@cubist-labs/cubesigner-sdk 0.4.217 → 0.4.219

package/src/schema.ts

@@ -94,6 +94,13 @@ export interface paths {
      */
     patch: operations["updateOrg"];
   };
+  "/v0/org/{org_id}/audit": {
+    /**
+     * Query the audit log.
+     * @description Query the audit log.
+     */
+    post: operations["queryAuditLog"];
+  };
   "/v0/org/{org_id}/auth_migration/add_identity": {
     /**
      * Associate an OIDC identity with an arbitrary user in org <session.org>.
@@ -1803,6 +1810,50 @@ export interface components {
      * the aud value MAY be a single case-sensitive string.
      */
     Aud: string | string[];
+    AuditLogEntry: {
+      /** @description The name of the event */
+      event: string;
+      /** @description UUID of the event. Unique across all events. */
+      event_id: string;
+      org_id: components["schemas"]["Id"];
+      /**
+       * @description The id of the HTTP request which triggered the event
+       * (a single request can trigger multiple events).
+       */
+      request_id: string;
+      /** @description The time when the event was logged. */
+      time: string;
+      /**
+       * @description The id of the identity (user or role) which triggered the event
+       * (may be undefined for certain unauthenticated endpoints)
+       */
+      triggered_by?: string | null;
+      [key: string]: unknown;
+    };
+    /** @description The request type for querying the audit log. */
+    AuditLogRequest: {
+      /**
+       * Format: int64
+       * @description End time in seconds since unix epoch. If omitted, defaults to 'now'.
+       */
+      end_time?: number | null;
+      /**
+       * @description Filter the log by the event name.
+       * If omitted, all events will be included.
+       * Must not be set to an empty array
+       */
+      events?: components["schemas"]["OrgEventDiscriminants"][] | null;
+      /**
+       * Format: int64
+       * @description Start time in seconds since unix epoch.
+       */
+      start_time: number;
+    };
+    /** @description The audit log response */
+    AuditLogResponse: {
+      /** @description Audit log entries */
+      entries: components["schemas"]["AuditLogEntry"][];
+    };
     /** @description Data required for both `authenticate` and `refresh`. */
     AuthData: {
       /** Format: int32 */
@@ -1952,6 +2003,8 @@ export interface components {
     AuthenticatorTransport: "usb" | "nfc" | "ble" | "internal";
     /** @description Request to sign a serialized Avalanche transaction */
     AvaSerializedTxSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -1969,6 +2022,8 @@ export interface components {
     };
     /** @description Request to sign an Avalanche transaction */
     AvaSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -2001,6 +2056,8 @@ export interface components {
     /** @description Wrapper around a zeroizing 32-byte fixed-size array */
     B32: string;
     BabylonCovSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -2189,6 +2246,8 @@ export interface components {
        */
       value: number;
     }) & {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -2587,7 +2646,7 @@ export interface components {
       | "InvalidEmailTemplate"
       | "QueryMetricsError"
       | "InvalidTelegramData"
-      | "QueryMetricsValidationError"
+      | "ValidationError"
       | "WebhookPolicyTimeoutOutOfBounds"
       | "WebhookPolicyDisallowedUrlScheme"
       | "WebhookPolicyDisallowedUrlHost"
@@ -2906,6 +2965,7 @@ export interface components {
       | "UpdateContact"
       | "LookupContactsByAddress"
       | "QueryMetrics"
+      | "QueryAuditLog"
       | "Counts"
       | "CreateKey"
       | "ImportKey"
@@ -2983,6 +3043,8 @@ export interface components {
      * }
      */
     BlobSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -3066,6 +3128,8 @@ export interface components {
     };
     /** @description Data to sign */
     BtcMessageSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -3103,6 +3167,8 @@ export interface components {
       | "NonePlusAnyoneCanPay"
       | "SinglePlusAnyoneCanPay";
     BtcSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -3708,6 +3774,8 @@ export interface components {
       mnemonic_id?: string | null;
     };
     DiffieHellmanRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -3786,6 +3854,8 @@ export interface components {
       time_lock_until?: components["schemas"]["EpochDateTime"] | null;
     };
     Eip191SignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -3903,6 +3973,8 @@ export interface components {
      * }
      */
     Eip712SignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -3993,6 +4065,8 @@ export interface components {
      * at a specified block height.
      */
     EotsCreateNonceRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -4038,6 +4112,8 @@ export interface components {
     };
     /** @description Request for an EOTS signature on a specified message, chain-id, block-height triple */
     EotsSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -4129,6 +4205,8 @@ export interface components {
      * }
      */
     Eth1SignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -4186,6 +4264,8 @@ export interface components {
      * }
      */
     Eth2SignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -4424,6 +4504,7 @@ export interface components {
       | "manage:key:update:editPolicy"
       | "manage:key:delete"
       | "manage:policy:*"
+      | "manage:policy:readonly"
       | "manage:policy:create"
       | "manage:policy:get"
       | "manage:policy:list"
@@ -4445,6 +4526,7 @@ export interface components {
       | "manage:policy:secrets:update:acl"
       | "manage:policy:secrets:update:editPolicy"
       | "manage:contact:*"
+      | "manage:contact:readonly"
       | "manage:contact:create"
       | "manage:contact:get"
       | "manage:contact:list"
@@ -4481,6 +4563,7 @@ export interface components {
       | "manage:role:update:user:remove"
       | "manage:role:history:tx:list"
       | "manage:identity:*"
+      | "manage:identity:readonly"
       | "manage:identity:verify"
       | "manage:identity:add"
       | "manage:identity:remove"
@@ -4488,6 +4571,7 @@ export interface components {
       | "manage:org:*"
       | "manage:org:create"
       | "manage:org:metrics:query"
+      | "manage:org:audit:query"
       | "manage:org:readonly"
       | "manage:org:addUser"
       | "manage:org:inviteUser"
@@ -4506,6 +4590,7 @@ export interface components {
       | "manage:session:extend"
       | "manage:session:revoke"
       | "manage:export:*"
+      | "manage:export:readonly"
       | "manage:export:org:*"
       | "manage:export:org:get"
       | "manage:export:user:*"
@@ -4663,6 +4748,7 @@ export interface components {
       | "RemoveLastOidcIdentity"
       | "OperationNotAllowed"
       | "OrgExportRetrievalDisabled"
+      | "ChangingKeyExportRequirementIsDisabled"
       | "AutoAddBlsKeyToProtectedRole"
       | "UserNotPolicyOwner"
       | "UserNotContactOwner"
@@ -4903,6 +4989,7 @@ export interface components {
     /** @enum {string} */
     InternalErrorCode:
       | "NoMaterialId"
+      | "InvalidAuditLogEntry"
       | "UnexpectedCheckerRule"
       | "UnresolvedPolicyReference"
       | "UnexpectedAclAction"
@@ -4951,6 +5038,7 @@ export interface components {
       | "CognitoResendUserInvitation"
       | "CognitoSetUserPasswordError"
       | "GenericInternalError"
+      | "AssumeRoleWithoutEvidence"
       | "OidcAuthWithoutOrg"
       | "MissingKeyMetadata"
       | "KmsEnableKeyError"
@@ -5456,6 +5544,7 @@ export interface components {
     MfaRequirements: {
       alien_login_requirement?: components["schemas"]["SecondFactorRequirement"];
       allowed_mfa_types?: components["schemas"]["AllowedMfaMap"];
+      key_export_requirement?: components["schemas"]["SecondFactorRequirement"];
       member_login_requirement?: components["schemas"]["SecondFactorRequirement"];
     };
     MfaResetRequest: {
@@ -5788,7 +5877,10 @@ export interface components {
           user?: components["schemas"]["Id"] | null;
         }
       | {
-          /** @description The duration of the request in milliseconds */
+          /**
+           * Format: int64
+           * @description The duration of the request in milliseconds
+           */
           duration_ms: number;
           /** @description The HTTP request method */
           method: string;
@@ -6221,6 +6313,21 @@ export interface components {
        */
       "page.start"?: string | null;
     };
+    /**
+     * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
+     * value (which can the user pass back to use as a url query parameter to continue pagination).
+     */
+    PaginatedAuditLogResponse: {
+      /** @description Audit log entries */
+      entries: components["schemas"]["AuditLogEntry"][];
+    } & {
+      /**
+       * @description If set, the content of `response` does not contain the entire result set.
+       * To fetch the next page of the result set, call the same endpoint
+       * but specify this value as the 'page.start' query parameter.
+       */
+      last_evaluated_key?: string | null;
+    };
     /**
      * @description Response type that wraps another type and adds base64url-encoded encrypted `last_evaluated_key`
      * value (which can the user pass back to use as a url query parameter to continue pagination).
@@ -6807,6 +6914,8 @@ export interface components {
     >;
     /** @description A request to sign a PSBT */
     PsbtSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -7646,7 +7755,7 @@ export interface components {
      * @description Supported Solana clusters.
      * @enum {string}
      */
-    SolanaCluster: "mainnet" | "devnet" | "testnet";
+    SolanaCluster: "mainnet" | "devnet";
     /**
      * @description Solana signing request
      * @example {
@@ -7654,6 +7763,8 @@ export interface components {
      * }
      */
     SolanaSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -7678,6 +7789,8 @@ export interface components {
       source_ip: string;
     };
     StakeRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -7773,6 +7886,8 @@ export interface components {
     SuiChain: "mainnet" | "devnet" | "testnet";
     /** @description Request to sign a serialized SUI transaction */
     SuiSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -7794,6 +7909,8 @@ export interface components {
       tx: string;
     };
     TaprootSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -7861,6 +7978,8 @@ export interface components {
     TelegramEnvironment: "production" | "test";
     /** @description The request for using the Tendermint sign endpoint. */
     TendermintSignRequest: {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -8153,6 +8272,8 @@ export interface components {
        */
       validator_index: string;
     } & {
+      /** @description Optionally assume this role */
+      assume_role?: string | null;
       /**
        * @description Request additional information to be included in the response, explaining
        * the outcome (i.e., permitted vs. denied vs. MFA required) of the sign request.
@@ -8254,6 +8375,7 @@ export interface components {
       enabled?: boolean | null;
       historical_data_configuration?: components["schemas"]["HistoricalDataConfiguration"] | null;
       idp_configuration?: components["schemas"]["IdpConfig"] | null;
+      key_export_requirement?: components["schemas"]["SecondFactorRequirement"] | null;
       member_login_requirement?: components["schemas"]["SecondFactorRequirement"] | null;
       /**
        * @description If set, update this org's notification endpoints. Notification endpoints are expected to be
@@ -8366,6 +8488,7 @@ export interface components {
       enabled?: boolean | null;
       historical_data_configuration?: components["schemas"]["HistoricalDataConfiguration"] | null;
       idp_configuration?: components["schemas"]["IdpConfig"] | null;
+      key_export_requirement?: components["schemas"]["SecondFactorRequirement"] | null;
       member_login_requirement?: components["schemas"]["SecondFactorRequirement"] | null;
       /**
        * @description The new human-readable name for the org (must be alphanumeric)
@@ -9571,6 +9694,21 @@ export interface components {
         };
       };
     };
+    PaginatedAuditLogResponse: {
+      content: {
+        "application/json": {
+          /** @description Audit log entries */
+          entries: components["schemas"]["AuditLogEntry"][];
+        } & {
+          /**
+           * @description If set, the content of `response` does not contain the entire result set.
+           * To fetch the next page of the result set, call the same endpoint
+           * but specify this value as the 'page.start' query parameter.
+           */
+          last_evaluated_key?: string | null;
+        };
+      };
+    };
     PaginatedGetUsersInOrgResponse: {
       content: {
         "application/json": {
@@ -10236,6 +10374,7 @@ export interface components {
             | components["schemas"]["HistoricalDataConfiguration"]
             | null;
           idp_configuration?: components["schemas"]["IdpConfig"] | null;
+          key_export_requirement?: components["schemas"]["SecondFactorRequirement"] | null;
           member_login_requirement?: components["schemas"]["SecondFactorRequirement"] | null;
           /**
            * @description The new human-readable name for the org (must be alphanumeric)
@@ -10609,6 +10748,49 @@ export interface operations {
       };
     };
   };
+  /**
+   * Query the audit log.
+   * @description Query the audit log.
+   */
+  queryAuditLog: {
+    parameters: {
+      query?: {
+        /**
+         * @description Max number of items to return per page.
+         *
+         * If the actual number of returned items may be less that this, even if there exist more
+         * data in the result set. To reliably determine if more data is left in the result set,
+         * inspect the [UnencryptedLastEvalKey] value in the response object.
+         */
+        "page.size"?: number;
+        /**
+         * @description The start of the page.  Omit to start from the beginning; otherwise, only specify a
+         * the exact value previously returned as 'last_evaluated_key' from the same endpoint.
+         */
+        "page.start"?: string | null;
+      };
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["AuditLogRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["PaginatedAuditLogResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Associate an OIDC identity with an arbitrary user in org <session.org>.
    * @description Associate an OIDC identity with an arbitrary user in org <session.org>.

package/src/schema_types.ts

@@ -209,6 +209,9 @@ export type CreateOrgRequest = schemas["CreateOrgRequest"];
 export type OrgMetricName = schemas["MetricName"];
 export type QueryMetricsRequest = schemas["QueryMetricsRequest"];
 export type QueryMetricsResponse = schemas["QueryMetricsResponse"];
+export type AuditLogRequest = schemas["AuditLogRequest"];
+export type AuditLogResponse = schemas["PaginatedAuditLogResponse"];
+export type AuditLogEntry = schemas["AuditLogEntry"];
 
 export type DiffieHellmanRequest = schemas["DiffieHellmanRequest"];
 export type DiffieHellmanResponse = schemas["DiffieHellmanResponse"];

package/src/scopes.ts

@@ -90,6 +90,7 @@ export const AllScopes: Record<ExplicitScope, string> =
   "manage:key:update:editPolicy"                : "Allows access only to the key 'update' endpoint and restricts updates to the 'edit_policy' property",
   "manage:key:delete"                           : "Allows access only to the key 'delete' endpoint",
   "manage:policy:*"                             : "Allows access to all policy endpoints",
+  "manage:policy:readonly"                      : "Allows access to all policy readonly endpoints",
   "manage:policy:create"                        : "Allows access only to the policy creation endpoint",
   "manage:policy:get"                           : "Allows access only to the policy 'get' endpoint",
   "manage:policy:list"                          : "Allows access only to the policy 'list' endpoint",
@@ -111,6 +112,7 @@ export const AllScopes: Record<ExplicitScope, string> =
   "manage:policy:secrets:update:acl"            : "Allows access only to the policy secrets 'update' endpoint, but restricting updates to the secrets acl",
   "manage:policy:secrets:update:editPolicy"     : "Allows access only to the policy secrets 'update' endpoint, but restricting updates to the `edit_policy` property",
   "manage:contact:*"                            : "Allows access to all contact endpoints",
+  "manage:contact:readonly"                     : "Allows access to all contact readonly endpoints",
   "manage:contact:create"                       : "Allows access to the contact 'create' endpoint",
   "manage:contact:get"                          : "Allows access to the contact `get` endpoint",
   "manage:contact:list"                         : "Allows access to the contact `list` endpoint",
@@ -147,6 +149,7 @@ export const AllScopes: Record<ExplicitScope, string> =
   "manage:role:update:user:remove"              : "Allows access to the role 'update:user:remove' endpoint",
   "manage:role:history:tx:list"                 : "Allows access only to the role 'list_historical_tx' endpoint",
   "manage:identity:*"                           : "Allows access to all identity endpoints",
+  "manage:identity:readonly"                    : "Allows access to all identity readonly endpoints.",
   "manage:identity:verify"                      : "Allows access only to the identity 'verify' endpoint",
   "manage:identity:add"                         : "Allows access only to the identity 'add' endpoint",
   "manage:identity:remove"                      : "Allows access only to the identity 'remove' endpoint",
@@ -154,6 +157,7 @@ export const AllScopes: Record<ExplicitScope, string> =
   "manage:org:*"                                : "Allows access to all org endpoints",
   "manage:org:create"                           : "Allows access to the org 'create' endpoint",
   "manage:org:metrics:query"                    : "Allows access to retrieving org metrics",
+  "manage:org:audit:query"                      : "Allows access to retrieving org audit log",
   "manage:org:readonly"                         : "Allows access to all org readonly endpoints",
   "manage:org:addUser"                          : "Allows access only to the org endpoint for adding an OIDC user to the org",
   "manage:org:inviteUser"                       : "Allows access only to the org endpoint for inviting a new member or org owner to the org",
@@ -172,6 +176,7 @@ export const AllScopes: Record<ExplicitScope, string> =
   "manage:session:extend"                       : "Allows access only to the session 'create' endpoint, including the ability to extend session lifetimes",
   "manage:session:revoke"                       : "Allows access only to the session 'revoke' endpoints",
   "manage:export:*"                             : "Allows access to all export endpoints",
+  "manage:export:readonly"                      : "Allows access to all export management readonly endpoints",
   "manage:export:org:*"                         : "Allows access to all org-export management endpoints",
   "manage:export:org:get"                       : "Allows access to the org-export download endpoint",
   "manage:export:user:*"                        : "Allows access to all user-export management endpoints",