@cubist-labs/cubesigner-sdk 0.2.24 → 0.3.1

package/src/schema.ts

@@ -3,6 +3,14 @@
  * Do not make direct changes to the file.
  */
 
+/** OneOf type helpers */
+type Without<T, U> = { [P in Exclude<keyof T, keyof U>]?: never };
+type XOR<T, U> = T | U extends object ? (Without<T, U> & U) | (Without<U, T> & T) : T | U;
+type OneOf<T extends any[]> = T extends [infer Only]
+  ? Only
+  : T extends [infer A, infer B, ...infer Rest]
+    ? OneOf<[XOR<A, B>, ...Rest]>
+    : never;
 
 export interface paths {
   "/v0/about_me": {
@@ -60,6 +68,15 @@ export interface paths {
      */
     put: operations["deriveKey"];
   };
+  "/v0/org/{org_id}/evm/eip191/sign/{pubkey}": {
+    /**
+     * Sign EIP-191 Data
+     * @description Sign EIP-191 Data
+     *
+     * Signs a message using EIP-191 personal_sign with a given Secp256k1 key.
+     */
+    post: operations["eip191Sign"];
+  };
   "/v0/org/{org_id}/evm/eip712/sign/{pubkey}": {
     /**
      * Sign EIP-712 Typed Data
@@ -274,14 +291,15 @@ export interface paths {
      * @description Delete Role
      *
      * Deletes a role in an organization.
-     * Only organization owners can perform this action.
+     * Only users in the role can perform this action.
      */
     delete: operations["deleteRole"];
     /**
      * Update Role
      * @description Update Role
      *
-     * Enables or disables a role.
+     * Enables or disables a role (this requires the `manage:role:update:enable` scope).
+     * Updates the role's policies (this requires the `manage:role:update:policy` scope).
      * The user must be in the role or an owner of the organization.
      */
     patch: operations["updateRole"];
@@ -389,7 +407,8 @@ export interface paths {
      * Create new user session (management and/or signing)
      * @description Create new user session (management and/or signing)
      *
-     * Create a new user session
+     * Creates a new user session, silently truncating requested session and auth lifetimes
+     * to be at most requestor's session and auth lifetime, respectively.
      */
     post: operations["createSession"];
     /**
@@ -775,7 +794,7 @@ export interface components {
       email: string;
       identity: components["schemas"]["OIDCIdentity"];
       /** @description Optional login MFA policy */
-      mfa_policy?: Record<string, unknown> | null;
+      mfa_policy?: unknown;
       role: components["schemas"]["MemberRole"];
     };
     AddThirdPartyUserResponse: {
@@ -956,7 +975,13 @@ export interface components {
       signature: string;
     };
     /** @enum {string} */
-    BtcSighashType: "All" | "None" | "Single" | "AllPlusAnyoneCanPay" | "NonePlusAnyoneCanPay" | "SinglePlusAnyoneCanPay";
+    BtcSighashType:
+      | "All"
+      | "None"
+      | "Single"
+      | "AllPlusAnyoneCanPay"
+      | "NonePlusAnyoneCanPay"
+      | "SinglePlusAnyoneCanPay";
     BtcSignRequest: {
       sig_kind: components["schemas"]["BtcSignatureKind"];
       /** @description The bitcoin transaction to sign */
@@ -991,6 +1016,19 @@ export interface components {
         value: number;
       };
     };
+    /** @description Describes how to derive a WebAuthn challenge value. */
+    ChallengePieces: {
+      /**
+       * @description A base64url encoding of UTF8 JSON. The data in that JSON is endpoint specific, and describes what this FIDO challenge will be used for.
+       *
+       * Clients can use `preimage` along with `random_seed` to reconstruct the challenge like so:
+       *
+       * `challenge = HMAC-SHA256(key=random_seed, message=preimage)`
+       */
+      preimage: string;
+      /** @description A random seed that prevents replay attacks */
+      random_seed: string;
+    };
     /**
      * @description Session information sent to the client.
      * This struct works in tandem with its server-side counterpart [`SessionData`].
@@ -1011,17 +1049,19 @@ export interface components {
       /** @description Session ID */
       session_id: string;
     };
-    ConfiguredMfa: {
-      /** @enum {string} */
-      type: "totp";
-    } | {
-      /** @description A unique credential id */
-      id: string;
-      /** @description A human-readable name given to the key */
-      name: string;
-      /** @enum {string} */
-      type: "fido";
-    };
+    ConfiguredMfa:
+      | {
+          /** @enum {string} */
+          type: "totp";
+        }
+      | {
+          /** @description A unique credential id */
+          id: string;
+          /** @description A human-readable name given to the key */
+          name: string;
+          /** @enum {string} */
+          type: "fido";
+        };
     CreateKeyImportKeyResponse: components["schemas"]["KeyImportKey"] & {
       /**
        * @description An attestation document from a secure enclave, including an
@@ -1093,7 +1133,7 @@ export interface components {
        */
       scopes: string[];
     };
-    CreateTokenRequest: components["schemas"]["RatchetConfig"] & ({
+    CreateTokenRequest: components["schemas"]["RatchetConfig"] & {
       /**
        * @description A human readable description of the purpose of the key
        * @example Validator Signing
@@ -1107,7 +1147,16 @@ export interface components {
        * ]
        */
       scopes?: string[] | null;
-    });
+    };
+    /**
+     * @description An extended form of `PublicKeyCredentialCreationOptions` that allows clients to derive the WebAuthn challenge
+     * from a structured preimage.
+     *
+     * This ensures that the webuathn signature can only be used for a specific purpose
+     */
+    CreationOptionsWithHash: components["schemas"]["ChallengePieces"] & {
+      options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+    };
     CubeSignerUserInfo: {
       /** @description All multi-factor authentication methods configured for this user */
       configured_mfa: components["schemas"]["ConfiguredMfa"][];
@@ -1160,6 +1209,22 @@ export interface components {
        */
       mnemonic_id: string;
     };
+    Eip191Or712SignResponse: {
+      /**
+       * @description Hex-encoded signature comprising 65 bytes in the format required
+       * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
+       * which is either 27 or 28.
+       * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
+       */
+      signature: string;
+    };
+    Eip191SignRequest: {
+      /**
+       * @description EIP-191 data to sign as hex-encoded bytes.
+       * @example 0xdeadbeef13c0ffee
+       */
+      data: string;
+    };
     /**
      * @example {
      *   "chain_id": 1337,
@@ -1255,17 +1320,8 @@ export interface components {
       /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
       typed_data: Record<string, never>;
     };
-    Eip712SignResponse: {
-      /**
-       * @description Hex-encoded signature comprising 65 bytes in the format required
-       * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
-       * which is either 27 or 28.
-       * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
-       */
-      signature: string;
-    };
     /** @default null */
-    Empty: Record<string, unknown> | null;
+    Empty: unknown;
     EmptyImpl: {
       status: string;
     };
@@ -1367,10 +1423,11 @@ export interface components {
       challenge_id: string;
       credential: components["schemas"]["PublicKeyCredential"];
     };
-    FidoAssertChallenge: {
+    FidoAssertChallenge: (components["schemas"]["ChallengePieces"] & {
+      options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+    }) & {
       /** @description The id of the challenge. Must be supplied when answering the challenge. */
       challenge_id: string;
-      options: components["schemas"]["PublicKeyCredentialRequestOptions"];
     };
     /** @description Sent from the client to the server to answer a fido challenge */
     FidoCreateChallengeAnswer: {
@@ -1382,10 +1439,11 @@ export interface components {
      * @description Sent by the server to the client. Contains the challenge data that must be
      * used to generate a new credential
      */
-    FidoCreateChallengeResponse: {
+    FidoCreateChallengeResponse: (components["schemas"]["ChallengePieces"] & {
+      options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+    }) & {
       /** @description The id of the challenge. Must be supplied when answering the challenge. */
       challenge_id: string;
-      options: components["schemas"]["PublicKeyCredentialCreationOptions"];
     };
     /** @description Declares intent to register a new FIDO key */
     FidoCreateRequest: {
@@ -1460,6 +1518,8 @@ export interface components {
        * @description Number of requests currently being processed by cube3signer
        */
       current_num_requests_processing: number;
+      /** @description Do not record metric data from this heartbeat */
+      ignore?: boolean;
       /**
        * Format: int64
        * @description Number of new requests during this heartbeat period
@@ -1506,7 +1566,7 @@ export interface components {
      */
     HttpRequest: {
       /** @description HTTP request body */
-      body?: Record<string, unknown> | null;
+      body?: unknown;
       /** @description HTTP method of the request */
       method: string;
       /** @description HTTP path of the request (including host or not?) */
@@ -1516,7 +1576,7 @@ export interface components {
      * @description Proof that an end-user provided CubeSigner with a valid auth token
      * (either an OIDC token or a CubeSigner session token)
      */
-    IdentityProof: ({
+    IdentityProof: {
       /**
        * @description OIDC audience; set only if the proof was obtained by using OIDC token.
        *
@@ -1531,7 +1591,7 @@ export interface components {
       exp_epoch: components["schemas"]["EpochDateTime"];
       identity?: components["schemas"]["OIDCIdentity"] | null;
       user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
-    }) & {
+    } & {
       /** @description An opaque identifier for the proof */
       id: string;
     };
@@ -1564,7 +1624,7 @@ export interface components {
        */
       email: string;
       /** @description Optional login MFA policy */
-      mfa_policy?: Record<string, unknown> | null;
+      mfa_policy?: unknown;
       /**
        * @description The user's full name
        * @example Alice Wonderland
@@ -1650,21 +1710,24 @@ export interface components {
      * );
      * ```
      */
-    JsonKeyPackage: ({
-      /** @enum {string} */
-      material_type: "raw_secret";
-      /** @description The value of the raw secret */
-      secret: string;
-    } | {
-      /** @description The derivation path */
-      derivation_path: string;
-      /** @enum {string} */
-      material_type: "english_mnemonic";
-      /** @description The mnemonic */
-      mnemonic: string;
-      /** @description The password (which may be empty) */
-      password: string;
-    }) & {
+    JsonKeyPackage: (
+      | {
+          /** @enum {string} */
+          material_type: "raw_secret";
+          /** @description The value of the raw secret */
+          secret: string;
+        }
+      | {
+          /** @description The derivation path */
+          derivation_path: string;
+          /** @enum {string} */
+          material_type: "english_mnemonic";
+          /** @description The mnemonic */
+          mnemonic: string;
+          /** @description The password (which may be empty) */
+          password: string;
+        }
+    ) & {
       /** @description The type of key this package represents */
       key_type: string;
     };
@@ -1729,6 +1792,12 @@ export interface components {
        * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
        */
       material_id: string;
+      /**
+       * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
+       * it as untrusted user data (and avoid injecting metadata into HTML directly) if
+       * untrusted users can create/update keys (or their metadata).
+       */
+      metadata?: string;
       /**
        * @description Owner of the key
        * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -1765,7 +1834,21 @@ export interface components {
       keys: components["schemas"]["KeyInfo"][];
     };
     /** @enum {string} */
-    KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark";
+    KeyType:
+      | "SecpEthAddr"
+      | "SecpBtc"
+      | "SecpBtcTest"
+      | "SecpAvaAddr"
+      | "SecpAvaTestAddr"
+      | "BlsPub"
+      | "BlsInactive"
+      | "Ed25519SolanaAddr"
+      | "Ed25519SuiAddr"
+      | "Ed25519AptosAddr"
+      | "Ed25519CardanoAddrVk"
+      | "Ed25519StellarAddr"
+      | "Mnemonic"
+      | "Stark";
     /**
      * @description Wrapper around encrypted [UnencryptedLastEvalKey] bytes.
      *
@@ -1794,8 +1877,23 @@ export interface components {
       request: components["schemas"]["HttpRequest"];
       status: components["schemas"]["Status"];
     };
-    /** @enum {string} */
-    MfaType: "CubeSigner" | "Totp" | "Fido";
+    MfaType: OneOf<
+      [
+        "CubeSigner",
+        "Totp",
+        "Fido",
+        {
+          /** @description Answer a FIDO challenge with a specific FIDO key */
+          FidoKey: {
+            /**
+             * @description The ID of the FIDO key that must be use to approve the request
+             * @example FidoKey#EtDd...ZZc8=
+             */
+            key_id: string;
+          };
+        },
+      ]
+    >;
     /**
      * @description Network name ('mainnet', 'prater', 'goerli')
      * @example goerli
@@ -1951,14 +2049,14 @@ export interface components {
      */
     PaginatedListKeysResponse: {
       keys: components["schemas"]["KeyInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -1966,14 +2064,14 @@ export interface components {
     PaginatedListRoleKeysResponse: {
       /** @description All keys in a role */
       keys: components["schemas"]["KeyInRoleInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -1981,14 +2079,14 @@ export interface components {
     PaginatedListRoleUsersResponse: {
       /** @description All users in a role */
       users: components["schemas"]["UserInRoleInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -1996,14 +2094,14 @@ export interface components {
     PaginatedListRolesResponse: {
       /** @description All roles in an organization. */
       roles: components["schemas"]["RoleInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -2011,28 +2109,28 @@ export interface components {
     PaginatedSessionsResponse: {
       /** @description The list of sessions */
       sessions: components["schemas"]["SessionInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
      */
     PaginatedUserExportListResponse: {
       export_requests: components["schemas"]["UserExportInitResponse"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description This type represents a wire-encodable form of the PublicKeyCredential interface
      * Clients may need to manually encode into this format to communicate with the server
@@ -2057,7 +2155,7 @@ export interface components {
        * This operation returns the value of [[clientExtensionsResults]], which is a map containing extension identifier → client extension output entries produced by the extension’s client extension processing.
        * https://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredential-getclientextensionresults
        */
-      clientExtensionResults?: Record<string, unknown> | null;
+      clientExtensionResults?: unknown;
       /**
        * @description This internal slot contains the credential ID, chosen by the
        * authenticator. The credential ID is used to look up credentials for use,
@@ -2068,7 +2166,9 @@ export interface components {
        */
       id: string;
       /** @description Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface */
-      response: components["schemas"]["AuthenticatorAttestationResponse"] | components["schemas"]["AuthenticatorAssertionResponse"];
+      response:
+        | components["schemas"]["AuthenticatorAttestationResponse"]
+        | components["schemas"]["AuthenticatorAssertionResponse"];
     };
     /**
      * @description Defines the parameters for the creation of a new public key credential
@@ -2108,7 +2208,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-extensions
        */
-      extensions?: Record<string, unknown> | null;
+      extensions?: unknown;
       /**
        * @description This member contains information about the desired properties of the
        * credential to be created. The sequence is ordered from most preferred to
@@ -2202,7 +2302,7 @@ export interface components {
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-challenge
        */
       challenge: string;
-      extensions?: Record<string, unknown> | null;
+      extensions?: unknown;
       /**
        * @description This OPTIONAL member specifies the relying party identifier claimed by
        * the caller. If omitted, its value will be the CredentialsContainer
@@ -2349,13 +2449,13 @@ export interface components {
       name: string;
     };
     RatchetConfig: {
-      /** @default 300 */
+      /** @default default_auth_lifetime */
       auth_lifetime?: components["schemas"]["Seconds"];
       /** @default default_grace_lifetime */
       grace_lifetime?: components["schemas"]["Seconds"];
-      /** @default 86400 */
+      /** @default default_refresh_lifetime */
       refresh_lifetime?: components["schemas"]["Seconds"];
-      /** @default 31536000 */
+      /** @default default_session_lifetime */
       session_lifetime?: components["schemas"]["Seconds"];
     };
     /** @description Receipt that an MFA request was approved. */
@@ -2369,6 +2469,15 @@ export interface components {
       final_approver: string;
       timestamp: components["schemas"]["EpochDateTime"];
     };
+    /**
+     * @description An extended form of `PublicKeyCredentialRequestOptions` that allows clients to derive the WebAuthn challenge
+     * from a structured preimage.
+     *
+     * This ensures that the webuathn signature can only be used for a specific purpose
+     */
+    RequestOptionsWithHash: components["schemas"]["ChallengePieces"] & {
+      options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+    };
     /**
      * @description This enumeration’s values describe the Relying Party's requirements for
      * client-side discoverable credentials (formerly known as resident credentials
@@ -2618,6 +2727,11 @@ export interface components {
        * Once disabled, a key cannot be used for signing.
        */
       enabled?: boolean | null;
+      /**
+       * @description If set, update this key's metadata. Validation regex: ^[A-Za-z0-9_=+/ \-\.\,]{0,1024}$
+       * @example Contract admin key
+       */
+      metadata?: string | null;
       /**
        * @description If set, updates key's owner to this value.
        * The new owner must be an existing user who is a member of the same org.
@@ -2865,7 +2979,7 @@ export interface components {
       /** @description All multi-factor authentication methods configured for this user */
       mfa: components["schemas"]["ConfiguredMfa"][];
       /** @description MFA policy, applies before logging in and other sensitive operations */
-      mfa_policy?: Record<string, unknown> | null;
+      mfa_policy?: unknown;
       /**
        * @description All organizations the user belongs to
        * @example [
@@ -2978,7 +3092,7 @@ export interface components {
         };
       };
     };
-    Eip712SignResponse: {
+    Eip191Or712SignResponse: {
       content: {
         "application/json": {
           /**
@@ -3022,10 +3136,11 @@ export interface components {
     };
     FidoAssertChallenge: {
       content: {
-        "application/json": {
+        "application/json": (components["schemas"]["ChallengePieces"] & {
+          options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+        }) & {
           /** @description The id of the challenge. Must be supplied when answering the challenge. */
           challenge_id: string;
-          options: components["schemas"]["PublicKeyCredentialRequestOptions"];
         };
       };
     };
@@ -3035,10 +3150,11 @@ export interface components {
      */
     FidoCreateChallengeResponse: {
       content: {
-        "application/json": {
+        "application/json": (components["schemas"]["ChallengePieces"] & {
+          options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+        }) & {
           /** @description The id of the challenge. Must be supplied when answering the challenge. */
           challenge_id: string;
-          options: components["schemas"]["PublicKeyCredentialCreationOptions"];
         };
       };
     };
@@ -3056,7 +3172,7 @@ export interface components {
      */
     IdentityProof: {
       content: {
-        "application/json": ({
+        "application/json": {
           /**
            * @description OIDC audience; set only if the proof was obtained by using OIDC token.
            *
@@ -3071,7 +3187,7 @@ export interface components {
           exp_epoch: components["schemas"]["EpochDateTime"];
           identity?: components["schemas"]["OIDCIdentity"] | null;
           user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
-        }) & {
+        } & {
           /** @description An opaque identifier for the proof */
           id: string;
         };
@@ -3127,6 +3243,12 @@ export interface components {
            * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
            */
           material_id: string;
+          /**
+           * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
+           * it as untrusted user data (and avoid injecting metadata into HTML directly) if
+           * untrusted users can create/update keys (or their metadata).
+           */
+          metadata?: string;
           /**
            * @description Owner of the key
            * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -3287,14 +3409,14 @@ export interface components {
       content: {
         "application/json": {
           keys: components["schemas"]["KeyInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedListRoleKeysResponse: {
@@ -3302,14 +3424,14 @@ export interface components {
         "application/json": {
           /** @description All keys in a role */
           keys: components["schemas"]["KeyInRoleInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedListRoleUsersResponse: {
@@ -3317,14 +3439,14 @@ export interface components {
         "application/json": {
           /** @description All users in a role */
           users: components["schemas"]["UserInRoleInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedListRolesResponse: {
@@ -3332,14 +3454,14 @@ export interface components {
         "application/json": {
           /** @description All roles in an organization. */
           roles: components["schemas"]["RoleInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedSessionsResponse: {
@@ -3347,28 +3469,28 @@ export interface components {
         "application/json": {
           /** @description The list of sessions */
           sessions: components["schemas"]["SessionInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedUserExportListResponse: {
       content: {
         "application/json": {
           export_requests: components["schemas"]["UserExportInitResponse"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     RevokeTokenResponse: {
@@ -3605,7 +3727,7 @@ export interface components {
           /** @description All multi-factor authentication methods configured for this user */
           mfa: components["schemas"]["ConfiguredMfa"][];
           /** @description MFA policy, applies before logging in and other sensitive operations */
-          mfa_policy?: Record<string, unknown> | null;
+          mfa_policy?: unknown;
           /**
            * @description All organizations the user belongs to
            * @example [
@@ -3633,7 +3755,6 @@ export type $defs = Record<string, never>;
 export type external = Record<string, never>;
 
 export interface operations {
-
   /**
    * User Info
    * @description User Info
@@ -3818,6 +3939,46 @@ export interface operations {
       };
     };
   };
+  /**
+   * Sign EIP-191 Data
+   * @description Sign EIP-191 Data
+   *
+   * Signs a message using EIP-191 personal_sign with a given Secp256k1 key.
+   */
+  eip191Sign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Hex-encoded EVM address of the Secp256k1 key
+         * @example 0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Eip191SignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["Eip191Or712SignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Sign EIP-712 Typed Data
    * @description Sign EIP-712 Typed Data
@@ -3833,7 +3994,7 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description Hex-encoded ethereum address of the secp key
+         * @description Hex-encoded EVM address of the Secp256k1 key
          * @example 0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
          */
         pubkey: string;
@@ -3845,7 +4006,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["Eip712SignResponse"];
+      200: components["responses"]["Eip191Or712SignResponse"];
       202: {
         content: {
           "application/json": components["schemas"]["AcceptedResponse"];
@@ -3943,8 +4104,7 @@ export interface operations {
         "application/json": components["schemas"]["IdentityProof"];
       };
     };
-    responses: {
-    };
+    responses: {};
   };
   /**
    * Create Key-Import Key
@@ -4541,7 +4701,7 @@ export interface operations {
    * @description Delete Role
    *
    * Deletes a role in an organization.
-   * Only organization owners can perform this action.
+   * Only users in the role can perform this action.
    */
   deleteRole: {
     parameters: {
@@ -4571,7 +4731,8 @@ export interface operations {
    * Update Role
    * @description Update Role
    *
-   * Enables or disables a role.
+   * Enables or disables a role (this requires the `manage:role:update:enable` scope).
+   * Updates the role's policies (this requires the `manage:role:update:policy` scope).
    * The user must be in the role or an owner of the organization.
    */
   updateRole: {
@@ -4629,8 +4790,7 @@ export interface operations {
         "application/json": components["schemas"]["AddKeysToRoleRequest"];
       };
     };
-    responses: {
-    };
+    responses: {};
   };
   /**
    * Add User
@@ -4659,8 +4819,7 @@ export interface operations {
         user_id: string;
       };
     };
-    responses: {
-    };
+    responses: {};
   };
   /**
    * List Role Keys
@@ -4733,8 +4892,7 @@ export interface operations {
         key_id: string;
       };
     };
-    responses: {
-    };
+    responses: {};
   };
   /**
    * List a single page of Tokens (Deprecated)
@@ -4973,7 +5131,8 @@ export interface operations {
    * Create new user session (management and/or signing)
    * @description Create new user session (management and/or signing)
    *
-   * Create a new user session
+   * Creates a new user session, silently truncating requested session and auth lifetimes
+   * to be at most requestor's session and auth lifetime, respectively.
    */
   createSession: {
     parameters: {
@@ -5875,9 +6034,9 @@ export interface operations {
         org_id: string;
       };
     };
-    requestBody: {
+    requestBody?: {
       content: {
-        "application/json": components["schemas"]["HeartbeatRequest"];
+        "application/json": components["schemas"]["HeartbeatRequest"] | null;
       };
     };
     responses: {