@cubist-labs/cubesigner-sdk 0.3.13 → 0.3.19

package/dist/cjs/src/schema.d.ts

@@ -283,7 +283,12 @@ export interface paths {
          * Login with OIDC
          * @description Login with OIDC
          *
-         * Exchange an OIDC ID token (passed via the `Authorization` header) for a signer session
+         * Exchange an OIDC ID token (passed via the `Authorization` header) for a signer session.
+         *
+         * MFA is required when:
+         * - an MFA policy is explicitly attached to the user logging in
+         * (e.g., an org owner can do that at user creation time to require certain kind of MFA)
+         * - the user has at least 1 MFA factor configured
          */
         post: operations["oidcAuth"];
     };
@@ -1000,7 +1005,7 @@ export interface components {
         /** @enum {string} */
         BadGatewayErrorCode: "OAuthProviderError";
         /** @enum {string} */
-        BadRequestErrorCode: "GenericBadRequest" | "InvalidBody" | "TokenRequestError" | "InvalidMfaReceipt" | "InvalidMfaPolicyCount" | "InvalidMfaPolicyNumAuthFactors" | "InvalidMfaPolicyNumAllowedApprovers" | "InvalidMfaPolicyRedundantRule" | "InvalidCreateKeyCount" | "OrgInviteExistingUser" | "OrgNameTaken" | "RoleNameTaken" | "AddKeyToRoleCountTooHigh" | "InvalidKeyId" | "InvalidKeyMetadataLength" | "InvalidKeyMetadata" | "InvalidKeyMaterialId" | "KeyNotFound" | "UserExportDerivedKey" | "UserExportPublicKeyInvalid" | "UserExportInProgress" | "RoleNotFound" | "InvalidMfaReceiptOrgIdMissing" | "InvalidMfaReceiptInvalidOrgId" | "MfaRequestNotFound" | "InvalidKeyType" | "InvalidKeyMaterial" | "InvalidHexValue" | "InvalidBase32Value" | "InvalidBase58Value" | "InvalidForkVersionLength" | "InvalidEthAddress" | "InvalidStellarAddress" | "InvalidOrgNameOrId" | "InvalidStakeDeposit" | "InvalidBlobSignRequest" | "InvalidSolanaSignRequest" | "InvalidEip712SignRequest" | "InvalidEvmSignRequest" | "InvalidEth2SignRequest" | "InvalidDeriveKeyRequest" | "InvalidStakingAmount" | "CustomStakingAmountNotAllowedForWrapperContract" | "InvalidUnstakeRequest" | "InvalidCreateUserRequest" | "UserAlreadyExists" | "UserNotFound" | "PolicyRuleKeyMismatch" | "EmptyScopes" | "InvalidScopesForRoleSession" | "InvalidLifetime" | "NoSingleKeyForUser" | "InvalidOrgPolicyRule" | "SourceIpAllowlistEmpty" | "InvalidOrgPolicyRepeatedRule" | "AvaSignHashError" | "AvaSignError" | "BtcSegwitHashError" | "BtcSignError" | "Eip712SignError" | "InvalidMemberRoleInUserAdd" | "ThirdPartyUserAlreadyExists" | "ThirdPartyUserNotFound" | "DeleteOidcUserError" | "SessionRoleMismatch" | "InvalidOidcToken" | "OidcIssuerUnsupported" | "OidcIssuerNotAllowed" | "OidcIssuerNoApplicableJwk" | "FidoKeyAlreadyRegistered" | "FidoKeySignCountTooLow" | "FidoVerificationFailed" | "FidoChallengeMfaMismatch" | "UnsupportedLegacyCognitoSession" | "InvalidIdentityProof" | "PaginationDataExpired" | "ExistingKeysViolateExclusiveKeyAccess" | "ExportDelayTooShort" | "ExportWindowTooLong" | "InvalidTotpFailureLimit" | "InvalidEip191SignRequest" | "CannotResendUserInvitation";
+        BadRequestErrorCode: "GenericBadRequest" | "InvalidBody" | "TokenRequestError" | "InvalidMfaReceipt" | "InvalidMfaPolicyCount" | "InvalidMfaPolicyNumAuthFactors" | "InvalidMfaPolicyNumAllowedApprovers" | "InvalidMfaPolicyRedundantRule" | "InvalidCreateKeyCount" | "OrgInviteExistingUser" | "OrgNameTaken" | "RoleNameTaken" | "AddKeyToRoleCountTooHigh" | "InvalidKeyId" | "InvalidKeyMetadataLength" | "InvalidKeyMetadata" | "InvalidKeyMaterialId" | "KeyNotFound" | "UserExportDerivedKey" | "UserExportPublicKeyInvalid" | "UserExportInProgress" | "RoleNotFound" | "InvalidMfaReceiptOrgIdMissing" | "InvalidMfaReceiptInvalidOrgId" | "MfaRequestNotFound" | "InvalidKeyType" | "InvalidKeyMaterial" | "InvalidHexValue" | "InvalidBase32Value" | "InvalidBase58Value" | "InvalidForkVersionLength" | "InvalidEthAddress" | "InvalidStellarAddress" | "InvalidOrgNameOrId" | "InvalidStakeDeposit" | "InvalidBlobSignRequest" | "InvalidSolanaSignRequest" | "InvalidEip712SignRequest" | "InvalidEvmSignRequest" | "InvalidEth2SignRequest" | "InvalidDeriveKeyRequest" | "InvalidStakingAmount" | "CustomStakingAmountNotAllowedForWrapperContract" | "InvalidUnstakeRequest" | "InvalidCreateUserRequest" | "UserAlreadyExists" | "UserNotFound" | "PolicyRuleKeyMismatch" | "EmptyScopes" | "InvalidScopesForRoleSession" | "InvalidLifetime" | "NoSingleKeyForUser" | "InvalidOrgPolicyRule" | "SourceIpAllowlistEmpty" | "InvalidOrgPolicyRepeatedRule" | "AvaSignHashError" | "AvaSignError" | "BtcSegwitHashError" | "BtcSignError" | "Eip712SignError" | "InvalidMemberRoleInUserAdd" | "ThirdPartyUserAlreadyExists" | "ThirdPartyUserNotFound" | "DeleteOidcUserError" | "SessionRoleMismatch" | "InvalidOidcToken" | "OidcIssuerUnsupported" | "OidcIssuerNotAllowed" | "OidcIssuerNoApplicableJwk" | "FidoKeyAlreadyRegistered" | "FidoKeySignCountTooLow" | "FidoVerificationFailed" | "FidoChallengeMfaMismatch" | "UnsupportedLegacyCognitoSession" | "InvalidIdentityProof" | "PaginationDataExpired" | "ExistingKeysViolateExclusiveKeyAccess" | "ExportDelayTooShort" | "ExportWindowTooLong" | "InvalidTotpFailureLimit" | "InvalidEip191SignRequest" | "CannotResendUserInvitation" | "InvalidNotificationEndpointCount" | "InvalidNotificationUrlProtocol" | "EmptyOneOfOrgEventFilter";
         /**
          * @example {
          *   "message_base64": "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTYK"
@@ -1548,7 +1553,7 @@ export interface components {
         };
         GetUsersInOrgResponse: {
             /** @description The list of users in the org */
-            users: components["schemas"]["UserIdInfo"][];
+            users: components["schemas"]["UserInOrgInfo"][];
         };
         /** @description Stats pertaining the the sender `cube3signer` instance */
         HeartbeatRequest: {
@@ -1667,7 +1672,7 @@ export interface components {
             salt: string;
         };
         /** @enum {string} */
-        InternalErrorCode: "SystemTimeError" | "ReqwestError" | "DbQueryError" | "DbGetError" | "DbDeleteError" | "DbPutError" | "DbUpdateError" | "SerdeError" | "TestAndSetError" | "DbGetItemsError" | "DbWriteError" | "CubistSignerError" | "CwPutMetricDataError" | "KmsGenerateRandomError" | "MalformedTotpBytes" | "KmsGenerateRandomNoResponseError" | "CreateKeyError" | "ParseDerivationPathError" | "SplitSignerError" | "CreateImportKeyError" | "CognitoDeleteUserError" | "CognitoListUsersError" | "CognitoGetUserError" | "MissingUserEmail" | "CognitoResendUserInvitation" | "CognitoSetUserPasswordError" | "GenericInternalError" | "OidcAuthWithoutOrg" | "MissingKeyMetadata" | "KmsKeyWithoutId" | "KmsEnableKeyError" | "KmsDisableKeyError" | "SerializeEncryptedExportKeyError" | "DeserializeEncryptedExportKeyError" | "ReEncryptUserExport" | "S3UploadError" | "S3DownloadError" | "ManagedStateMissing" | "InternalHeaderMissing" | "InvalidInternalHeaderValue" | "RequestLocalStateAlreadySet" | "OidcOrgMismatch" | "OrphanedRoleKeyId" | "OidcIssuerJwkEndpointUnavailable" | "OidcIssuerInvalidJwk" | "InvalidPkForMaterialId" | "UncheckedOrg" | "AvaSignCredsMissing" | "AvaSignSignatureMissing" | "ExpectedRoleSession" | "InvalidThirdPartyIdentity" | "CognitoGetUser";
+        InternalErrorCode: "SystemTimeError" | "ReqwestError" | "DbQueryError" | "DbGetError" | "DbDeleteError" | "DbPutError" | "DbUpdateError" | "SerdeError" | "TestAndSetError" | "DbGetItemsError" | "DbWriteError" | "CubistSignerError" | "CwPutMetricDataError" | "KmsGenerateRandomError" | "MalformedTotpBytes" | "KmsGenerateRandomNoResponseError" | "CreateKeyError" | "ParseDerivationPathError" | "SplitSignerError" | "CreateImportKeyError" | "CognitoDeleteUserError" | "CognitoListUsersError" | "CognitoGetUserError" | "MissingUserEmail" | "CognitoResendUserInvitation" | "CognitoSetUserPasswordError" | "GenericInternalError" | "OidcAuthWithoutOrg" | "MissingKeyMetadata" | "KmsKeyWithoutId" | "KmsEnableKeyError" | "KmsDisableKeyError" | "SerializeEncryptedExportKeyError" | "DeserializeEncryptedExportKeyError" | "ReEncryptUserExport" | "S3UploadError" | "S3DownloadError" | "ManagedStateMissing" | "InternalHeaderMissing" | "InvalidInternalHeaderValue" | "RequestLocalStateAlreadySet" | "OidcOrgMismatch" | "OrphanedRoleKeyId" | "OidcIssuerJwkEndpointUnavailable" | "OidcIssuerInvalidJwk" | "InvalidPkForMaterialId" | "UncheckedOrg" | "AvaSignCredsMissing" | "AvaSignSignatureMissing" | "ExpectedRoleSession" | "InvalidThirdPartyIdentity" | "CognitoGetUser" | "SnsSubscribeError" | "SnsUnsubscribeError" | "SnsPublishBatchError";
         InviteRequest: {
             /**
              * @description The user's email address
@@ -1956,6 +1961,12 @@ export interface components {
         };
         /** @enum {string} */
         NotFoundErrorCode: "UriSegmentMissing" | "UriSegmentInvalid" | "TotpNotConfigured" | "FidoKeyNotFound" | "FidoChallengeNotFound" | "TotpChallengeNotFound" | "UserExportRequestNotFound" | "UserExportCiphertextNotFound";
+        /** @description The configuration for an org event endpoint */
+        NotificationEndpointConfiguration: {
+            filter?: components["schemas"]["OrgEventFilter"];
+            /** @description URL of the endpoint */
+            url: string;
+        };
         /**
          * @description Represents a globally unique OIDC-authorized user by expressing the full "path" to a user. That is:
          *
@@ -1996,6 +2007,19 @@ export interface components {
             scopes: string[];
             tokens?: components["schemas"]["RatchetConfig"];
         };
+        /**
+         * @description Auto-generated discriminant enum variants
+         * @enum {string}
+         */
+        OrgEventDiscriminants: "OidcAuth" | "Eth2ConcurrentAttestationSigning" | "Eth2ConcurrentBlockSigning" | "Eth2InvalidBlockProposerSlotTooLow" | "Eth2InvalidAttestationSourceEpochTooLow" | "Eth2InvalidAttestationTargetEpochTooLow" | "Eth2Unstake" | "Eth2ExceededMaxUnstake" | "MfaRejected";
+        /** @description Filter for org events */
+        OrgEventFilter: OneOf<[
+            "All",
+            {
+                /** @description Only accepts org events that are one of the listed events */
+                OneOf: components["schemas"]["OrgEventDiscriminants"][];
+            }
+        ]>;
         OrgInfo: {
             /** @description When false, all cryptographic operations involving keys in this org are disabled. */
             enabled: boolean;
@@ -2022,6 +2046,17 @@ export interface components {
              * @example my_org_name
              */
             name?: string | null;
+            /**
+             * @description The organization's notification endpoints, which are HTTPS URLs are notified about a
+             * configurable set of events in an organization. For each event, CubeSigner sends a POST
+             * request with a JSON-formatted body that contains the event details.
+             * @example [
+             *   {
+             *     "url": "https://example.com/endpoint"
+             *   }
+             * ]
+             */
+            notification_endpoints?: Record<string, never>[];
             /**
              * @description The ID of the organization
              * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
@@ -2836,6 +2871,44 @@ export interface components {
              * @example my_org
              */
             name?: string | null;
+            /**
+             * @description If set, update this org's notification endpoints. Notification endpoints are expected to be
+             * HTTPS URLs, which accept POST requests. The body of the requests sent to these endpoints are
+             * are formatted in JSON and have the following format:
+             *
+             * ```json
+             * {
+             * "org": "...",
+             * "utc_timestamp": "...",
+             * "org_event": "...",
+             * ...
+             * }
+             * ```
+             *
+             * `org` is the org id, `utc_timestamp` is the UTC timestamp of the event in milliseconds, and
+             * `org_event` is a string identifying the type of event that has occurred. The rest of the
+             * fields provide additional information related to the type of the event.
+             *
+             * Endpoints can optionally include filters to customize the org events that they are notified
+             * about. Currently, the only supported filter type is `OneOf`, which expects a list of org
+             * event types to send to the endpoint. If no filter is configured, the system sends all org
+             * events to the endpoint.
+             * @example [
+             *   {
+             *     "url:": "https://example.com/endpoint1"
+             *   },
+             *   {
+             *     "filter": {
+             *       "OneOf": [
+             *         "Eth2ConcurrentAttestationSigning",
+             *         "Eth2ConcurrentBlockSigning"
+             *       ]
+             *     },
+             *     "url:": "https://example.com/endpoint2"
+             *   }
+             * ]
+             */
+            notification_endpoints?: Record<string, never>[] | null;
             /**
              * @description If set, update this org's policies (old policies will be overwritten!).
              * @example [
@@ -2888,6 +2961,15 @@ export interface components {
              * @example my_org_name
              */
             name?: string | null;
+            /**
+             * @description The new notification endpoint configurations
+             * @example [
+             *   {
+             *     "url": "https://example.com/endpoint"
+             *   }
+             * ]
+             */
+            notification_endpoints?: Record<string, never>[];
             /**
              * @description The ID of the organization
              * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
@@ -3035,7 +3117,7 @@ export interface components {
             public_key_hash?: string | null;
             valid_epoch: components["schemas"]["EpochDateTime"];
         };
-        UserIdInfo: {
+        UserInOrgInfo: {
             /**
              * @description The user's email
              * @example alice@example.com
@@ -3046,6 +3128,9 @@ export interface components {
              * @example User#c3b9379c-4e8c-4216-bd0a-65ace53cf98f
              */
             id: string;
+            membership: components["schemas"]["MemberRole"];
+            /** @description Optional user name. */
+            name?: string | null;
         };
         UserInRoleInfo: {
             user_id: string;
@@ -3247,7 +3332,7 @@ export interface components {
             content: {
                 "application/json": {
                     /** @description The list of users in the org */
-                    users: components["schemas"]["UserIdInfo"][];
+                    users: components["schemas"]["UserInOrgInfo"][];
                 };
             };
         };
@@ -3455,6 +3540,17 @@ export interface components {
                      * @example my_org_name
                      */
                     name?: string | null;
+                    /**
+                     * @description The organization's notification endpoints, which are HTTPS URLs are notified about a
+                     * configurable set of events in an organization. For each event, CubeSigner sends a POST
+                     * request with a JSON-formatted body that contains the event details.
+                     * @example [
+                     *   {
+                     *     "url": "https://example.com/endpoint"
+                     *   }
+                     * ]
+                     */
+                    notification_endpoints?: Record<string, never>[];
                     /**
                      * @description The ID of the organization
                      * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
@@ -3774,6 +3870,15 @@ export interface components {
                      * @example my_org_name
                      */
                     name?: string | null;
+                    /**
+                     * @description The new notification endpoint configurations
+                     * @example [
+                     *   {
+                     *     "url": "https://example.com/endpoint"
+                     *   }
+                     * ]
+                     */
+                    notification_endpoints?: Record<string, never>[];
                     /**
                      * @description The ID of the organization
                      * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
@@ -4788,7 +4893,12 @@ export interface operations {
      * Login with OIDC
      * @description Login with OIDC
      *
-     * Exchange an OIDC ID token (passed via the `Authorization` header) for a signer session
+     * Exchange an OIDC ID token (passed via the `Authorization` header) for a signer session.
+     *
+     * MFA is required when:
+     * - an MFA policy is explicitly attached to the user logging in
+     * (e.g., an org owner can do that at user creation time to require certain kind of MFA)
+     * - the user has at least 1 MFA factor configured
      */
     oidcAuth: {
         parameters: {