@1claw/openapi-spec 0.2.0 → 0.4.0

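--- a/package/README.md
+++ b/package/README.md
@@ -44,7 +44,7 @@ import spec from "@1claw/openapi-spec/openapi.json";
 
  - **Vaults** — CRUD, CMEK enable/disable, key rotation with job tracking
  - **Secrets** — CRUD, versioning, CMEK-encrypted flag
- - **Agents** — CRUD with `token_ttl_seconds`, `vault_ids`, crypto proxy, transaction guardrails
+ - **Agents** — CRUD with `auth_method` (api_key, mtls, oidc_client_credentials), auto-generated SSH keypairs, `token_ttl_seconds`, `vault_ids`, crypto proxy, transaction guardrails
  - **Policies** — Glob-based access control
  - **Sharing** — Links, user/agent shares, accept/decline
  - **Billing** — Subscriptions, credits, x402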
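--- a/package/openapi.json
+++ b/package/openapi.json
@@ -1478,10 +1478,20 @@
  "Transactions"
  ],
  "summary": "Submit a transaction for signing",
+ "description": "Replay protection: send an optional **Idempotency-Key** header (e.g. UUID or opaque string).\nDuplicate requests with the same key within 24 hours return the cached transaction response\n(no second sign/broadcast). Omit the header for non-idempotent submissions.\n",
  "operationId": "submitTransaction",
  "parameters": [
  {
  "$ref": "#/components/parameters/AgentId"
+ },
+ {
+ "name": "Idempotency-Key",
+ "in": "header",
+ "required": false,
+ "description": "Optional key for replay protection; duplicate requests return cached response.",
+ "schema": {
+ "type": "string"
+ }
  }
  ],
  "requestBody": {
@@ -1495,6 +1505,16 @@
  }
  },
  "responses": {
+ "200": {
+ "description": "Transaction previously created with same Idempotency-Key (replay-safe response)",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/TransactionResponse"
+ }
+ }
+ }
+ },
  "201": {
  "description": "Transaction signed (and optionally broadcast)",
  "content": {
@@ -1508,6 +1528,16 @@
  "403": {
  "$ref": "#/components/responses/Forbidden"
  },
+ "409": {
+ "description": "Idempotency-Key in use by another in-flight request; retry later.",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/ProblemDetails"
+ }
+ }
+ }
+ },
  "422": {
  "description": "Simulation reverted (when simulate_first is true)",
  "content": {
@@ -1529,6 +1559,9 @@
  "parameters": [
  {
  "$ref": "#/components/parameters/AgentId"
+ },
+ {
+ "$ref": "#/components/parameters/IncludeSignedTx"
  }
  ],
  "responses": {
@@ -1564,6 +1597,9 @@
  "type": "string",
  "format": "uuid"
  }
+ },
+ {
+ "$ref": "#/components/parameters/IncludeSignedTx"
  }
  ],
  "responses": {
@@ -2922,6 +2958,16 @@
  "type": "string",
  "format": "uuid"
  }
+ },
+ "IncludeSignedTx": {
+ "name": "include_signed_tx",
+ "in": "query",
+ "required": false,
+ "description": "Set to `true` to include the raw signed transaction hex in the response. Omitted by default to reduce key exfiltration risk.\n",
+ "schema": {
+ "type": "boolean",
+ "default": false
+ }
  }
  },
  "responses": {
@@ -3784,7 +3830,14 @@
  "type": "string"
  },
  "auth_method": {
- "type": "string"
+ "type": "string",
+ "enum": [
+ "api_key",
+ "mtls",
+ "oidc_client_credentials"
+ ],
+ "default": "api_key",
+ "description": "Authentication method. api_key generates a one-time key; mtls requires client_cert_fingerprint; oidc_client_credentials requires oidc_issuer and oidc_client_id."
  },
  "scopes": {
  "type": "array",
@@ -3830,6 +3883,18 @@
  "format": "uuid"
  },
  "description": "Restrict agent to specific vault UUIDs (empty = all vaults in org)"
+ },
+ "client_cert_fingerprint": {
+ "type": "string",
+ "description": "SHA-256 fingerprint of the client certificate (required for mTLS auth)"
+ },
+ "oidc_issuer": {
+ "type": "string",
+ "description": "OIDC issuer URL (required for oidc_client_credentials auth)"
+ },
+ "oidc_client_id": {
+ "type": "string",
+ "description": "OIDC client ID (required for oidc_client_credentials auth)"
  }
  }
  },
@@ -3908,7 +3973,12 @@
  "type": "string"
  },
  "auth_method": {
- "type": "string"
+ "type": "string",
+ "enum": [
+ "api_key",
+ "mtls",
+ "oidc_client_credentials"
+ ]
  },
  "scopes": {
  "type": "array",
@@ -3951,6 +4021,26 @@
  "format": "uuid"
  }
  },
+ "client_cert_fingerprint": {
+ "type": "string",
+ "description": "SHA-256 fingerprint of the client certificate (mTLS agents)"
+ },
+ "oidc_issuer": {
+ "type": "string",
+ "description": "OIDC issuer URL (oidc_client_credentials agents)"
+ },
+ "oidc_client_id": {
+ "type": "string",
+ "description": "OIDC client ID (oidc_client_credentials agents)"
+ },
+ "ssh_public_key": {
+ "type": "string",
+ "description": "Ed25519 SSH public key (base64-encoded, auto-generated at creation)"
+ },
+ "ecdh_public_key": {
+ "type": "string",
+ "description": "P-256 ECDH public key (base64 SEC1 uncompressed point, auto-generated at creation)"
+ },
  "created_at": {
  "type": "string",
  "format": "date-time"
@@ -4009,14 +4099,21 @@
  "last_active_at": {
  "type": "string",
  "format": "date-time"
+ },
+ "ssh_public_key": {
+ "type": "string",
+ "description": "Ed25519 SSH public key (base64-encoded)"
+ },
+ "ecdh_public_key": {
+ "type": "string",
+ "description": "P-256 ECDH public key (base64 SEC1 uncompressed point)"
  }
  }
  },
  "AgentCreatedResponse": {
  "type": "object",
  "required": [
- "agent",
- "api_key"
+ "agent"
  ],
  "properties": {
  "agent": {
@@ -4024,7 +4121,7 @@
  },
  "api_key": {
  "type": "string",
- "description": "One-time API key (store securely)"
+ "description": "One-time API key (only present for api_key auth method)"
  }
  }
  },
@@ -4171,7 +4268,9 @@
  ]
  },
  "signed_tx": {
- "type": "string"
+ "type": "string",
+ "nullable": true,
+ "description": "Raw signed transaction hex. Omitted (null) by default to reduce exfiltration risk. Pass `include_signed_tx=true` query param on GET endpoints to include it. Always returned on the initial POST submission response.\n"
  },
  "tx_hash": {
  "type": "string"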
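Review bot: The Idempotency-Key parameter added in hunk @@ -1478,10 +1478,20 does not say what the key is scoped to (the authenticated agent from the AgentId path parameter, the org, or all callers) nor what happens when the same key is reused with a different request body, while the 200 response added in the next hunk returns a cached TransactionResponse for any match; without a stated scope and body fingerprint, a colliding or reused key could hand one caller another submission's cached result. Common idempotency designs bind the key to the caller and reject a key reused with a different payload (a 4xx such as the 409 or 422 already defined here) instead of replaying, and the spec should state which of these the server does. The header schema is also an unbounded `"type": "string"`; a bound such as `"maxLength": 255` (value to be chosen) keeps arbitrary-length keys out of the 24-hour cache. If the implementation already scopes and fingerprints, I would make that explicit: `"description": "Optional key for replay protection, scoped to the authenticated agent; duplicates within 24 hours return the cached response, and a reused key with a different body is rejected."`. The same applies to the openapi.yaml copy in hunk @@ -941,9 +941,19.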
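--- a/package/openapi.yaml
+++ b/package/openapi.yaml
@@ -941,9 +941,19 @@ paths:
  post:
  tags: [Transactions]
  summary: Submit a transaction for signing
+ description: |
+ Replay protection: send an optional **Idempotency-Key** header (e.g. UUID or opaque string).
+ Duplicate requests with the same key within 24 hours return the cached transaction response
+ (no second sign/broadcast). Omit the header for non-idempotent submissions.
  operationId: submitTransaction
  parameters:
  - $ref: "#/components/parameters/AgentId"
+ - name: Idempotency-Key
+ in: header
+ required: false
+ description: Optional key for replay protection; duplicate requests return cached response.
+ schema:
+ type: string
  requestBody:
  required: true
  content:
@@ -957,8 +967,20 @@ paths:
  application/json:
  schema:
  $ref: "#/components/schemas/TransactionResponse"
+ "200":
+ description: Transaction previously created with same Idempotency-Key (replay-safe response)
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/TransactionResponse"
  "403":
  $ref: "#/components/responses/Forbidden"
+ "409":
+ description: Idempotency-Key in use by another in-flight request; retry later.
+ content:
+ application/json:
+ schema:
+ $ref: "#/components/schemas/ProblemDetails"
  "422":
  description: Simulation reverted (when simulate_first is true)
  content:
@@ -971,6 +993,7 @@ paths:
  operationId: listTransactions
  parameters:
  - $ref: "#/components/parameters/AgentId"
+ - $ref: "#/components/parameters/IncludeSignedTx"
  responses:
  "200":
  description: Transaction list
@@ -992,6 +1015,7 @@ paths:
  schema:
  type: string
  format: uuid
+ - $ref: "#/components/parameters/IncludeSignedTx"
  responses:
  "200":
  description: Transaction details
@@ -1871,6 +1895,16 @@ components:
  schema:
  type: string
  format: uuid
+ IncludeSignedTx:
+ name: include_signed_tx
+ in: query
+ required: false
+ description: >
+ Set to `true` to include the raw signed transaction hex in the response.
+ Omitted by default to reduce key exfiltration risk.
+ schema:
+ type: boolean
+ default: false
 
  responses:
  BadRequest:
@@ -2456,6 +2490,9 @@ components:
  type: string
  auth_method:
  type: string
+ enum: [api_key, mtls, oidc_client_credentials]
+ default: api_key
+ description: Authentication method. api_key generates a one-time key; mtls requires client_cert_fingerprint; oidc_client_credentials requires oidc_issuer and oidc_client_id.
  scopes:
  type: array
  items:
@@ -2488,6 +2525,15 @@ components:
  type: string
  format: uuid
  description: Restrict agent to specific vault UUIDs (empty = all vaults in org)
+ client_cert_fingerprint:
+ type: string
+ description: SHA-256 fingerprint of the client certificate (required for mTLS auth)
+ oidc_issuer:
+ type: string
+ description: OIDC issuer URL (required for oidc_client_credentials auth)
+ oidc_client_id:
+ type: string
+ description: OIDC client ID (required for oidc_client_credentials auth)
 
  UpdateAgentRequest:
  type: object
@@ -2539,6 +2585,7 @@ components:
  type: string
  auth_method:
  type: string
+ enum: [api_key, mtls, oidc_client_credentials]
  scopes:
  type: array
  items:
@@ -2567,6 +2614,21 @@ components:
  items:
  type: string
  format: uuid
+ client_cert_fingerprint:
+ type: string
+ description: SHA-256 fingerprint of the client certificate (mTLS agents)
+ oidc_issuer:
+ type: string
+ description: OIDC issuer URL (oidc_client_credentials agents)
+ oidc_client_id:
+ type: string
+ description: OIDC client ID (oidc_client_credentials agents)
+ ssh_public_key:
+ type: string
+ description: Ed25519 SSH public key (base64-encoded, auto-generated at creation)
+ ecdh_public_key:
+ type: string
+ description: P-256 ECDH public key (base64 SEC1 uncompressed point, auto-generated at creation)
  created_at:
  type: string
  format: date-time
@@ -2610,16 +2672,22 @@ components:
  last_active_at:
  type: string
  format: date-time
+ ssh_public_key:
+ type: string
+ description: Ed25519 SSH public key (base64-encoded)
+ ecdh_public_key:
+ type: string
+ description: P-256 ECDH public key (base64 SEC1 uncompressed point)
 
  AgentCreatedResponse:
  type: object
- required: [agent, api_key]
+ required: [agent]
  properties:
  agent:
  $ref: "#/components/schemas/AgentResponse"
  api_key:
  type: string
- description: One-time API key (store securely)
+ description: One-time API key (only present for api_key auth method)
 
  AgentListResponse:
  type: object
@@ -2717,6 +2785,11 @@ components:
  enum: [pending, signed, broadcast, failed, simulation_failed]
  signed_tx:
  type: string
+ nullable: true
+ description: >
+ Raw signed transaction hex. Omitted (null) by default to reduce exfiltration risk.
+ Pass `include_signed_tx=true` query param on GET endpoints to include it.
+ Always returned on the initial POST submission response.
  tx_hash:
  type: string
  error_message: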
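Review bot: `nullable: true` on `signed_tx` in hunk @@ -2717,6 +2785,11 is an OpenAPI 3.0 keyword that 3.1 removed, and package.json describes this document as an OpenAPI 3.1.0 specification; if the document's `openapi` field (outside this diff) is indeed 3.1.0, validators and generators ignore the keyword, `signed_tx` stays a non-nullable string, and strict clients will reject the null the description promises. The 3.1 form replaces `type: string` plus `nullable: true` with `type: [string, "null"]`; the openapi.json copy in hunk @@ -4171,7 +4268,9 (`"nullable": true`) needs the same treatment. Separately, the IncludeSignedTx description in hunk @@ -1871,6 +1895,16 says the field is omitted to reduce "key exfiltration risk", but a signed transaction is not itself key material; naming the actual exposure, e.g. `Omitted by default so that a signed, broadcast-ready transaction is not returned unless explicitly requested.`, would be more accurate. It is also worth stating whether the replayed 200 response carries `signed_tx`, since the description covers the initial POST and the GET endpoints but not the cached replay path.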
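--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@1claw/openapi-spec",
- "version": "0.2.0",
+ "version": "0.4.0",
  "description": "OpenAPI 3.1.0 specification for the 1Claw Vault API — generate clients in any language",
  "license": "PolyForm-Noncommercial-1.0.0",
  "repository": {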