fix: fix build error

Signed-off-by: allanice001 <allanice001@gmail.com>
fix: bg jobs sequencing
2026-02-13 21:00:06 +01:00 · 2025-12-10 14:19:10 +00:00 · 2025-12-10 13:25:12 +00:00 · 2025-12-10 12:35:10 +00:00 · 2025-12-10 12:34:11 +00:00 · 2025-12-10 11:38:00 +00:00
318 changed files with 49006 additions and 6365 deletions
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -33,7 +33,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
@@ -63,7 +63,7 @@ jobs:
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
--- a/.semgrep.yml
+++ b/.semgrep.yml
@@ -0,0 +1,100 @@
+# AutoGlue Semgrep configuration
+# Use with: opengrep scan --config .semgrep.yml .
+
+rules:
+
+  #
+  # 1. Suppress known benign “direct write to ResponseWriter” warnings
+  #
+  - id: autoglue.ignore.direct-write-static
+    message: Ignore direct writes for static or binary responses
+    languages: [go]
+    severity: INFO
+    metadata:
+      category: suppression
+      project: autoglue
+    patterns:
+      - pattern: |
+          _, _ = $W.Write($DATA)
+    pattern-inside: |
+      func $F($X...) {
+        ...
+      }
+    paths:
+      include:
+        - internal/api/utils.go
+        - internal/handlers/ssh_keys.go
+
+
+  #
+  # 2. Enforce Allowed Origins checking in writePostMessageHTML
+  #
+  - id: autoglue.auth.require-origin-validation
+    message: >
+      writePostMessageHTML must validate `origin` against known allowed origins
+      to prevent token exfiltration via crafted state/redirect parameters.
+    languages: [go]
+    severity: ERROR
+    metadata:
+      category: security
+      project: autoglue
+
+    # Look for the JS snippet inside the Go string literal using a regex.
+    # This is NOT Go code, so we must use pattern-regex, not pattern.
+    pattern-regex: |
+      window\.opener\.postMessage\(\{ type: 'autoglue:auth', payload: data \}, .*?\);
+
+    paths:
+      include:
+        - internal/handlers/auth.go
+
+
+  #
+  # 3. Require httpOnly+Secure cookies for JWT cookies
+  #
+  - id: autoglue.cookies.ensure-secure-jwt
+    message: >
+      JWT cookies must always have a Secure field (true in prod, false only for localhost dev).
+    languages: [go]
+    severity: WARNING
+    metadata:
+      category: security
+      project: autoglue
+
+    patterns:
+      # 1) Find any SetCookie for ag_jwt
+      - pattern: |
+          http.SetCookie($W, &http.Cookie{
+            Name: "ag_jwt",
+            ...
+          })
+      # 2) BUT ignore cases where the Secure field is present
+      - pattern-not: |
+          http.SetCookie($W, &http.Cookie{
+            Name: "ag_jwt",
+            Secure: $SECURE,
+            ...
+          })
+
+    paths:
+      include:
+        - internal/handlers/auth.go
+
+
+  #
+  # 4. Ban path.Clean for user-controlled paths
+  #
+  - id: autoglue.filesystem.no-path-clean
+    message: Use securejoin instead of path.Clean() for file paths.
+    languages: [go]
+    severity: WARNING
+    metadata:
+      category: security
+      project: autoglue
+
+    pattern: |
+      path.Clean($X)
+
+    paths:
+      include:
+        - internal/web/static.go
--- a/4
+++ b/4
@@ -1,7 +1,7 @@
 #################################
 # Builder: Go + Node in one
 #################################
-FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
+FROM golang:1.25.5-alpine@sha256:26111811bc967321e7b6f852e914d14bede324cd1accb7f81811929a6a57fea9 AS builder

 RUN apk add --no-cache \
    bash git ca-certificates tzdata \
@@ -24,7 +24,7 @@ RUN make build
 #################################
 # Runtime
 #################################
-FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412
+FROM alpine:3.23@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375

 RUN apk add --no-cache ca-certificates tzdata postgresql17-client \
 && addgroup -S app && adduser -S app -G app
--- a/17
+++ b/17
@@ -30,6 +30,7 @@ UI_SSG_ROUTES ?= /,/login,/docs,/pricing

 # Go versioning (go.mod uses major.minor; you’re on 1.25.4)
 GO_VERSION   ?= 1.25.4
+SWAG_FLAGS   ?= --v3.1 --outputTypes json,yaml,go

 # SDK / package settings (TypeScript)
 SDK_TS_OUTDIR     ?= sdk/ts
@@ -98,8 +99,8 @@ SDK_PKG_CLEAN       := $(call trim,$(SDK_PKG))
        validate-spec check-tags doctor diff-swagger

 # --- inputs/outputs for swagger (incremental) ---
-DOCS_JSON := docs/swagger.json
-DOCS_YAML := docs/swagger.yaml
+DOCS_JSON := docs/openapi.json
+DOCS_YAML := docs/openapi.yaml
 # Prefer git for speed; fall back to find. Exclude UI dir.
 #GO_SRCS := $(shell (git ls-files '*.go' ':!$(UI_DIR)/**' 2>/dev/null || find . -name '*.go' -not -path './$(UI_DIR)/*' -type f))
 GO_SRCS := $(shell ( \
@@ -111,11 +112,14 @@ GO_SRCS := $(shell ( \
 $(DOCS_JSON) $(DOCS_YAML): $(GO_SRCS)
 	@echo ">> Generating Swagger docs..."
 	@if ! command -v swag >/dev/null 2>&1; then \
-		echo "Installing swag/v2 CLI @v2.0.0-rc4..."; \
-		$(GOINSTALL) github.com/swaggo/swag/v2/cmd/swag@v2.0.0-rc4; \
+		echo "Installing swag/v2 CLI @latest..."; \
+		$(GOINSTALL) github.com/swaggo/swag/v2/cmd/swag@latest; \
 	fi
-	@rm -rf docs/swagger.* docs/docs.go
-	@swag init -g $(MAIN) -o docs
+	@rm -rf docs/openapi.* docs/docs.go
+	@swag fmt --exclude main.go -d .
+	@swag init $(SWAG_FLAGS) -g $(MAIN) -o docs
+	@mv docs/swagger.json $(DOCS_JSON)
+	@mv docs/swagger.yaml $(DOCS_YAML)

 # --- spec validation + tag guard ---
 validate-spec: $(DOCS_JSON) ## Validate docs/swagger.json and pin the core OpenAPI Generator version
@@ -200,6 +204,7 @@ swagger: $(DOCS_JSON) ## Generate Swagger docs if stale
 # --- build ---
 build: prepare ui swagger sdk-all ## Build everything: Go hygiene, UI, Swagger, SDKs, then Go binary
 	@echo ">> Building Go binary: $(BIN)"
+	@$(GOCMD) get github.com/swaggo/swag/v2@v2.0.0-rc4
 	@$(GOCMD) build -trimpath -ldflags "$(LDFLAGS)" -o $(BIN) $(MAIN)

 # Handy: print resolved version metadata
--- a/README.md
+++ b/README.md
@@ -60,6 +60,7 @@ Create your org (http://localhost:8080/me) - you should be redirected here after

 Once you have an org - create a set of api keys for your org:
 They will be in the format of:
+Example values only; these are not real secrets.
 ```text
 Org Key: org_lnJwmyyWH7JC-JgZo5v3Kw
 Org Secret: fqd9yebGMfK6h5HSgWn4sXrwr9xlFbvbIYtNylRElMQ
--- a/atlas.hcl
+++ b/atlas.hcl
@@ -0,0 +1,20 @@
+data "external_schema" "gorm" {
+  program = [
+    "go",
+    "run",
+    "-mod=mod",
+    "ariga.io/atlas-provider-gorm",
+    "load",
+    "--path", "./internal/models",
+    "--dialect", "postgres",
+  ]
+}
+
+env "gorm" {
+  src = data.external_schema.gorm.url
+  dev = "postgres://autoglue:autoglue@localhost:5432/autoglue_dev"
+}
+
+env "gorm-src" {
+  src = data.external_schema.gorm.url
+}
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -115,6 +115,47 @@ var serveCmd = &cobra.Command{
 			if err != nil {
 				log.Printf("failed to enqueue bootstrap_bastion: %v", err)
 			}
+
+			_, err = jobs.Enqueue(
+				context.Background(),
+				uuid.NewString(),
+				"prepare_cluster",
+				bg.ClusterPrepareArgs{IntervalS: 120},
+				archer.WithMaxRetries(3),
+				archer.WithScheduleTime(time.Now().Add(60*time.Second)),
+			)
+			if err != nil {
+				log.Printf("failed to enqueue prepare_cluster: %v", err)
+			}
+
+			_, err = jobs.Enqueue(
+				context.Background(),
+				uuid.NewString(),
+				"cluster_setup",
+				bg.ClusterSetupArgs{
+					IntervalS: 120,
+				},
+				archer.WithMaxRetries(3),
+				archer.WithScheduleTime(time.Now().Add(60*time.Second)),
+			)
+
+			if err != nil {
+				log.Printf("failed to enqueue cluster setup: %v", err)
+			}
+
+			_, err = jobs.Enqueue(
+				context.Background(),
+				uuid.NewString(),
+				"cluster_bootstrap",
+				bg.ClusterBootstrapArgs{
+					IntervalS: 120,
+				},
+				archer.WithMaxRetries(3),
+				archer.WithScheduleTime(time.Now().Add(60*time.Second)),
+			)
+			if err != nil {
+				log.Printf("failed to enqueue cluster bootstrap: %v", err)
+			}
 		}

 		_ = auth.Refresh(rt.DB, rt.Cfg.JWTPrivateEncKey)
@@ -134,7 +175,7 @@ var serveCmd = &cobra.Command{
 				dbURL = cfg.DbURL
 			}

-			studio, err := api.PgwebHandler(
+			studio, err := api.MountDbStudio(
 				dbURL,
 				"db-studio",
 				false,
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,18 +1,4 @@
 services:
-  autoglue:
-    # image: ghcr.io/glueops/autoglue:latest
-    build: .
-    ports:
-      - 8080:8080
-    expose:
-      - 8080
-    env_file: .env
-    environment:
-      AUTOGLUE_DATABASE_DSN: postgres://$DB_USER:$DB_PASSWORD@postgres:5432/$DB_NAME
-      AUTOGLUE_BIND_ADDRESS: 0.0.0.0
-    depends_on:
-      - postgres
-
  postgres:
    build:
      context: postgres
@@ -28,19 +14,6 @@ services:
    volumes:
      - postgres_data:/var/lib/postgresql/data

-  pgweb:
-    image: sosedoff/pgweb@sha256:8f1ed22e10c9da0912169b98b62ddc54930dc39a5ae07b0f1354d2a93d44c6ed
-    restart: always
-    ports:
-      - "8081:8081"
-    links:
-      - postgres:postgres
-    env_file: .env
-    environment:
-      PGWEB_DATABASE_URL: postgres://$DB_USER:$DB_PASSWORD@postgres:5432/$DB_NAME
-    depends_on:
-      - postgres
-
  mailpit:
    image: axllent/mailpit@sha256:e22dce5b36f93c77082e204a3942fb6b283b7896e057458400a4c88344c3df68
    restart: always
--- a/docs/docs.go
+++ b/docs/docs.go
--- a/docs/efs.go
+++ b/docs/efs.go
@@ -2,8 +2,8 @@ package docs

 import _ "embed"

-//go:embed swagger.json
+//go:embed openapi.json
 var SwaggerJSON []byte

-//go:embed swagger.yaml
+//go:embed openapi.yaml
 var SwaggerYAML []byte
--- a/docs/openapi.json
+++ b/docs/openapi.json
--- a/docs/openapi.yaml
+++ b/docs/openapi.yaml
--- a/docs/swagger.json
+++ b/docs/swagger.json
--- a/docs/swagger.yaml
+++ b/docs/swagger.yaml
--- a/go.mod
+++ b/go.mod
@@ -4,13 +4,14 @@ go 1.25.4

 require (
 	github.com/alexedwards/argon2id v1.0.0
-	github.com/aws/aws-sdk-go-v2 v1.39.6
-	github.com/aws/aws-sdk-go-v2/config v1.31.18
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.22
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.59.4
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0
-	github.com/coreos/go-oidc/v3 v3.16.0
-	github.com/dyaksa/archer v1.1.3
+	github.com/aws/aws-sdk-go-v2 v1.41.0
+	github.com/aws/aws-sdk-go-v2/config v1.32.5
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.5
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.0
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2
+	github.com/coreos/go-oidc/v3 v3.17.0
+	github.com/dyaksa/archer v1.1.5
+	github.com/fergusstrange/embedded-postgres v1.33.0
 	github.com/gin-gonic/gin v1.11.0
 	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-chi/cors v1.2.2
@@ -20,17 +21,17 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
 	github.com/rs/zerolog v1.34.0
-	github.com/sosedoff/pgweb v0.16.2
-	github.com/spf13/cobra v1.10.1
+	github.com/sosedoff/pgweb v0.17.0
+	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
-	github.com/swaggo/http-swagger/v2 v2.0.2
 	github.com/swaggo/swag/v2 v2.0.0-rc4
-	golang.org/x/crypto v0.44.0
-	golang.org/x/oauth2 v0.33.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/oauth2 v0.34.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/datatypes v1.2.7
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/gorm v1.31.1
+	github.com/swaggo/swag/v2 v2.0.0-rc4
 )

 require (
@@ -38,25 +39,27 @@ require (
 	github.com/BurntSushi/toml v1.1.0 // indirect
 	github.com/KyleBanks/depth v1.2.1 // indirect
 	github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.40.0 // indirect
-	github.com/aws/smithy-go v1.23.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 // indirect
+	github.com/aws/smithy-go v1.24.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bytedance/sonic v1.14.0 // indirect
 	github.com/bytedance/sonic/loader v0.3.0 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
@@ -89,18 +92,21 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.28 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/quic-go/quic-go v0.54.0 // indirect
+	github.com/rogpeppe/go-internal v1.13.1 // indirect
 	github.com/sagikazarmark/locafero v0.11.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
@@ -109,22 +115,21 @@ require (
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/sv-tools/openapi v0.2.1 // indirect
-	github.com/swaggo/files/v2 v2.0.0 // indirect
-	github.com/swaggo/swag v1.8.1 // indirect
 	github.com/tuvistavie/securerandom v0.0.0-20140719024926-15512123a948 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.46.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
+	golang.org/x/mod v0.30.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gorm.io/driver/mysql v1.5.6 // indirect
+	gorm.io/driver/mysql v1.5.7 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -8,94 +8,73 @@ github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc
 github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
 github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5 h1:VauE2GcJNZFun2Och6tIT2zJZK1v6jxALQDA9BIji/E=
 github.com/ScaleFT/sshkeys v0.0.0-20200327173127-6142f742bca5/go.mod h1:gxOHeajFfvGQh/fxlC8oOKBe23xnnJTif00IFFbiT+o=
-github.com/agiledragon/gomonkey/v2 v2.3.1 h1:k+UnUY0EMNYUFUAQVETGY9uUTxjMdnUkP0ARyJS1zzs=
-github.com/agiledragon/gomonkey/v2 v2.3.1/go.mod h1:ap1AmDzcVOAz1YpeJ3TCzIgstoaWLA6jbbgxfB4w2iY=
 github.com/alexedwards/argon2id v1.0.0 h1:wJzDx66hqWX7siL/SRUmgz3F8YMrd/nfX/xHHcQQP0w=
 github.com/alexedwards/argon2id v1.0.0/go.mod h1:tYKkqIjzXvZdzPvADMWOEZ+l6+BD6CtBXMj5fnJppiw=
-github.com/aws/aws-sdk-go-v2 v1.39.6 h1:2JrPCVgWJm7bm83BDwY5z8ietmeJUbh3O2ACnn+Xsqk=
-github.com/aws/aws-sdk-go-v2 v1.39.6/go.mod h1:c9pm7VwuW0UPxAEYGyTmyurVcNrbF6Rt/wixFqDhcjE=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3 h1:DHctwEM8P8iTXFxC/QK0MRjwEpWQeM9yzidCRjldUz0=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.3/go.mod h1:xdCzcZEtnSTKVDOmUZs4l/j3pSV6rpo1WXl5ugNsL8Y=
-github.com/aws/aws-sdk-go-v2/config v1.31.18 h1:RouG3AcF2fLFhw+Z0qbnuIl9HZ0Kh4E/U9sKwTMRpMI=
-github.com/aws/aws-sdk-go-v2/config v1.31.18/go.mod h1:aXZ13mSQC8S2VEHwGfL1COMuJ1Zty6pX5xU7hyqjvCg=
-github.com/aws/aws-sdk-go-v2/config v1.31.19 h1:qdUtOw4JhZr2YcKO3g0ho/IcFXfXrrb8xlX05Y6EvSw=
-github.com/aws/aws-sdk-go-v2/config v1.31.19/go.mod h1:tMJ8bur01t8eEm0atLadkIIFA154OJ4JCKZeQ+o+R7k=
-github.com/aws/aws-sdk-go-v2/config v1.31.20 h1:/jWF4Wu90EhKCgjTdy1DGxcbcbNrjfBHvksEL79tfQc=
-github.com/aws/aws-sdk-go-v2/config v1.31.20/go.mod h1:95Hh1Tc5VYKL9NJ7tAkDcqeKt+MCXQB1hQZaRdJIZE0=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.22 h1:hyIVGBHhQPaNP9D4BaVRwpjLMCwMMdAkHqB3gGMiykU=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.22/go.mod h1:B9E2qHs3/YGfeQZ4jrIE/nPvqxtyafZrJ5EQiZBG6pk=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.23 h1:IQILcxVgMO2BVLaJ2aAv21dKWvE1MduNrbvuK43XL2Q=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.23/go.mod h1:JRodHszhVdh5TPUknxDzJzrMiznG+M+FfR3WSWKgCI8=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.24 h1:iJ2FmPT35EaIB0+kMa6TnQ+PwG5A1prEdAw+PsMzfHg=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.24/go.mod h1:U91+DrfjAiXPDEGYhh/x29o4p0qHX5HDqG7y5VViv64=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 h1:T1brd5dR3/fzNFAQch/iBKeX07/ffu/cLu+q+RuzEWk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13/go.mod h1:Peg/GBAQ6JDt+RoBf4meB1wylmAipb7Kg2ZFakZTlwk=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 h1:a+8/MLcWlIxo1lF9xaGt3J/u3yOZx+CdSveSNwjhD40=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13/go.mod h1:oGnKwIYZ4XttyU2JWxFrwvhF6YKiK/9/wmE3v3Iu9K8=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 h1:HBSI2kDkMdWz4ZM7FjwE7e/pWDEZ+nR95x8Ztet1ooY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13/go.mod h1:YE94ZoDArI7awZqJzBAZ3PDD2zSfuP7w6P2knOzIn8M=
+github.com/aws/aws-sdk-go-v2 v1.41.0 h1:tNvqh1s+v0vFYdA1xq0aOJH+Y5cRyZ5upu6roPgPKd4=
+github.com/aws/aws-sdk-go-v2 v1.41.0/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 h1:489krEF9xIGkOaaX3CE/Be2uWjiXrkCH6gUX+bZA/BU=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4/go.mod h1:IOAPF6oT9KCsceNTvvYMNHy0+kMF8akOjeDvPENWxp4=
+github.com/aws/aws-sdk-go-v2/config v1.32.5 h1:pz3duhAfUgnxbtVhIK39PGF/AHYyrzGEyRD9Og0QrE8=
+github.com/aws/aws-sdk-go-v2/config v1.32.5/go.mod h1:xmDjzSUs/d0BB7ClzYPAZMmgQdrodNjPPhd6bGASwoE=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.5 h1:xMo63RlqP3ZZydpJDMBsH9uJ10hgHYfQFIk1cHDXrR4=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.5/go.mod h1:hhbH6oRcou+LpXfA/0vPElh/e0M3aFeOblE1sssAAEk=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16 h1:80+uETIWS1BqjnN9uJ0dBUaETh+P1XwFy5vwHwK5r9k=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.16/go.mod h1:wOOsYuxYuB/7FlnVtzeBYRcjSRtQpAW0hCP7tIULMwo=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16 h1:rgGwPzb82iBYSvHMHXc8h9mRoOUBZIGFgKb9qniaZZc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.16/go.mod h1:L/UxsGeKpGoIj6DxfhOWHWQ/kGKcd4I1VncE4++IyKA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16 h1:1jtGzuV7c82xnqOVfx2F0xmJcOw5374L7N6juGW6x6U=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.16/go.mod h1:M2E5OQf+XLe+SZGmmpaI2yy+J326aFf6/+54PoxSANc=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13 h1:eg/WYAa12vqTphzIdWMzqYRVKKnCboVPRlvaybNCqPA=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.13/go.mod h1:/FDdxWhz1486obGrKKC1HONd7krpk38LBt+dutLcN9k=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 h1:x2Ibm/Af8Fi+BH+Hsn9TXGdT+hKbDd5XOTZxTMxDk7o=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3/go.mod h1:IW1jwyrQgMdhisceG8fQLmQIydcT/jWY21rFhzgaKwo=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4 h1:NvMjwvv8hpGUILarKw7Z4Q0w1H9anXKsesMxtw++MA4=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.4/go.mod h1:455WPHSwaGj2waRSpQp7TsnpOnBfw8iDfPfbwl7KPJE=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 h1:kDqdFvMY4AtKoACfzIGD8A0+hbT41KTKF//gq7jITfM=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13/go.mod h1:lmKuogqSU3HzQCwZ9ZtcqOc5XGMqtDK7OIc2+DxiUEg=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13 h1:zhBJXdhWIFZ1acfDYIhu4+LCzdUS2Vbcum7D01dXlHQ=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.13/go.mod h1:JaaOeCE368qn2Hzi3sEzY6FgAZVCIYcC2nwbro2QCh8=
-github.com/aws/aws-sdk-go-v2/service/route53 v1.59.4 h1:KEszjusgJ2dAqE5nSJY+5AHBkakfah8Sx6Vk3pjgrq8=
-github.com/aws/aws-sdk-go-v2/service/route53 v1.59.4/go.mod h1:TUbfYOisWZWyT2qjmlMh93ERw1Ry8G4q/yT2Q8TsDag=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0 h1:ef6gIJR+xv/JQWwpa5FYirzoQctfSJm7tuDe3SZsUf8=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.90.0/go.mod h1:+wArOOrcHUevqdto9k1tKOF5++YTe9JEcPSc9Tx2ZSw=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.90.1 h1:kKJk9r6iLMfCGy8RL9GWg3n9gUE1IpSwqYP3/5bdL1s=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.90.1/go.mod h1:+wArOOrcHUevqdto9k1tKOF5++YTe9JEcPSc9Tx2ZSw=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.90.2 h1:DhdbtDl4FdNlj31+xiRXANxEE+eC7n8JQz+/ilwQ8Uc=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.90.2/go.mod h1:+wArOOrcHUevqdto9k1tKOF5++YTe9JEcPSc9Tx2ZSw=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.1 h1:0JPwLz1J+5lEOfy/g0SURC9cxhbQ1lIMHMa+AHZSzz0=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.1/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.2 h1:/p6MxkbQoCzaGQT3WO0JwG0FlQyG9RD8VmdmoKc5xqU=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.2/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.3 h1:NjShtS1t8r5LUfFVtFeI8xLAHQNTa7UI0VawXlrBMFQ=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.3/go.mod h1:fKvyjJcz63iL/ftA6RaM8sRCtN4r4zl4tjL3qw5ec7k=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5 h1:OWs0/j2UYR5LOGi88sD5/lhN6TDLG6SfA7CqsQO9zF0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.5/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.6 h1:0dES42T2dhICCbVB3JSTTn7+Bz93wfJEK1b7jksZIyQ=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.6/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7 h1:gTsnx0xXNQ6SBbymoDvcoRHL+q4l/dAFsQuKfDWSaGc=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7/go.mod h1:klO+ejMvYsB4QATfEOIXk8WAEwN4N0aBfJpvC+5SZBo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.40.0 h1:ZGDJVmlpPFiNFCb/I42nYVKUanJAdFUiSmUo/32AqPQ=
-github.com/aws/aws-sdk-go-v2/service/sts v1.40.0/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.40.1 h1:5sbIM57lHLaEaNWdIx23JH30LNBsSDkjN/QXGcRLAFc=
-github.com/aws/aws-sdk-go-v2/service/sts v1.40.1/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.40.2 h1:HK5ON3KmQV2HcAunnx4sKLB9aPf3gKGwVAf7xnx0QT0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.40.2/go.mod h1:E19xDjpzPZC7LS2knI9E6BaRFDK43Eul7vd6rSq2HWk=
-github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
-github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16 h1:CjMzUs78RDDv4ROu3JnJn/Ig1r6ZD7/T2DXLLRpejic=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.16/go.mod h1:uVW4OLBqbJXSHJYA9svT9BluSvvwbzLQ2Crf6UPzR3c=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7 h1:DIBqIrJ7hv+e4CmIk2z3pyKT+3B6qVMgRsawHiR3qso=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.7/go.mod h1:vLm00xmBke75UmpNvOcZQ/Q30ZFjbczeLFqGx5urmGo=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16 h1:oHjJHeUy0ImIV0bsrX0X91GkV5nJAyv1l1CC9lnO0TI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.16/go.mod h1:iRSNGgOYmiYwSCXxXaKb9HfOEj40+oTKn8pTxMlYkRM=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16 h1:NSbvS17MlI2lurYgXnCOLvCFX38sBW4eiVER7+kkgsU=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.16/go.mod h1:SwT8Tmqd4sA6G1qaGdzWCJN99bUmPGHfRwwq3G5Qb+A=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.62.0 h1:80pDB3Tpmb2RCSZORrK9/3iQxsd+w6vSzVqpT1FGiwE=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.62.0/go.mod h1:6EZUGGNLPLh5Unt30uEoA+KQcByERfXIkax9qrc80nA=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2 h1:U3ygWUhCpiSPYSHOrRhb3gOl9T5Y3kB8k5Vjs//57bE=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.93.2/go.mod h1:79S2BdqCJpScXZA2y+cpZuocWsjGjJINyXnOsf5DTz8=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.4 h1:HpI7aMmJ+mm1wkSHIA2t5EaFFv5EFYXePW30p1EIrbQ=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.4/go.mod h1:C5RdGMYGlfM0gYq/tifqgn4EbyX99V15P2V3R+VHbQU=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.7 h1:eYnlt6QxnFINKzwxP5/Ucs1vkG7VT3Iezmvfgc2waUw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.7/go.mod h1:+fWt2UHSb4kS7Pu8y+BMBvJF0EWx+4H0hzNwtDNRTrg=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12 h1:AHDr0DaHIAo8c9t1emrzAlVDFp+iMMKnPdYy6XO4MCE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.12/go.mod h1:GQ73XawFFiWxyWXMHWfhiomvP3tXtdNar/fi8z18sx0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.5 h1:SciGFVNZ4mHdm7gpD1dgZYnCuVdX1s+lFTg4+4DOy70=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.5/go.mod h1:iW40X4QBmUxdP+fZNOpfmkdMZqsovezbAeO+Ubiv2pk=
+github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
+github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
 github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
 github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
 github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
 github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
-github.com/coreos/go-oidc/v3 v3.16.0 h1:qRQUCFstKpXwmEjDQTIbyY/5jF00+asXzSkmkoa/mow=
-github.com/coreos/go-oidc/v3 v3.16.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a h1:saTgr5tMLFnmy/yg3qDTft4rE5DY2uJ/cCxCe3q0XTU=
 github.com/dchest/bcrypt_pbkdf v0.0.0-20150205184540-83f37f9c154a/go.mod h1:Bw9BbhOJVNR+t0jCqx2GC6zv0TGBsShs56Y3gfSCvl0=
-github.com/dyaksa/archer v1.1.3 h1:jfe51tSNzzscFpu+Vilm4SKb0Lnv6FR1yaGspjab4x4=
-github.com/dyaksa/archer v1.1.3/go.mod h1:IYSp67u14JHTNuvvy6gG1eaX2TPywXvfk1FiyZwVEK4=
+github.com/dyaksa/archer v1.1.5 h1:e9ZrR8PnMYEax19Fd+QbvQqDL5cbi78luMEtaSAIHxU=
+github.com/dyaksa/archer v1.1.5/go.mod h1:IYSp67u14JHTNuvvy6gG1eaX2TPywXvfk1FiyZwVEK4=
+github.com/fergusstrange/embedded-postgres v1.33.0 h1:ka8vmRpm4IDsES7NPXQ/NThAp1fc/f+crcXYjCW7wK0=
+github.com/fergusstrange/embedded-postgres v1.33.0/go.mod h1:w0YvnCgf19o6tskInrOOACtnqfVlOvluz3hlNLY7tRk=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
@@ -208,8 +187,8 @@ github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.28 h1:ThEiQrnbtumT+QMknw63Befp/ce/nUPgBPMlRFEum7A=
+github.com/mattn/go-sqlite3 v1.14.28/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/microsoft/go-mssqldb v1.7.2 h1:CHkFJiObW7ItKTJfHo1QX7QBBD1iV+mn1eOyRP3b/PA=
 github.com/microsoft/go-mssqldb v1.7.2/go.mod h1:kOvZKUdrhhFQmxLZqbwUV0rHkNkZpthMITIb2Ko1IoA=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
@@ -222,18 +201,17 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
 github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/otiai10/copy v1.7.0 h1:hVoPiN+t+7d2nzzwMiDHPSOogsWAStewq3TwU05+clE=
-github.com/otiai10/copy v1.7.0/go.mod h1:rmRl6QPdJj6EiUqXQ/4Nn2lLXoNQjFCQbbNrxgc/t3U=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
 github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
 github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
@@ -242,8 +220,8 @@ github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
 github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg=
 github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
@@ -252,16 +230,16 @@ github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDc
 github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/sosedoff/pgweb v0.16.2 h1:1F1CWlCLSEgSctMva+nYuUibdhyiCUzlXyU5MQUJbFM=
-github.com/sosedoff/pgweb v0.16.2/go.mod h1:ER7fsBddI3h7MQKO5RsUPi7Q/PWZYSKcI61kTp369Rw=
+github.com/sosedoff/pgweb v0.17.0 h1:2WSPajNyqStS5oulvfdKIBaWQTy/qNBREBp51h4yiLU=
+github.com/sosedoff/pgweb v0.17.0/go.mod h1:fY82HStJ/n/JCvzHsJmVT6BDYiWxSQG6CvqH+biuUbM=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
 github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
-github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
-github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -285,12 +263,6 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/sv-tools/openapi v0.2.1 h1:ES1tMQMJFGibWndMagvdoo34T1Vllxr1Nlm5wz6b1aA=
 github.com/sv-tools/openapi v0.2.1/go.mod h1:k5VuZamTw1HuiS9p2Wl5YIDWzYnHG6/FgPOSFXLAhGg=
-github.com/swaggo/files/v2 v2.0.0 h1:hmAt8Dkynw7Ssz46F6pn8ok6YmGZqHSVLZ+HQM7i0kw=
-github.com/swaggo/files/v2 v2.0.0/go.mod h1:24kk2Y9NYEJ5lHuCra6iVwkMjIekMCaFq/0JQj66kyM=
-github.com/swaggo/http-swagger/v2 v2.0.2 h1:FKCdLsl+sFCx60KFsyM0rDarwiUSZ8DqbfSyIKC9OBg=
-github.com/swaggo/http-swagger/v2 v2.0.2/go.mod h1:r7/GBkAWIfK6E/OLnE8fXnviHiDeAHmgIyooa4xm3AQ=
-github.com/swaggo/swag v1.8.1 h1:JuARzFX1Z1njbCGz+ZytBR15TFJwF2Q7fu8puJHhQYI=
-github.com/swaggo/swag v1.8.1/go.mod h1:ugemnJsPZm/kRwFUnzBlbHRd0JY9zE1M4F+uy2pAaPQ=
 github.com/swaggo/swag/v2 v2.0.0-rc4 h1:SZ8cK68gcV6cslwrJMIOqPkJELRwq4gmjvk77MrvHvY=
 github.com/swaggo/swag/v2 v2.0.0-rc4/go.mod h1:Ow7Y8gF16BTCDn8YxZbyKn8FkMLRUHekv1kROJZpbvE=
 github.com/tuvistavie/securerandom v0.0.0-20140719024926-15512123a948 h1:yL0l/u242MzDP6D0B5vGC+wxm5WRY+alQZy+dJk3bFI=
@@ -299,11 +271,15 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
 github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
 go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
@@ -314,27 +290,27 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
-golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
-golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
-golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200219091948-cb0a6d8edb6c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -350,29 +326,29 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
 google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
@@ -390,8 +366,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/datatypes v1.2.7 h1:ww9GAhF1aGXZY3EB3cJPJ7//JiuQo7DlQA7NNlVaTdk=
 gorm.io/datatypes v1.2.7/go.mod h1:M2iO+6S3hhi4nAyYe444Pcb0dcIiOMJ7QHaUXxyiNZY=
-gorm.io/driver/mysql v1.5.6 h1:Ld4mkIickM+EliaQZQx3uOJDJHtrd70MxAUqWqlx3Y8=
-gorm.io/driver/mysql v1.5.6/go.mod h1:sEtPWMiqiN1N1cMXoXmBbd8C6/l+TESwriotuRRpkDM=
+gorm.io/driver/mysql v1.5.7 h1:MndhOPYOfEp2rHKgkZIhJ16eVUIRf2HmzgoPmh7FCWo=
+gorm.io/driver/mysql v1.5.7/go.mod h1:sEtPWMiqiN1N1cMXoXmBbd8C6/l+TESwriotuRRpkDM=
 gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
 gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
 gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
--- a/internal/api/mount_api_routes.go
+++ b/internal/api/mount_api_routes.go
@@ -32,6 +32,8 @@ func mountAPIRoutes(r chi.Router, db *gorm.DB, jobs *bg.Jobs) {
 			mountAnnotationRoutes(v1, db, authOrg)
 			mountNodePoolRoutes(v1, db, authOrg)
 			mountDNSRoutes(v1, db, authOrg)
+			mountLoadBalancerRoutes(v1, db, authOrg)
+			mountClusterRoutes(v1, db, authOrg)
 		})
 	})
 }
--- a/internal/api/mount_cluster_routes.go
+++ b/internal/api/mount_cluster_routes.go
@@ -0,0 +1,41 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountClusterRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/clusters", func(c chi.Router) {
+		c.Use(authOrg)
+		c.Get("/", handlers.ListClusters(db))
+		c.Post("/", handlers.CreateCluster(db))
+
+		c.Get("/{clusterID}", handlers.GetCluster(db))
+		c.Patch("/{clusterID}", handlers.UpdateCluster(db))
+		c.Delete("/{clusterID}", handlers.DeleteCluster(db))
+
+		c.Post("/{clusterID}/captain-domain", handlers.AttachCaptainDomain(db))
+		c.Delete("/{clusterID}/captain-domain", handlers.DetachCaptainDomain(db))
+
+		c.Post("/{clusterID}/control-plane-record-set", handlers.AttachControlPlaneRecordSet(db))
+		c.Delete("/{clusterID}/control-plane-record-set", handlers.DetachControlPlaneRecordSet(db))
+
+		c.Post("/{clusterID}/apps-load-balancer", handlers.AttachAppsLoadBalancer(db))
+		c.Delete("/{clusterID}/apps-load-balancer", handlers.DetachAppsLoadBalancer(db))
+		c.Post("/{clusterID}/glueops-load-balancer", handlers.AttachGlueOpsLoadBalancer(db))
+		c.Delete("/{clusterID}/glueops-load-balancer", handlers.DetachGlueOpsLoadBalancer(db))
+
+		c.Post("/{clusterID}/bastion", handlers.AttachBastionServer(db))
+		c.Delete("/{clusterID}/bastion", handlers.DetachBastionServer(db))
+
+		c.Post("/{clusterID}/kubeconfig", handlers.SetClusterKubeconfig(db))
+		c.Delete("/{clusterID}/kubeconfig", handlers.ClearClusterKubeconfig(db))
+
+		c.Post("/{clusterID}/node-pools", handlers.AttachNodePool(db))
+		c.Delete("/{clusterID}/node-pools/{nodePoolID}", handlers.DeleteNodePool(db))
+	})
+}
--- a/internal/api/mount_db_studio.go
+++ b/internal/api/mount_db_studio.go
@@ -10,7 +10,7 @@ import (
 	pgcmd "github.com/sosedoff/pgweb/pkg/command"
 )

-func PgwebHandler(dbURL, prefix string, readonly bool) (http.Handler, error) {
+func MountDbStudio(dbURL, prefix string, readonly bool) (http.Handler, error) {
 	// Normalize prefix for pgweb:
 	//  - no leading slash
 	//  - always trailing slash if not empty
--- a/internal/api/mount_load_balancer_routes.go
+++ b/internal/api/mount_load_balancer_routes.go
@@ -0,0 +1,20 @@
+package api
+
+import (
+	"net/http"
+
+	"github.com/glueops/autoglue/internal/handlers"
+	"github.com/go-chi/chi/v5"
+	"gorm.io/gorm"
+)
+
+func mountLoadBalancerRoutes(r chi.Router, db *gorm.DB, authOrg func(http.Handler) http.Handler) {
+	r.Route("/load-balancers", func(l chi.Router) {
+		l.Use(authOrg)
+		l.Get("/", handlers.ListLoadBalancers(db))
+		l.Post("/", handlers.CreateLoadBalancer(db))
+		l.Get("/{id}", handlers.GetLoadBalancer(db))
+		l.Patch("/{id}", handlers.UpdateLoadBalancer(db))
+		l.Delete("/{id}", handlers.DeleteLoadBalancer(db))
+	})
+}
--- a/internal/api/mount_swagger_routes.go
+++ b/internal/api/mount_swagger_routes.go
@@ -1,15 +1,87 @@
 package api

 import (
+	"fmt"
+	"html/template"
+	"net/http"
+
 	"github.com/glueops/autoglue/docs"
 	"github.com/go-chi/chi/v5"
-	httpSwagger "github.com/swaggo/http-swagger/v2"
 )

 func mountSwaggerRoutes(r chi.Router) {
-	r.Get("/swagger/*", httpSwagger.Handler(
-		httpSwagger.URL("swagger.json"),
-	))
-	r.Get("/swagger/swagger.json", serveSwaggerFromEmbed(docs.SwaggerJSON, "application/json"))
-	r.Get("/swagger/swagger.yaml", serveSwaggerFromEmbed(docs.SwaggerYAML, "application/x-yaml"))
+	r.Get("/swagger", RapidDocHandler("/swagger/swagger.yaml"))
+	r.Get("/swagger/index.html", RapidDocHandler("/swagger/swagger.yaml"))
+	r.Get("/swagger/openapi.json", serveSwaggerFromEmbed(docs.SwaggerJSON, "application/json"))
+	r.Get("/swagger/openapi.yaml", serveSwaggerFromEmbed(docs.SwaggerYAML, "application/x-yaml"))
+}
+
+var rapidDocTmpl = template.Must(template.New("redoc").Parse(`<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>AutoGlue API Docs</title>
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta charset="utf-8">
+  <style>
+    body { margin: 0; padding: 0; }
+    .redoc-container { height: 100vh; }
+  </style>
+</head>
+<body>
+  <rapi-doc
+    id="autoglue-docs"
+    spec-url="{{.SpecURL}}"
+    render-style="read"
+    theme="dark"
+    show-header="false"
+    persist-auth="true"
+	allow-advanced-search="true"
+	schema-description-expanded="true"                                                                                                                                   
+	allow-schema-description-expand-toggle="false"                                                                                                                       
+	allow-spec-file-download="true"                                                                                                                                      
+	allow-spec-file-load="false"                                                                                                                                         
+	allow-spec-url-load="false"                       
+    allow-try="true"
+    schema-style="tree"
+	fetch-credentials="include"
+    default-api-server="{{.DefaultServer}}"
+ 	api-key-name="X-ORG-ID"
+  	api-key-location="header"
+  	api-key-value=""
+  />
+  <script type="module" src="https://unpkg.com/rapidoc/dist/rapidoc-min.js"></script>
+  <script>
+    window.addEventListener('DOMContentLoaded', () => {
+      const rd = document.getElementById('autoglue-docs');
+      if (!rd) return;
+
+      const storedOrg = localStorage.getItem('autoglue.org');
+      if (storedOrg) {
+        rd.setAttribute('api-key-value', storedOrg);
+      }
+    }
+  </script>
+</body>
+</html>`))
+
+func RapidDocHandler(specURL string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		scheme := "http"
+		if r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" {
+			scheme = "https"
+		}
+
+		host := r.Host
+		defaultServer := fmt.Sprintf("%s://%s/api/v1", scheme, host)
+
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		if err := rapidDocTmpl.Execute(w, map[string]string{
+			"SpecURL":       specURL,
+			"DefaultServer": defaultServer,
+		}); err != nil {
+			http.Error(w, "failed to render docs", http.StatusInternalServerError)
+			return
+		}
+	}
 }
--- a/internal/api/mw_security.go
+++ b/internal/api/mw_security.go
@@ -29,14 +29,14 @@ func SecurityHeaders(next http.Handler) http.Handler {
 				"base-uri 'self'",
 				"form-action 'self'",
 				// Vite dev & inline preamble/eval:
-				"script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:5173",
+				"script-src 'self' 'unsafe-inline' 'unsafe-eval' http://localhost:5173 https://unpkg.com",
 				// allow dev style + Google Fonts
 				"style-src 'self' 'unsafe-inline' http://localhost:5173 https://fonts.googleapis.com",
 				"img-src 'self' data: blob:",
 				// Google font files
 				"font-src 'self' data: https://fonts.gstatic.com",
 				// HMR connections
-				"connect-src 'self' http://localhost:5173 ws://localhost:5173 ws://localhost:8080 https://api.github.com",
+				"connect-src 'self' http://localhost:5173 ws://localhost:5173 ws://localhost:8080 https://api.github.com https://unpkg.com",
 				"frame-ancestors 'none'",
 			}, "; "))
 		} else {
@@ -49,11 +49,11 @@ func SecurityHeaders(next http.Handler) http.Handler {
 				"default-src 'self'",
 				"base-uri 'self'",
 				"form-action 'self'",
-				"script-src 'self' 'unsafe-inline'",
+				"script-src 'self' 'unsafe-inline' https://unpkg.com",
 				"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 				"img-src 'self' data: blob:",
 				"font-src 'self' data: https://fonts.gstatic.com",
-				"connect-src 'self' ws://localhost:8080 https://api.github.com",
+				"connect-src 'self' ws://localhost:8080 https://api.github.com https://unpkg.com",
 				"frame-ancestors 'none'",
 			}, "; "))
 		}
--- a/internal/api/routes.go
+++ b/internal/api/routes.go
@@ -38,6 +38,7 @@ func NewRouter(db *gorm.DB, jobs *bg.Jobs, studio http.Handler) http.Handler {
 	r.Use(SecurityHeaders)
 	r.Use(requestBodyLimit(10 << 20))
 	r.Use(httprate.LimitByIP(100, 1*time.Minute))
+	r.Use(middleware.StripSlashes)

 	allowed := getAllowedOrigins()
 	r.Use(cors.Handler(cors.Options{
@@ -103,18 +104,19 @@ func NewRouter(db *gorm.DB, jobs *bg.Jobs, studio http.Handler) http.Handler {
 		mux := http.NewServeMux()
 		mux.Handle("/api/", r)
 		mux.Handle("/api", r)
+		mux.Handle("/swagger", r)
 		mux.Handle("/swagger/", r)
 		mux.Handle("/db-studio/", r)
 		mux.Handle("/debug/pprof/", r)
 		mux.Handle("/", proxy)
 		return mux
-	}
-
-	fmt.Println("Running in production mode")
-	if h, err := web.SPAHandler(); err == nil {
-		r.NotFound(h.ServeHTTP)
 	} else {
-		log.Error().Err(err).Msg("spa handler init failed")
+		fmt.Println("Running in production mode")
+		if h, err := web.SPAHandler(); err == nil {
+			r.NotFound(h.ServeHTTP)
+		} else {
+			log.Error().Err(err).Msg("spa handler init failed")
+		}
 	}

 	return r
--- a/internal/api/utils.go
+++ b/internal/api/utils.go
@@ -40,6 +40,7 @@ func serveSwaggerFromEmbed(data []byte, contentType string) http.HandlerFunc {
 	return func(w http.ResponseWriter, _ *http.Request) {
 		w.Header().Set("Content-Type", contentType)
 		w.WriteHeader(http.StatusOK)
+		// nosemgrep: go.lang.security.audit.xss.no-direct-write-to-responsewriter
 		_, _ = w.Write(data)
 	}
 }
--- a/internal/app/runtime.go
+++ b/internal/app/runtime.go
@@ -39,10 +39,11 @@ func NewRuntime() *Runtime {
 		&models.Label{},
 		&models.Annotation{},
 		&models.NodePool{},
-		&models.Cluster{},
 		&models.Credential{},
 		&models.Domain{},
 		&models.RecordSet{},
+		&models.LoadBalancer{},
+		&models.Cluster{},
 	)

 	if err != nil {
--- a/internal/bg/bastion.go
+++ b/internal/bg/bastion.go
@@ -140,10 +140,7 @@ func BastionBootstrapWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
 				_ = setServerStatus(db, s.ID, "failed")
 				continue
 			}
-
 			ok++
-			//  logHostInfo(jobID, s, "done", "host completed",
-			//	  "elapsed_ms", time.Since(hostStart).Milliseconds())
 		}

 		res := BastionBootstrapResult{
--- a/internal/bg/bg.go
+++ b/internal/bg/bg.go
@@ -107,6 +107,28 @@ func NewJobs(gdb *gorm.DB, dbUrl string) (*Jobs, error) {
 		archer.WithInstances(1),
 		archer.WithTimeout(2*time.Minute),
 	)
+
+	c.Register(
+		"prepare_cluster",
+		ClusterPrepareWorker(gdb, jobs),
+		archer.WithInstances(1),
+		archer.WithTimeout(2*time.Minute),
+	)
+
+	c.Register(
+		"cluster_setup",
+		ClusterSetupWorker(gdb, jobs),
+		archer.WithInstances(1),
+		archer.WithTimeout(2*time.Minute),
+	)
+
+	c.Register(
+		"cluster_bootstrap",
+		ClusterBootstrapWorker(gdb, jobs),
+		archer.WithInstances(1),
+		archer.WithTimeout(60*time.Minute),
+	)
+
 	return jobs, nil
 }

--- a/internal/bg/cluster_bootstrap.go
+++ b/internal/bg/cluster_bootstrap.go
@@ -0,0 +1,121 @@
+package bg
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/dyaksa/archer"
+	"github.com/dyaksa/archer/job"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/google/uuid"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+)
+
+type ClusterBootstrapArgs struct {
+	IntervalS int `json:"interval_seconds,omitempty"`
+}
+
+type ClusterBootstrapResult struct {
+	Status    string      `json:"status"`
+	Processed int         `json:"processed"`
+	Ready     int         `json:"ready"`
+	Failed    int         `json:"failed"`
+	ElapsedMs int         `json:"elapsed_ms"`
+	FailedIDs []uuid.UUID `json:"failed_cluster_ids"`
+}
+
+func ClusterBootstrapWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
+	return func(ctx context.Context, j job.Job) (any, error) {
+		args := ClusterBootstrapArgs{IntervalS: 120}
+		jobID := j.ID
+		start := time.Now()
+
+		_ = j.ParseArguments(&args)
+		if args.IntervalS <= 0 {
+			args.IntervalS = 120
+		}
+
+		var clusters []models.Cluster
+		if err := db.
+			Preload("BastionServer.SshKey").
+			Where("status = ?", clusterStatusPending).
+			Find(&clusters).Error; err != nil {
+			log.Error().Err(err).Msg("[cluster_bootstrap] query clusters failed")
+			return nil, err
+		}
+
+		proc, ready, failCount := 0, 0, 0
+		var failedIDs []uuid.UUID
+
+		perClusterTimeout := 60 * time.Minute
+
+		for i := range clusters {
+			c := &clusters[i]
+			proc++
+
+			if c.BastionServer.ID == uuid.Nil || c.BastionServer.Status != "ready" {
+				continue
+			}
+
+			logger := log.With().
+				Str("job", jobID).
+				Str("cluster_id", c.ID.String()).
+				Str("cluster_name", c.Name).
+				Logger()
+
+			logger.Info().Msg("[cluster_bootstrap] running make bootstrap")
+
+			runCtx, cancel := context.WithTimeout(ctx, perClusterTimeout)
+			out, err := runMakeOnBastion(runCtx, db, c, "setup")
+			cancel()
+
+			if err != nil {
+				failCount++
+				failedIDs = append(failedIDs, c.ID)
+				logger.Error().Err(err).Str("output", out).Msg("[cluster_bootstrap] make setup failed")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, fmt.Sprintf("make setup: %v", err))
+				continue
+			}
+
+			// you can choose a different terminal status here if you like
+			if err := setClusterStatus(db, c.ID, clusterStatusReady, ""); err != nil {
+				failCount++
+				failedIDs = append(failedIDs, c.ID)
+				logger.Error().Err(err).Msg("[cluster_bootstrap] failed to mark cluster ready")
+				continue
+			}
+
+			ready++
+			logger.Info().Msg("[cluster_bootstrap] cluster marked ready")
+		}
+
+		res := ClusterBootstrapResult{
+			Status:    "ok",
+			Processed: proc,
+			Ready:     ready,
+			Failed:    failCount,
+			ElapsedMs: int(time.Since(start).Milliseconds()),
+			FailedIDs: failedIDs,
+		}
+
+		log.Info().
+			Int("processed", proc).
+			Int("ready", ready).
+			Int("failed", failCount).
+			Msg("[cluster_bootstrap] reconcile tick ok")
+
+		// self-reschedule
+		next := time.Now().Add(time.Duration(args.IntervalS) * time.Second)
+		_, _ = jobs.Enqueue(
+			ctx,
+			uuid.NewString(),
+			"cluster_bootstrap",
+			args,
+			archer.WithScheduleTime(next),
+			archer.WithMaxRetries(1),
+		)
+		return res, nil
+	}
+}
--- a/internal/bg/cluster_setup.go
+++ b/internal/bg/cluster_setup.go
@@ -0,0 +1,120 @@
+package bg
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/dyaksa/archer"
+	"github.com/dyaksa/archer/job"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/google/uuid"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+)
+
+type ClusterSetupArgs struct {
+	IntervalS int `json:"interval_seconds,omitempty"`
+}
+
+type ClusterSetupResult struct {
+	Status        string      `json:"status"`
+	Processed     int         `json:"processed"`
+	Provisioning  int         `json:"provisioning"`
+	Failed        int         `json:"failed"`
+	ElapsedMs     int         `json:"elapsed_ms"`
+	FailedCluster []uuid.UUID `json:"failed_cluster_ids"`
+}
+
+func ClusterSetupWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
+	return func(ctx context.Context, j job.Job) (any, error) {
+		args := ClusterSetupArgs{IntervalS: 120}
+		jobID := j.ID
+		start := time.Now()
+
+		_ = j.ParseArguments(&args)
+		if args.IntervalS <= 0 {
+			args.IntervalS = 120
+		}
+
+		var clusters []models.Cluster
+		if err := db.
+			Preload("BastionServer.SshKey").
+			Where("status = ?", clusterStatusPending).
+			Find(&clusters).Error; err != nil {
+			log.Error().Err(err).Msg("[cluster_setup] query clusters failed")
+			return nil, err
+		}
+
+		proc, prov, failCount := 0, 0, 0
+		var failedIDs []uuid.UUID
+
+		perClusterTimeout := 30 * time.Minute
+
+		for i := range clusters {
+			c := &clusters[i]
+			proc++
+
+			if c.BastionServer.ID == uuid.Nil || c.BastionServer.Status != "ready" {
+				continue
+			}
+
+			logger := log.With().
+				Str("job", jobID).
+				Str("cluster_id", c.ID.String()).
+				Str("cluster_name", c.Name).
+				Logger()
+
+			logger.Info().Msg("[cluster_setup] running make setup")
+
+			runCtx, cancel := context.WithTimeout(ctx, perClusterTimeout)
+			out, err := runMakeOnBastion(runCtx, db, c, "ping-servers")
+			cancel()
+
+			if err != nil {
+				failCount++
+				failedIDs = append(failedIDs, c.ID)
+				logger.Error().Err(err).Str("output", out).Msg("[cluster_setup] make setup failed")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, fmt.Sprintf("make setup: %v", err))
+				continue
+			}
+
+			if err := setClusterStatus(db, c.ID, clusterStatusProvisioning, ""); err != nil {
+				failCount++
+				failedIDs = append(failedIDs, c.ID)
+				logger.Error().Err(err).Msg("[cluster_setup] failed to mark cluster provisioning")
+				continue
+			}
+
+			prov++
+			logger.Info().Msg("[cluster_setup] cluster moved to provisioning")
+		}
+
+		res := ClusterSetupResult{
+			Status:        "ok",
+			Processed:     proc,
+			Provisioning:  prov,
+			Failed:        failCount,
+			ElapsedMs:     int(time.Since(start).Milliseconds()),
+			FailedCluster: failedIDs,
+		}
+
+		log.Info().
+			Int("processed", proc).
+			Int("provisioning", prov).
+			Int("failed", failCount).
+			Msg("[cluster_setup] reconcile tick ok")
+
+		// self-reschedule
+		next := time.Now().Add(time.Duration(args.IntervalS) * time.Second)
+		_, _ = jobs.Enqueue(
+			ctx,
+			uuid.NewString(),
+			"cluster_setup",
+			args,
+			archer.WithScheduleTime(next),
+			archer.WithMaxRetries(1),
+		)
+		return res, nil
+	}
+}
--- a/internal/bg/prepare_cluster.go
+++ b/internal/bg/prepare_cluster.go
@@ -0,0 +1,530 @@
+package bg
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/dyaksa/archer"
+	"github.com/dyaksa/archer/job"
+	"github.com/glueops/autoglue/internal/mapper"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/glueops/autoglue/internal/utils"
+	"github.com/google/uuid"
+	"github.com/rs/zerolog/log"
+	"golang.org/x/crypto/ssh"
+	"gorm.io/gorm"
+)
+
+type ClusterPrepareArgs struct {
+	IntervalS int `json:"interval_seconds,omitempty"`
+}
+
+type ClusterPrepareFailure struct {
+	ClusterID uuid.UUID `json:"cluster_id"`
+	Step      string    `json:"step"`
+	Reason    string    `json:"reason"`
+}
+
+type ClusterPrepareResult struct {
+	Status        string                  `json:"status"`
+	Processed     int                     `json:"processed"`
+	MarkedPending int                     `json:"marked_pending"`
+	Failed        int                     `json:"failed"`
+	ElapsedMs     int                     `json:"elapsed_ms"`
+	FailedIDs     []uuid.UUID             `json:"failed_cluster_ids"`
+	Failures      []ClusterPrepareFailure `json:"failures"`
+}
+
+// Alias the status constants from models to avoid string drift.
+const (
+	clusterStatusPrePending   = models.ClusterStatusPrePending
+	clusterStatusPending      = models.ClusterStatusPending
+	clusterStatusProvisioning = models.ClusterStatusProvisioning
+	clusterStatusReady        = models.ClusterStatusReady
+	clusterStatusFailed       = models.ClusterStatusFailed
+)
+
+func ClusterPrepareWorker(db *gorm.DB, jobs *Jobs) archer.WorkerFn {
+	return func(ctx context.Context, j job.Job) (any, error) {
+		args := ClusterPrepareArgs{IntervalS: 120}
+		jobID := j.ID
+		start := time.Now()
+
+		_ = j.ParseArguments(&args)
+		if args.IntervalS <= 0 {
+			args.IntervalS = 120
+		}
+
+		// Load all clusters that are pre_pending; we’ll filter for bastion.ready in memory.
+		var clusters []models.Cluster
+		if err := db.
+			Preload("BastionServer.SshKey").
+			Preload("CaptainDomain").
+			Preload("ControlPlaneRecordSet").
+			Preload("AppsLoadBalancer").
+			Preload("GlueOpsLoadBalancer").
+			Preload("NodePools").
+			Preload("NodePools.Labels").
+			Preload("NodePools.Annotations").
+			Preload("NodePools.Taints").
+			Preload("NodePools.Servers.SshKey").
+			Where("status = ?", clusterStatusPrePending).
+			Find(&clusters).Error; err != nil {
+			log.Error().Err(err).Msg("[cluster_prepare] query clusters failed")
+			return nil, err
+		}
+
+		proc, ok, fail := 0, 0, 0
+		var failedIDs []uuid.UUID
+		var failures []ClusterPrepareFailure
+
+		perClusterTimeout := 8 * time.Minute
+
+		for i := range clusters {
+			c := &clusters[i]
+			proc++
+
+			// bastion must exist and be ready
+			if c.BastionServer == nil || c.BastionServerID == nil || *c.BastionServerID == uuid.Nil || c.BastionServer.Status != "ready" {
+				continue
+			}
+
+			clusterLog := log.With().
+				Str("job", jobID).
+				Str("cluster_id", c.ID.String()).
+				Str("cluster_name", c.Name).
+				Logger()
+
+			clusterLog.Info().Msg("[cluster_prepare] starting")
+
+			if err := validateClusterForPrepare(c); err != nil {
+				fail++
+				failedIDs = append(failedIDs, c.ID)
+				failures = append(failures, ClusterPrepareFailure{
+					ClusterID: c.ID,
+					Step:      "validate",
+					Reason:    err.Error(),
+				})
+				clusterLog.Error().Err(err).Msg("[cluster_prepare] validation failed")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, err.Error())
+				continue
+			}
+
+			allServers := flattenClusterServers(c)
+			keyPayloads, sshConfig, err := buildSSHAssetsForCluster(db, c, allServers)
+			if err != nil {
+				fail++
+				failedIDs = append(failedIDs, c.ID)
+				failures = append(failures, ClusterPrepareFailure{
+					ClusterID: c.ID,
+					Step:      "build_ssh_assets",
+					Reason:    err.Error(),
+				})
+				clusterLog.Error().Err(err).Msg("[cluster_prepare] build ssh assets failed")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, err.Error())
+				continue
+			}
+
+			dtoCluster := mapper.ClusterToDTO(*c)
+
+			payloadJSON, err := json.MarshalIndent(dtoCluster, "", "  ")
+			if err != nil {
+				fail++
+				failedIDs = append(failedIDs, c.ID)
+				failures = append(failures, ClusterPrepareFailure{
+					ClusterID: c.ID,
+					Step:      "marshal_payload",
+					Reason:    err.Error(),
+				})
+				clusterLog.Error().Err(err).Msg("[cluster_prepare] json marshal failed")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, err.Error())
+				continue
+			}
+
+			runCtx, cancel := context.WithTimeout(ctx, perClusterTimeout)
+			err = pushAssetsToBastion(runCtx, db, c, sshConfig, keyPayloads, payloadJSON)
+			cancel()
+
+			if err != nil {
+				fail++
+				failedIDs = append(failedIDs, c.ID)
+				failures = append(failures, ClusterPrepareFailure{
+					ClusterID: c.ID,
+					Step:      "ssh_push",
+					Reason:    err.Error(),
+				})
+				clusterLog.Error().Err(err).Msg("[cluster_prepare] failed to push assets to bastion")
+				_ = setClusterStatus(db, c.ID, clusterStatusFailed, err.Error())
+				continue
+			}
+
+			if err := setClusterStatus(db, c.ID, clusterStatusPending, ""); err != nil {
+				fail++
+				failedIDs = append(failedIDs, c.ID)
+				failures = append(failures, ClusterPrepareFailure{
+					ClusterID: c.ID,
+					Step:      "set_pending",
+					Reason:    err.Error(),
+				})
+				clusterLog.Error().Err(err).Msg("[cluster_prepare] failed to mark cluster pending")
+				continue
+			}
+
+			ok++
+			clusterLog.Info().Msg("[cluster_prepare] cluster marked pending")
+		}
+
+		res := ClusterPrepareResult{
+			Status:        "ok",
+			Processed:     proc,
+			MarkedPending: ok,
+			Failed:        fail,
+			ElapsedMs:     int(time.Since(start).Milliseconds()),
+			FailedIDs:     failedIDs,
+			Failures:      failures,
+		}
+
+		log.Info().
+			Int("processed", proc).
+			Int("pending", ok).
+			Int("failed", fail).
+			Msg("[cluster_prepare] reconcile tick ok")
+
+		next := time.Now().Add(time.Duration(args.IntervalS) * time.Second)
+		_, _ = jobs.Enqueue(
+			ctx,
+			uuid.NewString(),
+			"prepare_cluster",
+			args,
+			archer.WithScheduleTime(next),
+			archer.WithMaxRetries(1),
+		)
+		return res, nil
+	}
+}
+
+// ---------- helpers ----------
+
+func validateClusterForPrepare(c *models.Cluster) error {
+	if c.BastionServer == nil || c.BastionServerID == nil || *c.BastionServerID == uuid.Nil {
+		return fmt.Errorf("missing bastion server")
+	}
+	if c.BastionServer.Status != "ready" {
+		return fmt.Errorf("bastion server not ready (status=%s)", c.BastionServer.Status)
+	}
+
+	// CaptainDomain is a value type; presence is via *ID
+	if c.CaptainDomainID == nil || *c.CaptainDomainID == uuid.Nil {
+		return fmt.Errorf("missing captain domain for cluster")
+	}
+
+	// ControlPlaneRecordSet is a pointer; presence is via *ID + non-nil struct
+	if c.ControlPlaneRecordSetID == nil || *c.ControlPlaneRecordSetID == uuid.Nil || c.ControlPlaneRecordSet == nil {
+		return fmt.Errorf("missing control_plane_record_set for cluster")
+	}
+
+	if len(c.NodePools) == 0 {
+		return fmt.Errorf("cluster has no node pools")
+	}
+
+	hasServer := false
+	for i := range c.NodePools {
+		if len(c.NodePools[i].Servers) > 0 {
+			hasServer = true
+			break
+		}
+	}
+	if !hasServer {
+		return fmt.Errorf("cluster has no servers attached to node pools")
+	}
+
+	return nil
+}
+
+func flattenClusterServers(c *models.Cluster) []*models.Server {
+	var out []*models.Server
+	for i := range c.NodePools {
+		for j := range c.NodePools[i].Servers {
+			s := &c.NodePools[i].Servers[j]
+			out = append(out, s)
+		}
+	}
+	return out
+}
+
+type keyPayload struct {
+	FileName      string
+	PrivateKeyB64 string
+}
+
+// build ssh-config for all servers + decrypt keys.
+// ssh-config is intended to live on the bastion and connect via *private* IPs.
+func buildSSHAssetsForCluster(db *gorm.DB, c *models.Cluster, servers []*models.Server) (map[uuid.UUID]keyPayload, string, error) {
+	var sb strings.Builder
+	keys := make(map[uuid.UUID]keyPayload)
+
+	for _, s := range servers {
+		// Defensive checks
+		if strings.TrimSpace(s.PrivateIPAddress) == "" {
+			return nil, "", fmt.Errorf("server %s missing private ip", s.ID)
+		}
+		if s.SshKeyID == uuid.Nil {
+			return nil, "", fmt.Errorf("server %s missing ssh key relation", s.ID)
+		}
+
+		// de-dupe keys: many servers may share the same ssh key
+		if _, ok := keys[s.SshKeyID]; !ok {
+			priv, err := utils.DecryptForOrg(
+				s.OrganizationID,
+				s.SshKey.EncryptedPrivateKey,
+				s.SshKey.PrivateIV,
+				s.SshKey.PrivateTag,
+				db,
+			)
+			if err != nil {
+				return nil, "", fmt.Errorf("decrypt key for server %s: %w", s.ID, err)
+			}
+
+			fname := fmt.Sprintf("%s.pem", s.SshKeyID.String())
+			keys[s.SshKeyID] = keyPayload{
+				FileName:      fname,
+				PrivateKeyB64: base64.StdEncoding.EncodeToString([]byte(priv)),
+			}
+		}
+
+		// ssh config entry per server
+		keyFile := keys[s.SshKeyID].FileName
+
+		hostAlias := s.Hostname
+		if hostAlias == "" {
+			hostAlias = s.ID.String()
+		}
+
+		sb.WriteString(fmt.Sprintf("Host %s\n", hostAlias))
+		sb.WriteString(fmt.Sprintf("  HostName %s\n", s.PrivateIPAddress))
+		sb.WriteString(fmt.Sprintf("  User %s\n", s.SSHUser))
+		sb.WriteString(fmt.Sprintf("  IdentityFile ~/.ssh/autoglue/keys/%s\n", keyFile))
+		sb.WriteString("  IdentitiesOnly yes\n")
+		sb.WriteString("  StrictHostKeyChecking accept-new\n\n")
+	}
+
+	return keys, sb.String(), nil
+}
+
+func pushAssetsToBastion(
+	ctx context.Context,
+	db *gorm.DB,
+	c *models.Cluster,
+	sshConfig string,
+	keyPayloads map[uuid.UUID]keyPayload,
+	payloadJSON []byte,
+) error {
+	bastion := c.BastionServer
+	if bastion == nil {
+		return fmt.Errorf("bastion server is nil")
+	}
+
+	if bastion.PublicIPAddress == nil || strings.TrimSpace(*bastion.PublicIPAddress) == "" {
+		return fmt.Errorf("bastion server missing public ip")
+	}
+
+	privKey, err := utils.DecryptForOrg(
+		bastion.OrganizationID,
+		bastion.SshKey.EncryptedPrivateKey,
+		bastion.SshKey.PrivateIV,
+		bastion.SshKey.PrivateTag,
+		db,
+	)
+	if err != nil {
+		return fmt.Errorf("decrypt bastion key: %w", err)
+	}
+
+	signer, err := ssh.ParsePrivateKey([]byte(privKey))
+	if err != nil {
+		return fmt.Errorf("parse bastion private key: %w", err)
+	}
+
+	hkcb := makeDBHostKeyCallback(db, bastion)
+
+	config := &ssh.ClientConfig{
+		User:            bastion.SSHUser,
+		Auth:            []ssh.AuthMethod{ssh.PublicKeys(signer)},
+		HostKeyCallback: hkcb,
+		Timeout:         30 * time.Second,
+	}
+
+	host := net.JoinHostPort(*bastion.PublicIPAddress, "22")
+
+	dialer := &net.Dialer{}
+	conn, err := dialer.DialContext(ctx, "tcp", host)
+	if err != nil {
+		return fmt.Errorf("dial bastion: %w", err)
+	}
+	defer conn.Close()
+
+	cconn, chans, reqs, err := ssh.NewClientConn(conn, host, config)
+	if err != nil {
+		return fmt.Errorf("ssh handshake bastion: %w", err)
+	}
+	client := ssh.NewClient(cconn, chans, reqs)
+	defer client.Close()
+
+	sess, err := client.NewSession()
+	if err != nil {
+		return fmt.Errorf("ssh session: %w", err)
+	}
+	defer sess.Close()
+
+	// build one shot script to:
+	// - mkdir ~/.ssh/autoglue/keys
+	// - write cluster-specific ssh-config
+	// - write all private keys
+	// - write payload.json
+	clusterDir := fmt.Sprintf("$HOME/autoglue/clusters/%s", c.ID.String())
+	configPath := fmt.Sprintf("$HOME/.ssh/autoglue/cluster-%s.config", c.ID.String())
+
+	var script bytes.Buffer
+
+	script.WriteString("set -euo pipefail\n")
+	script.WriteString("mkdir -p \"$HOME/.ssh/autoglue/keys\"\n")
+	script.WriteString("mkdir -p " + clusterDir + "\n")
+	script.WriteString("chmod 700 \"$HOME/.ssh\" || true\n")
+
+	// ssh-config
+	script.WriteString("cat > " + configPath + " <<'EOF_CFG'\n")
+	script.WriteString(sshConfig)
+	script.WriteString("EOF_CFG\n")
+	script.WriteString("chmod 600 " + configPath + "\n")
+
+	// keys
+	for id, kp := range keyPayloads {
+		tag := "KEY_" + id.String()
+		target := fmt.Sprintf("$HOME/.ssh/autoglue/keys/%s", kp.FileName)
+
+		script.WriteString("cat <<'" + tag + "' | base64 -d > " + target + "\n")
+		script.WriteString(kp.PrivateKeyB64 + "\n")
+		script.WriteString(tag + "\n")
+		script.WriteString("chmod 600 " + target + "\n")
+	}
+
+	// payload.json
+	payloadPath := clusterDir + "/payload.json"
+	script.WriteString("cat > " + payloadPath + " <<'EOF_PAYLOAD'\n")
+	script.Write(payloadJSON)
+	script.WriteString("\nEOF_PAYLOAD\n")
+	script.WriteString("chmod 600 " + payloadPath + "\n")
+
+	// If you later want to always include cluster configs automatically, you can
+	// optionally manage ~/.ssh/config here (kept simple for now).
+
+	sess.Stdin = strings.NewReader(script.String())
+	out, runErr := sess.CombinedOutput("bash -s")
+
+	if runErr != nil {
+		return wrapSSHError(runErr, string(out))
+	}
+	return nil
+}
+
+func setClusterStatus(db *gorm.DB, id uuid.UUID, status, lastError string) error {
+	updates := map[string]any{
+		"status":     status,
+		"updated_at": time.Now(),
+	}
+	if lastError != "" {
+		updates["last_error"] = lastError
+	}
+	return db.Model(&models.Cluster{}).
+		Where("id = ?", id).
+		Updates(updates).Error
+}
+
+// runMakeOnBastion runs `make <target>` from the cluster's directory on the bastion.
+func runMakeOnBastion(
+	ctx context.Context,
+	db *gorm.DB,
+	c *models.Cluster,
+	target string,
+) (string, error) {
+	logger := log.With().
+		Str("cluster_id", c.ID.String()).
+		Str("cluster_name", c.Name).
+		Logger()
+
+	bastion := c.BastionServer
+	if bastion == nil {
+		return "", fmt.Errorf("bastion server is nil")
+	}
+
+	if bastion.PublicIPAddress == nil || strings.TrimSpace(*bastion.PublicIPAddress) == "" {
+		return "", fmt.Errorf("bastion server missing public ip")
+	}
+
+	privKey, err := utils.DecryptForOrg(
+		bastion.OrganizationID,
+		bastion.SshKey.EncryptedPrivateKey,
+		bastion.SshKey.PrivateIV,
+		bastion.SshKey.PrivateTag,
+		db,
+	)
+	if err != nil {
+		return "", fmt.Errorf("decrypt bastion key: %w", err)
+	}
+
+	signer, err := ssh.ParsePrivateKey([]byte(privKey))
+	if err != nil {
+		return "", fmt.Errorf("parse bastion private key: %w", err)
+	}
+
+	hkcb := makeDBHostKeyCallback(db, bastion)
+
+	config := &ssh.ClientConfig{
+		User:            bastion.SSHUser,
+		Auth:            []ssh.AuthMethod{ssh.PublicKeys(signer)},
+		HostKeyCallback: hkcb,
+		Timeout:         30 * time.Second,
+	}
+
+	host := net.JoinHostPort(*bastion.PublicIPAddress, "22")
+
+	dialer := &net.Dialer{}
+	conn, err := dialer.DialContext(ctx, "tcp", host)
+	if err != nil {
+		return "", fmt.Errorf("dial bastion: %w", err)
+	}
+	defer conn.Close()
+
+	cconn, chans, reqs, err := ssh.NewClientConn(conn, host, config)
+	if err != nil {
+		return "", fmt.Errorf("ssh handshake bastion: %w", err)
+	}
+	client := ssh.NewClient(cconn, chans, reqs)
+	defer client.Close()
+
+	sess, err := client.NewSession()
+	if err != nil {
+		return "", fmt.Errorf("ssh session: %w", err)
+	}
+	defer sess.Close()
+
+	clusterDir := fmt.Sprintf("$HOME/autoglue/clusters/%s", c.ID.String())
+	sshDir := fmt.Sprintf("$HOME/.ssh")
+
+	cmd := fmt.Sprintf("cd %s && docker run -v %s:/root/.ssh -v ./payload.json:/opt/gluekube/platform.json %s:%s make %s", clusterDir, sshDir, c.DockerImage, c.DockerTag, target)
+
+	logger.Info().
+		Str("cmd", cmd).
+		Msg("[runMakeOnBastion] executing remote command")
+
+	out, runErr := sess.CombinedOutput(cmd)
+	if runErr != nil {
+		return string(out), wrapSSHError(runErr, string(out))
+	}
+	return string(out), nil
+}
--- a/internal/handlers/annotations.go
+++ b/internal/handlers/annotations.go
@@ -22,7 +22,6 @@ import (
 //	@Summary		List annotations (org scoped)
 //	@Description	Returns annotations for the organization in X-Org-ID. Filters: `key`, `value`, and `q` (key contains). Add `include=node_pools` to include linked node pools.
 //	@Tags			Annotations
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			key			query		string	false	"Exact key"
@@ -75,7 +74,6 @@ func ListAnnotations(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Get annotation by ID (org scoped)
 //	@Description	Returns one annotation. Add `include=node_pools` to include node pools.
 //	@Tags			Annotations
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			id			path		string	true	"Annotation ID (UUID)"
@@ -255,11 +253,10 @@ func UpdateAnnotation(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Delete annotation (org scoped)
 //	@Description	Permanently deletes the annotation.
 //	@Tags			Annotations
-//	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header		string	false	"Organization UUID"
-//	@Param			id			path		string	true	"Annotation ID (UUID)"
-//	@Success		204			{string}	string	"No Content"
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Annotation ID (UUID)"
+//	@Success		204			"No Content"
 //	@Failure		400			{string}	string	"invalid id"
 //	@Failure		401			{string}	string	"Unauthorized"
 //	@Failure		403			{string}	string	"organization required"
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -2,7 +2,9 @@ package handlers

 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
+	"html/template"
 	"net/http"
 	"net/url"
 	"strings"
@@ -252,10 +254,11 @@ func AuthCallback(db *gorm.DB) http.HandlerFunc {
 		accessTTL := 1 * time.Hour
 		refreshTTL := 30 * 24 * time.Hour

+		cfgLoaded, _ := config.Load()
 		access, err := auth.IssueAccessToken(auth.IssueOpts{
 			Subject:  user.ID.String(),
-			Issuer:   cfg.JWTIssuer,
-			Audience: cfg.JWTAudience,
+			Issuer:   cfgLoaded.JWTIssuer,
+			Audience: cfgLoaded.JWTAudience,
 			TTL:      accessTTL,
 			Claims: map[string]any{
 				"email": email,
@@ -273,7 +276,10 @@ func AuthCallback(db *gorm.DB) http.HandlerFunc {
 			return
 		}

-		secure := strings.HasPrefix(cfg.OAuthRedirectBase, "https://")
+		secure := true
+		if u, err := url.Parse(cfg.OAuthRedirectBase); err == nil && isLocalDev(u) {
+			secure = false
+		}
 		if xf := r.Header.Get("X-Forwarded-Proto"); xf != "" {
 			secure = strings.EqualFold(xf, "https")
 		}
@@ -291,14 +297,7 @@ func AuthCallback(db *gorm.DB) http.HandlerFunc {
 		// If the state indicates SPA popup mode, postMessage tokens to the opener and close
 		state := r.URL.Query().Get("state")
 		if strings.Contains(state, "mode=spa") {
-			origin := ""
-			for _, part := range strings.Split(state, "|") {
-				if strings.HasPrefix(part, "origin=") {
-					origin, _ = url.QueryUnescape(strings.TrimPrefix(part, "origin="))
-					break
-				}
-			}
-			// fallback: restrict to backend origin if none supplied
+			origin := canonicalOrigin(cfg.OAuthRedirectBase)
 			if origin == "" {
 				origin = cfg.OAuthRedirectBase
 			}
@@ -371,7 +370,10 @@ func Refresh(db *gorm.DB) http.HandlerFunc {
 			return
 		}

-		secure := strings.HasPrefix(cfg.OAuthRedirectBase, "https://")
+		secure := true
+		if uParsed, err := url.Parse(cfg.OAuthRedirectBase); err == nil && isLocalDev(uParsed) {
+			secure = false
+		}
 		if xf := r.Header.Get("X-Forwarded-Proto"); xf != "" {
 			secure = strings.EqualFold(xf, "https")
 		}
@@ -424,6 +426,11 @@ func Logout(db *gorm.DB) http.HandlerFunc {
 		}

 	clearCookie:
+		secure := true
+		if uParsed, err := url.Parse(cfg.OAuthRedirectBase); err == nil && isLocalDev(uParsed) {
+			secure = false
+		}
+
 		http.SetCookie(w, &http.Cookie{
 			Name:     "ag_jwt",
 			Value:    "",
@@ -432,11 +439,10 @@ func Logout(db *gorm.DB) http.HandlerFunc {
 			MaxAge:   -1,
 			Expires:  time.Unix(0, 0),
 			SameSite: http.SameSiteLaxMode,
-			Secure:   strings.HasPrefix(cfg.OAuthRedirectBase, "https"),
+			Secure:   secure,
 		})

 		w.WriteHeader(204)
-
 	}
 }

@@ -506,21 +512,63 @@ func ensureAutoMembership(db *gorm.DB, userID uuid.UUID, email string) error {
 	}).Error
 }

+// postMessage HTML template
+var postMessageTpl = template.Must(template.New("postmsg").Parse(`<!doctype html>
+<html>
+  <body>
+    <script>
+      (function(){
+        try {
+          var data = JSON.parse(atob("{{.PayloadB64}}"));
+          if (window.opener) {
+            window.opener.postMessage(
+              { type: 'autoglue:auth', payload: data },
+              "{{.Origin}}"
+            );
+          }
+        } catch (e) {}
+        window.close();
+      })();
+    </script>
+  </body>
+</html>`))
+
+type postMessageData struct {
+	Origin     string
+	PayloadB64 string
+}
+
 // writePostMessageHTML sends a tiny HTML page that posts tokens to the SPA and closes the window.
 func writePostMessageHTML(w http.ResponseWriter, origin string, payload dto.TokenPair) {
 	b, _ := json.Marshal(payload)
+
+	data := postMessageData{
+		Origin:     origin,
+		PayloadB64: base64.StdEncoding.EncodeToString(b),
+	}
+
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.Header().Set("Cache-Control", "no-store")
 	w.WriteHeader(http.StatusOK)
-	_, _ = w.Write([]byte(`<!doctype html><html><body><script>
-(function(){
-  try {
-    var data = ` + string(b) + `;
-    if (window.opener) {
-      window.opener.postMessage({ type: 'autoglue:auth', payload: data }, '` + origin + `');
-    }
-  } catch (e) {}
-  window.close();
-})();
-</script></body></html>`))
+	_ = postMessageTpl.Execute(w, data)
+}
+
+// canonicalOrigin returns scheme://host[:port] for a given URL, or "" if invalid.
+func canonicalOrigin(raw string) string {
+	u, err := url.Parse(raw)
+	if err != nil || u.Scheme == "" || u.Host == "" {
+		return ""
+	}
+
+	// Normalize: no path/query/fragment — just the origin.
+	return (&url.URL{
+		Scheme: u.Scheme,
+		Host:   u.Host,
+	}).String()
+}
+
+func isLocalDev(u *url.URL) bool {
+	host := strings.ToLower(u.Hostname())
+	return u.Scheme == "http" &&
+		(host == "localhost" || host == "127.0.0.1")
 }
--- a/internal/handlers/clusters.go
+++ b/internal/handlers/clusters.go
--- a/internal/handlers/credentials.go
+++ b/internal/handlers/credentials.go
@@ -23,24 +23,24 @@ import (
 )

 // ListCredentials godoc
-// @ID ListCredentials
-// @Summary List credentials (metadata only)
-// @Description Returns credential metadata for the current org. Secrets are never returned.
-// @Tags Credentials
-// @Accept json
-// @Produce json
-// @Param X-Org-ID header string false "Organization ID (UUID)"
-// @Param provider query string false "Filter by provider (e.g., aws)"
-// @Param kind query string false "Filter by kind (e.g., aws_access_key)"
-// @Param scope_kind query string false "Filter by scope kind (provider/service/resource)"
-// @Success 200 {array} dto.CredentialOut
-// @Failure		401	{string}	string	"Unauthorized"
-// @Failure		403	{string}	string	"organization required"
-// @Failure 500 {string} string "internal server error"
-// @Router /credentials [get]
-// @Security		BearerAuth
-// @Security		OrgKeyAuth
-// @Security		OrgSecretAuth
+//
+//	@ID				ListCredentials
+//	@Summary		List credentials (metadata only)
+//	@Description	Returns credential metadata for the current org. Secrets are never returned.
+//	@Tags			Credentials
+//	@Produce		json
+//	@Param			X-Org-ID			header		string	false	"Organization ID (UUID)"
+//	@Param			credential_provider	query		string	false	"Filter by provider (e.g., aws)"
+//	@Param			kind				query		string	false	"Filter by kind (e.g., aws_access_key)"
+//	@Param			scope_kind			query		string	false	"Filter by scope kind (credential_provider/service/resource)"
+//	@Success		200					{array}		dto.CredentialOut
+//	@Failure		401					{string}	string	"Unauthorized"
+//	@Failure		403					{string}	string	"organization required"
+//	@Failure		500					{string}	string	"internal server error"
+//	@Router			/credentials [get]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
 func ListCredentials(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -49,7 +49,7 @@ func ListCredentials(db *gorm.DB) http.HandlerFunc {
 			return
 		}
 		q := db.Where("organization_id = ?", orgID)
-		if v := r.URL.Query().Get("provider"); v != "" {
+		if v := r.URL.Query().Get("credential_provider"); v != "" {
 			q = q.Where("provider = ?", v)
 		}
 		if v := r.URL.Query().Get("kind"); v != "" {
@@ -73,21 +73,21 @@ func ListCredentials(db *gorm.DB) http.HandlerFunc {
 }

 // GetCredential godoc
-// @ID GetCredential
-// @Summary Get credential by ID (metadata only)
-// @Tags Credentials
-// @Accept json
-// @Produce json
-// @Param X-Org-ID header string false "Organization ID (UUID)"
-// @Param id path string true "Credential ID (UUID)"
-// @Success 200 {object} dto.CredentialOut
-// @Failure		401	{string}	string	"Unauthorized"
-// @Failure		403	{string}	string	"organization required"
-// @Failure 500 {string} string "internal server error"
-// @Router /credentials/{id} [get]
-// @Security		BearerAuth
-// @Security		OrgKeyAuth
-// @Security		OrgSecretAuth
+//
+//	@ID			GetCredential
+//	@Summary	Get credential by ID (metadata only)
+//	@Tags		Credentials
+//	@Produce	json
+//	@Param		X-Org-ID	header		string	false	"Organization ID (UUID)"
+//	@Param		id			path		string	true	"Credential ID (UUID)"
+//	@Success	200			{object}	dto.CredentialOut
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	500			{string}	string	"internal server error"
+//	@Router		/credentials/{id} [get]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func GetCredential(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -117,21 +117,22 @@ func GetCredential(db *gorm.DB) http.HandlerFunc {
 }

 // CreateCredential godoc
-// @ID CreateCredential
-// @Summary Create a credential (encrypts secret)
-// @Tags Credentials
-// @Accept json
-// @Produce json
-// @Param X-Org-ID header string false "Organization ID (UUID)"
-// @Param body body dto.CreateCredentialRequest true "Credential payload"
-// @Success 201 {object} dto.CredentialOut
-// @Failure		401	{string}	string	"Unauthorized"
-// @Failure		403	{string}	string	"organization required"
-// @Failure 500 {string} string "internal server error"
-// @Router /credentials [post]
-// @Security		BearerAuth
-// @Security		OrgKeyAuth
-// @Security		OrgSecretAuth
+//
+//	@ID			CreateCredential
+//	@Summary	Create a credential (encrypts secret)
+//	@Tags		Credentials
+//	@Accept		json
+//	@Produce	json
+//	@Param		X-Org-ID	header		string						false	"Organization ID (UUID)"
+//	@Param		body		body		dto.CreateCredentialRequest	true	"Credential payload"
+//	@Success	201			{object}	dto.CredentialOut
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	500			{string}	string	"internal server error"
+//	@Router		/credentials [post]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func CreateCredential(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -153,7 +154,7 @@ func CreateCredential(db *gorm.DB) http.HandlerFunc {

 		cred, err := SaveCredentialWithScope(
 			r.Context(), db, orgID,
-			in.Provider, in.Kind, in.SchemaVersion,
+			in.CredentialProvider, in.Kind, in.SchemaVersion,
 			in.ScopeKind, in.ScopeVersion, json.RawMessage(in.Scope), json.RawMessage(in.Secret),
 			in.Name, in.AccountID, in.Region,
 		)
@@ -166,21 +167,22 @@ func CreateCredential(db *gorm.DB) http.HandlerFunc {
 }

 // UpdateCredential godoc
-// @ID UpdateCredential
-// @Summary Update credential metadata and/or rotate secret
-// @Tags Credentials
-// @Accept json
-// @Produce json
-// @Param X-Org-ID header string false "Organization ID (UUID)"
-// @Param id path string true "Credential ID (UUID)"
-// @Param body body dto.UpdateCredentialRequest true "Fields to update"
-// @Success 200 {object} dto.CredentialOut
-// @Failure		403	{string}	string	"X-Org-ID required"
-// @Failure		404	{string}	string	"not found"
-// @Router /credentials/{id} [patch]
-// @Security		BearerAuth
-// @Security		OrgKeyAuth
-// @Security		OrgSecretAuth
+//
+//	@ID			UpdateCredential
+//	@Summary	Update credential metadata and/or rotate secret
+//	@Tags		Credentials
+//	@Accept		json
+//	@Produce	json
+//	@Param		X-Org-ID	header		string						false	"Organization ID (UUID)"
+//	@Param		id			path		string						true	"Credential ID (UUID)"
+//	@Param		body		body		dto.UpdateCredentialRequest	true	"Fields to update"
+//	@Success	200			{object}	dto.CredentialOut
+//	@Failure	403			{string}	string	"X-Org-ID required"
+//	@Failure	404			{string}	string	"not found"
+//	@Router		/credentials/{id} [patch]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func UpdateCredential(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -296,19 +298,19 @@ func UpdateCredential(db *gorm.DB) http.HandlerFunc {
 }

 // DeleteCredential godoc
-// @ID DeleteCredential
-// @Summary Delete credential
-// @Tags Credentials
-// @Accept json
-// @Produce json
-// @Param X-Org-ID header string false "Organization ID (UUID)"
-// @Param id path string true "Credential ID (UUID)"
-// @Success 204
-// @Failure		404	{string}	string	"not found"
-// @Router /credentials/{id} [delete]
-// @Security		BearerAuth
-// @Security		OrgKeyAuth
-// @Security		OrgSecretAuth
+//
+//	@ID			DeleteCredential
+//	@Summary	Delete credential
+//	@Tags		Credentials
+//	@Produce	json
+//	@Param		X-Org-ID	header	string	false	"Organization ID (UUID)"
+//	@Param		id			path	string	true	"Credential ID (UUID)"
+//	@Success	204
+//	@Failure	404	{string}	string	"not found"
+//	@Router		/credentials/{id} [delete]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func DeleteCredential(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -335,20 +337,21 @@ func DeleteCredential(db *gorm.DB) http.HandlerFunc {
 }

 // RevealCredential godoc
-// @ID RevealCredential
-// @Summary Reveal decrypted secret (one-time read)
-// @Tags Credentials
-// @Accept json
-// @Produce json
-// @Param X-Org-ID header string false "Organization ID (UUID)"
-// @Param id path string true "Credential ID (UUID)"
-// @Success 200 {object} map[string]any
-// @Failure		403	{string}	string	"organization required"
-// @Failure		404	{string}	string	"not found"
-// @Router /credentials/{id}/reveal [post]
-// @Security		BearerAuth
-// @Security		OrgKeyAuth
-// @Security		OrgSecretAuth
+//
+//	@ID			RevealCredential
+//	@Summary	Reveal decrypted secret (one-time read)
+//	@Tags		Credentials
+//	@Accept		json
+//	@Produce	json
+//	@Param		X-Org-ID	header		string	false	"Organization ID (UUID)"
+//	@Param		id			path		string	true	"Credential ID (UUID)"
+//	@Success	200			{object}	map[string]any
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Router		/credentials/{id}/reveal [post]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func RevealCredential(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -545,17 +548,17 @@ func SaveCredentialWithScope(
 // credOut converts model → response DTO
 func credOut(c *models.Credential) dto.CredentialOut {
 	return dto.CredentialOut{
-		ID:            c.ID.String(),
-		Provider:      c.Provider,
-		Kind:          c.Kind,
-		SchemaVersion: c.SchemaVersion,
-		Name:          c.Name,
-		ScopeKind:     c.ScopeKind,
-		ScopeVersion:  c.ScopeVersion,
-		Scope:         dto.RawJSON(c.Scope),
-		AccountID:     c.AccountID,
-		Region:        c.Region,
-		CreatedAt:     c.CreatedAt.UTC().Format(time.RFC3339),
-		UpdatedAt:     c.UpdatedAt.UTC().Format(time.RFC3339),
+		ID:                 c.ID.String(),
+		CredentialProvider: c.Provider,
+		Kind:               c.Kind,
+		SchemaVersion:      c.SchemaVersion,
+		Name:               c.Name,
+		ScopeKind:          c.ScopeKind,
+		ScopeVersion:       c.ScopeVersion,
+		Scope:              dto.RawJSON(c.Scope),
+		AccountID:          c.AccountID,
+		Region:             c.Region,
+		CreatedAt:          c.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:          c.UpdatedAt.UTC().Format(time.RFC3339),
 	}
 }
--- a/internal/handlers/dns.go
+++ b/internal/handlers/dns.go
@@ -166,7 +166,6 @@ func mustSameOrgDomainWithCredential(db *gorm.DB, orgID uuid.UUID, credID uuid.U
 //	@Summary		List domains (org scoped)
 //	@Description	Returns domains for X-Org-ID. Filters: `domain_name`, `status`, `q` (contains).
 //	@Tags			DNS
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			domain_name	query		string	false	"Exact domain name (lowercase, no trailing dot)"
@@ -213,21 +212,20 @@ func ListDomains(db *gorm.DB) http.HandlerFunc {

 // GetDomain godoc
 //
-//	@ID				GetDomain
-//	@Summary		Get a domain (org scoped)
-//	@Tags			DNS
-//	@Accept			json
-//	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			id			path	string	true	"Domain ID (UUID)"
-//	@Success		200			{object}	dto.DomainResponse
-//	@Failure		401			{string}	string	"Unauthorized"
-//	@Failure		403			{string}	string	"organization required"
-//	@Failure		404			{string}	string	"not found"
-//	@Router			/dns/domains/{id} [get]
-//	@Security		BearerAuth
-//	@Security		OrgKeyAuth
-//	@Security		OrgSecretAuth
+//	@ID			GetDomain
+//	@Summary	Get a domain (org scoped)
+//	@Tags		DNS
+//	@Produce	json
+//	@Param		X-Org-ID	header		string	false	"Organization UUID"
+//	@Param		id			path		string	true	"Domain ID (UUID)"
+//	@Success	200			{object}	dto.DomainResponse
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Router		/dns/domains/{id} [get]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func GetDomain(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -261,7 +259,7 @@ func GetDomain(db *gorm.DB) http.HandlerFunc {
 //	@Tags			DNS
 //	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Param			X-Org-ID	header		string					false	"Organization UUID"
 //	@Param			body		body		dto.CreateDomainRequest	true	"Domain payload"
 //	@Success		201			{object}	dto.DomainResponse
 //	@Failure		400			{string}	string	"validation error"
@@ -312,22 +310,22 @@ func CreateDomain(db *gorm.DB) http.HandlerFunc {

 // UpdateDomain godoc
 //
-//	@ID				UpdateDomain
-//	@Summary		Update a domain (org scoped)
-//	@Tags			DNS
-//	@Accept			json
-//	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			id			path	string	true	"Domain ID (UUID)"
-//	@Param			body		body	dto.UpdateDomainRequest true "Fields to update"
-//	@Success		200			{object} dto.DomainResponse
-//	@Failure		400			{string} string "validation error"
-//	@Failure		403			{string} string "organization required"
-//	@Failure		404			{string} string "not found"
-//	@Router			/dns/domains/{id} [patch]
-//	@Security		BearerAuth
-//	@Security		OrgKeyAuth
-//	@Security		OrgSecretAuth
+//	@ID			UpdateDomain
+//	@Summary	Update a domain (org scoped)
+//	@Tags		DNS
+//	@Accept		json
+//	@Produce	json
+//	@Param		X-Org-ID	header		string					false	"Organization UUID"
+//	@Param		id			path		string					true	"Domain ID (UUID)"
+//	@Param		body		body		dto.UpdateDomainRequest	true	"Fields to update"
+//	@Success	200			{object}	dto.DomainResponse
+//	@Failure	400			{string}	string	"validation error"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Router		/dns/domains/{id} [patch]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func UpdateDomain(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -390,20 +388,19 @@ func UpdateDomain(db *gorm.DB) http.HandlerFunc {

 // DeleteDomain godoc
 //
-//	@ID				DeleteDomain
-//	@Summary		Delete a domain
-//	@Tags			DNS
-//	@Accept			json
-//	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			id			path	string	true	"Domain ID (UUID)"
-//	@Success		204
-//	@Failure		403			{string}	string	"organization required"
-//	@Failure		404			{string}	string	"not found"
-//	@Router			/dns/domains/{id} [delete]
-//	@Security		BearerAuth
-//	@Security		OrgKeyAuth
-//	@Security		OrgSecretAuth
+//	@ID			DeleteDomain
+//	@Summary	Delete a domain
+//	@Tags		DNS
+//	@Produce	json
+//	@Param		X-Org-ID	header	string	false	"Organization UUID"
+//	@Param		id			path	string	true	"Domain ID (UUID)"
+//	@Success	204
+//	@Failure	403	{string}	string	"organization required"
+//	@Failure	404	{string}	string	"not found"
+//	@Router		/dns/domains/{id} [delete]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func DeleteDomain(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -437,13 +434,12 @@ func DeleteDomain(db *gorm.DB) http.HandlerFunc {
 //	@Summary		List record sets for a domain
 //	@Description	Filters: `name`, `type`, `status`.
 //	@Tags			DNS
-//	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			domain_id	path	string	true	"Domain ID (UUID)"
-//	@Param			name		query	string	false	"Exact relative name or FQDN (server normalizes)"
-//	@Param			type		query	string	false	"RR type (A, AAAA, CNAME, TXT, MX, NS, SRV, CAA)"
-//	@Param			status		query	string	false	"pending|provisioning|ready|failed"
+//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Param			domain_id	path		string	true	"Domain ID (UUID)"
+//	@Param			name		query		string	false	"Exact relative name or FQDN (server normalizes)"
+//	@Param			type		query		string	false	"RR type (A, AAAA, CNAME, TXT, MX, NS, SRV, CAA)"
+//	@Param			status		query		string	false	"pending|provisioning|ready|failed"
 //	@Success		200			{array}		dto.RecordSetResponse
 //	@Failure		403			{string}	string	"organization required"
 //	@Failure		404			{string}	string	"domain not found"
@@ -509,22 +505,22 @@ func ListRecordSets(db *gorm.DB) http.HandlerFunc {

 // CreateRecordSet godoc
 //
-//	@ID				CreateRecordSet
-//	@Summary		Create a record set (pending; Archer will UPSERT to Route 53)
-//	@Tags			DNS
-//	@Accept			json
-//	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			domain_id	path	string	true	"Domain ID (UUID)"
-//	@Param			body		body	dto.CreateRecordSetRequest true "Record set payload"
-//	@Success		201			{object} dto.RecordSetResponse
-//	@Failure		400			{string} string "validation error"
-//	@Failure		403			{string} string "organization required"
-//	@Failure		404			{string} string "domain not found"
-//	@Router			/dns/domains/{domain_id}/records [post]
-//	@Security		BearerAuth
-//	@Security		OrgKeyAuth
-//	@Security		OrgSecretAuth
+//	@ID			CreateRecordSet
+//	@Summary	Create a record set (pending; Archer will UPSERT to Route 53)
+//	@Tags		DNS
+//	@Accept		json
+//	@Produce	json
+//	@Param		X-Org-ID	header		string						false	"Organization UUID"
+//	@Param		domain_id	path		string						true	"Domain ID (UUID)"
+//	@Param		body		body		dto.CreateRecordSetRequest	true	"Record set payload"
+//	@Success	201			{object}	dto.RecordSetResponse
+//	@Failure	400			{string}	string	"validation error"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"domain not found"
+//	@Router		/dns/domains/{domain_id}/records [post]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func CreateRecordSet(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -610,22 +606,22 @@ func CreateRecordSet(db *gorm.DB) http.HandlerFunc {

 // UpdateRecordSet godoc
 //
-//	@ID				UpdateRecordSet
-//	@Summary		Update a record set (flips to pending for reconciliation)
-//	@Tags			DNS
-//	@Accept			json
-//	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			id			path	string	true	"Record Set ID (UUID)"
-//	@Param			body		body	dto.UpdateRecordSetRequest true "Fields to update"
-//	@Success		200			{object} dto.RecordSetResponse
-//	@Failure		400			{string} string "validation error"
-//	@Failure		403			{string} string "organization required"
-//	@Failure		404			{string} string "not found"
-//	@Router			/dns/records/{id} [patch]
-//	@Security		BearerAuth
-//	@Security		OrgKeyAuth
-//	@Security		OrgSecretAuth
+//	@ID			UpdateRecordSet
+//	@Summary	Update a record set (flips to pending for reconciliation)
+//	@Tags		DNS
+//	@Accept		json
+//	@Produce	json
+//	@Param		X-Org-ID	header		string						false	"Organization UUID"
+//	@Param		id			path		string						true	"Record Set ID (UUID)"
+//	@Param		body		body		dto.UpdateRecordSetRequest	true	"Fields to update"
+//	@Success	200			{object}	dto.RecordSetResponse
+//	@Failure	400			{string}	string	"validation error"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Router		/dns/records/{id} [patch]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func UpdateRecordSet(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
@@ -720,20 +716,19 @@ func UpdateRecordSet(db *gorm.DB) http.HandlerFunc {

 // DeleteRecordSet godoc
 //
-//	@ID				DeleteRecordSet
-//	@Summary		Delete a record set (API removes row; worker can optionally handle external deletion policy)
-//	@Tags			DNS
-//	@Accept			json
-//	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			id			path	string	true	"Record Set ID (UUID)"
-//	@Success		204
-//	@Failure		403			{string}	string	"organization required"
-//	@Failure		404			{string}	string	"not found"
-//	@Router			/dns/records/{id} [delete]
-//	@Security		BearerAuth
-//	@Security		OrgKeyAuth
-//	@Security		OrgSecretAuth
+//	@ID			DeleteRecordSet
+//	@Summary	Delete a record set (API removes row; worker can optionally handle external deletion policy)
+//	@Tags		DNS
+//	@Produce	json
+//	@Param		X-Org-ID	header	string	false	"Organization UUID"
+//	@Param		id			path	string	true	"Record Set ID (UUID)"
+//	@Success	204
+//	@Failure	403	{string}	string	"organization required"
+//	@Failure	404	{string}	string	"not found"
+//	@Router		/dns/records/{id} [delete]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
 func DeleteRecordSet(db *gorm.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
--- a/internal/handlers/dto/clusters.go
+++ b/internal/handlers/dto/clusters.go
@@ -7,28 +7,63 @@ import (
 )

 type ClusterResponse struct {
-	ID                  uuid.UUID          `json:"id"`
-	Name                string             `json:"name"`
-	Provider            string             `json:"provider"`
-	Region              string             `json:"region"`
-	Status              string             `json:"status"`
-	CaptainDomain       string             `json:"captain_domain"`
-	ClusterLoadBalancer string             `json:"cluster_load_balancer"`
-	RandomToken         string             `json:"random_token"`
-	CertificateKey      string             `json:"certificate_key"`
-	ControlLoadBalancer string             `json:"control_load_balancer"`
-	NodePools           []NodePoolResponse `json:"node_pools,omitempty"`
-	BastionServer       *ServerResponse    `json:"bastion_server,omitempty"`
-	CreatedAt           time.Time          `json:"created_at"`
-	UpdatedAt           time.Time          `json:"updated_at"`
+	ID                    uuid.UUID             `json:"id"`
+	Name                  string                `json:"name"`
+	CaptainDomain         *DomainResponse       `json:"captain_domain,omitempty"`
+	ControlPlaneRecordSet *RecordSetResponse    `json:"control_plane_record_set,omitempty"`
+	ControlPlaneFQDN      *string               `json:"control_plane_fqdn,omitempty"`
+	AppsLoadBalancer      *LoadBalancerResponse `json:"apps_load_balancer,omitempty"`
+	GlueOpsLoadBalancer   *LoadBalancerResponse `json:"glueops_load_balancer,omitempty"`
+	BastionServer         *ServerResponse       `json:"bastion_server,omitempty"`
+	Provider              string                `json:"cluster_provider"`
+	Region                string                `json:"region"`
+	Status                string                `json:"status"`
+	LastError             string                `json:"last_error"`
+	RandomToken           string                `json:"random_token"`
+	CertificateKey        string                `json:"certificate_key"`
+	NodePools             []NodePoolResponse    `json:"node_pools,omitempty"`
+	DockerImage           string                `json:"docker_image"`
+	DockerTag             string                `json:"docker_tag"`
+	CreatedAt             time.Time             `json:"created_at"`
+	UpdatedAt             time.Time             `json:"updated_at"`
 }

 type CreateClusterRequest struct {
-	Name                string  `json:"name"`
-	Provider            string  `json:"provider"`
-	Region              string  `json:"region"`
-	Status              string  `json:"status"`
-	CaptainDomain       string  `json:"captain_domain"`
-	ClusterLoadBalancer *string `json:"cluster_load_balancer"`
-	ControlLoadBalancer *string `json:"control_load_balancer"`
+	Name            string `json:"name"`
+	ClusterProvider string `json:"cluster_provider"`
+	Region          string `json:"region"`
+	DockerImage     string `json:"docker_image"`
+	DockerTag       string `json:"docker_tag"`
+}
+
+type UpdateClusterRequest struct {
+	Name            *string `json:"name,omitempty"`
+	ClusterProvider *string `json:"cluster_provider,omitempty"`
+	Region          *string `json:"region,omitempty"`
+	DockerImage     *string `json:"docker_image,omitempty"`
+	DockerTag       *string `json:"docker_tag,omitempty"`
+}
+
+type AttachCaptainDomainRequest struct {
+	DomainID uuid.UUID `json:"domain_id"`
+}
+
+type AttachRecordSetRequest struct {
+	RecordSetID uuid.UUID `json:"record_set_id"`
+}
+
+type AttachLoadBalancerRequest struct {
+	LoadBalancerID uuid.UUID `json:"load_balancer_id"`
+}
+
+type AttachBastionRequest struct {
+	ServerID uuid.UUID `json:"server_id"`
+}
+
+type SetKubeconfigRequest struct {
+	Kubeconfig string `json:"kubeconfig"`
+}
+
+type AttachNodePoolRequest struct {
+	NodePoolID uuid.UUID `json:"node_pool_id"`
 }
--- a/internal/handlers/dto/credentials.go
+++ b/internal/handlers/dto/credentials.go
@@ -97,16 +97,16 @@ var ScopeRegistry = map[string]map[string]map[int]ScopeDef{

 // CreateCredentialRequest represents the POST /credentials payload
 type CreateCredentialRequest struct {
-	Provider      string  `json:"provider" validate:"required,oneof=aws cloudflare hetzner digitalocean generic"`
-	Kind          string  `json:"kind" validate:"required"`                 // aws_access_key, api_token, basic_auth, oauth2
-	SchemaVersion int     `json:"schema_version" validate:"required,gte=1"` // secret schema version
-	Name          string  `json:"name" validate:"omitempty,max=100"`        // human label
-	ScopeKind     string  `json:"scope_kind" validate:"required,oneof=provider service resource"`
-	ScopeVersion  int     `json:"scope_version" validate:"required,gte=1"`        // scope schema version
-	Scope         RawJSON `json:"scope" validate:"required" swaggertype:"object"` // {"service":"route53"} or {"arn":"..."}
-	AccountID     string  `json:"account_id,omitempty" validate:"omitempty,max=32"`
-	Region        string  `json:"region,omitempty" validate:"omitempty,max=32"`
-	Secret        RawJSON `json:"secret" validate:"required" swaggertype:"object"` // encrypted later
+	CredentialProvider string  `json:"credential_provider" validate:"required,oneof=aws cloudflare hetzner digitalocean generic"`
+	Kind               string  `json:"kind" validate:"required"`                 // aws_access_key, api_token, basic_auth, oauth2
+	SchemaVersion      int     `json:"schema_version" validate:"required,gte=1"` // secret schema version
+	Name               string  `json:"name" validate:"omitempty,max=100"`        // human label
+	ScopeKind          string  `json:"scope_kind" validate:"required,oneof=credential_provider service resource"`
+	ScopeVersion       int     `json:"scope_version" validate:"required,gte=1"`        // scope schema version
+	Scope              RawJSON `json:"scope" validate:"required" swaggertype:"object"` // {"service":"route53"} or {"arn":"..."}
+	AccountID          string  `json:"account_id,omitempty" validate:"omitempty,max=32"`
+	Region             string  `json:"region,omitempty" validate:"omitempty,max=32"`
+	Secret             RawJSON `json:"secret" validate:"required" swaggertype:"object"` // encrypted later
 }

 // UpdateCredentialRequest represents PATCH /credentials/{id}
@@ -123,16 +123,16 @@ type UpdateCredentialRequest struct {

 // CredentialOut is what we return (no secrets)
 type CredentialOut struct {
-	ID            string  `json:"id"`
-	Provider      string  `json:"provider"`
-	Kind          string  `json:"kind"`
-	SchemaVersion int     `json:"schema_version"`
-	Name          string  `json:"name"`
-	ScopeKind     string  `json:"scope_kind"`
-	ScopeVersion  int     `json:"scope_version"`
-	Scope         RawJSON `json:"scope" swaggertype:"object"`
-	AccountID     string  `json:"account_id,omitempty"`
-	Region        string  `json:"region,omitempty"`
-	CreatedAt     string  `json:"created_at"`
-	UpdatedAt     string  `json:"updated_at"`
+	ID                 string  `json:"id"`
+	CredentialProvider string  `json:"credential_provider"`
+	Kind               string  `json:"kind"`
+	SchemaVersion      int     `json:"schema_version"`
+	Name               string  `json:"name"`
+	ScopeKind          string  `json:"scope_kind"`
+	ScopeVersion       int     `json:"scope_version"`
+	Scope              RawJSON `json:"scope" swaggertype:"object"`
+	AccountID          string  `json:"account_id,omitempty"`
+	Region             string  `json:"region,omitempty"`
+	CreatedAt          string  `json:"created_at"`
+	UpdatedAt          string  `json:"updated_at"`
 }
--- a/internal/handlers/dto/load_balancers.go
+++ b/internal/handlers/dto/load_balancers.go
@@ -0,0 +1,32 @@
+package dto
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type LoadBalancerResponse struct {
+	ID               uuid.UUID `json:"id"`
+	OrganizationID   uuid.UUID `json:"organization_id"`
+	Name             string    `json:"name"`
+	Kind             string    `json:"kind"`
+	PublicIPAddress  string    `json:"public_ip_address"`
+	PrivateIPAddress string    `json:"private_ip_address"`
+	CreatedAt        time.Time `json:"created_at"`
+	UpdatedAt        time.Time `json:"updated_at"`
+}
+
+type CreateLoadBalancerRequest struct {
+	Name             string `json:"name" example:"glueops"`
+	Kind             string `json:"kind" example:"public" enums:"glueops,public"`
+	PublicIPAddress  string `json:"public_ip_address" example:"8.8.8.8"`
+	PrivateIPAddress string `json:"private_ip_address" example:"192.168.0.2"`
+}
+
+type UpdateLoadBalancerRequest struct {
+	Name             *string `json:"name" example:"glue"`
+	Kind             *string `json:"kind" example:"public" enums:"glueops,public"`
+	PublicIPAddress  *string `json:"public_ip_address" example:"8.8.8.8"`
+	PrivateIPAddress *string `json:"private_ip_address" example:"192.168.0.2"`
+}
--- a/internal/handlers/health.go
+++ b/internal/handlers/health.go
@@ -16,7 +16,6 @@ type HealthStatus struct {
 //	@Description	Returns 200 OK when the service is up
 //	@Tags			Health
 //	@ID				HealthCheck               // operationId
-//	@Accept			json
 //	@Produce		json
 //	@Success		200	{object}	HealthStatus
 //	@Router			/healthz [get]
--- a/internal/handlers/jobs.go
+++ b/internal/handlers/jobs.go
@@ -25,7 +25,6 @@ import (
 //	@Summary		List Archer jobs (admin)
 //	@Description	Paginated background jobs with optional filters. Search `q` may match id, type, error, payload (implementation-dependent).
 //	@Tags			ArcherAdmin
-//	@Accept			json
 //	@Produce		json
 //	@Param			status		query		string	false	"Filter by status"	Enums(queued,running,succeeded,failed,canceled,retrying,scheduled)
 //	@Param			queue		query		string	false	"Filter by queue name / worker name"
@@ -283,7 +282,6 @@ func AdminCancelArcherJob(db *gorm.DB) http.HandlerFunc {
 //	@Summary		List Archer queues (admin)
 //	@Description	Summary metrics per queue (pending, running, failed, scheduled).
 //	@Tags			ArcherAdmin
-//	@Accept			json
 //	@Produce		json
 //	@Success		200	{array}		dto.QueueInfo
 //	@Failure		401	{string}	string	"Unauthorized"
--- a/internal/handlers/labels.go
+++ b/internal/handlers/labels.go
@@ -22,7 +22,6 @@ import (
 //	@Summary		List node labels (org scoped)
 //	@Description	Returns node labels for the organization in X-Org-ID. Filters: `key`, `value`, and `q` (key contains). Add `include=node_pools` to include linked node groups.
 //	@Tags			Labels
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			key			query		string	false	"Exact key"
@@ -74,7 +73,6 @@ func ListLabels(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Get label by ID (org scoped)
 //	@Description	Returns one label.
 //	@Tags			Labels
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			id			path		string	true	"Label ID (UUID)"
@@ -253,11 +251,10 @@ func UpdateLabel(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Delete label (org scoped)
 //	@Description	Permanently deletes the label.
 //	@Tags			Labels
-//	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header		string	false	"Organization UUID"
-//	@Param			id			path		string	true	"Label ID (UUID)"
-//	@Success		204			{string}	string	"No Content"
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Label ID (UUID)"
+//	@Success		204			"No Content"
 //	@Failure		400			{string}	string	"invalid id"
 //	@Failure		401			{string}	string	"Unauthorized"
 //	@Failure		403			{string}	string	"organization required"
--- a/internal/handlers/load_balancers.go
+++ b/internal/handlers/load_balancers.go
@@ -0,0 +1,286 @@
+package handlers
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/glueops/autoglue/internal/api/httpmiddleware"
+	"github.com/glueops/autoglue/internal/handlers/dto"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/glueops/autoglue/internal/utils"
+	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+// ListLoadBalancers godoc
+//
+//	@ID				ListLoadBalancers
+//	@Summary		List load balancers (org scoped)
+//	@Description	Returns load balancers for the organization in X-Org-ID.
+//	@Tags			LoadBalancers
+//	@Produce		json
+//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Success		200			{array}		dto.LoadBalancerResponse
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		500			{string}	string	"failed to list clusters"
+//	@Router			/load-balancers [get]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func ListLoadBalancers(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		var rows []models.LoadBalancer
+		if err := db.Where("organization_id = ?", orgID).Find(&rows).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+		out := make([]dto.LoadBalancerResponse, 0, len(rows))
+		for _, row := range rows {
+			out = append(out, loadBalancerOut(&row))
+		}
+		utils.WriteJSON(w, http.StatusOK, out)
+	}
+}
+
+// GetLoadBalancer godoc
+//
+//	@ID				GetLoadBalancers
+//	@Summary		Get a load balancer (org scoped)
+//	@Description	Returns load balancer for the organization in X-Org-ID.
+//	@Tags			LoadBalancers
+//	@Produce		json
+//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Param			id			path		string	true	"LoadBalancer ID (UUID)"
+//	@Success		200			{array}		dto.LoadBalancerResponse
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		500			{string}	string	"failed to list clusters"
+//	@Router			/load-balancers/{id} [get]
+//	@Security		BearerAuth
+//	@Security		OrgKeyAuth
+//	@Security		OrgSecretAuth
+func GetLoadBalancer(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid UUID")
+			return
+		}
+
+		var row models.LoadBalancer
+		if err := db.Where("id = ? AND organization_id = ?", id, orgID).First(&row).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "not_found", "load balancer not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", "db error")
+			return
+		}
+		out := loadBalancerOut(&row)
+		utils.WriteJSON(w, http.StatusOK, out)
+	}
+}
+
+// CreateLoadBalancer godoc
+//
+//	@ID			CreateLoadBalancer
+//	@Summary	Create a load balancer
+//	@Tags		LoadBalancers
+//	@Accept		json
+//	@Produce	json
+//	@Param		X-Org-ID	header		string							false	"Organization UUID"
+//	@Param		body		body		dto.CreateLoadBalancerRequest	true	"Record set payload"
+//	@Success	201			{object}	dto.LoadBalancerResponse
+//	@Failure	400			{string}	string	"validation error"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"domain not found"
+//	@Router		/load-balancers [post]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
+func CreateLoadBalancer(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		var in dto.CreateLoadBalancerRequest
+		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_json", err.Error())
+			return
+		}
+
+		if strings.ToLower(in.Kind) != "glueops" && strings.ToLower(in.Kind) != "public" {
+			fmt.Println(in.Kind)
+			utils.WriteError(w, http.StatusBadRequest, "bad_kind", "invalid kind only 'glueops' or 'public'")
+			return
+		}
+
+		row := &models.LoadBalancer{
+			OrganizationID:   orgID,
+			Name:             in.Name,
+			Kind:             strings.ToLower(in.Kind),
+			PublicIPAddress:  in.PublicIPAddress,
+			PrivateIPAddress: in.PrivateIPAddress,
+		}
+		if err := db.Create(row).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		utils.WriteJSON(w, http.StatusCreated, loadBalancerOut(row))
+	}
+}
+
+// UpdateLoadBalancer godoc
+//
+//	@ID			UpdateLoadBalancer
+//	@Summary	Update a load balancer (org scoped)
+//	@Tags		LoadBalancers
+//	@Accept		json
+//	@Produce	json
+//	@Param		X-Org-ID	header		string							false	"Organization UUID"
+//	@Param		id			path		string							true	"Load Balancer ID (UUID)"
+//	@Param		body		body		dto.UpdateLoadBalancerRequest	true	"Fields to update"
+//	@Success	200			{object}	dto.LoadBalancerResponse
+//	@Failure	400			{string}	string	"validation error"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Router		/load-balancers/{id} [patch]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
+func UpdateLoadBalancer(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid UUID")
+			return
+		}
+
+		row := &models.LoadBalancer{}
+		if err := db.Where("organization_id = ? AND id = ?", orgID, id).First(&row).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "not_found", "load balancer not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+
+		var in dto.UpdateLoadBalancerRequest
+		if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_json", err.Error())
+			return
+		}
+		if in.Name != nil {
+			row.Name = *in.Name
+		}
+		if in.Kind != nil {
+			fmt.Println(*in.Kind)
+			if strings.ToLower(*in.Kind) != "glueops" && strings.ToLower(*in.Kind) != "public" {
+				utils.WriteError(w, http.StatusBadRequest, "bad_kind", "invalid kind only 'glueops' or 'public'")
+				return
+			}
+			row.Kind = strings.ToLower(*in.Kind)
+		}
+		if in.PublicIPAddress != nil {
+			row.PublicIPAddress = *in.PublicIPAddress
+		}
+		if in.PrivateIPAddress != nil {
+			row.PrivateIPAddress = *in.PrivateIPAddress
+		}
+		if err := db.Save(row).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		utils.WriteJSON(w, http.StatusOK, loadBalancerOut(row))
+
+	}
+}
+
+// DeleteLoadBalancer godoc
+//
+//	@ID			DeleteLoadBalancer
+//	@Summary	Delete a load balancer
+//	@Tags		LoadBalancers
+//	@Produce	json
+//	@Param		X-Org-ID	header	string	false	"Organization UUID"
+//	@Param		id			path	string	true	"Load Balancer ID (UUID)"
+//	@Success	204
+//	@Failure	403	{string}	string	"organization required"
+//	@Failure	404	{string}	string	"not found"
+//	@Router		/load-balancers/{id} [delete]
+//	@Security	BearerAuth
+//	@Security	OrgKeyAuth
+//	@Security	OrgSecretAuth
+func DeleteLoadBalancer(db *gorm.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		orgID, ok := httpmiddleware.OrgIDFrom(r.Context())
+		if !ok {
+			utils.WriteError(w, http.StatusForbidden, "org_required", "specify X-Org-ID")
+			return
+		}
+
+		id, err := uuid.Parse(chi.URLParam(r, "id"))
+		if err != nil {
+			utils.WriteError(w, http.StatusBadRequest, "bad_id", "invalid UUID")
+			return
+		}
+
+		row := &models.LoadBalancer{}
+		if err := db.Where("organization_id = ? AND id = ?", orgID, id).First(&row).Error; err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				utils.WriteError(w, http.StatusNotFound, "not_found", "load balancer not found")
+				return
+			}
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+
+		if err := db.Delete(row).Error; err != nil {
+			utils.WriteError(w, http.StatusInternalServerError, "db_error", err.Error())
+			return
+		}
+		w.WriteHeader(http.StatusNoContent)
+	}
+}
+
+// ---------- Out mappers ----------
+
+func loadBalancerOut(m *models.LoadBalancer) dto.LoadBalancerResponse {
+	return dto.LoadBalancerResponse{
+		ID:               m.ID,
+		OrganizationID:   m.OrganizationID,
+		Name:             m.Name,
+		Kind:             m.Kind,
+		PublicIPAddress:  m.PublicIPAddress,
+		PrivateIPAddress: m.PrivateIPAddress,
+		CreatedAt:        m.CreatedAt.UTC(),
+		UpdatedAt:        m.UpdatedAt.UTC(),
+	}
+}
--- a/internal/handlers/node_pools.go
+++ b/internal/handlers/node_pools.go
@@ -25,14 +25,13 @@ import (
 //	@Summary		List node pools (org scoped)
 //	@Description	Returns node pools for the organization in X-Org-ID.
 //	@Tags			NodePools
-//	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			q			query	string	false	"Name contains (case-insensitive)"
-//	@Success		200	{array}		dto.NodePoolResponse
-//	@Failure		401	{string}	string	"Unauthorized"
-//	@Failure		403	{string}	string	"organization required"
-//	@Failure		500	{string}	string	"failed to list node pools"
+//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Param			q			query		string	false	"Name contains (case-insensitive)"
+//	@Success		200			{array}		dto.NodePoolResponse
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		500			{string}	string	"failed to list node pools"
 //	@Router			/node-pools [get]
 //	@Security		BearerAuth
 //	@Security		OrgKeyAuth
@@ -145,16 +144,15 @@ func ListNodePools(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Get node pool by ID (org scoped)
 //	@Description	Returns one node pool. Add `include=servers` to include servers.
 //	@Tags			NodePools
-//	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header	string	false	"Organization UUID"
-//	@Param			id			path	string	true	"Node Pool ID (UUID)"
-//	@Success		200	{object}	dto.NodePoolResponse
-//	@Failure		400	{string}	string	"invalid id"
-//	@Failure		401	{string}	string	"Unauthorized"
-//	@Failure		403	{string}	string	"organization required"
-//	@Failure		404	{string}	string	"not found"
-//	@Failure		500	{string}	string	"fetch failed"
+//	@Param			X-Org-ID	header		string	false	"Organization UUID"
+//	@Param			id			path		string	true	"Node Pool ID (UUID)"
+//	@Success		200			{object}	dto.NodePoolResponse
+//	@Failure		400			{string}	string	"invalid id"
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		404			{string}	string	"not found"
+//	@Failure		500			{string}	string	"fetch failed"
 //	@Router			/node-pools/{id} [get]
 //	@Security		BearerAuth
 //	@Security		OrgKeyAuth
@@ -194,13 +192,13 @@ func GetNodePool(db *gorm.DB) http.HandlerFunc {
 //	@Tags			NodePools
 //	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header	string					false	"Organization UUID"
-//	@Param			body		body	dto.CreateNodePoolRequest	true	"NodePool payload"
-//	@Success		201	{object}	dto.NodePoolResponse
-//	@Failure		400	{string}	string	"invalid json / missing fields / invalid server_ids"
-//	@Failure		401	{string}	string	"Unauthorized"
-//	@Failure		403	{string}	string	"organization required"
-//	@Failure		500	{string}	string	"create failed"
+//	@Param			X-Org-ID	header		string						false	"Organization UUID"
+//	@Param			body		body		dto.CreateNodePoolRequest	true	"NodePool payload"
+//	@Success		201			{object}	dto.NodePoolResponse
+//	@Failure		400			{string}	string	"invalid json / missing fields / invalid server_ids"
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		500			{string}	string	"create failed"
 //	@Router			/node-pools [post]
 //	@Security		BearerAuth
 //	@Security		OrgKeyAuth
@@ -257,15 +255,15 @@ func CreateNodePool(db *gorm.DB) http.HandlerFunc {
 //	@Tags			NodePools
 //	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header	string					false	"Organization UUID"
-//	@Param			id			path	string					true	"Node Pool ID (UUID)"
-//	@Param			body		body	dto.UpdateNodePoolRequest	true	"Fields to update"
-//	@Success		200	{object}	dto.NodePoolResponse
-//	@Failure		400	{string}	string	"invalid id / invalid json"
-//	@Failure		401	{string}	string	"Unauthorized"
-//	@Failure		403	{string}	string	"organization required"
-//	@Failure		404	{string}	string	"not found"
-//	@Failure		500	{string}	string	"update failed"
+//	@Param			X-Org-ID	header		string						false	"Organization UUID"
+//	@Param			id			path		string						true	"Node Pool ID (UUID)"
+//	@Param			body		body		dto.UpdateNodePoolRequest	true	"Fields to update"
+//	@Success		200			{object}	dto.NodePoolResponse
+//	@Failure		400			{string}	string	"invalid id / invalid json"
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		404			{string}	string	"not found"
+//	@Failure		500			{string}	string	"update failed"
 //	@Router			/node-pools/{id} [patch]
 //	@Security		BearerAuth
 //	@Security		OrgKeyAuth
@@ -327,15 +325,14 @@ func UpdateNodePool(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Delete node pool (org scoped)
 //	@Description	Permanently deletes the node pool.
 //	@Tags			NodePools
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header	string	false	"Organization UUID"
 //	@Param			id			path	string	true	"Node Pool ID (UUID)"
-//	@Success		204	{string}	string	"No Content"
-//	@Failure		400	{string}	string	"invalid id"
-//	@Failure		401	{string}	string	"Unauthorized"
-//	@Failure		403	{string}	string	"organization required"
-//	@Failure		500	{string}	string	"delete failed"
+//	@Success		204			"No Content"
+//	@Failure		400			{string}	string	"invalid id"
+//	@Failure		401			{string}	string	"Unauthorized"
+//	@Failure		403			{string}	string	"organization required"
+//	@Failure		500			{string}	string	"delete failed"
 //	@Router			/node-pools/{id} [delete]
 //	@Security		BearerAuth
 //	@Security		OrgKeyAuth
@@ -369,16 +366,15 @@ func DeleteNodePool(db *gorm.DB) http.HandlerFunc {
 //	@ID			ListNodePoolServers
 //	@Summary	List servers attached to a node pool (org scoped)
 //	@Tags		NodePools
-//	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string	false	"Organization UUID"
-//	@Param		id			path	string	true	"Node Pool ID (UUID)"
-//	@Success	200	{array}		dto.ServerResponse
-//	@Failure	400	{string}	string	"invalid id"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"fetch failed"
+//	@Param		X-Org-ID	header		string	false	"Organization UUID"
+//	@Param		id			path		string	true	"Node Pool ID (UUID)"
+//	@Success	200			{array}		dto.ServerResponse
+//	@Failure	400			{string}	string	"invalid id"
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Failure	500			{string}	string	"fetch failed"
 //	@Router		/node-pools/{id}/servers [get]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -434,15 +430,15 @@ func ListNodePoolServers(db *gorm.DB) http.HandlerFunc {
 //	@Tags		NodePools
 //	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string					false	"Organization UUID"
-//	@Param		id			path	string					true	"Node Pool ID (UUID)"
-//	@Param		body		body	dto.AttachServersRequest	true	"Server IDs to attach"
-//	@Success	204	{string}	string	"No Content"
-//	@Failure	400	{string}	string	"invalid id / invalid server_ids"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"attach failed"
+//	@Param		X-Org-ID	header		string						false	"Organization UUID"
+//	@Param		id			path		string						true	"Node Pool ID (UUID)"
+//	@Param		body		body		dto.AttachServersRequest	true	"Server IDs to attach"
+//	@Success	204			{string}	string						"No Content"
+//	@Failure	400			{string}	string						"invalid id / invalid server_ids"
+//	@Failure	401			{string}	string						"Unauthorized"
+//	@Failure	403			{string}	string						"organization required"
+//	@Failure	404			{string}	string						"not found"
+//	@Failure	500			{string}	string						"attach failed"
 //	@Router		/node-pools/{id}/servers [post]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -521,17 +517,16 @@ func AttachNodePoolServers(db *gorm.DB) http.HandlerFunc {
 //	@ID			DetachNodePoolServer
 //	@Summary	Detach one server from a node pool (org scoped)
 //	@Tags		NodePools
-//	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string	false	"Organization UUID"
-//	@Param		id			path	string	true	"Node Pool ID (UUID)"
-//	@Param		serverId	path	string	true	"Server ID (UUID)"
-//	@Success	204	{string}	string	"No Content"
-//	@Failure	400	{string}	string	"invalid id"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"detach failed"
+//	@Param		X-Org-ID	header		string	false	"Organization UUID"
+//	@Param		id			path		string	true	"Node Pool ID (UUID)"
+//	@Param		serverId	path		string	true	"Server ID (UUID)"
+//	@Success	204			{string}	string	"No Content"
+//	@Failure	400			{string}	string	"invalid id"
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Failure	500			{string}	string	"detach failed"
 //	@Router		/node-pools/{id}/servers/{serverId} [delete]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -588,16 +583,15 @@ func DetachNodePoolServer(db *gorm.DB) http.HandlerFunc {
 //	@ID			ListNodePoolTaints
 //	@Summary	List taints attached to a node pool (org scoped)
 //	@Tags		NodePools
-//	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string	false	"Organization UUID"
-//	@Param		id			path	string	true	"Node Pool ID (UUID)"
-//	@Success	200	{array}		dto.TaintResponse
-//	@Failure	400	{string}	string	"invalid id"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"fetch failed"
+//	@Param		X-Org-ID	header		string	false	"Organization UUID"
+//	@Param		id			path		string	true	"Node Pool ID (UUID)"
+//	@Success	200			{array}		dto.TaintResponse
+//	@Failure	400			{string}	string	"invalid id"
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Failure	500			{string}	string	"fetch failed"
 //	@Router		/node-pools/{id}/taints [get]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -646,15 +640,15 @@ func ListNodePoolTaints(db *gorm.DB) http.HandlerFunc {
 //	@Tags		NodePools
 //	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string					false	"Organization UUID"
-//	@Param		id			path	string					true	"Node Pool ID (UUID)"
-//	@Param		body		body	dto.AttachTaintsRequest	true	"Taint IDs to attach"
-//	@Success	204	{string}	string	"No Content"
-//	@Failure	400	{string}	string	"invalid id / invalid taint_ids"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"attach failed"
+//	@Param		X-Org-ID	header		string					false	"Organization UUID"
+//	@Param		id			path		string					true	"Node Pool ID (UUID)"
+//	@Param		body		body		dto.AttachTaintsRequest	true	"Taint IDs to attach"
+//	@Success	204			{string}	string					"No Content"
+//	@Failure	400			{string}	string					"invalid id / invalid taint_ids"
+//	@Failure	401			{string}	string					"Unauthorized"
+//	@Failure	403			{string}	string					"organization required"
+//	@Failure	404			{string}	string					"not found"
+//	@Failure	500			{string}	string					"attach failed"
 //	@Router		/node-pools/{id}/taints [post]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -730,17 +724,16 @@ func AttachNodePoolTaints(db *gorm.DB) http.HandlerFunc {
 //	@ID			DetachNodePoolTaint
 //	@Summary	Detach one taint from a node pool (org scoped)
 //	@Tags		NodePools
-//	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string	false	"Organization UUID"
-//	@Param		id			path	string	true	"Node Pool ID (UUID)"
-//	@Param		taintId	path	string	true	"Taint ID (UUID)"
-//	@Success	204	{string}	string	"No Content"
-//	@Failure	400	{string}	string	"invalid id"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"detach failed"
+//	@Param		X-Org-ID	header		string	false	"Organization UUID"
+//	@Param		id			path		string	true	"Node Pool ID (UUID)"
+//	@Param		taintId		path		string	true	"Taint ID (UUID)"
+//	@Success	204			{string}	string	"No Content"
+//	@Failure	400			{string}	string	"invalid id"
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Failure	500			{string}	string	"detach failed"
 //	@Router		/node-pools/{id}/taints/{taintId} [delete]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -798,16 +791,15 @@ func DetachNodePoolTaint(db *gorm.DB) http.HandlerFunc {
 //	@ID			ListNodePoolLabels
 //	@Summary	List labels attached to a node pool (org scoped)
 //	@Tags		NodePools
-//	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string	false	"Organization UUID"
-//	@Param		id			path	string	true	"Label Pool ID (UUID)"
-//	@Success	200	{array}		dto.LabelResponse
-//	@Failure	400	{string}	string	"invalid id"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"fetch failed"
+//	@Param		X-Org-ID	header		string	false	"Organization UUID"
+//	@Param		id			path		string	true	"Label Pool ID (UUID)"
+//	@Success	200			{array}		dto.LabelResponse
+//	@Failure	400			{string}	string	"invalid id"
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Failure	500			{string}	string	"fetch failed"
 //	@Router		/node-pools/{id}/labels [get]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -859,15 +851,15 @@ func ListNodePoolLabels(db *gorm.DB) http.HandlerFunc {
 //	@Tags		NodePools
 //	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string					false	"Organization UUID"
-//	@Param		id			path	string					true	"Node Pool ID (UUID)"
-//	@Param		body		body	dto.AttachLabelsRequest	true	"Label IDs to attach"
-//	@Success	204	{string}	string	"No Content"
-//	@Failure	400	{string}	string	"invalid id / invalid server_ids"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"attach failed"
+//	@Param		X-Org-ID	header		string					false	"Organization UUID"
+//	@Param		id			path		string					true	"Node Pool ID (UUID)"
+//	@Param		body		body		dto.AttachLabelsRequest	true	"Label IDs to attach"
+//	@Success	204			{string}	string					"No Content"
+//	@Failure	400			{string}	string					"invalid id / invalid server_ids"
+//	@Failure	401			{string}	string					"Unauthorized"
+//	@Failure	403			{string}	string					"organization required"
+//	@Failure	404			{string}	string					"not found"
+//	@Failure	500			{string}	string					"attach failed"
 //	@Router		/node-pools/{id}/labels [post]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -940,17 +932,16 @@ func AttachNodePoolLabels(db *gorm.DB) http.HandlerFunc {
 //	@ID			DetachNodePoolLabel
 //	@Summary	Detach one label from a node pool (org scoped)
 //	@Tags		NodePools
-//	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string	false	"Organization UUID"
-//	@Param		id			path	string	true	"Node Pool ID (UUID)"
-//	@Param		labelId	path	string	true	"Label ID (UUID)"
-//	@Success	204	{string}	string	"No Content"
-//	@Failure	400	{string}	string	"invalid id"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"detach failed"
+//	@Param		X-Org-ID	header		string	false	"Organization UUID"
+//	@Param		id			path		string	true	"Node Pool ID (UUID)"
+//	@Param		labelId		path		string	true	"Label ID (UUID)"
+//	@Success	204			{string}	string	"No Content"
+//	@Failure	400			{string}	string	"invalid id"
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Failure	500			{string}	string	"detach failed"
 //	@Router		/node-pools/{id}/labels/{labelId} [delete]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -1008,16 +999,15 @@ func DetachNodePoolLabel(db *gorm.DB) http.HandlerFunc {
 //	@ID			ListNodePoolAnnotations
 //	@Summary	List annotations attached to a node pool (org scoped)
 //	@Tags		NodePools
-//	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string	false	"Organization UUID"
-//	@Param		id			path	string	true	"Node Pool ID (UUID)"
-//	@Success	200	{array}		dto.AnnotationResponse
-//	@Failure	400	{string}	string	"invalid id"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"fetch failed"
+//	@Param		X-Org-ID	header		string	false	"Organization UUID"
+//	@Param		id			path		string	true	"Node Pool ID (UUID)"
+//	@Success	200			{array}		dto.AnnotationResponse
+//	@Failure	400			{string}	string	"invalid id"
+//	@Failure	401			{string}	string	"Unauthorized"
+//	@Failure	403			{string}	string	"organization required"
+//	@Failure	404			{string}	string	"not found"
+//	@Failure	500			{string}	string	"fetch failed"
 //	@Router		/node-pools/{id}/annotations [get]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -1069,15 +1059,15 @@ func ListNodePoolAnnotations(db *gorm.DB) http.HandlerFunc {
 //	@Tags		NodePools
 //	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string					false	"Organization UUID"
-//	@Param		id			path	string					true	"Node Group ID (UUID)"
-//	@Param		body		body	dto.AttachAnnotationsRequest	true	"Annotation IDs to attach"
-//	@Success	204	{string}	string	"No Content"
-//	@Failure	400	{string}	string	"invalid id / invalid server_ids"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"attach failed"
+//	@Param		X-Org-ID	header		string							false	"Organization UUID"
+//	@Param		id			path		string							true	"Node Group ID (UUID)"
+//	@Param		body		body		dto.AttachAnnotationsRequest	true	"Annotation IDs to attach"
+//	@Success	204			{string}	string							"No Content"
+//	@Failure	400			{string}	string							"invalid id / invalid server_ids"
+//	@Failure	401			{string}	string							"Unauthorized"
+//	@Failure	403			{string}	string							"organization required"
+//	@Failure	404			{string}	string							"not found"
+//	@Failure	500			{string}	string							"attach failed"
 //	@Router		/node-pools/{id}/annotations [post]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
@@ -1151,17 +1141,16 @@ func AttachNodePoolAnnotations(db *gorm.DB) http.HandlerFunc {
 //	@ID			DetachNodePoolAnnotation
 //	@Summary	Detach one annotation from a node pool (org scoped)
 //	@Tags		NodePools
-//	@Accept		json
 //	@Produce	json
-//	@Param		X-Org-ID	header	string	false	"Organization UUID"
-//	@Param		id			path	string	true	"Node Pool ID (UUID)"
-//	@Param		annotationId	path	string	true	"Annotation ID (UUID)"
-//	@Success	204	{string}	string	"No Content"
-//	@Failure	400	{string}	string	"invalid id"
-//	@Failure	401	{string}	string	"Unauthorized"
-//	@Failure	403	{string}	string	"organization required"
-//	@Failure	404	{string}	string	"not found"
-//	@Failure	500	{string}	string	"detach failed"
+//	@Param		X-Org-ID		header		string	false	"Organization UUID"
+//	@Param		id				path		string	true	"Node Pool ID (UUID)"
+//	@Param		annotationId	path		string	true	"Annotation ID (UUID)"
+//	@Success	204				{string}	string	"No Content"
+//	@Failure	400				{string}	string	"invalid id"
+//	@Failure	401				{string}	string	"Unauthorized"
+//	@Failure	403				{string}	string	"organization required"
+//	@Failure	404				{string}	string	"not found"
+//	@Failure	500				{string}	string	"detach failed"
 //	@Router		/node-pools/{id}/annotations/{annotationId} [delete]
 //	@Security	BearerAuth
 //	@Security	OrgKeyAuth
--- a/internal/handlers/node_pools_test.go
+++ b/internal/handlers/node_pools_test.go
@@ -0,0 +1,381 @@
+package handlers
+
+import (
+	"os"
+	"testing"
+
+	"github.com/glueops/autoglue/internal/common"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/glueops/autoglue/internal/testutil/pgtest"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+func TestMain(m *testing.M) {
+	code := m.Run()
+	pgtest.Stop()
+	os.Exit(code)
+}
+
+func TestParseUUIDs_Success(t *testing.T) {
+	u1 := uuid.New()
+	u2 := uuid.New()
+
+	got, err := parseUUIDs([]string{u1.String(), u2.String()})
+	if err != nil {
+		t.Fatalf("parseUUIDs returned error: %v", err)
+	}
+	if len(got) != 2 {
+		t.Fatalf("expected 2 UUIDs, got %d", len(got))
+	}
+	if got[0] != u1 || got[1] != u2 {
+		t.Fatalf("unexpected UUIDs: got=%v", got)
+	}
+}
+
+func TestParseUUIDs_Invalid(t *testing.T) {
+	_, err := parseUUIDs([]string{"not-a-uuid"})
+	if err == nil {
+		t.Fatalf("expected error for invalid UUID, got nil")
+	}
+}
+
+// --- ensureServersBelongToOrg ---
+
+func TestEnsureServersBelongToOrg_AllBelong(t *testing.T) {
+	db := pgtest.DB(t)
+
+	org := models.Organization{Name: "org-a"}
+	if err := db.Create(&org).Error; err != nil {
+		t.Fatalf("create org: %v", err)
+	}
+
+	sshKey := createTestSshKey(t, db, org.ID, "org-a-key")
+
+	s1 := models.Server{
+		OrganizationID: org.ID,
+		Hostname:       "srv-1",
+		SSHUser:        "ubuntu",
+		SshKeyID:       sshKey.ID,
+		Role:           "worker",
+		Status:         "pending",
+	}
+	s2 := models.Server{
+		OrganizationID: org.ID,
+		Hostname:       "srv-2",
+		SSHUser:        "ubuntu",
+		SshKeyID:       sshKey.ID,
+		Role:           "worker",
+		Status:         "pending",
+	}
+
+	if err := db.Create(&s1).Error; err != nil {
+		t.Fatalf("create server 1: %v", err)
+	}
+	if err := db.Create(&s2).Error; err != nil {
+		t.Fatalf("create server 2: %v", err)
+	}
+
+	ids := []uuid.UUID{s1.ID, s2.ID}
+	if err := ensureServersBelongToOrg(org.ID, ids, db); err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+}
+
+func TestEnsureServersBelongToOrg_ForeignOrgFails(t *testing.T) {
+	db := pgtest.DB(t)
+
+	orgA := models.Organization{Name: "org-a"}
+	orgB := models.Organization{Name: "org-b"}
+
+	if err := db.Create(&orgA).Error; err != nil {
+		t.Fatalf("create orgA: %v", err)
+	}
+	if err := db.Create(&orgB).Error; err != nil {
+		t.Fatalf("create orgB: %v", err)
+	}
+
+	sshKeyA := createTestSshKey(t, db, orgA.ID, "org-a-key")
+	sshKeyB := createTestSshKey(t, db, orgB.ID, "org-b-key")
+
+	s1 := models.Server{
+		OrganizationID: orgA.ID,
+		Hostname:       "srv-a-1",
+		SSHUser:        "ubuntu",
+		SshKeyID:       sshKeyA.ID,
+		Role:           "worker",
+		Status:         "pending",
+	}
+	s2 := models.Server{
+		OrganizationID: orgB.ID,
+		Hostname:       "srv-b-1",
+		SSHUser:        "ubuntu",
+		SshKeyID:       sshKeyB.ID,
+		Role:           "worker",
+		Status:         "pending",
+	}
+
+	if err := db.Create(&s1).Error; err != nil {
+		t.Fatalf("create server s1: %v", err)
+	}
+	if err := db.Create(&s2).Error; err != nil {
+		t.Fatalf("create server s2: %v", err)
+	}
+
+	ids := []uuid.UUID{s1.ID, s2.ID}
+	if err := ensureServersBelongToOrg(orgA.ID, ids, db); err == nil {
+		t.Fatalf("expected error when one server belongs to a different org")
+	}
+}
+
+// --- ensureTaintsBelongToOrg ---
+
+func TestEnsureTaintsBelongToOrg_AllBelong(t *testing.T) {
+	db := pgtest.DB(t)
+
+	org := models.Organization{Name: "org-taints"}
+	if err := db.Create(&org).Error; err != nil {
+		t.Fatalf("create org: %v", err)
+	}
+
+	t1 := models.Taint{
+		OrganizationID: org.ID,
+		Key:            "key1",
+		Value:          "val1",
+		Effect:         "NoSchedule",
+	}
+	t2 := models.Taint{
+		OrganizationID: org.ID,
+		Key:            "key2",
+		Value:          "val2",
+		Effect:         "PreferNoSchedule",
+	}
+
+	if err := db.Create(&t1).Error; err != nil {
+		t.Fatalf("create taint 1: %v", err)
+	}
+	if err := db.Create(&t2).Error; err != nil {
+		t.Fatalf("create taint 2: %v", err)
+	}
+
+	ids := []uuid.UUID{t1.ID, t2.ID}
+	if err := ensureTaintsBelongToOrg(org.ID, ids, db); err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+}
+
+func TestEnsureTaintsBelongToOrg_ForeignOrgFails(t *testing.T) {
+	db := pgtest.DB(t)
+
+	orgA := models.Organization{Name: "org-a"}
+	orgB := models.Organization{Name: "org-b"}
+	if err := db.Create(&orgA).Error; err != nil {
+		t.Fatalf("create orgA: %v", err)
+	}
+	if err := db.Create(&orgB).Error; err != nil {
+		t.Fatalf("create orgB: %v", err)
+	}
+
+	t1 := models.Taint{
+		OrganizationID: orgA.ID,
+		Key:            "key1",
+		Value:          "val1",
+		Effect:         "NoSchedule",
+	}
+	t2 := models.Taint{
+		OrganizationID: orgB.ID,
+		Key:            "key2",
+		Value:          "val2",
+		Effect:         "NoSchedule",
+	}
+
+	if err := db.Create(&t1).Error; err != nil {
+		t.Fatalf("create taint 1: %v", err)
+	}
+	if err := db.Create(&t2).Error; err != nil {
+		t.Fatalf("create taint 2: %v", err)
+	}
+
+	ids := []uuid.UUID{t1.ID, t2.ID}
+	if err := ensureTaintsBelongToOrg(orgA.ID, ids, db); err == nil {
+		t.Fatalf("expected error when a taint belongs to another org")
+	}
+}
+
+// --- ensureLabelsBelongToOrg ---
+
+func TestEnsureLabelsBelongToOrg_AllBelong(t *testing.T) {
+	db := pgtest.DB(t)
+
+	org := models.Organization{Name: "org-labels"}
+	if err := db.Create(&org).Error; err != nil {
+		t.Fatalf("create org: %v", err)
+	}
+
+	l1 := models.Label{
+		AuditFields: common.AuditFields{
+			OrganizationID: org.ID,
+		},
+		Key:   "env",
+		Value: "dev",
+	}
+	l2 := models.Label{
+		AuditFields: common.AuditFields{
+			OrganizationID: org.ID,
+		},
+		Key:   "env",
+		Value: "prod",
+	}
+
+	if err := db.Create(&l1).Error; err != nil {
+		t.Fatalf("create label 1: %v", err)
+	}
+	if err := db.Create(&l2).Error; err != nil {
+		t.Fatalf("create label 2: %v", err)
+	}
+
+	ids := []uuid.UUID{l1.ID, l2.ID}
+	if err := ensureLabelsBelongToOrg(org.ID, ids, db); err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+}
+
+func TestEnsureLabelsBelongToOrg_ForeignOrgFails(t *testing.T) {
+	db := pgtest.DB(t)
+
+	orgA := models.Organization{Name: "org-a"}
+	orgB := models.Organization{Name: "org-b"}
+	if err := db.Create(&orgA).Error; err != nil {
+		t.Fatalf("create orgA: %v", err)
+	}
+	if err := db.Create(&orgB).Error; err != nil {
+		t.Fatalf("create orgB: %v", err)
+	}
+
+	l1 := models.Label{
+		AuditFields: common.AuditFields{
+			OrganizationID: orgA.ID,
+		},
+		Key:   "env",
+		Value: "dev",
+	}
+	l2 := models.Label{
+		AuditFields: common.AuditFields{
+			OrganizationID: orgB.ID,
+		},
+		Key:   "env",
+		Value: "prod",
+	}
+
+	if err := db.Create(&l1).Error; err != nil {
+		t.Fatalf("create label 1: %v", err)
+	}
+	if err := db.Create(&l2).Error; err != nil {
+		t.Fatalf("create label 2: %v", err)
+	}
+
+	ids := []uuid.UUID{l1.ID, l2.ID}
+	if err := ensureLabelsBelongToOrg(orgA.ID, ids, db); err == nil {
+		t.Fatalf("expected error when a label belongs to another org")
+	}
+}
+
+// --- ensureAnnotaionsBelongToOrg (typo in original name is preserved) ---
+
+func TestEnsureAnnotationsBelongToOrg_AllBelong(t *testing.T) {
+	db := pgtest.DB(t)
+
+	org := models.Organization{Name: "org-annotations"}
+	if err := db.Create(&org).Error; err != nil {
+		t.Fatalf("create org: %v", err)
+	}
+
+	a1 := models.Annotation{
+		AuditFields: common.AuditFields{
+			OrganizationID: org.ID,
+		},
+		Key:   "team",
+		Value: "core",
+	}
+	a2 := models.Annotation{
+		AuditFields: common.AuditFields{
+			OrganizationID: org.ID,
+		},
+		Key:   "team",
+		Value: "platform",
+	}
+
+	if err := db.Create(&a1).Error; err != nil {
+		t.Fatalf("create annotation 1: %v", err)
+	}
+	if err := db.Create(&a2).Error; err != nil {
+		t.Fatalf("create annotation 2: %v", err)
+	}
+
+	ids := []uuid.UUID{a1.ID, a2.ID}
+	if err := ensureAnnotaionsBelongToOrg(org.ID, ids, db); err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+}
+
+func TestEnsureAnnotationsBelongToOrg_ForeignOrgFails(t *testing.T) {
+	db := pgtest.DB(t)
+
+	orgA := models.Organization{Name: "org-a"}
+	orgB := models.Organization{Name: "org-b"}
+	if err := db.Create(&orgA).Error; err != nil {
+		t.Fatalf("create orgA: %v", err)
+	}
+	if err := db.Create(&orgB).Error; err != nil {
+		t.Fatalf("create orgB: %v", err)
+	}
+
+	a1 := models.Annotation{
+		AuditFields: common.AuditFields{
+			OrganizationID: orgA.ID,
+		},
+		Key:   "team",
+		Value: "core",
+	}
+	a2 := models.Annotation{
+		AuditFields: common.AuditFields{
+			OrganizationID: orgB.ID,
+		},
+		Key:   "team",
+		Value: "platform",
+	}
+
+	if err := db.Create(&a1).Error; err != nil {
+		t.Fatalf("create annotation 1: %v", err)
+	}
+	if err := db.Create(&a2).Error; err != nil {
+		t.Fatalf("create annotation 2: %v", err)
+	}
+
+	ids := []uuid.UUID{a1.ID, a2.ID}
+	if err := ensureAnnotaionsBelongToOrg(orgA.ID, ids, db); err == nil {
+		t.Fatalf("expected error when an annotation belongs to another org")
+	}
+}
+
+func createTestSshKey(t *testing.T, db *gorm.DB, orgID uuid.UUID, name string) models.SshKey {
+	t.Helper()
+
+	key := models.SshKey{
+		AuditFields: common.AuditFields{
+			OrganizationID: orgID,
+		},
+		Name:                name,
+		PublicKey:           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITestKey",
+		EncryptedPrivateKey: "encrypted",
+		PrivateIV:           "iv",
+		PrivateTag:          "tag",
+		Fingerprint:         "fp-" + name,
+	}
+
+	if err := db.Create(&key).Error; err != nil {
+		t.Fatalf("create ssh key %s: %v", name, err)
+	}
+
+	return key
+}
--- a/internal/handlers/servers.go
+++ b/internal/handlers/servers.go
@@ -22,7 +22,6 @@ import (
 //	@Summary		List servers (org scoped)
 //	@Description	Returns servers for the organization in X-Org-ID. Optional filters: status, role.
 //	@Tags			Servers
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			status		query		string	false	"Filter by status (pending|provisioning|ready|failed)"
@@ -89,7 +88,6 @@ func ListServers(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Get server by ID (org scoped)
 //	@Description	Returns one server in the given organization.
 //	@Tags			Servers
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			id			path		string	true	"Server ID (UUID)"
@@ -329,11 +327,10 @@ func UpdateServer(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Delete server (org scoped)
 //	@Description	Permanently deletes the server.
 //	@Tags			Servers
-//	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header		string	false	"Organization UUID"
-//	@Param			id			path		string	true	"Server ID (UUID)"
-//	@Success		204			{string}	string	"No Content"
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Server ID (UUID)"
+//	@Success		204			"No Content"
 //	@Failure		400			{string}	string	"invalid id"
 //	@Failure		401			{string}	string	"Unauthorized"
 //	@Failure		403			{string}	string	"organization required"
--- a/internal/handlers/servers_test.go
+++ b/internal/handlers/servers_test.go
@@ -0,0 +1,78 @@
+package handlers
+
+import (
+	"testing"
+
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/glueops/autoglue/internal/testutil/pgtest"
+	"github.com/google/uuid"
+)
+
+func TestValidStatus(t *testing.T) {
+	// known-good statuses from servers.go
+	valid := []string{"pending", "provisioning", "ready", "failed"}
+	for _, s := range valid {
+		if !validStatus(s) {
+			t.Errorf("expected validStatus(%q) = true, got false", s)
+		}
+	}
+
+	invalid := []string{"foobar", "unknown"}
+	for _, s := range invalid {
+		if validStatus(s) {
+			t.Errorf("expected validStatus(%q) = false, got true", s)
+		}
+	}
+}
+
+func TestEnsureKeyBelongsToOrg_Success(t *testing.T) {
+	db := pgtest.DB(t)
+
+	org := models.Organization{Name: "servers-org"}
+	if err := db.Create(&org).Error; err != nil {
+		t.Fatalf("create org: %v", err)
+	}
+
+	key := createTestSshKey(t, db, org.ID, "org-key")
+
+	if err := ensureKeyBelongsToOrg(org.ID, key.ID, db); err != nil {
+		t.Fatalf("expected no error, got %v", err)
+	}
+}
+
+func TestEnsureKeyBelongsToOrg_WrongOrg(t *testing.T) {
+	db := pgtest.DB(t)
+
+	orgA := models.Organization{Name: "org-a"}
+	orgB := models.Organization{Name: "org-b"}
+
+	if err := db.Create(&orgA).Error; err != nil {
+		t.Fatalf("create orgA: %v", err)
+	}
+	if err := db.Create(&orgB).Error; err != nil {
+		t.Fatalf("create orgB: %v", err)
+	}
+
+	keyA := createTestSshKey(t, db, orgA.ID, "org-a-key")
+
+	// ask for orgB with a key that belongs to orgA → should fail
+	if err := ensureKeyBelongsToOrg(orgB.ID, keyA.ID, db); err == nil {
+		t.Fatalf("expected error when ssh key belongs to a different org, got nil")
+	}
+}
+
+func TestEnsureKeyBelongsToOrg_NotFound(t *testing.T) {
+	db := pgtest.DB(t)
+
+	org := models.Organization{Name: "org-nokey"}
+	if err := db.Create(&org).Error; err != nil {
+		t.Fatalf("create org: %v", err)
+	}
+
+	// random keyID that doesn't exist
+	randomKeyID := uuid.New()
+
+	if err := ensureKeyBelongsToOrg(org.ID, randomKeyID, db); err == nil {
+		t.Fatalf("expected error when ssh key does not exist, got nil")
+	}
+}
--- a/internal/handlers/ssh_keys.go
+++ b/internal/handlers/ssh_keys.go
@@ -31,7 +31,6 @@ import (
 //	@Summary		List ssh keys (org scoped)
 //	@Description	Returns ssh keys for the organization in X-Org-ID.
 //	@Tags			Ssh
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Success		200			{array}		dto.SshResponse
@@ -189,7 +188,6 @@ func CreateSSHKey(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Get ssh key by ID (org scoped)
 //	@Description	Returns public key fields. Append `?reveal=true` to include the private key PEM.
 //	@Tags			Ssh
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			id			path		string	true	"SSH Key ID (UUID)"
@@ -283,11 +281,10 @@ func GetSSHKey(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Delete ssh keypair (org scoped)
 //	@Description	Permanently deletes a keypair.
 //	@Tags			Ssh
-//	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header		string	false	"Organization UUID"
-//	@Param			id			path		string	true	"SSH Key ID (UUID)"
-//	@Success		204			{string}	string	"No Content"
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"SSH Key ID (UUID)"
+//	@Success		204			"No Content"
 //	@Failure		400			{string}	string	"invalid id"
 //	@Failure		401			{string}	string	"Unauthorized"
 //	@Failure		403			{string}	string	"organization required"
--- a/internal/handlers/taints.go
+++ b/internal/handlers/taints.go
@@ -22,7 +22,6 @@ import (
 //	@Summary		List node pool taints (org scoped)
 //	@Description	Returns node taints for the organization in X-Org-ID. Filters: `key`, `value`, and `q` (key contains). Add `include=node_pools` to include linked node pools.
 //	@Tags			Taints
-//	@Accept			json
 //	@Produce		json
 //	@Param			X-Org-ID	header		string	false	"Organization UUID"
 //	@Param			key			query		string	false	"Exact key"
@@ -70,7 +69,6 @@ func ListTaints(db *gorm.DB) http.HandlerFunc {
 //	@ID			GetTaint
 //	@Summary	Get node taint by ID (org scoped)
 //	@Tags		Taints
-//	@Accept		json
 //	@Produce	json
 //	@Param		X-Org-ID	header		string	false	"Organization UUID"
 //	@Param		id			path		string	true	"Node Taint ID (UUID)"
@@ -279,11 +277,10 @@ func UpdateTaint(db *gorm.DB) http.HandlerFunc {
 //	@Summary		Delete taint (org scoped)
 //	@Description	Permanently deletes the taint.
 //	@Tags			Taints
-//	@Accept			json
 //	@Produce		json
-//	@Param			X-Org-ID	header		string	false	"Organization UUID"
-//	@Param			id			path		string	true	"Node Taint ID (UUID)"
-//	@Success		204			{string}	string	"No Content"
+//	@Param			X-Org-ID	header	string	false	"Organization UUID"
+//	@Param			id			path	string	true	"Node Taint ID (UUID)"
+//	@Success		204			"No Content"
 //	@Failure		400			{string}	string	"invalid id"
 //	@Failure		401			{string}	string	"Unauthorized"
 //	@Failure		403			{string}	string	"organization required"
--- a/internal/handlers/version.go
+++ b/internal/handlers/version.go
@@ -30,7 +30,6 @@ type VersionResponse struct {
 //	@Description	Returns build/runtime metadata for the running service.
 //	@Tags			Meta
 //	@ID				Version                 // operationId
-//	@Accept			json
 //	@Produce		json
 //	@Success		200	{object}	VersionResponse
 //	@Router			/version [get]
--- a/internal/mapper/cluster.go
+++ b/internal/mapper/cluster.go
@@ -0,0 +1,182 @@
+package mapper
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/glueops/autoglue/internal/common"
+	"github.com/glueops/autoglue/internal/handlers/dto"
+	"github.com/glueops/autoglue/internal/models"
+	"github.com/google/uuid"
+)
+
+func ClusterToDTO(c models.Cluster) dto.ClusterResponse {
+	var bastion *dto.ServerResponse
+	if c.BastionServer != nil {
+		b := ServerToDTO(*c.BastionServer)
+		bastion = &b
+	}
+
+	var captainDomain *dto.DomainResponse
+	if c.CaptainDomainID != nil && c.CaptainDomain.ID != uuid.Nil {
+		dr := DomainToDTO(c.CaptainDomain)
+		captainDomain = &dr
+	}
+
+	var controlPlane *dto.RecordSetResponse
+	if c.ControlPlaneRecordSet != nil {
+		rr := RecordSetToDTO(*c.ControlPlaneRecordSet)
+		controlPlane = &rr
+	}
+
+	var cfqdn *string
+	if captainDomain != nil && controlPlane != nil {
+		fq := fmt.Sprintf("%s.%s", controlPlane.Name, captainDomain.DomainName)
+		cfqdn = &fq
+	}
+
+	var appsLB *dto.LoadBalancerResponse
+	if c.AppsLoadBalancer != nil {
+		lr := LoadBalancerToDTO(*c.AppsLoadBalancer)
+		appsLB = &lr
+	}
+
+	var glueOpsLB *dto.LoadBalancerResponse
+	if c.GlueOpsLoadBalancer != nil {
+		lr := LoadBalancerToDTO(*c.GlueOpsLoadBalancer)
+		glueOpsLB = &lr
+	}
+
+	nps := make([]dto.NodePoolResponse, 0, len(c.NodePools))
+	for _, np := range c.NodePools {
+		nps = append(nps, NodePoolToDTO(np))
+	}
+
+	return dto.ClusterResponse{
+		ID:                    c.ID,
+		Name:                  c.Name,
+		CaptainDomain:         captainDomain,
+		ControlPlaneRecordSet: controlPlane,
+		ControlPlaneFQDN:      cfqdn,
+		AppsLoadBalancer:      appsLB,
+		GlueOpsLoadBalancer:   glueOpsLB,
+		BastionServer:         bastion,
+		Provider:              c.Provider,
+		Region:                c.Region,
+		Status:                c.Status,
+		LastError:             c.LastError,
+		RandomToken:           c.RandomToken,
+		CertificateKey:        c.CertificateKey,
+		NodePools:             nps,
+		DockerImage:           c.DockerImage,
+		DockerTag:             c.DockerTag,
+		CreatedAt:             c.CreatedAt,
+		UpdatedAt:             c.UpdatedAt,
+	}
+}
+
+func NodePoolToDTO(np models.NodePool) dto.NodePoolResponse {
+	labels := make([]dto.LabelResponse, 0, len(np.Labels))
+	for _, l := range np.Labels {
+		labels = append(labels, dto.LabelResponse{
+			Key:   l.Key,
+			Value: l.Value,
+		})
+	}
+
+	annotations := make([]dto.AnnotationResponse, 0, len(np.Annotations))
+	for _, a := range np.Annotations {
+		annotations = append(annotations, dto.AnnotationResponse{
+			Key:   a.Key,
+			Value: a.Value,
+		})
+	}
+
+	taints := make([]dto.TaintResponse, 0, len(np.Taints))
+	for _, t := range np.Taints {
+		taints = append(taints, dto.TaintResponse{
+			Key:    t.Key,
+			Value:  t.Value,
+			Effect: t.Effect,
+		})
+	}
+
+	servers := make([]dto.ServerResponse, 0, len(np.Servers))
+	for _, s := range np.Servers {
+		servers = append(servers, ServerToDTO(s))
+	}
+
+	return dto.NodePoolResponse{
+		AuditFields: common.AuditFields{
+			ID:             np.ID,
+			OrganizationID: np.OrganizationID,
+			CreatedAt:      np.CreatedAt,
+			UpdatedAt:      np.UpdatedAt,
+		},
+		Name:        np.Name,
+		Role:        dto.NodeRole(np.Role),
+		Labels:      labels,
+		Annotations: annotations,
+		Taints:      taints,
+		Servers:     servers,
+	}
+}
+
+func ServerToDTO(s models.Server) dto.ServerResponse {
+	return dto.ServerResponse{
+		ID:               s.ID,
+		Hostname:         s.Hostname,
+		PrivateIPAddress: s.PrivateIPAddress,
+		PublicIPAddress:  s.PublicIPAddress,
+		Role:             s.Role,
+		Status:           s.Status,
+		SSHUser:          s.SSHUser,
+		SshKeyID:         s.SshKeyID,
+		CreatedAt:        s.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:        s.UpdatedAt.UTC().Format(time.RFC3339),
+	}
+}
+
+func DomainToDTO(d models.Domain) dto.DomainResponse {
+	return dto.DomainResponse{
+		ID:             d.ID.String(),
+		OrganizationID: d.OrganizationID.String(),
+		DomainName:     d.DomainName,
+		ZoneID:         d.ZoneID,
+		Status:         d.Status,
+		LastError:      d.LastError,
+		CredentialID:   d.CredentialID.String(),
+		CreatedAt:      d.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:      d.UpdatedAt.UTC().Format(time.RFC3339),
+	}
+}
+
+func RecordSetToDTO(rs models.RecordSet) dto.RecordSetResponse {
+	return dto.RecordSetResponse{
+		ID:          rs.ID.String(),
+		DomainID:    rs.DomainID.String(),
+		Name:        rs.Name,
+		Type:        rs.Type,
+		TTL:         rs.TTL,
+		Values:      []byte(rs.Values),
+		Fingerprint: rs.Fingerprint,
+		Status:      rs.Status,
+		Owner:       rs.Owner,
+		LastError:   rs.LastError,
+		CreatedAt:   rs.CreatedAt.UTC().Format(time.RFC3339),
+		UpdatedAt:   rs.UpdatedAt.UTC().Format(time.RFC3339),
+	}
+}
+
+func LoadBalancerToDTO(lb models.LoadBalancer) dto.LoadBalancerResponse {
+	return dto.LoadBalancerResponse{
+		ID:               lb.ID,
+		OrganizationID:   lb.OrganizationID,
+		Name:             lb.Name,
+		Kind:             lb.Kind,
+		PublicIPAddress:  lb.PublicIPAddress,
+		PrivateIPAddress: lb.PrivateIPAddress,
+		CreatedAt:        lb.CreatedAt,
+		UpdatedAt:        lb.UpdatedAt,
+	}
+}
--- a/internal/models/cluster.go
+++ b/internal/models/cluster.go
@@ -6,28 +6,42 @@ import (
 	"github.com/google/uuid"
 )

+const (
+	ClusterStatusPrePending   = "pre_pending" // needs validation
+	ClusterStatusIncomplete   = "incomplete"  // invalid/missing shape
+	ClusterStatusPending      = "pending"     // valid shape, waiting for provisioning
+	ClusterStatusProvisioning = "provisioning"
+	ClusterStatusReady        = "ready"
+	ClusterStatusFailed       = "failed" // provisioning/runtime failure
+)
+
 type Cluster struct {
-	ID                  uuid.UUID    `gorm:"type:uuid;default:gen_random_uuid();primaryKey" json:"id"`
-	OrganizationID      uuid.UUID    `gorm:"type:uuid;not null" json:"organization_id"`
-	Organization        Organization `gorm:"foreignKey:OrganizationID;constraint:OnDelete:CASCADE" json:"organization"`
-	Name                string       `gorm:"not null" json:"name"`
-	Provider            string       `json:"provider"`
-	Region              string       `json:"region"`
-	Status              string       `json:"status"`
-	CaptainDomain       string       `gorm:"not null" json:"captain_domain"` // nonprod.earth.onglueops.rocks
-	AppsLoadBalancer    string       `json:"cluster_load_balancer"`          // {public_ip: 1.2.3.4, private_ip: 10.0.30.1, name: apps.CaqptainDomain}
-	GlueOpsLoadBalancer string       `json:"control_load_balancer"`          // {public_ip: 5.6.7.8, private_ip: 10.0.22.1, name: CaptainDomain}
-
-	ControlPlane string `json:"control_plane"` // <- dns cntlpn
-
-	RandomToken         string     `json:"random_token"`
-	CertificateKey      string     `json:"certificate_key"`
-	EncryptedKubeconfig string     `gorm:"type:text" json:"-"`
-	KubeIV              string     `json:"-"`
-	KubeTag             string     `json:"-"`
-	NodePools           []NodePool `gorm:"many2many:cluster_node_pools;constraint:OnDelete:CASCADE" json:"node_pools,omitempty"`
-	BastionServerID     *uuid.UUID `gorm:"type:uuid" json:"bastion_server_id,omitempty"`
-	BastionServer       *Server    `gorm:"foreignKey:BastionServerID" json:"bastion_server,omitempty"`
-	CreatedAt           time.Time  `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
-	UpdatedAt           time.Time  `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
+	ID                      uuid.UUID     `gorm:"type:uuid;default:gen_random_uuid();primaryKey" json:"id"`
+	OrganizationID          uuid.UUID     `gorm:"type:uuid;not null" json:"organization_id"`
+	Organization            Organization  `gorm:"foreignKey:OrganizationID;constraint:OnDelete:CASCADE" json:"organization"`
+	Name                    string        `gorm:"not null" json:"name"`
+	Provider                string        `json:"provider"`
+	Region                  string        `json:"region"`
+	Status                  string        `gorm:"type:varchar(20);not null;default:'pre_pending'" json:"status"`
+	LastError               string        `gorm:"type:text;not null;default:''" json:"last_error"`
+	CaptainDomainID         *uuid.UUID    `gorm:"type:uuid" json:"captain_domain_id"`
+	CaptainDomain           Domain        `gorm:"foreignKey:CaptainDomainID" json:"captain_domain"`
+	ControlPlaneRecordSetID *uuid.UUID    `gorm:"type:uuid" json:"control_plane_record_set_id,omitempty"`
+	ControlPlaneRecordSet   *RecordSet    `gorm:"foreignKey:ControlPlaneRecordSetID" json:"control_plane_record_set,omitempty"`
+	AppsLoadBalancerID      *uuid.UUID    `gorm:"type:uuid" json:"apps_load_balancer_id,omitempty"`
+	AppsLoadBalancer        *LoadBalancer `gorm:"foreignKey:AppsLoadBalancerID" json:"apps_load_balancer,omitempty"`
+	GlueOpsLoadBalancerID   *uuid.UUID    `gorm:"type:uuid" json:"glueops_load_balancer_id,omitempty"`
+	GlueOpsLoadBalancer     *LoadBalancer `gorm:"foreignKey:GlueOpsLoadBalancerID" json:"glueops_load_balancer,omitempty"`
+	BastionServerID         *uuid.UUID    `gorm:"type:uuid" json:"bastion_server_id,omitempty"`
+	BastionServer           *Server       `gorm:"foreignKey:BastionServerID" json:"bastion_server,omitempty"`
+	NodePools               []NodePool    `gorm:"many2many:cluster_node_pools;constraint:OnDelete:CASCADE" json:"node_pools,omitempty"`
+	RandomToken             string        `json:"random_token"`
+	CertificateKey          string        `json:"certificate_key"`
+	EncryptedKubeconfig     string        `gorm:"type:text" json:"-"`
+	KubeIV                  string        `json:"-"`
+	KubeTag                 string        `json:"-"`
+	DockerImage             string        `json:"docker_image"`
+	DockerTag               string        `json:"docker_tag"`
+	CreatedAt               time.Time     `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
+	UpdatedAt               time.Time     `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
 }
--- a/internal/models/load_balancer.go
+++ b/internal/models/load_balancer.go
@@ -0,0 +1,19 @@
+package models
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type LoadBalancer struct {
+	ID               uuid.UUID    `json:"id" gorm:"primaryKey;type:uuid;default:gen_random_uuid()"`
+	OrganizationID   uuid.UUID    `json:"organization_id" gorm:"type:uuid;index"`
+	Organization     Organization `json:"organization" gorm:"foreignKey:OrganizationID;constraint:OnDelete:CASCADE"`
+	Name             string       `json:"name" gorm:"not null"`
+	Kind             string       `json:"kind" gorm:"not null"`
+	PublicIPAddress  string       `json:"public_ip_address" gorm:"not null"`
+	PrivateIPAddress string       `json:"private_ip_address" gorm:"not null"`
+	CreatedAt        time.Time    `json:"created_at,omitempty" gorm:"type:timestamptz;column:created_at;not null;default:now()"`
+	UpdatedAt        time.Time    `json:"updated_at,omitempty" gorm:"type:timestamptz;autoUpdateTime;column:updated_at;not null;default:now()"`
+}
--- a/internal/testutil/pgtest/pgtest.go
+++ b/internal/testutil/pgtest/pgtest.go
@@ -0,0 +1,119 @@
+package pgtest
+
+import (
+	"fmt"
+	"log"
+	"sync"
+	"testing"
+	"time"
+
+	embeddedpostgres "github.com/fergusstrange/embedded-postgres"
+	"github.com/glueops/autoglue/internal/db"
+	"github.com/glueops/autoglue/internal/models"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+)
+
+var (
+	once    sync.Once
+	epg     *embeddedpostgres.EmbeddedPostgres
+	gdb     *gorm.DB
+	initErr error
+	dsn     string
+)
+
+// initDB is called once via sync.Once. It starts embedded Postgres,
+// opens a GORM connection and runs the same migrations as NewRuntime.
+func initDB() {
+	const port uint32 = 55432
+
+	cfg := embeddedpostgres.
+		DefaultConfig().
+		Database("autoglue_test").
+		Username("autoglue").
+		Password("autoglue").
+		Port(port).
+		StartTimeout(30 * time.Second)
+
+	epg = embeddedpostgres.NewDatabase(cfg)
+	if err := epg.Start(); err != nil {
+		initErr = fmt.Errorf("start embedded postgres: %w", err)
+		return
+	}
+
+	dsn = fmt.Sprintf(
+		"host=127.0.0.1 port=%d user=%s password=%s dbname=%s sslmode=disable",
+		port,
+		"autoglue",
+		"autoglue",
+		"autoglue_test",
+	)
+
+	dbConn, err := gorm.Open(postgres.Open(dsn), &gorm.Config{})
+	if err != nil {
+		initErr = fmt.Errorf("open gorm: %w", err)
+		return
+	}
+
+	// Use the same model list as app.NewRuntime so schema matches prod
+	if err := db.Run(
+		dbConn,
+		&models.Job{},
+		&models.MasterKey{},
+		&models.SigningKey{},
+		&models.User{},
+		&models.Organization{},
+		&models.Account{},
+		&models.Membership{},
+		&models.APIKey{},
+		&models.UserEmail{},
+		&models.RefreshToken{},
+		&models.OrganizationKey{},
+		&models.SshKey{},
+		&models.Server{},
+		&models.Taint{},
+		&models.Label{},
+		&models.Annotation{},
+		&models.NodePool{},
+		&models.Cluster{},
+		&models.Credential{},
+		&models.Domain{},
+		&models.RecordSet{},
+	); err != nil {
+		initErr = fmt.Errorf("migrate: %w", err)
+		return
+	}
+
+	gdb = dbConn
+}
+
+// DB returns a lazily-initialized *gorm.DB backed by embedded Postgres.
+//
+// Call this from any test that needs a real DB. If init fails, the test
+// will fail immediately with a clear message.
+func DB(t *testing.T) *gorm.DB {
+	t.Helper()
+	once.Do(initDB)
+	if initErr != nil {
+		t.Fatalf("failed to init embedded postgres: %v", initErr)
+	}
+	return gdb
+}
+
+// URL returns the DSN for the embedded Postgres instance, useful for code
+// that expects a DB URL (e.g. bg.NewJobs).
+func URL(t *testing.T) string {
+	t.Helper()
+	DB(t) // ensure initialized
+	return dsn
+}
+
+// Stop stops the embedded Postgres process. Call from TestMain in at
+// least one package, or let the OS clean it up on process exit.
+func Stop() {
+	if epg != nil {
+		if err := epg.Stop(); err != nil {
+			log.Printf("stop embedded postgres: %v", err)
+		}
+	}
+}
--- a/internal/web/dist/assets/index-52pog1DZ.js
+++ b/internal/web/dist/assets/index-52pog1DZ.js
--- a/internal/web/dist/assets/index-52pog1DZ.js.br
+++ b/internal/web/dist/assets/index-52pog1DZ.js.br
--- a/internal/web/dist/assets/index-52pog1DZ.js.gz
+++ b/internal/web/dist/assets/index-52pog1DZ.js.gz
--- a/internal/web/dist/assets/index-52pog1DZ.js.map
+++ b/internal/web/dist/assets/index-52pog1DZ.js.map
--- a/internal/web/dist/assets/index-CyGsiYei.js
+++ b/internal/web/dist/assets/index-CyGsiYei.js
--- a/internal/web/dist/assets/index-CyGsiYei.js.br
+++ b/internal/web/dist/assets/index-CyGsiYei.js.br
--- a/internal/web/dist/assets/index-CyGsiYei.js.gz
+++ b/internal/web/dist/assets/index-CyGsiYei.js.gz
--- a/internal/web/dist/assets/index-CyGsiYei.js.map
+++ b/internal/web/dist/assets/index-CyGsiYei.js.map
--- a/internal/web/dist/assets/index-VHZG0dIU.css
+++ b/internal/web/dist/assets/index-VHZG0dIU.css
--- a/internal/web/dist/assets/index-VHZG0dIU.css.br
+++ b/internal/web/dist/assets/index-VHZG0dIU.css.br
--- a/internal/web/dist/assets/index-VHZG0dIU.css.gz
+++ b/internal/web/dist/assets/index-VHZG0dIU.css.gz
--- a/internal/web/dist/assets/index-tX4seA_J.css
+++ b/internal/web/dist/assets/index-tX4seA_J.css
--- a/internal/web/dist/assets/index-tX4seA_J.css.br
+++ b/internal/web/dist/assets/index-tX4seA_J.css.br
--- a/internal/web/dist/assets/index-tX4seA_J.css.gz
+++ b/internal/web/dist/assets/index-tX4seA_J.css.gz
--- a/internal/web/dist/assets/react-B75e6Si-.js
+++ b/internal/web/dist/assets/react-B75e6Si-.js
--- a/internal/web/dist/assets/react-B75e6Si-.js.br
+++ b/internal/web/dist/assets/react-B75e6Si-.js.br
--- a/internal/web/dist/assets/react-B75e6Si-.js.gz
+++ b/internal/web/dist/assets/react-B75e6Si-.js.gz
--- a/internal/web/dist/assets/react-B75e6Si-.js.map
+++ b/internal/web/dist/assets/react-B75e6Si-.js.map
--- a/internal/web/dist/assets/react-Dt2M6tWj.js
+++ b/internal/web/dist/assets/react-Dt2M6tWj.js
--- a/internal/web/dist/assets/react-Dt2M6tWj.js.br
+++ b/internal/web/dist/assets/react-Dt2M6tWj.js.br
--- a/internal/web/dist/assets/react-Dt2M6tWj.js.gz
+++ b/internal/web/dist/assets/react-Dt2M6tWj.js.gz
--- a/internal/web/dist/assets/react-Dt2M6tWj.js.map
+++ b/internal/web/dist/assets/react-Dt2M6tWj.js.map
--- a/internal/web/dist/index.html
+++ b/internal/web/dist/index.html
@@ -5,9 +5,9 @@
    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>AutoGlue</title>
-    <script type="module" crossorigin src="/assets/index-52pog1DZ.js"></script>
-    <link rel="modulepreload" crossorigin href="/assets/react-B75e6Si-.js">
-    <link rel="stylesheet" crossorigin href="/assets/index-tX4seA_J.css">
+    <script type="module" crossorigin src="/assets/index-CyGsiYei.js"></script>
+    <link rel="modulepreload" crossorigin href="/assets/react-Dt2M6tWj.js">
+    <link rel="stylesheet" crossorigin href="/assets/index-VHZG0dIU.css">
  </head>
  <body>
    <div id="root"></div>
--- a/internal/web/dist/index.html.br
+++ b/internal/web/dist/index.html.br
--- a/internal/web/dist/index.html.gz
+++ b/internal/web/dist/index.html.gz
--- a/internal/web/static.go
+++ b/internal/web/static.go
@@ -67,7 +67,13 @@ func SPAHandler() (http.Handler, error) {
 			return
 		}

-		filePath := strings.TrimPrefix(path.Clean(r.URL.Path), "/")
+		raw := strings.TrimSpace(r.URL.Path)
+		if raw == "" || raw == "/" {
+			raw = "/index.html"
+		}
+
+		clean := path.Clean("/" + raw) // nosemgrep: autoglue.filesystem.no-path-clean
+		filePath := strings.TrimPrefix(clean, "/")
 		if filePath == "" {
 			filePath = "index.html"
 		}
--- a/main.go
+++ b/main.go
@@ -1,44 +1,46 @@
 package main

 import (
-	"os"
-
 	"github.com/glueops/autoglue/cmd"
 	"github.com/glueops/autoglue/docs"
-	"github.com/joho/godotenv"
+	"github.com/glueops/autoglue/internal/version"
 )

-//	@title			AutoGlue API
-//	@version		1.0
-//	@description	API for managing K3s clusters across cloud providers
+// @title AutoGlue API
+// @version dev
+// @description API for managing K3s clusters across cloud providers
+// @contact.name GlueOps

-//	@contact.name	GlueOps
+// @servers.url https://autoglue.glueopshosted.com/api/v1
+// @servers.description Production API
+// @servers.url https://autoglue.glueopshosted.rocks/api/v1
+// @servers.description Pre-Production API
+// @servers.url https://autoglue.apps.nonprod.earth.onglueops.rocks/api/v1
+// @servers.description Staging API
+// @servers.url http://localhost:8080/api/v1
+// @servers.description Local dev

-//	@BasePath	/api/v1
-//	@schemes	http https
+// @securityDefinitions.apikey BearerAuth
+// @in header
+// @name Authorization
+// @description Bearer token authentication

-//	@securityDefinitions.apikey	BearerAuth
-//	@in							header
-//	@name						Authorization
-//	@description				Bearer token authentication
+// @securityDefinitions.apikey ApiKeyAuth
+// @in header
+// @name X-API-KEY
+// @description	User API key

-//	@securityDefinitions.apikey	ApiKeyAuth
-//	@in							header
-//	@name						X-API-KEY
-//	@description				User API key
+// @securityDefinitions.apikey OrgKeyAuth
+// @in header
+// @name X-ORG-KEY
+// @description Org-level key/secret authentication

-//	@securityDefinitions.apikey	OrgKeyAuth
-//	@in							header
-//	@name						X-ORG-KEY
-//	@description				Org-level key/secret authentication
-
-//	@securityDefinitions.apikey	OrgSecretAuth
-//	@in							header
-//	@name						X-ORG-SECRET
-//	@description				Org-level secret
+// @securityDefinitions.apikey OrgSecretAuth
+// @in header
+// @name X-ORG-SECRET
+// @description	Org-level secret

 func main() {
-	_ = godotenv.Load()
-	docs.SwaggerInfo.Host = os.Getenv("SWAGGER_HOST")
+	docs.SwaggerInfo.Version = version.Version
 	cmd.Execute()
 }
--- a/postgres/Dockerfile
+++ b/postgres/Dockerfile
@@ -6,5 +6,4 @@ RUN cd /var/lib/postgresql/ && \
    openssl req -x509 -in server.req -text -key server.key -out server.crt && \
    chmod 600 server.key && \
    chown postgres:postgres server.key
-
 CMD ["postgres", "-c", "ssl=on", "-c", "ssl_cert_file=/var/lib/postgresql/server.crt", "-c", "ssl_key_file=/var/lib/postgresql/server.key" ]
--- a/schema.sql
+++ b/schema.sql
@@ -0,0 +1,435 @@
+-- Add new schema named "public"
+CREATE SCHEMA IF NOT EXISTS "public";
+-- Set comment to schema: "public"
+COMMENT ON SCHEMA "public" IS 'standard public schema';
+-- Create "jobs" table
+CREATE TABLE "public"."jobs" (
+  "id" character varying NOT NULL,
+  "queue_name" character varying NOT NULL,
+  "status" character varying NOT NULL,
+  "arguments" jsonb NOT NULL DEFAULT '{}',
+  "result" jsonb NOT NULL DEFAULT '{}',
+  "last_error" character varying NULL,
+  "retry_count" bigint NOT NULL DEFAULT 0,
+  "max_retry" bigint NOT NULL DEFAULT 0,
+  "retry_interval" bigint NOT NULL DEFAULT 0,
+  "scheduled_at" timestamptz NULL DEFAULT now(),
+  "started_at" timestamptz NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id")
+);
+-- Create index "idx_jobs_scheduled_at" to table: "jobs"
+CREATE INDEX "idx_jobs_scheduled_at" ON "public"."jobs" ("scheduled_at");
+-- Create index "idx_jobs_started_at" to table: "jobs"
+CREATE INDEX "idx_jobs_started_at" ON "public"."jobs" ("started_at");
+-- Create "api_keys" table
+CREATE TABLE "public"."api_keys" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "name" text NOT NULL DEFAULT '',
+  "key_hash" text NOT NULL,
+  "scope" text NOT NULL DEFAULT '',
+  "user_id" text NULL,
+  "org_id" text NULL,
+  "secret_hash" text NULL,
+  "expires_at" timestamptz NULL,
+  "revoked" boolean NOT NULL DEFAULT false,
+  "prefix" text NULL,
+  "last_used_at" timestamptz NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id")
+);
+-- Create index "idx_api_keys_key_hash" to table: "api_keys"
+CREATE UNIQUE INDEX "idx_api_keys_key_hash" ON "public"."api_keys" ("key_hash");
+-- Create "refresh_tokens" table
+CREATE TABLE "public"."refresh_tokens" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "user_id" text NOT NULL,
+  "family_id" uuid NOT NULL,
+  "token_hash" text NOT NULL,
+  "expires_at" timestamptz NOT NULL,
+  "revoked_at" timestamptz NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id")
+);
+-- Create index "idx_refresh_tokens_family_id" to table: "refresh_tokens"
+CREATE INDEX "idx_refresh_tokens_family_id" ON "public"."refresh_tokens" ("family_id");
+-- Create index "idx_refresh_tokens_token_hash" to table: "refresh_tokens"
+CREATE UNIQUE INDEX "idx_refresh_tokens_token_hash" ON "public"."refresh_tokens" ("token_hash");
+-- Create index "idx_refresh_tokens_user_id" to table: "refresh_tokens"
+CREATE INDEX "idx_refresh_tokens_user_id" ON "public"."refresh_tokens" ("user_id");
+-- Create "users" table
+CREATE TABLE "public"."users" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "display_name" text NULL,
+  "primary_email" text NULL,
+  "avatar_url" text NULL,
+  "is_disabled" boolean NULL,
+  "is_admin" boolean NULL DEFAULT false,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id")
+);
+-- Create "signing_keys" table
+CREATE TABLE "public"."signing_keys" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "kid" text NOT NULL,
+  "alg" text NOT NULL,
+  "use" text NOT NULL DEFAULT 'sig',
+  "is_active" boolean NOT NULL DEFAULT true,
+  "public_pem" text NOT NULL,
+  "private_pem" text NOT NULL,
+  "not_before" timestamptz NULL,
+  "expires_at" timestamptz NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  "rotated_from" text NULL,
+  PRIMARY KEY ("id")
+);
+-- Create index "idx_signing_keys_kid" to table: "signing_keys"
+CREATE UNIQUE INDEX "idx_signing_keys_kid" ON "public"."signing_keys" ("kid");
+-- Create "accounts" table
+CREATE TABLE "public"."accounts" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "user_id" uuid NOT NULL,
+  "provider" text NOT NULL,
+  "subject" text NOT NULL,
+  "email" text NULL,
+  "email_verified" boolean NOT NULL DEFAULT false,
+  "profile" jsonb NOT NULL DEFAULT '{}',
+  "secret_hash" text NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_accounts_user" FOREIGN KEY ("user_id") REFERENCES "public"."users" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION
+);
+-- Create index "idx_accounts_user_id" to table: "accounts"
+CREATE INDEX "idx_accounts_user_id" ON "public"."accounts" ("user_id");
+-- Create "organizations" table
+CREATE TABLE "public"."organizations" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "name" text NOT NULL,
+  "domain" text NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id")
+);
+-- Create index "idx_organizations_domain" to table: "organizations"
+CREATE INDEX "idx_organizations_domain" ON "public"."organizations" ("domain");
+-- Create "annotations" table
+CREATE TABLE "public"."annotations" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  "key" text NOT NULL,
+  "value" text NOT NULL,
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_annotations_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_annotations_organization_id" to table: "annotations"
+CREATE INDEX "idx_annotations_organization_id" ON "public"."annotations" ("organization_id");
+-- Create "credentials" table
+CREATE TABLE "public"."credentials" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NOT NULL,
+  "provider" character varying(50) NOT NULL,
+  "kind" character varying(50) NOT NULL,
+  "scope_kind" character varying(20) NOT NULL,
+  "scope" jsonb NOT NULL DEFAULT '{}',
+  "scope_fingerprint" character(64) NOT NULL,
+  "schema_version" bigint NOT NULL DEFAULT 1,
+  "name" character varying(100) NOT NULL DEFAULT '',
+  "scope_version" bigint NOT NULL DEFAULT 1,
+  "account_id" character varying(32) NULL,
+  "region" character varying(32) NULL,
+  "encrypted_data" text NOT NULL,
+  "iv" text NOT NULL,
+  "tag" text NOT NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_credentials_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_credentials_organization_id" to table: "credentials"
+CREATE INDEX "idx_credentials_organization_id" ON "public"."credentials" ("organization_id");
+-- Create index "idx_credentials_scope_fingerprint" to table: "credentials"
+CREATE INDEX "idx_credentials_scope_fingerprint" ON "public"."credentials" ("scope_fingerprint");
+-- Create index "idx_kind_scope" to table: "credentials"
+CREATE INDEX "idx_kind_scope" ON "public"."credentials" ("kind", "scope");
+-- Create index "idx_provider_kind" to table: "credentials"
+CREATE INDEX "idx_provider_kind" ON "public"."credentials" ("provider", "kind");
+-- Create index "uniq_org_provider_scopekind_scope" to table: "credentials"
+CREATE UNIQUE INDEX "uniq_org_provider_scopekind_scope" ON "public"."credentials" ("organization_id", "provider", "scope_kind", "scope_fingerprint");
+-- Create "backups" table
+CREATE TABLE "public"."backups" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NOT NULL,
+  "enabled" boolean NOT NULL DEFAULT false,
+  "credential_id" uuid NOT NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_backups_credential" FOREIGN KEY ("credential_id") REFERENCES "public"."credentials" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION,
+  CONSTRAINT "fk_backups_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_backups_organization_id" to table: "backups"
+CREATE INDEX "idx_backups_organization_id" ON "public"."backups" ("organization_id");
+-- Create index "uniq_org_credential" to table: "backups"
+CREATE UNIQUE INDEX "uniq_org_credential" ON "public"."backups" ("organization_id", "credential_id");
+-- Create "load_balancers" table
+CREATE TABLE "public"."load_balancers" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NULL,
+  "name" text NOT NULL,
+  "kind" text NOT NULL,
+  "public_ip_address" text NOT NULL,
+  "private_ip_address" text NOT NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_load_balancers_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_load_balancers_organization_id" to table: "load_balancers"
+CREATE INDEX "idx_load_balancers_organization_id" ON "public"."load_balancers" ("organization_id");
+-- Create "ssh_keys" table
+CREATE TABLE "public"."ssh_keys" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  "name" text NOT NULL,
+  "public_key" text NOT NULL,
+  "encrypted_private_key" text NOT NULL,
+  "private_iv" text NOT NULL,
+  "private_tag" text NOT NULL,
+  "fingerprint" text NOT NULL,
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_ssh_keys_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_ssh_keys_fingerprint" to table: "ssh_keys"
+CREATE INDEX "idx_ssh_keys_fingerprint" ON "public"."ssh_keys" ("fingerprint");
+-- Create index "idx_ssh_keys_organization_id" to table: "ssh_keys"
+CREATE INDEX "idx_ssh_keys_organization_id" ON "public"."ssh_keys" ("organization_id");
+-- Create "servers" table
+CREATE TABLE "public"."servers" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NOT NULL,
+  "hostname" text NULL,
+  "public_ip_address" text NULL,
+  "private_ip_address" text NOT NULL,
+  "ssh_user" text NOT NULL,
+  "ssh_key_id" uuid NOT NULL,
+  "role" text NOT NULL,
+  "status" text NULL DEFAULT 'pending',
+  "ssh_host_key" text NULL,
+  "ssh_host_key_algo" text NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_servers_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE,
+  CONSTRAINT "fk_servers_ssh_key" FOREIGN KEY ("ssh_key_id") REFERENCES "public"."ssh_keys" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION
+);
+-- Create "domains" table
+CREATE TABLE "public"."domains" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NOT NULL,
+  "domain_name" character varying(253) NOT NULL,
+  "zone_id" character varying(128) NOT NULL DEFAULT '',
+  "status" character varying(20) NOT NULL DEFAULT 'pending',
+  "last_error" text NOT NULL DEFAULT '',
+  "credential_id" uuid NOT NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_domains_credential" FOREIGN KEY ("credential_id") REFERENCES "public"."credentials" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION,
+  CONSTRAINT "fk_domains_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_domains_organization_id" to table: "domains"
+CREATE INDEX "idx_domains_organization_id" ON "public"."domains" ("organization_id");
+-- Create index "uniq_org_domain" to table: "domains"
+CREATE UNIQUE INDEX "uniq_org_domain" ON "public"."domains" ("organization_id", "domain_name");
+-- Create "record_sets" table
+CREATE TABLE "public"."record_sets" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "domain_id" uuid NOT NULL,
+  "name" character varying(253) NOT NULL,
+  "type" character varying(10) NOT NULL,
+  "ttl" bigint NULL,
+  "values" jsonb NOT NULL DEFAULT '[]',
+  "fingerprint" character(64) NOT NULL,
+  "status" character varying(20) NOT NULL DEFAULT 'pending',
+  "owner" character varying(16) NOT NULL DEFAULT 'unknown',
+  "last_error" text NOT NULL DEFAULT '',
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_record_sets_domain" FOREIGN KEY ("domain_id") REFERENCES "public"."domains" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_record_sets_domain_id" to table: "record_sets"
+CREATE INDEX "idx_record_sets_domain_id" ON "public"."record_sets" ("domain_id");
+-- Create index "idx_record_sets_fingerprint" to table: "record_sets"
+CREATE INDEX "idx_record_sets_fingerprint" ON "public"."record_sets" ("fingerprint");
+-- Create index "idx_record_sets_type" to table: "record_sets"
+CREATE INDEX "idx_record_sets_type" ON "public"."record_sets" ("type");
+-- Create "clusters" table
+CREATE TABLE "public"."clusters" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NOT NULL,
+  "name" text NOT NULL,
+  "provider" text NULL,
+  "region" text NULL,
+  "status" character varying(20) NOT NULL DEFAULT 'pre_pending',
+  "last_error" text NOT NULL DEFAULT '',
+  "captain_domain_id" uuid NULL,
+  "control_plane_record_set_id" uuid NULL,
+  "apps_load_balancer_id" uuid NULL,
+  "glue_ops_load_balancer_id" uuid NULL,
+  "bastion_server_id" uuid NULL,
+  "random_token" text NULL,
+  "certificate_key" text NULL,
+  "encrypted_kubeconfig" text NULL,
+  "kube_iv" text NULL,
+  "kube_tag" text NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_clusters_apps_load_balancer" FOREIGN KEY ("apps_load_balancer_id") REFERENCES "public"."load_balancers" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION,
+  CONSTRAINT "fk_clusters_bastion_server" FOREIGN KEY ("bastion_server_id") REFERENCES "public"."servers" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION,
+  CONSTRAINT "fk_clusters_captain_domain" FOREIGN KEY ("captain_domain_id") REFERENCES "public"."domains" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION,
+  CONSTRAINT "fk_clusters_control_plane_record_set" FOREIGN KEY ("control_plane_record_set_id") REFERENCES "public"."record_sets" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION,
+  CONSTRAINT "fk_clusters_glue_ops_load_balancer" FOREIGN KEY ("glue_ops_load_balancer_id") REFERENCES "public"."load_balancers" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION,
+  CONSTRAINT "fk_clusters_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create "node_pools" table
+CREATE TABLE "public"."node_pools" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  "name" text NOT NULL,
+  "role" text NULL,
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_node_pools_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_node_pools_organization_id" to table: "node_pools"
+CREATE INDEX "idx_node_pools_organization_id" ON "public"."node_pools" ("organization_id");
+-- Create "cluster_node_pools" table
+CREATE TABLE "public"."cluster_node_pools" (
+  "node_pool_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "cluster_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  PRIMARY KEY ("node_pool_id", "cluster_id"),
+  CONSTRAINT "fk_cluster_node_pools_cluster" FOREIGN KEY ("cluster_id") REFERENCES "public"."clusters" ("id") ON UPDATE NO ACTION ON DELETE CASCADE,
+  CONSTRAINT "fk_cluster_node_pools_node_pool" FOREIGN KEY ("node_pool_id") REFERENCES "public"."node_pools" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create "labels" table
+CREATE TABLE "public"."labels" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  "key" text NOT NULL,
+  "value" text NOT NULL,
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_labels_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create index "idx_labels_organization_id" to table: "labels"
+CREATE INDEX "idx_labels_organization_id" ON "public"."labels" ("organization_id");
+-- Create "memberships" table
+CREATE TABLE "public"."memberships" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "user_id" uuid NOT NULL,
+  "organization_id" uuid NOT NULL,
+  "role" text NOT NULL DEFAULT 'member',
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_memberships_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE,
+  CONSTRAINT "fk_memberships_user" FOREIGN KEY ("user_id") REFERENCES "public"."users" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION
+);
+-- Create index "idx_memberships_organization_id" to table: "memberships"
+CREATE INDEX "idx_memberships_organization_id" ON "public"."memberships" ("organization_id");
+-- Create index "idx_memberships_user_id" to table: "memberships"
+CREATE INDEX "idx_memberships_user_id" ON "public"."memberships" ("user_id");
+-- Create "node_annotations" table
+CREATE TABLE "public"."node_annotations" (
+  "node_pool_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "annotation_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  PRIMARY KEY ("node_pool_id", "annotation_id"),
+  CONSTRAINT "fk_node_annotations_annotation" FOREIGN KEY ("annotation_id") REFERENCES "public"."annotations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE,
+  CONSTRAINT "fk_node_annotations_node_pool" FOREIGN KEY ("node_pool_id") REFERENCES "public"."node_pools" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create "node_labels" table
+CREATE TABLE "public"."node_labels" (
+  "node_pool_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "label_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  PRIMARY KEY ("node_pool_id", "label_id"),
+  CONSTRAINT "fk_node_labels_label" FOREIGN KEY ("label_id") REFERENCES "public"."labels" ("id") ON UPDATE NO ACTION ON DELETE CASCADE,
+  CONSTRAINT "fk_node_labels_node_pool" FOREIGN KEY ("node_pool_id") REFERENCES "public"."node_pools" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create "node_servers" table
+CREATE TABLE "public"."node_servers" (
+  "server_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "node_pool_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  PRIMARY KEY ("server_id", "node_pool_id"),
+  CONSTRAINT "fk_node_servers_node_pool" FOREIGN KEY ("node_pool_id") REFERENCES "public"."node_pools" ("id") ON UPDATE NO ACTION ON DELETE CASCADE,
+  CONSTRAINT "fk_node_servers_server" FOREIGN KEY ("server_id") REFERENCES "public"."servers" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create "taints" table
+CREATE TABLE "public"."taints" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NOT NULL,
+  "key" text NOT NULL,
+  "value" text NOT NULL,
+  "effect" text NOT NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_taints_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create "node_taints" table
+CREATE TABLE "public"."node_taints" (
+  "taint_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "node_pool_id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  PRIMARY KEY ("taint_id", "node_pool_id"),
+  CONSTRAINT "fk_node_taints_node_pool" FOREIGN KEY ("node_pool_id") REFERENCES "public"."node_pools" ("id") ON UPDATE NO ACTION ON DELETE CASCADE,
+  CONSTRAINT "fk_node_taints_taint" FOREIGN KEY ("taint_id") REFERENCES "public"."taints" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create "master_keys" table
+CREATE TABLE "public"."master_keys" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "key" text NOT NULL,
+  "is_active" boolean NULL DEFAULT true,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id")
+);
+-- Create "organization_keys" table
+CREATE TABLE "public"."organization_keys" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "organization_id" uuid NOT NULL,
+  "master_key_id" uuid NOT NULL,
+  "encrypted_key" text NOT NULL,
+  "iv" text NOT NULL,
+  "tag" text NOT NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_organization_keys_master_key" FOREIGN KEY ("master_key_id") REFERENCES "public"."master_keys" ("id") ON UPDATE NO ACTION ON DELETE CASCADE,
+  CONSTRAINT "fk_organization_keys_organization" FOREIGN KEY ("organization_id") REFERENCES "public"."organizations" ("id") ON UPDATE NO ACTION ON DELETE CASCADE
+);
+-- Create "user_emails" table
+CREATE TABLE "public"."user_emails" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "user_id" uuid NOT NULL,
+  "email" text NOT NULL,
+  "is_verified" boolean NOT NULL DEFAULT false,
+  "is_primary" boolean NOT NULL DEFAULT false,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "fk_user_emails_user" FOREIGN KEY ("user_id") REFERENCES "public"."users" ("id") ON UPDATE NO ACTION ON DELETE NO ACTION
+);
+-- Create index "idx_user_emails_user_id" to table: "user_emails"
+CREATE INDEX "idx_user_emails_user_id" ON "public"."user_emails" ("user_id");
--- a/sdk/ts/.gitignore
+++ b/sdk/ts/.gitignore
@@ -0,0 +1,4 @@
+wwwroot/*.js
+node_modules
+typings
+dist
--- a/sdk/ts/.npmignore
+++ b/sdk/ts/.npmignore
@@ -0,0 +1 @@
+README.md
--- a/sdk/ts/.openapi-generator-ignore
+++ b/sdk/ts/.openapi-generator-ignore
@@ -0,0 +1,23 @@
+# OpenAPI Generator Ignore
+# Generated by openapi-generator https://github.com/openapitools/openapi-generator
+
+# Use this file to prevent files from being overwritten by the generator.
+# The patterns follow closely to .gitignore or .dockerignore.
+
+# As an example, the C# client generator defines ApiClient.cs.
+# You can make changes and tell OpenAPI Generator to ignore just this file by uncommenting the following line:
+#ApiClient.cs
+
+# You can match any string of characters against a directory, file or extension with a single asterisk (*):
+#foo/*/qux
+# The above matches foo/bar/qux and foo/baz/qux, but not foo/bar/baz/qux
+
+# You can recursively match patterns against a directory, file or extension with a double asterisk (**):
+#foo/**/qux
+# This matches foo/bar/qux, foo/baz/qux, and foo/bar/baz/qux
+
+# You can also negate patterns with an exclamation (!).
+# For example, you can ignore all files in a docs folder with the file extension .md:
+#docs/*.md
+# Then explicitly reverse the ignore rule for a single file:
+#!docs/README.md
--- a/sdk/ts/.openapi-generator/FILES
+++ b/sdk/ts/.openapi-generator/FILES
@@ -0,0 +1,189 @@
+.gitignore
+.npmignore
+.openapi-generator-ignore
+README.md
+docs/AnnotationsApi.md
+docs/ArcherAdminApi.md
+docs/AuthApi.md
+docs/ClustersApi.md
+docs/CredentialsApi.md
+docs/DNSApi.md
+docs/DtoAnnotationResponse.md
+docs/DtoAttachAnnotationsRequest.md
+docs/DtoAttachBastionRequest.md
+docs/DtoAttachCaptainDomainRequest.md
+docs/DtoAttachLabelsRequest.md
+docs/DtoAttachLoadBalancerRequest.md
+docs/DtoAttachNodePoolRequest.md
+docs/DtoAttachRecordSetRequest.md
+docs/DtoAttachServersRequest.md
+docs/DtoAttachTaintsRequest.md
+docs/DtoAuthStartResponse.md
+docs/DtoClusterResponse.md
+docs/DtoCreateAnnotationRequest.md
+docs/DtoCreateClusterRequest.md
+docs/DtoCreateCredentialRequest.md
+docs/DtoCreateDomainRequest.md
+docs/DtoCreateLabelRequest.md
+docs/DtoCreateLoadBalancerRequest.md
+docs/DtoCreateNodePoolRequest.md
+docs/DtoCreateRecordSetRequest.md
+docs/DtoCreateSSHRequest.md
+docs/DtoCreateServerRequest.md
+docs/DtoCreateTaintRequest.md
+docs/DtoCredentialOut.md
+docs/DtoDomainResponse.md
+docs/DtoEnqueueRequest.md
+docs/DtoJWK.md
+docs/DtoJWKS.md
+docs/DtoJob.md
+docs/DtoJobStatus.md
+docs/DtoLabelResponse.md
+docs/DtoLoadBalancerResponse.md
+docs/DtoLogoutRequest.md
+docs/DtoNodePoolResponse.md
+docs/DtoPageJob.md
+docs/DtoQueueInfo.md
+docs/DtoRecordSetResponse.md
+docs/DtoRefreshRequest.md
+docs/DtoServerResponse.md
+docs/DtoSetKubeconfigRequest.md
+docs/DtoSshResponse.md
+docs/DtoSshRevealResponse.md
+docs/DtoTaintResponse.md
+docs/DtoTokenPair.md
+docs/DtoUpdateAnnotationRequest.md
+docs/DtoUpdateClusterRequest.md
+docs/DtoUpdateCredentialRequest.md
+docs/DtoUpdateDomainRequest.md
+docs/DtoUpdateLabelRequest.md
+docs/DtoUpdateLoadBalancerRequest.md
+docs/DtoUpdateNodePoolRequest.md
+docs/DtoUpdateRecordSetRequest.md
+docs/DtoUpdateServerRequest.md
+docs/DtoUpdateTaintRequest.md
+docs/GetSSHKey200Response.md
+docs/HandlersCreateUserKeyRequest.md
+docs/HandlersHealthStatus.md
+docs/HandlersMeResponse.md
+docs/HandlersMemberOut.md
+docs/HandlersMemberUpsertReq.md
+docs/HandlersOrgCreateReq.md
+docs/HandlersOrgKeyCreateReq.md
+docs/HandlersOrgKeyCreateResp.md
+docs/HandlersOrgUpdateReq.md
+docs/HandlersUpdateMeRequest.md
+docs/HandlersUserAPIKeyOut.md
+docs/HandlersVersionResponse.md
+docs/HealthApi.md
+docs/LabelsApi.md
+docs/LoadBalancersApi.md
+docs/MeAPIKeysApi.md
+docs/MeApi.md
+docs/MetaApi.md
+docs/ModelsAPIKey.md
+docs/ModelsOrganization.md
+docs/ModelsUser.md
+docs/ModelsUserEmail.md
+docs/NodePoolsApi.md
+docs/OrgsApi.md
+docs/ServersApi.md
+docs/SshApi.md
+docs/TaintsApi.md
+docs/UtilsErrorResponse.md
+package.json
+src/apis/AnnotationsApi.ts
+src/apis/ArcherAdminApi.ts
+src/apis/AuthApi.ts
+src/apis/ClustersApi.ts
+src/apis/CredentialsApi.ts
+src/apis/DNSApi.ts
+src/apis/HealthApi.ts
+src/apis/LabelsApi.ts
+src/apis/LoadBalancersApi.ts
+src/apis/MeAPIKeysApi.ts
+src/apis/MeApi.ts
+src/apis/MetaApi.ts
+src/apis/NodePoolsApi.ts
+src/apis/OrgsApi.ts
+src/apis/ServersApi.ts
+src/apis/SshApi.ts
+src/apis/TaintsApi.ts
+src/apis/index.ts
+src/index.ts
+src/models/DtoAnnotationResponse.ts
+src/models/DtoAttachAnnotationsRequest.ts
+src/models/DtoAttachBastionRequest.ts
+src/models/DtoAttachCaptainDomainRequest.ts
+src/models/DtoAttachLabelsRequest.ts
+src/models/DtoAttachLoadBalancerRequest.ts
+src/models/DtoAttachNodePoolRequest.ts
+src/models/DtoAttachRecordSetRequest.ts
+src/models/DtoAttachServersRequest.ts
+src/models/DtoAttachTaintsRequest.ts
+src/models/DtoAuthStartResponse.ts
+src/models/DtoClusterResponse.ts
+src/models/DtoCreateAnnotationRequest.ts
+src/models/DtoCreateClusterRequest.ts
+src/models/DtoCreateCredentialRequest.ts
+src/models/DtoCreateDomainRequest.ts
+src/models/DtoCreateLabelRequest.ts
+src/models/DtoCreateLoadBalancerRequest.ts
+src/models/DtoCreateNodePoolRequest.ts
+src/models/DtoCreateRecordSetRequest.ts
+src/models/DtoCreateSSHRequest.ts
+src/models/DtoCreateServerRequest.ts
+src/models/DtoCreateTaintRequest.ts
+src/models/DtoCredentialOut.ts
+src/models/DtoDomainResponse.ts
+src/models/DtoEnqueueRequest.ts
+src/models/DtoJWK.ts
+src/models/DtoJWKS.ts
+src/models/DtoJob.ts
+src/models/DtoJobStatus.ts
+src/models/DtoLabelResponse.ts
+src/models/DtoLoadBalancerResponse.ts
+src/models/DtoLogoutRequest.ts
+src/models/DtoNodePoolResponse.ts
+src/models/DtoPageJob.ts
+src/models/DtoQueueInfo.ts
+src/models/DtoRecordSetResponse.ts
+src/models/DtoRefreshRequest.ts
+src/models/DtoServerResponse.ts
+src/models/DtoSetKubeconfigRequest.ts
+src/models/DtoSshResponse.ts
+src/models/DtoSshRevealResponse.ts
+src/models/DtoTaintResponse.ts
+src/models/DtoTokenPair.ts
+src/models/DtoUpdateAnnotationRequest.ts
+src/models/DtoUpdateClusterRequest.ts
+src/models/DtoUpdateCredentialRequest.ts
+src/models/DtoUpdateDomainRequest.ts
+src/models/DtoUpdateLabelRequest.ts
+src/models/DtoUpdateLoadBalancerRequest.ts
+src/models/DtoUpdateNodePoolRequest.ts
+src/models/DtoUpdateRecordSetRequest.ts
+src/models/DtoUpdateServerRequest.ts
+src/models/DtoUpdateTaintRequest.ts
+src/models/GetSSHKey200Response.ts
+src/models/HandlersCreateUserKeyRequest.ts
+src/models/HandlersHealthStatus.ts
+src/models/HandlersMeResponse.ts
+src/models/HandlersMemberOut.ts
+src/models/HandlersMemberUpsertReq.ts
+src/models/HandlersOrgCreateReq.ts
+src/models/HandlersOrgKeyCreateReq.ts
+src/models/HandlersOrgKeyCreateResp.ts
+src/models/HandlersOrgUpdateReq.ts
+src/models/HandlersUpdateMeRequest.ts
+src/models/HandlersUserAPIKeyOut.ts
+src/models/HandlersVersionResponse.ts
+src/models/ModelsAPIKey.ts
+src/models/ModelsOrganization.ts
+src/models/ModelsUser.ts
+src/models/ModelsUserEmail.ts
+src/models/UtilsErrorResponse.ts
+src/models/index.ts
+src/runtime.ts
+tsconfig.esm.json
+tsconfig.json
--- a/sdk/ts/.openapi-generator/VERSION
+++ b/sdk/ts/.openapi-generator/VERSION
@@ -0,0 +1 @@
+7.17.0
--- a/sdk/ts/README.md
+++ b/sdk/ts/README.md
@@ -0,0 +1,325 @@
+# @glueops/autoglue-sdk-go@0.1.0
+
+A TypeScript SDK client for the autoglue.glueopshosted.com API.
+
+## Usage
+
+First, install the SDK from npm.
+
+```bash
+npm install @glueops/autoglue-sdk-go --save
+```
+
+Next, try it out.
+
+```ts
+import {
+  Configuration,
+  AnnotationsApi,
+} from '@glueops/autoglue-sdk-go';
+import type { CreateAnnotationRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new AnnotationsApi(config);
+
+  const body = {
+    // DtoCreateAnnotationRequest | Annotation payload
+    dtoCreateAnnotationRequest: ...,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies CreateAnnotationRequest;
+
+  try {
+    const data = await api.createAnnotation(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+## Documentation
+
+### API Endpoints
+
+All URIs are relative to *https://autoglue.glueopshosted.com/api/v1*
+
+| Class              | Method                                                                             | HTTP request                                              | Description                                                                                  |
+| ------------------ | ---------------------------------------------------------------------------------- | --------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
+| _AnnotationsApi_   | [**createAnnotation**](docs/AnnotationsApi.md#createannotation)                    | **POST** /annotations                                     | Create annotation (org scoped)                                                               |
+| _AnnotationsApi_   | [**deleteAnnotation**](docs/AnnotationsApi.md#deleteannotation)                    | **DELETE** /annotations/{id}                              | Delete annotation (org scoped)                                                               |
+| _AnnotationsApi_   | [**getAnnotation**](docs/AnnotationsApi.md#getannotation)                          | **GET** /annotations/{id}                                 | Get annotation by ID (org scoped)                                                            |
+| _AnnotationsApi_   | [**listAnnotations**](docs/AnnotationsApi.md#listannotations)                      | **GET** /annotations                                      | List annotations (org scoped)                                                                |
+| _AnnotationsApi_   | [**updateAnnotation**](docs/AnnotationsApi.md#updateannotation)                    | **PATCH** /annotations/{id}                               | Update annotation (org scoped)                                                               |
+| _ArcherAdminApi_   | [**adminCancelArcherJob**](docs/ArcherAdminApi.md#admincancelarcherjob)            | **POST** /admin/archer/jobs/{id}/cancel                   | Cancel an Archer job (admin)                                                                 |
+| _ArcherAdminApi_   | [**adminEnqueueArcherJob**](docs/ArcherAdminApi.md#adminenqueuearcherjob)          | **POST** /admin/archer/jobs                               | Enqueue a new Archer job (admin)                                                             |
+| _ArcherAdminApi_   | [**adminListArcherJobs**](docs/ArcherAdminApi.md#adminlistarcherjobs)              | **GET** /admin/archer/jobs                                | List Archer jobs (admin)                                                                     |
+| _ArcherAdminApi_   | [**adminListArcherQueues**](docs/ArcherAdminApi.md#adminlistarcherqueues)          | **GET** /admin/archer/queues                              | List Archer queues (admin)                                                                   |
+| _ArcherAdminApi_   | [**adminRetryArcherJob**](docs/ArcherAdminApi.md#adminretryarcherjob)              | **POST** /admin/archer/jobs/{id}/retry                    | Retry a failed/canceled Archer job (admin)                                                   |
+| _AuthApi_          | [**authCallback**](docs/AuthApi.md#authcallback)                                   | **GET** /auth/{provider}/callback                         | Handle social login callback                                                                 |
+| _AuthApi_          | [**authStart**](docs/AuthApi.md#authstart)                                         | **POST** /auth/{provider}/start                           | Begin social login                                                                           |
+| _AuthApi_          | [**getJWKS**](docs/AuthApi.md#getjwks)                                             | **GET** /.well-known/jwks.json                            | Get JWKS                                                                                     |
+| _AuthApi_          | [**logout**](docs/AuthApi.md#logout)                                               | **POST** /auth/logout                                     | Revoke refresh token family (logout everywhere)                                              |
+| _AuthApi_          | [**refresh**](docs/AuthApi.md#refresh)                                             | **POST** /auth/refresh                                    | Rotate refresh token                                                                         |
+| _ClustersApi_      | [**attachAppsLoadBalancer**](docs/ClustersApi.md#attachappsloadbalancer)           | **POST** /clusters/{clusterID}/apps-load-balancer         | Attach an apps load balancer to a cluster                                                    |
+| _ClustersApi_      | [**attachBastionServer**](docs/ClustersApi.md#attachbastionserver)                 | **POST** /clusters/{clusterID}/bastion                    | Attach a bastion server to a cluster                                                         |
+| _ClustersApi_      | [**attachCaptainDomain**](docs/ClustersApi.md#attachcaptaindomain)                 | **POST** /clusters/{clusterID}/captain-domain             | Attach a captain domain to a cluster                                                         |
+| _ClustersApi_      | [**attachControlPlaneRecordSet**](docs/ClustersApi.md#attachcontrolplanerecordset) | **POST** /clusters/{clusterID}/control-plane-record-set   | Attach a control plane record set to a cluster                                               |
+| _ClustersApi_      | [**attachGlueOpsLoadBalancer**](docs/ClustersApi.md#attachglueopsloadbalancer)     | **POST** /clusters/{clusterID}/glueops-load-balancer      | Attach a GlueOps/control-plane load balancer to a cluster                                    |
+| _ClustersApi_      | [**attachNodePool**](docs/ClustersApi.md#attachnodepool)                           | **POST** /clusters/{clusterID}/node-pools                 | Attach a node pool to a cluster                                                              |
+| _ClustersApi_      | [**clearClusterKubeconfig**](docs/ClustersApi.md#clearclusterkubeconfig)           | **DELETE** /clusters/{clusterID}/kubeconfig               | Clear the kubeconfig for a cluster                                                           |
+| _ClustersApi_      | [**createCluster**](docs/ClustersApi.md#createcluster)                             | **POST** /clusters                                        | Create cluster (org scoped)                                                                  |
+| _ClustersApi_      | [**deleteCluster**](docs/ClustersApi.md#deletecluster)                             | **DELETE** /clusters/{clusterID}                          | Delete a cluster (org scoped)                                                                |
+| _ClustersApi_      | [**detachAppsLoadBalancer**](docs/ClustersApi.md#detachappsloadbalancer)           | **DELETE** /clusters/{clusterID}/apps-load-balancer       | Detach the apps load balancer from a cluster                                                 |
+| _ClustersApi_      | [**detachBastionServer**](docs/ClustersApi.md#detachbastionserver)                 | **DELETE** /clusters/{clusterID}/bastion                  | Detach the bastion server from a cluster                                                     |
+| _ClustersApi_      | [**detachCaptainDomain**](docs/ClustersApi.md#detachcaptaindomain)                 | **DELETE** /clusters/{clusterID}/captain-domain           | Detach the captain domain from a cluster                                                     |
+| _ClustersApi_      | [**detachControlPlaneRecordSet**](docs/ClustersApi.md#detachcontrolplanerecordset) | **DELETE** /clusters/{clusterID}/control-plane-record-set | Detach the control plane record set from a cluster                                           |
+| _ClustersApi_      | [**detachGlueOpsLoadBalancer**](docs/ClustersApi.md#detachglueopsloadbalancer)     | **DELETE** /clusters/{clusterID}/glueops-load-balancer    | Detach the GlueOps/control-plane load balancer from a cluster                                |
+| _ClustersApi_      | [**detachNodePool**](docs/ClustersApi.md#detachnodepool)                           | **DELETE** /clusters/{clusterID}/node-pools/{nodePoolID}  | Detach a node pool from a cluster                                                            |
+| _ClustersApi_      | [**getCluster**](docs/ClustersApi.md#getcluster)                                   | **GET** /clusters/{clusterID}                             | Get a single cluster by ID (org scoped)                                                      |
+| _ClustersApi_      | [**listClusters**](docs/ClustersApi.md#listclusters)                               | **GET** /clusters                                         | List clusters (org scoped)                                                                   |
+| _ClustersApi_      | [**setClusterKubeconfig**](docs/ClustersApi.md#setclusterkubeconfig)               | **POST** /clusters/{clusterID}/kubeconfig                 | Set (or replace) the kubeconfig for a cluster                                                |
+| _ClustersApi_      | [**updateCluster**](docs/ClustersApi.md#updatecluster)                             | **PATCH** /clusters/{clusterID}                           | Update basic cluster details (org scoped)                                                    |
+| _CredentialsApi_   | [**createCredential**](docs/CredentialsApi.md#createcredential)                    | **POST** /credentials                                     | Create a credential (encrypts secret)                                                        |
+| _CredentialsApi_   | [**deleteCredential**](docs/CredentialsApi.md#deletecredential)                    | **DELETE** /credentials/{id}                              | Delete credential                                                                            |
+| _CredentialsApi_   | [**getCredential**](docs/CredentialsApi.md#getcredential)                          | **GET** /credentials/{id}                                 | Get credential by ID (metadata only)                                                         |
+| _CredentialsApi_   | [**listCredentials**](docs/CredentialsApi.md#listcredentials)                      | **GET** /credentials                                      | List credentials (metadata only)                                                             |
+| _CredentialsApi_   | [**revealCredential**](docs/CredentialsApi.md#revealcredential)                    | **POST** /credentials/{id}/reveal                         | Reveal decrypted secret (one-time read)                                                      |
+| _CredentialsApi_   | [**updateCredential**](docs/CredentialsApi.md#updatecredential)                    | **PATCH** /credentials/{id}                               | Update credential metadata and/or rotate secret                                              |
+| _DNSApi_           | [**createDomain**](docs/DNSApi.md#createdomain)                                    | **POST** /dns/domains                                     | Create a domain (org scoped)                                                                 |
+| _DNSApi_           | [**createRecordSet**](docs/DNSApi.md#createrecordset)                              | **POST** /dns/domains/{domain_id}/records                 | Create a record set (pending; Archer will UPSERT to Route 53)                                |
+| _DNSApi_           | [**deleteDomain**](docs/DNSApi.md#deletedomain)                                    | **DELETE** /dns/domains/{id}                              | Delete a domain                                                                              |
+| _DNSApi_           | [**deleteRecordSet**](docs/DNSApi.md#deleterecordset)                              | **DELETE** /dns/records/{id}                              | Delete a record set (API removes row; worker can optionally handle external deletion policy) |
+| _DNSApi_           | [**getDomain**](docs/DNSApi.md#getdomain)                                          | **GET** /dns/domains/{id}                                 | Get a domain (org scoped)                                                                    |
+| _DNSApi_           | [**listDomains**](docs/DNSApi.md#listdomains)                                      | **GET** /dns/domains                                      | List domains (org scoped)                                                                    |
+| _DNSApi_           | [**listRecordSets**](docs/DNSApi.md#listrecordsets)                                | **GET** /dns/domains/{domain_id}/records                  | List record sets for a domain                                                                |
+| _DNSApi_           | [**updateDomain**](docs/DNSApi.md#updatedomain)                                    | **PATCH** /dns/domains/{id}                               | Update a domain (org scoped)                                                                 |
+| _DNSApi_           | [**updateRecordSet**](docs/DNSApi.md#updaterecordset)                              | **PATCH** /dns/records/{id}                               | Update a record set (flips to pending for reconciliation)                                    |
+| _HealthApi_        | [**healthCheckOperationId**](docs/HealthApi.md#healthcheckoperationid)             | **GET** /healthz                                          | Basic health check                                                                           |
+| _LabelsApi_        | [**createLabel**](docs/LabelsApi.md#createlabel)                                   | **POST** /labels                                          | Create label (org scoped)                                                                    |
+| _LabelsApi_        | [**deleteLabel**](docs/LabelsApi.md#deletelabel)                                   | **DELETE** /labels/{id}                                   | Delete label (org scoped)                                                                    |
+| _LabelsApi_        | [**getLabel**](docs/LabelsApi.md#getlabel)                                         | **GET** /labels/{id}                                      | Get label by ID (org scoped)                                                                 |
+| _LabelsApi_        | [**listLabels**](docs/LabelsApi.md#listlabels)                                     | **GET** /labels                                           | List node labels (org scoped)                                                                |
+| _LabelsApi_        | [**updateLabel**](docs/LabelsApi.md#updatelabel)                                   | **PATCH** /labels/{id}                                    | Update label (org scoped)                                                                    |
+| _LoadBalancersApi_ | [**createLoadBalancer**](docs/LoadBalancersApi.md#createloadbalancer)              | **POST** /load-balancers                                  | Create a load balancer                                                                       |
+| _LoadBalancersApi_ | [**deleteLoadBalancer**](docs/LoadBalancersApi.md#deleteloadbalancer)              | **DELETE** /load-balancers/{id}                           | Delete a load balancer                                                                       |
+| _LoadBalancersApi_ | [**getLoadBalancers**](docs/LoadBalancersApi.md#getloadbalancers)                  | **GET** /load-balancers/{id}                              | Get a load balancer (org scoped)                                                             |
+| _LoadBalancersApi_ | [**listLoadBalancers**](docs/LoadBalancersApi.md#listloadbalancers)                | **GET** /load-balancers                                   | List load balancers (org scoped)                                                             |
+| _LoadBalancersApi_ | [**updateLoadBalancer**](docs/LoadBalancersApi.md#updateloadbalancer)              | **PATCH** /load-balancers/{id}                            | Update a load balancer (org scoped)                                                          |
+| _MeApi_            | [**getMe**](docs/MeApi.md#getme)                                                   | **GET** /me                                               | Get current user profile                                                                     |
+| _MeApi_            | [**updateMe**](docs/MeApi.md#updateme)                                             | **PATCH** /me                                             | Update current user profile                                                                  |
+| _MeAPIKeysApi_     | [**createUserAPIKey**](docs/MeAPIKeysApi.md#createuserapikey)                      | **POST** /me/api-keys                                     | Create a new user API key                                                                    |
+| _MeAPIKeysApi_     | [**deleteUserAPIKey**](docs/MeAPIKeysApi.md#deleteuserapikey)                      | **DELETE** /me/api-keys/{id}                              | Delete a user API key                                                                        |
+| _MeAPIKeysApi_     | [**listUserAPIKeys**](docs/MeAPIKeysApi.md#listuserapikeys)                        | **GET** /me/api-keys                                      | List my API keys                                                                             |
+| _MetaApi_          | [**versionOperationId**](docs/MetaApi.md#versionoperationid)                       | **GET** /version                                          | Service version information                                                                  |
+| _NodePoolsApi_     | [**attachNodePoolAnnotations**](docs/NodePoolsApi.md#attachnodepoolannotations)    | **POST** /node-pools/{id}/annotations                     | Attach annotation to a node pool (org scoped)                                                |
+| _NodePoolsApi_     | [**attachNodePoolLabels**](docs/NodePoolsApi.md#attachnodepoollabels)              | **POST** /node-pools/{id}/labels                          | Attach labels to a node pool (org scoped)                                                    |
+| _NodePoolsApi_     | [**attachNodePoolServers**](docs/NodePoolsApi.md#attachnodepoolservers)            | **POST** /node-pools/{id}/servers                         | Attach servers to a node pool (org scoped)                                                   |
+| _NodePoolsApi_     | [**attachNodePoolTaints**](docs/NodePoolsApi.md#attachnodepooltaints)              | **POST** /node-pools/{id}/taints                          | Attach taints to a node pool (org scoped)                                                    |
+| _NodePoolsApi_     | [**createNodePool**](docs/NodePoolsApi.md#createnodepool)                          | **POST** /node-pools                                      | Create node pool (org scoped)                                                                |
+| _NodePoolsApi_     | [**deleteNodePool**](docs/NodePoolsApi.md#deletenodepool)                          | **DELETE** /node-pools/{id}                               | Delete node pool (org scoped)                                                                |
+| _NodePoolsApi_     | [**detachNodePoolAnnotation**](docs/NodePoolsApi.md#detachnodepoolannotation)      | **DELETE** /node-pools/{id}/annotations/{annotationId}    | Detach one annotation from a node pool (org scoped)                                          |
+| _NodePoolsApi_     | [**detachNodePoolLabel**](docs/NodePoolsApi.md#detachnodepoollabel)                | **DELETE** /node-pools/{id}/labels/{labelId}              | Detach one label from a node pool (org scoped)                                               |
+| _NodePoolsApi_     | [**detachNodePoolServer**](docs/NodePoolsApi.md#detachnodepoolserver)              | **DELETE** /node-pools/{id}/servers/{serverId}            | Detach one server from a node pool (org scoped)                                              |
+| _NodePoolsApi_     | [**detachNodePoolTaint**](docs/NodePoolsApi.md#detachnodepooltaint)                | **DELETE** /node-pools/{id}/taints/{taintId}              | Detach one taint from a node pool (org scoped)                                               |
+| _NodePoolsApi_     | [**getNodePool**](docs/NodePoolsApi.md#getnodepool)                                | **GET** /node-pools/{id}                                  | Get node pool by ID (org scoped)                                                             |
+| _NodePoolsApi_     | [**listNodePoolAnnotations**](docs/NodePoolsApi.md#listnodepoolannotations)        | **GET** /node-pools/{id}/annotations                      | List annotations attached to a node pool (org scoped)                                        |
+| _NodePoolsApi_     | [**listNodePoolLabels**](docs/NodePoolsApi.md#listnodepoollabels)                  | **GET** /node-pools/{id}/labels                           | List labels attached to a node pool (org scoped)                                             |
+| _NodePoolsApi_     | [**listNodePoolServers**](docs/NodePoolsApi.md#listnodepoolservers)                | **GET** /node-pools/{id}/servers                          | List servers attached to a node pool (org scoped)                                            |
+| _NodePoolsApi_     | [**listNodePoolTaints**](docs/NodePoolsApi.md#listnodepooltaints)                  | **GET** /node-pools/{id}/taints                           | List taints attached to a node pool (org scoped)                                             |
+| _NodePoolsApi_     | [**listNodePools**](docs/NodePoolsApi.md#listnodepools)                            | **GET** /node-pools                                       | List node pools (org scoped)                                                                 |
+| _NodePoolsApi_     | [**updateNodePool**](docs/NodePoolsApi.md#updatenodepool)                          | **PATCH** /node-pools/{id}                                | Update node pool (org scoped)                                                                |
+| _OrgsApi_          | [**addOrUpdateMember**](docs/OrgsApi.md#addorupdatemember)                         | **POST** /orgs/{id}/members                               | Add or update a member (owner/admin)                                                         |
+| _OrgsApi_          | [**createOrg**](docs/OrgsApi.md#createorg)                                         | **POST** /orgs                                            | Create organization                                                                          |
+| _OrgsApi_          | [**createOrgKey**](docs/OrgsApi.md#createorgkey)                                   | **POST** /orgs/{id}/api-keys                              | Create org key/secret pair (owner/admin)                                                     |
+| _OrgsApi_          | [**deleteOrg**](docs/OrgsApi.md#deleteorg)                                         | **DELETE** /orgs/{id}                                     | Delete organization (owner)                                                                  |
+| _OrgsApi_          | [**deleteOrgKey**](docs/OrgsApi.md#deleteorgkey)                                   | **DELETE** /orgs/{id}/api-keys/{key_id}                   | Delete org key (owner/admin)                                                                 |
+| _OrgsApi_          | [**getOrg**](docs/OrgsApi.md#getorg)                                               | **GET** /orgs/{id}                                        | Get organization                                                                             |
+| _OrgsApi_          | [**listMembers**](docs/OrgsApi.md#listmembers)                                     | **GET** /orgs/{id}/members                                | List members in org                                                                          |
+| _OrgsApi_          | [**listMyOrgs**](docs/OrgsApi.md#listmyorgs)                                       | **GET** /orgs                                             | List organizations I belong to                                                               |
+| _OrgsApi_          | [**listOrgKeys**](docs/OrgsApi.md#listorgkeys)                                     | **GET** /orgs/{id}/api-keys                               | List org-scoped API keys (no secrets)                                                        |
+| _OrgsApi_          | [**removeMember**](docs/OrgsApi.md#removemember)                                   | **DELETE** /orgs/{id}/members/{user_id}                   | Remove a member (owner/admin)                                                                |
+| _OrgsApi_          | [**updateOrg**](docs/OrgsApi.md#updateorg)                                         | **PATCH** /orgs/{id}                                      | Update organization (owner/admin)                                                            |
+| _ServersApi_       | [**createServer**](docs/ServersApi.md#createserver)                                | **POST** /servers                                         | Create server (org scoped)                                                                   |
+| _ServersApi_       | [**deleteServer**](docs/ServersApi.md#deleteserver)                                | **DELETE** /servers/{id}                                  | Delete server (org scoped)                                                                   |
+| _ServersApi_       | [**getServer**](docs/ServersApi.md#getserver)                                      | **GET** /servers/{id}                                     | Get server by ID (org scoped)                                                                |
+| _ServersApi_       | [**listServers**](docs/ServersApi.md#listservers)                                  | **GET** /servers                                          | List servers (org scoped)                                                                    |
+| _ServersApi_       | [**resetServerHostKey**](docs/ServersApi.md#resetserverhostkey)                    | **POST** /servers/{id}/reset-hostkey                      | Reset SSH host key (org scoped)                                                              |
+| _ServersApi_       | [**updateServer**](docs/ServersApi.md#updateserver)                                | **PATCH** /servers/{id}                                   | Update server (org scoped)                                                                   |
+| _SshApi_           | [**createSSHKey**](docs/SshApi.md#createsshkey)                                    | **POST** /ssh                                             | Create ssh keypair (org scoped)                                                              |
+| _SshApi_           | [**deleteSSHKey**](docs/SshApi.md#deletesshkey)                                    | **DELETE** /ssh/{id}                                      | Delete ssh keypair (org scoped)                                                              |
+| _SshApi_           | [**downloadSSHKey**](docs/SshApi.md#downloadsshkey)                                | **GET** /ssh/{id}/download                                | Download ssh key files by ID (org scoped)                                                    |
+| _SshApi_           | [**getSSHKey**](docs/SshApi.md#getsshkey)                                          | **GET** /ssh/{id}                                         | Get ssh key by ID (org scoped)                                                               |
+| _SshApi_           | [**listPublicSshKeys**](docs/SshApi.md#listpublicsshkeys)                          | **GET** /ssh                                              | List ssh keys (org scoped)                                                                   |
+| _TaintsApi_        | [**createTaint**](docs/TaintsApi.md#createtaint)                                   | **POST** /taints                                          | Create node taint (org scoped)                                                               |
+| _TaintsApi_        | [**deleteTaint**](docs/TaintsApi.md#deletetaint)                                   | **DELETE** /taints/{id}                                   | Delete taint (org scoped)                                                                    |
+| _TaintsApi_        | [**getTaint**](docs/TaintsApi.md#gettaint)                                         | **GET** /taints/{id}                                      | Get node taint by ID (org scoped)                                                            |
+| _TaintsApi_        | [**listTaints**](docs/TaintsApi.md#listtaints)                                     | **GET** /taints                                           | List node pool taints (org scoped)                                                           |
+| _TaintsApi_        | [**updateTaint**](docs/TaintsApi.md#updatetaint)                                   | **PATCH** /taints/{id}                                    | Update node taint (org scoped)                                                               |
+
+### Models
+
+- [DtoAnnotationResponse](docs/DtoAnnotationResponse.md)
+- [DtoAttachAnnotationsRequest](docs/DtoAttachAnnotationsRequest.md)
+- [DtoAttachBastionRequest](docs/DtoAttachBastionRequest.md)
+- [DtoAttachCaptainDomainRequest](docs/DtoAttachCaptainDomainRequest.md)
+- [DtoAttachLabelsRequest](docs/DtoAttachLabelsRequest.md)
+- [DtoAttachLoadBalancerRequest](docs/DtoAttachLoadBalancerRequest.md)
+- [DtoAttachNodePoolRequest](docs/DtoAttachNodePoolRequest.md)
+- [DtoAttachRecordSetRequest](docs/DtoAttachRecordSetRequest.md)
+- [DtoAttachServersRequest](docs/DtoAttachServersRequest.md)
+- [DtoAttachTaintsRequest](docs/DtoAttachTaintsRequest.md)
+- [DtoAuthStartResponse](docs/DtoAuthStartResponse.md)
+- [DtoClusterResponse](docs/DtoClusterResponse.md)
+- [DtoCreateAnnotationRequest](docs/DtoCreateAnnotationRequest.md)
+- [DtoCreateClusterRequest](docs/DtoCreateClusterRequest.md)
+- [DtoCreateCredentialRequest](docs/DtoCreateCredentialRequest.md)
+- [DtoCreateDomainRequest](docs/DtoCreateDomainRequest.md)
+- [DtoCreateLabelRequest](docs/DtoCreateLabelRequest.md)
+- [DtoCreateLoadBalancerRequest](docs/DtoCreateLoadBalancerRequest.md)
+- [DtoCreateNodePoolRequest](docs/DtoCreateNodePoolRequest.md)
+- [DtoCreateRecordSetRequest](docs/DtoCreateRecordSetRequest.md)
+- [DtoCreateSSHRequest](docs/DtoCreateSSHRequest.md)
+- [DtoCreateServerRequest](docs/DtoCreateServerRequest.md)
+- [DtoCreateTaintRequest](docs/DtoCreateTaintRequest.md)
+- [DtoCredentialOut](docs/DtoCredentialOut.md)
+- [DtoDomainResponse](docs/DtoDomainResponse.md)
+- [DtoEnqueueRequest](docs/DtoEnqueueRequest.md)
+- [DtoJWK](docs/DtoJWK.md)
+- [DtoJWKS](docs/DtoJWKS.md)
+- [DtoJob](docs/DtoJob.md)
+- [DtoJobStatus](docs/DtoJobStatus.md)
+- [DtoLabelResponse](docs/DtoLabelResponse.md)
+- [DtoLoadBalancerResponse](docs/DtoLoadBalancerResponse.md)
+- [DtoLogoutRequest](docs/DtoLogoutRequest.md)
+- [DtoNodePoolResponse](docs/DtoNodePoolResponse.md)
+- [DtoPageJob](docs/DtoPageJob.md)
+- [DtoQueueInfo](docs/DtoQueueInfo.md)
+- [DtoRecordSetResponse](docs/DtoRecordSetResponse.md)
+- [DtoRefreshRequest](docs/DtoRefreshRequest.md)
+- [DtoServerResponse](docs/DtoServerResponse.md)
+- [DtoSetKubeconfigRequest](docs/DtoSetKubeconfigRequest.md)
+- [DtoSshResponse](docs/DtoSshResponse.md)
+- [DtoSshRevealResponse](docs/DtoSshRevealResponse.md)
+- [DtoTaintResponse](docs/DtoTaintResponse.md)
+- [DtoTokenPair](docs/DtoTokenPair.md)
+- [DtoUpdateAnnotationRequest](docs/DtoUpdateAnnotationRequest.md)
+- [DtoUpdateClusterRequest](docs/DtoUpdateClusterRequest.md)
+- [DtoUpdateCredentialRequest](docs/DtoUpdateCredentialRequest.md)
+- [DtoUpdateDomainRequest](docs/DtoUpdateDomainRequest.md)
+- [DtoUpdateLabelRequest](docs/DtoUpdateLabelRequest.md)
+- [DtoUpdateLoadBalancerRequest](docs/DtoUpdateLoadBalancerRequest.md)
+- [DtoUpdateNodePoolRequest](docs/DtoUpdateNodePoolRequest.md)
+- [DtoUpdateRecordSetRequest](docs/DtoUpdateRecordSetRequest.md)
+- [DtoUpdateServerRequest](docs/DtoUpdateServerRequest.md)
+- [DtoUpdateTaintRequest](docs/DtoUpdateTaintRequest.md)
+- [GetSSHKey200Response](docs/GetSSHKey200Response.md)
+- [HandlersCreateUserKeyRequest](docs/HandlersCreateUserKeyRequest.md)
+- [HandlersHealthStatus](docs/HandlersHealthStatus.md)
+- [HandlersMeResponse](docs/HandlersMeResponse.md)
+- [HandlersMemberOut](docs/HandlersMemberOut.md)
+- [HandlersMemberUpsertReq](docs/HandlersMemberUpsertReq.md)
+- [HandlersOrgCreateReq](docs/HandlersOrgCreateReq.md)
+- [HandlersOrgKeyCreateReq](docs/HandlersOrgKeyCreateReq.md)
+- [HandlersOrgKeyCreateResp](docs/HandlersOrgKeyCreateResp.md)
+- [HandlersOrgUpdateReq](docs/HandlersOrgUpdateReq.md)
+- [HandlersUpdateMeRequest](docs/HandlersUpdateMeRequest.md)
+- [HandlersUserAPIKeyOut](docs/HandlersUserAPIKeyOut.md)
+- [HandlersVersionResponse](docs/HandlersVersionResponse.md)
+- [ModelsAPIKey](docs/ModelsAPIKey.md)
+- [ModelsOrganization](docs/ModelsOrganization.md)
+- [ModelsUser](docs/ModelsUser.md)
+- [ModelsUserEmail](docs/ModelsUserEmail.md)
+- [UtilsErrorResponse](docs/UtilsErrorResponse.md)
+
+### Authorization
+
+Authentication schemes defined for the API:
+<a id="ApiKeyAuth"></a>
+
+#### ApiKeyAuth
+
+- **Type**: API key
+- **API key parameter name**: `X-API-KEY`
+- **Location**: HTTP header
+  <a id="BearerAuth"></a>
+
+#### BearerAuth
+
+- **Type**: API key
+- **API key parameter name**: `Authorization`
+- **Location**: HTTP header
+  <a id="OrgKeyAuth"></a>
+
+#### OrgKeyAuth
+
+- **Type**: API key
+- **API key parameter name**: `X-ORG-KEY`
+- **Location**: HTTP header
+  <a id="OrgSecretAuth"></a>
+
+#### OrgSecretAuth
+
+- **Type**: API key
+- **API key parameter name**: `X-ORG-SECRET`
+- **Location**: HTTP header
+
+## About
+
+This TypeScript SDK client supports the [Fetch API](https://fetch.spec.whatwg.org/)
+and is automatically generated by the
+[OpenAPI Generator](https://openapi-generator.tech) project:
+
+- API version: `dev`
+- Package version: `0.1.0`
+- Generator version: `7.17.0`
+- Build package: `org.openapitools.codegen.languages.TypeScriptFetchClientCodegen`
+
+The generated npm module supports the following:
+
+- Environments
+  - Node.js
+  - Webpack
+  - Browserify
+- Language levels
+  - ES5 - you must have a Promises/A+ library installed
+  - ES6
+- Module systems
+  - CommonJS
+  - ES6 module system
+
+## Development
+
+### Building
+
+To build the TypeScript source code, you need to have Node.js and npm installed.
+After cloning the repository, navigate to the project directory and run:
+
+```bash
+npm install
+npm run build
+```
+
+### Publishing
+
+Once you've built the package, you can publish it to npm:
+
+```bash
+npm publish
+```
+
+## License
+
+[]()
--- a/sdk/ts/docs/AnnotationsApi.md
+++ b/sdk/ts/docs/AnnotationsApi.md
@@ -0,0 +1,412 @@
+# AnnotationsApi
+
+All URIs are relative to *https://autoglue.glueopshosted.com/api/v1*
+
+| Method                                                     | HTTP request                 | Description                       |
+| ---------------------------------------------------------- | ---------------------------- | --------------------------------- |
+| [**createAnnotation**](AnnotationsApi.md#createannotation) | **POST** /annotations        | Create annotation (org scoped)    |
+| [**deleteAnnotation**](AnnotationsApi.md#deleteannotation) | **DELETE** /annotations/{id} | Delete annotation (org scoped)    |
+| [**getAnnotation**](AnnotationsApi.md#getannotation)       | **GET** /annotations/{id}    | Get annotation by ID (org scoped) |
+| [**listAnnotations**](AnnotationsApi.md#listannotations)   | **GET** /annotations         | List annotations (org scoped)     |
+| [**updateAnnotation**](AnnotationsApi.md#updateannotation) | **PATCH** /annotations/{id}  | Update annotation (org scoped)    |
+
+## createAnnotation
+
+> DtoAnnotationResponse createAnnotation(dtoCreateAnnotationRequest, xOrgID)
+
+Create annotation (org scoped)
+
+Creates an annotation.
+
+### Example
+
+```ts
+import {
+  Configuration,
+  AnnotationsApi,
+} from '@glueops/autoglue-sdk-go';
+import type { CreateAnnotationRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new AnnotationsApi(config);
+
+  const body = {
+    // DtoCreateAnnotationRequest | Annotation payload
+    dtoCreateAnnotationRequest: ...,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies CreateAnnotationRequest;
+
+  try {
+    const data = await api.createAnnotation(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                           | Type                                                        | Description        | Notes                                |
+| ------------------------------ | ----------------------------------------------------------- | ------------------ | ------------------------------------ |
+| **dtoCreateAnnotationRequest** | [DtoCreateAnnotationRequest](DtoCreateAnnotationRequest.md) | Annotation payload |                                      |
+| **xOrgID**                     | `string`                                                    | Organization UUID  | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoAnnotationResponse**](DtoAnnotationResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description                   | Response headers |
+| ----------- | ----------------------------- | ---------------- |
+| **201**     | Created                       | -                |
+| **400**     | invalid json / missing fields | -                |
+| **401**     | Unauthorized                  | -                |
+| **403**     | organization required         | -                |
+| **500**     | create failed                 | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## deleteAnnotation
+
+> deleteAnnotation(id, xOrgID)
+
+Delete annotation (org scoped)
+
+Permanently deletes the annotation.
+
+### Example
+
+```ts
+import { Configuration, AnnotationsApi } from "@glueops/autoglue-sdk-go";
+import type { DeleteAnnotationRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new AnnotationsApi(config);
+
+  const body = {
+    // string | Annotation ID (UUID)
+    id: id_example,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies DeleteAnnotationRequest;
+
+  try {
+    const data = await api.deleteAnnotation(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description          | Notes                                |
+| ---------- | -------- | -------------------- | ------------------------------------ |
+| **id**     | `string` | Annotation ID (UUID) | [Defaults to `undefined`]            |
+| **xOrgID** | `string` | Organization UUID    | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+`void` (Empty response body)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **204**     | No Content            | -                |
+| **400**     | invalid id            | -                |
+| **401**     | Unauthorized          | -                |
+| **403**     | organization required | -                |
+| **500**     | delete failed         | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## getAnnotation
+
+> DtoAnnotationResponse getAnnotation(id, xOrgID)
+
+Get annotation by ID (org scoped)
+
+Returns one annotation. Add &#x60;include&#x3D;node_pools&#x60; to include node pools.
+
+### Example
+
+```ts
+import { Configuration, AnnotationsApi } from "@glueops/autoglue-sdk-go";
+import type { GetAnnotationRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new AnnotationsApi(config);
+
+  const body = {
+    // string | Annotation ID (UUID)
+    id: id_example,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies GetAnnotationRequest;
+
+  try {
+    const data = await api.getAnnotation(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description          | Notes                                |
+| ---------- | -------- | -------------------- | ------------------------------------ |
+| **id**     | `string` | Annotation ID (UUID) | [Defaults to `undefined`]            |
+| **xOrgID** | `string` | Organization UUID    | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoAnnotationResponse**](DtoAnnotationResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **400**     | invalid id            | -                |
+| **401**     | Unauthorized          | -                |
+| **403**     | organization required | -                |
+| **404**     | not found             | -                |
+| **500**     | fetch failed          | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## listAnnotations
+
+> Array&lt;DtoAnnotationResponse&gt; listAnnotations(xOrgID, key, value, q)
+
+List annotations (org scoped)
+
+Returns annotations for the organization in X-Org-ID. Filters: &#x60;key&#x60;, &#x60;value&#x60;, and &#x60;q&#x60; (key contains). Add &#x60;include&#x3D;node_pools&#x60; to include linked node pools.
+
+### Example
+
+```ts
+import { Configuration, AnnotationsApi } from "@glueops/autoglue-sdk-go";
+import type { ListAnnotationsRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new AnnotationsApi(config);
+
+  const body = {
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+    // string | Exact key (optional)
+    key: key_example,
+    // string | Exact value (optional)
+    value: value_example,
+    // string | key contains (case-insensitive) (optional)
+    q: q_example,
+  } satisfies ListAnnotationsRequest;
+
+  try {
+    const data = await api.listAnnotations(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description                     | Notes                                |
+| ---------- | -------- | ------------------------------- | ------------------------------------ |
+| **xOrgID** | `string` | Organization UUID               | [Optional] [Defaults to `undefined`] |
+| **key**    | `string` | Exact key                       | [Optional] [Defaults to `undefined`] |
+| **value**  | `string` | Exact value                     | [Optional] [Defaults to `undefined`] |
+| **q**      | `string` | key contains (case-insensitive) | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**Array&lt;DtoAnnotationResponse&gt;**](DtoAnnotationResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description                | Response headers |
+| ----------- | -------------------------- | ---------------- |
+| **200**     | OK                         | -                |
+| **401**     | Unauthorized               | -                |
+| **403**     | organization required      | -                |
+| **500**     | failed to list annotations | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## updateAnnotation
+
+> DtoAnnotationResponse updateAnnotation(id, dtoUpdateAnnotationRequest, xOrgID)
+
+Update annotation (org scoped)
+
+Partially update annotation fields.
+
+### Example
+
+```ts
+import {
+  Configuration,
+  AnnotationsApi,
+} from '@glueops/autoglue-sdk-go';
+import type { UpdateAnnotationRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new AnnotationsApi(config);
+
+  const body = {
+    // string | Annotation ID (UUID)
+    id: id_example,
+    // DtoUpdateAnnotationRequest | Fields to update
+    dtoUpdateAnnotationRequest: ...,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies UpdateAnnotationRequest;
+
+  try {
+    const data = await api.updateAnnotation(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                           | Type                                                        | Description          | Notes                                |
+| ------------------------------ | ----------------------------------------------------------- | -------------------- | ------------------------------------ |
+| **id**                         | `string`                                                    | Annotation ID (UUID) | [Defaults to `undefined`]            |
+| **dtoUpdateAnnotationRequest** | [DtoUpdateAnnotationRequest](DtoUpdateAnnotationRequest.md) | Fields to update     |                                      |
+| **xOrgID**                     | `string`                                                    | Organization UUID    | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoAnnotationResponse**](DtoAnnotationResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description               | Response headers |
+| ----------- | ------------------------- | ---------------- |
+| **200**     | OK                        | -                |
+| **400**     | invalid id / invalid json | -                |
+| **401**     | Unauthorized              | -                |
+| **403**     | organization required     | -                |
+| **404**     | not found                 | -                |
+| **500**     | update failed             | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/ArcherAdminApi.md
+++ b/sdk/ts/docs/ArcherAdminApi.md
@@ -0,0 +1,373 @@
+# ArcherAdminApi
+
+All URIs are relative to *https://autoglue.glueopshosted.com/api/v1*
+
+| Method                                                               | HTTP request                            | Description                                |
+| -------------------------------------------------------------------- | --------------------------------------- | ------------------------------------------ |
+| [**adminCancelArcherJob**](ArcherAdminApi.md#admincancelarcherjob)   | **POST** /admin/archer/jobs/{id}/cancel | Cancel an Archer job (admin)               |
+| [**adminEnqueueArcherJob**](ArcherAdminApi.md#adminenqueuearcherjob) | **POST** /admin/archer/jobs             | Enqueue a new Archer job (admin)           |
+| [**adminListArcherJobs**](ArcherAdminApi.md#adminlistarcherjobs)     | **GET** /admin/archer/jobs              | List Archer jobs (admin)                   |
+| [**adminListArcherQueues**](ArcherAdminApi.md#adminlistarcherqueues) | **GET** /admin/archer/queues            | List Archer queues (admin)                 |
+| [**adminRetryArcherJob**](ArcherAdminApi.md#adminretryarcherjob)     | **POST** /admin/archer/jobs/{id}/retry  | Retry a failed/canceled Archer job (admin) |
+
+## adminCancelArcherJob
+
+> DtoJob adminCancelArcherJob(id, body)
+
+Cancel an Archer job (admin)
+
+Set job status to canceled if cancellable. For running jobs, this only affects future picks; wire to Archer if you need active kill.
+
+### Example
+
+```ts
+import { Configuration, ArcherAdminApi } from "@glueops/autoglue-sdk-go";
+import type { AdminCancelArcherJobRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new ArcherAdminApi(config);
+
+  const body = {
+    // string | Job ID
+    id: id_example,
+    // object (optional)
+    body: Object,
+  } satisfies AdminCancelArcherJobRequest;
+
+  try {
+    const data = await api.adminCancelArcherJob(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name     | Type     | Description | Notes                     |
+| -------- | -------- | ----------- | ------------------------- |
+| **id**   | `string` | Job ID      | [Defaults to `undefined`] |
+| **body** | `object` |             | [Optional]                |
+
+### Return type
+
+[**DtoJob**](DtoJob.md)
+
+### Authorization
+
+[BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description                    | Response headers |
+| ----------- | ------------------------------ | ---------------- |
+| **200**     | OK                             | -                |
+| **400**     | invalid job or not cancellable | -                |
+| **401**     | Unauthorized                   | -                |
+| **403**     | forbidden                      | -                |
+| **404**     | not found                      | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## adminEnqueueArcherJob
+
+> DtoJob adminEnqueueArcherJob(dtoEnqueueRequest)
+
+Enqueue a new Archer job (admin)
+
+Create a job immediately or schedule it for the future via &#x60;run_at&#x60;.
+
+### Example
+
+```ts
+import {
+  Configuration,
+  ArcherAdminApi,
+} from '@glueops/autoglue-sdk-go';
+import type { AdminEnqueueArcherJobRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new ArcherAdminApi(config);
+
+  const body = {
+    // DtoEnqueueRequest | Job parameters
+    dtoEnqueueRequest: ...,
+  } satisfies AdminEnqueueArcherJobRequest;
+
+  try {
+    const data = await api.adminEnqueueArcherJob(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                  | Type                                      | Description    | Notes |
+| --------------------- | ----------------------------------------- | -------------- | ----- |
+| **dtoEnqueueRequest** | [DtoEnqueueRequest](DtoEnqueueRequest.md) | Job parameters |       |
+
+### Return type
+
+[**DtoJob**](DtoJob.md)
+
+### Authorization
+
+[BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description                    | Response headers |
+| ----------- | ------------------------------ | ---------------- |
+| **200**     | OK                             | -                |
+| **400**     | invalid json or missing fields | -                |
+| **401**     | Unauthorized                   | -                |
+| **403**     | forbidden                      | -                |
+| **500**     | internal error                 | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## adminListArcherJobs
+
+> DtoPageJob adminListArcherJobs(status, queue, q, page, pageSize)
+
+List Archer jobs (admin)
+
+Paginated background jobs with optional filters. Search &#x60;q&#x60; may match id, type, error, payload (implementation-dependent).
+
+### Example
+
+```ts
+import { Configuration, ArcherAdminApi } from "@glueops/autoglue-sdk-go";
+import type { AdminListArcherJobsRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new ArcherAdminApi(config);
+
+  const body = {
+    // 'queued' | 'running' | 'succeeded' | 'failed' | 'canceled' | 'retrying' | 'scheduled' | Filter by status (optional)
+    status: status_example,
+    // string | Filter by queue name / worker name (optional)
+    queue: queue_example,
+    // string | Free-text search (optional)
+    q: q_example,
+    // number | Page number (optional)
+    page: 56,
+    // number | Items per page (optional)
+    pageSize: 56,
+  } satisfies AdminListArcherJobsRequest;
+
+  try {
+    const data = await api.adminListArcherJobs(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name         | Type                                                                            | Description                        | Notes                                                                                                          |
+| ------------ | ------------------------------------------------------------------------------- | ---------------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| **status**   | `queued`, `running`, `succeeded`, `failed`, `canceled`, `retrying`, `scheduled` | Filter by status                   | [Optional] [Defaults to `undefined`] [Enum: queued, running, succeeded, failed, canceled, retrying, scheduled] |
+| **queue**    | `string`                                                                        | Filter by queue name / worker name | [Optional] [Defaults to `undefined`]                                                                           |
+| **q**        | `string`                                                                        | Free-text search                   | [Optional] [Defaults to `undefined`]                                                                           |
+| **page**     | `number`                                                                        | Page number                        | [Optional] [Defaults to `1`]                                                                                   |
+| **pageSize** | `number`                                                                        | Items per page                     | [Optional] [Defaults to `25`]                                                                                  |
+
+### Return type
+
+[**DtoPageJob**](DtoPageJob.md)
+
+### Authorization
+
+[BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description    | Response headers |
+| ----------- | -------------- | ---------------- |
+| **200**     | OK             | -                |
+| **401**     | Unauthorized   | -                |
+| **403**     | forbidden      | -                |
+| **500**     | internal error | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## adminListArcherQueues
+
+> Array&lt;DtoQueueInfo&gt; adminListArcherQueues()
+
+List Archer queues (admin)
+
+Summary metrics per queue (pending, running, failed, scheduled).
+
+### Example
+
+```ts
+import { Configuration, ArcherAdminApi } from "@glueops/autoglue-sdk-go";
+import type { AdminListArcherQueuesRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new ArcherAdminApi(config);
+
+  try {
+    const data = await api.adminListArcherQueues();
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+This endpoint does not need any parameter.
+
+### Return type
+
+[**Array&lt;DtoQueueInfo&gt;**](DtoQueueInfo.md)
+
+### Authorization
+
+[BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description    | Response headers |
+| ----------- | -------------- | ---------------- |
+| **200**     | OK             | -                |
+| **401**     | Unauthorized   | -                |
+| **403**     | forbidden      | -                |
+| **500**     | internal error | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## adminRetryArcherJob
+
+> DtoJob adminRetryArcherJob(id, body)
+
+Retry a failed/canceled Archer job (admin)
+
+Marks the job retriable (DB flip). Swap this for an Archer admin call if you expose one.
+
+### Example
+
+```ts
+import { Configuration, ArcherAdminApi } from "@glueops/autoglue-sdk-go";
+import type { AdminRetryArcherJobRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new ArcherAdminApi(config);
+
+  const body = {
+    // string | Job ID
+    id: id_example,
+    // object (optional)
+    body: Object,
+  } satisfies AdminRetryArcherJobRequest;
+
+  try {
+    const data = await api.adminRetryArcherJob(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name     | Type     | Description | Notes                     |
+| -------- | -------- | ----------- | ------------------------- |
+| **id**   | `string` | Job ID      | [Defaults to `undefined`] |
+| **body** | `object` |             | [Optional]                |
+
+### Return type
+
+[**DtoJob**](DtoJob.md)
+
+### Authorization
+
+[BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description                 | Response headers |
+| ----------- | --------------------------- | ---------------- |
+| **200**     | OK                          | -                |
+| **400**     | invalid job or not eligible | -                |
+| **401**     | Unauthorized                | -                |
+| **403**     | forbidden                   | -                |
+| **404**     | not found                   | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/AuthApi.md
+++ b/sdk/ts/docs/AuthApi.md
@@ -0,0 +1,314 @@
+# AuthApi
+
+All URIs are relative to *https://autoglue.glueopshosted.com/api/v1*
+
+| Method                                      | HTTP request                      | Description                                     |
+| ------------------------------------------- | --------------------------------- | ----------------------------------------------- |
+| [**authCallback**](AuthApi.md#authcallback) | **GET** /auth/{provider}/callback | Handle social login callback                    |
+| [**authStart**](AuthApi.md#authstart)       | **POST** /auth/{provider}/start   | Begin social login                              |
+| [**getJWKS**](AuthApi.md#getjwks)           | **GET** /.well-known/jwks.json    | Get JWKS                                        |
+| [**logout**](AuthApi.md#logout)             | **POST** /auth/logout             | Revoke refresh token family (logout everywhere) |
+| [**refresh**](AuthApi.md#refresh)           | **POST** /auth/refresh            | Rotate refresh token                            |
+
+## authCallback
+
+> DtoTokenPair authCallback(provider)
+
+Handle social login callback
+
+### Example
+
+```ts
+import { Configuration, AuthApi } from "@glueops/autoglue-sdk-go";
+import type { AuthCallbackRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const api = new AuthApi();
+
+  const body = {
+    // string | google|github
+    provider: provider_example,
+  } satisfies AuthCallbackRequest;
+
+  try {
+    const data = await api.authCallback(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name         | Type     | Description | Notes  |
+| ------------ | -------- | ----------- | ------ | ------------------------- |
+| **provider** | `string` | google      | github | [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoTokenPair**](DtoTokenPair.md)
+
+### Authorization
+
+No authorization required
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+| ----------- | ----------- | ---------------- |
+| **200**     | OK          | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## authStart
+
+> DtoAuthStartResponse authStart(provider)
+
+Begin social login
+
+Returns provider authorization URL for the frontend to redirect
+
+### Example
+
+```ts
+import { Configuration, AuthApi } from "@glueops/autoglue-sdk-go";
+import type { AuthStartRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const api = new AuthApi();
+
+  const body = {
+    // string | google|github
+    provider: provider_example,
+  } satisfies AuthStartRequest;
+
+  try {
+    const data = await api.authStart(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name         | Type     | Description | Notes  |
+| ------------ | -------- | ----------- | ------ | ------------------------- |
+| **provider** | `string` | google      | github | [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoAuthStartResponse**](DtoAuthStartResponse.md)
+
+### Authorization
+
+No authorization required
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+| ----------- | ----------- | ---------------- |
+| **200**     | OK          | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## getJWKS
+
+> DtoJWKS getJWKS()
+
+Get JWKS
+
+Returns the JSON Web Key Set for token verification
+
+### Example
+
+```ts
+import { Configuration, AuthApi } from "@glueops/autoglue-sdk-go";
+import type { GetJWKSRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const api = new AuthApi();
+
+  try {
+    const data = await api.getJWKS();
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+This endpoint does not need any parameter.
+
+### Return type
+
+[**DtoJWKS**](DtoJWKS.md)
+
+### Authorization
+
+No authorization required
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+| ----------- | ----------- | ---------------- |
+| **200**     | OK          | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## logout
+
+> logout(dtoLogoutRequest)
+
+Revoke refresh token family (logout everywhere)
+
+### Example
+
+```ts
+import {
+  Configuration,
+  AuthApi,
+} from '@glueops/autoglue-sdk-go';
+import type { LogoutRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const api = new AuthApi();
+
+  const body = {
+    // DtoLogoutRequest | Refresh token
+    dtoLogoutRequest: ...,
+  } satisfies LogoutRequest;
+
+  try {
+    const data = await api.logout(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                 | Type                                    | Description   | Notes |
+| -------------------- | --------------------------------------- | ------------- | ----- |
+| **dtoLogoutRequest** | [DtoLogoutRequest](DtoLogoutRequest.md) | Refresh token |       |
+
+### Return type
+
+`void` (Empty response body)
+
+### Authorization
+
+No authorization required
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: Not defined
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+| ----------- | ----------- | ---------------- |
+| **204**     | No Content  | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## refresh
+
+> DtoTokenPair refresh(dtoRefreshRequest)
+
+Rotate refresh token
+
+### Example
+
+```ts
+import {
+  Configuration,
+  AuthApi,
+} from '@glueops/autoglue-sdk-go';
+import type { RefreshRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const api = new AuthApi();
+
+  const body = {
+    // DtoRefreshRequest | Refresh token
+    dtoRefreshRequest: ...,
+  } satisfies RefreshRequest;
+
+  try {
+    const data = await api.refresh(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                  | Type                                      | Description   | Notes |
+| --------------------- | ----------------------------------------- | ------------- | ----- |
+| **dtoRefreshRequest** | [DtoRefreshRequest](DtoRefreshRequest.md) | Refresh token |       |
+
+### Return type
+
+[**DtoTokenPair**](DtoTokenPair.md)
+
+### Authorization
+
+No authorization required
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+| ----------- | ----------- | ---------------- |
+| **200**     | OK          | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/ClustersApi.md
+++ b/sdk/ts/docs/ClustersApi.md
--- a/sdk/ts/docs/CredentialsApi.md
+++ b/sdk/ts/docs/CredentialsApi.md
@@ -0,0 +1,472 @@
+# CredentialsApi
+
+All URIs are relative to *https://autoglue.glueopshosted.com/api/v1*
+
+| Method                                                     | HTTP request                      | Description                                     |
+| ---------------------------------------------------------- | --------------------------------- | ----------------------------------------------- |
+| [**createCredential**](CredentialsApi.md#createcredential) | **POST** /credentials             | Create a credential (encrypts secret)           |
+| [**deleteCredential**](CredentialsApi.md#deletecredential) | **DELETE** /credentials/{id}      | Delete credential                               |
+| [**getCredential**](CredentialsApi.md#getcredential)       | **GET** /credentials/{id}         | Get credential by ID (metadata only)            |
+| [**listCredentials**](CredentialsApi.md#listcredentials)   | **GET** /credentials              | List credentials (metadata only)                |
+| [**revealCredential**](CredentialsApi.md#revealcredential) | **POST** /credentials/{id}/reveal | Reveal decrypted secret (one-time read)         |
+| [**updateCredential**](CredentialsApi.md#updatecredential) | **PATCH** /credentials/{id}       | Update credential metadata and/or rotate secret |
+
+## createCredential
+
+> DtoCredentialOut createCredential(dtoCreateCredentialRequest, xOrgID)
+
+Create a credential (encrypts secret)
+
+### Example
+
+```ts
+import {
+  Configuration,
+  CredentialsApi,
+} from '@glueops/autoglue-sdk-go';
+import type { CreateCredentialRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new CredentialsApi(config);
+
+  const body = {
+    // DtoCreateCredentialRequest | Credential payload
+    dtoCreateCredentialRequest: ...,
+    // string | Organization ID (UUID) (optional)
+    xOrgID: xOrgID_example,
+  } satisfies CreateCredentialRequest;
+
+  try {
+    const data = await api.createCredential(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                           | Type                                                        | Description            | Notes                                |
+| ------------------------------ | ----------------------------------------------------------- | ---------------------- | ------------------------------------ |
+| **dtoCreateCredentialRequest** | [DtoCreateCredentialRequest](DtoCreateCredentialRequest.md) | Credential payload     |                                      |
+| **xOrgID**                     | `string`                                                    | Organization ID (UUID) | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoCredentialOut**](DtoCredentialOut.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **201**     | Created               | -                |
+| **401**     | Unauthorized          | -                |
+| **403**     | organization required | -                |
+| **500**     | internal server error | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## deleteCredential
+
+> deleteCredential(id, xOrgID)
+
+Delete credential
+
+### Example
+
+```ts
+import { Configuration, CredentialsApi } from "@glueops/autoglue-sdk-go";
+import type { DeleteCredentialRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new CredentialsApi(config);
+
+  const body = {
+    // string | Credential ID (UUID)
+    id: id_example,
+    // string | Organization ID (UUID) (optional)
+    xOrgID: xOrgID_example,
+  } satisfies DeleteCredentialRequest;
+
+  try {
+    const data = await api.deleteCredential(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description            | Notes                                |
+| ---------- | -------- | ---------------------- | ------------------------------------ |
+| **id**     | `string` | Credential ID (UUID)   | [Defaults to `undefined`]            |
+| **xOrgID** | `string` | Organization ID (UUID) | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+`void` (Empty response body)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description | Response headers |
+| ----------- | ----------- | ---------------- |
+| **204**     | No Content  | -                |
+| **404**     | not found   | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## getCredential
+
+> DtoCredentialOut getCredential(id, xOrgID)
+
+Get credential by ID (metadata only)
+
+### Example
+
+```ts
+import { Configuration, CredentialsApi } from "@glueops/autoglue-sdk-go";
+import type { GetCredentialRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new CredentialsApi(config);
+
+  const body = {
+    // string | Credential ID (UUID)
+    id: id_example,
+    // string | Organization ID (UUID) (optional)
+    xOrgID: xOrgID_example,
+  } satisfies GetCredentialRequest;
+
+  try {
+    const data = await api.getCredential(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description            | Notes                                |
+| ---------- | -------- | ---------------------- | ------------------------------------ |
+| **id**     | `string` | Credential ID (UUID)   | [Defaults to `undefined`]            |
+| **xOrgID** | `string` | Organization ID (UUID) | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoCredentialOut**](DtoCredentialOut.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **401**     | Unauthorized          | -                |
+| **403**     | organization required | -                |
+| **500**     | internal server error | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## listCredentials
+
+> Array&lt;DtoCredentialOut&gt; listCredentials(xOrgID, credentialProvider, kind, scopeKind)
+
+List credentials (metadata only)
+
+Returns credential metadata for the current org. Secrets are never returned.
+
+### Example
+
+```ts
+import { Configuration, CredentialsApi } from "@glueops/autoglue-sdk-go";
+import type { ListCredentialsRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new CredentialsApi(config);
+
+  const body = {
+    // string | Organization ID (UUID) (optional)
+    xOrgID: xOrgID_example,
+    // string | Filter by provider (e.g., aws) (optional)
+    credentialProvider: credentialProvider_example,
+    // string | Filter by kind (e.g., aws_access_key) (optional)
+    kind: kind_example,
+    // string | Filter by scope kind (credential_provider/service/resource) (optional)
+    scopeKind: scopeKind_example,
+  } satisfies ListCredentialsRequest;
+
+  try {
+    const data = await api.listCredentials(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                   | Type     | Description                                                 | Notes                                |
+| ---------------------- | -------- | ----------------------------------------------------------- | ------------------------------------ |
+| **xOrgID**             | `string` | Organization ID (UUID)                                      | [Optional] [Defaults to `undefined`] |
+| **credentialProvider** | `string` | Filter by provider (e.g., aws)                              | [Optional] [Defaults to `undefined`] |
+| **kind**               | `string` | Filter by kind (e.g., aws_access_key)                       | [Optional] [Defaults to `undefined`] |
+| **scopeKind**          | `string` | Filter by scope kind (credential_provider/service/resource) | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**Array&lt;DtoCredentialOut&gt;**](DtoCredentialOut.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **401**     | Unauthorized          | -                |
+| **403**     | organization required | -                |
+| **500**     | internal server error | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## revealCredential
+
+> { [key: string]: any; } revealCredential(id, xOrgID, body)
+
+Reveal decrypted secret (one-time read)
+
+### Example
+
+```ts
+import { Configuration, CredentialsApi } from "@glueops/autoglue-sdk-go";
+import type { RevealCredentialRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new CredentialsApi(config);
+
+  const body = {
+    // string | Credential ID (UUID)
+    id: id_example,
+    // string | Organization ID (UUID) (optional)
+    xOrgID: xOrgID_example,
+    // object (optional)
+    body: Object,
+  } satisfies RevealCredentialRequest;
+
+  try {
+    const data = await api.revealCredential(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description            | Notes                                |
+| ---------- | -------- | ---------------------- | ------------------------------------ |
+| **id**     | `string` | Credential ID (UUID)   | [Defaults to `undefined`]            |
+| **xOrgID** | `string` | Organization ID (UUID) | [Optional] [Defaults to `undefined`] |
+| **body**   | `object` |                        | [Optional]                           |
+
+### Return type
+
+**{ [key: string]: any; }**
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **403**     | organization required | -                |
+| **404**     | not found             | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## updateCredential
+
+> DtoCredentialOut updateCredential(id, dtoUpdateCredentialRequest, xOrgID)
+
+Update credential metadata and/or rotate secret
+
+### Example
+
+```ts
+import {
+  Configuration,
+  CredentialsApi,
+} from '@glueops/autoglue-sdk-go';
+import type { UpdateCredentialRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new CredentialsApi(config);
+
+  const body = {
+    // string | Credential ID (UUID)
+    id: id_example,
+    // DtoUpdateCredentialRequest | Fields to update
+    dtoUpdateCredentialRequest: ...,
+    // string | Organization ID (UUID) (optional)
+    xOrgID: xOrgID_example,
+  } satisfies UpdateCredentialRequest;
+
+  try {
+    const data = await api.updateCredential(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                           | Type                                                        | Description            | Notes                                |
+| ------------------------------ | ----------------------------------------------------------- | ---------------------- | ------------------------------------ |
+| **id**                         | `string`                                                    | Credential ID (UUID)   | [Defaults to `undefined`]            |
+| **dtoUpdateCredentialRequest** | [DtoUpdateCredentialRequest](DtoUpdateCredentialRequest.md) | Fields to update       |                                      |
+| **xOrgID**                     | `string`                                                    | Organization ID (UUID) | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoCredentialOut**](DtoCredentialOut.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description       | Response headers |
+| ----------- | ----------------- | ---------------- |
+| **200**     | OK                | -                |
+| **403**     | X-Org-ID required | -                |
+| **404**     | not found         | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/DNSApi.md
+++ b/sdk/ts/docs/DNSApi.md
@@ -0,0 +1,721 @@
+# DNSApi
+
+All URIs are relative to *https://autoglue.glueopshosted.com/api/v1*
+
+| Method                                           | HTTP request                              | Description                                                                                  |
+| ------------------------------------------------ | ----------------------------------------- | -------------------------------------------------------------------------------------------- |
+| [**createDomain**](DNSApi.md#createdomain)       | **POST** /dns/domains                     | Create a domain (org scoped)                                                                 |
+| [**createRecordSet**](DNSApi.md#createrecordset) | **POST** /dns/domains/{domain_id}/records | Create a record set (pending; Archer will UPSERT to Route 53)                                |
+| [**deleteDomain**](DNSApi.md#deletedomain)       | **DELETE** /dns/domains/{id}              | Delete a domain                                                                              |
+| [**deleteRecordSet**](DNSApi.md#deleterecordset) | **DELETE** /dns/records/{id}              | Delete a record set (API removes row; worker can optionally handle external deletion policy) |
+| [**getDomain**](DNSApi.md#getdomain)             | **GET** /dns/domains/{id}                 | Get a domain (org scoped)                                                                    |
+| [**listDomains**](DNSApi.md#listdomains)         | **GET** /dns/domains                      | List domains (org scoped)                                                                    |
+| [**listRecordSets**](DNSApi.md#listrecordsets)   | **GET** /dns/domains/{domain_id}/records  | List record sets for a domain                                                                |
+| [**updateDomain**](DNSApi.md#updatedomain)       | **PATCH** /dns/domains/{id}               | Update a domain (org scoped)                                                                 |
+| [**updateRecordSet**](DNSApi.md#updaterecordset) | **PATCH** /dns/records/{id}               | Update a record set (flips to pending for reconciliation)                                    |
+
+## createDomain
+
+> DtoDomainResponse createDomain(dtoCreateDomainRequest, xOrgID)
+
+Create a domain (org scoped)
+
+Creates a domain bound to a Route 53 scoped credential. Archer will backfill ZoneID if omitted.
+
+### Example
+
+```ts
+import {
+  Configuration,
+  DNSApi,
+} from '@glueops/autoglue-sdk-go';
+import type { CreateDomainRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // DtoCreateDomainRequest | Domain payload
+    dtoCreateDomainRequest: ...,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies CreateDomainRequest;
+
+  try {
+    const data = await api.createDomain(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                       | Type                                                | Description       | Notes                                |
+| -------------------------- | --------------------------------------------------- | ----------------- | ------------------------------------ |
+| **dtoCreateDomainRequest** | [DtoCreateDomainRequest](DtoCreateDomainRequest.md) | Domain payload    |                                      |
+| **xOrgID**                 | `string`                                            | Organization UUID | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoDomainResponse**](DtoDomainResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **201**     | Created               | -                |
+| **400**     | validation error      | -                |
+| **401**     | Unauthorized          | -                |
+| **403**     | organization required | -                |
+| **500**     | db error              | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## createRecordSet
+
+> DtoRecordSetResponse createRecordSet(domainId, dtoCreateRecordSetRequest, xOrgID)
+
+Create a record set (pending; Archer will UPSERT to Route 53)
+
+### Example
+
+```ts
+import {
+  Configuration,
+  DNSApi,
+} from '@glueops/autoglue-sdk-go';
+import type { CreateRecordSetRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // string | Domain ID (UUID)
+    domainId: domainId_example,
+    // DtoCreateRecordSetRequest | Record set payload
+    dtoCreateRecordSetRequest: ...,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies CreateRecordSetRequest;
+
+  try {
+    const data = await api.createRecordSet(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                          | Type                                                      | Description        | Notes                                |
+| ----------------------------- | --------------------------------------------------------- | ------------------ | ------------------------------------ |
+| **domainId**                  | `string`                                                  | Domain ID (UUID)   | [Defaults to `undefined`]            |
+| **dtoCreateRecordSetRequest** | [DtoCreateRecordSetRequest](DtoCreateRecordSetRequest.md) | Record set payload |                                      |
+| **xOrgID**                    | `string`                                                  | Organization UUID  | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoRecordSetResponse**](DtoRecordSetResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **201**     | Created               | -                |
+| **400**     | validation error      | -                |
+| **403**     | organization required | -                |
+| **404**     | domain not found      | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## deleteDomain
+
+> deleteDomain(id, xOrgID)
+
+Delete a domain
+
+### Example
+
+```ts
+import { Configuration, DNSApi } from "@glueops/autoglue-sdk-go";
+import type { DeleteDomainRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // string | Domain ID (UUID)
+    id: id_example,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies DeleteDomainRequest;
+
+  try {
+    const data = await api.deleteDomain(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description       | Notes                                |
+| ---------- | -------- | ----------------- | ------------------------------------ |
+| **id**     | `string` | Domain ID (UUID)  | [Defaults to `undefined`]            |
+| **xOrgID** | `string` | Organization UUID | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+`void` (Empty response body)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **204**     | No Content            | -                |
+| **403**     | organization required | -                |
+| **404**     | not found             | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## deleteRecordSet
+
+> deleteRecordSet(id, xOrgID)
+
+Delete a record set (API removes row; worker can optionally handle external deletion policy)
+
+### Example
+
+```ts
+import { Configuration, DNSApi } from "@glueops/autoglue-sdk-go";
+import type { DeleteRecordSetRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // string | Record Set ID (UUID)
+    id: id_example,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies DeleteRecordSetRequest;
+
+  try {
+    const data = await api.deleteRecordSet(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description          | Notes                                |
+| ---------- | -------- | -------------------- | ------------------------------------ |
+| **id**     | `string` | Record Set ID (UUID) | [Defaults to `undefined`]            |
+| **xOrgID** | `string` | Organization UUID    | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+`void` (Empty response body)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **204**     | No Content            | -                |
+| **403**     | organization required | -                |
+| **404**     | not found             | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## getDomain
+
+> DtoDomainResponse getDomain(id, xOrgID)
+
+Get a domain (org scoped)
+
+### Example
+
+```ts
+import { Configuration, DNSApi } from "@glueops/autoglue-sdk-go";
+import type { GetDomainRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // string | Domain ID (UUID)
+    id: id_example,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies GetDomainRequest;
+
+  try {
+    const data = await api.getDomain(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name       | Type     | Description       | Notes                                |
+| ---------- | -------- | ----------------- | ------------------------------------ |
+| **id**     | `string` | Domain ID (UUID)  | [Defaults to `undefined`]            |
+| **xOrgID** | `string` | Organization UUID | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoDomainResponse**](DtoDomainResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **401**     | Unauthorized          | -                |
+| **403**     | organization required | -                |
+| **404**     | not found             | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## listDomains
+
+> Array&lt;DtoDomainResponse&gt; listDomains(xOrgID, domainName, status, q)
+
+List domains (org scoped)
+
+Returns domains for X-Org-ID. Filters: &#x60;domain_name&#x60;, &#x60;status&#x60;, &#x60;q&#x60; (contains).
+
+### Example
+
+```ts
+import { Configuration, DNSApi } from "@glueops/autoglue-sdk-go";
+import type { ListDomainsRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+    // string | Exact domain name (lowercase, no trailing dot) (optional)
+    domainName: domainName_example,
+    // string | pending|provisioning|ready|failed (optional)
+    status: status_example,
+    // string | Domain contains (case-insensitive) (optional)
+    q: q_example,
+  } satisfies ListDomainsRequest;
+
+  try {
+    const data = await api.listDomains(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name           | Type     | Description                                    | Notes                                |
+| -------------- | -------- | ---------------------------------------------- | ------------------------------------ | ----- | ------ | ------------------------------------ |
+| **xOrgID**     | `string` | Organization UUID                              | [Optional] [Defaults to `undefined`] |
+| **domainName** | `string` | Exact domain name (lowercase, no trailing dot) | [Optional] [Defaults to `undefined`] |
+| **status**     | `string` | pending                                        | provisioning                         | ready | failed | [Optional] [Defaults to `undefined`] |
+| **q**          | `string` | Domain contains (case-insensitive)             | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**Array&lt;DtoDomainResponse&gt;**](DtoDomainResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **401**     | Unauthorized          | -                |
+| **403**     | organization required | -                |
+| **500**     | db error              | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## listRecordSets
+
+> Array&lt;DtoRecordSetResponse&gt; listRecordSets(domainId, xOrgID, name, type, status)
+
+List record sets for a domain
+
+Filters: &#x60;name&#x60;, &#x60;type&#x60;, &#x60;status&#x60;.
+
+### Example
+
+```ts
+import { Configuration, DNSApi } from "@glueops/autoglue-sdk-go";
+import type { ListRecordSetsRequest } from "@glueops/autoglue-sdk-go";
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // string | Domain ID (UUID)
+    domainId: domainId_example,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+    // string | Exact relative name or FQDN (server normalizes) (optional)
+    name: name_example,
+    // string | RR type (A, AAAA, CNAME, TXT, MX, NS, SRV, CAA) (optional)
+    type: type_example,
+    // string | pending|provisioning|ready|failed (optional)
+    status: status_example,
+  } satisfies ListRecordSetsRequest;
+
+  try {
+    const data = await api.listRecordSets(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name         | Type     | Description                                     | Notes                                |
+| ------------ | -------- | ----------------------------------------------- | ------------------------------------ | ----- | ------ | ------------------------------------ |
+| **domainId** | `string` | Domain ID (UUID)                                | [Defaults to `undefined`]            |
+| **xOrgID**   | `string` | Organization UUID                               | [Optional] [Defaults to `undefined`] |
+| **name**     | `string` | Exact relative name or FQDN (server normalizes) | [Optional] [Defaults to `undefined`] |
+| **type**     | `string` | RR type (A, AAAA, CNAME, TXT, MX, NS, SRV, CAA) | [Optional] [Defaults to `undefined`] |
+| **status**   | `string` | pending                                         | provisioning                         | ready | failed | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**Array&lt;DtoRecordSetResponse&gt;**](DtoRecordSetResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: Not defined
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **403**     | organization required | -                |
+| **404**     | domain not found      | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## updateDomain
+
+> DtoDomainResponse updateDomain(id, dtoUpdateDomainRequest, xOrgID)
+
+Update a domain (org scoped)
+
+### Example
+
+```ts
+import {
+  Configuration,
+  DNSApi,
+} from '@glueops/autoglue-sdk-go';
+import type { UpdateDomainRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // string | Domain ID (UUID)
+    id: id_example,
+    // DtoUpdateDomainRequest | Fields to update
+    dtoUpdateDomainRequest: ...,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies UpdateDomainRequest;
+
+  try {
+    const data = await api.updateDomain(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                       | Type                                                | Description       | Notes                                |
+| -------------------------- | --------------------------------------------------- | ----------------- | ------------------------------------ |
+| **id**                     | `string`                                            | Domain ID (UUID)  | [Defaults to `undefined`]            |
+| **dtoUpdateDomainRequest** | [DtoUpdateDomainRequest](DtoUpdateDomainRequest.md) | Fields to update  |                                      |
+| **xOrgID**                 | `string`                                            | Organization UUID | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoDomainResponse**](DtoDomainResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **400**     | validation error      | -                |
+| **403**     | organization required | -                |
+| **404**     | not found             | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
+
+## updateRecordSet
+
+> DtoRecordSetResponse updateRecordSet(id, dtoUpdateRecordSetRequest, xOrgID)
+
+Update a record set (flips to pending for reconciliation)
+
+### Example
+
+```ts
+import {
+  Configuration,
+  DNSApi,
+} from '@glueops/autoglue-sdk-go';
+import type { UpdateRecordSetRequest } from '@glueops/autoglue-sdk-go';
+
+async function example() {
+  console.log("🚀 Testing @glueops/autoglue-sdk-go SDK...");
+  const config = new Configuration({
+    // To configure API key authorization: OrgKeyAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: OrgSecretAuth
+    apiKey: "YOUR API KEY",
+    // To configure API key authorization: BearerAuth
+    apiKey: "YOUR API KEY",
+  });
+  const api = new DNSApi(config);
+
+  const body = {
+    // string | Record Set ID (UUID)
+    id: id_example,
+    // DtoUpdateRecordSetRequest | Fields to update
+    dtoUpdateRecordSetRequest: ...,
+    // string | Organization UUID (optional)
+    xOrgID: xOrgID_example,
+  } satisfies UpdateRecordSetRequest;
+
+  try {
+    const data = await api.updateRecordSet(body);
+    console.log(data);
+  } catch (error) {
+    console.error(error);
+  }
+}
+
+// Run the test
+example().catch(console.error);
+```
+
+### Parameters
+
+| Name                          | Type                                                      | Description          | Notes                                |
+| ----------------------------- | --------------------------------------------------------- | -------------------- | ------------------------------------ |
+| **id**                        | `string`                                                  | Record Set ID (UUID) | [Defaults to `undefined`]            |
+| **dtoUpdateRecordSetRequest** | [DtoUpdateRecordSetRequest](DtoUpdateRecordSetRequest.md) | Fields to update     |                                      |
+| **xOrgID**                    | `string`                                                  | Organization UUID    | [Optional] [Defaults to `undefined`] |
+
+### Return type
+
+[**DtoRecordSetResponse**](DtoRecordSetResponse.md)
+
+### Authorization
+
+[OrgKeyAuth](../README.md#OrgKeyAuth), [OrgSecretAuth](../README.md#OrgSecretAuth), [BearerAuth](../README.md#BearerAuth)
+
+### HTTP request headers
+
+- **Content-Type**: `application/json`
+- **Accept**: `application/json`
+
+### HTTP response details
+
+| Status code | Description           | Response headers |
+| ----------- | --------------------- | ---------------- |
+| **200**     | OK                    | -                |
+| **400**     | validation error      | -                |
+| **403**     | organization required | -                |
+| **404**     | not found             | -                |
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/DtoAnnotationResponse.md
+++ b/sdk/ts/docs/DtoAnnotationResponse.md
@@ -0,0 +1,40 @@
+# DtoAnnotationResponse
+
+## Properties
+
+| Name              | Type   |
+| ----------------- | ------ |
+| `created_at`      | string |
+| `id`              | string |
+| `key`             | string |
+| `organization_id` | string |
+| `updated_at`      | string |
+| `value`           | string |
+
+## Example
+
+```typescript
+import type { DtoAnnotationResponse } from "@glueops/autoglue-sdk-go";
+
+// TODO: Update the object below with actual values
+const example = {
+  created_at: null,
+  id: null,
+  key: null,
+  organization_id: null,
+  updated_at: null,
+  value: null,
+} satisfies DtoAnnotationResponse;
+
+console.log(example);
+
+// Convert the instance to a JSON string
+const exampleJSON: string = JSON.stringify(example);
+console.log(exampleJSON);
+
+// Parse the JSON string back to an object
+const exampleParsed = JSON.parse(exampleJSON) as DtoAnnotationResponse;
+console.log(exampleParsed);
+```
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/DtoAttachAnnotationsRequest.md
+++ b/sdk/ts/docs/DtoAttachAnnotationsRequest.md
@@ -0,0 +1,30 @@
+# DtoAttachAnnotationsRequest
+
+## Properties
+
+| Name             | Type                |
+| ---------------- | ------------------- |
+| `annotation_ids` | Array&lt;string&gt; |
+
+## Example
+
+```typescript
+import type { DtoAttachAnnotationsRequest } from "@glueops/autoglue-sdk-go";
+
+// TODO: Update the object below with actual values
+const example = {
+  annotation_ids: null,
+} satisfies DtoAttachAnnotationsRequest;
+
+console.log(example);
+
+// Convert the instance to a JSON string
+const exampleJSON: string = JSON.stringify(example);
+console.log(exampleJSON);
+
+// Parse the JSON string back to an object
+const exampleParsed = JSON.parse(exampleJSON) as DtoAttachAnnotationsRequest;
+console.log(exampleParsed);
+```
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/DtoAttachBastionRequest.md
+++ b/sdk/ts/docs/DtoAttachBastionRequest.md
@@ -0,0 +1,30 @@
+# DtoAttachBastionRequest
+
+## Properties
+
+| Name        | Type   |
+| ----------- | ------ |
+| `server_id` | string |
+
+## Example
+
+```typescript
+import type { DtoAttachBastionRequest } from "@glueops/autoglue-sdk-go";
+
+// TODO: Update the object below with actual values
+const example = {
+  server_id: null,
+} satisfies DtoAttachBastionRequest;
+
+console.log(example);
+
+// Convert the instance to a JSON string
+const exampleJSON: string = JSON.stringify(example);
+console.log(exampleJSON);
+
+// Parse the JSON string back to an object
+const exampleParsed = JSON.parse(exampleJSON) as DtoAttachBastionRequest;
+console.log(exampleParsed);
+```
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/DtoAttachCaptainDomainRequest.md
+++ b/sdk/ts/docs/DtoAttachCaptainDomainRequest.md
@@ -0,0 +1,30 @@
+# DtoAttachCaptainDomainRequest
+
+## Properties
+
+| Name        | Type   |
+| ----------- | ------ |
+| `domain_id` | string |
+
+## Example
+
+```typescript
+import type { DtoAttachCaptainDomainRequest } from "@glueops/autoglue-sdk-go";
+
+// TODO: Update the object below with actual values
+const example = {
+  domain_id: null,
+} satisfies DtoAttachCaptainDomainRequest;
+
+console.log(example);
+
+// Convert the instance to a JSON string
+const exampleJSON: string = JSON.stringify(example);
+console.log(exampleJSON);
+
+// Parse the JSON string back to an object
+const exampleParsed = JSON.parse(exampleJSON) as DtoAttachCaptainDomainRequest;
+console.log(exampleParsed);
+```
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/DtoAttachLabelsRequest.md
+++ b/sdk/ts/docs/DtoAttachLabelsRequest.md
@@ -0,0 +1,30 @@
+# DtoAttachLabelsRequest
+
+## Properties
+
+| Name        | Type                |
+| ----------- | ------------------- |
+| `label_ids` | Array&lt;string&gt; |
+
+## Example
+
+```typescript
+import type { DtoAttachLabelsRequest } from "@glueops/autoglue-sdk-go";
+
+// TODO: Update the object below with actual values
+const example = {
+  label_ids: null,
+} satisfies DtoAttachLabelsRequest;
+
+console.log(example);
+
+// Convert the instance to a JSON string
+const exampleJSON: string = JSON.stringify(example);
+console.log(exampleJSON);
+
+// Parse the JSON string back to an object
+const exampleParsed = JSON.parse(exampleJSON) as DtoAttachLabelsRequest;
+console.log(exampleParsed);
+```
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/sdk/ts/docs/DtoAttachLoadBalancerRequest.md
+++ b/sdk/ts/docs/DtoAttachLoadBalancerRequest.md
@@ -0,0 +1,30 @@
+# DtoAttachLoadBalancerRequest
+
+## Properties
+
+| Name               | Type   |
+| ------------------ | ------ |
+| `load_balancer_id` | string |
+
+## Example
+
+```typescript
+import type { DtoAttachLoadBalancerRequest } from "@glueops/autoglue-sdk-go";
+
+// TODO: Update the object below with actual values
+const example = {
+  load_balancer_id: null,
+} satisfies DtoAttachLoadBalancerRequest;
+
+console.log(example);
+
+// Convert the instance to a JSON string
+const exampleJSON: string = JSON.stringify(example);
+console.log(exampleJSON);
+
+// Parse the JSON string back to an object
+const exampleParsed = JSON.parse(exampleJSON) as DtoAttachLoadBalancerRequest;
+console.log(exampleParsed);
+```
+
+[[Back to top]](#) [[Back to API list]](../README.md#api-endpoints) [[Back to Model list]](../README.md#models) [[Back to README]](../README.md)
--- a/Show More
+++ b/Show More