@cubist-labs/cubesigner-sdk 0.1.77 → 0.2.15

package/src/schema.ts

@@ -8,7 +8,6 @@ export interface paths {
   "/v0/about_me": {
     /**
      * User Info
-     * @deprecated
      * @description User Info
      *
      * Retrieves information about the current user.
@@ -386,6 +385,13 @@ export interface paths {
      * If no query parameters are provided, information for the current session is returned
      */
     get: operations["listSessions"];
+    /**
+     * Create new user session (management and/or signing)
+     * @description Create new user session (management and/or signing)
+     *
+     * Create a new user session
+     */
+    post: operations["createSession"];
     /**
      * Revoke existing session(s)
      * @description Revoke existing session(s)
@@ -395,6 +401,15 @@ export interface paths {
      */
     delete: operations["revokeSessions"];
   };
+  "/v0/org/{org_id}/session/self": {
+    /**
+     * Revoke current session
+     * @description Revoke current session
+     *
+     * Immediately revokes the current session, preventing it from being used or refreshed
+     */
+    delete: operations["revokeCurrentSession"];
+  };
   "/v0/org/{org_id}/session/{session_id}": {
     /**
      * Get session information
@@ -437,6 +452,42 @@ export interface paths {
      */
     get: operations["aboutMe"];
   };
+  "/v0/org/{org_id}/user/me/export": {
+    /**
+     * List outstanding user-export requests
+     * @description List outstanding user-export requests
+     */
+    get: operations["userExportList"];
+    /**
+     * Initiate a user-export request
+     * @description Initiate a user-export request
+     *
+     * This starts a delay (whose length is determined by Org-wide settings)
+     * before export can be completed, and returns a ticket that can be used
+     * to complete the export once the timer has expired.
+     *
+     * Only one user-export request can be active for a given key. If there
+     * is already an active export, this endpoint will return an error. To
+     * create a new request, first delete the existing one.
+     */
+    post: operations["userExportInit"];
+    /**
+     * Delete an existing user-export request
+     * @description Delete an existing user-export request
+     */
+    delete: operations["userExportDelete"];
+    /**
+     * Complete a user-export request
+     * @description Complete a user-export request
+     *
+     * This endpoint can be called only after initiating a user-export request via
+     * the `user_export_init` API, and only within the subsequent export window
+     * (i.e., after the export delay has passed and before the request has expired).
+     *
+     * To check on the status of an export request, see the `user_export_list` API.
+     */
+    patch: operations["userExportComplete"];
+  };
   "/v0/org/{org_id}/user/me/fido": {
     /**
      * Initiate registration of a FIDO key
@@ -711,6 +762,10 @@ export interface components {
       mfa_policy?: Record<string, unknown> | null;
       role: components["schemas"]["MemberRole"];
     };
+    AddThirdPartyUserResponse: {
+      /** @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f */
+      user_id: string;
+    };
     ApprovalInfo: {
       timestamp: components["schemas"]["EpochDateTime"];
     };
@@ -860,6 +915,10 @@ export interface components {
        */
       tx: Record<string, never>;
     };
+    AvaSignResponse: {
+      /** @description The hex-encoded signature. */
+      signature: string;
+    };
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
     /**
@@ -876,6 +935,10 @@ export interface components {
        */
       message_base64: string;
     };
+    BlobSignResponse: {
+      /** @description The hex-encoded signature. */
+      signature: string;
+    };
     /** @enum {string} */
     BtcSighashType: "All" | "None" | "Single" | "AllPlusAnyoneCanPay" | "NonePlusAnyoneCanPay" | "SinglePlusAnyoneCanPay";
     BtcSignRequest: {
@@ -883,6 +946,13 @@ export interface components {
       /** @description The bitcoin transaction to sign */
       tx: Record<string, never>;
     };
+    BtcSignResponse: {
+      /**
+       * @description The hex-encoded signature in compact format.
+       * @example 0x454aef27c21df7dd8f537dc869f4cd65286ce239a52d36470f4d85be85a891b02789e5ffd8560b32a98110e5d0096802e4c14145cf6c44f10a768c87755eaa4800
+       */
+      signature: string;
+    };
     BtcSignatureKind: {
       /** @description Segregated Witness */
       Segwit: {
@@ -936,6 +1006,18 @@ export interface components {
       /** @enum {string} */
       type: "fido";
     };
+    CreateKeyImportKeyResponse: components["schemas"]["KeyImportKey"] & {
+      /**
+       * @description An attestation document from a secure enclave, including an
+       * RSA signing key used to sign the contents of this message.
+       */
+      enclave_attestation: string;
+      /**
+       * @description An RSA-PSS-SHA256 signature on the public key and encrypted
+       * secrets attesting to their generation inside a secure enclave.
+       */
+      enclave_signature: string;
+    };
     CreateKeyRequest: {
       /**
        * Format: int64
@@ -956,6 +1038,10 @@ export interface components {
        */
       owner?: string | null;
     };
+    CreateKeyResponse: {
+      /** @description The info about the created keys */
+      keys: components["schemas"]["KeyInfo"][];
+    };
     /** @description Optional create role request body */
     CreateRoleRequest: {
       /**
@@ -964,6 +1050,33 @@ export interface components {
        */
       name: string;
     };
+    /** @description The newly created role information */
+    CreateRoleResponse: {
+      /**
+       * @description A human-readable name for the role.
+       * @example my_role
+       */
+      name?: string | null;
+      /**
+       * @description The id of the newly created role
+       * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
+       */
+      role_id: string;
+    };
+    CreateSessionRequest: components["schemas"]["RatchetConfig"] & {
+      /**
+       * @description A human readable description of the session's purpose
+       * @example Manage keys on server foo.bar
+       */
+      purpose: string;
+      /**
+       * @description Controls what capabilities this session will have.
+       * @example [
+       *   "manage:key:*"
+       * ]
+       */
+      scopes: string[];
+    };
     CreateTokenRequest: components["schemas"]["RatchetConfig"] & ({
       /**
        * @description A human readable description of the purpose of the key
@@ -1126,8 +1239,20 @@ export interface components {
       /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
       typed_data: Record<string, never>;
     };
+    Eip712SignResponse: {
+      /**
+       * @description Hex-encoded signature comprising 65 bytes in the format required
+       * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
+       * which is either 27 or 28.
+       * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
+       */
+      signature: string;
+    };
     /** @default null */
     Empty: Record<string, unknown> | null;
+    EmptyImpl: {
+      status: string;
+    };
     /**
      * @description Epoch is a quoted `uint64`.
      * @example 256
@@ -1177,6 +1302,13 @@ export interface components {
        */
       tx: Record<string, never>;
     };
+    Eth1SignResponse: {
+      /**
+       * @description Hex-encoded RLP encoding of the transaction and its signature
+       * @example 0x22895118000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000001201d58656b0e22aaa68fdc692db41979098c3886ed33015d7467de9211609cdac000000000000000000000000000000000000000000000000000000000000000308b0c2900324d3ff9adfba7fdfe5af3f9b2cdbeef7b280437bbf1b1c59a093d615afe3e5dfed9622b540cdd9b49b3c5ad00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002001000000000000000000000049011adbcc3bc9c0307bb07f37dda1a1a9c69d2e0000000000000000000000000000000000000000000000000000000000000060903db8525674b8e7904f9b7d7d9ec55a0a42d33cf58be25469b0c21bbb6d06172bc5bb5fd1aed8e4f35936968958116b0619553c2cb1c52e7323074c6f8eb3d5a7074fc6580148df907837fa3b164ad7fbc2288dad1e8a5b021095b57c8a36d4
+       */
+      rlp_signed_tx: string;
+    };
     /**
      * @example {
      *   "eth2_sign_request": {
@@ -1206,18 +1338,39 @@ export interface components {
       eth2_sign_request: Record<string, never>;
       network: components["schemas"]["Network"];
     };
+    Eth2SignResponse: {
+      /**
+       * @description Hex encoded signature prefixed with 0x e.g. "0x0000..."
+       * @example 0xb4f2ef9d12a54e1f569596c07c97d6d730535b6ffc0d287761dc78103a86326782471a04c75ce7a6faea08ca9a4a0830031cdcb893da8711d54aa22619f1a7e71b8185ddf4c6bfd9babbd735960e35e56bd6eeb89625b04850e7a9ef8846e549
+       */
+      signature: string;
+    };
     /** @description Sent from the client to the server to answer a fido challenge */
     FidoAssertAnswer: {
       /** @description The ID of the challenge that was returned from the POST endpoint */
       challenge_id: string;
       credential: components["schemas"]["PublicKeyCredential"];
     };
+    FidoAssertChallenge: {
+      /** @description The id of the challenge. Must be supplied when answering the challenge. */
+      challenge_id: string;
+      options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+    };
     /** @description Sent from the client to the server to answer a fido challenge */
     FidoCreateChallengeAnswer: {
       /** @description The ID of the challenge that was returned from the POST endpoint */
       challenge_id: string;
       credential: components["schemas"]["PublicKeyCredential"];
     };
+    /**
+     * @description Sent by the server to the client. Contains the challenge data that must be
+     * used to generate a new credential
+     */
+    FidoCreateChallengeResponse: {
+      /** @description The id of the challenge. Must be supplied when answering the challenge. */
+      challenge_id: string;
+      options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+    };
     /** @description Declares intent to register a new FIDO key */
     FidoCreateRequest: {
       /**
@@ -1275,6 +1428,10 @@ export interface components {
     GetKeysInOrgRequest: {
       key_type?: components["schemas"]["KeyType"] | null;
     };
+    GetUsersInOrgResponse: {
+      /** @description The list of users in the org */
+      users: components["schemas"]["UserIdInfo"][];
+    };
     /** @description Stats pertaining the the sender `cube3signer` instance */
     HeartbeatRequest: {
       /**
@@ -1407,6 +1564,101 @@ export interface components {
        */
       skip_email: boolean;
     };
+    /**
+     * @description Key material contained inside a [`JsonKeyPackage`], which can be either
+     * a raw secret or a mnemonic, password, and derivation path.
+     */
+    JsonKeyMaterial: {
+      /** @enum {string} */
+      material_type: "raw_secret";
+      /** @description The value of the raw secret */
+      secret: string;
+    } | {
+      /** @description The derivation path */
+      derivation_path: string;
+      /** @enum {string} */
+      material_type: "english_mnemonic";
+      /** @description The mnemonic */
+      mnemonic: string;
+      /** @description The password (which may be empty) */
+      password: string;
+    };
+    /**
+     * @description A [`KeyPackage`] serialized into a format that gives a tidier JSON
+     * representation suitable for encryption in the user-export flow.
+     *
+     * We construct values of this type rather than constructing `serde_json::Value`s
+     * directly with `json!()` because this allows us to zeroize values on drop, which
+     * doesn't work with `serde_json::Value`.
+     *
+     * Examples of serialized material:
+     *
+     * - `JsonKeyMaterial::EnglishMnemonic`:
+     *
+     * ```
+     * use cubist_signer_utils::{
+     * DerivationPath, KeyPackage, Mnemonic, MnemonicPackage, Secp256k1Pkg,
+     * };
+     * use serde_json::json;
+     *
+     * const MNEMONIC: &str = "deposit fiscal brain swarm surround cousin horn glare fix love render believe guide shuffle stem cram broccoli resemble beach artefact language gift jar permit";
+     * const DER_PATH: &str = "m/44'/60'/0'/0/0";
+     * const KEY_TYPE: &str = "ecdsa:secp256k1";
+     *
+     * let mne = Mnemonic::try_from(MNEMONIC).expect("good mnemonic");
+     * let derp = DerivationPath::try_from(DER_PATH).expect("good der path");
+     * let mne_pkg = MnemonicPackage::new(mne, "", derp);
+     * let key_pkg = KeyPackage::<Secp256k1Pkg>::EnglishMnemonic(mne_pkg);
+     * let json_pkg = key_pkg.into_json(KEY_TYPE);
+     *
+     * let json_expect = json!({
+     * "key_type": KEY_TYPE,
+     * "material_type": "english_mnemonic",
+     * "mnemonic": MNEMONIC,
+     * "password": "",
+     * "derivation_path": DER_PATH,
+     * });
+     *
+     * assert_eq!(
+     * serde_json::to_value(&json_pkg).expect("json serialization"),
+     * json_expect,
+     * );
+     * ```
+     *
+     * - `JsonKeyMaterial::RawSecret`:
+     *
+     * ```
+     * use cubist_signer_utils::{
+     * get_random_byte_array, hex_encode, KeyPackage, RngCore, Secp256k1Pkg,
+     * };
+     * use serde_json::json;
+     *
+     * const KEY_TYPE: &str = "ecdsa:secp256k1";
+     *
+     * // random 32-byte secret
+     * let sk: [u8; 32] = *get_random_byte_array();
+     *
+     * let key_pkg = KeyPackage::<Secp256k1Pkg>::Secret(sk);
+     * let json_pkg = key_pkg.into_json(KEY_TYPE);
+     *
+     * let json_expect = json!({
+     * "key_type": KEY_TYPE,
+     * "material_type": "raw_secret",
+     * "secret": hex_encode(&sk),
+     * });
+     *
+     * assert_eq!(
+     * serde_json::to_value(&json_pkg).expect("json serialization"),
+     * json_expect,
+     * );
+     * ```
+     */
+    JsonKeyPackage: {
+      material_type: "JsonKeyPackage";
+    } & Omit<components["schemas"]["JsonKeyMaterial"], "material_type"> & {
+      /** @description The type of key this package represents */
+      key_type: string;
+    };
     /** @description Derivation-related metadata for keys derived from a long-lived mnemonic */
     KeyDerivationInfo: {
       /** @description The derivation path used to derive this key */
@@ -1500,6 +1752,9 @@ export interface components {
        */
       purpose: string;
     };
+    KeyInfos: {
+      keys: components["schemas"]["KeyInfo"][];
+    };
     /** @enum {string} */
     KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark";
     /**
@@ -1509,6 +1764,13 @@ export interface components {
      * so that they can pass this back to us as a url query parameter.
      */
     LastEvalKey: string;
+    ListMfaResponse: {
+      /** @description All pending MFA requests */
+      mfa_requests: components["schemas"]["MfaRequestInfo"][];
+    };
+    ListTokensResponse: {
+      tokens: components["schemas"]["TokenInfo"][];
+    };
     /**
      * @description Describes whether a user in an org is an Owner or just a regular member
      * @enum {string}
@@ -1550,11 +1812,6 @@ export interface components {
      * a single OIDC user to multiple `User`s in CubeSigner
      */
     OIDCIdentity: {
-      /**
-       * @description Free-form additional user info.
-       * @example null
-       */
-      disambiguator?: string | null;
       /**
        * @description The root-level issuer who administrates this user. Frome the OIDC spec:
        * Issuer Identifier for the Issuer of the response. The iss
@@ -1577,6 +1834,8 @@ export interface components {
       sub: string;
     };
     OidcLoginRequest: {
+      /** @description A human readable description of the purpose of the session */
+      purpose?: string | null;
       /**
        * @description Controls what capabilities this session will have.
        * @example [
@@ -1626,6 +1885,22 @@ export interface components {
        * ]
        */
       policy?: Record<string, never>[];
+      /**
+       * Format: int64
+       * @description The organization's currently configured user-export delay, i.e., the minimum
+       * amount of time (in seconds) between when a user-export is initiated and when
+       * it may be completed. (This value is meaningless for organizations that use
+       * org-wide export.)
+       */
+      user_export_delay: number;
+      /**
+       * Format: int64
+       * @description The organization's currently configured user-export window, i.e., the amount
+       * of time (in seconds) between when the user-export delay is completed and when
+       * the user export request has expired and can no longer be completed. (This value
+       * is meaningless for organizations that use org-wide export.)
+       */
+      user_export_window: number;
     };
     /**
      * @description The rocket query parameter representing the page from which to start a paginated query.
@@ -1648,6 +1923,94 @@ export interface components {
        */
       "page.start"?: string | null;
     };
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListKeysResponse: {
+      keys: components["schemas"]["KeyInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListRoleKeysResponse: {
+      /** @description All keys in a role */
+      keys: components["schemas"]["KeyInRoleInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListRoleUsersResponse: {
+      /** @description All users in a role */
+      users: components["schemas"]["UserInRoleInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListRolesResponse: {
+      /** @description All roles in an organization. */
+      roles: components["schemas"]["RoleInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedSessionsResponse: {
+      /** @description The list of sessions */
+      sessions: components["schemas"]["SessionInfo"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedUserExportListResponse: {
+      export_requests: components["schemas"]["UserExportInitResponse"][];
+    } & ({
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    });
     /**
      * @description This type represents a wire-encodable form of the PublicKeyCredential interface
      * Clients may need to manually encode into this format to communicate with the server
@@ -1692,7 +2055,7 @@ export interface components {
      */
     PublicKeyCredentialCreationOptions: {
       attestation?: components["schemas"]["AttestationConveyancePreference"];
-      authenticator_selection?: components["schemas"]["AuthenticatorSelectionCriteria"] | null;
+      authenticatorSelection?: components["schemas"]["AuthenticatorSelectionCriteria"] | null;
       /**
        * @description This member contains a challenge intended to be used for generating the
        * newly created credential’s attestation object. See the § 13.4.3
@@ -1710,7 +2073,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-excludecredentials
        */
-      exclude_credentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
+      excludeCredentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
       /**
        * @description This member contains additional parameters requesting additional
        * processing by the client and authenticator. For example, the caller may
@@ -1732,7 +2095,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-pubkeycredparams
        */
-      pub_key_cred_params: components["schemas"]["PublicKeyCredentialParameters"][];
+      pubKeyCredParams: components["schemas"]["PublicKeyCredentialParameters"][];
       rp: components["schemas"]["PublicKeyCredentialRpEntity"];
       /**
        * Format: int32
@@ -1743,7 +2106,7 @@ export interface components {
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-timeout
        */
       timeout?: number | null;
-      user?: components["schemas"]["PublicKeyCredentialUserEntity"] | null;
+      user: components["schemas"]["PublicKeyCredentialUserEntity"];
     };
     /**
      * @description This dictionary contains the attributes that are specified by a caller when
@@ -1808,7 +2171,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-allowcredentials
        */
-      allow_credentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
+      allowCredentials?: components["schemas"]["PublicKeyCredentialDescriptor"][];
       /**
        * @description This member represents a challenge that the selected authenticator
        * signs, along with other data, when producing an authentication
@@ -1825,7 +2188,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-rpid
        */
-      rp_id?: string | null;
+      rpId?: string | null;
       /**
        * Format: int32
        * @description This OPTIONAL member specifies a time, in milliseconds, that the caller
@@ -1835,7 +2198,7 @@ export interface components {
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-timeout
        */
       timeout?: number | null;
-      user_verification?: components["schemas"]["UserVerificationRequirement"];
+      userVerification?: components["schemas"]["UserVerificationRequirement"];
     };
     /**
      * @description The PublicKeyCredentialRpEntity dictionary is used to supply additional
@@ -1849,7 +2212,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrpentity-id
        */
-      id: string;
+      id?: string | null;
       /**
        * @description A human-palatable name for the entity. Its function depends on what the
        * PublicKeyCredentialEntity represents: When inherited by
@@ -1993,6 +2356,13 @@ export interface components {
      * @enum {string}
      */
     ResidentKeyRequirement: "discouraged" | "preferred" | "required";
+    RevokeTokenResponse: {
+      token?: components["schemas"]["TokenInfo"] | null;
+    };
+    RevokeTokensResponse: {
+      /** @description Tokens that were revoked. */
+      revoked: components["schemas"]["TokenInfo"][];
+    };
     RoleInfo: {
       /**
        * @description Whether the role is enabled
@@ -2006,6 +2376,22 @@ export interface components {
        * @example my_role
        */
       name?: string | null;
+      /**
+       * @description Policy that is checked whenever a key is accessed for signing via this role.
+       * @example [
+       *   {
+       *     "SourceIpAllowlist": [
+       *       "123.456.78.9/16"
+       *     ]
+       *   },
+       *   {
+       *     "RequireMfa": {
+       *       "count": 1
+       *     }
+       *   }
+       * ]
+       */
+      policy?: Record<string, never>[];
       /**
        * @description The ID of the role
        * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
@@ -2032,10 +2418,24 @@ export interface components {
        */
       session_id: string;
     };
-    SignRequest: {
-      message: Record<string, never>;
+    /** @description The response from any operation operating on multiple sessions */
+    SessionsResponse: {
+      /** @description The list of sessions */
+      sessions: components["schemas"]["SessionInfo"][];
+    };
+    /**
+     * @example {
+     *   "message_base64": "AQABA8OKVzLEjststN4xXr39kLKHT8d58eQY1QEs6MeXwEFBrxTAlULX1troLbWxuAXQqgbQofGi6z8fJi7KAAIf7YMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJK0tn39k28s+X86W47EvbRRKnYBVQ8Q/l2m1EbfT7+vAQICAAEMAgAAAGQAAAAAAAAA"
+     * }
+     */
+    SolanaSignRequest: {
+      /** @description Solana base64-encoded serialized Message */
+      message_base64: string;
+    };
+    SolanaSignResponse: {
+      /** @description The hex-encoded signature. */
+      signature: string;
     };
-    SolanaSignRequest: components["schemas"]["SignRequest"] & Record<string, never>;
     StakeRequest: {
       /**
        * Format: int64
@@ -2064,6 +2464,14 @@ export interface components {
        */
       withdrawal_addr: string;
     };
+    StakeResponse: {
+      /**
+       * @description The validator key id ("Key#...")
+       * @example Key#db1731f8-3659-45c0-885b-e11e1f5b7be2
+       */
+      created_validator_key_id: string;
+      deposit_tx: components["schemas"]["DepositTxn"];
+    };
     Status: {
       /** @description Users who are allowed to approve. Must be non-empty. */
       allowed_approvers: string[];
@@ -2103,6 +2511,23 @@ export interface components {
       /** @description The ID of the challenge that was returned from the POST endpoint */
       totp_id: string;
     };
+    TotpInfo: {
+      /**
+       * @description The ID of the TOTP challenge.
+       * @example TotpChallenge#7892ebba-563e-485b-bb7d-e26267363286
+       */
+      totp_id: string;
+      /**
+       * @description Standard TOTP url which includes everything needed to initialize TOTP.
+       * @example otpauth://totp/Cubist:alice-%40example.com?secret=DAHF7KCOTQWSOMK4XFEMNHXO4J433OD7&issuer=Cubist
+       */
+      totp_url: string;
+    };
+    /** @description Request to reset TOTP. */
+    TotpResetRequest: {
+      /** @description The name of the issuer; defaults to "Cubist". */
+      issuer?: string | null;
+    };
     /** @description Options that should be set only for local devnet testing. */
     UnsafeConf: {
       /**
@@ -2149,6 +2574,22 @@ export interface components {
        */
       validator_index: string;
     };
+    /**
+     * @description Unstake responses are signed voluntary exit messages.
+     * The schema for this message is defined
+     * [here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).
+     * This message can be directly POSTed to the Beacon node's
+     * `/eth/v1/beacon/pool/voluntary_exits` end-point (see expected schema
+     * [here](https://ethereum.github.io/beacon-APIs/#/Beacon/submitPoolVoluntaryExit)).
+     */
+    UnstakeResponse: {
+      message: components["schemas"]["VoluntaryExit"];
+      /**
+       * @description BLS signature.
+       * @example 0x910c7cd537ed91cc8c4a82f3cbd832e9be8c24a22e9c86df479f7ce42025ea6a09619b418b666a060e260d2aae31b8e50e9d05ca3442c7eed3b507e5207e14674275f68c2ba84c4bf6b8dd364a304acac8cfab3681e2514b4400f9242bc61164
+       */
+      signature: string;
+    };
     UpdateKeyRequest: {
       /**
        * @description If set, updates the keys's `enabled` property to this value.
@@ -2201,14 +2642,174 @@ export interface components {
        *   }
        * ]
        */
-      policy?: Record<string, never>[] | null;
+      policy?: Record<string, never>[] | null;
+      /**
+       * Format: int64
+       * @description If set, update this org's user-export delay, i.e., the amount of time
+       * (in seconds) between a user's initiating an export and the time when
+       * export is allowed. For security, this delay cannot be set to less than
+       * 172800, i.e., 2 days.
+       */
+      user_export_delay?: number | null;
+      /**
+       * Format: int64
+       * @description If set, update this org's user-export window, i.e., the amount of time
+       * (in seconds) that export is allowed after the user-export delay. After
+       * this amount of time, the export is canceled and must be re-initiated.
+       * For security, this window cannot be set to greater than 259200, i.e.,
+       * 3 days.
+       */
+      user_export_window?: number | null;
+    };
+    UpdateOrgResponse: {
+      /** @description The new value of the 'enabled' property */
+      enabled?: boolean | null;
+      /**
+       * @description The new human-readable name for the org (must be alphanumeric)
+       * @example my_org_name
+       */
+      name?: string | null;
+      /**
+       * @description The ID of the organization
+       * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+       */
+      org_id: string;
+      /**
+       * @description The new value of org-wide policies
+       * @example [
+       *   {
+       *     "MaxDailyUnstake": 5
+       *   },
+       *   {
+       *     "OriginAllowlist": [
+       *       "https://example.com"
+       *     ]
+       *   }
+       * ]
+       */
+      policy?: Record<string, never>[] | null;
+      /**
+       * Format: int64
+       * @description The new value of user-export delay
+       */
+      user_export_delay?: number | null;
+      /**
+       * Format: int64
+       * @description The new value of user-export window
+       */
+      user_export_window?: number | null;
+    };
+    UpdateRoleRequest: {
+      /**
+       * @description If set, updates the role's `enabled` property to this value.
+       * Once disabled, a role cannot be used; and it's tokens cannot be used for signing.
+       */
+      enabled?: boolean | null;
+      /**
+       * @description If set, update this role's key policies (old policies will be overwritten!).
+       * Only "deny" style policies may be set.
+       * @example [
+       *   {
+       *     "SourceIpAllowlist": [
+       *       "123.456.78.9/16"
+       *     ]
+       *   }
+       * ]
+       */
+      policy?: Record<string, never>[] | null;
+    };
+    /** @description A request to complete a user export */
+    UserExportCompleteRequest: {
+      /**
+       * @description The id of the key to be exported. The key-id must correspond to the one in
+       * the specified export request, and the caller must own this key.
+       * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+       */
+      key_id: string;
+      /**
+       * @description The NIST P-256 public key (base64-encoded SEC1 with or without compression)
+       * to which the export will be encrypted. If a public key was provided when
+       * `user_export_init` was called, this key must match that one.
+       * @example AkpLT/3dXApJzXSduaPQ7apyT0ADBwqkt1es/aT0iWWf
+       */
+      public_key: string;
+    };
+    /** @description An encrypted user-export */
+    UserExportCompleteResponse: {
+      /**
+       * @description The exported key material, encrypted with AES-256-GCM under a key
+       * derived from the public key supplied in the request via HPKE (RFC9180)
+       * with DHKEM(P-256, HKDF-SHA256) and base64 encoded.
+       */
+      encrypted_key_material: string;
+      /**
+       * @description The ephemeral public key used for HPKE key derivation as base64-encoded
+       * uncompressed SEC1 serialization.
+       */
+      ephemeral_public_key: string;
+      /** @description The user-id to which this key belongs. */
+      user_id: string;
     };
-    UpdateRoleRequest: {
+    /** @description A request to initiate a user export */
+    UserExportInitRequest: {
       /**
-       * @description If set, updates the role's `enabled` property to this value.
-       * Once disabled, a role cannot be used; and it's tokens cannot be used for signing.
+       * @description The id of the key to be exported. This key must be owned by the caller.
+       * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
        */
-      enabled?: boolean | null;
+      key_id: string;
+      /**
+       * @description An optional NIST P-256 public key (base64-encoded SEC1 with or without
+       * compression) to which the export will be encrypted. If provided, this
+       * public key MUST be the one used to encrypt the export once the delay has
+       * expired. Otherwise, the user can provide any public key when completing
+       * the export request post delay.
+       *
+       * This option may provide extra security when the user has a secure hardware
+       * device (e.g., a phone's secure element or a YubiKey) in which a NIST P-256
+       * secret key can be generated. Providing the corresponding public key here
+       * ensures that only that specific device will be capable of decrypting
+       * the export ciphertext.
+       *
+       * If no secure hardware device is available to store the secret key, this
+       * option SHOULD NOT be used because of the risk of secret key theft during
+       * the export delay period.
+       * @example AkpLT/3dXApJzXSduaPQ7apyT0ADBwqkt1es/aT0iWWf
+       */
+      public_key?: string | null;
+    };
+    /** @description The response to a successful user-export init request */
+    UserExportInitResponse: components["schemas"]["UserExportRequest"] & {
+      /**
+       * @description The key-id being requested.
+       * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+       */
+      key_id: string;
+    };
+    /** @description Pending user-export request as stored in the database. */
+    UserExportRequest: {
+      exp_epoch: components["schemas"]["EpochDateTime"];
+      /**
+       * @description The org-id in which the key is housed.
+       * @example Org#f361ed6b-5d19-4ccf-a4d5-eba935dc0b90
+       */
+      org_id: string;
+      /**
+       * @description The SHA-256 hash of the public key provided at export initiation,
+       * if any. If a key was provided, only that key can be used to complete
+       * the export procedure. Otherwise, any key can be used.
+       *
+       * IMPORTANT: if a public key is supplied at export initiation, it is
+       * STRONGLY RECOMMENDED that the corresponding secret key be stored in
+       * a secure hardware device, e.g., a YubiKey or a phone's secure element.
+       * If no such hardware is available, supplying a public key at export
+       * initiation is STRONGLY DISCOURAGED because of the risk of theft during
+       * the export delay period.
+       *
+       * (See also the comment in the `public_key` field of `UserInitRequest`.)
+       * @example df457a98d5538540f54d1316b597a0f39b8d96f488f10a2e31a955c146fdf1d3
+       */
+      public_key_hash?: string | null;
+      valid_epoch: components["schemas"]["EpochDateTime"];
     };
     UserIdInfo: {
       /**
@@ -2617,6 +3218,22 @@ export interface components {
            * ]
            */
           policy?: Record<string, never>[];
+          /**
+           * Format: int64
+           * @description The organization's currently configured user-export delay, i.e., the minimum
+           * amount of time (in seconds) between when a user-export is initiated and when
+           * it may be completed. (This value is meaningless for organizations that use
+           * org-wide export.)
+           */
+          user_export_delay: number;
+          /**
+           * Format: int64
+           * @description The organization's currently configured user-export window, i.e., the amount
+           * of time (in seconds) between when the user-export delay is completed and when
+           * the user export request has expired and can no longer be completed. (This value
+           * is meaningless for organizations that use org-wide export.)
+           */
+          user_export_window: number;
         };
       };
     };
@@ -2694,6 +3311,20 @@ export interface components {
         });
       };
     };
+    PaginatedUserExportListResponse: {
+      content: {
+        "application/json": {
+          export_requests: components["schemas"]["UserExportInitResponse"][];
+        } & ({
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        });
+      };
+    };
     RevokeTokenResponse: {
       content: {
         "application/json": {
@@ -2724,6 +3355,22 @@ export interface components {
            * @example my_role
            */
           name?: string | null;
+          /**
+           * @description Policy that is checked whenever a key is accessed for signing via this role.
+           * @example [
+           *   {
+           *     "SourceIpAllowlist": [
+           *       "123.456.78.9/16"
+           *     ]
+           *   },
+           *   {
+           *     "RequireMfa": {
+           *       "count": 1
+           *     }
+           *   }
+           * ]
+           */
+          policy?: Record<string, never>[];
           /**
            * @description The ID of the role
            * @example Role#bfe3eccb-731e-430d-b1e5-ac1363e6b06b
@@ -2854,6 +3501,48 @@ export interface components {
            * ]
            */
           policy?: Record<string, never>[] | null;
+          /**
+           * Format: int64
+           * @description The new value of user-export delay
+           */
+          user_export_delay?: number | null;
+          /**
+           * Format: int64
+           * @description The new value of user-export window
+           */
+          user_export_window?: number | null;
+        };
+      };
+    };
+    /** @description An encrypted user-export */
+    UserExportCompleteResponse: {
+      content: {
+        "application/json": {
+          /**
+           * @description The exported key material, encrypted with AES-256-GCM under a key
+           * derived from the public key supplied in the request via HPKE (RFC9180)
+           * with DHKEM(P-256, HKDF-SHA256) and base64 encoded.
+           */
+          encrypted_key_material: string;
+          /**
+           * @description The ephemeral public key used for HPKE key derivation as base64-encoded
+           * uncompressed SEC1 serialization.
+           */
+          ephemeral_public_key: string;
+          /** @description The user-id to which this key belongs. */
+          user_id: string;
+        };
+      };
+    };
+    /** @description The response to a successful user-export init request */
+    UserExportInitResponse: {
+      content: {
+        "application/json": components["schemas"]["UserExportRequest"] & {
+          /**
+           * @description The key-id being requested.
+           * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+           */
+          key_id: string;
         };
       };
     };
@@ -2896,7 +3585,6 @@ export interface operations {
 
   /**
    * User Info
-   * @deprecated
    * @description User Info
    *
    * Retrieves information about the current user.
@@ -3856,7 +4544,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["EmptyImpl"];
+      200: components["responses"]["RoleInfo"];
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -4230,6 +4918,36 @@ export interface operations {
       };
     };
   };
+  /**
+   * Create new user session (management and/or signing)
+   * @description Create new user session (management and/or signing)
+   *
+   * Create a new user session
+   */
+  createSession: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["CreateSessionRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["NewSessionResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Revoke existing session(s)
    * @description Revoke existing session(s)
@@ -4263,6 +4981,31 @@ export interface operations {
       };
     };
   };
+  /**
+   * Revoke current session
+   * @description Revoke current session
+   *
+   * Immediately revokes the current session, preventing it from being used or refreshed
+   */
+  revokeCurrentSession: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Get session information
    * @description Get session information
@@ -4412,6 +5155,171 @@ export interface operations {
       };
     };
   };
+  /**
+   * List outstanding user-export requests
+   * @description List outstanding user-export requests
+   */
+  userExportList: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+        /**
+         * @description If provided, the user-id whose user-export requests to list. Defaults to the
+         * current user.  Only the org owner may list requests for another user.
+         * @example User#806c9544-f1fa-4bad-8d4d-1097a1844726
+         */
+        user_id?: string | null;
+        /**
+         * @description If provided, the key-id for which to list an existing user-export request.
+         * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+         */
+        key_id?: string | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedUserExportListResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Initiate a user-export request
+   * @description Initiate a user-export request
+   *
+   * This starts a delay (whose length is determined by Org-wide settings)
+   * before export can be completed, and returns a ticket that can be used
+   * to complete the export once the timer has expired.
+   *
+   * Only one user-export request can be active for a given key. If there
+   * is already an active export, this endpoint will return an error. To
+   * create a new request, first delete the existing one.
+   */
+  userExportInit: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["UserExportInitRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["UserExportInitResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Delete an existing user-export request
+   * @description Delete an existing user-export request
+   */
+  userExportDelete: {
+    parameters: {
+      query: {
+        /**
+         * @description The key-id whose export request should be deleted
+         * @example Key#0x3c4d90Cc5Af1644C3A3B013Baa5488997381D7C8
+         */
+        key_id: string;
+        /**
+         * @description The user-id who owns this request. If omitted, defaults to the current user.
+         * Only the org owner may delete user-export requests for another user.
+         * @example User#806c9544-f1fa-4bad-8d4d-1097a1844726
+         */
+        user_id?: string | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["EmptyImpl"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Complete a user-export request
+   * @description Complete a user-export request
+   *
+   * This endpoint can be called only after initiating a user-export request via
+   * the `user_export_init` API, and only within the subsequent export window
+   * (i.e., after the export delay has passed and before the request has expired).
+   *
+   * To check on the status of an export request, see the `user_export_list` API.
+   */
+  userExportComplete: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["UserExportCompleteRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["UserExportCompleteResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Initiate registration of a FIDO key
    * @description Initiate registration of a FIDO key
@@ -4499,9 +5407,9 @@ export interface operations {
         org_id: string;
       };
     };
-    requestBody: {
+    requestBody?: {
       content: {
-        "application/json": components["schemas"]["Empty"];
+        "application/json": components["schemas"]["TotpResetRequest"] | null;
       };
     };
     responses: {
@@ -4722,9 +5630,9 @@ export interface operations {
    * otherwise, MFA is required.
    */
   resetTotpInitLegacy: {
-    requestBody: {
+    requestBody?: {
       content: {
-        "application/json": components["schemas"]["Empty"];
+        "application/json": components["schemas"]["TotpResetRequest"] | null;
       };
     };
     responses: {