@cubist-labs/cubesigner-sdk 0.2.28 → 0.3.8

package/src/schema.ts

@@ -3,6 +3,14 @@
  * Do not make direct changes to the file.
  */
 
+/** OneOf type helpers */
+type Without<T, U> = { [P in Exclude<keyof T, keyof U>]?: never };
+type XOR<T, U> = T | U extends object ? (Without<T, U> & U) | (Without<U, T> & T) : T | U;
+type OneOf<T extends any[]> = T extends [infer Only]
+  ? Only
+  : T extends [infer A, infer B, ...infer Rest]
+    ? OneOf<[XOR<A, B>, ...Rest]>
+    : never;
 
 export interface paths {
   "/v0/about_me": {
@@ -60,6 +68,15 @@ export interface paths {
      */
     put: operations["deriveKey"];
   };
+  "/v0/org/{org_id}/evm/eip191/sign/{pubkey}": {
+    /**
+     * Sign EIP-191 Data
+     * @description Sign EIP-191 Data
+     *
+     * Signs a message using EIP-191 personal_sign with a given Secp256k1 key.
+     */
+    post: operations["eip191Sign"];
+  };
   "/v0/org/{org_id}/evm/eip712/sign/{pubkey}": {
     /**
      * Sign EIP-712 Typed Data
@@ -175,6 +192,15 @@ export interface paths {
      */
     patch: operations["updateKey"];
   };
+  "/v0/org/{org_id}/keys/{key_id}/roles": {
+    /**
+     * List Key Roles
+     * @description List Key Roles
+     *
+     * Get all roles the key is in
+     */
+    get: operations["listKeyRoles"];
+  };
   "/v0/org/{org_id}/mfa": {
     /**
      * List Pending MFA Requests
@@ -194,46 +220,52 @@ export interface paths {
      */
     get: operations["mfaGet"];
     /**
-     * Approve MFA Request
-     * @description Approve MFA Request
+     * Approve or Reject MFA Request
+     * @description Approve or Reject MFA Request
+     *
+     * Approve or reject request after logging in with CubeSigner.
      *
-     * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+     * If approving, adds the currently-logged user as an approver
      * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
      * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
      * resume the original HTTP request.
+     *
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    patch: operations["mfaApproveCs"];
+    patch: operations["mfaVoteCs"];
   };
   "/v0/org/{org_id}/mfa/{mfa_id}/fido": {
     /**
-     * Initiate Approving an MFA Request with FIDO
-     * @description Initiate Approving an MFA Request with FIDO
+     * Initiate a FIDO MFA Approval/Rejection
+     * @description Initiate a FIDO MFA Approval/Rejection
      *
-     * Initiates the approval process of an MFA Request using FIDO.
+     * Initiates the approval/rejection process of an MFA Request using FIDO.
      */
-    post: operations["mfaApproveFido"];
+    post: operations["mfaFidoInit"];
     /**
-     * Finalize a FIDO MFA Approval
-     * @description Finalize a FIDO MFA Approval
-     *
-     * Adds an approver to a pending MFA request.
+     * Finalize a FIDO MFA Approval/Rejection
+     * @description Finalize a FIDO MFA Approval/Rejection
      *
+     * If approving, adds an approver to a pending MFA request.
      * If the required number of approvers is reached, the MFA request is approved;
      * the confirmation receipt can be used to resume the original HTTP request.
+     *
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    patch: operations["mfaApproveFidoComplete"];
+    patch: operations["mfaVoteFidoComplete"];
   };
   "/v0/org/{org_id}/mfa/{mfa_id}/totp": {
     /**
-     * Approve a TOTP MFA Request
-     * @description Approve a TOTP MFA Request
+     * Approve/Reject a TOTP MFA Request
+     * @description Approve/Reject a TOTP MFA Request
      *
-     * Adds the current user as approver to a pending MFA request by providing TOTP code.
+     * If approving, adds the current user as approver to a pending MFA request by
+     * providing TOTP code. If the required number of approvers is reached, the MFA request is
+     * approved; the confirmation receipt can be used to resume the original HTTP request.
      *
-     * If the required number of approvers is reached, the MFA request is approved;
-     * the confirmation receipt can be used to resume the original HTTP request.
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    patch: operations["mfaApproveTotp"];
+    patch: operations["mfaVoteTotp"];
   };
   "/v0/org/{org_id}/oidc": {
     /**
@@ -274,14 +306,15 @@ export interface paths {
      * @description Delete Role
      *
      * Deletes a role in an organization.
-     * Only organization owners can perform this action.
+     * Only users in the role can perform this action.
      */
     delete: operations["deleteRole"];
     /**
      * Update Role
      * @description Update Role
      *
-     * Enables or disables a role.
+     * Enables or disables a role (this requires the `manage:role:update:enable` scope).
+     * Updates the role's policies (this requires the `manage:role:update:policy` scope).
      * The user must be in the role or an owner of the organization.
      */
     patch: operations["updateRole"];
@@ -377,6 +410,16 @@ export interface paths {
      */
     get: operations["listRoleUsers"];
   };
+  "/v0/org/{org_id}/roles/{role_id}/users/{user_id}": {
+    /**
+     * Remove User
+     * @description Remove User
+     *
+     * Removes an existing user from an existing role.
+     * Only users in the role or org owners can remove users from a role.
+     */
+    delete: operations["removeUserFromRole"];
+  };
   "/v0/org/{org_id}/session": {
     /**
      * List sessions
@@ -389,7 +432,8 @@ export interface paths {
      * Create new user session (management and/or signing)
      * @description Create new user session (management and/or signing)
      *
-     * Create a new user session
+     * Creates a new user session, silently truncating requested session and auth lifetimes
+     * to be at most requestor's session and auth lifetime, respectively.
      */
     post: operations["createSession"];
     /**
@@ -731,6 +775,8 @@ export interface components {
         session?: components["schemas"]["NewSessionResponse"] | null;
       };
     };
+    /** @enum {string} */
+    AcceptedValueCode: "MfaRequired";
     AddKeysToRoleRequest: {
       /**
        * @description A list of keys to add to a role
@@ -775,7 +821,12 @@ export interface components {
       email: string;
       identity: components["schemas"]["OIDCIdentity"];
       /** @description Optional login MFA policy */
-      mfa_policy?: Record<string, unknown> | null;
+      mfa_policy?: unknown;
+      /**
+       * @description Optional user full name
+       * @example Alice Wonderland
+       */
+      name?: string | null;
       role: components["schemas"]["MemberRole"];
     };
     AddThirdPartyUserResponse: {
@@ -937,6 +988,90 @@ export interface components {
     };
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
+    /** @enum {string} */
+    BadRequestErrorCode:
+      | "GenericBadRequest"
+      | "InvalidBody"
+      | "InvalidMfaReceipt"
+      | "InvalidMfaPolicyCount"
+      | "InvalidMfaPolicyNumAuthFactors"
+      | "InvalidMfaPolicyNumAllowedApprovers"
+      | "InvalidMfaPolicyRedundantRule"
+      | "InvalidCreateKeyCount"
+      | "OrgInviteExistingUser"
+      | "OrgNameTaken"
+      | "RoleNameTaken"
+      | "AddKeyToRoleCountTooHigh"
+      | "InvalidKeyId"
+      | "InvalidKeyMetadataLength"
+      | "InvalidKeyMetadata"
+      | "InvalidKeyMaterialId"
+      | "KeyNotFound"
+      | "UserExportDerivedKey"
+      | "UserExportPublicKeyInvalid"
+      | "UserExportInProgress"
+      | "RoleNotFound"
+      | "InvalidMfaReceiptOrgIdMissing"
+      | "InvalidMfaReceiptInvalidOrgId"
+      | "MfaRequestNotFound"
+      | "InvalidKeyType"
+      | "InvalidKeyMaterial"
+      | "InvalidHexValue"
+      | "InvalidBase32Value"
+      | "InvalidBase58Value"
+      | "InvalidForkVersionLength"
+      | "InvalidEthAddress"
+      | "InvalidStellarAddress"
+      | "InvalidOrgNameOrId"
+      | "InvalidStakeDeposit"
+      | "InvalidBlobSignRequest"
+      | "InvalidSolanaSignRequest"
+      | "InvalidEip712SignRequest"
+      | "InvalidEvmSignRequest"
+      | "InvalidEth2SignRequest"
+      | "InvalidDeriveKeyRequest"
+      | "InvalidStakingAmount"
+      | "CustomStakingAmountNotAllowedForWrapperContract"
+      | "InvalidUnstakeRequest"
+      | "InvalidCreateUserRequest"
+      | "UserAlreadyExists"
+      | "UserNotFound"
+      | "PolicyRuleKeyMismatch"
+      | "EmptyScopes"
+      | "InvalidScopesForRoleSession"
+      | "InvalidLifetime"
+      | "NoSingleKeyForUser"
+      | "InvalidOrgPolicyRule"
+      | "SourceIpAllowlistEmpty"
+      | "InvalidOrgPolicyRepeatedRule"
+      | "AvaSignHashError"
+      | "AvaSignError"
+      | "BtcSegwitHashError"
+      | "BtcSignError"
+      | "Eip712SignError"
+      | "InvalidMemberRoleInUserAdd"
+      | "ThirdPartyUserAlreadyExists"
+      | "ThirdPartyUserNotFound"
+      | "DeleteOidcUserError"
+      | "SessionRoleMismatch"
+      | "InvalidOidcToken"
+      | "OidcIssuerUnsupported"
+      | "OidcIssuerNotAllowed"
+      | "OidcIssuerNoApplicableJwk"
+      | "FidoCredentialMissing"
+      | "FidoKeyAlreadyRegistered"
+      | "FidoKeySignCountTooLow"
+      | "FidoVerificationFailed"
+      | "FidoChallengeMfaMismatch"
+      | "UnsupportedLegacyCognitoSession"
+      | "InvalidIdentityProof"
+      | "PaginationDataExpired"
+      | "ExistingKeysViolateExclusiveKeyAccess"
+      | "ExportDelayTooShort"
+      | "ExportWindowTooLong"
+      | "InvalidTotpFailureLimit"
+      | "InvalidEip191SignRequest"
+      | "CannotResendUserInvitation";
     /**
      * @example {
      *   "message_base64": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTYK"
@@ -956,7 +1091,13 @@ export interface components {
       signature: string;
     };
     /** @enum {string} */
-    BtcSighashType: "All" | "None" | "Single" | "AllPlusAnyoneCanPay" | "NonePlusAnyoneCanPay" | "SinglePlusAnyoneCanPay";
+    BtcSighashType:
+      | "All"
+      | "None"
+      | "Single"
+      | "AllPlusAnyoneCanPay"
+      | "NonePlusAnyoneCanPay"
+      | "SinglePlusAnyoneCanPay";
     BtcSignRequest: {
       sig_kind: components["schemas"]["BtcSignatureKind"];
       /** @description The bitcoin transaction to sign */
@@ -991,6 +1132,19 @@ export interface components {
         value: number;
       };
     };
+    /** @description Describes how to derive a WebAuthn challenge value. */
+    ChallengePieces: {
+      /**
+       * @description A base64url encoding of UTF8 JSON. The data in that JSON is endpoint specific, and describes what this FIDO challenge will be used for.
+       *
+       * Clients can use `preimage` along with `random_seed` to reconstruct the challenge like so:
+       *
+       * `challenge = HMAC-SHA256(key=random_seed, message=preimage)`
+       */
+      preimage: string;
+      /** @description A random seed that prevents replay attacks */
+      random_seed: string;
+    };
     /**
      * @description Session information sent to the client.
      * This struct works in tandem with its server-side counterpart [`SessionData`].
@@ -1011,17 +1165,19 @@ export interface components {
       /** @description Session ID */
       session_id: string;
     };
-    ConfiguredMfa: {
-      /** @enum {string} */
-      type: "totp";
-    } | {
-      /** @description A unique credential id */
-      id: string;
-      /** @description A human-readable name given to the key */
-      name: string;
-      /** @enum {string} */
-      type: "fido";
-    };
+    ConfiguredMfa:
+      | {
+          /** @enum {string} */
+          type: "totp";
+        }
+      | {
+          /** @description A unique credential id */
+          id: string;
+          /** @description A human-readable name given to the key */
+          name: string;
+          /** @enum {string} */
+          type: "fido";
+        };
     CreateKeyImportKeyResponse: components["schemas"]["KeyImportKey"] & {
       /**
        * @description An attestation document from a secure enclave, including an
@@ -1093,7 +1249,7 @@ export interface components {
        */
       scopes: string[];
     };
-    CreateTokenRequest: components["schemas"]["RatchetConfig"] & ({
+    CreateTokenRequest: components["schemas"]["RatchetConfig"] & {
       /**
        * @description A human readable description of the purpose of the key
        * @example Validator Signing
@@ -1107,12 +1263,23 @@ export interface components {
        * ]
        */
       scopes?: string[] | null;
-    });
+    };
+    /**
+     * @description An extended form of `PublicKeyCredentialCreationOptions` that allows clients to derive the WebAuthn challenge
+     * from a structured preimage.
+     *
+     * This ensures that the webuathn signature can only be used for a specific purpose
+     */
+    CreationOptionsWithHash: components["schemas"]["ChallengePieces"] & {
+      options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+    };
     CubeSignerUserInfo: {
       /** @description All multi-factor authentication methods configured for this user */
       configured_mfa: components["schemas"]["ConfiguredMfa"][];
       /** @description Set once the user successfully logs into CubeSigner */
       initialized: boolean;
+      /** @description Optional human name for the user */
+      name?: string | null;
       /** @description CubeSigner's user identifier */
       user_id: string;
     };
@@ -1160,6 +1327,22 @@ export interface components {
        */
       mnemonic_id: string;
     };
+    Eip191Or712SignResponse: {
+      /**
+       * @description Hex-encoded signature comprising 65 bytes in the format required
+       * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
+       * which is either 27 or 28.
+       * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
+       */
+      signature: string;
+    };
+    Eip191SignRequest: {
+      /**
+       * @description EIP-191 data to sign as hex-encoded bytes.
+       * @example 0xdeadbeef13c0ffee
+       */
+      data: string;
+    };
     /**
      * @example {
      *   "chain_id": 1337,
@@ -1255,17 +1438,8 @@ export interface components {
       /** @description EIP-712 typed data. Refer to the JSON schema defined in EIP-712. */
       typed_data: Record<string, never>;
     };
-    Eip712SignResponse: {
-      /**
-       * @description Hex-encoded signature comprising 65 bytes in the format required
-       * by ecrecover: 32-byte r, 32-byte s, and one-byte recovery-id v
-       * which is either 27 or 28.
-       * @example 0x4355c47d63924e8a72e509b65029052eb6c299d53a04e167c5775fd466751c9d07299936d304c153f6443dfa05f40ff007d72911b6f72307f996231605b915621c
-       */
-      signature: string;
-    };
     /** @default null */
-    Empty: Record<string, unknown> | null;
+    Empty: unknown;
     EmptyImpl: {
       status: string;
     };
@@ -1284,6 +1458,7 @@ export interface components {
     /** @description The structure of ErrorResponse must match the response template that AWS uses */
     ErrorResponse: {
       accepted?: components["schemas"]["AcceptedValue"] | null;
+      error_code: components["schemas"]["SignerErrorCode"];
       /** @description Error message */
       message: string;
       /** @description Optional request identifier */
@@ -1361,16 +1536,37 @@ export interface components {
        */
       signature: string;
     };
+    /** @enum {string} */
+    EvmTxDepositErrorCode:
+      | "EvmTxDepositReceiverMismatch"
+      | "EvmTxDepositEmptyData"
+      | "EvmTxDepositEmptyChainId"
+      | "EvmTxDepositEmptyReceiver"
+      | "EvmTxDepositUnexpectedValue"
+      | "EvmTxDepositUnexpectedDataLength"
+      | "EvmTxDepositNoAbi"
+      | "EvmTxDepositNoDepositFunction"
+      | "EvmTxDepositUnexpectedFunctionName"
+      | "EvmTxDepositUnexpectedValidatorKey"
+      | "EvmTxDepositInvalidValidatorKey"
+      | "EvmTxDepositMissingDepositArg"
+      | "EvmTxDepositWrongDepositArgType"
+      | "EvmTxDepositWrongValidatorArgValue"
+      | "EvmTxDepositValidatorKeyNotInRole"
+      | "EvmTxDepositUnexpectedWithdrawalCredentials"
+      | "EvmTxDepositUnresolvedRole"
+      | "EvmTxDepositInvalidDepositEncoding";
     /** @description Sent from the client to the server to answer a fido challenge */
     FidoAssertAnswer: {
       /** @description The ID of the challenge that was returned from the POST endpoint */
       challenge_id: string;
       credential: components["schemas"]["PublicKeyCredential"];
     };
-    FidoAssertChallenge: {
+    FidoAssertChallenge: (components["schemas"]["ChallengePieces"] & {
+      options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+    }) & {
       /** @description The id of the challenge. Must be supplied when answering the challenge. */
       challenge_id: string;
-      options: components["schemas"]["PublicKeyCredentialRequestOptions"];
     };
     /** @description Sent from the client to the server to answer a fido challenge */
     FidoCreateChallengeAnswer: {
@@ -1382,10 +1578,11 @@ export interface components {
      * @description Sent by the server to the client. Contains the challenge data that must be
      * used to generate a new credential
      */
-    FidoCreateChallengeResponse: {
+    FidoCreateChallengeResponse: (components["schemas"]["ChallengePieces"] & {
+      options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+    }) & {
       /** @description The id of the challenge. Must be supplied when answering the challenge. */
       challenge_id: string;
-      options: components["schemas"]["PublicKeyCredentialCreationOptions"];
     };
     /** @description Declares intent to register a new FIDO key */
     FidoCreateRequest: {
@@ -1395,6 +1592,64 @@ export interface components {
        */
       name: string;
     };
+    /** @enum {string} */
+    ForbiddenErrorCode:
+      | "FidoRequiredToRemoveTotp"
+      | "MfaChallengeExpired"
+      | "ChainIdNotAllowed"
+      | "InvalidOrg"
+      | "SessionForWrongOrg"
+      | "OrgDisabled"
+      | "OrgNotFound"
+      | "OrgWithoutOwner"
+      | "OrphanedUser"
+      | "OidcUserNotFound"
+      | "UserNotInOrg"
+      | "UserNotOrgOwner"
+      | "UserNotKeyOwner"
+      | "InvalidRole"
+      | "DisabledRole"
+      | "KeyDisabled"
+      | "RoleNotInOrg"
+      | "KeyNotInRole"
+      | "KeyNotInOrg"
+      | "UserExportRequestNotInOrg"
+      | "UserExportRequestInvalid"
+      | "UserNotOriginalKeyOwner"
+      | "UserNotInRole"
+      | "MustBeFullMember"
+      | "SessionExpired"
+      | "SessionRevoked"
+      | "ExpectedUserSession"
+      | "SessionRoleChanged"
+      | "ScopedNameNotFound"
+      | "SessionInvalidEpochToken"
+      | "SessionInvalidRefreshToken"
+      | "SessionRefreshTokenExpired"
+      | "InvalidAuthHeader"
+      | "SessionNotFound"
+      | "InvalidArn"
+      | "SessionInvalidAuthToken"
+      | "SessionAuthTokenExpired"
+      | "SessionPossiblyStolenToken"
+      | "MfaDisallowedIdentity"
+      | "MfaDisallowedApprover"
+      | "MfaTypeNotAllowed"
+      | "MfaNotApprovedYet"
+      | "MfaConfirmationCodeMismatch"
+      | "MfaHttpRequestMismatch"
+      | "MfaApprovalFromUserSession"
+      | "MfaRemoveBelowMin"
+      | "TotpAlreadyConfigured"
+      | "TotpConfigurationChanged"
+      | "MfaTotpBadConfiguration"
+      | "MfaTotpBadCode"
+      | "MfaTotpRateLimit"
+      | "ImproperSessionScope"
+      | "FullSessionRequired"
+      | "SessionWithoutAnyScopeUnder"
+      | "UserRoleUnprivileged"
+      | "MfaNotConfigured";
     /**
      * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
      * The schema of `Fork` is defined in the [Beacon chain
@@ -1460,6 +1715,8 @@ export interface components {
        * @description Number of requests currently being processed by cube3signer
        */
       current_num_requests_processing: number;
+      /** @description Do not record metric data from this heartbeat */
+      ignore?: boolean;
       /**
        * Format: int64
        * @description Number of new requests during this heartbeat period
@@ -1506,7 +1763,7 @@ export interface components {
      */
     HttpRequest: {
       /** @description HTTP request body */
-      body?: Record<string, unknown> | null;
+      body?: unknown;
       /** @description HTTP method of the request */
       method: string;
       /** @description HTTP path of the request (including host or not?) */
@@ -1516,7 +1773,7 @@ export interface components {
      * @description Proof that an end-user provided CubeSigner with a valid auth token
      * (either an OIDC token or a CubeSigner session token)
      */
-    IdentityProof: ({
+    IdentityProof: {
       /**
        * @description OIDC audience; set only if the proof was obtained by using OIDC token.
        *
@@ -1531,7 +1788,7 @@ export interface components {
       exp_epoch: components["schemas"]["EpochDateTime"];
       identity?: components["schemas"]["OIDCIdentity"] | null;
       user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
-    }) & {
+    } & {
       /** @description An opaque identifier for the proof */
       id: string;
     };
@@ -1557,6 +1814,60 @@ export interface components {
        */
       salt: string;
     };
+    /** @enum {string} */
+    InternalErrorCode:
+      | "SystemTimeError"
+      | "ReqwestError"
+      | "DbQueryError"
+      | "DbGetError"
+      | "DbDeleteError"
+      | "DbPutError"
+      | "DbUpdateError"
+      | "SerdeError"
+      | "TestAndSetError"
+      | "DbGetItemsError"
+      | "DbWriteError"
+      | "CubistSignerError"
+      | "CwPutMetricDataError"
+      | "KmsGenerateRandomError"
+      | "MalformedTotpBytes"
+      | "KmsGenerateRandomNoResponseError"
+      | "CreateKeyError"
+      | "ParseDerivationPathError"
+      | "SplitSignerError"
+      | "CreateImportKeyError"
+      | "CognitoDeleteUserError"
+      | "CognitoListUsersError"
+      | "CognitoGetUserError"
+      | "MissingUserEmail"
+      | "CognitoResendUserInvitation"
+      | "CognitoSetUserPasswordError"
+      | "GenericInternalError"
+      | "OidcAuthWithoutOrg"
+      | "MissingKeyMetadata"
+      | "KmsKeyWithoutId"
+      | "KmsEnableKeyError"
+      | "KmsDisableKeyError"
+      | "SerializeEncryptedExportKeyError"
+      | "DeserializeEncryptedExportKeyError"
+      | "ReEncryptUserExport"
+      | "S3UploadError"
+      | "S3DownloadError"
+      | "ManagedStateMissing"
+      | "InternalHeaderMissing"
+      | "InvalidInternalHeaderValue"
+      | "RequestLocalStateAlreadySet"
+      | "OidcOrgMismatch"
+      | "OrphanedRoleKeyId"
+      | "OidcIssuerJwkEndpointUnavailable"
+      | "OidcIssuerInvalidJwk"
+      | "InvalidPkForMaterialId"
+      | "UncheckedOrg"
+      | "AvaSignCredsMissing"
+      | "AvaSignSignatureMissing"
+      | "ExpectedRoleSession"
+      | "InvalidThirdPartyIdentity"
+      | "CognitoGetUser";
     InviteRequest: {
       /**
        * @description The user's email address
@@ -1564,7 +1875,7 @@ export interface components {
        */
       email: string;
       /** @description Optional login MFA policy */
-      mfa_policy?: Record<string, unknown> | null;
+      mfa_policy?: unknown;
       /**
        * @description The user's full name
        * @example Alice Wonderland
@@ -1650,21 +1961,24 @@ export interface components {
      * );
      * ```
      */
-    JsonKeyPackage: ({
-      /** @enum {string} */
-      material_type: "raw_secret";
-      /** @description The value of the raw secret */
-      secret: string;
-    } | {
-      /** @description The derivation path */
-      derivation_path: string;
-      /** @enum {string} */
-      material_type: "english_mnemonic";
-      /** @description The mnemonic */
-      mnemonic: string;
-      /** @description The password (which may be empty) */
-      password: string;
-    }) & {
+    JsonKeyPackage: (
+      | {
+          /** @enum {string} */
+          material_type: "raw_secret";
+          /** @description The value of the raw secret */
+          secret: string;
+        }
+      | {
+          /** @description The derivation path */
+          derivation_path: string;
+          /** @enum {string} */
+          material_type: "english_mnemonic";
+          /** @description The mnemonic */
+          mnemonic: string;
+          /** @description The password (which may be empty) */
+          password: string;
+        }
+    ) & {
       /** @description The type of key this package represents */
       key_type: string;
     };
@@ -1712,6 +2026,11 @@ export interface components {
        * ]
        */
       policy?: Record<string, never>[];
+      /**
+       * @description Role ID
+       * @example Role#e427c28a-9c5b-49cc-a257-878aea58a22c
+       */
+      role_id: string;
     };
     KeyInfo: {
       derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
@@ -1729,6 +2048,12 @@ export interface components {
        * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
        */
       material_id: string;
+      /**
+       * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
+       * it as untrusted user data (and avoid injecting metadata into HTML directly) if
+       * untrusted users can create/update keys (or their metadata).
+       */
+      metadata?: string;
       /**
        * @description Owner of the key
        * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -1765,7 +2090,21 @@ export interface components {
       keys: components["schemas"]["KeyInfo"][];
     };
     /** @enum {string} */
-    KeyType: "SecpEthAddr" | "SecpBtc" | "SecpBtcTest" | "SecpAvaAddr" | "SecpAvaTestAddr" | "BlsPub" | "BlsInactive" | "Ed25519SolanaAddr" | "Ed25519SuiAddr" | "Ed25519AptosAddr" | "Ed25519CardanoAddrVk" | "Ed25519StellarAddr" | "Mnemonic" | "Stark";
+    KeyType:
+      | "SecpEthAddr"
+      | "SecpBtc"
+      | "SecpBtcTest"
+      | "SecpAvaAddr"
+      | "SecpAvaTestAddr"
+      | "BlsPub"
+      | "BlsInactive"
+      | "Ed25519SolanaAddr"
+      | "Ed25519SuiAddr"
+      | "Ed25519AptosAddr"
+      | "Ed25519CardanoAddrVk"
+      | "Ed25519StellarAddr"
+      | "Mnemonic"
+      | "Stark";
     /**
      * @description Wrapper around encrypted [UnencryptedLastEvalKey] bytes.
      *
@@ -1794,8 +2133,25 @@ export interface components {
       request: components["schemas"]["HttpRequest"];
       status: components["schemas"]["Status"];
     };
+    MfaType: OneOf<
+      [
+        "CubeSigner",
+        "Totp",
+        "Fido",
+        {
+          /** @description Answer a FIDO challenge with a specific FIDO key */
+          FidoKey: {
+            /**
+             * @description The ID of the FIDO key that must be use to approve the request
+             * @example FidoKey#EtDd...ZZc8=
+             */
+            key_id: string;
+          };
+        },
+      ]
+    >;
     /** @enum {string} */
-    MfaType: "CubeSigner" | "Totp" | "Fido";
+    MfaVote: "approve" | "reject";
     /**
      * @description Network name ('mainnet', 'prater', 'goerli')
      * @example goerli
@@ -1817,14 +2173,21 @@ export interface components {
        */
       token: string;
     };
+    /** @enum {string} */
+    NotFoundErrorCode:
+      | "UriSegmentMissing"
+      | "UriSegmentInvalid"
+      | "TotpNotConfigured"
+      | "FidoKeyNotFound"
+      | "FidoChallengeNotFound"
+      | "TotpChallengeNotFound"
+      | "UserExportRequestNotFound"
+      | "UserExportCiphertextNotFound";
     /**
      * @description Represents a globally unique OIDC-authorized user by expressing the full "path" to a user. That is:
      *
      * (iss)       (sub)
      * Issuer -> Subresource
-     *
-     * We include a non-standard third-tier `disambiguator` which allows us to map
-     * a single OIDC user to multiple `User`s in CubeSigner
      */
     OIDCIdentity: {
       /**
@@ -1945,20 +2308,35 @@ export interface components {
        */
       "page.start"?: string | null;
     };
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedListKeyRolesResponse: {
+      /** @description All roles the key is in */
+      roles: components["schemas"]["KeyInRoleInfo"][];
+    } & {
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
      */
     PaginatedListKeysResponse: {
       keys: components["schemas"]["KeyInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -1966,14 +2344,14 @@ export interface components {
     PaginatedListRoleKeysResponse: {
       /** @description All keys in a role */
       keys: components["schemas"]["KeyInRoleInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -1981,14 +2359,14 @@ export interface components {
     PaginatedListRoleUsersResponse: {
       /** @description All users in a role */
       users: components["schemas"]["UserInRoleInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -1996,14 +2374,14 @@ export interface components {
     PaginatedListRolesResponse: {
       /** @description All roles in an organization. */
       roles: components["schemas"]["RoleInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -2011,28 +2389,64 @@ export interface components {
     PaginatedSessionsResponse: {
       /** @description The list of sessions */
       sessions: components["schemas"]["SessionInfo"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
      */
     PaginatedUserExportListResponse: {
       export_requests: components["schemas"]["UserExportInitResponse"][];
-    } & ({
+    } & {
       /**
        * @description If set, the content of `response` does not contain the entire result set.
        * To fetch the next page of the result set, call the same endpoint
        * but specify this value as the 'page.start' query parameter.
        */
       last_evaluated_key?: string | null;
-    });
+    };
+    PolicyErrorCode:
+      | components["schemas"]["PolicyErrorOwnCodes"]
+      | components["schemas"]["EvmTxDepositErrorCode"];
+    /** @enum {string} */
+    PolicyErrorOwnCodes:
+      | "EvmTxReceiverMismatch"
+      | "EvmTxSenderMismatch"
+      | "PolicyDisjunctionError"
+      | "PolicyNegationError"
+      | "Eth2ExceededMaxUnstake"
+      | "Eth2ConcurrentUnstaking"
+      | "NotInIpv4Allowlist"
+      | "NotInOriginAllowlist"
+      | "InvalidSourceIp"
+      | "RawSigningNotAllowed"
+      | "Eip712SigningNotAllowed"
+      | "OidcSourceNotAllowed"
+      | "NoOidcAuthSourcesDefined"
+      | "AddKeyToRoleDisallowed"
+      | "KeysAlreadyInRole"
+      | "KeyInMultipleRoles"
+      | "KeyAccessError"
+      | "Eip191SigningNotAllowed";
+    PreconditionErrorCode:
+      | components["schemas"]["PreconditionErrorOwnCodes"]
+      | components["schemas"]["PolicyErrorCode"];
+    /** @enum {string} */
+    PreconditionErrorOwnCodes:
+      | "Eth2ProposerSlotTooLow"
+      | "Eth2AttestationSourceEpochTooLow"
+      | "Eth2AttestationTargetEpochTooLow"
+      | "Eth2ConcurrentBlockSigning"
+      | "Eth2ConcurrentAttestationSigning"
+      | "Eth2MultiDepositToNonGeneratedKey"
+      | "Eth2MultiDepositUnknownInitialDeposit"
+      | "Eth2MultiDepositWithdrawalAddressMismatch";
     /**
      * @description This type represents a wire-encodable form of the PublicKeyCredential interface
      * Clients may need to manually encode into this format to communicate with the server
@@ -2057,7 +2471,7 @@ export interface components {
        * This operation returns the value of [[clientExtensionsResults]], which is a map containing extension identifier → client extension output entries produced by the extension’s client extension processing.
        * https://www.w3.org/TR/webauthn-2/#ref-for-dom-publickeycredential-getclientextensionresults
        */
-      clientExtensionResults?: Record<string, unknown> | null;
+      clientExtensionResults?: unknown;
       /**
        * @description This internal slot contains the credential ID, chosen by the
        * authenticator. The credential ID is used to look up credentials for use,
@@ -2068,7 +2482,9 @@ export interface components {
        */
       id: string;
       /** @description Authenticators respond to Relying Party requests by returning an object derived from the AuthenticatorResponse interface */
-      response: components["schemas"]["AuthenticatorAttestationResponse"] | components["schemas"]["AuthenticatorAssertionResponse"];
+      response:
+        | components["schemas"]["AuthenticatorAttestationResponse"]
+        | components["schemas"]["AuthenticatorAssertionResponse"];
     };
     /**
      * @description Defines the parameters for the creation of a new public key credential
@@ -2108,7 +2524,7 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-extensions
        */
-      extensions?: Record<string, unknown> | null;
+      extensions?: unknown;
       /**
        * @description This member contains information about the desired properties of the
        * credential to be created. The sequence is ordered from most preferred to
@@ -2202,7 +2618,7 @@ export interface components {
        * https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialrequestoptions-challenge
        */
       challenge: string;
-      extensions?: Record<string, unknown> | null;
+      extensions?: unknown;
       /**
        * @description This OPTIONAL member specifies the relying party identifier claimed by
        * the caller. If omitted, its value will be the CredentialsContainer
@@ -2349,13 +2765,13 @@ export interface components {
       name: string;
     };
     RatchetConfig: {
-      /** @default 300 */
+      /** @default default_auth_lifetime */
       auth_lifetime?: components["schemas"]["Seconds"];
       /** @default default_grace_lifetime */
       grace_lifetime?: components["schemas"]["Seconds"];
-      /** @default 86400 */
+      /** @default default_refresh_lifetime */
       refresh_lifetime?: components["schemas"]["Seconds"];
-      /** @default 31536000 */
+      /** @default default_session_lifetime */
       session_lifetime?: components["schemas"]["Seconds"];
     };
     /** @description Receipt that an MFA request was approved. */
@@ -2369,6 +2785,15 @@ export interface components {
       final_approver: string;
       timestamp: components["schemas"]["EpochDateTime"];
     };
+    /**
+     * @description An extended form of `PublicKeyCredentialRequestOptions` that allows clients to derive the WebAuthn challenge
+     * from a structured preimage.
+     *
+     * This ensures that the webuathn signature can only be used for a specific purpose
+     */
+    RequestOptionsWithHash: components["schemas"]["ChallengePieces"] & {
+      options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+    };
     /**
      * @description This enumeration’s values describe the Relying Party's requirements for
      * client-side discoverable credentials (formerly known as resident credentials
@@ -2445,6 +2870,17 @@ export interface components {
       /** @description The list of sessions */
       sessions: components["schemas"]["SessionInfo"][];
     };
+    SignerErrorCode:
+      | components["schemas"]["SignerErrorOwnCodes"]
+      | components["schemas"]["AcceptedValueCode"]
+      | components["schemas"]["BadRequestErrorCode"]
+      | components["schemas"]["NotFoundErrorCode"]
+      | components["schemas"]["ForbiddenErrorCode"]
+      | components["schemas"]["UnauthorizedErrorCode"]
+      | components["schemas"]["PreconditionErrorCode"]
+      | components["schemas"]["InternalErrorCode"];
+    /** @enum {string} */
+    SignerErrorOwnCodes: "UnhandledError" | "ProxyStartError" | "EnclaveError";
     /**
      * @example {
      *   "message_base64": "AQABA8OKVzLEjststN4xXr39kLKHT8d58eQY1QEs6MeXwEFBrxTAlULX1troLbWxuAXQqgbQofGi6z8fJi7KAAIf7YMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJK0tn39k28s+X86W47EvbRRKnYBVQ8Q/l2m1EbfT7+vAQICAAEMAgAAAGQAAAAAAAAA"
@@ -2550,6 +2986,12 @@ export interface components {
       /** @description The name of the issuer; defaults to "Cubist". */
       issuer?: string | null;
     };
+    /** @enum {string} */
+    UnauthorizedErrorCode:
+      | "ClaimsHeaderMissing"
+      | "ClaimsParseError"
+      | "OidcIdentityHeaderMissing"
+      | "OidcIdentityParseError";
     /** @description Options that should be set only for local devnet testing. */
     UnsafeConf: {
       /**
@@ -2618,6 +3060,11 @@ export interface components {
        * Once disabled, a key cannot be used for signing.
        */
       enabled?: boolean | null;
+      /**
+       * @description If set, update this key's metadata. Validation regex: ^[A-Za-z0-9_=+/ \-\.\,]{0,1024}$
+       * @example Contract admin key
+       */
+      metadata?: string | null;
       /**
        * @description If set, updates key's owner to this value.
        * The new owner must be an existing user who is a member of the same org.
@@ -2860,12 +3307,20 @@ export interface components {
       user_id: string;
     };
     UserInfo: {
-      /** @example alice@example.com */
+      /**
+       * @description Optional email
+       * @example alice@example.com
+       */
       email: string;
       /** @description All multi-factor authentication methods configured for this user */
       mfa: components["schemas"]["ConfiguredMfa"][];
       /** @description MFA policy, applies before logging in and other sensitive operations */
-      mfa_policy?: Record<string, unknown> | null;
+      mfa_policy?: unknown;
+      /**
+       * @description Optional name
+       * @example Alice
+       */
+      name?: string | null;
       /**
        * @description All organizations the user belongs to
        * @example [
@@ -2978,7 +3433,7 @@ export interface components {
         };
       };
     };
-    Eip712SignResponse: {
+    Eip191Or712SignResponse: {
       content: {
         "application/json": {
           /**
@@ -3022,10 +3477,11 @@ export interface components {
     };
     FidoAssertChallenge: {
       content: {
-        "application/json": {
+        "application/json": (components["schemas"]["ChallengePieces"] & {
+          options: components["schemas"]["PublicKeyCredentialRequestOptions"];
+        }) & {
           /** @description The id of the challenge. Must be supplied when answering the challenge. */
           challenge_id: string;
-          options: components["schemas"]["PublicKeyCredentialRequestOptions"];
         };
       };
     };
@@ -3035,10 +3491,11 @@ export interface components {
      */
     FidoCreateChallengeResponse: {
       content: {
-        "application/json": {
+        "application/json": (components["schemas"]["ChallengePieces"] & {
+          options: components["schemas"]["PublicKeyCredentialCreationOptions"];
+        }) & {
           /** @description The id of the challenge. Must be supplied when answering the challenge. */
           challenge_id: string;
-          options: components["schemas"]["PublicKeyCredentialCreationOptions"];
         };
       };
     };
@@ -3056,7 +3513,7 @@ export interface components {
      */
     IdentityProof: {
       content: {
-        "application/json": ({
+        "application/json": {
           /**
            * @description OIDC audience; set only if the proof was obtained by using OIDC token.
            *
@@ -3071,7 +3528,7 @@ export interface components {
           exp_epoch: components["schemas"]["EpochDateTime"];
           identity?: components["schemas"]["OIDCIdentity"] | null;
           user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
-        }) & {
+        } & {
           /** @description An opaque identifier for the proof */
           id: string;
         };
@@ -3127,6 +3584,12 @@ export interface components {
            * @example 0x8e3484687e66cdd26cf04c3647633ab4f3570148
            */
           material_id: string;
+          /**
+           * @description User-defined metadata. When rendering (e.g., in the browser) you should treat
+           * it as untrusted user data (and avoid injecting metadata into HTML directly) if
+           * untrusted users can create/update keys (or their metadata).
+           */
+          metadata?: string;
           /**
            * @description Owner of the key
            * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
@@ -3283,18 +3746,33 @@ export interface components {
         };
       };
     };
+    PaginatedListKeyRolesResponse: {
+      content: {
+        "application/json": {
+          /** @description All roles the key is in */
+          roles: components["schemas"]["KeyInRoleInfo"][];
+        } & {
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        };
+      };
+    };
     PaginatedListKeysResponse: {
       content: {
         "application/json": {
           keys: components["schemas"]["KeyInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedListRoleKeysResponse: {
@@ -3302,14 +3780,14 @@ export interface components {
         "application/json": {
           /** @description All keys in a role */
           keys: components["schemas"]["KeyInRoleInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedListRoleUsersResponse: {
@@ -3317,14 +3795,14 @@ export interface components {
         "application/json": {
           /** @description All users in a role */
           users: components["schemas"]["UserInRoleInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedListRolesResponse: {
@@ -3332,14 +3810,14 @@ export interface components {
         "application/json": {
           /** @description All roles in an organization. */
           roles: components["schemas"]["RoleInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedSessionsResponse: {
@@ -3347,28 +3825,28 @@ export interface components {
         "application/json": {
           /** @description The list of sessions */
           sessions: components["schemas"]["SessionInfo"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     PaginatedUserExportListResponse: {
       content: {
         "application/json": {
           export_requests: components["schemas"]["UserExportInitResponse"][];
-        } & ({
+        } & {
           /**
            * @description If set, the content of `response` does not contain the entire result set.
            * To fetch the next page of the result set, call the same endpoint
            * but specify this value as the 'page.start' query parameter.
            */
           last_evaluated_key?: string | null;
-        });
+        };
       };
     };
     RevokeTokenResponse: {
@@ -3600,12 +4078,20 @@ export interface components {
     UserInfo: {
       content: {
         "application/json": {
-          /** @example alice@example.com */
+          /**
+           * @description Optional email
+           * @example alice@example.com
+           */
           email: string;
           /** @description All multi-factor authentication methods configured for this user */
           mfa: components["schemas"]["ConfiguredMfa"][];
           /** @description MFA policy, applies before logging in and other sensitive operations */
-          mfa_policy?: Record<string, unknown> | null;
+          mfa_policy?: unknown;
+          /**
+           * @description Optional name
+           * @example Alice
+           */
+          name?: string | null;
           /**
            * @description All organizations the user belongs to
            * @example [
@@ -3633,7 +4119,6 @@ export type $defs = Record<string, never>;
 export type external = Record<string, never>;
 
 export interface operations {
-
   /**
    * User Info
    * @description User Info
@@ -3818,6 +4303,46 @@ export interface operations {
       };
     };
   };
+  /**
+   * Sign EIP-191 Data
+   * @description Sign EIP-191 Data
+   *
+   * Signs a message using EIP-191 personal_sign with a given Secp256k1 key.
+   */
+  eip191Sign: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Hex-encoded EVM address of the Secp256k1 key
+         * @example 0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
+         */
+        pubkey: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["Eip191SignRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["Eip191Or712SignResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Sign EIP-712 Typed Data
    * @description Sign EIP-712 Typed Data
@@ -3833,7 +4358,7 @@ export interface operations {
          */
         org_id: string;
         /**
-         * @description Hex-encoded ethereum address of the secp key
+         * @description Hex-encoded EVM address of the Secp256k1 key
          * @example 0x49011adbCC3bC9c0307BB07F37Dda1a1a9c69d2E
          */
         pubkey: string;
@@ -3845,7 +4370,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["Eip712SignResponse"];
+      200: components["responses"]["Eip191Or712SignResponse"];
       202: {
         content: {
           "application/json": components["schemas"]["AcceptedResponse"];
@@ -3943,8 +4468,7 @@ export interface operations {
         "application/json": components["schemas"]["IdentityProof"];
       };
     };
-    responses: {
-    };
+    responses: {};
   };
   /**
    * Create Key-Import Key
@@ -4202,6 +4726,51 @@ export interface operations {
       };
     };
   };
+  /**
+   * List Key Roles
+   * @description List Key Roles
+   *
+   * Get all roles the key is in
+   */
+  listKeyRoles: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: components["schemas"]["LastEvalKey"] | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedListKeyRolesResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * List Pending MFA Requests
    * @description List Pending MFA Requests
@@ -4259,16 +4828,23 @@ export interface operations {
     };
   };
   /**
-   * Approve MFA Request
-   * @description Approve MFA Request
+   * Approve or Reject MFA Request
+   * @description Approve or Reject MFA Request
    *
-   * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+   * Approve or reject request after logging in with CubeSigner.
+   *
+   * If approving, adds the currently-logged user as an approver
    * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
    * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
    * resume the original HTTP request.
+   *
+   * If rejecting, immediately deletes the pending MFA request.
    */
-  mfaApproveCs: {
+  mfaVoteCs: {
     parameters: {
+      query?: {
+        mfa_vote?: components["schemas"]["MfaVote"] | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -4292,12 +4868,12 @@ export interface operations {
     };
   };
   /**
-   * Initiate Approving an MFA Request with FIDO
-   * @description Initiate Approving an MFA Request with FIDO
+   * Initiate a FIDO MFA Approval/Rejection
+   * @description Initiate a FIDO MFA Approval/Rejection
    *
-   * Initiates the approval process of an MFA Request using FIDO.
+   * Initiates the approval/rejection process of an MFA Request using FIDO.
    */
-  mfaApproveFido: {
+  mfaFidoInit: {
     parameters: {
       path: {
         /**
@@ -4322,16 +4898,20 @@ export interface operations {
     };
   };
   /**
-   * Finalize a FIDO MFA Approval
-   * @description Finalize a FIDO MFA Approval
-   *
-   * Adds an approver to a pending MFA request.
+   * Finalize a FIDO MFA Approval/Rejection
+   * @description Finalize a FIDO MFA Approval/Rejection
    *
+   * If approving, adds an approver to a pending MFA request.
    * If the required number of approvers is reached, the MFA request is approved;
    * the confirmation receipt can be used to resume the original HTTP request.
+   *
+   * If rejecting, immediately deletes the pending MFA request.
    */
-  mfaApproveFidoComplete: {
+  mfaVoteFidoComplete: {
     parameters: {
+      query?: {
+        mfa_vote?: components["schemas"]["MfaVote"] | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -4360,16 +4940,20 @@ export interface operations {
     };
   };
   /**
-   * Approve a TOTP MFA Request
-   * @description Approve a TOTP MFA Request
+   * Approve/Reject a TOTP MFA Request
+   * @description Approve/Reject a TOTP MFA Request
    *
-   * Adds the current user as approver to a pending MFA request by providing TOTP code.
+   * If approving, adds the current user as approver to a pending MFA request by
+   * providing TOTP code. If the required number of approvers is reached, the MFA request is
+   * approved; the confirmation receipt can be used to resume the original HTTP request.
    *
-   * If the required number of approvers is reached, the MFA request is approved;
-   * the confirmation receipt can be used to resume the original HTTP request.
+   * If rejecting, immediately deletes the pending MFA request.
    */
-  mfaApproveTotp: {
+  mfaVoteTotp: {
     parameters: {
+      query?: {
+        mfa_vote?: components["schemas"]["MfaVote"] | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -4541,7 +5125,7 @@ export interface operations {
    * @description Delete Role
    *
    * Deletes a role in an organization.
-   * Only organization owners can perform this action.
+   * Only users in the role can perform this action.
    */
   deleteRole: {
     parameters: {
@@ -4571,7 +5155,8 @@ export interface operations {
    * Update Role
    * @description Update Role
    *
-   * Enables or disables a role.
+   * Enables or disables a role (this requires the `manage:role:update:enable` scope).
+   * Updates the role's policies (this requires the `manage:role:update:policy` scope).
    * The user must be in the role or an owner of the organization.
    */
   updateRole: {
@@ -4629,8 +5214,7 @@ export interface operations {
         "application/json": components["schemas"]["AddKeysToRoleRequest"];
       };
     };
-    responses: {
-    };
+    responses: {};
   };
   /**
    * Add User
@@ -4659,8 +5243,7 @@ export interface operations {
         user_id: string;
       };
     };
-    responses: {
-    };
+    responses: {};
   };
   /**
    * List Role Keys
@@ -4733,8 +5316,7 @@ export interface operations {
         key_id: string;
       };
     };
-    responses: {
-    };
+    responses: {};
   };
   /**
    * List a single page of Tokens (Deprecated)
@@ -4924,6 +5506,35 @@ export interface operations {
       };
     };
   };
+  /**
+   * Remove User
+   * @description Remove User
+   *
+   * Removes an existing user from an existing role.
+   * Only users in the role or org owners can remove users from a role.
+   */
+  removeUserFromRole: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description Name or ID of the desired Role
+         * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_id: string;
+        /**
+         * @description ID of the desired User
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        user_id: string;
+      };
+    };
+    responses: {};
+  };
   /**
    * List sessions
    * @description List sessions
@@ -4973,7 +5584,8 @@ export interface operations {
    * Create new user session (management and/or signing)
    * @description Create new user session (management and/or signing)
    *
-   * Create a new user session
+   * Creates a new user session, silently truncating requested session and auth lifetimes
+   * to be at most requestor's session and auth lifetime, respectively.
    */
   createSession: {
     parameters: {
@@ -5875,9 +6487,9 @@ export interface operations {
         org_id: string;
       };
     };
-    requestBody: {
+    requestBody?: {
       content: {
-        "application/json": components["schemas"]["HeartbeatRequest"];
+        "application/json": components["schemas"]["HeartbeatRequest"] | null;
       };
     };
     responses: {