@cubist-labs/cubesigner-sdk 0.1.77 → 0.2.15

package/dist/src/schema.d.ts

@@ -6,7 +6,6 @@ export interface paths {
     "/v0/about_me": {
         /**
          * User Info
-         * @deprecated
          * @description User Info
          *
          * Retrieves information about the current user.
@@ -384,6 +383,13 @@ export interface paths {
          * If no query parameters are provided, information for the current session is returned
          */
         get: operations["listSessions"];
+        /**
+         * Create new user session (management and/or signing)
+         * @description Create new user session (management and/or signing)
+         *
+         * Create a new user session
+         */
+        post: operations["createSession"];
         /**
          * Revoke existing session(s)
          * @description Revoke existing session(s)
@@ -393,6 +399,15 @@ export interface paths {
          */
         delete: operations["revokeSessions"];
     };
+    "/v0/org/{org_id}/session/self": {
+        /**
+         * Revoke current session
+         * @description Revoke current session
+         *
+         * Immediately revokes the current session, preventing it from being used or refreshed
+         */
+        delete: operations["revokeCurrentSession"];
+    };
     "/v0/org/{org_id}/session/{session_id}": {
         /**
          * Get session information
@@ -435,6 +450,42 @@ export interface paths {
          */
         get: operations["aboutMe"];
     };
+    "/v0/org/{org_id}/user/me/export": {
+        /**
+         * List outstanding user-export requests
+         * @description List outstanding user-export requests
+         */
+        get: operations["userExportList"];
+        /**
+         * Initiate a user-export request
+         * @description Initiate a user-export request
+         *
+         * This starts a delay (whose length is determined by Org-wide settings)
+         * before export can be completed, and returns a ticket that can be used
+         * to complete the export once the timer has expired.
+         *
+         * Only one user-export request can be active for a given key. If there
+         * is already an active export, this endpoint will return an error. To
+         * create a new request, first delete the existing one.
+         */
+        post: operations["userExportInit"];
+        /**
+         * Delete an existing user-export request
+         * @description Delete an existing user-export request
+         */
+        delete: operations["userExportDelete"];
+        /**
+         * Complete a user-export request
+         * @description Complete a user-export request
+         *
+         * This endpoint can be called only after initiating a user-export request via
+         * the `user_export_init` API, and only within the subsequent export window
+         * (i.e., after the export delay has passed and before the request has expired).
+         *
+         * To check on the status of an export request, see the `user_export_list` API.
+         */
+        patch: operations["userExportComplete"];
+    };
     "/v0/org/{org_id}/user/me/fido": {
         /**
          * Initiate registration of a FIDO key
@@ -707,6 +758,10 @@ export interface components {
             mfa_policy?: Record<string, unknown> | null;
             role: components["schemas"]["MemberRole"];
         };
+        AddThirdPartyUserResponse: {
+            /** @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f */
+            user_id: string;
+        };
         ApprovalInfo: {
             timestamp: components["schemas"]["EpochDateTime"];
         };
@@ -856,6 +911,10 @@ export interface components {
              */
             tx: Record<string, never>;
         };
+        AvaSignResponse: {
+            /** @description The hex-encoded signature. */
+            signature: string;
+        };
         /** @description Wrapper around a zeroizing 32-byte fixed-size array */
         B32: string;
         /**
@@ -872,6 +931,10 @@ export interface components {
              */
             message_base64: string;
         };
+        BlobSignResponse: {
+            /** @description The hex-encoded signature. */
+            signature: string;
+        };
         /** @enum {string} */
         BtcSighashType: "All" | "None" | "Single" | "AllPlusAnyoneCanPay" | "NonePlusAnyoneCanPay" | "SinglePlusAnyoneCanPay";
         BtcSignRequest: {
@@ -879,6 +942,13 @@ export interface components {
             /** @description The bitcoin transaction to sign */
             tx: Record<string, never>;
         };
+        BtcSignResponse: {
+            /**
+             * @description The hex-encoded signature in compact format.
+             * @example 0x454aef27c21df7dd8f537dc869f4cd65286ce239a52d36470f4d85be85a891b02789e5ffd8560b32a98110e5d0096802e4c14145cf6c44f10a768c87755eaa4800
+             */
+            signature: string;
+        };
         BtcSignatureKind: {
             /** @description Segregated Witness */
             Segwit: {
@@ -932,6 +1002,18 @@ export interface components {
             /** @enum {string} */
             type: "fido";
         };
+        CreateKeyImportKeyResponse: components["schemas"]["KeyImportKey"] & {
+            /**
+             * @description An attestation document from a secure enclave, including an
+             * RSA signing key used to sign the contents of this message.
+             */
+            enclave_attestation: string;
+            /**
+             * @description An RSA-PSS-SHA256 signature on the public key and encrypted
+             * secrets attesting to their generation inside a secure enclave.
+             */
+            enclave_signature: string;
+        };
         CreateKeyRequest: {
             /**
              * Format: int64
@@ -952,6 +1034,10 @@ export interface components {
              */
             owner?: string | null;
         };
+        CreateKeyResponse: {
+            /** @description The info about the created keys */
+            keys: components["schemas"]["KeyInfo"][];
+        };
         /** @description Optional create role request body */
         CreateRoleRequest: {
             /**
@@ -960,6 +1046,33 @@ export interface components {
              */
             name: string;
         };
+        /** @description The newly created role information */
+        CreateRoleResponse: {
+            /**
+             * @description A human-readable name for the role.
+             * @example my_role
+             */
+            name?: string | null;
+            /**
+             * @description The id of the newly created role
+             * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
+             */
+            role_id: string;
+        };
+        CreateSessionRequest: components["schemas"]["RatchetConfig"] & {
+            /**
+             * @description A human readable description of the session's purpose
+             * @example Manage keys on server foo.bar
+             */
+            purpose: string;
+            /**
+             * @description Controls what capabilities this session will have.
+             * @example [
+             *   "manage:key:*"
+             * ]
+             */
+            scopes: string[];
+        };
         CreateTokenRequest: components["schemas"]["RatchetConfig"] & ({
             /**
              * @description A human readable description of the purpose of the key
@@ -1122,8 +1235,20 @@ export interface components {
             /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
             typed_data: Record<string, never>;
         };
+        Eip712SignResponse: {
+            /**
+             * @description Hex-encoded signature comprising 65 bytes in the format required
+             * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
+             * which is either 27 or 28.
+             * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
+             */
+            signature: string;
+        };
         /** @default null */
         Empty: Record<string, unknown> | null;
+        EmptyImpl: {
+            status: string;
+        };
         /**
          * @description Epoch is a quoted `uint64`.
          * @example 256
@@ -1173,6 +1298,13 @@ export interface components {
              */
             tx: Record<string, never>;
         };
+        Eth1SignResponse: {
+            /**
+             * @description Hex-encoded RLP encoding of the transaction and its signature
+             * @example 0x22895118000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000001201d58656b0e22aaa68fdc692db41979098c3886ed33015d7467de9211609cdac000000000000000000000000000000000000000000000000000000000000000308b0c2900324d3ff9adfba7fdfe5af3f9b2cdbeef7b280437bbf1b1c59a093d615afe3e5dfed9622b540cdd9b49b3c5ad00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002001000000000000000000000049011adbcc3bc9c0307bb07f37dda1a1a9c69d2e0000000000000000000000000000000000000000000000000000000000000060903db8525674b8e7904f9b7d7d9ec55a0a42d33cf58be25469b0c21bbb6d06172bc5bb5fd1aed8e4f35936968958116b0619553c2cb1c52e7323074c6f8eb3d5a7074fc6580148df907837fa3b164ad7fbc2288dad1e8a5b021095b57c8a36d4
+             */
+            rlp_signed_tx: string;
+        };
         /**
          * @example {
          *   "eth2_sign_request": {
@@ -1202,18 +1334,39 @@ export interface components {
             eth2_sign_request: Record<string, never>;
             network: components["schemas"]["Network"];
         };
+        Eth2SignResponse: {
+            /**
+             * @description Hex encoded signature prefixed with 0x e.g. "0x0000..."
+             * @example 0xb4f2ef9d12a54e1f569596c07c97d6d730535b6ffc0d287761dc78103a86326782471a04c75ce7a6faea08ca9a4a0830031cdcb893da8711d54aa22619f1a7e71b8185ddf4c6bfd9babbd735960e35e56bd6eeb89625b04850e7a9ef8846e549
+             */
+            signature: string;
+        };
         /** @description Sent from the client to the server to answer a fido challenge */
         FidoAssertAnswer: {
             /** @description The ID of the challenge that was returned from the POST endpoint */
             challenge_id: string;
             credential: components["schemas"]["PublicKeyCredential"];
         };
+        FidoAssertChallenge: {
+            /** @description The id of the challenge. Must be supplied when answering the challenge. */
+            challenge_id: string;
+            options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+        };
         /** @description Sent from the client to the server to answer a fido challenge */
         FidoCreateChallengeAnswer: {
             /** @description The ID of the challenge that was returned from the POST endpoint */
             challenge_id: string;
             credential: components["schemas"]["PublicKeyCredential"];
         };
+        /**
+         * @description Sent by the server to the client. Contains the challenge data that must be
+         * used to generate a new credential
+         */
+        FidoCreateChallengeResponse: {
+            /** @description The id of the challenge. Must be supplied when answering the challenge. */
+            challenge_id: string;
+            options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+        };
         /** @description Declares intent to register a new FIDO key */
         FidoCreateRequest: {
             /**
@@ -1271,6 +1424,10 @@ export interface components {
         GetKeysInOrgRequest: {
             key_type?: components["schemas"]["KeyType"] | null;
         };
+        GetUsersInOrgResponse: {
+            /** @description The list of users in the org */
+            users: components["schemas"]["UserIdInfo"][];
+        };
         /** @description Stats pertaining the the sender `cube3signer` instance */
         HeartbeatRequest: {
             /**
@@ -1403,6 +1560,101 @@ export interface components {
              */
             skip_email: boolean;
         };
+        /**
+         * @description Key material contained inside a [`JsonKeyPackage`], which can be either
+         * a raw secret or a mnemonic, password, and derivation path.
+         */
+        JsonKeyMaterial: {
+            /** @enum {string} */
+            material_type: "raw_secret";
+            /** @description The value of the raw secret */
+            secret: string;
+        } | {
+            /** @description The derivation path */
+            derivation_path: string;
+            /** @enum {string} */
+            material_type: "english_mnemonic";
+            /** @description The mnemonic */
+            mnemonic: string;
+            /** @description The password (which may be empty) */
+            password: string;
+        };
+        /**
+         * @description A [`KeyPackage`] serialized into a format that gives a tidier JSON
+         * representation suitable for encryption in the user-export flow.
+         *
+         * We construct values of this type rather than constructing `serde_json::Value`s
+         * directly with `json!()` because this allows us to zeroize values on drop, which
+         * doesn't work with `serde_json::Value`.
+         *
+         * Examples of serialized material:
+         *
+         * - `JsonKeyMaterial::EnglishMnemonic`:
+         *
+         * ```
+         * use cubist_signer_utils::{
+         * DerivationPath, KeyPackage, Mnemonic, MnemonicPackage, Secp256k1Pkg,
+         * };
+         * use serde_json::json;
+         *
+         * const MNEMONIC: &str = "deposit fiscal brain swarm surround cousin horn glare fix love render believe guide shuffle stem cram broccoli resemble beach artefact language gift jar permit";
+         * const DER_PATH: &str = "m/44'/60'/0'/0/0";
+         * const KEY_TYPE: &str = "ecdsa:secp256k1";
+         *
+         * let mne = Mnemonic::try_from(MNEMONIC).expect("good mnemonic");
+         * let derp = DerivationPath::try_from(DER_PATH).expect("good der path");
+         * let mne_pkg = MnemonicPackage::new(mne, "", derp);
+         * let key_pkg = KeyPackage::<Secp256k1Pkg>::EnglishMnemonic(mne_pkg);
+         * let json_pkg = key_pkg.into_json(KEY_TYPE);
+         *
+         * let json_expect = json!({
+         * "key_type": KEY_TYPE,
+         * "material_type": "english_mnemonic",
+         * "mnemonic": MNEMONIC,
+         * "password": "",
+         * "derivation_path": DER_PATH,
+         * });
+         *
+         * assert_eq!(
+         * serde_json::to_value(&json_pkg).expect("json serialization"),
+         * json_expect,
+         * );
+         * ```
+         *
+         * - `JsonKeyMaterial::RawSecret`:
+         *
+         * ```
+         * use cubist_signer_utils::{
+         * get_random_byte_array, hex_encode, KeyPackage, RngCore, Secp256k1Pkg,
+         * };
+         * use serde_json::json;
+         *
+         * const KEY_TYPE: &str = "ecdsa:secp256k1";
+         *
+         * // random 32-byte secret
+         * let sk: [u8; 32] = *get_random_byte_array();
+         *
+         * let key_pkg = KeyPackage::<Secp256k1Pkg>::Secret(sk);
+         * let json_pkg = key_pkg.into_json(KEY_TYPE);
+         *
+         * let json_expect = json!({
+         * "key_type": KEY_TYPE,
+         * "material_type": "raw_secret",
+         * "secret": hex_encode(&sk),
+         * });
+         *
+         * assert_eq!(
+         * serde_json::to_value(&json_pkg).expect("json serialization"),
+         * json_expect,
+         * );
+         * ```
+         */
+        JsonKeyPackage: {
+            material_type: "JsonKeyPackage";
+        } & Omit<components["schemas"]["JsonKeyMaterial"], "material_type"> & {
+            /** @description The type of key this package represents */
+            key_type: string;
+        };
         /** @description Derivation-related metadata for keys derived from a long-lived mnemonic */
         KeyDerivationInfo: {
             /** @description The derivation path used to derive this key */
@@ -1496,6 +1748,9 @@ export interface components {
              */
             purpose: string;
         };
+        KeyInfos: {
+            keys: components["schemas"]["KeyInfo"][];
+        };
         /** @enum {string} */
         KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark";
         /**
@@ -1505,6 +1760,13 @@ export interface components {
          * so that they can pass this back to us as a url query parameter.
          */
         LastEvalKey: string;
+        ListMfaResponse: {
+            /** @description All pending MFA requests */
+            mfa_requests: components["schemas"]["MfaRequestInfo"][];
+        };
+        ListTokensResponse: {
+            tokens: components["schemas"]["TokenInfo"][];
+        };
         /**
          * @description Describes whether a user in an org is an Owner or just a regular member
          * @enum {string}
@@ -1546,11 +1808,6 @@ export interface components {
          * a single OIDC user to multiple `User`s in CubeSigner
          */
         OIDCIdentity: {
-            /**
-             * @description Free-form additional user info.
-             * @example null
-             */
-            disambiguator?: string | null;
             /**
              * @description The root-level issuer who administrates this user. Frome the OIDC spec:
              * Issuer Identifier for the Issuer of the response. The iss
@@ -1573,6 +1830,8 @@ export interface components {
             sub: string;
         };
         OidcLoginRequest: {
+            /** @description A human readable description of the purpose of the session */
+            purpose?: string | null;
             /**
              * @description Controls what capabilities this session will have.
              * @example [
@@ -1622,6 +1881,22 @@ export interface components {
              * ]
              */
             policy?: Record<string, never>[];
+            /**
+             * Format: int64
+             * @description The organization's currently configured user-export delay, i.e., the minimum
+             * amount of time (in seconds) between when a user-export is initiated and when
+             * it may be completed. (This value is meaningless for organizations that use
+             * org-wide export.)
+             */
+            user_export_delay: number;
+            /**
+             * Format: int64
+             * @description The organization's currently configured user-export window, i.e., the amount
+             * of time (in seconds) between when the user-export delay is completed and when
+             * the user export request has expired and can no longer be completed. (This value
+             * is meaningless for organizations that use org-wide export.)
+             */
+            user_export_window: number;
         };
         /**
          * @description The rocket query parameter representing the page from which to start a paginated query.
@@ -1644,6 +1919,94 @@ export interface components {
              */
             "page.start"?: string | null;
         };
+        /**
+         * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+         * value (which can the user pass back to use as a url query parameter to continue pagination).
+         */
+        PaginatedListKeysResponse: {
+            keys: components["schemas"]["KeyInfo"][];
+        } & ({
+            /**
+             * @description If set, the content of `response` does not contain the entire result set.
+             * To fetch the next page of the result set, call the same endpoint
+             * but specify this value as the 'page.start' query parameter.
+             */
+            last_evaluated_key?: string | null;
+        });
+        /**
+         * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+         * value (which can the user pass back to use as a url query parameter to continue pagination).
+         */
+        PaginatedListRoleKeysResponse: {
+            /** @description All keys in a role */
+            keys: components["schemas"]["KeyInRoleInfo"][];
+        } & ({
+            /**
+             * @description If set, the content of `response` does not contain the entire result set.
+             * To fetch the next page of the result set, call the same endpoint
+             * but specify this value as the 'page.start' query parameter.
+             */
+            last_evaluated_key?: string | null;
+        });
+        /**
+         * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+         * value (which can the user pass back to use as a url query parameter to continue pagination).
+         */
+        PaginatedListRoleUsersResponse: {
+            /** @description All users in a role */
+            users: components["schemas"]["UserInRoleInfo"][];
+        } & ({
+            /**
+             * @description If set, the content of `response` does not contain the entire result set.
+             * To fetch the next page of the result set, call the same endpoint
+             * but specify this value as the 'page.start' query parameter.
+             */
+            last_evaluated_key?: string | null;
+        });
+        /**
+         * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+         * value (which can the user pass back to use as a url query parameter to continue pagination).
+         */
+        PaginatedListRolesResponse: {
+            /** @description All roles in an organization. */
+            roles: components["schemas"]["RoleInfo"][];
+        } & ({
+            /**
+             * @description If set, the content of `response` does not contain the entire result set.
+             * To fetch the next page of the result set, call the same endpoint
+             * but specify this value as the 'page.start' query parameter.
+             */
+            last_evaluated_key?: string | null;
+        });
+        /**
+         * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+         * value (which can the user pass back to use as a url query parameter to continue pagination).
+         */
+        PaginatedSessionsResponse: {
+            /** @description The list of sessions */
+            sessions: components["schemas"]["SessionInfo"][];
+        } & ({
+            /**
+             * @description If set, the content of `response` does not contain the entire result set.
+             * To fetch the next page of the result set, call the same endpoint
+             * but specify this value as the 'page.start' query parameter.
+             */
+            last_evaluated_key?: string | null;
+        });
+        /**
+         * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+         * value (which can the user pass back to use as a url query parameter to continue pagination).
+         */
+        PaginatedUserExportListResponse: {
+            export_requests: components["schemas"]["UserExportInitResponse"][];
+        } & ({
+            /**
+             * @description If set, the content of `response` does not contain the entire result set.
+             * To fetch the next page of the result set, call the same endpoint
+             * but specify this value as the 'page.start' query parameter.
+             */
+            last_evaluated_key?: string | null;
+        });
         /**
          * @description This type represents a wire-encodable form of the PublicKeyCredential interface
          * Clients may need to manually encode into this format to communicate with the server
@@ -1688,7 +2051,7 @@ export interface components {
          */
         PublicKeyCredentialCreationOptions: {
             attestation?: components["schemas"]["AttestationConveyancePreference"];
-            authenticator_selection?: components["schemas"]["AuthenticatorSelectionCriteria"] | null;
+            authenticatorSelection?: components["schemas"]["AuthenticatorSelectionCriteria"] | null;
             /**
              * @description This member contains a challenge intended to be used for generating the
              * newly created credential’s attestation object. See the § 13.4.3
@@ -1706,7 +2069,7 @@ export interface components {
              *
              * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials
              */
-            exclude_credentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
+            excludeCredentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
             /**
              * @description This member contains additional parameters requesting additional
              * processing by the client and authenticator. For example, the caller may
@@ -1728,7 +2091,7 @@ export interface components {
              *
              * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-pubkeycredparams
              */
-            pub_key_cred_params: components["schemas"]["PublicKeyCredentialParameters"][];
+            pubKeyCredParams: components["schemas"]["PublicKeyCredentialParameters"][];
             rp: components["schemas"]["PublicKeyCredentialRpEntity"];
             /**
              * Format: int32
@@ -1739,7 +2102,7 @@ export interface components {
              * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-timeout
              */
             timeout?: number | null;
-            user?: components["schemas"]["PublicKeyCredentialUserEntity"] | null;
+            user: components["schemas"]["PublicKeyCredentialUserEntity"];
         };
         /**
          * @description This dictionary contains the attributes that are specified by a caller when
@@ -1804,7 +2167,7 @@ export interface components {
              *
              * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-allowcredentials
              */
-            allow_credentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
+            allowCredentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
             /**
              * @description This member represents a challenge that the selected authenticator
              * signs, along with other data, when producing an authentication
@@ -1821,7 +2184,7 @@ export interface components {
              *
              * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-rpid
              */
-            rp_id?: string | null;
+            rpId?: string | null;
             /**
              * Format: int32
              * @description This OPTIONAL member specifies a time, in milliseconds, that the caller
@@ -1831,7 +2194,7 @@ export interface components {
              * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-timeout
              */
             timeout?: number | null;
-            user_verification?: components["schemas"]["UserVerificationRequirement"];
+            userVerification?: components["schemas"]["UserVerificationRequirement"];
         };
         /**
          * @description The PublicKeyCredentialRpEntity dictionary is used to supply additional
@@ -1845,7 +2208,7 @@ export interface components {
              *
              * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrpentity-id
              */
-            id: string;
+            id?: string | null;
             /**
              * @description A human-palatable name for the entity. Its function depends on what the
              * PublicKeyCredentialEntity represents: When inherited by
@@ -1989,6 +2352,13 @@ export interface components {
          * @enum {string}
          */
         ResidentKeyRequirement: "discouraged" | "preferred" | "required";
+        RevokeTokenResponse: {
+            token?: components["schemas"]["TokenInfo"] | null;
+        };
+        RevokeTokensResponse: {
+            /** @description Tokens that were revoked. */
+            revoked: components["schemas"]["TokenInfo"][];
+        };
         RoleInfo: {
             /**
              * @description Whether the role is enabled
@@ -2002,6 +2372,22 @@ export interface components {
              * @example my_role
              */
             name?: string | null;
+            /**
+             * @description Policy that is checked whenever a key is accessed for signing via this role.
+             * @example [
+             *   {
+             *     "SourceIpAllowlist": [
+             *       "123.456.78.9/16"
+             *     ]
+             *   },
+             *   {
+             *     "RequireMfa": {
+             *       "count": 1
+             *     }
+             *   }
+             * ]
+             */
+            policy?: Record<string, never>[];
             /**
              * @description The ID of the role
              * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
@@ -2028,10 +2414,24 @@ export interface components {
              */
             session_id: string;
         };
-        SignRequest: {
-            message: Record<string, never>;
+        /** @description The response from any operation operating on multiple sessions */
+        SessionsResponse: {
+            /** @description The list of sessions */
+            sessions: components["schemas"]["SessionInfo"][];
+        };
+        /**
+         * @example {
+         *   "message_base64": "AQABA8OKVzLEjststN4xXr39kLKHT8d58eQY1QEs6MeXwEFBrxTAlULX1troLbWxuAXQqgbQofGi6z8fJi7KAAIf7YMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJK0tn39k28s+X86W47EvbRRKnYBVQ8Q/l2m1EbfT7+vAQICAAEMAgAAAGQAAAAAAAAA"
+         * }
+         */
+        SolanaSignRequest: {
+            /** @description Solana base64-encoded serialized Message */
+            message_base64: string;
+        };
+        SolanaSignResponse: {
+            /** @description The hex-encoded signature. */
+            signature: string;
         };
-        SolanaSignRequest: components["schemas"]["SignRequest"] & Record<string, never>;
         StakeRequest: {
             /**
              * Format: int64
@@ -2060,6 +2460,14 @@ export interface components {
              */
             withdrawal_addr: string;
         };
+        StakeResponse: {
+            /**
+             * @description The validator key id ("Key#...")
+             * @example Key#db1731f8-3659-45c0-885b-e11e1f5b7be2
+             */
+            created_validator_key_id: string;
+            deposit_tx: components["schemas"]["DepositTxn"];
+        };
         Status: {
             /** @description Users who are allowed to approve. Must be non-empty. */
             allowed_approvers: string[];
@@ -2099,6 +2507,23 @@ export interface components {
             /** @description The ID of the challenge that was returned from the POST endpoint */
             totp_id: string;
         };
+        TotpInfo: {
+            /**
+             * @description The ID of the TOTP challenge.
+             * @example TotpChallenge#7892ebba-563e-485b-bb7d-e26267363286
+             */
+            totp_id: string;
+            /**
+             * @description Standard TOTP url which includes everything needed to initialize TOTP.
+             * @example otpauth://totp/Cubist:alice-%40example.com?secret=DAHF7KCOTQWSOMK4XFEMNHXO4J433OD7&issuer=Cubist
+             */
+            totp_url: string;
+        };
+        /** @description Request to reset TOTP. */
+        TotpResetRequest: {
+            /** @description The name of the issuer; defaults to "Cubist". */
+            issuer?: string | null;
+        };
         /** @description Options that should be set only for local devnet testing. */
         UnsafeConf: {
             /**
@@ -2145,6 +2570,22 @@ export interface components {
              */
             validator_index: string;
         };
+        /**
+         * @description Unstake responses are signed voluntary exit messages.
+         * The schema for this message is defined
+         * [here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).
+         * This message can be directly POSTed to the Beacon node's
+         * `/eth/v1/beacon/pool/voluntary_exits` end-point (see expected schema
+         * [here](https://ethereum.github.io/beacon-APIs/#/Beacon/submitPoolVoluntaryExit)).
+         */
+        UnstakeResponse: {
+            message: components["schemas"]["VoluntaryExit"];
+            /**
+             * @description BLS signature.
+             * @example 0x910c7cd537ed91cc8c4a82f3cbd832e9be8c24a22e9c86df479f7ce42025ea6a09619b418b666a060e260d2aae31b8e50e9d05ca3442c7eed3b507e5207e14674275f68c2ba84c4bf6b8dd364a304acac8cfab3681e2514b4400f9242bc61164
+             */
+            signature: string;
+        };
         UpdateKeyRequest: {
             /**
              * @description If set, updates the keys's `enabled` property to this value.
@@ -2197,14 +2638,174 @@ export interface components {
              *   }
              * ]
              */
-            policy?: Record<string, never>[] | null;
+            policy?: Record<string, never>[] | null;
+            /**
+             * Format: int64
+             * @description If set, update this org's user-export delay, i.e., the amount of time
+             * (in seconds) between a user's initiating an export and the time when
+             * export is allowed. For security, this delay cannot be set to less than
+             * 172800, i.e., 2 days.
+             */
+            user_export_delay?: number | null;
+            /**
+             * Format: int64
+             * @description If set, update this org's user-export window, i.e., the amount of time
+             * (in seconds) that export is allowed after the user-export delay. After
+             * this amount of time, the export is canceled and must be re-initiated.
+             * For security, this window cannot be set to greater than 259200, i.e.,
+             * 3 days.
+             */
+            user_export_window?: number | null;
+        };
+        UpdateOrgResponse: {
+            /** @description The new value of the 'enabled' property */
+            enabled?: boolean | null;
+            /**
+             * @description The new human-readable name for the org (must be alphanumeric)
+             * @example my_org_name
+             */
+            name?: string | null;
+            /**
+             * @description The ID of the organization
+             * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+             */
+            org_id: string;
+            /**
+             * @description The new value of org-wide policies
+             * @example [
+             *   {
+             *     "MaxDailyUnstake": 5
+             *   },
+             *   {
+             *     "OriginAllowlist": [
+             *       "https://example.com"
+             *     ]
+             *   }
+             * ]
+             */
+            policy?: Record<string, never>[] | null;
+            /**
+             * Format: int64
+             * @description The new value of user-export delay
+             */
+            user_export_delay?: number | null;
+            /**
+             * Format: int64
+             * @description The new value of user-export window
+             */
+            user_export_window?: number | null;
+        };
+        UpdateRoleRequest: {
+            /**
+             * @description If set, updates the role's `enabled` property to this value.
+             * Once disabled, a role cannot be used; and it's tokens cannot be used for signing.
+             */
+            enabled?: boolean | null;
+            /**
+             * @description If set, update this role's key policies (old policies will be overwritten!).
+             * Only "deny" style policies may be set.
+             * @example [
+             *   {
+             *     "SourceIpAllowlist": [
+             *       "123.456.78.9/16"
+             *     ]
+             *   }
+             * ]
+             */
+            policy?: Record<string, never>[] | null;
+        };
+        /** @description A request to complete a user export */
+        UserExportCompleteRequest: {
+            /**
+             * @description The id of the key to be exported. The key-id must correspond to the one in
+             * the specified export request, and the caller must own this key.
+             * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+             */
+            key_id: string;
+            /**
+             * @description The NIST P-256 public key (base64-encoded SEC1 with or without compression)
+             * to which the export will be encrypted. If a public key was provided when
+             * `user_export_init` was called, this key must match that one.
+             * @example AkpLT/3dXApJzXSduaPQ7apyT0ADBwqkt1es/aT0iWWf
+             */
+            public_key: string;
+        };
+        /** @description An encrypted user-export */
+        UserExportCompleteResponse: {
+            /**
+             * @description The exported key material, encrypted with AES-256-GCM under a key
+             * derived from the public key supplied in the request via HPKE (RFC9180)
+             * with DHKEM(P-256, HKDF-SHA256) and base64 encoded.
+             */
+            encrypted_key_material: string;
+            /**
+             * @description The ephemeral public key used for HPKE key derivation as base64-encoded
+             * uncompressed SEC1 serialization.
+             */
+            ephemeral_public_key: string;
+            /** @description The user-id to which this key belongs. */
+            user_id: string;
         };
-        UpdateRoleRequest: {
+        /** @description A request to initiate a user export */
+        UserExportInitRequest: {
             /**
-             * @description If set, updates the role's `enabled` property to this value.
-             * Once disabled, a role cannot be used; and it's tokens cannot be used for signing.
+             * @description The id of the key to be exported. This key must be owned by the caller.
+             * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
              */
-            enabled?: boolean | null;
+            key_id: string;
+            /**
+             * @description An optional NIST P-256 public key (base64-encoded SEC1 with or without
+             * compression) to which the export will be encrypted. If provided, this
+             * public key MUST be the one used to encrypt the export once the delay has
+             * expired. Otherwise, the user can provide any public key when completing
+             * the export request post delay.
+             *
+             * This option may provide extra security when the user has a secure hardware
+             * device (e.g., a phone's secure element or a YubiKey) in which a NIST P-256
+             * secret key can be generated. Providing the corresponding public key here
+             * ensures that only that specific device will be capable of decrypting
+             * the export ciphertext.
+             *
+             * If no secure hardware device is available to store the secret key, this
+             * option SHOULD NOT be used because of the risk of secret key theft during
+             * the export delay period.
+             * @example AkpLT/3dXApJzXSduaPQ7apyT0ADBwqkt1es/aT0iWWf
+             */
+            public_key?: string | null;
+        };
+        /** @description The response to a successful user-export init request */
+        UserExportInitResponse: components["schemas"]["UserExportRequest"] & {
+            /**
+             * @description The key-id being requested.
+             * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+             */
+            key_id: string;
+        };
+        /** @description Pending user-export request as stored in the database. */
+        UserExportRequest: {
+            exp_epoch: components["schemas"]["EpochDateTime"];
+            /**
+             * @description The org-id in which the key is housed.
+             * @example Org#f361ed6b-5d19-4ccf-a4d5-eba935dc0b90
+             */
+            org_id: string;
+            /**
+             * @description The SHA-256 hash of the public key provided at export initiation,
+             * if any. If a key was provided, only that key can be used to complete
+             * the export procedure. Otherwise, any key can be used.
+             *
+             * IMPORTANT: if a public key is supplied at export initiation, it is
+             * STRONGLY RECOMMENDED that the corresponding secret key be stored in
+             * a secure hardware device, e.g., a YubiKey or a phone's secure element.
+             * If no such hardware is available, supplying a public key at export
+             * initiation is STRONGLY DISCOURAGED because of the risk of theft during
+             * the export delay period.
+             *
+             * (See also the comment in the `public_key` field of `UserInitRequest`.)
+             * @example df457a98d5538540f54d1316b597a0f39b8d96f488f10a2e31a955c146fdf1d3
+             */
+            public_key_hash?: string | null;
+            valid_epoch: components["schemas"]["EpochDateTime"];
         };
         UserIdInfo: {
             /**
@@ -2613,6 +3214,22 @@ export interface components {
                      * ]
                      */
                     policy?: Record<string, never>[];
+                    /**
+                     * Format: int64
+                     * @description The organization's currently configured user-export delay, i.e., the minimum
+                     * amount of time (in seconds) between when a user-export is initiated and when
+                     * it may be completed. (This value is meaningless for organizations that use
+                     * org-wide export.)
+                     */
+                    user_export_delay: number;
+                    /**
+                     * Format: int64
+                     * @description The organization's currently configured user-export window, i.e., the amount
+                     * of time (in seconds) between when the user-export delay is completed and when
+                     * the user export request has expired and can no longer be completed. (This value
+                     * is meaningless for organizations that use org-wide export.)
+                     */
+                    user_export_window: number;
                 };
             };
         };
@@ -2690,6 +3307,20 @@ export interface components {
                 });
             };
         };
+        PaginatedUserExportListResponse: {
+            content: {
+                "application/json": {
+                    export_requests: components["schemas"]["UserExportInitResponse"][];
+                } & ({
+                    /**
+                     * @description If set, the content of `response` does not contain the entire result set.
+                     * To fetch the next page of the result set, call the same endpoint
+                     * but specify this value as the 'page.start' query parameter.
+                     */
+                    last_evaluated_key?: string | null;
+                });
+            };
+        };
         RevokeTokenResponse: {
             content: {
                 "application/json": {
@@ -2720,6 +3351,22 @@ export interface components {
                      * @example my_role
                      */
                     name?: string | null;
+                    /**
+                     * @description Policy that is checked whenever a key is accessed for signing via this role.
+                     * @example [
+                     *   {
+                     *     "SourceIpAllowlist": [
+                     *       "123.456.78.9/16"
+                     *     ]
+                     *   },
+                     *   {
+                     *     "RequireMfa": {
+                     *       "count": 1
+                     *     }
+                     *   }
+                     * ]
+                     */
+                    policy?: Record<string, never>[];
                     /**
                      * @description The ID of the role
                      * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
@@ -2850,6 +3497,48 @@ export interface components {
                      * ]
                      */
                     policy?: Record<string, never>[] | null;
+                    /**
+                     * Format: int64
+                     * @description The new value of user-export delay
+                     */
+                    user_export_delay?: number | null;
+                    /**
+                     * Format: int64
+                     * @description The new value of user-export window
+                     */
+                    user_export_window?: number | null;
+                };
+            };
+        };
+        /** @description An encrypted user-export */
+        UserExportCompleteResponse: {
+            content: {
+                "application/json": {
+                    /**
+                     * @description The exported key material, encrypted with AES-256-GCM under a key
+                     * derived from the public key supplied in the request via HPKE (RFC9180)
+                     * with DHKEM(P-256, HKDF-SHA256) and base64 encoded.
+                     */
+                    encrypted_key_material: string;
+                    /**
+                     * @description The ephemeral public key used for HPKE key derivation as base64-encoded
+                     * uncompressed SEC1 serialization.
+                     */
+                    ephemeral_public_key: string;
+                    /** @description The user-id to which this key belongs. */
+                    user_id: string;
+                };
+            };
+        };
+        /** @description The response to a successful user-export init request */
+        UserExportInitResponse: {
+            content: {
+                "application/json": components["schemas"]["UserExportRequest"] & {
+                    /**
+                     * @description The key-id being requested.
+                     * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+                     */
+                    key_id: string;
                 };
             };
         };
@@ -2888,7 +3577,6 @@ export type external = Record<string, never>;
 export interface operations {
     /**
      * User Info
-     * @deprecated
      * @description User Info
      *
      * Retrieves information about the current user.
@@ -3847,7 +4535,7 @@ export interface operations {
             };
         };
         responses: {
-            200: components["responses"]["EmptyImpl"];
+            200: components["responses"]["RoleInfo"];
             default: {
                 content: {
                     "application/json": components["schemas"]["ErrorResponse"];
@@ -4218,6 +4906,36 @@ export interface operations {
             };
         };
     };
+    /**
+     * Create new user session (management and/or signing)
+     * @description Create new user session (management and/or signing)
+     *
+     * Create a new user session
+     */
+    createSession: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["CreateSessionRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["NewSessionResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Revoke existing session(s)
      * @description Revoke existing session(s)
@@ -4251,6 +4969,31 @@ export interface operations {
             };
         };
     };
+    /**
+     * Revoke current session
+     * @description Revoke current session
+     *
+     * Immediately revokes the current session, preventing it from being used or refreshed
+     */
+    revokeCurrentSession: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Get session information
      * @description Get session information
@@ -4400,6 +5143,171 @@ export interface operations {
             };
         };
     };
+    /**
+     * List outstanding user-export requests
+     * @description List outstanding user-export requests
+     */
+    userExportList: {
+        parameters: {
+            query?: {
+                /**
+                 * @description Max number of items to return per page.
+                 *
+                 * If the actual number of returned items may be less that this, even if there exist more
+                 * data in the result set. To reliably determine if more data is left in the result set,
+                 * inspect the [UnencryptedLastEvalKey] value in the response object.
+                 */
+                "page.size"?: number;
+                /**
+                 * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+                 * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+                 */
+                "page.start"?: components["schemas"]["LastEvalKey"] | null;
+                /**
+                 * @description If provided, the user-id whose user-export requests to list. Defaults to the
+                 * current user.  Only the org owner may list requests for another user.
+                 * @example User#806c9544-f1fa-4bad-8d4d-1097a1844726
+                 */
+                user_id?: string | null;
+                /**
+                 * @description If provided, the key-id for which to list an existing user-export request.
+                 * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+                 */
+                key_id?: string | null;
+            };
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["PaginatedUserExportListResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Initiate a user-export request
+     * @description Initiate a user-export request
+     *
+     * This starts a delay (whose length is determined by Org-wide settings)
+     * before export can be completed, and returns a ticket that can be used
+     * to complete the export once the timer has expired.
+     *
+     * Only one user-export request can be active for a given key. If there
+     * is already an active export, this endpoint will return an error. To
+     * create a new request, first delete the existing one.
+     */
+    userExportInit: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["UserExportInitRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["UserExportInitResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Delete an existing user-export request
+     * @description Delete an existing user-export request
+     */
+    userExportDelete: {
+        parameters: {
+            query: {
+                /**
+                 * @description The key-id whose export request should be deleted
+                 * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+                 */
+                key_id: string;
+                /**
+                 * @description The user-id who owns this request. If omitted, defaults to the current user.
+                 * Only the org owner may delete user-export requests for another user.
+                 * @example User#806c9544-f1fa-4bad-8d4d-1097a1844726
+                 */
+                user_id?: string | null;
+            };
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["EmptyImpl"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
+    /**
+     * Complete a user-export request
+     * @description Complete a user-export request
+     *
+     * This endpoint can be called only after initiating a user-export request via
+     * the `user_export_init` API, and only within the subsequent export window
+     * (i.e., after the export delay has passed and before the request has expired).
+     *
+     * To check on the status of an export request, see the `user_export_list` API.
+     */
+    userExportComplete: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["UserExportCompleteRequest"];
+            };
+        };
+        responses: {
+            200: components["responses"]["UserExportCompleteResponse"];
+            202: {
+                content: {
+                    "application/json": components["schemas"]["AcceptedResponse"];
+                };
+            };
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Initiate registration of a FIDO key
      * @description Initiate registration of a FIDO key
@@ -4487,9 +5395,9 @@ export interface operations {
                 org_id: string;
             };
         };
-        requestBody: {
+        requestBody?: {
             content: {
-                "application/json": components["schemas"]["Empty"];
+                "application/json": components["schemas"]["TotpResetRequest"] | null;
             };
         };
         responses: {
@@ -4710,9 +5618,9 @@ export interface operations {
      * otherwise, MFA is required.
      */
     resetTotpInitLegacy: {
-        requestBody: {
+        requestBody?: {
             content: {
-                "application/json": components["schemas"]["Empty"];
+                "application/json": components["schemas"]["TotpResetRequest"] | null;
             };
         };
         responses: {