@cubist-labs/cubesigner-sdk 0.3.1 → 0.3.11

package/dist/cjs/src/schema.d.ts

@@ -188,6 +188,15 @@ export interface paths {
          */
         patch: operations["updateKey"];
     };
+    "/v0/org/{org_id}/keys/{key_id}/roles": {
+        /**
+         * List Key Roles
+         * @description List Key Roles
+         *
+         * Get all roles the key is in
+         */
+        get: operations["listKeyRoles"];
+    };
     "/v0/org/{org_id}/mfa": {
         /**
          * List Pending MFA Requests
@@ -207,46 +216,67 @@ export interface paths {
          */
         get: operations["mfaGet"];
         /**
-         * Approve MFA Request
-         * @description Approve MFA Request
+         * Approve or Reject MFA Request
+         * @description Approve or Reject MFA Request
          *
-         * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+         * Approve or reject request after logging in with CubeSigner.
+         *
+         * If approving, adds the currently-logged user as an approver
          * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
          * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
          * resume the original HTTP request.
+         *
+         * If rejecting, immediately deletes the pending MFA request.
          */
-        patch: operations["mfaApproveCs"];
+        patch: operations["mfaVoteCs"];
     };
     "/v0/org/{org_id}/mfa/{mfa_id}/fido": {
         /**
-         * Initiate Approving an MFA Request with FIDO
-         * @description Initiate Approving an MFA Request with FIDO
+         * Initiate a FIDO MFA Approval/Rejection
+         * @description Initiate a FIDO MFA Approval/Rejection
          *
-         * Initiates the approval process of an MFA Request using FIDO.
+         * Initiates the approval/rejection process of an MFA Request using FIDO.
          */
-        post: operations["mfaApproveFido"];
+        post: operations["mfaFidoInit"];
         /**
-         * Finalize a FIDO MFA Approval
-         * @description Finalize a FIDO MFA Approval
-         *
-         * Adds an approver to a pending MFA request.
+         * Finalize a FIDO MFA Approval/Rejection
+         * @description Finalize a FIDO MFA Approval/Rejection
          *
+         * If approving, adds an approver to a pending MFA request.
          * If the required number of approvers is reached, the MFA request is approved;
          * the confirmation receipt can be used to resume the original HTTP request.
+         *
+         * If rejecting, immediately deletes the pending MFA request.
          */
-        patch: operations["mfaApproveFidoComplete"];
+        patch: operations["mfaVoteFidoComplete"];
     };
     "/v0/org/{org_id}/mfa/{mfa_id}/totp": {
         /**
-         * Approve a TOTP MFA Request
-         * @description Approve a TOTP MFA Request
+         * Approve/Reject a TOTP MFA Request
+         * @description Approve/Reject a TOTP MFA Request
          *
-         * Adds the current user as approver to a pending MFA request by providing TOTP code.
+         * If approving, adds the current user as approver to a pending MFA request by
+         * providing TOTP code. If the required number of approvers is reached, the MFA request is
+         * approved; the confirmation receipt can be used to resume the original HTTP request.
          *
-         * If the required number of approvers is reached, the MFA request is approved;
-         * the confirmation receipt can be used to resume the original HTTP request.
+         * If rejecting, immediately deletes the pending MFA request.
          */
-        patch: operations["mfaApproveTotp"];
+        patch: operations["mfaVoteTotp"];
+    };
+    "/v0/org/{org_id}/oauth2/twitter": {
+        /**
+         * Mint an OIDC ID token for Twitter
+         * @description Mint an OIDC ID token for Twitter
+         *
+         * This function acts identically to Twitter's [`oauth2/token`](https://developer.twitter.com/en/docs/authentication/api-reference/token) endpoint,
+         * but extends the output with an `id_token`.
+         *
+         * This `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.
+         *
+         * > [!IMPORTANT]
+         * > This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.
+         */
+        post: operations["oauth2Twitter"];
     };
     "/v0/org/{org_id}/oidc": {
         /**
@@ -391,6 +421,16 @@ export interface paths {
          */
         get: operations["listRoleUsers"];
     };
+    "/v0/org/{org_id}/roles/{role_id}/users/{user_id}": {
+        /**
+         * Remove User
+         * @description Remove User
+         *
+         * Removes an existing user from an existing role.
+         * Only users in the role or org owners can remove users from a role.
+         */
+        delete: operations["removeUserFromRole"];
+    };
     "/v0/org/{org_id}/session": {
         /**
          * List sessions
@@ -744,6 +784,8 @@ export interface components {
                 session?: components["schemas"]["NewSessionResponse"] | null;
             };
         };
+        /** @enum {string} */
+        AcceptedValueCode: "MfaRequired";
         AddKeysToRoleRequest: {
             /**
              * @description A list of keys to add to a role
@@ -789,6 +831,11 @@ export interface components {
             identity: components["schemas"]["OIDCIdentity"];
             /** @description Optional login MFA policy */
             mfa_policy?: unknown;
+            /**
+             * @description Optional user full name
+             * @example Alice Wonderland
+             */
+            name?: string | null;
             role: components["schemas"]["MemberRole"];
         };
         AddThirdPartyUserResponse: {
@@ -950,6 +997,10 @@ export interface components {
         };
         /** @description Wrapper around a zeroizing 32-byte fixed-size array */
         B32: string;
+        /** @enum {string} */
+        BadGatewayErrorCode: "OAuthProviderError";
+        /** @enum {string} */
+        BadRequestErrorCode: "GenericBadRequest" | "InvalidBody" | "TokenRequestError" | "InvalidMfaReceipt" | "InvalidMfaPolicyCount" | "InvalidMfaPolicyNumAuthFactors" | "InvalidMfaPolicyNumAllowedApprovers" | "InvalidMfaPolicyRedundantRule" | "InvalidCreateKeyCount" | "OrgInviteExistingUser" | "OrgNameTaken" | "RoleNameTaken" | "AddKeyToRoleCountTooHigh" | "InvalidKeyId" | "InvalidKeyMetadataLength" | "InvalidKeyMetadata" | "InvalidKeyMaterialId" | "KeyNotFound" | "UserExportDerivedKey" | "UserExportPublicKeyInvalid" | "UserExportInProgress" | "RoleNotFound" | "InvalidMfaReceiptOrgIdMissing" | "InvalidMfaReceiptInvalidOrgId" | "MfaRequestNotFound" | "InvalidKeyType" | "InvalidKeyMaterial" | "InvalidHexValue" | "InvalidBase32Value" | "InvalidBase58Value" | "InvalidForkVersionLength" | "InvalidEthAddress" | "InvalidStellarAddress" | "InvalidOrgNameOrId" | "InvalidStakeDeposit" | "InvalidBlobSignRequest" | "InvalidSolanaSignRequest" | "InvalidEip712SignRequest" | "InvalidEvmSignRequest" | "InvalidEth2SignRequest" | "InvalidDeriveKeyRequest" | "InvalidStakingAmount" | "CustomStakingAmountNotAllowedForWrapperContract" | "InvalidUnstakeRequest" | "InvalidCreateUserRequest" | "UserAlreadyExists" | "UserNotFound" | "PolicyRuleKeyMismatch" | "EmptyScopes" | "InvalidScopesForRoleSession" | "InvalidLifetime" | "NoSingleKeyForUser" | "InvalidOrgPolicyRule" | "SourceIpAllowlistEmpty" | "InvalidOrgPolicyRepeatedRule" | "AvaSignHashError" | "AvaSignError" | "BtcSegwitHashError" | "BtcSignError" | "Eip712SignError" | "InvalidMemberRoleInUserAdd" | "ThirdPartyUserAlreadyExists" | "ThirdPartyUserNotFound" | "DeleteOidcUserError" | "SessionRoleMismatch" | "InvalidOidcToken" | "OidcIssuerUnsupported" | "OidcIssuerNotAllowed" | "OidcIssuerNoApplicableJwk" | "FidoKeyAlreadyRegistered" | "FidoKeySignCountTooLow" | "FidoVerificationFailed" | "FidoChallengeMfaMismatch" | "UnsupportedLegacyCognitoSession" | "InvalidIdentityProof" | "PaginationDataExpired" | "ExistingKeysViolateExclusiveKeyAccess" | "ExportDelayTooShort" | "ExportWindowTooLong" | "InvalidTotpFailureLimit" | "InvalidEip191SignRequest" | "CannotResendUserInvitation";
         /**
          * @example {
          *   "message_base64": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTYK"
@@ -1148,6 +1199,8 @@ export interface components {
             configured_mfa: components["schemas"]["ConfiguredMfa"][];
             /** @description Set once the user successfully logs into CubeSigner */
             initialized: boolean;
+            /** @description Optional human name for the user */
+            name?: string | null;
             /** @description CubeSigner's user identifier */
             user_id: string;
         };
@@ -1326,6 +1379,7 @@ export interface components {
         /** @description The structure of ErrorResponse must match the response template that AWS uses */
         ErrorResponse: {
             accepted?: components["schemas"]["AcceptedValue"] | null;
+            error_code: components["schemas"]["SignerErrorCode"];
             /** @description Error message */
             message: string;
             /** @description Optional request identifier */
@@ -1403,6 +1457,8 @@ export interface components {
              */
             signature: string;
         };
+        /** @enum {string} */
+        EvmTxDepositErrorCode: "EvmTxDepositReceiverMismatch" | "EvmTxDepositEmptyData" | "EvmTxDepositEmptyChainId" | "EvmTxDepositEmptyReceiver" | "EvmTxDepositUnexpectedValue" | "EvmTxDepositUnexpectedDataLength" | "EvmTxDepositNoAbi" | "EvmTxDepositNoDepositFunction" | "EvmTxDepositUnexpectedFunctionName" | "EvmTxDepositUnexpectedValidatorKey" | "EvmTxDepositInvalidValidatorKey" | "EvmTxDepositMissingDepositArg" | "EvmTxDepositWrongDepositArgType" | "EvmTxDepositWrongValidatorArgValue" | "EvmTxDepositValidatorKeyNotInRole" | "EvmTxDepositUnexpectedWithdrawalCredentials" | "EvmTxDepositUnresolvedRole" | "EvmTxDepositInvalidDepositEncoding";
         /** @description Sent from the client to the server to answer a fido challenge */
         FidoAssertAnswer: {
             /** @description The ID of the challenge that was returned from the POST endpoint */
@@ -1439,6 +1495,8 @@ export interface components {
              */
             name: string;
         };
+        /** @enum {string} */
+        ForbiddenErrorCode: "FidoRequiredToRemoveTotp" | "MfaChallengeExpired" | "ChainIdNotAllowed" | "InvalidOrg" | "SessionForWrongOrg" | "OrgDisabled" | "OrgNotFound" | "OrgWithoutOwner" | "OrphanedUser" | "OidcUserNotFound" | "UserNotInOrg" | "UserNotOrgOwner" | "UserNotKeyOwner" | "InvalidRole" | "DisabledRole" | "KeyDisabled" | "RoleNotInOrg" | "KeyNotInRole" | "KeyNotInOrg" | "UserExportRequestNotInOrg" | "UserExportRequestInvalid" | "UserNotOriginalKeyOwner" | "UserNotInRole" | "MustBeFullMember" | "SessionExpired" | "SessionRevoked" | "ExpectedUserSession" | "SessionRoleChanged" | "ScopedNameNotFound" | "SessionInvalidEpochToken" | "SessionInvalidRefreshToken" | "SessionRefreshTokenExpired" | "InvalidAuthHeader" | "SessionNotFound" | "InvalidArn" | "SessionInvalidAuthToken" | "SessionAuthTokenExpired" | "SessionPossiblyStolenToken" | "MfaDisallowedIdentity" | "MfaDisallowedApprover" | "MfaTypeNotAllowed" | "MfaNotApprovedYet" | "MfaConfirmationCodeMismatch" | "MfaHttpRequestMismatch" | "MfaRemoveBelowMin" | "TotpAlreadyConfigured" | "TotpConfigurationChanged" | "MfaTotpBadConfiguration" | "MfaTotpBadCode" | "MfaTotpRateLimit" | "ImproperSessionScope" | "FullSessionRequired" | "SessionWithoutAnyScopeUnder" | "UserRoleUnprivileged" | "MfaNotConfigured";
         /**
          * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
          * The schema of `Fork` is defined in the [Beacon chain
@@ -1573,9 +1631,14 @@ export interface components {
              * @description The email associated with the user
              * @example user@email.com
              */
-            email: string;
+            email?: string | null;
             exp_epoch: components["schemas"]["EpochDateTime"];
             identity?: components["schemas"]["OIDCIdentity"] | null;
+            /**
+             * @description The username (if any) associated with the user
+             * @example cubistdev
+             */
+            preferred_username?: string | null;
             user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
         } & {
             /** @description An opaque identifier for the proof */
@@ -1603,6 +1666,8 @@ export interface components {
              */
             salt: string;
         };
+        /** @enum {string} */
+        InternalErrorCode: "SystemTimeError" | "ReqwestError" | "DbQueryError" | "DbGetError" | "DbDeleteError" | "DbPutError" | "DbUpdateError" | "SerdeError" | "TestAndSetError" | "DbGetItemsError" | "DbWriteError" | "CubistSignerError" | "CwPutMetricDataError" | "KmsGenerateRandomError" | "MalformedTotpBytes" | "KmsGenerateRandomNoResponseError" | "CreateKeyError" | "ParseDerivationPathError" | "SplitSignerError" | "CreateImportKeyError" | "CognitoDeleteUserError" | "CognitoListUsersError" | "CognitoGetUserError" | "MissingUserEmail" | "CognitoResendUserInvitation" | "CognitoSetUserPasswordError" | "GenericInternalError" | "OidcAuthWithoutOrg" | "MissingKeyMetadata" | "KmsKeyWithoutId" | "KmsEnableKeyError" | "KmsDisableKeyError" | "SerializeEncryptedExportKeyError" | "DeserializeEncryptedExportKeyError" | "ReEncryptUserExport" | "S3UploadError" | "S3DownloadError" | "ManagedStateMissing" | "InternalHeaderMissing" | "InvalidInternalHeaderValue" | "RequestLocalStateAlreadySet" | "OidcOrgMismatch" | "OrphanedRoleKeyId" | "OidcIssuerJwkEndpointUnavailable" | "OidcIssuerInvalidJwk" | "InvalidPkForMaterialId" | "UncheckedOrg" | "AvaSignCredsMissing" | "AvaSignSignatureMissing" | "ExpectedRoleSession" | "InvalidThirdPartyIdentity" | "CognitoGetUser";
         InviteRequest: {
             /**
              * @description The user's email address
@@ -1758,6 +1823,11 @@ export interface components {
              * ]
              */
             policy?: Record<string, never>[];
+            /**
+             * @description Role ID
+             * @example Role#e427c28a-9c5b-49cc-a257-878aea58a22c
+             */
+            role_id: string;
         };
         KeyInfo: {
             derivation_info?: components["schemas"]["KeyDerivationInfo"] | null;
@@ -1861,6 +1931,8 @@ export interface components {
                 };
             }
         ]>;
+        /** @enum {string} */
+        MfaVote: "approve" | "reject";
         /**
          * @description Network name ('mainnet', 'prater', 'goerli')
          * @example goerli
@@ -1882,14 +1954,13 @@ export interface components {
              */
             token: string;
         };
+        /** @enum {string} */
+        NotFoundErrorCode: "UriSegmentMissing" | "UriSegmentInvalid" | "TotpNotConfigured" | "FidoKeyNotFound" | "FidoChallengeNotFound" | "TotpChallengeNotFound" | "UserExportRequestNotFound" | "UserExportCiphertextNotFound";
         /**
          * @description Represents a globally unique OIDC-authorized user by expressing the full "path" to a user. That is:
          *
          * (iss)       (sub)
          * Issuer -> Subresource
-         *
-         * We include a non-standard third-tier `disambiguator` which allows us to map
-         * a single OIDC user to multiple `User`s in CubeSigner
          */
         OIDCIdentity: {
             /**
@@ -2010,6 +2081,21 @@ export interface components {
              */
             "page.start"?: string | null;
         };
+        /**
+         * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+         * value (which can the user pass back to use as a url query parameter to continue pagination).
+         */
+        PaginatedListKeyRolesResponse: {
+            /** @description All roles the key is in */
+            roles: components["schemas"]["KeyInRoleInfo"][];
+        } & {
+            /**
+             * @description If set, the content of `response` does not contain the entire result set.
+             * To fetch the next page of the result set, call the same endpoint
+             * but specify this value as the 'page.start' query parameter.
+             */
+            last_evaluated_key?: string | null;
+        };
         /**
          * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
          * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -2098,6 +2184,12 @@ export interface components {
              */
             last_evaluated_key?: string | null;
         };
+        PolicyErrorCode: components["schemas"]["PolicyErrorOwnCodes"] | components["schemas"]["EvmTxDepositErrorCode"];
+        /** @enum {string} */
+        PolicyErrorOwnCodes: "EvmTxReceiverMismatch" | "EvmTxSenderMismatch" | "PolicyDisjunctionError" | "PolicyNegationError" | "Eth2ExceededMaxUnstake" | "Eth2ConcurrentUnstaking" | "NotInIpv4Allowlist" | "NotInOriginAllowlist" | "InvalidSourceIp" | "RawSigningNotAllowed" | "Eip712SigningNotAllowed" | "OidcSourceNotAllowed" | "NoOidcAuthSourcesDefined" | "AddKeyToRoleDisallowed" | "KeysAlreadyInRole" | "KeyInMultipleRoles" | "KeyAccessError" | "Eip191SigningNotAllowed";
+        PreconditionErrorCode: components["schemas"]["PreconditionErrorOwnCodes"] | components["schemas"]["PolicyErrorCode"];
+        /** @enum {string} */
+        PreconditionErrorOwnCodes: "Eth2ProposerSlotTooLow" | "Eth2AttestationSourceEpochTooLow" | "Eth2AttestationTargetEpochTooLow" | "Eth2ConcurrentBlockSigning" | "Eth2ConcurrentAttestationSigning" | "Eth2MultiDepositToNonGeneratedKey" | "Eth2MultiDepositUnknownInitialDeposit" | "Eth2MultiDepositWithdrawalAddressMismatch";
         /**
          * @description This type represents a wire-encodable form of the PublicKeyCredential interface
          * Clients may need to manually encode into this format to communicate with the server
@@ -2519,6 +2611,9 @@ export interface components {
             /** @description The list of sessions */
             sessions: components["schemas"]["SessionInfo"][];
         };
+        SignerErrorCode: components["schemas"]["SignerErrorOwnCodes"] | components["schemas"]["AcceptedValueCode"] | components["schemas"]["BadRequestErrorCode"] | components["schemas"]["BadGatewayErrorCode"] | components["schemas"]["NotFoundErrorCode"] | components["schemas"]["ForbiddenErrorCode"] | components["schemas"]["UnauthorizedErrorCode"] | components["schemas"]["PreconditionErrorCode"] | components["schemas"]["InternalErrorCode"];
+        /** @enum {string} */
+        SignerErrorOwnCodes: "UnhandledError" | "ProxyStartError" | "EnclaveError";
         /**
          * @example {
          *   "message_base64": "AQABA8OKVzLEjststN4xXr39kLKHT8d58eQY1QEs6MeXwEFBrxTAlULX1troLbWxuAXQqgbQofGi6z8fJi7KAAIf7YMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJK0tn39k28s+X86W47EvbRRKnYBVQ8Q/l2m1EbfT7+vAQICAAEMAgAAAGQAAAAAAAAA"
@@ -2596,6 +2691,21 @@ export interface components {
             /** @description Tokens purpose */
             purpose: string;
         };
+        /**
+         * @description OAuth2 standard Token Response.
+         *
+         * https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
+         */
+        TokenResponse: {
+            /** @description The access token issued by the authorization server. */
+            access_token: string;
+            expires_in: components["schemas"]["Seconds"];
+            /** @description An OIDC token issued by Cubist, containing user information */
+            id_token?: string;
+            /** @description The type of the token issued. Value is case insensitive. */
+            token_type: string;
+            [key: string]: unknown;
+        };
         TotpApproveRequest: {
             /** @description TOTP verification code */
             code: string;
@@ -2624,6 +2734,8 @@ export interface components {
             /** @description The name of the issuer; defaults to "Cubist". */
             issuer?: string | null;
         };
+        /** @enum {string} */
+        UnauthorizedErrorCode: "ClaimsHeaderMissing" | "ClaimsParseError" | "OidcIdentityHeaderMissing" | "OidcIdentityParseError";
         /** @description Options that should be set only for local devnet testing. */
         UnsafeConf: {
             /**
@@ -2939,12 +3051,20 @@ export interface components {
             user_id: string;
         };
         UserInfo: {
-            /** @example alice@example.com */
+            /**
+             * @description Optional email
+             * @example alice@example.com
+             */
             email: string;
             /** @description All multi-factor authentication methods configured for this user */
             mfa: components["schemas"]["ConfiguredMfa"][];
             /** @description MFA policy, applies before logging in and other sensitive operations */
             mfa_policy?: unknown;
+            /**
+             * @description Optional name
+             * @example Alice
+             */
+            name?: string | null;
             /**
              * @description All organizations the user belongs to
              * @example [
@@ -3148,9 +3268,14 @@ export interface components {
                      * @description The email associated with the user
                      * @example user@email.com
                      */
-                    email: string;
+                    email?: string | null;
                     exp_epoch: components["schemas"]["EpochDateTime"];
                     identity?: components["schemas"]["OIDCIdentity"] | null;
+                    /**
+                     * @description The username (if any) associated with the user
+                     * @example cubistdev
+                     */
+                    preferred_username?: string | null;
                     user_info?: components["schemas"]["CubeSignerUserInfo"] | null;
                 } & {
                     /** @description An opaque identifier for the proof */
@@ -3370,6 +3495,21 @@ export interface components {
                 };
             };
         };
+        PaginatedListKeyRolesResponse: {
+            content: {
+                "application/json": {
+                    /** @description All roles the key is in */
+                    roles: components["schemas"]["KeyInRoleInfo"][];
+                } & {
+                    /**
+                     * @description If set, the content of `response` does not contain the entire result set.
+                     * To fetch the next page of the result set, call the same endpoint
+                     * but specify this value as the 'page.start' query parameter.
+                     */
+                    last_evaluated_key?: string | null;
+                };
+            };
+        };
         PaginatedListKeysResponse: {
             content: {
                 "application/json": {
@@ -3569,6 +3709,25 @@ export interface components {
                 };
             };
         };
+        /**
+         * @description OAuth2 standard Token Response.
+         *
+         * https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2
+         */
+        TokenResponse: {
+            content: {
+                "application/json": {
+                    /** @description The access token issued by the authorization server. */
+                    access_token: string;
+                    expires_in: components["schemas"]["Seconds"];
+                    /** @description An OIDC token issued by Cubist, containing user information */
+                    id_token?: string;
+                    /** @description The type of the token issued. Value is case insensitive. */
+                    token_type: string;
+                    [key: string]: unknown;
+                };
+            };
+        };
         TotpInfo: {
             content: {
                 "application/json": {
@@ -3687,12 +3846,20 @@ export interface components {
         UserInfo: {
             content: {
                 "application/json": {
-                    /** @example alice@example.com */
+                    /**
+                     * @description Optional email
+                     * @example alice@example.com
+                     */
                     email: string;
                     /** @description All multi-factor authentication methods configured for this user */
                     mfa: components["schemas"]["ConfiguredMfa"][];
                     /** @description MFA policy, applies before logging in and other sensitive operations */
                     mfa_policy?: unknown;
+                    /**
+                     * @description Optional name
+                     * @example Alice
+                     */
+                    name?: string | null;
                     /**
                      * @description All organizations the user belongs to
                      * @example [
@@ -4324,6 +4491,51 @@ export interface operations {
             };
         };
     };
+    /**
+     * List Key Roles
+     * @description List Key Roles
+     *
+     * Get all roles the key is in
+     */
+    listKeyRoles: {
+        parameters: {
+            query?: {
+                /**
+                 * @description Max number of items to return per page.
+                 *
+                 * If the actual number of returned items may be less that this, even if there exist more
+                 * data in the result set. To reliably determine if more data is left in the result set,
+                 * inspect the [UnencryptedLastEvalKey] value in the response object.
+                 */
+                "page.size"?: number;
+                /**
+                 * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+                 * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+                 */
+                "page.start"?: components["schemas"]["LastEvalKey"] | null;
+            };
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description ID of the desired Key
+                 * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                key_id: string;
+            };
+        };
+        responses: {
+            200: components["responses"]["PaginatedListKeyRolesResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * List Pending MFA Requests
      * @description List Pending MFA Requests
@@ -4381,16 +4593,23 @@ export interface operations {
         };
     };
     /**
-     * Approve MFA Request
-     * @description Approve MFA Request
+     * Approve or Reject MFA Request
+     * @description Approve or Reject MFA Request
      *
-     * Approve request after logging in with CubeSigner. Adds the currently-logged user as an approver
+     * Approve or reject request after logging in with CubeSigner.
+     *
+     * If approving, adds the currently-logged user as an approver
      * of a pending MFA request of the [Status::RequiredApprovers] kind. If the required number of
      * approvers is reached, the MFA request is approved; the confirmation receipt can be used to
      * resume the original HTTP request.
+     *
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    mfaApproveCs: {
+    mfaVoteCs: {
         parameters: {
+            query?: {
+                mfa_vote?: components["schemas"]["MfaVote"] | null;
+            };
             path: {
                 /**
                  * @description Name or ID of the desired Org
@@ -4414,12 +4633,12 @@ export interface operations {
         };
     };
     /**
-     * Initiate Approving an MFA Request with FIDO
-     * @description Initiate Approving an MFA Request with FIDO
+     * Initiate a FIDO MFA Approval/Rejection
+     * @description Initiate a FIDO MFA Approval/Rejection
      *
-     * Initiates the approval process of an MFA Request using FIDO.
+     * Initiates the approval/rejection process of an MFA Request using FIDO.
      */
-    mfaApproveFido: {
+    mfaFidoInit: {
         parameters: {
             path: {
                 /**
@@ -4444,16 +4663,20 @@ export interface operations {
         };
     };
     /**
-     * Finalize a FIDO MFA Approval
-     * @description Finalize a FIDO MFA Approval
-     *
-     * Adds an approver to a pending MFA request.
+     * Finalize a FIDO MFA Approval/Rejection
+     * @description Finalize a FIDO MFA Approval/Rejection
      *
+     * If approving, adds an approver to a pending MFA request.
      * If the required number of approvers is reached, the MFA request is approved;
      * the confirmation receipt can be used to resume the original HTTP request.
+     *
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    mfaApproveFidoComplete: {
+    mfaVoteFidoComplete: {
         parameters: {
+            query?: {
+                mfa_vote?: components["schemas"]["MfaVote"] | null;
+            };
             path: {
                 /**
                  * @description Name or ID of the desired Org
@@ -4482,16 +4705,20 @@ export interface operations {
         };
     };
     /**
-     * Approve a TOTP MFA Request
-     * @description Approve a TOTP MFA Request
+     * Approve/Reject a TOTP MFA Request
+     * @description Approve/Reject a TOTP MFA Request
      *
-     * Adds the current user as approver to a pending MFA request by providing TOTP code.
+     * If approving, adds the current user as approver to a pending MFA request by
+     * providing TOTP code. If the required number of approvers is reached, the MFA request is
+     * approved; the confirmation receipt can be used to resume the original HTTP request.
      *
-     * If the required number of approvers is reached, the MFA request is approved;
-     * the confirmation receipt can be used to resume the original HTTP request.
+     * If rejecting, immediately deletes the pending MFA request.
      */
-    mfaApproveTotp: {
+    mfaVoteTotp: {
         parameters: {
+            query?: {
+                mfa_vote?: components["schemas"]["MfaVote"] | null;
+            };
             path: {
                 /**
                  * @description Name or ID of the desired Org
@@ -4519,6 +4746,44 @@ export interface operations {
             };
         };
     };
+    /**
+     * Mint an OIDC ID token for Twitter
+     * @description Mint an OIDC ID token for Twitter
+     *
+     * This function acts identically to Twitter's [`oauth2/token`](https://developer.twitter.com/en/docs/authentication/api-reference/token) endpoint,
+     * but extends the output with an `id_token`.
+     *
+     * This `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.
+     *
+     * > [!IMPORTANT]
+     * > This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.
+     */
+    oauth2Twitter: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+            };
+        };
+        requestBody: {
+            content: {
+                "application/json": {
+                    [key: string]: string;
+                };
+            };
+        };
+        responses: {
+            200: components["responses"]["TokenResponse"];
+            default: {
+                content: {
+                    "application/json": components["schemas"]["ErrorResponse"];
+                };
+            };
+        };
+    };
     /**
      * Login with OIDC
      * @description Login with OIDC
@@ -5044,6 +5309,35 @@ export interface operations {
             };
         };
     };
+    /**
+     * Remove User
+     * @description Remove User
+     *
+     * Removes an existing user from an existing role.
+     * Only users in the role or org owners can remove users from a role.
+     */
+    removeUserFromRole: {
+        parameters: {
+            path: {
+                /**
+                 * @description Name or ID of the desired Org
+                 * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                org_id: string;
+                /**
+                 * @description Name or ID of the desired Role
+                 * @example Role#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                role_id: string;
+                /**
+                 * @description ID of the desired User
+                 * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+                 */
+                user_id: string;
+            };
+        };
+        responses: {};
+    };
     /**
      * List sessions
      * @description List sessions