@cubist-labs/cubesigner-sdk 0.4.231 → 0.4.237

package/src/bucket.ts

@@ -0,0 +1,30 @@
+import type { Ace, AceAttribute } from "./acl";
+import type { BucketAction, schemas } from "./schema_types";
+
+/** Access control entry for policy buckets */
+export type BucketAce = Ace<
+  BucketAction,
+  {
+    policy_ids?: AceAttribute<string>;
+    bucket_keys?: AceAttribute<string>;
+  }
+>;
+
+/** Policy bucket information (like the one from {@link schemas} but with more precise `acl`) */
+export type BucketInfo = schemas["BucketInfo"] & {
+  acl?: BucketAce[];
+};
+
+/**
+ * Coerce the less accurate `BucketInfo` type from the OpenAPI schema to a more accurate {@link BucketInfo}.
+ *
+ * @param b The bucket info received on the wire.
+ * @returns The exact same value coerced to the {@link BucketInfo} type.
+ */
+export function coerceBucketInfo(b: schemas["BucketInfo"]): BucketInfo {
+  return {
+    ...b,
+    // TODO: parse once we add Zod
+    acl: b.acl as BucketAce[],
+  };
+}

package/src/client/api_client.ts

@@ -54,7 +54,6 @@ import type {
   UpdatePolicyRequest,
   ListPoliciesResponse,
   PolicyType,
-  PolicyInfo,
   DiffieHellmanRequest,
   DiffieHellmanResponse,
   KeyInfoJwt,
@@ -67,6 +66,9 @@ import type {
   KeyAttestationQuery,
   RoleAttestationQuery,
   ErrorResponse,
+  ListBucketsResponse,
+  UpdateBucketRequest,
+  PolicyInfo,
 } from "../schema_types";
 import { encodeToBase64 } from "../util";
 import {
@@ -152,6 +154,9 @@ import {
   type GetUserByOidcResponse,
   type EmailTemplatePurpose,
   ErrResponse,
+  coerceBucketInfo,
+  coercePolicyInfo,
+  type BucketInfo,
 } from "../index";
 import { assertOk, op, type Op, type Operation, apiFetch } from "../fetch";
 import { BaseClient, type ClientConfig, signerSessionFromSessionInfo } from "./base_client";
@@ -485,7 +490,7 @@ export class ApiClient extends BaseClient {
 
   // #endregion
 
-  // #region ORGS: orgGet, orgUpdate, orgUpdateUserMembership, orgCreateOrg, orgQueryMetrics, orgConfigureEmail
+  // #region ORGS: orgGet, orgUpdate, orgUpdateUserMembership, orgCreateOrg, orgQueryMetrics, orgGetEmailConfig, orgConfigureEmail, orgDeleteEmailConfig
 
   /**
    * Obtain information about an org
@@ -590,6 +595,21 @@ export class ApiClient extends BaseClient {
     );
   }
 
+  /**
+   * Get email configuration for a given purpose.
+   *
+   * @param purpose The email template kind to get
+   * @returns The email configuration
+   */
+  async orgGetEmailConfig(
+    purpose: EmailTemplatePurpose,
+  ): Promise<schemas["GetEmailConfigResponse"]> {
+    const o = op("/v0/org/{org_id}/emails/{purpose}", "get");
+    return this.exec(o, {
+      params: { path: { purpose } },
+    });
+  }
+
   /**
    * Configure email template
    *
@@ -608,6 +628,20 @@ export class ApiClient extends BaseClient {
     });
   }
 
+  /**
+   * Delete email configuration for a given purpose.
+   *
+   * @param purpose The email template kind to delete
+   * @returns An empty response
+   */
+  async orgDeleteEmailConfig(purpose: EmailTemplatePurpose): Promise<Empty> {
+    const o = op("/v0/org/{org_id}/emails/{purpose}", "delete");
+    return this.exec(o, {
+      params: { path: { purpose } },
+      body: {},
+    });
+  }
+
   // #endregion
 
   // #region ORG USERS: orgUserInvite, orgUserDelete, orgUsersList, orgUserGet, orgUserGetByEmail, orgUserCreateOidc, orgUserDeleteOidc
@@ -1496,14 +1530,14 @@ export class ApiClient extends BaseClient {
     acl?: JsonValue[],
   ): Promise<PolicyInfo> {
     const o = op("/v0/org/{org_id}/policies", "post");
-    return (await this.exec(o, {
+    return await this.exec(o, {
       body: {
         name,
         policy_type: type,
         rules,
         acl,
       },
-    })) as PolicyInfo;
+    }).then(coercePolicyInfo);
   }
 
   /**
@@ -1515,9 +1549,9 @@ export class ApiClient extends BaseClient {
    */
   async policyGet(policyId: string, version: policy.Version): Promise<PolicyInfo> {
     const o = op("/v0/org/{org_id}/policies/{policy_id}/{version}", "get");
-    return (await this.exec(o, {
+    return await this.exec(o, {
       params: { path: { policy_id: policyId, version } },
-    })) as PolicyInfo;
+    }).then(coercePolicyInfo);
   }
 
   /**
@@ -1554,17 +1588,13 @@ export class ApiClient extends BaseClient {
     mfaReceipt?: MfaReceipts,
   ): Promise<CubeSignerResponse<PolicyInfo>> {
     const o = op("/v0/org/{org_id}/policies/{policy_id}", "patch");
-    const signFn = async (headers?: HeadersInit) =>
+    const reqFn = async (headers?: HeadersInit) =>
       this.exec(o, {
         params: { path: { policy_id: policyId } },
         body: request,
         headers,
-      });
-    return (await CubeSignerResponse.create(
-      this.env,
-      signFn,
-      mfaReceipt,
-    )) as CubeSignerResponse<PolicyInfo>;
+      }).then((resp) => mapResponse(resp, coercePolicyInfo));
+    return await CubeSignerResponse.create(this.env, reqFn, mfaReceipt);
   }
 
   /**
@@ -1609,6 +1639,62 @@ export class ApiClient extends BaseClient {
 
   // #endregion
 
+  // #region BUCKET: bucket(Get|List|Update)
+
+  /**
+   * List available meta information about all policy buckets in the org.
+   *
+   * @param page Pagination options. Defaults to fetching the entire result set.
+   * @returns Paginator for iterating over policy buckets.
+   */
+  bucketsList(page?: PageOpts): Paginator<ListBucketsResponse, BucketInfo[]> {
+    const o = op("/v0/org/{org_id}/policy/buckets", "get");
+    return Paginator.items(
+      page ?? Page.default(),
+      (pageQuery) => this.exec(o, { params: { query: { ...pageQuery } } }),
+      (r) => r.buckets,
+      (r) => r.last_evaluated_key,
+    ) as Paginator<ListBucketsResponse, BucketInfo[]>;
+  }
+
+  /**
+   * Get the meta information of a policy KV store bucket.
+   *
+   * @param bucketName The name of the bucket to get
+   * @returns The bucket information
+   */
+  async bucketGet(bucketName: string): Promise<BucketInfo> {
+    const o = op("/v0/org/{org_id}/policy/buckets/{bucket_name}", "get");
+    return await this.exec(o, {
+      params: { path: { bucket_name: bucketName } },
+    }).then(coerceBucketInfo);
+  }
+
+  /**
+   * Set or update meta information for a policy KV store bucket.
+   *
+   * @param bucketName The name of the bucket to update.
+   * @param request The update request
+   * @param mfaReceipt Option MFA receipt(s)
+   * @returns The updated bucket information
+   */
+  async bucketUpdate(
+    bucketName: string,
+    request: UpdateBucketRequest,
+    mfaReceipt?: MfaReceipts,
+  ): Promise<CubeSignerResponse<BucketInfo>> {
+    const o = op("/v0/org/{org_id}/policy/buckets/{bucket_name}", "patch");
+    const reqFn = async (headers?: HeadersInit) =>
+      this.exec(o, {
+        params: { path: { bucket_name: bucketName } },
+        body: request,
+        headers,
+      }).then((resp) => mapResponse(resp, coerceBucketInfo));
+    return await CubeSignerResponse.create(this.env, reqFn, mfaReceipt);
+  }
+
+  // #endregion
+
   // #region WASM: wasm(PolicyUpload)
 
   /**

package/src/index.ts

@@ -34,6 +34,8 @@ export * from "./contact";
 export * from "./scopes";
 /** Policies */
 export * from "./policy";
+/** Buckets */
+export * from "./bucket";
 /** Access control */
 export * from "./acl";
 /** Utils */

package/src/org.ts

@@ -292,6 +292,12 @@ export class Org {
     return (data.policy ?? []) as unknown as OrgPolicy[];
   }
 
+  /** @returns the sign policy for the org. */
+  async signPolicy(): Promise<RolePolicy> {
+    const data = await this.fetch();
+    return (data.sign_policy ?? []) as unknown as RolePolicy;
+  }
+
   /**
    * Set the policy for the org.
    *
@@ -302,6 +308,18 @@ export class Org {
     await this.update({ policy: p });
   }
 
+  /**
+   * Set the sign policy for the org.
+   *
+   * This is a global sign policy that applies to every sign operation (every key, every role) in the org.
+   * It is analogous to how role policies apply to all sign requests performed by the corresponding role sessions.
+   *
+   * @param policy The new policy for the org.
+   */
+  async setSignPolicy(policy: RolePolicy) {
+    await this.update({ sign_policy: policy });
+  }
+
   /**
    * Retrieve the organization's extended properties (uncommon features not used by most users).
    *

package/src/policy.ts

@@ -10,15 +10,15 @@ import type {
   KeyPolicyRule,
   MfaReceipts,
   PolicyAttachedToId,
-  PolicyInfo,
   PolicyType,
   RolePolicy,
   RolePolicyRule,
   UpdatePolicyRequest,
   WasmRule,
-  Acl,
   AceAttribute,
   PolicyAction,
+  Ace,
+  PolicyInfo,
 } from ".";
 
 import { loadSubtleCrypto } from ".";
@@ -32,7 +32,7 @@ export type PolicyRule = KeyPolicyRule | RolePolicyRule | WasmRule;
  * A helper type for {@link PolicyInfo} with a more detailed `acl` type.
  */
 type NamedPolicyInfo = PolicyInfo & {
-  acl?: Acl<PolicyAction, PolicyCtx>;
+  acl?: PolicyAcl;
 };
 
 /**
@@ -67,7 +67,10 @@ export type C2FInfo = WasmPolicyInfo;
 export type Version = `v${number}` | `latest`;
 
 /** A policy access control entry. */
-export type PolicyAcl = Acl<PolicyAction, PolicyCtx>;
+export type PolicyAce = Ace<PolicyAction, PolicyCtx>;
+
+/** A policy access control list. */
+export type PolicyAcl = PolicyAce[];
 
 /** Additional contexts when using policies. */
 export type PolicyCtx = {
@@ -476,7 +479,7 @@ export class C2FFunction extends NamedPolicy {
     // upload the policy object
     const hash = await uploadWasmFunction(this.apiClient, policy);
 
-    // update this policy with the new policy verison.
+    // update this policy with the new policy version.
     const body: UpdatePolicyRequest = { rules: [{ hash }] };
     this.data = (await this.update(body, mfaReceipt)) as C2FInfo;
   }

package/src/role.ts

@@ -29,6 +29,9 @@ import type { RoleAttestationClaims, RoleAttestationQuery } from "./schema_types
 
 type NameOrAddressOrNull = string | null;
 
+/** Only allow the following operations */
+export type OperationAllowlist = { OperationAllowlist: OperationKind[] };
+
 /**
  * Restrict the receiver for EVM transactions.
  *
@@ -310,6 +313,13 @@ export type BtcSegwitValueLimitWindow = {
  */
 export type SourceIpAllowlist = { SourceIpAllowlist: string[] };
 
+/**
+ * Disallow signing until the specified Unix timestamp (in seconds since epoch).
+ *
+ * @example { TimeLock: 1750000000 }
+ */
+export type TimeLock = { TimeLock: number };
+
 export type HttpRequestComparer = "Eq" | { EvmTx: EvmTxCmp } | { SolanaTx: SolanaTxCmp };
 
 /**
@@ -476,6 +486,7 @@ export type NamedPolicyReference = {
 
 /** Key policies that restrict the requests that the signing endpoints accept */
 export type KeyDenyPolicy =
+  | OperationAllowlist
   | TxReceiver
   | TxDeposit
   | TxValueLimit
@@ -487,6 +498,7 @@ export type KeyDenyPolicy =
   | SuiTxReceivers
   | BtcTxReceivers
   | SourceIpAllowlist
+  | TimeLock
   | SolanaInstructionPolicy
   | BtcSegwitValueLimit
   | RequireMfa