npm - @1claw/sdk - Versions diffs - 0.17.0 → 0.19.0 - Mend

@1claw/sdk 0.17.0 → 0.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +25 -1
package/dist/generated/api-types.d.ts +386 -2
package/dist/generated/api-types.d.ts.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/resources/secrets.d.ts +14 -2
package/dist/resources/secrets.d.ts.map +1 -1
package/dist/resources/secrets.js +21 -1
package/dist/resources/secrets.js.map +1 -1
package/dist/resources/vault.d.ts +4 -2
package/dist/resources/vault.d.ts.map +1 -1
package/dist/resources/vault.js +13 -7
package/dist/resources/vault.js.map +1 -1
package/dist/types.d.ts +15 -0
package/dist/types.d.ts.map +1 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -76,7 +76,7 @@ await client.auth.resetPassword({ token: "...", new_password: "..." });
 | Resource           | Methods                                                                                                             |
 | ------------------ | ------------------------------------------------------------------------------------------------------------------- |
-| `client.vault`     | `create`, `get`, `list`, `delete`                                                                                   |
+| `client.vault`     | `create`, `get`, `list`, `delete`, `enableMpc`, `disableMpc`                                                        |
 | `client.secrets`   | `set`, `get`, `delete`, `list`, `rotate`                                                                            |
 | `client.access`    | `grantHuman`, `grantAgent`, `update`, `revoke`, `listGrants`                                                        |
 | `client.agents`    | `create`, `getSelf`, `get`, `list`, `update`, `delete`, `rotateKey`, `submitTransaction`, `signTransaction`, `getTransaction`, `listTransactions`, `simulateTransaction`, `simulateBundle` |
@@ -265,6 +265,30 @@ const job = await client.vault.getRotationJobStatus(vaultId, jobId);
 console.log(job.data?.status, job.data?.processed, "/", job.data?.total_secrets);
 ```
+## MPC Vault Support
+Vaults can optionally use multi-party computation (MPC) for secret splitting. When MPC is enabled, the server holds one share and the client holds another — neither party can reconstruct the secret alone.
+```typescript
+// Enable MPC on a vault
+await client.vault.enableMpc(vaultId);
+// Store a secret — response includes the client_share
+const res = await client.secrets.set(vaultId, "my-key", "secret-value");
+const clientShare = res.data?.client_share; // Save this securely on your side
+// Retrieve a secret — pass client_share to reconstruct
+const secret = await client.secrets.get(vaultId, "my-key", {
+    client_share: clientShare,
+});
+console.log(secret.data?.value);
+// Disable MPC (converts back to standard encryption)
+await client.vault.disableMpc(vaultId);
+```
+When MPC is enabled, `set` responses include a `client_share` field that must be stored client-side. The `get` method accepts an optional `client_share` parameter to reconstruct the full secret. Without the client share, the server returns only its share.
 ## Agent Token Auto-Refresh
 When using agent credentials (`agentId` + `apiKey`), the SDK automatically refreshes tokens 60 seconds before expiry. No manual token management needed:

package/dist/generated/api-types.d.ts CHANGED Viewed

@@ -539,6 +539,28 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
+    "/v1/vaults/{vault_id}/mpc": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        /**
+         * Enable MPC custody on a vault
+         * @description Enable MPC custody on an existing vault. Requires Business or Enterprise plan.
+         *     Splits secret encryption keys across multiple providers using the specified
+         *     custody mode (e.g. 2-of-2, 2-of-3).
+         */
+        post: operations["enableMpc"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
     "/v1/vaults/{vault_id}/secrets": {
         parameters: {
             query?: never;
@@ -575,6 +597,83 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
+    "/v1/vaults/{vault_id}/secret-versions/{path}": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** List all versions of a secret */
+        get: operations["listSecretVersions"];
+        put?: never;
+        post?: never;
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
+    "/v1/vaults/{vault_id}/secret-version/{path}/{version}": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** Retrieve a specific version of a secret */
+        get: operations["getSecretVersion"];
+        put?: never;
+        post?: never;
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
+    "/v1/vaults/{vault_id}/secret-version/{path}/{version}/disable": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        /**
+         * Disable a specific secret version
+         * @description Disables a version so it can no longer be read. The version is
+         *     retained for audit purposes but returns 410 on read attempts.
+         */
+        post: operations["disableSecretVersion"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
+    "/v1/vaults/{vault_id}/secret-rotate/{path}": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        /**
+         * Server-side secret rotation
+         * @description Generates a cryptographically random value and stores it as a new
+         *     version of the secret. The previous version is preserved in history.
+         *     Requires rotate or write permission.
+         */
+        post: operations["rotateSecret"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
     "/v1/vaults/{vault_id}/policies": {
         parameters: {
             query?: never;
@@ -1793,6 +1892,62 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
+    "/v1/shroud/threat-summary": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /**
+         * Shroud threat analytics summary
+         * @description Aggregated threat metrics for the organization from `shroud_activity` (detectors, blocked counts, recent flagged requests). Query `period` selects the window; the previous window of equal length is used for request volume trend.
+         */
+        get: {
+            parameters: {
+                query?: {
+                    /** @description Rolling window ending now */
+                    period?: "1h" | "24h" | "7d" | "30d";
+                };
+                header?: never;
+                path?: never;
+                cookie?: never;
+            };
+            requestBody?: never;
+            responses: {
+                /** @description Threat summary */
+                200: {
+                    headers: {
+                        [name: string]: unknown;
+                    };
+                    content: {
+                        "application/json": components["schemas"]["ShroudThreatSummary"];
+                    };
+                };
+                /** @description Invalid period */
+                400: {
+                    headers: {
+                        [name: string]: unknown;
+                    };
+                    content?: never;
+                };
+                /** @description Unauthorized */
+                401: {
+                    headers: {
+                        [name: string]: unknown;
+                    };
+                    content?: never;
+                };
+            };
+        };
+        put?: never;
+        post?: never;
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
 }
 export type webhooks = Record<string, never>;
 export interface components {
@@ -1991,6 +2146,8 @@ export interface components {
         CreateVaultRequest: {
             name: string;
             description?: string;
+            /** @description MPC custody mode to enable at creation (e.g. "2-of-2", "2-of-3") */
+            mpc_custody?: string;
         };
         VaultResponse: {
             /** Format: uuid */
@@ -2005,6 +2162,12 @@ export interface components {
             cmek_enabled?: boolean;
             /** @description SHA-256 fingerprint of the CMEK key (64 hex chars) */
             cmek_fingerprint?: string;
+            /** @description MPC custody mode (e.g. "2-of-2", "2-of-3"), absent when MPC is not enabled */
+            mpc_custody?: string;
+            /** @description Number of shares required to reconstruct the key */
+            mpc_threshold?: number;
+            /** @description List of MPC share providers (e.g. ["server", "client"]) */
+            mpc_providers?: string[];
         };
         VaultListResponse: {
             vaults?: components["schemas"]["VaultResponse"][];
@@ -2036,6 +2199,10 @@ export interface components {
             /** Format: date-time */
             created_at: string;
         };
+        EnableMpcRequest: {
+            /** @description MPC custody mode (e.g. "2-of-2", "2-of-3") */
+            mpc_custody: string;
+        };
         PutSecretRequest: {
             /**
              * @description Secret type (generic, password, api_key, certificate, private_key, ssh_key, env)
@@ -2066,6 +2233,25 @@ export interface components {
             created_at: string;
             /** Format: date-time */
             expires_at?: string;
+            /** @description Whether this version has been disabled (retained for audit but unreadable) */
+            is_disabled?: boolean;
+        };
+        /** @description Returned when a secret is created or updated. Extends SecretMetadataResponse with an optional client_share for MPC vaults. */
+        SecretCreatedResponse: {
+            /** Format: uuid */
+            id: string;
+            path: string;
+            type: string;
+            version: number;
+            metadata?: {
+                [key: string]: unknown;
+            };
+            /** Format: date-time */
+            created_at: string;
+            /** Format: date-time */
+            expires_at?: string;
+            /** @description Base64-encoded client key share. Returned only for MPC 2-of-2 vaults. The client must store this share securely — it is not persisted server-side. */
+            client_share?: string;
         };
         SecretResponse: {
             /** Format: uuid */
@@ -2088,6 +2274,20 @@ export interface components {
         SecretListResponse: {
             secrets?: components["schemas"]["SecretMetadataResponse"][];
         };
+        SecretVersionListResponse: {
+            versions?: components["schemas"]["SecretMetadataResponse"][];
+        };
+        RotateSecretRequest: {
+            /** @description Length of the generated value (default 32) */
+            length?: number;
+            /**
+             * @description Character set for the generated value (default hex)
+             * @enum {string}
+             */
+            charset?: "hex" | "base64" | "alphanumeric" | "ascii";
+            /** @description Override the secret type (defaults to existing secret's type) */
+            type?: string;
+        };
         CreatePolicyRequest: {
             secret_path_pattern: string;
             /** @enum {string} */
@@ -3232,6 +3432,46 @@ export interface components {
             policy_violations?: string[];
             metadata?: Record<string, never>;
         };
+        ShroudThreatSummary: {
+            /** Format: int64 */
+            total_requests?: number;
+            /** Format: int64 */
+            total_requests_prev?: number;
+            /** Format: int64 */
+            blocked_requests?: number;
+            /** Format: int64 */
+            detectors_triggered?: number;
+            /** Format: int64 */
+            active_agents?: number;
+            detectors?: components["schemas"]["ShroudDetectorStats"][];
+            flagged_requests?: components["schemas"]["ShroudFlaggedRequest"][];
+        };
+        ShroudDetectorStats: {
+            detector?: string;
+            /** Format: int64 */
+            detections?: number;
+            /** Format: int64 */
+            blocks?: number;
+            actions?: {
+                /** Format: int64 */
+                blocked?: number;
+                /** Format: int64 */
+                warned?: number;
+                /** Format: int64 */
+                logged?: number;
+            };
+        };
+        ShroudFlaggedRequest: {
+            id?: string;
+            /** Format: date-time */
+            timestamp?: string;
+            agent_id?: string;
+            agent_name?: string;
+            score?: number;
+            reason?: string;
+            /** @enum {string} */
+            action?: "blocked" | "warned" | "logged";
+        };
         HealthResponse: {
             /** @enum {string} */
             status?: "healthy" | "degraded";
@@ -4154,6 +4394,35 @@ export interface operations {
             404: components["responses"]["NotFound"];
         };
     };
+    enableMpc: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                vault_id: components["parameters"]["VaultId"];
+            };
+            cookie?: never;
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["EnableMpcRequest"];
+            };
+        };
+        responses: {
+            /** @description MPC custody enabled */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "application/json": components["schemas"]["VaultResponse"];
+                };
+            };
+            400: components["responses"]["BadRequest"];
+            403: components["responses"]["Forbidden"];
+            404: components["responses"]["NotFound"];
+        };
+    };
     listSecrets: {
         parameters: {
             query?: {
@@ -4183,7 +4452,10 @@ export interface operations {
     getSecret: {
         parameters: {
             query?: never;
-            header?: never;
+            header?: {
+                /** @description Base64-encoded client key share for MPC 2-of-2 vaults. Required when the vault uses 2-of-2 MPC custody. */
+                "x-client-share"?: string;
+            };
             path: {
                 vault_id: components["parameters"]["VaultId"];
                 /** @description Secret path (e.g. "db/credentials") */
@@ -4229,7 +4501,7 @@ export interface operations {
                     [name: string]: unknown;
                 };
                 content: {
-                    "application/json": components["schemas"]["SecretMetadataResponse"];
+                    "application/json": components["schemas"]["SecretCreatedResponse"];
                 };
             };
             400: components["responses"]["BadRequest"];
@@ -4259,6 +4531,118 @@ export interface operations {
             404: components["responses"]["NotFound"];
         };
     };
+    listSecretVersions: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                vault_id: components["parameters"]["VaultId"];
+                /** @description Secret path (e.g. "db/credentials") */
+                path: components["parameters"]["SecretPath"];
+            };
+            cookie?: never;
+        };
+        requestBody?: never;
+        responses: {
+            /** @description Version list */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "application/json": components["schemas"]["SecretVersionListResponse"];
+                };
+            };
+            404: components["responses"]["NotFound"];
+        };
+    };
+    getSecretVersion: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                vault_id: components["parameters"]["VaultId"];
+                /** @description Secret path (e.g. "db/credentials") */
+                path: components["parameters"]["SecretPath"];
+                version: number;
+            };
+            cookie?: never;
+        };
+        requestBody?: never;
+        responses: {
+            /** @description Decrypted secret value at the specified version */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "application/json": components["schemas"]["SecretResponse"];
+                };
+            };
+            404: components["responses"]["NotFound"];
+            /** @description Version has been disabled or expired */
+            410: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+        };
+    };
+    disableSecretVersion: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                vault_id: components["parameters"]["VaultId"];
+                /** @description Secret path (e.g. "db/credentials") */
+                path: components["parameters"]["SecretPath"];
+                version: number;
+            };
+            cookie?: never;
+        };
+        requestBody?: never;
+        responses: {
+            /** @description Version disabled */
+            204: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+            404: components["responses"]["NotFound"];
+        };
+    };
+    rotateSecret: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                vault_id: components["parameters"]["VaultId"];
+                /** @description Secret path (e.g. "db/credentials") */
+                path: components["parameters"]["SecretPath"];
+            };
+            cookie?: never;
+        };
+        requestBody?: {
+            content: {
+                "application/json": components["schemas"]["RotateSecretRequest"];
+            };
+        };
+        responses: {
+            /** @description New version created with server-generated value */
+            201: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "application/json": components["schemas"]["SecretCreatedResponse"];
+                };
+            };
+            400: components["responses"]["BadRequest"];
+            404: components["responses"]["NotFound"];
+        };
+    };
     listPolicies: {
         parameters: {
             query?: never;