@1claw/openapi-spec 0.1.0 → 0.2.0

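--- a/package/README.md
+++ b/package/README.md
@@ -40,6 +40,18 @@ openapi-generator generate \
  import spec from "@1claw/openapi-spec/openapi.json";
  ```
 
+ ## What's in the spec (v2.1.0)
+
+ - **Vaults** — CRUD, CMEK enable/disable, key rotation with job tracking
+ - **Secrets** — CRUD, versioning, CMEK-encrypted flag
+ - **Agents** — CRUD with `token_ttl_seconds`, `vault_ids`, crypto proxy, transaction guardrails
+ - **Policies** — Glob-based access control
+ - **Sharing** — Links, user/agent shares, accept/decline
+ - **Billing** — Subscriptions, credits, x402
+ - **Audit** — Hash-chained event log
+ - **Chains** — Supported blockchain registry
+ - **Auth** — JWT, API keys, agent tokens, MFA, device flow, Google OAuth
+
  ## Included files
 
  - `openapi.yaml` — The canonical YAML specification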
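--- a/package/openapi.json
+++ b/package/openapi.json
@@ -2,7 +2,7 @@
  "openapi": "3.1.0",
  "info": {
  "title": "1Claw API",
- "version": "2.0.0",
+ "version": "2.1.0",
  "description": "Secure secret management for AI agents. Provides vaults, secrets,\npolicy-based access control, agent identity, crypto transaction proxy,\nsharing, billing, and audit logging.\n\nAll endpoints require JWT Bearer authentication unless marked with\n`security: []`.\n",
  "contact": {
  "email": "ops@1claw.xyz"
@@ -850,6 +850,173 @@
  }
  }
  },
+ "/v1/vaults/{vault_id}/cmek": {
+ "post": {
+ "tags": [
+ "CMEK"
+ ],
+ "summary": "Enable CMEK on a vault",
+ "operationId": "enableCmek",
+ "description": "Enable client-side encryption on a vault. Requires Business or Enterprise plan.\nOnly the key's SHA-256 fingerprint is stored — the key never touches the server.\n",
+ "parameters": [
+ {
+ "$ref": "#/components/parameters/VaultId"
+ }
+ ],
+ "requestBody": {
+ "required": true,
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/EnableCmekRequest"
+ }
+ }
+ }
+ },
+ "responses": {
+ "200": {
+ "description": "CMEK enabled",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/VaultResponse"
+ }
+ }
+ }
+ },
+ "400": {
+ "$ref": "#/components/responses/BadRequest"
+ },
+ "403": {
+ "$ref": "#/components/responses/Forbidden"
+ }
+ }
+ },
+ "delete": {
+ "tags": [
+ "CMEK"
+ ],
+ "summary": "Disable CMEK on a vault",
+ "operationId": "disableCmek",
+ "description": "Disable client-side encryption. Existing CMEK-encrypted secrets still require\nthe key to decrypt. New secrets will use HSM-only encryption.\n",
+ "parameters": [
+ {
+ "$ref": "#/components/parameters/VaultId"
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "CMEK disabled",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/VaultResponse"
+ }
+ }
+ }
+ },
+ "400": {
+ "$ref": "#/components/responses/BadRequest"
+ }
+ }
+ }
+ },
+ "/v1/vaults/{vault_id}/cmek-rotate": {
+ "post": {
+ "tags": [
+ "CMEK"
+ ],
+ "summary": "Start server-assisted CMEK key rotation",
+ "operationId": "rotateCmek",
+ "description": "Re-encrypts all secrets from the old CMEK key to the new one.\nKeys are passed in headers (TLS-only) and exist in server memory\nonly during the rotation. Batched in groups of 100 secrets.\n",
+ "parameters": [
+ {
+ "$ref": "#/components/parameters/VaultId"
+ },
+ {
+ "name": "x-cmek-old-key",
+ "in": "header",
+ "required": true,
+ "schema": {
+ "type": "string"
+ },
+ "description": "Base64-encoded old CMEK key (32 bytes)"
+ },
+ {
+ "name": "x-cmek-new-key",
+ "in": "header",
+ "required": true,
+ "schema": {
+ "type": "string"
+ },
+ "description": "Base64-encoded new CMEK key (32 bytes)"
+ }
+ ],
+ "requestBody": {
+ "required": true,
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/CmekRotateRequest"
+ }
+ }
+ }
+ },
+ "responses": {
+ "202": {
+ "description": "Rotation job started",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/CmekRotationJobResponse"
+ }
+ }
+ }
+ },
+ "400": {
+ "$ref": "#/components/responses/BadRequest"
+ }
+ }
+ }
+ },
+ "/v1/vaults/{vault_id}/cmek-rotate/{job_id}": {
+ "get": {
+ "tags": [
+ "CMEK"
+ ],
+ "summary": "Get CMEK rotation job status",
+ "operationId": "getCmekRotationJob",
+ "parameters": [
+ {
+ "$ref": "#/components/parameters/VaultId"
+ },
+ {
+ "name": "job_id",
+ "in": "path",
+ "required": true,
+ "schema": {
+ "type": "string",
+ "format": "uuid"
+ }
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "Rotation job status",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/CmekRotationJobResponse"
+ }
+ }
+ }
+ },
+ "404": {
+ "$ref": "#/components/responses/NotFound"
+ }
+ }
+ }
+ },
  "/v1/vaults/{vault_id}/secrets": {
  "get": {
  "tags": [
@@ -3251,6 +3418,14 @@
  "created_at": {
  "type": "string",
  "format": "date-time"
+ },
+ "cmek_enabled": {
+ "type": "boolean",
+ "description": "Whether client-managed encryption is enabled"
+ },
+ "cmek_fingerprint": {
+ "type": "string",
+ "description": "SHA-256 fingerprint of the CMEK key (64 hex chars)"
  }
  }
  },
@@ -3265,6 +3440,87 @@
  }
  }
  },
+ "EnableCmekRequest": {
+ "type": "object",
+ "required": [
+ "fingerprint"
+ ],
+ "properties": {
+ "fingerprint": {
+ "type": "string",
+ "description": "SHA-256 hex fingerprint of the CMEK key (64 chars)"
+ }
+ }
+ },
+ "CmekRotateRequest": {
+ "type": "object",
+ "required": [
+ "new_fingerprint"
+ ],
+ "properties": {
+ "new_fingerprint": {
+ "type": "string",
+ "description": "SHA-256 hex fingerprint of the new CMEK key"
+ }
+ }
+ },
+ "CmekRotationJobResponse": {
+ "type": "object",
+ "required": [
+ "id",
+ "vault_id",
+ "status",
+ "total_secrets",
+ "processed",
+ "created_at"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "format": "uuid"
+ },
+ "vault_id": {
+ "type": "string",
+ "format": "uuid"
+ },
+ "old_fingerprint": {
+ "type": "string"
+ },
+ "new_fingerprint": {
+ "type": "string"
+ },
+ "status": {
+ "type": "string",
+ "enum": [
+ "pending",
+ "running",
+ "completed",
+ "failed"
+ ]
+ },
+ "total_secrets": {
+ "type": "integer"
+ },
+ "processed": {
+ "type": "integer"
+ },
+ "error": {
+ "type": "string"
+ },
+ "started_at": {
+ "type": "string",
+ "format": "date-time"
+ },
+ "completed_at": {
+ "type": "string",
+ "format": "date-time"
+ },
+ "created_at": {
+ "type": "string",
+ "format": "date-time"
+ }
+ }
+ },
  "PutSecretRequest": {
  "type": "object",
  "required": [
@@ -3374,6 +3630,10 @@
  "expires_at": {
  "type": "string",
  "format": "date-time"
+ },
+ "cmek_encrypted": {
+ "type": "boolean",
+ "description": "Whether this secret value is CMEK-encrypted (requires client-side decryption)"
  }
  }
  },
@@ -3557,6 +3817,19 @@
  "items": {
  "type": "string"
  }
+ },
+ "token_ttl_seconds": {
+ "type": "integer",
+ "nullable": true,
+ "description": "Per-agent token TTL in seconds (overrides global default)"
+ },
+ "vault_ids": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "uuid"
+ },
+ "description": "Restrict agent to specific vault UUIDs (empty = all vaults in org)"
  }
  }
  },
@@ -3599,6 +3872,17 @@
  "items": {
  "type": "string"
  }
+ },
+ "token_ttl_seconds": {
+ "type": "integer",
+ "nullable": true
+ },
+ "vault_ids": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "uuid"
+ }
  }
  }
  },
@@ -3656,6 +3940,17 @@
  "type": "string"
  }
  },
+ "token_ttl_seconds": {
+ "type": "integer",
+ "nullable": true
+ },
+ "vault_ids": {
+ "type": "array",
+ "items": {
+ "type": "string",
+ "format": "uuid"
+ }
+ },
  "created_at": {
  "type": "string",
  "format": "date-time"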
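Review bot: The `rotateCmek` operation (new lines 924–981) takes raw key material in the `x-cmek-old-key` and `x-cmek-new-key` request headers, and request headers are routinely captured by reverse proxies, load balancers, APM agents and access logs. The spec should either move the keys into the request body or state in the parameter descriptions that these two headers must be redacted at every hop. The `enableCmek` description says "the key never touches the server", while `rotateCmek` says the keys "exist in server memory only during the rotation", so the first statement should be qualified as not applying to server-assisted rotation. Both header schemas are a bare `"type": "string"`; a 32-byte key in padded standard Base64 is 44 characters, so `"minLength": 44, "maxLength": 44` would let gateways and generated clients reject malformed values early (adjust if unpadded or URL-safe Base64 is accepted). The same definitions appear in the `package/openapi.yaml` section.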
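--- a/package/openapi.yaml
+++ b/package/openapi.yaml
@@ -2,7 +2,7 @@ openapi: 3.1.0
 
  info:
  title: 1Claw API
- version: 2.0.0
+ version: 2.1.0
  description: |
  Secure secret management for AI agents. Provides vaults, secrets,
  policy-based access control, agent identity, crypto transaction proxy,
@@ -548,6 +548,118 @@ paths:
  "404":
  $ref: "#/components/responses/NotFound"
 
+ # ---------------------------------------------------------------------------
+ # CMEK (Customer-Managed Encryption Keys)
+ # ---------------------------------------------------------------------------
+
+ /v1/vaults/{vault_id}/cmek:
+ post:
+ tags: [CMEK]
+ summary: Enable CMEK on a vault
+ operationId: enableCmek
+ description: |
+ Enable client-side encryption on a vault. Requires Business or Enterprise plan.
+ Only the key's SHA-256 fingerprint is stored — the key never touches the server.
+ parameters:
+ - $ref: "#/components/parameters/VaultId"
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/EnableCmekRequest"
+ responses:
+ "200":
+ description: CMEK enabled
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/VaultResponse"
+ "400":
+ $ref: "#/components/responses/BadRequest"
+ "403":
+ $ref: "#/components/responses/Forbidden"
+ delete:
+ tags: [CMEK]
+ summary: Disable CMEK on a vault
+ operationId: disableCmek
+ description: |
+ Disable client-side encryption. Existing CMEK-encrypted secrets still require
+ the key to decrypt. New secrets will use HSM-only encryption.
+ parameters:
+ - $ref: "#/components/parameters/VaultId"
+ responses:
+ "200":
+ description: CMEK disabled
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/VaultResponse"
+ "400":
+ $ref: "#/components/responses/BadRequest"
+
+ /v1/vaults/{vault_id}/cmek-rotate:
+ post:
+ tags: [CMEK]
+ summary: Start server-assisted CMEK key rotation
+ operationId: rotateCmek
+ description: |
+ Re-encrypts all secrets from the old CMEK key to the new one.
+ Keys are passed in headers (TLS-only) and exist in server memory
+ only during the rotation. Batched in groups of 100 secrets.
+ parameters:
+ - $ref: "#/components/parameters/VaultId"
+ - name: x-cmek-old-key
+ in: header
+ required: true
+ schema:
+ type: string
+ description: Base64-encoded old CMEK key (32 bytes)
+ - name: x-cmek-new-key
+ in: header
+ required: true
+ schema:
+ type: string
+ description: Base64-encoded new CMEK key (32 bytes)
+ requestBody:
+ required: true
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/CmekRotateRequest"
+ responses:
+ "202":
+ description: Rotation job started
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/CmekRotationJobResponse"
+ "400":
+ $ref: "#/components/responses/BadRequest"
+
+ /v1/vaults/{vault_id}/cmek-rotate/{job_id}:
+ get:
+ tags: [CMEK]
+ summary: Get CMEK rotation job status
+ operationId: getCmekRotationJob
+ parameters:
+ - $ref: "#/components/parameters/VaultId"
+ - name: job_id
+ in: path
+ required: true
+ schema:
+ type: string
+ format: uuid
+ responses:
+ "200":
+ description: Rotation job status
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/CmekRotationJobResponse"
+ "404":
+ $ref: "#/components/responses/NotFound"
+
  # ---------------------------------------------------------------------------
  # Secrets
  # ---------------------------------------------------------------------------
@@ -2101,6 +2213,12 @@ components:
  created_at:
  type: string
  format: date-time
+ cmek_enabled:
+ type: boolean
+ description: Whether client-managed encryption is enabled
+ cmek_fingerprint:
+ type: string
+ description: SHA-256 fingerprint of the CMEK key (64 hex chars)
 
  VaultListResponse:
  type: object
@@ -2110,6 +2228,57 @@ components:
  items:
  $ref: "#/components/schemas/VaultResponse"
 
+ # --- CMEK ---
+
+ EnableCmekRequest:
+ type: object
+ required: [fingerprint]
+ properties:
+ fingerprint:
+ type: string
+ description: SHA-256 hex fingerprint of the CMEK key (64 chars)
+
+ CmekRotateRequest:
+ type: object
+ required: [new_fingerprint]
+ properties:
+ new_fingerprint:
+ type: string
+ description: SHA-256 hex fingerprint of the new CMEK key
+
+ CmekRotationJobResponse:
+ type: object
+ required: [id, vault_id, status, total_secrets, processed, created_at]
+ properties:
+ id:
+ type: string
+ format: uuid
+ vault_id:
+ type: string
+ format: uuid
+ old_fingerprint:
+ type: string
+ new_fingerprint:
+ type: string
+ status:
+ type: string
+ enum: [pending, running, completed, failed]
+ total_secrets:
+ type: integer
+ processed:
+ type: integer
+ error:
+ type: string
+ started_at:
+ type: string
+ format: date-time
+ completed_at:
+ type: string
+ format: date-time
+ created_at:
+ type: string
+ format: date-time
+
  # --- Secrets ---
 
  PutSecretRequest:
@@ -2183,6 +2352,9 @@ components:
  expires_at:
  type: string
  format: date-time
+ cmek_encrypted:
+ type: boolean
+ description: Whether this secret value is CMEK-encrypted (requires client-side decryption)
 
  SecretListResponse:
  type: object
@@ -2306,6 +2478,16 @@ components:
  type: array
  items:
  type: string
+ token_ttl_seconds:
+ type: integer
+ nullable: true
+ description: Per-agent token TTL in seconds (overrides global default)
+ vault_ids:
+ type: array
+ items:
+ type: string
+ format: uuid
+ description: Restrict agent to specific vault UUIDs (empty = all vaults in org)
 
  UpdateAgentRequest:
  type: object
@@ -2335,6 +2517,14 @@ components:
  type: array
  items:
  type: string
+ token_ttl_seconds:
+ type: integer
+ nullable: true
+ vault_ids:
+ type: array
+ items:
+ type: string
+ format: uuid
 
  AgentResponse:
  type: object
@@ -2369,6 +2559,14 @@ components:
  type: array
  items:
  type: string
+ token_ttl_seconds:
+ type: integer
+ nullable: true
+ vault_ids:
+ type: array
+ items:
+ type: string
+ format: uuid
  created_at:
  type: string
  format: date-time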
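Review bot: `vault_ids` is documented as "empty = all vaults in org" in the hunk at new lines 2481–2490 (the schema just before `UpdateAgentRequest`), which makes the empty list the widest scope rather than the narrowest; a client that clears the list, or a serializer that emits `[]` for an unset field, would silently widen an agent to every vault in the org. Consider treating an omitted or null field as unrestricted and `[]` as no vaults, and repeat the description on `UpdateAgentRequest` and `AgentResponse`, where `vault_ids` currently has none. `token_ttl_seconds` overrides the global default but declares no bounds; `minimum: 1` plus a documented `maximum` would keep a single request from configuring very long-lived agent tokens. It also uses `nullable: true`, an OpenAPI 3.0 keyword, while the document declares `openapi: 3.1.0`, where the form is `type: [integer, "null"]`. The same schemas appear in the `package/openapi.json` section.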
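--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@1claw/openapi-spec",
- "version": "0.1.0",
+ "version": "0.2.0",
  "description": "OpenAPI 3.1.0 specification for the 1Claw Vault API — generate clients in any language",
  "license": "PolyForm-Noncommercial-1.0.0",
  "repository": {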