@cubist-labs/cubesigner-sdk 0.4.201 → 0.4.204

package/src/schema.ts

@@ -24,6 +24,15 @@ export interface paths {
      */
     get: operations["aboutMeLegacy"];
   };
+  "/v0/attestation/.well-known/jwks.json": {
+    /**
+     * JWKS endpoint for the attestation key
+     * @description JWKS endpoint for the attestation key
+     *
+     * Returns the public key used to sign Key info attestations.
+     */
+    get: operations["attestationJwkSet"];
+  };
   "/v0/email/orgs": {
     /**
      * List accessible organizations.
@@ -611,6 +620,15 @@ export interface paths {
      */
     patch: operations["updateKey"];
   };
+  "/v0/org/{org_id}/keys/{key_id}/attest": {
+    /**
+     * Attest to Key Properties
+     * @description Attest to Key Properties
+     *
+     * The response is a JWT whose claims are the key properties.
+     */
+    get: operations["attestKey"];
+  };
   "/v0/org/{org_id}/keys/{key_id}/roles": {
     /**
      * List Key Roles
@@ -1656,6 +1674,8 @@ export interface components {
         ids: string[];
         /** @description Organization id */
         org_id: string;
+        /** @description Optional policy evaluation tree (included in signer responses, when requested) */
+        policy_eval_tree?: unknown;
         session?: components["schemas"]["NewSessionResponse"] | null;
       };
     };
@@ -1914,6 +1934,12 @@ export interface components {
     AuthenticatorTransport: "usb" | "nfc" | "ble" | "internal";
     /** @description Request to sign a serialized Avalanche transaction */
     AvaSerializedTxSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -1925,6 +1951,12 @@ export interface components {
     };
     /** @description Request to sign an Avalanche transaction */
     AvaSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -1951,6 +1983,18 @@ export interface components {
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
     BabylonCovSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
+      /**
+       * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
+       * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
+       */
+      metadata?: unknown;
+    } & {
       /**
        * @description The keys for the finality providers to which this transaction is being staked.
        * Each key is a hex string containing a SEC1-encoded secp256k1 public key.
@@ -2010,6 +2054,9 @@ export interface components {
       unbonding_tx: string;
     };
     BabylonCovSignResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
       /**
        * @description The slash-unbonding transaction signatures as an array of hex strings with no 0x prefix
        * @example [
@@ -2124,6 +2171,18 @@ export interface components {
        */
       value: number;
     }) & {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
+      /**
+       * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
+       * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
+       */
+      metadata?: unknown;
+    } & {
       /**
        * @description The Babylon address that will receive the staking rewards for this deposit.
        * Babylon requires this to be the same address that registers the deposit on
@@ -2137,6 +2196,9 @@ export interface components {
       bbn_addr: string;
     };
     BabylonRegistrationResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
       /**
        * @description The Babylon address that will receive the staking rewards for this deposit.
        *
@@ -2411,6 +2473,9 @@ export interface components {
           action: "slash_early_unbond";
         });
     BabylonStakingResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
       /**
        * Format: int64
        * @description The transaction fee in sats
@@ -2530,6 +2595,7 @@ export interface components {
       | "OrgInviteExistingUser"
       | "OrgUserAlreadyExists"
       | "OrgNameTaken"
+      | "KwkNotFoundInRegion"
       | "OrgIsNotOrgExport"
       | "RoleNameTaken"
       | "PolicyNameTaken"
@@ -2599,7 +2665,6 @@ export interface components {
       | "UserNotFound"
       | "UserWithEmailNotFound"
       | "PolicyKeyMismatch"
-      | "PolicyRuleKeyMismatch"
       | "EmptyScopes"
       | "InvalidScopesForRoleSession"
       | "InvalidLifetime"
@@ -2696,7 +2761,8 @@ export interface components {
       | "InvalidPolicyLogsRequest"
       | "UserProfileMigrationMultipleEntries"
       | "UserProfileMigrationTooManyItems"
-      | "InputTooShort";
+      | "InputTooShort"
+      | "InvalidTweakLength";
     BillingArgs: {
       billing_org: components["schemas"]["Id"];
       event_type: components["schemas"]["BillingEvent"];
@@ -2741,6 +2807,7 @@ export interface components {
       | "GetOrgExport"
       | "CreateOrg"
       | "ListKeys"
+      | "AttestKey"
       | "GetKey"
       | "GetKeyByMaterialId"
       | "ListKeyRoles"
@@ -2870,6 +2937,7 @@ export interface components {
       | "SentryApiCall"
       | "SentryApiCallPublic"
       | "MmiJwkSet"
+      | "AttestationJwkSet"
       | "UserOrgs"
       | "PublicOrgInfo"
       | "EmailMyOrgs";
@@ -2888,6 +2956,12 @@ export interface components {
      * }
      */
     BlobSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -2927,8 +3001,8 @@ export interface components {
        */
       message_base64: string;
       /**
-       * @description An optional tweak value for use *only* with Segwit (i.e., SecpBtc and SecpBtcTest)
-       * keys. This field must not be supplied for requests involving any other key type.
+       * @description An optional tweak value for use only with (some) secp256k1 key types.
+       * This field must not be supplied for requests involving any other key type.
        *
        * If this field is not present or null, no tweak is applied. Otherwise, this field
        * must contain a base-64 string encoding a vector of exactly 32 bytes. See the
@@ -2965,6 +3039,12 @@ export interface components {
     };
     /** @description Data to sign */
     BtcMessageSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -2981,6 +3061,9 @@ export interface components {
     };
     /** @description BTC message signing response */
     BtcMessageSignResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
       /** @description The base64-encoded signature in BIP137 format. */
       sig: string;
     };
@@ -2993,6 +3076,12 @@ export interface components {
       | "NonePlusAnyoneCanPay"
       | "SinglePlusAnyoneCanPay";
     BtcSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -3340,6 +3429,27 @@ export interface components {
     };
     /** @description Request for creating a named policy */
     CreatePolicyRequest: {
+      /**
+       * @description Access-control entries defining how the policy can be accessed, modified,
+       * attached and executed.
+       * @example [
+       *   {
+       *     "action": "attach",
+       *     "resources": [
+       *       {
+       *         "key_id": "*",
+       *         "role_id": "Role#e427c28a-9c5b-49cc-a257-878aea58a22c"
+       *       }
+       *     ],
+       *     "subjects": "*"
+       *   },
+       *   {
+       *     "action": "sign",
+       *     "subjects": "Role#e427c28a-9c5b-49cc-a257-878aea58a22c"
+       *   }
+       * ]
+       */
+      acl?: unknown[] | null;
       edit_policy?: components["schemas"]["EditPolicy"] | null;
       /** @description Optional metadata. */
       metadata?: unknown;
@@ -3526,6 +3636,12 @@ export interface components {
       mnemonic_id?: string | null;
     };
     DiffieHellmanRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -3553,7 +3669,7 @@ export interface components {
       public_key?: string | null;
     };
     /** @description The result of a Diffie Hellman key exchange */
-    DiffieHellmanResponse:
+    DiffieHellmanResponse: (
       | {
           /** @description The resulting points as base64-encoded byte strings in a key-type--dependent format. */
           points: string[];
@@ -3573,7 +3689,11 @@ export interface components {
           ephemeral_public_key: string;
           /** @enum {string} */
           response_type: "encrypted";
-        };
+        }
+    ) & {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & Record<string, never>;
     /**
      * @description A policy which governs when and who is allowed to update the entity this policy is
      * attached to (e.g., a role or a key).
@@ -3594,6 +3714,12 @@ export interface components {
       time_lock_until?: components["schemas"]["EpochDateTime"] | null;
     };
     Eip191SignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -3605,6 +3731,13 @@ export interface components {
        * @example 0xdeadbeef13c0ffee
        */
       data: string;
+      /**
+       * @description An optional tweak value that will be applied to the secret key before signing.
+       * This field must contain a base-64 string encoding a vector of exactly 32 bytes.
+       * See the CubeSigner documentation for more information on the tweaking procedure.
+       * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+       */
+      tweak?: string | null;
     };
     /**
      * @example {
@@ -3698,6 +3831,12 @@ export interface components {
      * }
      */
     Eip712SignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -3709,6 +3848,13 @@ export interface components {
        * @description The chain-id to which this typed data will be sent
        */
       chain_id: number;
+      /**
+       * @description An optional tweak value that will be applied to the secret key before signing.
+       * This field must contain a base-64 string encoding a vector of exactly 32 bytes.
+       * See the CubeSigner documentation for more information on the tweaking procedure.
+       * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+       */
+      tweak?: string | null;
       typed_data: components["schemas"]["TypedData"];
     };
     Email: string;
@@ -3775,6 +3921,12 @@ export interface components {
      * at a specified block height.
      */
     EotsCreateNonceRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -3800,6 +3952,9 @@ export interface components {
     };
     /** @description Response generated when creating EOTS nonces */
     EotsCreateNonceResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
       /**
        * @description The generated nonces as an array of 0x-prefixed hex strings
        * @example [
@@ -3811,6 +3966,12 @@ export interface components {
     };
     /** @description Request for an EOTS signature on a specified message, chain-id, block-height triple */
     EotsSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -3862,6 +4023,8 @@ export interface components {
       error_code: components["schemas"]["SignerErrorCode"];
       /** @description Error message */
       message: string;
+      /** @description Optional policy evaluation tree (included in signer responses, when requested) */
+      policy_eval_tree?: unknown;
       /** @description Optional request identifier */
       request_id?: string;
     };
@@ -3894,6 +4057,12 @@ export interface components {
      * }
      */
     Eth1SignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -3905,9 +4074,19 @@ export interface components {
        * @description The chain id to set in the given transaction.
        */
       chain_id: number;
+      /**
+       * @description An optional tweak value that will be applied to the secret key before signing.
+       * This field must contain a base-64 string encoding a vector of exactly 32 bytes.
+       * See the CubeSigner documentation for more information on the tweaking procedure.
+       * @example F41HAy2q5Gn8laF2CuMsZbRAQTmD+4Ob3VUMZ7TBGK4=
+       */
+      tweak?: string | null;
       tx: components["schemas"]["Transaction"];
     };
     Eth1SignResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
       /**
        * @description Hex-encoded RLP encoding of the transaction and its signature
        * @example 0x22895118000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000001201d58656b0e22aaa68fdc692db41979098c3886ed33015d7467de9211609cdac000000000000000000000000000000000000000000000000000000000000000308b0c2900324d3ff9adfba7fdfe5af3f9b2cdbeef7b280437bbf1b1c59a093d615afe3e5dfed9622b540cdd9b49b3c5ad00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002001000000000000000000000049011adbcc3bc9c0307bb07f37dda1a1a9c69d2e0000000000000000000000000000000000000000000000000000000000000060903db8525674b8e7904f9b7d7d9ec55a0a42d33cf58be25469b0c21bbb6d06172bc5bb5fd1aed8e4f35936968958116b0619553c2cb1c52e7323074c6f8eb3d5a7074fc6580148df907837fa3b164ad7fbc2288dad1e8a5b021095b57c8a36d4
@@ -3935,6 +4114,18 @@ export interface components {
      * }
      */
     Eth2SignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
+      /**
+       * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
+       * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
+       */
+      metadata?: unknown;
+    } & {
       /**
        * @description Subset of the Web3Signer Eth2 BLS signing request whose schema is defined
        * [here](https://consensys.github.io/web3signer/web3signer-eth2.html#tag/Signing/operation/ETH2_SIGN).
@@ -3943,13 +4134,6 @@ export interface components {
       eth2_sign_request: Record<string, never>;
       network: components["schemas"]["Network"];
     };
-    Eth2SignResponse: {
-      /**
-       * @description Hex encoded signature prefixed with 0x e.g. "0x0000..."
-       * @example 0xb4f2ef9d12a54e1f569596c07c97d6d730535b6ffc0d287761dc78103a86326782471a04c75ce7a6faea08ca9a4a0830031cdcb893da8711d54aa22619f1a7e71b8185ddf4c6bfd9babbd735960e35e56bd6eeb89625b04850e7a9ef8846e549
-       */
-      signature: string;
-    };
     /**
      * @description Representation of an event. This type is used to serialize events to CloudWatch Logs and to
      * deserialize them when analyzing the logs.
@@ -4048,6 +4232,190 @@ export interface components {
      * @enum {string}
      */
     ExecutionSource: "SignRequest" | "UserInvocation";
+    /**
+     * ExplicitScope
+     * @description Explicitly named scopes for accessing CubeSigner APIs
+     * @enum {string}
+     */
+    ExplicitScope:
+      | "sign:*"
+      | "sign:ava"
+      | "sign:blob"
+      | "sign:diffieHellman"
+      | "sign:btc:*"
+      | "sign:btc:segwit"
+      | "sign:btc:taproot"
+      | "sign:btc:psbt:*"
+      | "sign:btc:psbt:doge"
+      | "sign:btc:psbt:legacy"
+      | "sign:btc:psbt:segwit"
+      | "sign:btc:psbt:taproot"
+      | "sign:btc:psbt:ltcSegwit"
+      | "sign:btc:message:*"
+      | "sign:btc:message:segwit"
+      | "sign:btc:message:legacy"
+      | "sign:babylon:*"
+      | "sign:babylon:eots:*"
+      | "sign:babylon:eots:nonces"
+      | "sign:babylon:eots:sign"
+      | "sign:babylon:staking:*"
+      | "sign:babylon:staking:deposit"
+      | "sign:babylon:staking:unbond"
+      | "sign:babylon:staking:withdraw"
+      | "sign:babylon:staking:slash"
+      | "sign:babylon:registration"
+      | "sign:babylon:covenant"
+      | "sign:evm:*"
+      | "sign:evm:tx"
+      | "sign:evm:eip191"
+      | "sign:evm:eip712"
+      | "sign:eth2:*"
+      | "sign:eth2:validate"
+      | "sign:eth2:stake"
+      | "sign:eth2:unstake"
+      | "sign:solana"
+      | "sign:sui"
+      | "sign:tendermint"
+      | "sign:mmi"
+      | "manage:*"
+      | "manage:readonly"
+      | "manage:email"
+      | "manage:mfa:*"
+      | "manage:mfa:readonly"
+      | "manage:mfa:list"
+      | "manage:mfa:vote:*"
+      | "manage:mfa:vote:cs"
+      | "manage:mfa:vote:email"
+      | "manage:mfa:vote:fido"
+      | "manage:mfa:vote:totp"
+      | "manage:mfa:register:*"
+      | "manage:mfa:register:fido"
+      | "manage:mfa:register:totp"
+      | "manage:mfa:register:email"
+      | "manage:mfa:unregister:*"
+      | "manage:mfa:unregister:fido"
+      | "manage:mfa:unregister:totp"
+      | "manage:mfa:verify:*"
+      | "manage:mfa:verify:totp"
+      | "manage:key:*"
+      | "manage:key:readonly"
+      | "manage:key:get"
+      | "manage:key:attest"
+      | "manage:key:listRoles"
+      | "manage:key:list"
+      | "manage:key:history:tx:list"
+      | "manage:key:create"
+      | "manage:key:import"
+      | "manage:key:update:*"
+      | "manage:key:update:owner"
+      | "manage:key:update:policy"
+      | "manage:key:update:enabled"
+      | "manage:key:update:metadata"
+      | "manage:key:update:editPolicy"
+      | "manage:key:delete"
+      | "manage:policy:*"
+      | "manage:policy:create"
+      | "manage:policy:get"
+      | "manage:policy:list"
+      | "manage:policy:delete"
+      | "manage:policy:update:*"
+      | "manage:policy:update:owner"
+      | "manage:policy:update:name"
+      | "manage:policy:update:acl"
+      | "manage:policy:update:editPolicy"
+      | "manage:policy:update:metadata"
+      | "manage:policy:update:rule"
+      | "manage:policy:invoke"
+      | "manage:policy:wasm:*"
+      | "manage:policy:wasm:upload"
+      | "manage:policy:secrets:*"
+      | "manage:policy:secrets:get"
+      | "manage:policy:secrets:update:*"
+      | "manage:policy:secrets:update:values"
+      | "manage:policy:secrets:update:editPolicy"
+      | "manage:contact:*"
+      | "manage:contact:create"
+      | "manage:contact:get"
+      | "manage:contact:list"
+      | "manage:contact:delete"
+      | "manage:contact:update:*"
+      | "manage:contact:update:name"
+      | "manage:contact:update:addresses"
+      | "manage:contact:update:owner"
+      | "manage:contact:update:metadata"
+      | "manage:contact:update:editPolicy"
+      | "manage:contact:lookup:*"
+      | "manage:contact:lookup:address"
+      | "manage:policy:createImportKey"
+      | "manage:role:*"
+      | "manage:role:readonly"
+      | "manage:role:create"
+      | "manage:role:delete"
+      | "manage:role:get:*"
+      | "manage:role:get:keys"
+      | "manage:role:get:keys:list"
+      | "manage:role:get:keys:get"
+      | "manage:role:get:users"
+      | "manage:role:list"
+      | "manage:role:update:*"
+      | "manage:role:update:enabled"
+      | "manage:role:update:policy"
+      | "manage:role:update:editPolicy"
+      | "manage:role:update:key:*"
+      | "manage:role:update:key:add"
+      | "manage:role:update:key:remove"
+      | "manage:role:update:user:*"
+      | "manage:role:update:user:add"
+      | "manage:role:update:user:remove"
+      | "manage:role:history:tx:list"
+      | "manage:identity:*"
+      | "manage:identity:verify"
+      | "manage:identity:add"
+      | "manage:identity:remove"
+      | "manage:identity:list"
+      | "manage:org:*"
+      | "manage:org:create"
+      | "manage:org:metrics:query"
+      | "manage:org:readonly"
+      | "manage:org:addUser"
+      | "manage:org:inviteUser"
+      | "manage:org:inviteAlien"
+      | "manage:org:updateMembership"
+      | "manage:org:listUsers"
+      | "manage:org:user:get"
+      | "manage:org:deleteUser"
+      | "manage:org:get"
+      | "manage:org:user:resetMfa"
+      | "manage:session:*"
+      | "manage:session:readonly"
+      | "manage:session:get"
+      | "manage:session:list"
+      | "manage:session:create"
+      | "manage:session:extend"
+      | "manage:session:revoke"
+      | "manage:export:*"
+      | "manage:export:org:*"
+      | "manage:export:org:get"
+      | "manage:export:user:*"
+      | "manage:export:user:delete"
+      | "manage:export:user:list"
+      | "manage:authMigration:*"
+      | "manage:authMigration:identity:add"
+      | "manage:authMigration:identity:remove"
+      | "manage:authMigration:user:update"
+      | "manage:mmi:*"
+      | "manage:mmi:readonly"
+      | "manage:mmi:get"
+      | "manage:mmi:list"
+      | "manage:mmi:reject"
+      | "manage:mmi:delete"
+      | "export:*"
+      | "export:user:*"
+      | "export:user:init"
+      | "export:user:complete"
+      | "mmi:*"
+      | "orgAccess:*"
+      | "orgAccess:child:*";
     /**
      * @description This type specifies the interpretation of the `fee` field in Babylon
      * staking requests. If `sats`, the field is intpreted as a fixed value
@@ -4191,7 +4559,8 @@ export interface components {
       | "RemoveKeyFromRoleUserNotAllowed"
       | "SiweChallengeExpired"
       | "SiweMessageNotValid"
-      | "SiweMessageInvalidSignature";
+      | "SiweMessageInvalidSignature"
+      | "Acl";
     /**
      * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
      * The schema of `Fork` is defined in the [Beacon chain
@@ -4430,6 +4799,7 @@ export interface components {
     /** @enum {string} */
     InternalErrorCode:
       | "NoMaterialId"
+      | "UnexpectedCheckerRule"
       | "UnresolvedPolicyReference"
       | "FidoKeyAssociatedWithMultipleUsers"
       | "ClaimsParseError"
@@ -4501,6 +4871,7 @@ export interface components {
       | "OidcOrgMismatch"
       | "OidcIssuerInvalidJwk"
       | "InvalidPkForMaterialId"
+      | "SegwitTweakFailed"
       | "UncheckedOrg"
       | "SessionOrgIdMissing"
       | "AvaSignCredsMissing"
@@ -4683,7 +5054,10 @@ export interface components {
       /** @description The type of key this package represents */
       key_type: string;
     };
-    JwkSetResponse: Record<string, never>;
+    JwkSetResponse: {
+      /** @description The keys included in this set */
+      keys: Record<string, never>[];
+    };
     KeyCountDimensions: {
       /** @description The key type */
       key_type: string;
@@ -4774,6 +5148,8 @@ export interface components {
        * ]
        */
       policy: unknown[];
+      /** @description The key provenance. */
+      provenance?: string | null;
       /**
        * @description Hex-encoded, serialized public key. The format used depends on the key type:
        * - Secp256k1 keys use 65-byte uncompressed SECG format;
@@ -4791,6 +5167,11 @@ export interface components {
       /** @description The region affinity for this key */
       region?: string;
     };
+    /** @description Response returned when requesting a key attestation. */
+    KeyInfoJwt: {
+      /** @description A JSON Web Token whose claims contain the `KeyInfo` structure. */
+      jwt: string;
+    };
     KeyInfos: {
       keys: components["schemas"]["KeyInfo"][];
     };
@@ -6045,6 +6426,25 @@ export interface components {
       message_tx?: components["schemas"]["TypedTransaction"] | null;
     }) &
       Record<string, never>;
+    /**
+     * @description The possible actions that can be performed on a [NamedPolicy] that are restricted by ACL.
+     * @enum {string}
+     */
+    PolicyAction:
+      | "ReadAll"
+      | "ReadPolicy"
+      | "ReadLogs"
+      | "UpdateAll"
+      | "UpdateName"
+      | "UpdateRules"
+      | "UpdateMetadata"
+      | "UpdateEditPolicy"
+      | "UpdateOwner"
+      | "UpdateAcl"
+      | "Delete"
+      | "Attach"
+      | "Sign"
+      | "Invoke";
     /** @description The id for attaching a named policy to a key, role, or key in role. */
     PolicyAttachedToId: OneOf<
       [
@@ -6162,6 +6562,8 @@ export interface components {
       | "DeniedByWebhook";
     /** @description A struct containing all the information about a specific version of a policy. */
     PolicyInfo: {
+      /** @description The access-control entries for the policy. */
+      acl?: unknown[] | null;
       /** @description A list of entities (keys, roles, etc.) the policy is attached to. */
       attached_to: components["schemas"]["PolicyAttachedToId"][];
       created: components["schemas"]["EpochDateTime"];
@@ -6238,6 +6640,7 @@ export interface components {
     /** @enum {string} */
     PreconditionErrorOwnCodes:
       | "KeyRegionLocked"
+      | "KeyRegionChangedRecently"
       | "MfaRegionLocked"
       | "Eth2ProposerSlotTooLow"
       | "Eth2AttestationSourceEpochTooLow"
@@ -6278,6 +6681,12 @@ export interface components {
     >;
     /** @description A request to sign a PSBT */
     PsbtSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -6299,6 +6708,9 @@ export interface components {
     };
     /** @description Response to a PSBT signing request */
     PsbtSignResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
       /**
        * @description The PSBT in standard hex serialization, without leading "0x".
        * @example 70736274ff01005e...
@@ -6846,186 +7258,7 @@ export interface components {
       users?: string[] | null;
     };
     /** @description All scopes for accessing CubeSigner APIs */
-    Scope:
-      | (
-          | "sign:*"
-          | "sign:ava"
-          | "sign:blob"
-          | "sign:diffieHellman"
-          | "sign:btc:*"
-          | "sign:btc:segwit"
-          | "sign:btc:taproot"
-          | "sign:btc:psbt:*"
-          | "sign:btc:psbt:doge"
-          | "sign:btc:psbt:legacy"
-          | "sign:btc:psbt:segwit"
-          | "sign:btc:psbt:taproot"
-          | "sign:btc:psbt:ltcSegwit"
-          | "sign:btc:message:*"
-          | "sign:btc:message:segwit"
-          | "sign:btc:message:legacy"
-          | "sign:babylon:*"
-          | "sign:babylon:eots:*"
-          | "sign:babylon:eots:nonces"
-          | "sign:babylon:eots:sign"
-          | "sign:babylon:staking:*"
-          | "sign:babylon:staking:deposit"
-          | "sign:babylon:staking:unbond"
-          | "sign:babylon:staking:withdraw"
-          | "sign:babylon:staking:slash"
-          | "sign:babylon:registration"
-          | "sign:babylon:covenant"
-          | "sign:evm:*"
-          | "sign:evm:tx"
-          | "sign:evm:eip191"
-          | "sign:evm:eip712"
-          | "sign:eth2:*"
-          | "sign:eth2:validate"
-          | "sign:eth2:stake"
-          | "sign:eth2:unstake"
-          | "sign:solana"
-          | "sign:sui"
-          | "sign:tendermint"
-          | "sign:mmi"
-          | "manage:*"
-          | "manage:readonly"
-          | "manage:email"
-          | "manage:mfa:*"
-          | "manage:mfa:readonly"
-          | "manage:mfa:list"
-          | "manage:mfa:vote:*"
-          | "manage:mfa:vote:cs"
-          | "manage:mfa:vote:email"
-          | "manage:mfa:vote:fido"
-          | "manage:mfa:vote:totp"
-          | "manage:mfa:register:*"
-          | "manage:mfa:register:fido"
-          | "manage:mfa:register:totp"
-          | "manage:mfa:register:email"
-          | "manage:mfa:unregister:*"
-          | "manage:mfa:unregister:fido"
-          | "manage:mfa:unregister:totp"
-          | "manage:mfa:verify:*"
-          | "manage:mfa:verify:totp"
-          | "manage:key:*"
-          | "manage:key:readonly"
-          | "manage:key:get"
-          | "manage:key:listRoles"
-          | "manage:key:list"
-          | "manage:key:history:tx:list"
-          | "manage:key:create"
-          | "manage:key:import"
-          | "manage:key:update:*"
-          | "manage:key:update:owner"
-          | "manage:key:update:policy"
-          | "manage:key:update:enabled"
-          | "manage:key:update:metadata"
-          | "manage:key:update:editPolicy"
-          | "manage:key:delete"
-          | "manage:policy:*"
-          | "manage:policy:create"
-          | "manage:policy:get"
-          | "manage:policy:list"
-          | "manage:policy:delete"
-          | "manage:policy:update:*"
-          | "manage:policy:update:owner"
-          | "manage:policy:update:name"
-          | "manage:policy:update:editPolicy"
-          | "manage:policy:update:metadata"
-          | "manage:policy:update:rule"
-          | "manage:policy:invoke"
-          | "manage:policy:wasm:*"
-          | "manage:policy:wasm:upload"
-          | "manage:policy:secrets:*"
-          | "manage:policy:secrets:get"
-          | "manage:policy:secrets:update:*"
-          | "manage:policy:secrets:update:values"
-          | "manage:policy:secrets:update:editPolicy"
-          | "manage:contact:*"
-          | "manage:contact:create"
-          | "manage:contact:get"
-          | "manage:contact:list"
-          | "manage:contact:delete"
-          | "manage:contact:update:*"
-          | "manage:contact:update:name"
-          | "manage:contact:update:addresses"
-          | "manage:contact:update:owner"
-          | "manage:contact:update:metadata"
-          | "manage:contact:update:editPolicy"
-          | "manage:contact:lookup:*"
-          | "manage:contact:lookup:address"
-          | "manage:policy:createImportKey"
-          | "manage:role:*"
-          | "manage:role:readonly"
-          | "manage:role:create"
-          | "manage:role:delete"
-          | "manage:role:get:*"
-          | "manage:role:get:keys"
-          | "manage:role:get:keys:list"
-          | "manage:role:get:keys:get"
-          | "manage:role:get:users"
-          | "manage:role:list"
-          | "manage:role:update:*"
-          | "manage:role:update:enabled"
-          | "manage:role:update:policy"
-          | "manage:role:update:editPolicy"
-          | "manage:role:update:key:*"
-          | "manage:role:update:key:add"
-          | "manage:role:update:key:remove"
-          | "manage:role:update:user:*"
-          | "manage:role:update:user:add"
-          | "manage:role:update:user:remove"
-          | "manage:role:history:tx:list"
-          | "manage:identity:*"
-          | "manage:identity:verify"
-          | "manage:identity:add"
-          | "manage:identity:remove"
-          | "manage:identity:list"
-          | "manage:org:*"
-          | "manage:org:create"
-          | "manage:org:metrics:query"
-          | "manage:org:readonly"
-          | "manage:org:addUser"
-          | "manage:org:inviteUser"
-          | "manage:org:inviteAlien"
-          | "manage:org:updateMembership"
-          | "manage:org:listUsers"
-          | "manage:org:user:get"
-          | "manage:org:deleteUser"
-          | "manage:org:get"
-          | "manage:org:user:resetMfa"
-          | "manage:session:*"
-          | "manage:session:readonly"
-          | "manage:session:get"
-          | "manage:session:list"
-          | "manage:session:create"
-          | "manage:session:extend"
-          | "manage:session:revoke"
-          | "manage:export:*"
-          | "manage:export:org:*"
-          | "manage:export:org:get"
-          | "manage:export:user:*"
-          | "manage:export:user:delete"
-          | "manage:export:user:list"
-          | "manage:authMigration"
-          | "manage:authMigration:identity:add"
-          | "manage:authMigration:identity:remove"
-          | "manage:authMigration:user:update"
-          | "manage:mmi:*"
-          | "manage:mmi:readonly"
-          | "manage:mmi:get"
-          | "manage:mmi:list"
-          | "manage:mmi:reject"
-          | "manage:mmi:delete"
-          | "export:*"
-          | "export:user:*"
-          | "export:user:init"
-          | "export:user:complete"
-          | "mmi:*"
-          | "orgAccess:*"
-          | "orgAccess:child:*"
-        )
-      | string;
+    Scope: components["schemas"]["ExplicitScope"] | string;
     /** @description A set of scopes. */
     ScopeSet: OneOf<
       [
@@ -7145,6 +7378,9 @@ export interface components {
       org_id: string;
     };
     SignResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
       /** @description The hex-encoded resulting signature. */
       signature: string;
     };
@@ -7182,7 +7418,8 @@ export interface components {
       | "JrpcError"
       | "UnhandledError"
       | "ProxyStartError"
-      | "EnclaveError";
+      | "EnclaveError"
+      | "PolicyErrorWithEvalTree";
     /** @description Answer to a Sign-in with Ethereum challenge. */
     SiweCompleteRequest: {
       challenge_id: components["schemas"]["Id"];
@@ -7238,6 +7475,12 @@ export interface components {
      * }
      */
     SolanaSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -7256,6 +7499,18 @@ export interface components {
       source_ip: string;
     };
     StakeRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
+      /**
+       * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
+       * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
+       */
+      metadata?: unknown;
+    } & {
       /**
        * Format: int64
        * @description The chain on which we will deposit
@@ -7283,13 +7538,17 @@ export interface components {
        */
       withdrawal_addr: string;
     };
-    StakeResponse: {
+    StakeResponse: ({
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
+      deposit_tx: components["schemas"]["DepositTxn"];
+    }) & {
       /**
        * @description The validator key id ("Key#...")
        * @example Key#db1731f8-3659-45c0-885b-e11e1f5b7be2
        */
       created_validator_key_id: string;
-      deposit_tx: components["schemas"]["DepositTxn"];
     };
     Status: {
       /** @description Users who are allowed to approve. Must be non-empty. */
@@ -7335,6 +7594,12 @@ export interface components {
     SuiChain: "mainnet" | "devnet" | "testnet";
     /** @description Request to sign a serialized SUI transaction */
     SuiSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -7350,6 +7615,12 @@ export interface components {
       tx: string;
     };
     TaprootSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -7411,6 +7682,12 @@ export interface components {
     TelegramEnvironment: "production" | "test";
     /** @description The request for using the Tendermint sign endpoint. */
     TendermintSignRequest: {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
       /**
        * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
        * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
@@ -7682,7 +7959,6 @@ export interface components {
        */
       genesis_fork_version?: string | null;
     };
-    /** @description Unstake message request. */
     UnstakeRequest: {
       epoch?: components["schemas"]["Epoch"] | null;
       fork: components["schemas"]["Fork"];
@@ -7697,15 +7973,20 @@ export interface components {
        * @example 31337
        */
       validator_index: string;
-    };
-    /**
-     * @description Unstake responses are signed voluntary exit messages.
-     * The schema for this message is defined
-     * [here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).
-     * This message can be directly POSTed to the Beacon node's
-     * `/eth/v1/beacon/pool/voluntary_exits` end-point (see expected schema
-     * [here](https://ethereum.github.io/beacon-APIs/#/Beacon/submitPoolVoluntaryExit)).
-     */
+    } & {
+      /**
+       * @description Request additional information to be included in the response, explaining
+       * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
+       * Defaults to false.
+       */
+      explain?: boolean;
+      /**
+       * @description Optional metadata. Passing additional information as metadata can be used to make reviewing
+       * of pending MFA requests and/or historical key transactions more transparent. It can also be used e.g., to carry additional data to WebHook policies.
+       */
+      metadata?: unknown;
+    } & Record<string, never>;
+    /** @description A response to sign an eth2 unstake request. */
     UnstakeResponse: {
       message: components["schemas"]["VoluntaryExit"];
       /**
@@ -7713,7 +7994,10 @@ export interface components {
        * @example 0x910c7cd537ed91cc8c4a82f3cbd832e9be8c24a22e9c86df479f7ce42025ea6a09619b418b666a060e260d2aae31b8e50e9d05ca3442c7eed3b507e5207e14674275f68c2ba84c4bf6b8dd364a304acac8cfab3681e2514b4400f9242bc61164
        */
       signature: string;
-    };
+    } & {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & Record<string, never>;
     /** @description The information needed to update a Contact. */
     UpdateContactRequest: {
       addresses?: components["schemas"]["AddressMap"] | null;
@@ -7735,6 +8019,13 @@ export interface components {
        * Once disabled, a key cannot be used for signing.
        */
       enabled?: boolean | null;
+      /**
+       * @description If set, change the key's region affinity to this value.
+       *
+       * This is a region-locked operation, i.e., it can only be performed
+       * from the region matching the key's current region affinity
+       */
+      region?: string;
       /**
        * Format: int64
        * @description If set, updating the metadata only succeeds if the version matches this value.
@@ -7935,6 +8226,26 @@ export interface components {
     };
     /** @description Request body for updating a named policy. */
     UpdatePolicyRequest: {
+      /**
+       * @description New Access-control entries.
+       * @example [
+       *   {
+       *     "action": "attach",
+       *     "resources": [
+       *       {
+       *         "key_id": "*",
+       *         "role_id": "Role#e427c28a-9c5b-49cc-a257-878aea58a22c"
+       *       }
+       *     ],
+       *     "subjects": "*"
+       *   },
+       *   {
+       *     "action": "sign",
+       *     "subjects": "Role#e427c28a-9c5b-49cc-a257-878aea58a22c"
+       *   }
+       * ]
+       */
+      acl?: unknown[] | null;
       edit_policy?: components["schemas"]["EditPolicy"] | null;
       /** @description A new metadata. */
       metadata?: unknown;
@@ -8315,6 +8626,9 @@ export interface components {
     BabylonCovSignResponse: {
       content: {
         "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
           /**
            * @description The slash-unbonding transaction signatures as an array of hex strings with no 0x prefix
            * @example [
@@ -8348,6 +8662,9 @@ export interface components {
     BabylonRegistrationResponse: {
       content: {
         "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
           /**
            * @description The Babylon address that will receive the staking rewards for this deposit.
            *
@@ -8395,6 +8712,9 @@ export interface components {
     BabylonStakingResponse: {
       content: {
         "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
           /**
            * Format: int64
            * @description The transaction fee in sats
@@ -8413,6 +8733,9 @@ export interface components {
     BtcMessageSignResponse: {
       content: {
         "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
           /** @description The base64-encoded signature in BIP137 format. */
           sig: string;
         };
@@ -8518,7 +8841,7 @@ export interface components {
     /** @description The result of a Diffie Hellman key exchange */
     DiffieHellmanResponse: {
       content: {
-        "application/json":
+        "application/json": (
           | {
               /** @description The resulting points as base64-encoded byte strings in a key-type--dependent format. */
               points: string[];
@@ -8538,7 +8861,11 @@ export interface components {
               ephemeral_public_key: string;
               /** @enum {string} */
               response_type: "encrypted";
-            };
+            }
+        ) & {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & Record<string, never>;
       };
     };
     /**
@@ -8570,6 +8897,9 @@ export interface components {
     EotsCreateNonceResponse: {
       content: {
         "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
           /**
            * @description The generated nonces as an array of 0x-prefixed hex strings
            * @example [
@@ -8590,6 +8920,9 @@ export interface components {
     Eth1SignResponse: {
       content: {
         "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
           /**
            * @description Hex-encoded RLP encoding of the transaction and its signature
            * @example 0x22895118000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000001201d58656b0e22aaa68fdc692db41979098c3886ed33015d7467de9211609cdac000000000000000000000000000000000000000000000000000000000000000308b0c2900324d3ff9adfba7fdfe5af3f9b2cdbeef7b280437bbf1b1c59a093d615afe3e5dfed9622b540cdd9b49b3c5ad00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002001000000000000000000000049011adbcc3bc9c0307bb07f37dda1a1a9c69d2e0000000000000000000000000000000000000000000000000000000000000060903db8525674b8e7904f9b7d7d9ec55a0a42d33cf58be25469b0c21bbb6d06172bc5bb5fd1aed8e4f35936968958116b0619553c2cb1c52e7323074c6f8eb3d5a7074fc6580148df907837fa3b164ad7fbc2288dad1e8a5b021095b57c8a36d4
@@ -8598,17 +8931,6 @@ export interface components {
         };
       };
     };
-    Eth2SignResponse: {
-      content: {
-        "application/json": {
-          /**
-           * @description Hex encoded signature prefixed with 0x e.g. "0x0000..."
-           * @example 0xb4f2ef9d12a54e1f569596c07c97d6d730535b6ffc0d287761dc78103a86326782471a04c75ce7a6faea08ca9a4a0830031cdcb893da8711d54aa22619f1a7e71b8185ddf4c6bfd9babbd735960e35e56bd6eeb89625b04850e7a9ef8846e549
-           */
-          signature: string;
-        };
-      };
-    };
     FidoAssertChallenge: {
       content: {
         "application/json": (components["schemas"]["ChallengePieces"] & {
@@ -8701,10 +9023,13 @@ export interface components {
         "application/json": components["schemas"]["Response"] & Record<string, never>;
       };
     };
-    /** @description A JSON Web Key set describing the key used to sign JSON Web Tokens for MMI */
+    /** @description A JSON Web Key set describing the key used to sign JSON Web Tokens */
     JwkSetResponse: {
       content: {
-        "application/json": Record<string, never>;
+        "application/json": {
+          /** @description The keys included in this set */
+          keys: Record<string, never>[];
+        };
       };
     };
     /** @description Derivation-related metadata for keys derived from a long-lived mnemonic */
@@ -8805,6 +9130,8 @@ export interface components {
            * ]
            */
           policy: unknown[];
+          /** @description The key provenance. */
+          provenance?: string | null;
           /**
            * @description Hex-encoded, serialized public key. The format used depends on the key type:
            * - Secp256k1 keys use 65-byte uncompressed SECG format;
@@ -8824,6 +9151,15 @@ export interface components {
         };
       };
     };
+    /** @description Response returned when requesting a key attestation. */
+    KeyInfoJwt: {
+      content: {
+        "application/json": {
+          /** @description A JSON Web Token whose claims contain the `KeyInfo` structure. */
+          jwt: string;
+        };
+      };
+    };
     KeyInfos: {
       content: {
         "application/json": {
@@ -9336,6 +9672,8 @@ export interface components {
     PolicyInfo: {
       content: {
         "application/json": {
+          /** @description The access-control entries for the policy. */
+          acl?: unknown[] | null;
           /** @description A list of entities (keys, roles, etc.) the policy is attached to. */
           attached_to: components["schemas"]["PolicyAttachedToId"][];
           created: components["schemas"]["EpochDateTime"];
@@ -9394,6 +9732,9 @@ export interface components {
     PsbtSignResponse: {
       content: {
         "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
           /**
            * @description The PSBT in standard hex serialization, without leading "0x".
            * @example 70736274ff01005e...
@@ -9553,6 +9894,9 @@ export interface components {
     SignResponse: {
       content: {
         "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
           /** @description The hex-encoded resulting signature. */
           signature: string;
         };
@@ -9587,13 +9931,17 @@ export interface components {
     };
     StakeResponse: {
       content: {
-        "application/json": {
+        "application/json": ({
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
+          deposit_tx: components["schemas"]["DepositTxn"];
+        }) & {
           /**
            * @description The validator key id ("Key#...")
            * @example Key#db1731f8-3659-45c0-885b-e11e1f5b7be2
            */
           created_validator_key_id: string;
-          deposit_tx: components["schemas"]["DepositTxn"];
         };
       };
     };
@@ -9642,14 +9990,7 @@ export interface components {
         };
       };
     };
-    /**
-     * @description Unstake responses are signed voluntary exit messages.
-     * The schema for this message is defined
-     * [here](https://github.com/ethereum/consensus-specs/blob/v1.0.1/specs/phase0/beacon-chain.md#signedvoluntaryexit).
-     * This message can be directly POSTed to the Beacon node's
-     * `/eth/v1/beacon/pool/voluntary_exits` end-point (see expected schema
-     * [here](https://ethereum.github.io/beacon-APIs/#/Beacon/submitPoolVoluntaryExit)).
-     */
+    /** @description A response to sign an eth2 unstake request. */
     UnstakeResponse: {
       content: {
         "application/json": {
@@ -9659,7 +10000,10 @@ export interface components {
            * @example 0x910c7cd537ed91cc8c4a82f3cbd832e9be8c24a22e9c86df479f7ce42025ea6a09619b418b666a060e260d2aae31b8e50e9d05ca3442c7eed3b507e5207e14674275f68c2ba84c4bf6b8dd364a304acac8cfab3681e2514b4400f9242bc61164
            */
           signature: string;
-        };
+        } & {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & Record<string, never>;
       };
     };
     UpdateOrgResponse: {
@@ -9879,6 +10223,22 @@ export interface operations {
       };
     };
   };
+  /**
+   * JWKS endpoint for the attestation key
+   * @description JWKS endpoint for the attestation key
+   *
+   * Returns the public key used to sign Key info attestations.
+   */
+  attestationJwkSet: {
+    responses: {
+      200: components["responses"]["JwkSetResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * List accessible organizations.
    * @description List accessible organizations.
@@ -11783,6 +12143,36 @@ export interface operations {
       };
     };
   };
+  /**
+   * Attest to Key Properties
+   * @description Attest to Key Properties
+   *
+   * The response is a JWT whose claims are the key properties.
+   */
+  attestKey: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+        /**
+         * @description ID of the desired Key
+         * @example Key#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        key_id: string;
+      };
+    };
+    responses: {
+      200: components["responses"]["KeyInfoJwt"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * List Key Roles
    * @description List Key Roles
@@ -15257,7 +15647,7 @@ export interface operations {
       };
     };
     responses: {
-      200: components["responses"]["Eth2SignResponse"];
+      200: components["responses"]["SignResponse"];
       202: {
         content: {
           "application/json": components["schemas"]["AcceptedResponse"];