean
+    type: object
+  settings.UpsertRequest:
+    properties:
+      acl_default_effect:
+        type: string
+      browser_context_id:
+        type: string
+      chat_model_id:
+        type: string
+      compaction_enabled:
+        type: boolean
+      compaction_model_id:
+        type: string
+      compaction_ratio:
+        type: integer
+      compaction_threshold:
+        type: integer
+      discuss_probe_model_id:
+        type: string
+      heartbeat_enabled:
+        type: boolean
+      heartbeat_interval:
+        type: integer
+      heartbeat_model_id:
+        type: string
+      image_model_id:
+        type: string
+      language:
+        type: string
+      memory_provider_id:
+        type: string
+      overlay_config:
+        additionalProperties: {}
+        type: object
+      overlay_enabled:
+        type: boolean
+      overlay_provider:
+        type: string
+      persist_full_tool_results:
+        type: boolean
+      reasoning_effort:
+        type: string
+      reasoning_enabled:
+        type: boolean
+      search_provider_id:
+        type: string
+      show_tool_calls_in_im:
+        type: boolean
       timezone:
         type: string
-      title_model_id:
+      title_model_id:
+        type: string
+      tool_approval_config:
+        $ref: '#/definitions/settings.ToolApprovalConfig'
+      transcription_model_id:
+        type: string
+      tts_model_id:
+        type: string
+    type: object
+  sso.ProviderType:
+    enum:
+    - oidc
+    - saml
+    type: string
+    x-enum-varnames:
+    - ProviderTypeOIDC
+    - ProviderTypeSAML
+info:
+  contact: {}
+  title: Memoh API
+  version: 1.0.0
+paths:
+  /auth/login:
+    post:
+      description: Validate user credentials and issue a JWT
+      parameters:
+      - description: Login request
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.LoginRequest'
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.LoginResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Login
+      tags:
+      - auth
+  /auth/refresh:
+    post:
+      description: Issue a new JWT after validating the active IAM session
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.RefreshResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      security:
+      - BearerAuth: []
+      summary: Refresh Token
+      tags:
+      - auth
+  /auth/sso/{provider_id}/callback:
+    get:
+      description: Exchange the provider code, create an IAM session, and redirect
+        to the web login callback with a short-lived login code
+      parameters:
+      - description: SSO provider ID or key
+        in: path
+        name: provider_id
+        required: true
+        type: string
+      - description: OIDC authorization code
+        in: query
+        name: code
+        required: true
+        type: string
+      - description: OIDC state
+        in: query
+        name: state
+        required: true
+        type: string
+      responses:
+        "302":
+          description: Found
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Complete OIDC login
+      tags:
+      - auth
+  /auth/sso/{provider_id}/saml/acs:
+    post:
+      description: Validate the SAML response, create an IAM session, and redirect
+        to the web login callback with a short-lived login code
+      parameters:
+      - description: SSO provider ID or key
+        in: path
+        name: provider_id
+        required: true
+        type: string
+      responses:
+        "302":
+          description: Found
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Complete SAML login
+      tags:
+      - auth
+  /auth/sso/{provider_id}/saml/metadata:
+    get:
+      description: Return the SAML service provider metadata XML for an SSO provider
+      parameters:
+      - description: SSO provider ID or key
+        in: path
+        name: provider_id
+        required: true
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            type: string
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get SAML SP metadata
+      tags:
+      - auth
+  /auth/sso/{provider_id}/saml/start:
+    get:
+      description: Create a SAML AuthnRequest, set the transient SAML state cookie,
+        and redirect to the IdP
+      parameters:
+      - description: SSO provider ID or key
+        in: path
+        name: provider_id
+        required: true
+        type: string
+      responses:
+        "302":
+          description: Found
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Start SAML login
+      tags:
+      - auth
+  /auth/sso/{provider_id}/start:
+    get:
+      description: Build the provider authorization URL and set the transient OIDC
+        state cookie
+      parameters:
+      - description: SSO provider ID or key
+        in: path
+        name: provider_id
+        required: true
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.OIDCStartResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Start OIDC login
+      tags:
+      - auth
+  /auth/sso/exchange:
+    post:
+      description: Exchange a one-time SSO login code for a session JWT
+      parameters:
+      - description: SSO exchange request
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.ExchangeSSOCodeRequest'
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.LoginResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Exchange SSO login code
+      tags:
+      - auth
+  /auth/sso/providers:
+    get:
+      description: List enabled OIDC and SAML SSO providers available for login
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.ListSSOProvidersResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List SSO providers
+      tags:
+      - auth
+  /bots:
+    get:
+      description: List bots accessible to current user (admin can specify owner_id)
+      parameters:
+      - description: Owner user ID (admin only)
+        in: query
+        name: owner_id
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/bots.ListBotsResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List bots
+      tags:
+      - bots
+    post:
+      description: Create a bot user owned by current user (or admin-specified owner)
+      parameters:
+      - description: Bot payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/bots.CreateBotRequest'
+      responses:
+        "201":
+          description: Created
+          schema:
+            $ref: '#/definitions/bots.Bot'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Create bot user
+      tags:
+      - bots
+  /bots/{bot_id}/acl/channel-identities:
+    get:
+      description: Search locally observed channel identities for building ACL rules
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Search query
+        in: query
+        name: q
+        type: string
+      - description: Max results
+        in: query
+        name: limit
+        type: integer
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/acl.ChannelIdentityCandidateListResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Search ACL channel identity candidates
+      tags:
+      - bots
+  /bots/{bot_id}/acl/channel-identities/{channel_identity_id}/conversations:
+    get:
+      description: List previously observed conversation candidates for a channel
+        identity, for scoped rule building
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Channel Identity ID
+        in: path
+        name: channel_identity_id
+        required: true
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/acl.ObservedConversationCandidateListResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List observed conversations for a channel identity
+      tags:
+      - bots
+  /bots/{bot_id}/acl/channel-types/{channel_type}/conversations:
+    get:
+      description: List previously observed group/thread conversation candidates for
+        a channel type under this bot
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Channel type (e.g. telegram, discord)
+        in: path
+        name: channel_type
+        required: true
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/acl.ObservedConversationCandidateListResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List observed conversations for a platform type
+      tags:
+      - bots
+  /bots/{bot_id}/acl/default-effect:
+    get:
+      description: Get the fallback effect when no rule matches
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/acl.DefaultEffectResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get bot ACL default effect
+      tags:
+      - bots
+    put:
+      description: Set the fallback effect when no rule matches (allow or deny)
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Default effect payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/acl.DefaultEffectResponse'
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Set bot ACL default effect
+      tags:
+      - bots
+  /bots/{bot_id}/acl/rules:
+    get:
+      description: List all ACL rules for a bot ordered by priority
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/acl.ListRulesResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List bot ACL rules
+      tags:
+      - bots
+    post:
+      description: Create a new priority-ordered ACL rule for chat.trigger
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Rule payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/acl.CreateRuleRequest'
+      responses:
+        "201":
+          description: Created
+          schema:
+            $ref: '#/definitions/acl.Rule'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Create ACL rule
+      tags:
+      - bots
+  /bots/{bot_id}/acl/rules/{rule_id}:
+    delete:
+      description: Delete an ACL rule by ID
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Rule ID
+        in: path
+        name: rule_id
+        required: true
+        type: string
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Delete ACL rule
+      tags:
+      - bots
+    put:
+      description: Update an existing ACL rule
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Rule ID
+        in: path
+        name: rule_id
+        required: true
+        type: string
+      - description: Rule payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/acl.UpdateRuleRequest'
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/acl.Rule'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Update ACL rule
+      tags:
+      - bots
+  /bots/{bot_id}/acl/rules/reorder:
+    put:
+      description: Batch-update priorities for multiple ACL rules
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Reorder payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/acl.ReorderRequest'
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Reorder ACL rules
+      tags:
+      - bots
+  /bots/{bot_id}/compaction/logs:
+    delete:
+      description: Delete all compaction logs for a bot
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
         type: string
-      tool_approval_config:
-        $ref: '#/definitions/settings.ToolApprovalConfig'
-      transcription_model_id:
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Delete compaction logs
+      tags:
+      - compaction
+    get:
+      description: List compaction logs for a bot
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
         type: string
-      tts_model_id:
+      - default: 50
+        description: Limit
+        in: query
+        name: limit
+        type: integer
+      - default: 0
+        description: Offset
+        in: query
+        name: offset
+        type: integer
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/compaction.ListLogsResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List compaction logs
+      tags:
+      - compaction
+  /bots/{bot_id}/container:
+    delete:
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Export /data before deletion
+        in: query
+        name: preserve_data
+        type: boolean
+      responses:
+        "204":
+          description: No Content
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Delete MCP container for bot
+      tags:
+      - containerd
+    get:
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.GetContainerResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get container info for bot
+      tags:
+      - containerd
+    post:
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Create container payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.CreateContainerRequest'
+      responses:
+        "200":
+          description: SSE stream of container creation events
+          schema:
+            $ref: '#/definitions/handlers.CreateContainerResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Create and start MCP container for bot
+      tags:
+      - containerd
+  /bots/{bot_id}/container/data/export:
+    post:
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      produces:
+      - application/gzip
+      responses:
+        "200":
+          description: OK
+          schema:
+            type: file
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Export container /data as a tar.gz archive
+      tags:
+      - containerd
+  /bots/{bot_id}/container/data/import:
+    post:
+      consumes:
+      - multipart/form-data
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: tar.gz archive
+        in: formData
+        name: file
+        required: true
+        type: file
+      responses:
+        "200":
+          description: OK
+          schema:
+            type: object
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Import a tar.gz archive into container /data
+      tags:
+      - containerd
+  /bots/{bot_id}/container/data/restore:
+    post:
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            type: object
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Restore previously preserved data into container
+      tags:
+      - containerd
+  /bots/{bot_id}/container/fs:
+    get:
+      description: Returns metadata about a file or directory at the given container
+        path
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Container path
+        in: query
+        name: path
+        required: true
         type: string
-    type: object
-info:
-  contact: {}
-  title: Memoh API
-  version: 1.0.0
-paths:
-  /auth/login:
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.FSFileInfo'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get file or directory info
+      tags:
+      - containerd
+  /bots/{bot_id}/container/fs/delete:
     post:
-      description: Validate user credentials and issue a JWT
+      description: Deletes a file or directory at the given container path
       parameters:
-      - description: Login request
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Delete request
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.LoginRequest'
+          $ref: '#/definitions/handlers.FSDeleteRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.LoginResponse'
+            $ref: '#/definitions/handlers.fsOpResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "401":
-          description: Unauthorized
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Login
+      summary: Delete a file or directory
       tags:
-      - auth
-  /auth/refresh:
-    post:
-      description: Issue a new JWT using the existing claims with updated expiration
+      - containerd
+  /bots/{bot_id}/container/fs/download:
+    get:
+      description: Downloads a file from the container with appropriate Content-Type
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Container file path
+        in: query
+        name: path
+        required: true
+        type: string
+      produces:
+      - application/octet-stream
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.RefreshResponse'
-        "401":
-          description: Unauthorized
+            type: file
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      security:
-      - BearerAuth: []
-      summary: Refresh Token
+      summary: Download a file as binary stream
       tags:
-      - auth
-  /bots:
+      - containerd
+  /bots/{bot_id}/container/fs/list:
     get:
-      description: List bots accessible to current user (admin can specify owner_id)
+      description: Lists files and directories at the given container path
       parameters:
-      - description: Owner user ID (admin only)
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Container directory path
         in: query
-        name: owner_id
+        name: path
+        required: true
         type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/bots.ListBotsResponse'
+            $ref: '#/definitions/handlers.FSListResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List bots
+      summary: List directory contents
       tags:
-      - bots
+      - containerd
+  /bots/{bot_id}/container/fs/mkdir:
     post:
-      description: Create a bot user owned by current user (or admin-specified owner)
+      description: Creates a directory (and parents) at the given container path
       parameters:
-      - description: Bot payload
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Mkdir request
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/bots.CreateBotRequest'
+          $ref: '#/definitions/handlers.FSMkdirRequest'
       responses:
-        "201":
-          description: Created
+        "200":
+          description: OK
           schema:
-            $ref: '#/definitions/bots.Bot'
+            $ref: '#/definitions/handlers.fsOpResponse'
         "400":
           description: Bad Request
           schema:
@@ -3291,66 +4492,63 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create bot user
+      summary: Create a directory
       tags:
-      - bots
-  /bots/{bot_id}/acl/channel-identities:
+      - containerd
+  /bots/{bot_id}/container/fs/read:
     get:
-      description: Search locally observed channel identities for building ACL rules
+      description: Reads the content of a file and returns it as a JSON string
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Search query
+      - description: Container file path
         in: query
-        name: q
+        name: path
+        required: true
         type: string
-      - description: Max results
-        in: query
-        name: limit
-        type: integer
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/acl.ChannelIdentityCandidateListResponse'
+            $ref: '#/definitions/handlers.FSReadResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Search ACL channel identity candidates
+      summary: Read file content as text
       tags:
-      - bots
-  /bots/{bot_id}/acl/channel-identities/{channel_identity_id}/conversations:
-    get:
-      description: List previously observed conversation candidates for a channel
-        identity, for scoped rule building
+      - containerd
+  /bots/{bot_id}/container/fs/rename:
+    post:
+      description: Renames or moves a file/directory from oldPath to newPath
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Channel Identity ID
-        in: path
-        name: channel_identity_id
+      - description: Rename request
+        in: body
+        name: payload
         required: true
-        type: string
+        schema:
+          $ref: '#/definitions/handlers.FSRenameRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/acl.ObservedConversationCandidateListResponse'
+            $ref: '#/definitions/handlers.fsOpResponse'
         "400":
           description: Bad Request
           schema:
@@ -3359,33 +4557,43 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List observed conversations for a channel identity
+      summary: Rename or move a file/directory
       tags:
-      - bots
-  /bots/{bot_id}/acl/channel-types/{channel_type}/conversations:
-    get:
-      description: List previously observed group/thread conversation candidates for
-        a channel type under this bot
+      - containerd
+  /bots/{bot_id}/container/fs/upload:
+    post:
+      consumes:
+      - multipart/form-data
+      description: Uploads a binary file to the given container path
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Channel type (e.g. telegram, discord)
-        in: path
-        name: channel_type
+      - description: Destination container path
+        in: formData
+        name: path
         required: true
         type: string
+      - description: File to upload
+        in: formData
+        name: file
+        required: true
+        type: file
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/acl.ObservedConversationCandidateListResponse'
+            $ref: '#/definitions/handlers.FSUploadResponse'
         "400":
           description: Bad Request
           schema:
@@ -3398,23 +4606,29 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List observed conversations for a platform type
+      summary: Upload a file via multipart form
       tags:
-      - bots
-  /bots/{bot_id}/acl/default-effect:
-    get:
-      description: Get the fallback effect when no rule matches
+      - containerd
+  /bots/{bot_id}/container/fs/write:
+    post:
+      description: Creates or overwrites a file with the provided text content
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
+      - description: Write request
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.FSWriteRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/acl.DefaultEffectResponse'
+            $ref: '#/definitions/handlers.fsOpResponse'
         "400":
           description: Bad Request
           schema:
@@ -3427,44 +4641,64 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get bot ACL default effect
+      summary: Write text content to a file
       tags:
-      - bots
-    put:
-      description: Set the fallback effect when no rule matches (allow or deny)
+      - containerd
+  /bots/{bot_id}/container/metrics:
+    get:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Default effect payload
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.GetContainerMetricsResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get current container metrics for bot
+      tags:
+      - containerd
+  /bots/{bot_id}/container/skills:
+    delete:
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Delete skills payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/acl.DefaultEffectResponse'
+          $ref: '#/definitions/handlers.SkillsDeleteRequest'
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.skillsOpResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Set bot ACL default effect
+      summary: Delete Memoh-managed skills
       tags:
-      - bots
-  /bots/{bot_id}/acl/rules:
+      - containerd
     get:
-      description: List all ACL rules for a bot ordered by priority
       parameters:
       - description: Bot ID
         in: path
@@ -3475,163 +4709,178 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/acl.ListRulesResponse'
+            $ref: '#/definitions/handlers.SkillsResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List bot ACL rules
+      summary: List skills from the bot container
       tags:
-      - bots
+      - containerd
     post:
-      description: Create a new priority-ordered ACL rule for chat.trigger
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Rule payload
+      - description: Skills payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/acl.CreateRuleRequest'
+          $ref: '#/definitions/handlers.SkillsUpsertRequest'
       responses:
-        "201":
-          description: Created
+        "200":
+          description: OK
           schema:
-            $ref: '#/definitions/acl.Rule'
+            $ref: '#/definitions/handlers.skillsOpResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create ACL rule
+      summary: Upload skills into Memoh-managed directory
       tags:
-      - bots
-  /bots/{bot_id}/acl/rules/{rule_id}:
-    delete:
-      description: Delete an ACL rule by ID
+      - containerd
+  /bots/{bot_id}/container/skills/actions:
+    post:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Rule ID
-        in: path
-        name: rule_id
+      - description: Skill action payload
+        in: body
+        name: payload
         required: true
-        type: string
+        schema:
+          $ref: '#/definitions/handlers.SkillsActionRequest'
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.skillsOpResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete ACL rule
+      summary: Apply an action to a discovered or managed skill source
       tags:
-      - bots
-    put:
-      description: Update an existing ACL rule
+      - containerd
+  /bots/{bot_id}/container/snapshots:
+    get:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Rule ID
+      - description: Snapshotter name
+        in: query
+        name: snapshotter
+        type: string
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.ListSnapshotsResponse'
+        "501":
+          description: Snapshots currently not supported on this backend
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List snapshots
+      tags:
+      - containerd
+    post:
+      parameters:
+      - description: Bot ID
         in: path
-        name: rule_id
+        name: bot_id
         required: true
         type: string
-      - description: Rule payload
+      - description: Create snapshot payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/acl.UpdateRuleRequest'
+          $ref: '#/definitions/handlers.CreateSnapshotRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/acl.Rule'
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+            $ref: '#/definitions/handlers.CreateSnapshotResponse'
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update ACL rule
+        "501":
+          description: Snapshots currently not supported on this backend
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Create container snapshot for bot
       tags:
-      - bots
-  /bots/{bot_id}/acl/rules/reorder:
-    put:
-      description: Batch-update priorities for multiple ACL rules
+      - containerd
+  /bots/{bot_id}/container/snapshots/rollback:
+    post:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Reorder payload
+      - description: Rollback payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/acl.ReorderRequest'
+          $ref: '#/definitions/handlers.RollbackRequest'
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Reorder ACL rules
+      summary: Rollback container to a previous snapshot version
       tags:
-      - bots
-  /bots/{bot_id}/compaction/logs:
-    delete:
-      description: Delete all compaction logs for a bot
+      - containerd
+  /bots/{bot_id}/container/start:
+    post:
       parameters:
       - description: Bot ID
         in: path
@@ -3639,79 +4888,102 @@ paths:
         required: true
         type: string
       responses:
-        "204":
-          description: No Content
-        "400":
-          description: Bad Request
+        "200":
+          description: OK
+          schema:
+            type: object
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete compaction logs
+      summary: Start container task for bot
       tags:
-      - compaction
-    get:
-      description: List compaction logs for a bot
+      - containerd
+  /bots/{bot_id}/container/stop:
+    post:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - default: 50
-        description: Limit
-        in: query
-        name: limit
-        type: integer
-      - default: 0
-        description: Offset
-        in: query
-        name: offset
-        type: integer
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/compaction.ListLogsResponse'
-        "400":
-          description: Bad Request
+            type: object
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List compaction logs
+      summary: Stop container task for bot
       tags:
-      - compaction
-  /bots/{bot_id}/container:
-    delete:
+      - containerd
+  /bots/{bot_id}/container/terminal:
+    get:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Export /data before deletion
-        in: query
-        name: preserve_data
-        type: boolean
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.terminalInfoResponse'
         "404":
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Check terminal availability for bot container
+      tags:
+      - containerd
+  /bots/{bot_id}/container/terminal/ws:
+    get:
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - default: 80
+        description: Initial terminal columns
+        in: query
+        name: cols
+        type: integer
+      - default: 24
+        description: Initial terminal rows
+        in: query
+        name: rows
+        type: integer
+      - description: Auth token
+        in: query
+        name: token
+        type: string
+      responses:
+        "101":
+          description: WebSocket upgrade
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete MCP container for bot
+      summary: Interactive WebSocket terminal for bot container
       tags:
       - containerd
+  /bots/{bot_id}/email-bindings:
     get:
       parameters:
       - description: Bot ID
@@ -3719,40 +4991,44 @@ paths:
         name: bot_id
         required: true
         type: string
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.GetContainerResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
+            items:
+              $ref: '#/definitions/email.BindingResponse'
+            type: array
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get container info for bot
+      summary: List email bindings for a bot
       tags:
-      - containerd
+      - email-bindings
     post:
+      consumes:
+      - application/json
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Create container payload
+      - description: Binding configuration
         in: body
-        name: payload
+        name: request
         required: true
         schema:
-          $ref: '#/definitions/handlers.CreateContainerRequest'
+          $ref: '#/definitions/email.CreateBindingRequest'
+      produces:
+      - application/json
       responses:
-        "200":
-          description: SSE stream of container creation events
+        "201":
+          description: Created
           schema:
-            $ref: '#/definitions/handlers.CreateContainerResponse'
+            $ref: '#/definitions/email.BindingResponse'
         "400":
           description: Bad Request
           schema:
@@ -3761,51 +5037,59 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create and start MCP container for bot
+      summary: Bind an email provider to a bot
       tags:
-      - containerd
-  /bots/{bot_id}/container/data/export:
-    post:
+      - email-bindings
+  /bots/{bot_id}/email-bindings/{id}:
+    delete:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      produces:
-      - application/gzip
+      - description: Binding ID
+        in: path
+        name: id
+        required: true
+        type: string
       responses:
-        "200":
-          description: OK
-          schema:
-            type: file
+        "204":
+          description: No Content
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Export container /data as a tar.gz archive
+      summary: Remove an email binding
       tags:
-      - containerd
-  /bots/{bot_id}/container/data/import:
-    post:
+      - email-bindings
+    put:
       consumes:
-      - multipart/form-data
+      - application/json
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: tar.gz archive
-        in: formData
-        name: file
+      - description: Binding ID
+        in: path
+        name: id
         required: true
-        type: file
+        type: string
+      - description: Updated binding
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/email.UpdateBindingRequest'
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            type: object
+            $ref: '#/definitions/email.BindingResponse'
         "400":
           description: Bad Request
           schema:
@@ -3814,201 +5098,185 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Import a tar.gz archive into container /data
+      summary: Update an email binding
       tags:
-      - containerd
-  /bots/{bot_id}/container/data/restore:
-    post:
+      - email-bindings
+  /bots/{bot_id}/email-outbox:
+    get:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
+      - default: 20
+        description: Limit
+        in: query
+        name: limit
+        type: integer
+      - default: 0
+        description: Offset
+        in: query
+        name: offset
+        type: integer
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
+            additionalProperties: true
             type: object
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Restore previously preserved data into container
+      summary: List outbox emails for a bot (audit)
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs:
+      - email-outbox
+  /bots/{bot_id}/email-outbox/{id}:
     get:
-      description: Returns metadata about a file or directory at the given container
-        path
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Container path
-        in: query
-        name: path
+      - description: Email ID
+        in: path
+        name: id
         required: true
         type: string
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.FSFileInfo'
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
+            $ref: '#/definitions/email.OutboxItemResponse'
         "404":
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get file or directory info
+      summary: Get outbox email detail
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs/delete:
-    post:
-      description: Deletes a file or directory at the given container path
+      - email-outbox
+  /bots/{bot_id}/heartbeat/logs:
+    delete:
+      description: Delete all heartbeat execution logs for a bot
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Delete request
-        in: body
-        name: payload
-        required: true
-        schema:
-          $ref: '#/definitions/handlers.FSDeleteRequest'
       responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.fsOpResponse'
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete a file or directory
+      summary: Delete heartbeat logs
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs/download:
+      - heartbeat
     get:
-      description: Downloads a file from the container with appropriate Content-Type
+      description: List heartbeat execution logs for a bot
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Container file path
+      - default: 50
+        description: Limit
         in: query
-        name: path
-        required: true
-        type: string
-      produces:
-      - application/octet-stream
+        name: limit
+        type: integer
+      - default: 0
+        description: Offset
+        in: query
+        name: offset
+        type: integer
       responses:
         "200":
           description: OK
           schema:
-            type: file
+            $ref: '#/definitions/heartbeat.ListLogsResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Download a file as binary stream
+      summary: List heartbeat logs
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs/list:
-    get:
-      description: Lists files and directories at the given container path
+      - heartbeat
+  /bots/{bot_id}/local/messages:
+    post:
+      consumes:
+      - application/json
+      description: Post a user message (with optional attachments) through the local
+        channel pipeline.
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Container directory path
-        in: query
-        name: path
+      - description: Message payload
+        in: body
+        name: payload
         required: true
-        type: string
+        schema:
+          $ref: '#/definitions/handlers.LocalChannelMessageRequest'
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.FSListResponse'
+            additionalProperties:
+              type: string
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List directory contents
+      summary: Send a message to a local channel
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs/mkdir:
-    post:
-      description: Creates a directory (and parents) at the given container path
+      - local-channel
+  /bots/{bot_id}/local/stream:
+    get:
+      description: Open a persistent SSE connection to receive real-time stream events
+        for the given bot.
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Mkdir request
-        in: body
-        name: payload
-        required: true
-        schema:
-          $ref: '#/definitions/handlers.FSMkdirRequest'
+      produces:
+      - text/event-stream
       responses:
         "200":
-          description: OK
+          description: SSE stream
           schema:
-            $ref: '#/definitions/handlers.fsOpResponse'
+            type: string
         "400":
           description: Bad Request
           schema:
@@ -4021,32 +5289,55 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create a directory
+      summary: Subscribe to local channel events via SSE
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs/read:
+      - local-channel
+  /bots/{bot_id}/local/ws:
     get:
-      description: Reads the content of a file and returns it as a JSON string
+      description: Upgrade to WebSocket for bidirectional chat streaming with abort
+        support.
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Container file path
-        in: query
-        name: path
-        required: true
-        type: string
+      responses:
+        "101":
+          description: Switching Protocols
+          schema:
+            type: string
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: WebSocket chat endpoint
+      tags:
+      - local-channel
+  /bots/{bot_id}/mcp:
+    get:
+      description: List MCP connections for a bot
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.FSReadResponse'
+            $ref: '#/definitions/mcp.ListResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
@@ -4055,29 +5346,23 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Read file content as text
+      summary: List MCP connections
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs/rename:
+      - mcp
     post:
-      description: Renames or moves a file/directory from oldPath to newPath
+      description: Create a MCP connection for a bot
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Rename request
+      - description: MCP payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.FSRenameRequest'
+          $ref: '#/definitions/mcp.UpsertRequest'
       responses:
-        "200":
-          description: OK
+        "201":
+          description: Created
           schema:
-            $ref: '#/definitions/handlers.fsOpResponse'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
         "400":
           description: Bad Request
           schema:
@@ -4094,35 +5379,22 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Rename or move a file/directory
+      summary: Create MCP connection
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs/upload:
+      - mcp
+  /bots/{bot_id}/mcp-ops/batch-delete:
     post:
-      consumes:
-      - multipart/form-data
-      description: Uploads a binary file to the given container path
+      description: Delete multiple MCP connections by IDs.
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Destination container path
-        in: formData
-        name: path
-        required: true
-        type: string
-      - description: File to upload
-        in: formData
-        name: file
+      - description: IDs to delete
+        in: body
+        name: payload
         required: true
-        type: file
+        schema:
+          $ref: '#/definitions/handlers.BatchDeleteRequest'
       responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.FSUploadResponse'
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
@@ -4135,83 +5407,70 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Upload a file via multipart form
+      summary: Batch delete MCP connections
       tags:
-      - containerd
-  /bots/{bot_id}/container/fs/write:
+      - mcp
+  /bots/{bot_id}/mcp-stdio:
     post:
-      description: Creates or overwrites a file with the provided text content
+      description: Start a stdio MCP process in the bot container and expose it as
+        MCP HTTP endpoint.
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Write request
+      - description: Stdio MCP payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.FSWriteRequest'
+          $ref: '#/definitions/handlers.MCPStdioRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.fsOpResponse'
+            $ref: '#/definitions/handlers.MCPStdioResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Write text content to a file
+      summary: Create MCP stdio proxy
       tags:
       - containerd
-  /bots/{bot_id}/container/metrics:
-    get:
+  /bots/{bot_id}/mcp-stdio/{connection_id}:
+    post:
+      description: Proxies MCP JSON-RPC requests to a stdio MCP process in the container.
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.GetContainerMetricsResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get current container metrics for bot
-      tags:
-      - containerd
-  /bots/{bot_id}/container/skills:
-    delete:
-      parameters:
-      - description: Bot ID
+      - description: Connection ID
         in: path
-        name: bot_id
+        name: connection_id
         required: true
         type: string
-      - description: Delete skills payload
+      - description: JSON-RPC request
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.SkillsDeleteRequest'
+          type: object
       responses:
         "200":
-          description: OK
+          description: 'JSON-RPC response: {jsonrpc,id,result|error}'
           schema:
-            $ref: '#/definitions/handlers.skillsOpResponse'
+            type: object
         "400":
           description: Bad Request
           schema:
@@ -4224,25 +5483,29 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete Memoh-managed skills
+      summary: MCP stdio proxy (JSON-RPC)
       tags:
       - containerd
-    get:
+  /bots/{bot_id}/mcp/{id}:
+    delete:
+      description: Delete a MCP connection by ID
       parameters:
-      - description: Bot ID
+      - description: MCP ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
       responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.SkillsResponse'
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
@@ -4251,31 +5514,30 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List skills from the bot container
+      summary: Delete MCP connection
       tags:
-      - containerd
-    post:
+      - mcp
+    get:
+      description: Get a MCP connection by ID
       parameters:
-      - description: Bot ID
+      - description: MCP ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Skills payload
-        in: body
-        name: payload
-        required: true
-        schema:
-          $ref: '#/definitions/handlers.SkillsUpsertRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.skillsOpResponse'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
@@ -4284,32 +5546,36 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Upload skills into Memoh-managed directory
+      summary: Get MCP connection
       tags:
-      - containerd
-  /bots/{bot_id}/container/skills/actions:
-    post:
+      - mcp
+    put:
+      description: Update a MCP connection by ID
       parameters:
-      - description: Bot ID
+      - description: MCP ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Skill action payload
+      - description: MCP payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.SkillsActionRequest'
+          $ref: '#/definitions/mcp.UpsertRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.skillsOpResponse'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
@@ -4318,133 +5584,161 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Apply an action to a discovered or managed skill source
+      summary: Update MCP connection
       tags:
-      - containerd
-  /bots/{bot_id}/container/snapshots:
-    get:
+      - mcp
+  /bots/{bot_id}/mcp/{id}/oauth/authorize:
+    post:
+      description: Generate PKCE and return authorization URL for the user to authorize
       parameters:
-      - description: Bot ID
+      - description: MCP connection ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Snapshotter name
-        in: query
-        name: snapshotter
-        type: string
+      - description: Optional client_id
+        in: body
+        name: payload
+        schema:
+          $ref: '#/definitions/handlers.oauthAuthorizeRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.ListSnapshotsResponse'
-        "501":
-          description: Snapshots currently not supported on this backend
+            $ref: '#/definitions/mcp.AuthorizeResult'
+        "400":
+          description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List snapshots
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Start OAuth authorization flow
       tags:
-      - containerd
+      - mcp
+  /bots/{bot_id}/mcp/{id}/oauth/discover:
     post:
+      description: Probe MCP server URL for OAuth requirements and discover authorization
+        server metadata
       parameters:
-      - description: Bot ID
+      - description: MCP connection ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Create snapshot payload
+      - description: Optional URL override
         in: body
         name: payload
-        required: true
         schema:
-          $ref: '#/definitions/handlers.CreateSnapshotRequest'
+          $ref: '#/definitions/handlers.oauthDiscoverRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.CreateSnapshotResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+            $ref: '#/definitions/mcp.DiscoveryResult'
+        "400":
+          description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "501":
-          description: Snapshots currently not supported on this backend
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create container snapshot for bot
+      summary: Discover OAuth configuration for MCP server
       tags:
-      - containerd
-  /bots/{bot_id}/container/snapshots/rollback:
+      - mcp
+  /bots/{bot_id}/mcp/{id}/oauth/exchange:
     post:
+      description: Frontend callback page calls this to exchange the authorization
+        code for access/refresh tokens
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Rollback payload
+      - description: Authorization code and state
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.RollbackRequest'
+          $ref: '#/definitions/handlers.oauthExchangeRequest'
       responses:
         "200":
           description: OK
           schema:
+            additionalProperties:
+              type: boolean
             type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Rollback container to a previous snapshot version
+      summary: Exchange OAuth authorization code for tokens
       tags:
-      - containerd
-  /bots/{bot_id}/container/start:
-    post:
+      - mcp
+  /bots/{bot_id}/mcp/{id}/oauth/status:
+    get:
+      description: Returns the current OAuth status including whether tokens are available
       parameters:
-      - description: Bot ID
+      - description: MCP connection ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
       responses:
         "200":
           description: OK
           schema:
-            type: object
+            $ref: '#/definitions/mcp.OAuthStatus'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+      summary: Get OAuth status for MCP connection
+      tags:
+      - mcp
+  /bots/{bot_id}/mcp/{id}/oauth/token:
+    delete:
+      description: Clears stored OAuth tokens
+      parameters:
+      - description: MCP connection ID
+        in: path
+        name: id
+        required: true
+        type: string
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Start container task for bot
+      summary: Revoke OAuth tokens for MCP connection
       tags:
-      - containerd
-  /bots/{bot_id}/container/stop:
+      - mcp
+  /bots/{bot_id}/mcp/{id}/probe:
     post:
+      description: Probe a MCP connection to discover tools and verify connectivity
       parameters:
-      - description: Bot ID
+      - description: MCP connection ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
       responses:
         "200":
           description: OK
           schema:
-            type: object
+            $ref: '#/definitions/handlers.ProbeResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
@@ -4453,225 +5747,198 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Stop container task for bot
+      summary: Probe MCP connection
       tags:
-      - containerd
-  /bots/{bot_id}/container/terminal:
+      - mcp
+  /bots/{bot_id}/mcp/export:
     get:
-      parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
+      description: Export all MCP connections for a bot in standard mcpServers format.
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.terminalInfoResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Check terminal availability for bot container
-      tags:
-      - containerd
-  /bots/{bot_id}/container/terminal/ws:
-    get:
-      parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - default: 80
-        description: Initial terminal columns
-        in: query
-        name: cols
-        type: integer
-      - default: 24
-        description: Initial terminal rows
-        in: query
-        name: rows
-        type: integer
-      - description: Auth token
-        in: query
-        name: token
-        type: string
-      responses:
-        "101":
-          description: WebSocket upgrade
+            $ref: '#/definitions/mcp.ExportResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Interactive WebSocket terminal for bot container
+      summary: Export MCP connections
       tags:
-      - containerd
-  /bots/{bot_id}/email-bindings:
-    get:
+      - mcp
+  /bots/{bot_id}/mcp/import:
+    put:
+      description: Batch import MCP connections from standard mcpServers format. Existing
+        connections (matched by name) get config updated with is_active preserved.
+        New connections are created as active.
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
+      - description: mcpServers dict
+        in: body
+        name: payload
         required: true
-        type: string
-      produces:
-      - application/json
+        schema:
+          $ref: '#/definitions/mcp.ImportRequest'
       responses:
         "200":
           description: OK
           schema:
-            items:
-              $ref: '#/definitions/email.BindingResponse'
-            type: array
+            $ref: '#/definitions/mcp.ListResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List email bindings for a bot
+      summary: Import MCP connections
       tags:
-      - email-bindings
-    post:
+      - mcp
+  /bots/{bot_id}/memory:
+    delete:
       consumes:
       - application/json
+      description: Delete specific memories by IDs, or delete all memories if no IDs
+        are provided
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Binding configuration
+      - description: 'Optional: specify memory_ids to delete; if omitted, deletes
+          all'
         in: body
-        name: request
-        required: true
+        name: payload
         schema:
-          $ref: '#/definitions/email.CreateBindingRequest'
+          $ref: '#/definitions/handlers.memoryDeletePayload'
       produces:
       - application/json
       responses:
-        "201":
-          description: Created
+        "200":
+          description: OK
           schema:
-            $ref: '#/definitions/email.BindingResponse'
+            $ref: '#/definitions/adapters.DeleteResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Bind an email provider to a bot
-      tags:
-      - email-bindings
-  /bots/{bot_id}/email-bindings/{id}:
-    delete:
-      parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Binding ID
-        in: path
-        name: id
-        required: true
-        type: string
-      responses:
-        "204":
-          description: No Content
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Remove an email binding
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Delete memories
       tags:
-      - email-bindings
-    put:
-      consumes:
-      - application/json
+      - memory
+    get:
+      description: List all memories in the bot-shared namespace
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Binding ID
-        in: path
-        name: id
-        required: true
-        type: string
-      - description: Updated binding
-        in: body
-        name: request
-        required: true
-        schema:
-          $ref: '#/definitions/email.UpdateBindingRequest'
+      - description: Skip optional stats in memory search response
+        in: query
+        name: no_stats
+        type: boolean
       produces:
       - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/email.BindingResponse'
+            $ref: '#/definitions/adapters.SearchResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update an email binding
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get all memories
       tags:
-      - email-bindings
-  /bots/{bot_id}/email-outbox:
-    get:
+      - memory
+    post:
+      consumes:
+      - application/json
+      description: Add memory into the bot-shared namespace
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - default: 20
-        description: Limit
-        in: query
-        name: limit
-        type: integer
-      - default: 0
-        description: Offset
-        in: query
-        name: offset
-        type: integer
+      - description: Memory add payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.memoryAddPayload'
       produces:
       - application/json
       responses:
         "200":
           description: OK
           schema:
-            additionalProperties: true
-            type: object
+            $ref: '#/definitions/adapters.SearchResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List outbox emails for a bot (audit)
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Add memory
       tags:
-      - email-outbox
-  /bots/{bot_id}/email-outbox/{id}:
-    get:
+      - memory
+  /bots/{bot_id}/memory/{id}:
+    delete:
+      description: Delete a single memory by its ID
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Email ID
+      - description: Memory ID
         in: path
         name: id
         required: true
@@ -4682,98 +5949,141 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/email.OutboxItemResponse'
-        "404":
-          description: Not Found
+            $ref: '#/definitions/adapters.DeleteResponse'
+        "400":
+          description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get outbox email detail
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Delete a single memory
       tags:
-      - email-outbox
-  /bots/{bot_id}/heartbeat/logs:
-    delete:
-      description: Delete all heartbeat execution logs for a bot
+      - memory
+  /bots/{bot_id}/memory/compact:
+    post:
+      consumes:
+      - application/json
+      description: |-
+        Consolidate memories by merging similar/redundant entries using LLM.
+
+        **ratio** (required, range (0,1]):
+        - 0.8 = light compression, mostly dedup, keep ~80% of entries
+        - 0.5 = moderate compression, merge similar facts, keep ~50%
+        - 0.3 = aggressive compression, heavily consolidate, keep ~30%
+
+        **decay_days** (optional): enable time decay — memories older than N days are treated as low priority and more likely to be merged/dropped.
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
+      - description: ratio (0,1] required; decay_days optional
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.memoryCompactPayload'
+      produces:
+      - application/json
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/adapters.CompactResult'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete heartbeat logs
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Compact memories
       tags:
-      - heartbeat
-    get:
-      description: List heartbeat execution logs for a bot
+      - memory
+  /bots/{bot_id}/memory/rebuild:
+    post:
+      description: Read memory files from the container filesystem (source of truth)
+        and restore missing entries to memory storage
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - default: 50
-        description: Limit
-        in: query
-        name: limit
-        type: integer
-      - default: 0
-        description: Offset
-        in: query
-        name: offset
-        type: integer
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/heartbeat.ListLogsResponse'
+            $ref: '#/definitions/adapters.RebuildResult'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List heartbeat logs
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Rebuild memories from filesystem
       tags:
-      - heartbeat
-  /bots/{bot_id}/local/messages:
+      - memory
+  /bots/{bot_id}/memory/search:
     post:
       consumes:
       - application/json
-      description: Post a user message (with optional attachments) through the local
-        channel pipeline.
+      description: Search memory in the bot-shared namespace
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Message payload
+      - description: Memory search payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.LocalChannelMessageRequest'
+          $ref: '#/definitions/handlers.memorySearchPayload'
       produces:
       - application/json
       responses:
         "200":
           description: OK
           schema:
-            additionalProperties:
-              type: string
-            type: object
+            $ref: '#/definitions/adapters.SearchResponse'
         "400":
           description: Bad Request
           schema:
@@ -4782,17 +6092,25 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Send a message to a local channel
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Search memory
       tags:
-      - local-channel
-  /bots/{bot_id}/local/stream:
+      - memory
+  /bots/{bot_id}/memory/status:
     get:
-      description: Open a persistent SSE connection to receive real-time stream events
-        for the given bot.
+      description: Get the resolved memory runtime status for a bot, including index
+        health and source counts
       parameters:
       - description: Bot ID
         in: path
@@ -4800,12 +6118,12 @@ paths:
         required: true
         type: string
       produces:
-      - text/event-stream
+      - application/json
       responses:
         "200":
-          description: SSE stream
+          description: OK
           schema:
-            type: string
+            $ref: '#/definitions/adapters.MemoryStatusResponse'
         "400":
           description: Bad Request
           schema:
@@ -4814,51 +6132,37 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Subscribe to local channel events via SSE
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get memory runtime status
       tags:
-      - local-channel
-  /bots/{bot_id}/local/ws:
+      - memory
+  /bots/{bot_id}/memory/usage:
     get:
-      description: Upgrade to WebSocket for bidirectional chat streaming with abort
-        support.
+      description: Query the estimated storage usage of current memories
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      responses:
-        "101":
-          description: Switching Protocols
-          schema:
-            type: string
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: WebSocket chat endpoint
-      tags:
-      - local-channel
-  /bots/{bot_id}/mcp:
-    get:
-      description: List MCP connections for a bot
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/mcp.ListResponse'
+            $ref: '#/definitions/adapters.UsageResponse'
         "400":
           description: Bad Request
           schema:
@@ -4867,31 +6171,31 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List MCP connections
+        "503":
+          description: Service Unavailable
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get memory usage
       tags:
-      - mcp
-    post:
-      description: Create a MCP connection for a bot
+      - memory
+  /bots/{bot_id}/messages:
+    delete:
+      description: Clear all persisted bot-level history messages
       parameters:
-      - description: MCP payload
-        in: body
-        name: payload
+      - description: Bot ID
+        in: path
+        name: bot_id
         required: true
-        schema:
-          $ref: '#/definitions/mcp.UpsertRequest'
-      responses:
-        "201":
-          description: Created
-          schema:
-            $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
+        type: string
+      produces:
+      - application/json
+      responses:
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
@@ -4900,30 +6204,40 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create MCP connection
+      summary: Delete all bot history messages
       tags:
-      - mcp
-  /bots/{bot_id}/mcp-ops/batch-delete:
-    post:
-      description: Delete multiple MCP connections by IDs.
+      - messages
+    get:
+      description: List messages for a bot history with optional pagination
       parameters:
-      - description: IDs to delete
-        in: body
-        name: payload
+      - description: Bot ID
+        in: path
+        name: bot_id
         required: true
-        schema:
-          $ref: '#/definitions/handlers.BatchDeleteRequest'
+        type: string
+      - description: Limit
+        in: query
+        name: limit
+        type: integer
+      - description: Before
+        in: query
+        name: before
+        type: string
+      produces:
+      - application/json
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            additionalProperties:
+              items:
+                $ref: '#/definitions/message.Message'
+              type: array
+            type: object
         "400":
           description: Bad Request
           schema:
@@ -4936,90 +6250,58 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Batch delete MCP connections
+      summary: List bot history messages
       tags:
-      - mcp
-  /bots/{bot_id}/mcp-stdio:
-    post:
-      description: Start a stdio MCP process in the bot container and expose it as
-        MCP HTTP endpoint.
-      parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Stdio MCP payload
-        in: body
-        name: payload
-        required: true
-        schema:
-          $ref: '#/definitions/handlers.MCPStdioRequest'
+      - messages
+  /bots/{bot_id}/schedule:
+    get:
+      description: List schedules for current user
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.MCPStdioResponse'
+            $ref: '#/definitions/schedule.ListResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create MCP stdio proxy
+      summary: List schedules
       tags:
-      - containerd
-  /bots/{bot_id}/mcp-stdio/{connection_id}:
+      - schedule
     post:
-      description: Proxies MCP JSON-RPC requests to a stdio MCP process in the container.
+      description: Create a schedule for current user
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Connection ID
-        in: path
-        name: connection_id
-        required: true
-        type: string
-      - description: JSON-RPC request
+      - description: Schedule payload
         in: body
         name: payload
         required: true
         schema:
-          type: object
+          $ref: '#/definitions/schedule.CreateRequest'
       responses:
-        "200":
-          description: 'JSON-RPC response: {jsonrpc,id,result|error}'
+        "201":
+          description: Created
           schema:
-            type: object
+            $ref: '#/definitions/schedule.Schedule'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: MCP stdio proxy (JSON-RPC)
+      summary: Create schedule
       tags:
-      - containerd
-  /bots/{bot_id}/mcp/{id}:
+      - schedule
+  /bots/{bot_id}/schedule/{id}:
     delete:
-      description: Delete a MCP connection by ID
+      description: Delete a schedule by ID
       parameters:
-      - description: MCP ID
+      - description: Schedule ID
         in: path
         name: id
         required: true
@@ -5031,25 +6313,17 @@ paths:
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete MCP connection
+      summary: Delete schedule
       tags:
-      - mcp
+      - schedule
     get:
-      description: Get a MCP connection by ID
+      description: Get a schedule by ID
       parameters:
-      - description: MCP ID
+      - description: Schedule ID
         in: path
         name: id
         required: true
@@ -5058,15 +6332,11 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
+            $ref: '#/definitions/schedule.Schedule'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
@@ -5075,191 +6345,209 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get MCP connection
+      summary: Get schedule
       tags:
-      - mcp
+      - schedule
     put:
-      description: Update a MCP connection by ID
+      description: Update a schedule by ID
       parameters:
-      - description: MCP ID
+      - description: Schedule ID
         in: path
         name: id
         required: true
         type: string
-      - description: MCP payload
+      - description: Schedule payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/mcp.UpsertRequest'
+          $ref: '#/definitions/schedule.UpdateRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
+            $ref: '#/definitions/schedule.Schedule'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update MCP connection
+      summary: Update schedule
       tags:
-      - mcp
-  /bots/{bot_id}/mcp/{id}/oauth/authorize:
-    post:
-      description: Generate PKCE and return authorization URL for the user to authorize
+      - schedule
+  /bots/{bot_id}/schedule/{id}/logs:
+    get:
+      description: List execution logs for a specific schedule
       parameters:
-      - description: MCP connection ID
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Schedule ID
         in: path
         name: id
         required: true
         type: string
-      - description: Optional client_id
-        in: body
-        name: payload
-        schema:
-          $ref: '#/definitions/handlers.oauthAuthorizeRequest'
+      - default: 50
+        description: Limit
+        in: query
+        name: limit
+        type: integer
+      - default: 0
+        description: Offset
+        in: query
+        name: offset
+        type: integer
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/mcp.AuthorizeResult'
+            $ref: '#/definitions/schedule.ListLogsResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "500":
+          description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Start OAuth authorization flow
+      summary: List schedule logs by schedule
       tags:
-      - mcp
-  /bots/{bot_id}/mcp/{id}/oauth/discover:
-    post:
-      description: Probe MCP server URL for OAuth requirements and discover authorization
-        server metadata
+      - schedule
+  /bots/{bot_id}/schedule/logs:
+    delete:
+      description: Delete all schedule execution logs for a bot
       parameters:
-      - description: MCP connection ID
+      - description: Bot ID
         in: path
-        name: id
+        name: bot_id
         required: true
         type: string
-      - description: Optional URL override
-        in: body
-        name: payload
-        schema:
-          $ref: '#/definitions/handlers.oauthDiscoverRequest'
       responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/mcp.DiscoveryResult'
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "500":
+          description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Discover OAuth configuration for MCP server
+      summary: Delete schedule logs
       tags:
-      - mcp
-  /bots/{bot_id}/mcp/{id}/oauth/exchange:
-    post:
-      description: Frontend callback page calls this to exchange the authorization
-        code for access/refresh tokens
+      - schedule
+    get:
+      description: List schedule execution logs for a bot
       parameters:
-      - description: Authorization code and state
-        in: body
-        name: payload
+      - description: Bot ID
+        in: path
+        name: bot_id
         required: true
-        schema:
-          $ref: '#/definitions/handlers.oauthExchangeRequest'
+        type: string
+      - default: 50
+        description: Limit
+        in: query
+        name: limit
+        type: integer
+      - default: 0
+        description: Offset
+        in: query
+        name: offset
+        type: integer
       responses:
         "200":
           description: OK
           schema:
-            additionalProperties:
-              type: boolean
-            type: object
+            $ref: '#/definitions/schedule.ListLogsResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Exchange OAuth authorization code for tokens
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List schedule logs
       tags:
-      - mcp
-  /bots/{bot_id}/mcp/{id}/oauth/status:
+      - schedule
+  /bots/{bot_id}/sessions:
     get:
-      description: Returns the current OAuth status including whether tokens are available
       parameters:
-      - description: MCP connection ID
+      - description: Bot ID
         in: path
-        name: id
+        name: bot_id
         required: true
         type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/mcp.OAuthStatus'
+            additionalProperties:
+              items:
+                $ref: '#/definitions/session.Session'
+              type: array
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get OAuth status for MCP connection
+      summary: List bot sessions
       tags:
-      - mcp
-  /bots/{bot_id}/mcp/{id}/oauth/token:
-    delete:
-      description: Clears stored OAuth tokens
+      - sessions
+    post:
       parameters:
-      - description: MCP connection ID
+      - description: Bot ID
         in: path
-        name: id
+        name: bot_id
         required: true
         type: string
+      - description: Session data
+        in: body
+        name: body
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.createSessionRequest'
       responses:
-        "204":
-          description: No Content
+        "201":
+          description: Created
+          schema:
+            $ref: '#/definitions/session.Session'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Revoke OAuth tokens for MCP connection
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Create a new chat session
       tags:
-      - mcp
-  /bots/{bot_id}/mcp/{id}/probe:
-    post:
-      description: Probe a MCP connection to discover tools and verify connectivity
+      - sessions
+  /bots/{bot_id}/sessions/{session_id}:
+    delete:
       parameters:
-      - description: MCP connection ID
+      - description: Bot ID
         in: path
-        name: id
+        name: bot_id
+        required: true
+        type: string
+      - description: Session ID
+        in: path
+        name: session_id
         required: true
         type: string
       responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.ProbeResponse'
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
@@ -5268,25 +6556,26 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Probe MCP connection
+      summary: Soft-delete a session
       tags:
-      - mcp
-  /bots/{bot_id}/mcp/export:
+      - sessions
     get:
-      description: Export all MCP connections for a bot in standard mcpServers format.
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Session ID
+        in: path
+        name: session_id
+        required: true
+        type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/mcp.ExportResponse'
+            $ref: '#/definitions/session.Session'
         "400":
           description: Bad Request
           schema:
@@ -5295,30 +6584,36 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Export MCP connections
+      summary: Get a session by ID
       tags:
-      - mcp
-  /bots/{bot_id}/mcp/import:
-    put:
-      description: Batch import MCP connections from standard mcpServers format. Existing
-        connections (matched by name) get config updated with is_active preserved.
-        New connections are created as active.
+      - sessions
+    patch:
       parameters:
-      - description: mcpServers dict
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Session ID
+        in: path
+        name: session_id
+        required: true
+        type: string
+      - description: Fields to update
         in: body
-        name: payload
+        name: body
         required: true
         schema:
-          $ref: '#/definitions/mcp.ImportRequest'
+          $ref: '#/definitions/handlers.updateSessionRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/mcp.ListResponse'
+            $ref: '#/definitions/session.Session'
         "400":
           description: Bad Request
           schema:
@@ -5327,76 +6622,67 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Import MCP connections
+      summary: Update a session
       tags:
-      - mcp
-  /bots/{bot_id}/memory:
-    delete:
-      consumes:
-      - application/json
-      description: Delete specific memories by IDs, or delete all memories if no IDs
-        are provided
+      - sessions
+  /bots/{bot_id}/sessions/{session_id}/compact:
+    post:
+      description: Run context compaction synchronously for a session
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: 'Optional: specify memory_ids to delete; if omitted, deletes
-          all'
-        in: body
-        name: payload
-        schema:
-          $ref: '#/definitions/handlers.memoryDeletePayload'
-      produces:
-      - application/json
+      - description: Session ID
+        in: path
+        name: session_id
+        required: true
+        type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.DeleteResponse'
+            $ref: '#/definitions/handlers.TriggerCompactResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete memories
+      summary: Trigger immediate context compaction
       tags:
-      - memory
+      - compaction
+  /bots/{bot_id}/sessions/{session_id}/status:
     get:
-      description: List all memories in the bot-shared namespace
+      description: Get aggregated info for a chat session including message count,
+        context usage, cache stats, and used skills
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Skip optional stats in memory search response
+      - description: Session ID
+        in: path
+        name: session_id
+        required: true
+        type: string
+      - description: Optional model UUID override for context window
         in: query
-        name: no_stats
-        type: boolean
-      produces:
-      - application/json
+        name: model_id
+        type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.SearchResponse'
+            $ref: '#/definitions/handlers.SessionInfoResponse'
         "400":
           description: Bad Request
           schema:
@@ -5409,250 +6695,193 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
+      summary: Get session info
+      tags:
+      - sessions
+  /bots/{bot_id}/settings:
+    delete:
+      description: Remove agent settings for current user
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get all memories
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Delete user settings
       tags:
-      - memory
-    post:
-      consumes:
-      - application/json
-      description: Add memory into the bot-shared namespace
-      parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Memory add payload
-        in: body
-        name: payload
-        required: true
-        schema:
-          $ref: '#/definitions/handlers.memoryAddPayload'
-      produces:
-      - application/json
+      - settings
+    get:
+      description: Get agent settings for current user
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.SearchResponse'
+            $ref: '#/definitions/settings.Settings'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
+          description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Add memory
+      summary: Get user settings
       tags:
-      - memory
-  /bots/{bot_id}/memory/{id}:
-    delete:
-      description: Delete a single memory by its ID
+      - settings
+    post:
+      description: Update or create agent settings for current user
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Memory ID
-        in: path
-        name: id
+      - description: Settings payload
+        in: body
+        name: payload
         required: true
-        type: string
-      produces:
-      - application/json
+        schema:
+          $ref: '#/definitions/settings.UpsertRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.DeleteResponse'
+            $ref: '#/definitions/settings.Settings'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete a single memory
+      summary: Update user settings
       tags:
-      - memory
-  /bots/{bot_id}/memory/compact:
-    post:
-      consumes:
-      - application/json
-      description: |-
-        Consolidate memories by merging similar/redundant entries using LLM.
-
-        **ratio** (required, range (0,1]):
-        - 0.8 = light compression, mostly dedup, keep ~80% of entries
-        - 0.5 = moderate compression, merge similar facts, keep ~50%
-        - 0.3 = aggressive compression, heavily consolidate, keep ~30%
-
-        **decay_days** (optional): enable time decay — memories older than N days are treated as low priority and more likely to be merged/dropped.
+      - settings
+    put:
+      description: Update or create agent settings for current user
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: ratio (0,1] required; decay_days optional
+      - description: Settings payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.memoryCompactPayload'
-      produces:
-      - application/json
+          $ref: '#/definitions/settings.UpsertRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.CompactResult'
+            $ref: '#/definitions/settings.Settings'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Compact memories
+      summary: Update user settings
       tags:
-      - memory
-  /bots/{bot_id}/memory/rebuild:
+      - settings
+  /bots/{bot_id}/supermarket/install-mcp:
     post:
-      description: Read memory files from the container filesystem (source of truth)
-        and restore missing entries to memory storage
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      produces:
-      - application/json
+      - description: Install MCP request
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.InstallMcpRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.RebuildResult'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "409":
-          description: Conflict
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
+        "502":
+          description: Bad Gateway
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Rebuild memories from filesystem
+      summary: Install MCP from supermarket to bot
       tags:
-      - memory
-  /bots/{bot_id}/memory/search:
+      - supermarket
+  /bots/{bot_id}/supermarket/install-skill:
     post:
-      consumes:
-      - application/json
-      description: Search memory in the bot-shared namespace
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Memory search payload
+      - description: Install skill request
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.memorySearchPayload'
-      produces:
-      - application/json
+          $ref: '#/definitions/handlers.InstallSkillRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.SearchResponse'
+            additionalProperties:
+              type: boolean
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
+        "502":
+          description: Bad Gateway
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Search memory
+      summary: Install skill from supermarket to bot container
       tags:
-      - memory
-  /bots/{bot_id}/memory/status:
+      - supermarket
+  /bots/{bot_id}/token-usage:
     get:
-      description: Get the resolved memory runtime status for a bot, including index
-        health and source counts
+      description: Get daily aggregated token usage for a bot, split by chat, heartbeat,
+        and schedule session types, with optional model filter and per-model breakdown
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      produces:
-      - application/json
+      - description: Start date (YYYY-MM-DD)
+        in: query
+        name: from
+        required: true
+        type: string
+      - description: End date exclusive (YYYY-MM-DD)
+        in: query
+        name: to
+        required: true
+        type: string
+      - description: Optional model UUID to filter by
+        in: query
+        name: model_id
+        type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.MemoryStatusResponse'
+            $ref: '#/definitions/handlers.TokenUsageResponse'
         "400":
           description: Bad Request
           schema:
@@ -5661,37 +6890,57 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "409":
-          description: Conflict
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get memory runtime status
+      summary: Get token usage statistics
       tags:
-      - memory
-  /bots/{bot_id}/memory/usage:
+      - token-usage
+  /bots/{bot_id}/token-usage/records:
     get:
-      description: Query the estimated storage usage of current memories
+      description: Paginated list of individual LLM call records (assistant messages
+        with usage) for a bot, with optional model and session type filters
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
+      - description: Start date (YYYY-MM-DD)
+        in: query
+        name: from
+        required: true
+        type: string
+      - description: End date exclusive (YYYY-MM-DD)
+        in: query
+        name: to
+        required: true
+        type: string
+      - description: Optional model UUID to filter by
+        in: query
+        name: model_id
+        type: string
+      - description: 'Optional session type: chat, heartbeat, or schedule'
+        in: query
+        name: session_type
+        type: string
+      - description: Page size (default 20, max 100)
+        in: query
+        name: limit
+        type: integer
+      - default: 0
+        description: Offset
+        in: query
+        name: offset
+        type: integer
       produces:
       - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/adapters.UsageResponse'
+            $ref: '#/definitions/handlers.TokenUsageRecordsResponse'
         "400":
           description: Bad Request
           schema:
@@ -5704,27 +6953,34 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "503":
-          description: Service Unavailable
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get memory usage
+      summary: List per-call token usage records
       tags:
-      - memory
-  /bots/{bot_id}/messages:
-    delete:
-      description: Clear all persisted bot-level history messages
+      - token-usage
+  /bots/{bot_id}/tool-approvals/{approval_id}/approve:
+    post:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      produces:
-      - application/json
+      - description: Approval ID
+        in: path
+        name: approval_id
+        required: true
+        type: string
+      - description: Approval payload
+        in: body
+        name: payload
+        schema:
+          $ref: '#/definitions/handlers.ToolApprovalDecisionRequest'
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            additionalProperties:
+              type: string
+            type: object
         "400":
           description: Bad Request
           schema:
@@ -5737,35 +6993,33 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete all bot history messages
+      summary: Approve a pending tool call
       tags:
-      - messages
-    get:
-      description: List messages for a bot history with optional pagination
+      - tool-approvals
+  /bots/{bot_id}/tool-approvals/{approval_id}/reject:
+    post:
       parameters:
       - description: Bot ID
         in: path
         name: bot_id
         required: true
         type: string
-      - description: Limit
-        in: query
-        name: limit
-        type: integer
-      - description: Before
-        in: query
-        name: before
+      - description: Approval ID
+        in: path
+        name: approval_id
+        required: true
         type: string
-      produces:
-      - application/json
+      - description: Rejection payload
+        in: body
+        name: payload
+        schema:
+          $ref: '#/definitions/handlers.ToolApprovalDecisionRequest'
       responses:
         "200":
           description: OK
           schema:
             additionalProperties:
-              items:
-                $ref: '#/definitions/message.Message'
-              type: array
+              type: string
             type: object
         "400":
           description: Bad Request
@@ -5779,42 +7033,69 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List bot history messages
+      summary: Reject a pending tool call
       tags:
-      - messages
-  /bots/{bot_id}/schedule:
-    get:
-      description: List schedules for current user
+      - tool-approvals
+  /bots/{bot_id}/tools:
+    post:
+      description: MCP endpoint for tool discovery and invocation.
+      parameters:
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: JSON-RPC request
+        in: body
+        name: payload
+        required: true
+        schema:
+          type: object
       responses:
         "200":
-          description: OK
+          description: 'JSON-RPC response: {jsonrpc,id,result|error}'
           schema:
-            $ref: '#/definitions/schedule.ListResponse'
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List schedules
+      summary: Unified MCP tools gateway
       tags:
-      - schedule
+      - containerd
+  /bots/{bot_id}/tts/synthesize:
     post:
-      description: Create a schedule for current user
+      consumes:
+      - application/json
+      description: Stream-synthesize text using the bot's configured TTS model, write
+        to temp file
       parameters:
-      - description: Schedule payload
+      - description: Bot ID
+        in: path
+        name: bot_id
+        required: true
+        type: string
+      - description: Text to synthesize
         in: body
-        name: payload
+        name: request
         required: true
         schema:
-          $ref: '#/definitions/schedule.CreateRequest'
+          $ref: '#/definitions/handlers.synthesizeRequest'
+      produces:
+      - application/json
       responses:
-        "201":
-          description: Created
+        "200":
+          description: OK
           schema:
-            $ref: '#/definitions/schedule.Schedule'
+            $ref: '#/definitions/handlers.synthesizeResponse'
         "400":
           description: Bad Request
           schema:
@@ -5823,36 +7104,48 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create schedule
+      summary: Synthesize speech for a bot
       tags:
-      - schedule
-  /bots/{bot_id}/schedule/{id}:
+      - bots
+  /bots/{id}:
     delete:
-      description: Delete a schedule by ID
+      description: Delete a bot user when the current user has bot.delete
       parameters:
-      - description: Schedule ID
+      - description: Bot ID
         in: path
         name: id
         required: true
         type: string
       responses:
-        "204":
-          description: No Content
+        "202":
+          description: Accepted
+          schema:
+            additionalProperties:
+              type: string
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete schedule
+      summary: Delete bot
       tags:
-      - schedule
+      - bots
     get:
-      description: Get a schedule by ID
+      description: Get a bot by ID when the current user has bot.read
       parameters:
-      - description: Schedule ID
+      - description: Bot ID
         in: path
         name: id
         required: true
@@ -5861,11 +7154,15 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/schedule.Schedule'
+            $ref: '#/definitions/bots.Bot'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
@@ -5874,86 +7171,59 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get schedule
+      summary: Get bot details
       tags:
-      - schedule
+      - bots
     put:
-      description: Update a schedule by ID
+      description: Update bot profile when the current user has bot.update
       parameters:
-      - description: Schedule ID
+      - description: Bot ID
         in: path
         name: id
         required: true
         type: string
-      - description: Schedule payload
+      - description: Bot update payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/schedule.UpdateRequest'
+          $ref: '#/definitions/bots.UpdateBotRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/schedule.Schedule'
+            $ref: '#/definitions/bots.Bot'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update schedule
-      tags:
-      - schedule
-  /bots/{bot_id}/schedule/{id}/logs:
-    get:
-      description: List execution logs for a specific schedule
-      parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Schedule ID
-        in: path
-        name: id
-        required: true
-        type: string
-      - default: 50
-        description: Limit
-        in: query
-        name: limit
-        type: integer
-      - default: 0
-        description: Offset
-        in: query
-        name: offset
-        type: integer
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/schedule.ListLogsResponse'
-        "400":
-          description: Bad Request
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List schedule logs by schedule
+      summary: Update bot details
       tags:
-      - schedule
-  /bots/{bot_id}/schedule/logs:
+      - bots
+  /bots/{id}/channel/{platform}:
     delete:
-      description: Delete all schedule execution logs for a bot
+      description: Remove bot channel configuration
       parameters:
       - description: Bot ID
         in: path
-        name: bot_id
+        name: id
+        required: true
+        type: string
+      - description: Channel platform
+        in: path
+        name: platform
         required: true
         type: string
       responses:
@@ -5963,64 +7233,35 @@ paths:
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete schedule logs
+      summary: Delete bot channel config
       tags:
-      - schedule
+      - bots
     get:
-      description: List schedule execution logs for a bot
+      description: Get bot channel configuration
       parameters:
       - description: Bot ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - default: 50
-        description: Limit
-        in: query
-        name: limit
-        type: integer
-      - default: 0
-        description: Offset
-        in: query
-        name: offset
-        type: integer
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/schedule.ListLogsResponse'
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List schedule logs
-      tags:
-      - schedule
-  /bots/{bot_id}/sessions:
-    get:
-      parameters:
-      - description: Bot ID
+      - description: Channel platform
         in: path
-        name: bot_id
+        name: platform
         required: true
         type: string
       responses:
         "200":
           description: OK
           schema:
-            additionalProperties:
-              items:
-                $ref: '#/definitions/session.Session'
-              type: array
-            type: object
+            $ref: '#/definitions/channel.ChannelConfig'
         "400":
           description: Bad Request
           schema:
@@ -6029,27 +7270,41 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List bot sessions
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get bot channel config
       tags:
-      - sessions
-    post:
+      - bots
+    put:
+      description: Update bot channel configuration
       parameters:
       - description: Bot ID
         in: path
-        name: bot_id
+        name: id
+        required: true
+        type: string
+      - description: Channel platform
+        in: path
+        name: platform
         required: true
         type: string
-      - description: Session data
+      - description: Channel config payload
         in: body
-        name: body
+        name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.createSessionRequest'
+          $ref: '#/definitions/channel.UpsertConfigRequest'
       responses:
-        "201":
-          description: Created
+        "200":
+          description: OK
           schema:
-            $ref: '#/definitions/session.Session'
+            $ref: '#/definitions/channel.ChannelConfig'
         "400":
           description: Bad Request
           schema:
@@ -6058,25 +7313,44 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create a new chat session
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Update bot channel config
       tags:
-      - sessions
-  /bots/{bot_id}/sessions/{session_id}:
-    delete:
+      - bots
+  /bots/{id}/channel/{platform}/send:
+    post:
+      description: Send a message using bot channel configuration
       parameters:
       - description: Bot ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Session ID
+      - description: Channel platform
         in: path
-        name: session_id
+        name: platform
         required: true
         type: string
+      - description: Send payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/channel.SendRequest'
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            additionalProperties:
+              type: string
+            type: object
         "400":
           description: Bad Request
           schema:
@@ -6085,64 +7359,88 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Soft-delete a session
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Send message via bot channel
       tags:
-      - sessions
-    get:
+      - bots
+  /bots/{id}/channel/{platform}/send_chat:
+    post:
+      description: Send a message using a session-scoped token (reply only)
       parameters:
       - description: Bot ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Session ID
+      - description: Channel platform
         in: path
-        name: session_id
+        name: platform
         required: true
         type: string
+      - description: Send payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/channel.SendRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/session.Session'
+            additionalProperties:
+              type: string
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "403":
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "500":
+          description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get a session by ID
+      summary: Send message via bot channel session token
       tags:
-      - sessions
+      - bots
+  /bots/{id}/channel/{platform}/status:
     patch:
+      description: Update bot channel enabled/disabled status
       parameters:
       - description: Bot ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Session ID
+      - description: Channel platform
         in: path
-        name: session_id
+        name: platform
         required: true
         type: string
-      - description: Fields to update
+      - description: Channel status payload
         in: body
-        name: body
+        name: payload
         required: true
         schema:
-          $ref: '#/definitions/handlers.updateSessionRequest'
+          $ref: '#/definitions/channel.UpdateChannelStatusRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/session.Session'
+            $ref: '#/definitions/channel.ChannelConfig'
         "400":
           description: Bad Request
           schema:
@@ -6155,63 +7453,66 @@ paths:
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update a session
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Update bot channel status
       tags:
-      - sessions
-  /bots/{bot_id}/sessions/{session_id}/compact:
-    post:
-      description: Run context compaction synchronously for a session
+      - bots
+  /bots/{id}/checks:
+    get:
+      description: Evaluate bot attached resource checks in runtime
       parameters:
       - description: Bot ID
         in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Session ID
-        in: path
-        name: session_id
+        name: id
         required: true
         type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.TriggerCompactResponse'
+            $ref: '#/definitions/bots.ListChecksResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Trigger immediate context compaction
+      summary: List bot runtime checks
       tags:
-      - compaction
-  /bots/{bot_id}/sessions/{session_id}/status:
-    get:
-      description: Get aggregated info for a chat session including message count,
-        context usage, cache stats, and used skills
+      - bots
+  /bots/{id}/owner:
+    put:
+      description: Transfer bot ownership to another human user
       parameters:
       - description: Bot ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Session ID
-        in: path
-        name: session_id
+      - description: Transfer payload
+        in: body
+        name: payload
         required: true
-        type: string
-      - description: Optional model UUID override for context window
-        in: query
-        name: model_id
-        type: string
+        schema:
+          $ref: '#/definitions/bots.TransferBotRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.SessionInfoResponse'
+            $ref: '#/definitions/bots.Bot'
         "400":
           description: Bad Request
           schema:
@@ -6220,62 +7521,54 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get session info
-      tags:
-      - sessions
-  /bots/{bot_id}/settings:
-    delete:
-      description: Remove agent settings for current user
-      responses:
-        "204":
-          description: No Content
-        "400":
-          description: Bad Request
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete user settings
+      summary: Transfer bot owner (system admin only)
       tags:
-      - settings
+      - bots
+  /browser-contexts:
     get:
-      description: Get agent settings for current user
+      description: List all browser context configurations
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/settings.Settings'
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
+            items:
+              $ref: '#/definitions/browsercontexts.BrowserContext'
+            type: array
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get user settings
+      summary: List browser contexts
       tags:
-      - settings
+      - browser-contexts
     post:
-      description: Update or create agent settings for current user
+      consumes:
+      - application/json
+      description: Create a browser context configuration
       parameters:
-      - description: Settings payload
+      - description: Browser context configuration
         in: body
-        name: payload
+        name: request
         required: true
         schema:
-          $ref: '#/definitions/settings.UpsertRequest'
+          $ref: '#/definitions/browsercontexts.CreateRequest'
+      produces:
+      - application/json
       responses:
-        "200":
-          description: OK
+        "201":
+          description: Created
           schema:
-            $ref: '#/definitions/settings.Settings'
+            $ref: '#/definitions/browsercontexts.BrowserContext'
         "400":
           description: Bad Request
           schema:
@@ -6284,23 +7577,21 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update user settings
+      summary: Create a browser context
       tags:
-      - settings
-    put:
-      description: Update or create agent settings for current user
+      - browser-contexts
+  /browser-contexts/{id}:
+    delete:
+      description: Delete browser context by ID
       parameters:
-      - description: Settings payload
-        in: body
-        name: payload
+      - description: Browser Context ID
+        in: path
+        name: id
         required: true
-        schema:
-          $ref: '#/definitions/settings.UpsertRequest'
+        type: string
       responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/settings.Settings'
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
@@ -6309,28 +7600,24 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update user settings
+      summary: Delete a browser context
       tags:
-      - settings
-  /bots/{bot_id}/supermarket/install-mcp:
-    post:
+      - browser-contexts
+    get:
+      description: Get browser context by ID
       parameters:
-      - description: Bot ID
+      - description: Browser Context ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Install MCP request
-        in: body
-        name: payload
-        required: true
-        schema:
-          $ref: '#/definitions/handlers.InstallMcpRequest'
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/github_com_memohai_memoh_internal_mcp.Connection'
+            $ref: '#/definitions/browsercontexts.BrowserContext'
         "400":
           description: Bad Request
           schema:
@@ -6339,292 +7626,215 @@ paths:
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "502":
-          description: Bad Gateway
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Install MCP from supermarket to bot
+      summary: Get a browser context
       tags:
-      - supermarket
-  /bots/{bot_id}/supermarket/install-skill:
-    post:
+      - browser-contexts
+    put:
+      consumes:
+      - application/json
+      description: Update browser context by ID
       parameters:
-      - description: Bot ID
+      - description: Browser Context ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Install skill request
+      - description: Updated configuration
         in: body
-        name: payload
+        name: request
         required: true
         schema:
-          $ref: '#/definitions/handlers.InstallSkillRequest'
+          $ref: '#/definitions/browsercontexts.UpdateRequest'
+      produces:
+      - application/json
       responses:
         "200":
           description: OK
           schema:
-            additionalProperties:
-              type: boolean
-            type: object
+            $ref: '#/definitions/browsercontexts.BrowserContext'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "500":
+          description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Update a browser context
+      tags:
+      - browser-contexts
+  /browser-contexts/cores:
+    get:
+      description: Get the list of browser cores available in the Browser Gateway
+        container
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.BrowserCoresResponse'
         "502":
           description: Bad Gateway
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Install skill from supermarket to bot container
+      summary: Get available browser cores
       tags:
-      - supermarket
-  /bots/{bot_id}/token-usage:
+      - browser-contexts
+  /channels:
     get:
-      description: Get daily aggregated token usage for a bot, split by chat, heartbeat,
-        and schedule session types, with optional model filter and per-model breakdown
+      description: List channel meta information including capabilities and schemas
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              $ref: '#/definitions/handlers.ChannelMeta'
+            type: array
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: List channel capabilities and schemas
+      tags:
+      - channel
+  /channels/{platform}:
+    get:
+      description: Get channel meta information including capabilities and schemas
       parameters:
-      - description: Bot ID
+      - description: Channel platform
         in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Start date (YYYY-MM-DD)
-        in: query
-        name: from
-        required: true
-        type: string
-      - description: End date exclusive (YYYY-MM-DD)
-        in: query
-        name: to
+        name: platform
         required: true
         type: string
-      - description: Optional model UUID to filter by
-        in: query
-        name: model_id
-        type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.TokenUsageResponse'
+            $ref: '#/definitions/handlers.ChannelMeta'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "404":
+          description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get token usage statistics
+      summary: Get channel capabilities and schemas
       tags:
-      - token-usage
-  /bots/{bot_id}/token-usage/records:
+      - channel
+  /email-providers:
     get:
-      description: Paginated list of individual LLM call records (assistant messages
-        with usage) for a bot, with optional model and session type filters
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Start date (YYYY-MM-DD)
-        in: query
-        name: from
-        required: true
-        type: string
-      - description: End date exclusive (YYYY-MM-DD)
-        in: query
-        name: to
-        required: true
-        type: string
-      - description: Optional model UUID to filter by
-        in: query
-        name: model_id
-        type: string
-      - description: 'Optional session type: chat, heartbeat, or schedule'
+      - description: Provider type filter
         in: query
-        name: session_type
+        name: provider
         type: string
-      - description: Page size (default 20, max 100)
-        in: query
-        name: limit
-        type: integer
-      - default: 0
-        description: Offset
-        in: query
-        name: offset
-        type: integer
       produces:
       - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.TokenUsageRecordsResponse'
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
+            items:
+              $ref: '#/definitions/email.ProviderResponse'
+            type: array
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List per-call token usage records
+      summary: List email providers
       tags:
-      - token-usage
-  /bots/{bot_id}/tool-approvals/{approval_id}/approve:
+      - email-providers
     post:
+      consumes:
+      - application/json
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Approval ID
-        in: path
-        name: approval_id
-        required: true
-        type: string
-      - description: Approval payload
+      - description: Email provider configuration
         in: body
-        name: payload
+        name: request
+        required: true
         schema:
-          $ref: '#/definitions/handlers.ToolApprovalDecisionRequest'
+          $ref: '#/definitions/email.CreateProviderRequest'
+      produces:
+      - application/json
       responses:
-        "200":
-          description: OK
+        "201":
+          description: Created
           schema:
-            additionalProperties:
-              type: string
-            type: object
+            $ref: '#/definitions/email.ProviderResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Approve a pending tool call
+      summary: Create an email provider
       tags:
-      - tool-approvals
-  /bots/{bot_id}/tool-approvals/{approval_id}/reject:
-    post:
+      - email-providers
+  /email-providers/{id}:
+    delete:
       parameters:
-      - description: Bot ID
-        in: path
-        name: bot_id
-        required: true
-        type: string
-      - description: Approval ID
+      - description: Provider ID
         in: path
-        name: approval_id
+        name: id
         required: true
         type: string
-      - description: Rejection payload
-        in: body
-        name: payload
-        schema:
-          $ref: '#/definitions/handlers.ToolApprovalDecisionRequest'
       responses:
-        "200":
-          description: OK
-          schema:
-            additionalProperties:
-              type: string
-            type: object
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
+        "204":
+          description: No Content
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Reject a pending tool call
+      summary: Delete an email provider
       tags:
-      - tool-approvals
-  /bots/{bot_id}/tools:
-    post:
-      description: MCP endpoint for tool discovery and invocation.
+      - email-providers
+    get:
       parameters:
-      - description: Bot ID
+      - description: Provider ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: JSON-RPC request
-        in: body
-        name: payload
-        required: true
-        schema:
-          type: object
+      produces:
+      - application/json
       responses:
         "200":
-          description: 'JSON-RPC response: {jsonrpc,id,result|error}'
-          schema:
-            type: object
-        "400":
-          description: Bad Request
+          description: OK
           schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
+            $ref: '#/definitions/email.ProviderResponse'
         "404":
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Unified MCP tools gateway
+      summary: Get an email provider
       tags:
-      - containerd
-  /bots/{bot_id}/tts/synthesize:
-    post:
+      - email-providers
+    put:
       consumes:
       - application/json
-      description: Stream-synthesize text using the bot's configured TTS model, write
-        to temp file
       parameters:
-      - description: Bot ID
+      - description: Provider ID
         in: path
-        name: bot_id
+        name: id
         required: true
         type: string
-      - description: Text to synthesize
+      - description: Updated configuration
         in: body
         name: request
         required: true
         schema:
-          $ref: '#/definitions/handlers.synthesizeRequest'
+          $ref: '#/definitions/email.UpdateProviderRequest'
       produces:
       - application/json
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.synthesizeResponse'
+            $ref: '#/definitions/email.ProviderResponse'
         "400":
           description: Bad Request
           schema:
@@ -6633,21 +7843,21 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Synthesize speech for a bot
+      summary: Update an email provider
       tags:
-      - bots
-  /bots/{id}:
-    delete:
-      description: Delete a bot user (owner/admin only)
+      - email-providers
+  /email-providers/{id}/oauth/authorize:
+    get:
+      description: Returns the authorization URL to redirect the user to
       parameters:
-      - description: Bot ID
+      - description: Email provider ID
         in: path
         name: id
         required: true
         type: string
       responses:
-        "202":
-          description: Accepted
+        "200":
+          description: OK
           schema:
             additionalProperties:
               type: string
@@ -6656,25 +7866,17 @@ paths:
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete bot
+      summary: Start OAuth2 authorization for an email provider
       tags:
-      - bots
+      - email-oauth
+  /email-providers/{id}/oauth/status:
     get:
-      description: Get a bot by ID (owner/admin only)
       parameters:
-      - description: Bot ID
+      - description: Email provider ID
         in: path
         name: id
         required: true
@@ -6683,45 +7885,69 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/bots.Bot'
+            $ref: '#/definitions/handlers.emailOAuthStatusResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      summary: Get OAuth2 status for an email provider
+      tags:
+      - email-oauth
+  /email-providers/{id}/oauth/token:
+    delete:
+      parameters:
+      - description: Email provider ID
+        in: path
+        name: id
+        required: true
+        type: string
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "404":
           description: Not Found
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+      summary: Revoke stored OAuth2 tokens for an email provider
+      tags:
+      - email-oauth
+  /email-providers/meta:
+    get:
+      description: List available email provider types and config schemas
+      responses:
+        "200":
+          description: OK
           schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get bot details
+            items:
+              $ref: '#/definitions/email.ProviderMeta'
+            type: array
+      summary: List email provider metadata
       tags:
-      - bots
-    put:
-      description: Update bot profile (owner/admin only)
+      - email-providers
+  /email/mailgun/webhook/{config_id}:
+    post:
+      description: Receives inbound emails from Mailgun
       parameters:
-      - description: Bot ID
+      - description: Email provider config ID
         in: path
-        name: id
+        name: config_id
         required: true
         type: string
-      - description: Bot update payload
-        in: body
-        name: payload
-        required: true
-        schema:
-          $ref: '#/definitions/bots.UpdateBotRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/bots.Bot'
+            additionalProperties:
+              type: string
+            type: object
         "400":
           description: Bad Request
           schema:
@@ -6730,202 +7956,196 @@ paths:
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update bot details
+      summary: Mailgun inbound email webhook
       tags:
-      - bots
-  /bots/{id}/channel/{platform}:
-    delete:
-      description: Remove bot channel configuration
+      - email-webhook
+  /email/oauth/callback:
+    get:
+      description: Handles the OAuth2 callback, exchanges the code for tokens
       parameters:
-      - description: Bot ID
-        in: path
-        name: id
+      - description: Authorization code
+        in: query
+        name: code
         required: true
         type: string
-      - description: Channel platform
-        in: path
-        name: platform
+      - description: State parameter
+        in: query
+        name: state
         required: true
         type: string
       responses:
-        "204":
-          description: No Content
+        "200":
+          description: OK
+          schema:
+            additionalProperties:
+              type: string
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete bot channel config
+      summary: OAuth2 callback for email providers
       tags:
-      - bots
+      - email-oauth
+  /iam/bots/{bot_id}/principal-roles:
     get:
-      description: Get bot channel configuration
+      description: List user and group role assignments for a bot
       parameters:
       - description: Bot ID
         in: path
-        name: id
-        required: true
-        type: string
-      - description: Channel platform
-        in: path
-        name: platform
+        name: bot_id
         required: true
         type: string
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/channel.ChannelConfig'
+            $ref: '#/definitions/handlers.IAMListPrincipalRolesResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get bot channel config
+      security:
+      - BearerAuth: []
+      summary: List bot role assignments
       tags:
-      - bots
-    put:
-      description: Update bot channel configuration
+      - iam
+    post:
+      description: Assign a bot-scoped role to a user or group
       parameters:
       - description: Bot ID
         in: path
-        name: id
-        required: true
-        type: string
-      - description: Channel platform
-        in: path
-        name: platform
+        name: bot_id
         required: true
         type: string
-      - description: Channel config payload
+      - description: Principal role payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/channel.UpsertConfigRequest'
+          $ref: '#/definitions/handlers.IAMPrincipalRoleRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/channel.ChannelConfig'
+            additionalProperties:
+              type: string
+            type: object
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "403":
           description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      security:
+      - BearerAuth: []
+      summary: Assign bot role
+      tags:
+      - iam
+  /iam/groups:
+    get:
+      description: List IAM groups
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/handlers.IAMListGroupsResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update bot channel config
+      security:
+      - BearerAuth: []
+      summary: List IAM groups
       tags:
-      - bots
-  /bots/{id}/channel/{platform}/send:
+      - iam
     post:
-      description: Send a message using bot channel configuration
-      parameters:
-      - description: Bot ID
-        in: path
-        name: id
-        required: true
-        type: string
-      - description: Channel platform
-        in: path
-        name: platform
-        required: true
-        type: string
-      - description: Send payload
+      description: Create or update an IAM group
+      parameters:
+      - description: Group payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/channel.SendRequest'
+          $ref: '#/definitions/handlers.IAMGroupRequest'
       responses:
         "200":
           description: OK
           schema:
-            additionalProperties:
-              type: string
-            type: object
+            $ref: '#/definitions/handlers.IAMGroupResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Send message via bot channel
+      security:
+      - BearerAuth: []
+      summary: Upsert IAM group
       tags:
-      - bots
-  /bots/{id}/channel/{platform}/send_chat:
-    post:
-      description: Send a message using a session-scoped token (reply only)
+      - iam
+  /iam/groups/{id}:
+    delete:
+      description: Delete an IAM group
       parameters:
-      - description: Bot ID
+      - description: Group ID
         in: path
         name: id
         required: true
         type: string
-      - description: Channel platform
-        in: path
-        name: platform
-        required: true
-        type: string
-      - description: Send payload
-        in: body
-        name: payload
-        required: true
-        schema:
-          $ref: '#/definitions/channel.SendRequest'
       responses:
-        "200":
-          description: OK
-          schema:
-            additionalProperties:
-              type: string
-            type: object
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
@@ -6942,58 +8162,55 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Send message via bot channel session token
+      security:
+      - BearerAuth: []
+      summary: Delete IAM group
       tags:
-      - bots
-  /bots/{id}/channel/{platform}/status:
-    patch:
-      description: Update bot channel enabled/disabled status
+      - iam
+    put:
+      description: Create or update an IAM group
       parameters:
-      - description: Bot ID
+      - description: Group ID
         in: path
         name: id
-        required: true
-        type: string
-      - description: Channel platform
-        in: path
-        name: platform
-        required: true
         type: string
-      - description: Channel status payload
+      - description: Group payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/channel.UpdateChannelStatusRequest'
+          $ref: '#/definitions/handlers.IAMGroupRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/channel.ChannelConfig'
+            $ref: '#/definitions/handlers.IAMGroupResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update bot channel status
+      security:
+      - BearerAuth: []
+      summary: Upsert IAM group
       tags:
-      - bots
-  /bots/{id}/checks:
+      - iam
+  /iam/groups/{id}/members:
     get:
-      description: Evaluate bot attached resource checks in runtime
+      description: List members of an IAM group
       parameters:
-      - description: Bot ID
+      - description: Group ID
         in: path
         name: id
         required: true
@@ -7002,122 +8219,84 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/bots.ListChecksResponse'
+            $ref: '#/definitions/handlers.IAMListGroupMembersResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List bot runtime checks
+      security:
+      - BearerAuth: []
+      summary: List IAM group members
       tags:
-      - bots
-  /bots/{id}/owner:
-    put:
-      description: Transfer bot ownership to another human user
+      - iam
+    post:
+      description: Add a user to an IAM group
       parameters:
-      - description: Bot ID
+      - description: Group ID
         in: path
         name: id
         required: true
         type: string
-      - description: Transfer payload
+      - description: Group member payload
         in: body
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/bots.TransferBotRequest'
+          $ref: '#/definitions/handlers.IAMGroupMemberRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/bots.Bot'
+            additionalProperties:
+              type: string
+            type: object
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "403":
-          description: Forbidden
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Transfer bot owner (admin only)
-      tags:
-      - bots
-  /browser-contexts:
-    get:
-      description: List all browser context configurations
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/browsercontexts.BrowserContext'
-            type: array
-        "500":
-          description: Internal Server Error
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List browser contexts
-      tags:
-      - browser-contexts
-    post:
-      consumes:
-      - application/json
-      description: Create a browser context configuration
-      parameters:
-      - description: Browser context configuration
-        in: body
-        name: request
-        required: true
-        schema:
-          $ref: '#/definitions/browsercontexts.CreateRequest'
-      produces:
-      - application/json
-      responses:
-        "201":
-          description: Created
-          schema:
-            $ref: '#/definitions/browsercontexts.BrowserContext'
-        "400":
-          description: Bad Request
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create a browser context
+      security:
+      - BearerAuth: []
+      summary: Add IAM group member
       tags:
-      - browser-contexts
-  /browser-contexts/{id}:
+      - iam
+  /iam/groups/{id}/members/{user_id}:
     delete:
-      description: Delete browser context by ID
+      description: Remove a user from an IAM group
       parameters:
-      - description: Browser Context ID
+      - description: Group ID
         in: path
         name: id
         required: true
         type: string
+      - description: User ID
+        in: path
+        name: user_id
+        required: true
+        type: string
       responses:
         "204":
           description: No Content
@@ -7125,188 +8304,150 @@ paths:
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete a browser context
-      tags:
-      - browser-contexts
-    get:
-      description: Get browser context by ID
-      parameters:
-      - description: Browser Context ID
-        in: path
-        name: id
-        required: true
-        type: string
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/browsercontexts.BrowserContext'
-        "400":
-          description: Bad Request
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "500":
+          description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get a browser context
+      security:
+      - BearerAuth: []
+      summary: Delete IAM group member
       tags:
-      - browser-contexts
-    put:
-      consumes:
-      - application/json
-      description: Update browser context by ID
+      - iam
+  /iam/principal-roles/{id}:
+    delete:
+      description: Delete a user or group role assignment
       parameters:
-      - description: Browser Context ID
+      - description: Principal role assignment ID
         in: path
         name: id
         required: true
         type: string
-      - description: Updated configuration
-        in: body
-        name: request
-        required: true
-        schema:
-          $ref: '#/definitions/browsercontexts.UpdateRequest'
-      produces:
-      - application/json
       responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/browsercontexts.BrowserContext'
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update a browser context
-      tags:
-      - browser-contexts
-  /browser-contexts/cores:
-    get:
-      description: Get the list of browser cores available in the Browser Gateway
-        container
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/handlers.BrowserCoresResponse'
-        "502":
-          description: Bad Gateway
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get available browser cores
-      tags:
-      - browser-contexts
-  /channels:
-    get:
-      description: List channel meta information including capabilities and schemas
-      responses:
-        "200":
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/handlers.ChannelMeta'
-            type: array
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List channel capabilities and schemas
+      security:
+      - BearerAuth: []
+      summary: Delete role assignment
       tags:
-      - channel
-  /channels/{platform}:
+      - iam
+  /iam/roles:
     get:
-      description: Get channel meta information including capabilities and schemas
-      parameters:
-      - description: Channel platform
-        in: path
-        name: platform
-        required: true
-        type: string
+      description: List built-in IAM roles
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.ChannelMeta'
-        "400":
-          description: Bad Request
+            $ref: '#/definitions/handlers.IAMListRolesResponse'
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get channel capabilities and schemas
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      security:
+      - BearerAuth: []
+      summary: List IAM roles
       tags:
-      - channel
-  /email-providers:
+      - iam
+  /iam/sso/providers:
     get:
-      parameters:
-      - description: Provider type filter
-        in: query
-        name: provider
-        type: string
-      produces:
-      - application/json
+      description: List all IAM SSO providers for administration
       responses:
         "200":
           description: OK
           schema:
-            items:
-              $ref: '#/definitions/email.ProviderResponse'
-            type: array
+            $ref: '#/definitions/handlers.IAMListSSOProvidersResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: List email providers
+      security:
+      - BearerAuth: []
+      summary: List IAM SSO providers
       tags:
-      - email-providers
+      - iam
     post:
-      consumes:
-      - application/json
+      description: Create or update an IAM SSO provider
       parameters:
-      - description: Email provider configuration
+      - description: SSO provider ID
+        in: path
+        name: id
+        type: string
+      - description: SSO provider payload
         in: body
-        name: request
+        name: payload
         required: true
         schema:
-          $ref: '#/definitions/email.CreateProviderRequest'
-      produces:
-      - application/json
+          $ref: '#/definitions/handlers.IAMSSOProviderRequest'
       responses:
-        "201":
-          description: Created
+        "200":
+          description: OK
           schema:
-            $ref: '#/definitions/email.ProviderResponse'
+            $ref: '#/definitions/handlers.IAMSSOProviderResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Create an email provider
+      security:
+      - BearerAuth: []
+      summary: Upsert IAM SSO provider
       tags:
-      - email-providers
-  /email-providers/{id}:
+      - iam
+  /iam/sso/providers/{id}:
     delete:
+      description: Delete an IAM SSO provider
       parameters:
-      - description: Provider ID
+      - description: SSO provider ID
         in: path
         name: id
         required: true
@@ -7314,98 +8455,71 @@ paths:
       responses:
         "204":
           description: No Content
-        "500":
-          description: Internal Server Error
+        "400":
+          description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Delete an email provider
-      tags:
-      - email-providers
-    get:
-      parameters:
-      - description: Provider ID
-        in: path
-        name: id
-        required: true
-        type: string
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
+        "401":
+          description: Unauthorized
           schema:
-            $ref: '#/definitions/email.ProviderResponse'
-        "404":
-          description: Not Found
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get an email provider
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+      security:
+      - BearerAuth: []
+      summary: Delete IAM SSO provider
       tags:
-      - email-providers
+      - iam
     put:
-      consumes:
-      - application/json
+      description: Create or update an IAM SSO provider
       parameters:
-      - description: Provider ID
+      - description: SSO provider ID
         in: path
         name: id
-        required: true
         type: string
-      - description: Updated configuration
+      - description: SSO provider payload
         in: body
-        name: request
+        name: payload
         required: true
         schema:
-          $ref: '#/definitions/email.UpdateProviderRequest'
-      produces:
-      - application/json
+          $ref: '#/definitions/handlers.IAMSSOProviderRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/email.ProviderResponse'
+            $ref: '#/definitions/handlers.IAMSSOProviderResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "500":
-          description: Internal Server Error
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Update an email provider
-      tags:
-      - email-providers
-  /email-providers/{id}/oauth/authorize:
-    get:
-      description: Returns the authorization URL to redirect the user to
-      parameters:
-      - description: Email provider ID
-        in: path
-        name: id
-        required: true
-        type: string
-      responses:
-        "200":
-          description: OK
-          schema:
-            additionalProperties:
-              type: string
-            type: object
-        "400":
-          description: Bad Request
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "500":
+          description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Start OAuth2 authorization for an email provider
+      security:
+      - BearerAuth: []
+      summary: Upsert IAM SSO provider
       tags:
-      - email-oauth
-  /email-providers/{id}/oauth/status:
+      - iam
+  /iam/sso/providers/{id}/group-mappings:
     get:
+      description: List external group to IAM group mappings for an SSO provider
       parameters:
-      - description: Email provider ID
+      - description: SSO provider ID
         in: path
         name: id
         required: true
@@ -7414,62 +8528,42 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/handlers.emailOAuthStatusResponse'
+            $ref: '#/definitions/handlers.IAMListSSOGroupMappingsResponse'
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "401":
+          description: Unauthorized
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Get OAuth2 status for an email provider
-      tags:
-      - email-oauth
-  /email-providers/{id}/oauth/token:
-    delete:
-      parameters:
-      - description: Email provider ID
-        in: path
-        name: id
-        required: true
-        type: string
-      responses:
-        "204":
-          description: No Content
-        "400":
-          description: Bad Request
+        "403":
+          description: Forbidden
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-        "404":
-          description: Not Found
+        "500":
+          description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Revoke stored OAuth2 tokens for an email provider
-      tags:
-      - email-oauth
-  /email-providers/meta:
-    get:
-      description: List available email provider types and config schemas
-      responses:
-        "200":
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/email.ProviderMeta'
-            type: array
-      summary: List email provider metadata
+      security:
+      - BearerAuth: []
+      summary: List SSO group mappings
       tags:
-      - email-providers
-  /email/mailgun/webhook/{config_id}:
+      - iam
     post:
-      description: Receives inbound emails from Mailgun
+      description: Create or update an external group to IAM group mapping
       parameters:
-      - description: Email provider config ID
+      - description: SSO provider ID
         in: path
-        name: config_id
+        name: id
         required: true
         type: string
+      - description: SSO group mapping payload
+        in: body
+        name: payload
+        required: true
+        schema:
+          $ref: '#/definitions/handlers.IAMSSOGroupMappingRequest'
       responses:
         "200":
           description: OK
@@ -7481,6 +8575,10 @@ paths:
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "403":
           description: Forbidden
           schema:
@@ -7489,41 +8587,49 @@ paths:
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: Mailgun inbound email webhook
+      security:
+      - BearerAuth: []
+      summary: Upsert SSO group mapping
       tags:
-      - email-webhook
-  /email/oauth/callback:
-    get:
-      description: Handles the OAuth2 callback, exchanges the code for tokens
+      - iam
+  /iam/sso/providers/{id}/group-mappings/{external_group}:
+    delete:
+      description: Delete an external group mapping from an SSO provider
       parameters:
-      - description: Authorization code
-        in: query
-        name: code
+      - description: SSO provider ID
+        in: path
+        name: id
         required: true
         type: string
-      - description: State parameter
-        in: query
-        name: state
+      - description: External group
+        in: path
+        name: external_group
         required: true
         type: string
       responses:
-        "200":
-          description: OK
-          schema:
-            additionalProperties:
-              type: string
-            type: object
+        "204":
+          description: No Content
         "400":
           description: Bad Request
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
+        "403":
+          description: Forbidden
+          schema:
+            $ref: '#/definitions/handlers.ErrorResponse'
         "500":
           description: Internal Server Error
           schema:
             $ref: '#/definitions/handlers.ErrorResponse'
-      summary: OAuth2 callback for email providers
+      security:
+      - BearerAuth: []
+      summary: Delete SSO group mapping
       tags:
-      - email-oauth
+      - iam
   /memory-providers:
     get:
       description: List configured memory providers
@@ -9234,7 +10340,7 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/accounts.ListAccountsResponse'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.ListAccountsResponse'
         "400":
           description: Bad Request
           schema:
@@ -9258,12 +10364,12 @@ paths:
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/accounts.CreateAccountRequest'
+          $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.CreateAccountRequest'
       responses:
         "201":
           description: Created
           schema:
-            $ref: '#/definitions/accounts.Account'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.Account'
         "400":
           description: Bad Request
           schema:
@@ -9292,7 +10398,7 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/accounts.Account'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.Account'
         "400":
           description: Bad Request
           schema:
@@ -9325,12 +10431,12 @@ paths:
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/accounts.UpdateAccountRequest'
+          $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.UpdateAccountRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/accounts.Account'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.Account'
         "400":
           description: Bad Request
           schema:
@@ -9364,7 +10470,7 @@ paths:
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/accounts.ResetPasswordRequest'
+          $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.ResetPasswordRequest'
       responses:
         "204":
           description: No Content
@@ -9394,7 +10500,7 @@ paths:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/accounts.Account'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.Account'
         "400":
           description: Bad Request
           schema:
@@ -9414,12 +10520,12 @@ paths:
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/accounts.UpdateProfileRequest'
+          $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.UpdateProfileRequest'
       responses:
         "200":
           description: OK
           schema:
-            $ref: '#/definitions/accounts.Account'
+            $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.Account'
         "400":
           description: Bad Request
           schema:
@@ -9522,7 +10628,7 @@ paths:
         name: payload
         required: true
         schema:
-          $ref: '#/definitions/accounts.UpdatePasswordRequest'
+          $ref: '#/definitions/github_com_memohai_memoh_internal_accounts.UpdatePasswordRequest'
       responses:
         "204":
           description: No Content

From 3c74419b34a149b15a7ab707a8a9b9ba7f4f8bc5 Mon Sep 17 00:00:00 2001
From: StringKE <stringke.me@gmail.com>
Date: Sat, 2 May 2026 20:29:06 +0400
Subject: [PATCH 2/2] test(command): fix permission resolver race

---
 internal/command/handler_test.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/command/handler_test.go b/internal/command/handler_test.go
index e237c2e4a..5ab30a144 100644
--- a/internal/command/handler_test.go
+++ b/internal/command/handler_test.go
@@ -3,6 +3,7 @@ package command
 import (
 	"context"
 	"strings"
+	"sync"
 	"testing"
 
 	"github.com/jackc/pgx/v5"
@@ -18,12 +19,15 @@ import (
 // --- fake services ---
 
 type fakePermissionResolver struct {
+	mu      sync.Mutex
 	allowed bool
 	err     error
 	checks  []rbac.PermissionKey
 }
 
 func (f *fakePermissionResolver) HasBotPermission(_ context.Context, _, _ string, permission rbac.PermissionKey) (bool, error) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
 	f.checks = append(f.checks, permission)
 	return f.allowed, f.err
 }