@cubist-labs/cubesigner-sdk 0.4.254 → 0.4.260

package/src/schema.ts

@@ -884,6 +884,12 @@ export interface paths {
      * but extends the output with an `id_token`.
      *
      * This `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.
+     * Callers must request *at least* scopes `tweet.read` and `users.read` during auth with twitter.
+     *
+     * By default, the id token does not contain a confirmed email;
+     * callers can request this field be populated by requesting the `users.email` scope
+     * and adding `fetch_email` as a URL parameter to this route.
+     *
      *
      * > [!IMPORTANT]
      * > This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.
@@ -947,6 +953,33 @@ export interface paths {
      */
     patch: operations["siweComplete"];
   };
+  "/v0/org/{org_id}/oidc/siws": {
+    /**
+     * Initiate login via Sign-in With Solana (SIWS).
+     * @description Initiate login via Sign-in With Solana (SIWS).
+     *
+     * This endpoint generates a challenge which can be answered (via the corresponding PATCH endpoint)
+     * to obtain an OIDC token. The OIDC token can then be exchanged for a user session via the standard
+     * OIDC auth route.
+     *
+     * > [!IMPORTANT]
+     * > For this endpoint to succeed, the org must be configured to:
+     * > Allow the issuer `https://shim.oauth2.cubist.dev/siws` with the Org ID as the client ID
+     */
+    post: operations["siwsInit"];
+    /**
+     * Complete login via Sign-in With Solana (SIWS)
+     * @description Complete login via Sign-in With Solana (SIWS)
+     *
+     * If the challenge (issued by the corresponding POST endpoint) is answered correctly, this endpoint
+     * generates an OIDC token that can then be exchanged for a user session via the standard OIDC auth route.
+     *
+     * > [!IMPORTANT]
+     * > For this endpoint to succeed, the org must be configured to:
+     * > Allow the issuer `https://shim.oauth2.cubist.dev/siws` with the Org ID as the client ID
+     */
+    patch: operations["siwsComplete"];
+  };
   "/v0/org/{org_id}/oidc/telegram": {
     /**
      * Allows a user to authenticate with the telegram API using the tgWebAppData value
@@ -1310,6 +1343,13 @@ export interface paths {
      *
      * If a `role` query parameter is provided, **ALL** session for **THAT ROLE** are revoked
      * (if the current user has permissions to revoke sessions for the role).
+     *
+     * If a `role_created_by` query parameter is provided, **ROLE** sessions created by **THAT USER**
+     * are revoked (gated by the same permissions as revoking that user's own sessions: the current
+     * user must be that user or an org owner). User sessions are not affected. Unless the current
+     * user is an org owner, only sessions for roles the current user is **still a member of** are
+     * revoked (so a user cannot revoke sessions for a role they have since been removed from); org
+     * owners revoke across all roles.
      */
     delete: operations["revokeSessions"];
   };
@@ -1760,6 +1800,9 @@ export interface components {
         {
           BinanceDryRun: components["schemas"]["BinanceDryRunArgs"];
         },
+        {
+          BybitDryRun: components["schemas"]["BybitDryRunArgs"];
+        },
         {
           CoinbaseDryRun: components["schemas"]["CoinbaseDryRunArgs"];
         },
@@ -1769,7 +1812,12 @@ export interface components {
       ]
     >;
     /** @enum {string} */
-    AcceptedValueCode: "SignDryRun" | "BinanceDryRun" | "CoinbaseDryRun" | "MfaRequired";
+    AcceptedValueCode:
+      | "SignDryRun"
+      | "BinanceDryRun"
+      | "BybitDryRun"
+      | "CoinbaseDryRun"
+      | "MfaRequired";
     /**
      * @description Determines who controls the keys within an org
      * @enum {string}
@@ -2862,6 +2910,8 @@ export interface components {
       | "KeyNotFound"
       | "SiweChallengeNotFound"
       | "SiweInvalidRequest"
+      | "SiwsChallengeNotFound"
+      | "SiwsInvalidRequest"
       | "UserExportDerivedKey"
       | "UserExportPublicKeyInvalid"
       | "NistP256PublicKeyInvalid"
@@ -2876,8 +2926,10 @@ export interface components {
       | "InvalidPropertiesForKeyType"
       | "MismatchedKeyPropertiesPatch"
       | "MissingBinanceApiKey"
+      | "MissingBybitApiKey"
       | "MissingCoinbaseApiKey"
       | "BinanceKeyMasterMismatch"
+      | "BybitAccountMismatch"
       | "InvalidKeyMaterial"
       | "InvalidHexValue"
       | "InvalidBase32Value"
@@ -2920,6 +2972,7 @@ export interface components {
       | "LimitWindowTooLong"
       | "Erc20ContractDisallowed"
       | "EmptyRuleError"
+      | "PolicyFieldValidationError"
       | "OptionalListEmpty"
       | "MultipleExclusiveFieldsProvided"
       | "DuplicateFieldEntry"
@@ -3004,6 +3057,7 @@ export interface components {
       | "InvalidPolicyReference"
       | "PolicyEngineDisabled"
       | "InvalidWasmPolicy"
+      | "CelProgramTooLarge"
       | "InvalidPolicy"
       | "RedundantDerivationPath"
       | "ImportKeyMissing"
@@ -3154,6 +3208,7 @@ export interface components {
       | "BabylonStaking"
       | "BabylonCovSign"
       | "BinanceSign"
+      | "BybitSign"
       | "CoinbaseSign"
       | "BlobSign"
       | "BtcMessageSign"
@@ -3181,6 +3236,8 @@ export interface components {
       | "EmailOtpAuth"
       | "SiweInit"
       | "SiweComplete"
+      | "SiwsInit"
+      | "SiwsComplete"
       | "TelegramAuth"
       | "CreateOidcUser"
       | "DeleteOidcUser"
@@ -3201,7 +3258,9 @@ export interface components {
       | "RpcGetTransaction"
       | "RpcListTransactions"
       | "RpcRetryTransaction"
+      | "RpcCancelTransaction"
       | "RpcBinance"
+      | "RpcBybit"
       | "RpcCoinbase"
       | "CustomChainRpcCall"
       | "EsploraApiCall"
@@ -3261,6 +3320,18 @@ export interface components {
       recvWindow?: number | null;
     };
     /** @description Parameters envelope for all Binance RPC methods. */
+    BinanceDepositHistoryParams: components["schemas"]["DepositHistoryRequest"] & {
+      dryRun?: components["schemas"]["BinanceDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: float
+       * @description Optional "receive window", i.e., for how long the request stays valid.
+       * May only be specified in milliseconds, with up to three decimal places of precision.
+       * If omitted, defaults to 10000. Must not be greater than 60000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Parameters envelope for all Binance RPC methods. */
     BinanceDepositParams: components["schemas"]["DepositRequest"] & {
       dryRun?: components["schemas"]["BinanceDryRunMode"] | null;
       keyId: components["schemas"]["Id"];
@@ -3350,6 +3421,11 @@ export interface components {
           method: "cs_binanceDeposit";
           params: components["schemas"]["BinanceDepositParams"];
         }
+      | {
+          /** @enum {string} */
+          method: "cs_binanceDepositHistory";
+          params: components["schemas"]["BinanceDepositHistoryParams"];
+        }
       | {
           /** @enum {string} */
           method: "cs_binanceListSubAccounts";
@@ -3754,9 +3830,495 @@ export interface components {
       metadata?: unknown;
       owner: components["schemas"]["Id"];
     };
+    /**
+     * @description Wire-format patch payload for [`KeyProperties::BybitApi`].
+     *
+     * Every field follows the same per-field PATCH semantics: a missing field
+     * leaves the existing value alone, a JSON `null` clears it, and a value sets it.
+     */
+    BybitApiPropertiesPatch: {
+      /** @description The Bybit-issued API key string. Encrypted server-side before storage. */
+      api_key?: string | null;
+      /** @description Arbitrary label. Useful for storing the corresponding API key label on the Bybit side. */
+      label?: string | null;
+    };
+    /** @description One entry in [`BybitQueryCoinsBalanceResponse::balance`]. */
+    BybitCoinBalance: {
+      /** @description Bonus / promotional balance, as a decimal string. */
+      bonus?: string | null;
+      /** @description Coin symbol, uppercase (e.g. `USDT`, `BTC`). */
+      coin: string;
+      /** @description Portion of `wallet_balance` that can be transferred out. */
+      transferBalance: string;
+      /** @description Total wallet balance for `coin`, as a decimal string. */
+      walletBalance: string;
+    };
+    /** @description One entry in [`BybitQueryDepositAddressResponse::chains`]. */
+    BybitDepositChain: {
+      /** @description Deposit address on this chain. */
+      addressDeposit: string;
+      /** @description Single-deposit cap for this coin on this chain; `"-1"` means no limit. */
+      batchReleaseLimit?: string | null;
+      /** @description Short chain code (e.g. `ETH`, `TRX`). */
+      chain: string;
+      /** @description Human-readable chain name (e.g. `Ethereum (ERC20)`). */
+      chainType?: string | null;
+      /**
+       * @description Token contract address on this chain. Bybit only returns the last 6
+       * characters; empty for native coins.
+       */
+      contractAddress?: string | null;
+      /**
+       * @description Memo / tag required for chains that use one (e.g. XRP, EOS). Empty for
+       * chains that don't.
+       */
+      tagDeposit?: string | null;
+    };
+    BybitDryRunArgs: {
+      /** @description The Bybit API method that would have been used */
+      method: string;
+      /** @description The request body (for POST endpoints) or query string (for GET endpoints). */
+      payload: string;
+      /** @description The Bybit API url that would have been called */
+      url: string;
+    };
+    /**
+     * @description "Dry run" modes for Bybit requests.
+     * @enum {string}
+     */
+    BybitDryRunMode: "NO_SIGN" | "NO_SUBMIT";
+    /**
+     * @description Parameters envelope for all Bybit RPC variants whose payload schema is
+     * derived from a `*Request` struct. (`BybitQueryUserParams` and
+     * `BybitQuerySubMembersParams` have no per-variant payload and are defined
+     * directly below.)
+     */
+    BybitQueryCoinsBalanceParams: components["schemas"]["BybitQueryCoinsBalanceRequest"] & {
+      dryRun?: components["schemas"]["BybitDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: int32
+       * @description Optional "receive window", i.e., for how long the request stays valid.
+       * Specified in milliseconds. If omitted, defaults to 10000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Parameters for `GET /v5/asset/transfer/query-account-coins-balance`. */
+    BybitQueryCoinsBalanceRequest: {
+      /**
+       * @description Wallet type. Common values: `"FUND"`, `"UNIFIED"`, `"CONTRACT"`. Bybit
+       * expects this verbatim; we don't constrain it on our side.
+       */
+      accountType: string;
+      /**
+       * @description Optional list of coin symbols, comma-separated (e.g. `"BTC,USDT"`).
+       * Bybit returns balances for all coins when omitted.
+       */
+      coin?: string | null;
+      /**
+       * @description Optional sub-account UID. When supplied, the master key queries the
+       * named sub-account's balance.
+       */
+      memberId?: string | null;
+      /**
+       * @description Optional flag: `"0"` query without conversion to USD (default),
+       * `"1"` include USD valuation. Bybit accepts this as a string.
+       */
+      withBonus?: string | null;
+    };
+    /** @description Response of `GET /v5/asset/transfer/query-account-coins-balance`. */
+    BybitQueryCoinsBalanceResponse: {
+      /** @description Account type the balances belong to (e.g. `UNIFIED`, `FUND`, `CONTRACT`). */
+      accountType: string;
+      /** @description Per-coin balances. */
+      balance: components["schemas"]["BybitCoinBalance"][];
+      /** @description UID of the (sub-)account whose balance is being reported. */
+      memberId?: string | null;
+    };
+    /**
+     * @description Parameters envelope for all Bybit RPC variants whose payload schema is
+     * derived from a `*Request` struct. (`BybitQueryUserParams` and
+     * `BybitQuerySubMembersParams` have no per-variant payload and are defined
+     * directly below.)
+     */
+    BybitQueryDepositAddressParams: components["schemas"]["BybitQueryDepositAddressRequest"] & {
+      dryRun?: components["schemas"]["BybitDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: int32
+       * @description Optional "receive window", i.e., for how long the request stays valid.
+       * Specified in milliseconds. If omitted, defaults to 10000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Parameters for `GET /v5/asset/deposit/query-address`. */
+    BybitQueryDepositAddressRequest: {
+      /**
+       * @description Optional network identifier (e.g. `"ETH"`, `"TRX"`). When omitted,
+       * Bybit returns the deposit address on every supported chain.
+       */
+      chainType?: string | null;
+      /** @description Coin symbol (e.g. `"BTC"`, `"USDT"`). */
+      coin: string;
+    };
+    /** @description Response of `GET /v5/asset/deposit/query-address`. */
+    BybitQueryDepositAddressResponse: {
+      /** @description One deposit address per supported chain. */
+      chains: components["schemas"]["BybitDepositChain"][];
+      /** @description Coin symbol the deposit addresses are for (e.g. `USDT`). */
+      coin: string;
+    };
+    /**
+     * @description Parameters for [`BybitRpc::QuerySubMembers`].
+     *
+     * Bybit endpoint: `GET /v5/user/query-sub-members`. Takes no inputs beyond
+     * the common envelope.
+     */
+    BybitQuerySubMembersParams: {
+      dryRun?: components["schemas"]["BybitDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: int32
+       * @description Optional receive window in milliseconds. Defaults to 10000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Response of `GET /v5/user/query-sub-members`. */
+    BybitQuerySubMembersResponse: {
+      /** @description The sub-accounts under the calling master account. */
+      subMembers: components["schemas"]["BybitSubMember"][];
+    };
+    /**
+     * @description Parameters for [`BybitRpc::QueryUser`].
+     *
+     * Bybit endpoint: `GET /v5/user/query-api`. Takes no inputs beyond the common
+     * `recvWindow` / `timestamp` envelope; defined directly (instead of through
+     * the [`BybitParams`] generic alias) so utoipa emits a non-empty schema.
+     */
+    BybitQueryUserParams: {
+      dryRun?: components["schemas"]["BybitDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: int32
+       * @description Optional receive window in milliseconds. Defaults to 10000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Response of `GET /v5/user/query-api`. */
+    BybitQueryUserResponse: {
+      /** @description Bybit account KYC level (`"0"` = none). */
+      kycLevel?: string | null;
+      /** @description Optional free-text label set on the API key. */
+      note?: string | null;
+      /**
+       * @description Master account UID for sub-accounts, `"0"` if the calling key is a
+       * master account.
+       */
+      parentUid: string;
+      /** @description API permissions assigned to the key. */
+      permissions?: unknown;
+      /**
+       * Format: int64
+       * @description Bybit-assigned account UID of the API key.
+       */
+      userID: number;
+      /** @description VIP level. */
+      vipLevel?: string | null;
+      [key: string]: unknown;
+    };
+    /**
+     * @description Bybit-family RPC methods. Each variant authenticates as the
+     * [`KeyType::HmacSha256`] key in its `params.key_id` (which must carry
+     * [`KeyProperties::BybitApi`]).
+     */
+    BybitRpc:
+      | {
+          /** @enum {string} */
+          method: "cs_bybitQueryUser";
+          params: components["schemas"]["BybitQueryUserParams"];
+        }
+      | {
+          /** @enum {string} */
+          method: "cs_bybitQuerySubMembers";
+          params: components["schemas"]["BybitQuerySubMembersParams"];
+        }
+      | {
+          /** @enum {string} */
+          method: "cs_bybitQueryCoinsBalance";
+          params: components["schemas"]["BybitQueryCoinsBalanceParams"];
+        }
+      | {
+          /** @enum {string} */
+          method: "cs_bybitQueryDepositAddress";
+          params: components["schemas"]["BybitQueryDepositAddressParams"];
+        }
+      | {
+          /** @enum {string} */
+          method: "cs_bybitUniversalTransfer";
+          params: components["schemas"]["BybitUniversalTransferParams"];
+        }
+      | {
+          /** @enum {string} */
+          method: "cs_bybitWithdraw";
+          params: components["schemas"]["BybitWithdrawParams"];
+        }
+      | {
+          /** @enum {string} */
+          method: "cs_bybitWithdrawals";
+          params: components["schemas"]["BybitWithdrawalsParams"];
+        };
+    /** @description Response returned by the typed `bybit_sign` endpoint. */
+    BybitSignResponse: {
+      /** @description Optional policy evaluation tree. */
+      policy_eval_tree?: unknown;
+    } & {
+      /**
+       * @description The Bybit-bound payload (URL-encoded query for GET, JSON body for
+       * POST). Submitted verbatim by the rpc-api lambda; the payload bytes are
+       * also part of the signing input.
+       */
+      payload: string;
+      /**
+       * Format: int32
+       * @description Effective receive window in milliseconds.
+       */
+      recv_window: number;
+      /**
+       * @description Hex-encoded HMAC-SHA256 signature of
+       * `timestamp || apiKey || recvWindow || payload`. Goes into the
+       * `X-BAPI-SIGN` header.
+       */
+      signature_hex: string;
+      /**
+       * Format: int64
+       * @description Signing timestamp (ms since epoch). Picked by the signer.
+       */
+      timestamp_ms: number;
+    };
+    /** @description One entry in [`BybitQuerySubMembersResponse::sub_members`]. */
+    BybitSubMember: {
+      /**
+       * Format: int32
+       * @description Trading account configuration: `1` Classic, `3` UTA1.0, `4` UTA1.0 Pro,
+       * `5` UTA2.0, `6` UTA2.0 Pro.
+       */
+      accountMode?: number | null;
+      /**
+       * Format: int32
+       * @description Sub-account category: `1` standard, `6` custodial.
+       */
+      memberType?: number | null;
+      /** @description Free-text remark associated with the sub-account. */
+      remark?: string | null;
+      /**
+       * Format: int32
+       * @description Account state: `1` active, `2` login-restricted, `4` frozen.
+       */
+      status?: number | null;
+      /** @description Sub-account UID. */
+      uid: string;
+      /** @description Display name of the sub-account. */
+      username?: string | null;
+      [key: string]: unknown;
+    };
+    /**
+     * @description Parameters envelope for all Bybit RPC variants whose payload schema is
+     * derived from a `*Request` struct. (`BybitQueryUserParams` and
+     * `BybitQuerySubMembersParams` have no per-variant payload and are defined
+     * directly below.)
+     */
+    BybitUniversalTransferParams: components["schemas"]["BybitUniversalTransferRequest"] & {
+      dryRun?: components["schemas"]["BybitDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: int32
+       * @description Optional "receive window", i.e., for how long the request stays valid.
+       * Specified in milliseconds. If omitted, defaults to 10000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Parameters for `POST /v5/asset/transfer/universal-transfer`. */
+    BybitUniversalTransferRequest: {
+      /** @description Amount as a decimal string (e.g. `"1.5"`). Sent verbatim. */
+      amount: string;
+      /** @description Coin symbol (e.g. `"USDT"`). */
+      coin: string;
+      /**
+       * @description Source wallet type. Defaults to `"FUND"` if omitted; the signer
+       * substitutes the default before signing so the signed and submitted
+       * payloads match.
+       */
+      fromAccountType?: string | null;
+      /**
+       * Format: int64
+       * @description Source account UID. For "self", the manager substitutes the caller's
+       * own UID before this struct reaches the signer.
+       */
+      fromMemberId: number;
+      /** @description Destination wallet type. Defaults to `"FUND"` if omitted. */
+      toAccountType?: string | null;
+      /**
+       * Format: int64
+       * @description Destination account UID.
+       */
+      toMemberId: number;
+      /**
+       * @description Client-supplied transfer id (UUID). Bybit echoes it back as the
+       * canonical reference for this transfer.
+       */
+      transferId: string;
+    };
+    /** @description Response of `POST /v5/asset/transfer/universal-transfer`. */
+    BybitUniversalTransferResponse: {
+      /**
+       * @description Transfer state: one of `SUCCESS`, `PENDING`, `FAILED`, or
+       * `STATUS_UNKNOWN`.
+       */
+      status?: string | null;
+      /**
+       * @description UUID Bybit assigned to the transfer; the caller-supplied `transferId`
+       * echoed back.
+       */
+      transferId: string;
+    };
+    /** @description One entry in [`BybitWithdrawalsResponse::rows`]. */
+    BybitWithdrawEntry: {
+      /** @description Withdrawal amount as a decimal string. */
+      amount: string;
+      /** @description Short chain code (e.g. `ETH`, `TRX`). */
+      chain: string;
+      /** @description Coin symbol, uppercase (e.g. `USDT`). */
+      coin: string;
+      /** @description Creation timestamp, in milliseconds since epoch (as a string). */
+      createTime: string;
+      /**
+       * @description Withdrawal state, e.g. `success`, `pending`, `failed`, `cancelled`. See
+       * the Bybit docs for the full set, which depends on `withdraw_type`.
+       */
+      status: string;
+      /** @description Memo / tag for chains that use one (e.g. XRP, EOS). */
+      tag?: string | null;
+      /** @description Destination: an on-chain address, or a Bybit UID for internal transfers. */
+      toAddress: string;
+      /**
+       * @description On-chain transaction hash; empty for failed/cancelled withdrawals and
+       * for in-flight on-chain withdrawals before broadcast.
+       */
+      txId?: string | null;
+      /** @description Timestamp of the most recent status change, in milliseconds since epoch. */
+      updateTime: string;
+      /** @description Network / processing fee charged for the withdrawal, as a decimal string. */
+      withdrawFee: string;
+      /** @description Bybit-assigned withdrawal id. */
+      withdrawId: string;
+      /**
+       * Format: int32
+       * @description Withdrawal classification: `0` on-chain, `1` off-chain (internal).
+       */
+      withdrawType?: number | null;
+      [key: string]: unknown;
+    };
+    /**
+     * @description Parameters envelope for all Bybit RPC variants whose payload schema is
+     * derived from a `*Request` struct. (`BybitQueryUserParams` and
+     * `BybitQuerySubMembersParams` have no per-variant payload and are defined
+     * directly below.)
+     */
+    BybitWithdrawParams: components["schemas"]["BybitWithdrawRequest"] & {
+      dryRun?: components["schemas"]["BybitDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: int32
+       * @description Optional "receive window", i.e., for how long the request stays valid.
+       * Specified in milliseconds. If omitted, defaults to 10000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Parameters for `POST /v5/asset/withdraw/create`. Master-only. */
+    BybitWithdrawRequest: {
+      /**
+       * @description Source wallet (`"FUND"` or `"SPOT"`). Defaults to Bybit's account-level
+       * default when omitted.
+       */
+      accountType?: string | null;
+      /** @description Destination address. Must already be in Bybit's address book. */
+      address: string;
+      /** @description Amount as a decimal string. Sent verbatim. */
+      amount: string;
+      /** @description Network identifier (e.g. `"ETH"`, `"TRX"`). Required by Bybit. */
+      chain: string;
+      /** @description Coin symbol (e.g. `"USDT"`, `"BTC"`). */
+      coin: string;
+      /**
+       * Format: int32
+       * @description Force-chain flag: `0` (default), `1`, or `2`. See Bybit docs.
+       */
+      forceChain?: number | null;
+      /** @description Client-supplied request id (UUID). Used by Bybit for idempotency. */
+      requestId: string;
+      /** @description Optional memo / tag (e.g. for XRP, XLM). */
+      tag?: string | null;
+      /**
+       * Format: int64
+       * @description Server-supplied timestamp (ms since epoch). Set by the signer just before
+       * signing; clients leave this `None` (because the server will ignore it anyway).
+       */
+      timestamp?: number | null;
+    };
+    /** @description Response of `POST /v5/asset/withdraw/create`. */
+    BybitWithdrawResponse: {
+      /** @description Bybit-assigned withdrawal id. */
+      id: string;
+    };
+    /**
+     * @description Parameters envelope for all Bybit RPC variants whose payload schema is
+     * derived from a `*Request` struct. (`BybitQueryUserParams` and
+     * `BybitQuerySubMembersParams` have no per-variant payload and are defined
+     * directly below.)
+     */
+    BybitWithdrawalsParams: components["schemas"]["BybitWithdrawalsRequest"] & {
+      dryRun?: components["schemas"]["BybitDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: int32
+       * @description Optional "receive window", i.e., for how long the request stays valid.
+       * Specified in milliseconds. If omitted, defaults to 10000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Parameters for `GET /v5/asset/withdraw/query-record`. */
+    BybitWithdrawalsRequest: {
+      /** @description Filter by coin symbol. */
+      coin?: string | null;
+      /**
+       * Format: int32
+       * @description Page size.
+       */
+      limit?: number | null;
+      /**
+       * @description Filter by Bybit-assigned withdrawal id (the `id` returned by
+       * [`BybitRpc::Withdraw`]).
+       */
+      withdrawID?: string | null;
+    };
+    /** @description Response of `GET /v5/asset/withdraw/query-record`. */
+    BybitWithdrawalsResponse: {
+      /**
+       * @description Opaque cursor to pass back as `cursor` on the next request to fetch
+       * the next page; absent on the last page.
+       */
+      nextPageCursor?: string | null;
+      /** @description Withdrawal records matching the query. */
+      rows: components["schemas"]["BybitWithdrawEntry"][];
+    };
     CancelInvitationRequest: {
       email: components["schemas"]["Email"];
     };
+    /** @description Parameters for the [`cs_cancelTransaction`](RpcMethod::CancelTransaction) method. */
+    CancelTransactionRequest: {
+      /** @description The transaction id. */
+      id: string;
+    };
     /**
      * @description Supported Canton environments.
      * @enum {string}
@@ -3907,6 +4469,8 @@ export interface components {
       withdrawFee?: string | null;
       /** @description Step size for withdrawal amounts, as a decimal string. */
       withdrawIntegerMultiple?: string | null;
+      /** @description Minimum internal transfer amount */
+      withdrawInternalMin?: string | null;
       /** @description Maximum withdrawal amount, as a decimal string. */
       withdrawMax?: string | null;
       /** @description Minimum withdrawal amount, as a decimal string. */
@@ -4497,6 +5061,11 @@ export interface components {
           method: "cs_retryTransaction";
           params: components["schemas"]["RetryTransactionRequest"];
         },
+        {
+          /** @enum {string} */
+          method: "cs_cancelTransaction";
+          params: components["schemas"]["CancelTransactionRequest"];
+        },
         {
           /** @enum {string} */
           method: "cs_getTransaction";
@@ -4541,6 +5110,121 @@ export interface components {
       /** @description Custom EVM chains. */
       evm: components["schemas"]["EvmCustomChain"][];
     };
+    /** @description One deposit entry in [`DepositHistoryResponse`]. */
+    DepositHistoryEntry: {
+      /** @description Destination address the deposit was sent to. */
+      address: string;
+      /**
+       * @description Secondary address identifier (e.g. memo for XRP, tag for XLM). Empty
+       * string when the asset does not use one.
+       */
+      addressTag?: string | null;
+      /** @description Deposit amount, as a decimal string. */
+      amount: string;
+      /** @description Asset symbol (e.g. `"USDT"`, `"BTC"`). */
+      coin: string;
+      /**
+       * Format: int64
+       * @description Represents deposit completion datetime, available for deposits after 6-Mar-2025.
+       */
+      completeTime?: number | null;
+      /** @description On-chain confirmation progress (e.g. `"1/1"`). */
+      confirmTimes?: string | null;
+      /** @description Binance-assigned deposit id. */
+      id?: string | null;
+      /**
+       * Format: int64
+       * @description Time the deposit record was created (ms since epoch).
+       */
+      insertTime: number;
+      /** @description Blockchain network identifier (e.g. `"BSC"`, `"ETH"`). */
+      network: string;
+      /** @description Returned when 'includeSource' in the request is set to true */
+      sourceAddress?: string | null;
+      /**
+       * Format: int32
+       * @description Deposit status. Binance values: `0` = pending, `6` = credited but
+       * cannot withdraw, `7` = wrong deposit, `8` = waiting user confirm,
+       * `1` = success. Left as `u8` for forward compatibility.
+       */
+      status: number;
+      /**
+       * Format: int32
+       * @description `0` = external transfer, `1` = internal (Binance↔Binance) transfer.
+       */
+      transferType: number;
+      /**
+       * Format: int32
+       * @description 0: travel rule not required OR info already provided and funds ready to use;
+       * 1: travel rule required to provide deposit info
+       */
+      travelRuleStatus: number;
+      /** @description On-chain transaction hash of the deposit. */
+      txId: string;
+      /**
+       * Format: int32
+       * @description Confirmations after which the deposit is unlocked for trading.
+       */
+      unlockConfirm?: number | null;
+      /**
+       * Format: int32
+       * @description Destination wallet: `0` = spot wallet, `1` = funding wallet.
+       */
+      walletType: number;
+    };
+    /**
+     * @description Parameters for `GET /sapi/v1/capital/deposit/hisrec`.
+     *
+     * Returns the calling account's deposit history. All filters are optional;
+     * if `start_time`/`end_time` are omitted, Binance returns the most recent 90
+     * days. Use `tx_id` to look up a specific deposit by its on-chain
+     * transaction hash, or `coin`/`status` to narrow the result set.
+     */
+    DepositHistoryRequest: {
+      /** @description Filter to a specific asset (e.g. `"USDT"`, `"BTC"`). */
+      coin?: string | null;
+      /**
+       * Format: int64
+       * @description Window end (ms since epoch, Binance default: present timestamp).
+       */
+      endTime?: number | null;
+      /**
+       * @description If `true`, include the deposit's source address in each entry. Binance
+       * defaults to `false`.
+       */
+      includeSource?: boolean | null;
+      /**
+       * Format: int32
+       * @description Page size (Binance default and max: 1000).
+       */
+      limit?: number | null;
+      /**
+       * Format: int32
+       * @description Pagination offset (Binance default: 0).
+       */
+      offset?: number | null;
+      /**
+       * Format: int64
+       * @description Window start (ms since epoch, Binance default: 90 days from current timestamp).
+       */
+      startTime?: number | null;
+      /**
+       * Format: int32
+       * @description Filter by deposit status. Binance values: `0` = pending, `6` = credited
+       * but cannot withdraw, `7` = wrong deposit, `8` = waiting user confirm,
+       * `1` = success, `2` = rejected. Left as `u8` for forward compatibility.
+       */
+      status?: number | null;
+      /** @description Look up a specific deposit by its on-chain transaction hash. */
+      txId?: string | null;
+    };
+    /**
+     * @description Response returned by `cs_binanceDepositHistory`.
+     *
+     * Binance returns a top-level JSON array; this newtype preserves that wire
+     * format while giving the response a named type in the OpenAPI schema.
+     */
+    DepositHistoryResponse: components["schemas"]["DepositHistoryEntry"][];
     /**
      * @description Parameters for `GET /sapi/v1/capital/deposit/address`.
      *
@@ -4565,7 +5249,7 @@ export interface components {
     DepositResponse: {
       /** @description Deposit address. */
       address: string;
-      /** @description Asset symbol (echoes [`DepositRequest::coin`]). */
+      /** @description Asset symbol (echoes the request's `coin` field). */
       coin: string;
       /**
        * @description Secondary address identifier required by some assets (e.g. memo for
@@ -5424,8 +6108,17 @@ export interface components {
       | "sign:binance:withdraw"
       | "sign:binance:withdrawHistory"
       | "sign:binance:deposit"
+      | "sign:binance:depositHistory"
       | "sign:binance:listSubAccounts"
       | "sign:binance:coinInfo"
+      | "sign:bybit:*"
+      | "sign:bybit:queryUser"
+      | "sign:bybit:querySubMembers"
+      | "sign:bybit:queryCoinsBalance"
+      | "sign:bybit:queryDepositAddress"
+      | "sign:bybit:universalTransfer"
+      | "sign:bybit:withdraw"
+      | "sign:bybit:withdrawals"
       | "sign:coinbase:*"
       | "sign:coinbase:accounts:list"
       | "sign:coinbase:portfolios:list"
@@ -5660,9 +6353,11 @@ export interface components {
       | "rpc:createTransaction:*"
       | "rpc:createTransaction:evm"
       | "rpc:retryTransaction"
+      | "rpc:cancelTransaction"
       | "rpc:getTransaction"
       | "rpc:listTransactions"
       | "rpc:binance"
+      | "rpc:bybit"
       | "rpc:coinbase";
     /**
      * @description This type specifies the interpretation of the `fee` field in Babylon
@@ -5811,6 +6506,8 @@ export interface components {
       | "SiweChallengeExpired"
       | "SiweMessageNotValid"
       | "SiweMessageInvalidSignature"
+      | "SiwsChallengeExpired"
+      | "SiwsMessageInvalid"
       | "Acl";
     /**
      * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
@@ -6359,8 +7056,16 @@ export interface components {
       | components["schemas"]["WithdrawResponse"]
       | components["schemas"]["WithdrawHistoryResponse"]
       | components["schemas"]["DepositResponse"]
+      | components["schemas"]["DepositHistoryResponse"]
       | components["schemas"]["ListSubAccountsResponse"]
       | components["schemas"]["CoinInfoResponse"]
+      | components["schemas"]["BybitQueryUserResponse"]
+      | components["schemas"]["BybitQuerySubMembersResponse"]
+      | components["schemas"]["BybitQueryCoinsBalanceResponse"]
+      | components["schemas"]["BybitQueryDepositAddressResponse"]
+      | components["schemas"]["BybitUniversalTransferResponse"]
+      | components["schemas"]["BybitWithdrawResponse"]
+      | components["schemas"]["BybitWithdrawalsResponse"]
       | components["schemas"]["CoinbaseListAccountsResponse"]
       | components["schemas"]["CoinbaseListPortfoliosResponse"]
       | components["schemas"]["CoinbaseMoveFundsResponse"];
@@ -6512,6 +7217,10 @@ export interface components {
           /** @enum {string} */
           kind: "CoinbaseApi";
         },
+        components["schemas"]["BybitApiPropertiesPatch"] & {
+          /** @enum {string} */
+          kind: "BybitApi";
+        },
       ]
     >;
     /** @enum {string} */
@@ -6558,7 +7267,8 @@ export interface components {
       | "SecpLtcTest"
       | "SecpXrpAddr"
       | "Ed25519XrpAddr"
-      | "BabyJubjub";
+      | "BabyJubjub"
+      | "HmacSha256";
     KeyTypeAndDerivationPath: {
       /**
        * @description List of derivation paths for which to derive.
@@ -7066,11 +7776,32 @@ export interface components {
       | "BabylonCovSign"
       | "BabylonRegistration"
       | "BabylonStaking"
-      | "BinanceSign"
+      | "BinanceSubToMaster"
+      | "BinanceSubToSub"
+      | "BinanceUniversalTransfer"
+      | "BinanceSubAccountAssets"
+      | "BinanceAccountInfo"
+      | "BinanceSubAccountTransferHistory"
+      | "BinanceUniversalTransferHistory"
+      | "BinanceWithdraw"
+      | "BinanceWithdrawHistory"
+      | "BinanceDeposit"
+      | "BinanceDepositHistory"
+      | "BinanceListSubAccounts"
+      | "BinanceCoinInfo"
       | "BlobSign"
       | "BtcMessageSign"
       | "BtcSign"
-      | "CoinbaseSign"
+      | "BybitQueryUser"
+      | "BybitQuerySubMembers"
+      | "BybitQueryCoinsBalance"
+      | "BybitQueryDepositAddress"
+      | "BybitUniversalTransfer"
+      | "BybitWithdraw"
+      | "BybitWithdrawals"
+      | "CoinbaseListAccounts"
+      | "CoinbaseListPortfolios"
+      | "CoinbaseMoveFunds"
       | "DiffieHellman"
       | "PsbtSign"
       | "TaprootSign"
@@ -8095,6 +8826,7 @@ export interface components {
       | "PsbtSigningDisallowed"
       | "BabylonStakingDisallowed"
       | "TimeLocked"
+      | "CelPolicyDenied"
       | "BabylonStakingNetwork"
       | "BabylonStakingParamsVersion"
       | "BabylonStakingExplicitParams"
@@ -8114,7 +8846,8 @@ export interface components {
       | "WasmPolicyDenied"
       | "WasmPolicyFailed"
       | "WebhookPoliciesDisabled"
-      | "DeniedByWebhook";
+      | "DeniedByWebhook"
+      | "ExplicitlyDenied";
     /** @description A struct containing all the information about a specific version of a policy. */
     PolicyInfo: {
       /** @description The access-control entries for the policy. */
@@ -8867,24 +9600,21 @@ export interface components {
       | components["schemas"]["SignerClientErrorCode"]
       | components["schemas"]["RpcEvmErrorCode"];
     /** @enum {string} */
-    RpcApiErrorOwnCodes: "MfaRequired" | "ConcurrentTransactionFailed";
+    RpcApiErrorOwnCodes: "MfaRequired" | "ConcurrentTransactionFailed" | "InvalidTxStatus";
     /** @enum {string} */
-    RpcEvmErrorCode:
-      | "SubmissionFailed"
-      | "FailedToReserveNonce"
-      | "InvalidTxStatus"
-      | "MissingTxFrom";
+    RpcEvmErrorCode: "SubmissionFailed" | "FailedToReserveNonce" | "MissingTxField" | "Signer";
     /**
      * @description The RPC API method and matching parameters.
      *
      * Top-level dispatch. Wire format is preserved by `#[serde(untagged)]`: each
      * inbound request is matched against one of the internally-tagged inner enums
      * ([`CsRpc`] for the core methods, [`BinanceRpc`] for the Binance family,
-     * [`CoinbaseRpc`] for the Coinbase family).
+     * [`BybitRpc`] for the Bybit family, [`CoinbaseRpc`] for the Coinbase family).
      */
     RpcMethod:
       | components["schemas"]["CsRpc"]
       | components["schemas"]["BinanceRpc"]
+      | components["schemas"]["BybitRpc"]
       | components["schemas"]["CoinbaseRpc"];
     /** @description All scopes for accessing CubeSigner APIs */
     Scope: components["schemas"]["ExplicitScope"] | string;
@@ -9043,6 +9773,37 @@ export interface components {
       /** @description Optional policy evaluation tree, if requested */
       policy_eval_tree?: unknown;
     };
+    /**
+     * @description The structured input to a Sign-In With Solana request (`SolanaSignInInput` in the spec).
+     *
+     * The relying party fills in `domain`/`address`/`uri`/... and the wallet renders it into the
+     * human-readable message (see [SignInInput::to_message_text]) that it signs.
+     */
+    SignInInput: {
+      /** @description The base58-encoded Solana (ed25519) public key performing the sign-in. */
+      address: string;
+      chainId?: components["schemas"]["SolanaNetwork"] | null;
+      /** @description The RFC 3986 authority that is requesting the sign-in. */
+      domain: string;
+      /** @description The ISO 8601 datetime string after which the signed message is no longer valid. */
+      expirationTime?: string | null;
+      /** @description The ISO 8601 datetime string of the time the message was issued. */
+      issuedAt?: string | null;
+      /** @description A randomized token used to prevent replay attacks; at least 8 alphanumeric characters. */
+      nonce?: string | null;
+      /** @description The ISO 8601 datetime string before which the signed message is not yet valid. */
+      notBefore?: string | null;
+      /** @description A system-specific identifier that may be used to uniquely refer to the sign-in request. */
+      requestId?: string | null;
+      /** @description A list of RFC 3986 URIs the user wishes to have resolved as part of the authentication. */
+      resources?: string[] | null;
+      /** @description A human-readable ASCII assertion that the user will sign; must not contain a newline. */
+      statement?: string | null;
+      /** @description An RFC 3986 URI referring to the resource that is the subject of the sign-in. */
+      uri?: string | null;
+      /** @description The version of the message (currently always `1`). */
+      version?: string | null;
+    };
     SignResponse: {
       /** @description Optional policy evaluation tree. */
       policy_eval_tree?: unknown;
@@ -9151,6 +9912,56 @@ export interface components {
       /** @description The message to sign following the EIP-191 standard. */
       message: string;
     };
+    /** @description Answer to a Sign-in with Solana challenge. */
+    SiwsCompleteRequest: {
+      challenge_id: components["schemas"]["Id"];
+      /** @description The base58-encoded ed25519 signature of `signed_message`. */
+      signature: string;
+      /** @description The base58-encoded UTF-8 bytes of the message that was signed (the rendered `SignInInput`). */
+      signed_message: string;
+    };
+    /** @description Returned upon a successful SIWS authentication. */
+    SiwsCompleteResponse: {
+      /** @description The OIDC token corresponding to the user with the requested SIWS identity. */
+      id_token: string;
+    };
+    /**
+     * @description Initialize the request to sign in with Solana. The response will contain a structured
+     * `SignInInput` that the client must render to text, sign, and submit via the corresponding PATCH
+     * endpoint within 5 minutes.
+     */
+    SiwsInitRequest: {
+      /** @description The base58-encoded Solana (ed25519) public key performing the signing. */
+      address: string;
+      chain_id?: components["schemas"]["SolanaNetwork"] | null;
+      /** @description The RFC 3986 authority that is requesting the signing. */
+      domain: string;
+      /** @description The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid. */
+      expiration_time?: string | null;
+      /** @description The ISO 8601 datetime string that, if present, indicates when the signed authentication message will become valid. */
+      not_before?: string | null;
+      /** @description A system-specific identifier that may be used to uniquely refer to the sign-in request. */
+      request_id?: string | null;
+      /** @description A list of RFC 3986 URIs the user wishes to have resolved as part of authentication by the relying party. */
+      resources?: string[];
+      /** @description A human-readable ASCII assertion that the user will sign, and it must not contain '\n' (the byte 0x0a). */
+      statement?: string | null;
+      /** @description An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). */
+      uri?: string | null;
+    };
+    /**
+     * @description A challenge returned in response to a Sign-In with Solana request.
+     *
+     * Contains a structured [SignInInput] that the client must render to its canonical text and sign
+     * (ed25519) with the requested key in order to complete authentication.
+     *
+     * The client has until the message expires (but no more than 5 minutes) to complete the challenge.
+     */
+    SiwsInitResponse: {
+      /** @description The ID of the challenge (to include in the request when calling the PATCH ('complete') endpoint) */
+      challenge_id: string;
+      sign_in_input: components["schemas"]["SignInInput"];
+    };
     /** @description A Solana address and the cluster it is on. */
     SolanaAddressInfo: {
       /**
@@ -9165,6 +9976,19 @@ export interface components {
      * @enum {string}
      */
     SolanaCluster: "mainnet" | "devnet";
+    /**
+     * @description The Solana network a SIWS message is bound to (the `Chain ID` field).
+     * @enum {string}
+     */
+    SolanaNetwork:
+      | "mainnet"
+      | "testnet"
+      | "devnet"
+      | "localnet"
+      | "solana:mainnet"
+      | "solana:testnet"
+      | "solana:devnet"
+      | "solana:localnet";
     /**
      * @description Solana signing request
      * @example {
@@ -9957,8 +10781,8 @@ export interface components {
       asset: string;
       /**
        * @description Optional client-supplied transfer id. If set, Binance echoes it back
-       * on [`UniversalTransferResponse::client_tran_id`] and lets it be used
-       * as a filter on
+       * as `client_tran_id` on the `UniversalTransferResponse` and lets it be
+       * used as a filter on
        * [`UniversalTransferHistoryRequest::client_tran_id`].
        */
       clientTranId?: string | null;
@@ -10833,7 +11657,7 @@ export interface components {
       endTime?: number | null;
       /**
        * @description Comma-separated list of Binance-assigned withdrawal ids (the `id`
-       * field of [`WithdrawResponse`]). Up to 45 ids per query, per Binance.
+       * field of `WithdrawResponse`). Up to 45 ids per query, per Binance.
        */
       idList?: string | null;
       /**
@@ -11100,6 +11924,38 @@ export interface components {
         };
       };
     };
+    /** @description Response returned by the typed `bybit_sign` endpoint. */
+    BybitSignResponse: {
+      content: {
+        "application/json": {
+          /** @description Optional policy evaluation tree. */
+          policy_eval_tree?: unknown;
+        } & {
+          /**
+           * @description The Bybit-bound payload (URL-encoded query for GET, JSON body for
+           * POST). Submitted verbatim by the rpc-api lambda; the payload bytes are
+           * also part of the signing input.
+           */
+          payload: string;
+          /**
+           * Format: int32
+           * @description Effective receive window in milliseconds.
+           */
+          recv_window: number;
+          /**
+           * @description Hex-encoded HMAC-SHA256 signature of
+           * `timestamp || apiKey || recvWindow || payload`. Goes into the
+           * `X-BAPI-SIGN` header.
+           */
+          signature_hex: string;
+          /**
+           * Format: int64
+           * @description Signing timestamp (ms since epoch). Picked by the signer.
+           */
+          timestamp_ms: number;
+        };
+      };
+    };
     /** @description Response returned by the typed `coinbase_sign` endpoint. */
     CoinbaseSignResponse: {
       content: {
@@ -12429,6 +13285,32 @@ export interface components {
         };
       };
     };
+    /** @description Returned upon a successful SIWS authentication. */
+    SiwsCompleteResponse: {
+      content: {
+        "application/json": {
+          /** @description The OIDC token corresponding to the user with the requested SIWS identity. */
+          id_token: string;
+        };
+      };
+    };
+    /**
+     * @description A challenge returned in response to a Sign-In with Solana request.
+     *
+     * Contains a structured [SignInInput] that the client must render to its canonical text and sign
+     * (ed25519) with the requested key in order to complete authentication.
+     *
+     * The client has until the message expires (but no more than 5 minutes) to complete the challenge.
+     */
+    SiwsInitResponse: {
+      content: {
+        "application/json": {
+          /** @description The ID of the challenge (to include in the request when calling the PATCH ('complete') endpoint) */
+          challenge_id: string;
+          sign_in_input: components["schemas"]["SignInInput"];
+        };
+      };
+    };
     StakeResponse: {
       content: {
         "application/json": ({
@@ -12928,6 +13810,11 @@ export interface operations {
     };
     responses: {
       200: components["responses"]["UpdateOrgResponse"];
+      202: {
+        content: {
+          "application/json": components["schemas"]["AcceptedResponse"];
+        };
+      };
       default: {
         content: {
           "application/json": components["schemas"]["ErrorResponse"];
@@ -15583,12 +16470,21 @@ export interface operations {
    * but extends the output with an `id_token`.
    *
    * This `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.
+   * Callers must request *at least* scopes `tweet.read` and `users.read` during auth with twitter.
+   *
+   * By default, the id token does not contain a confirmed email;
+   * callers can request this field be populated by requesting the `users.email` scope
+   * and adding `fetch_email` as a URL parameter to this route.
+   *
    *
    * > [!IMPORTANT]
    * > This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.
    */
   oauth2Twitter: {
     parameters: {
+      query?: {
+        fetch_email?: boolean | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -15761,6 +16657,77 @@ export interface operations {
       };
     };
   };
+  /**
+   * Initiate login via Sign-in With Solana (SIWS).
+   * @description Initiate login via Sign-in With Solana (SIWS).
+   *
+   * This endpoint generates a challenge which can be answered (via the corresponding PATCH endpoint)
+   * to obtain an OIDC token. The OIDC token can then be exchanged for a user session via the standard
+   * OIDC auth route.
+   *
+   * > [!IMPORTANT]
+   * > For this endpoint to succeed, the org must be configured to:
+   * > Allow the issuer `https://shim.oauth2.cubist.dev/siws` with the Org ID as the client ID
+   */
+  siwsInit: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["SiwsInitRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["SiwsInitResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Complete login via Sign-in With Solana (SIWS)
+   * @description Complete login via Sign-in With Solana (SIWS)
+   *
+   * If the challenge (issued by the corresponding POST endpoint) is answered correctly, this endpoint
+   * generates an OIDC token that can then be exchanged for a user session via the standard OIDC auth route.
+   *
+   * > [!IMPORTANT]
+   * > For this endpoint to succeed, the org must be configured to:
+   * > Allow the issuer `https://shim.oauth2.cubist.dev/siws` with the Org ID as the client ID
+   */
+  siwsComplete: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["SiwsCompleteRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["SiwsCompleteResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Allows a user to authenticate with the telegram API using the tgWebAppData value
    * @description Allows a user to authenticate with the telegram API using the tgWebAppData value
@@ -17105,16 +18072,23 @@ export interface operations {
         "page.start"?: string | null;
         /**
          * @description If provided, the name or ID of a role to operate on.
-         * Cannot be specified together with `user`.
+         * Cannot be specified together with other selectors.
          * @example my-role
          */
         role?: string | null;
         /**
          * @description If provided, the ID of a user to operate on.
-         * Cannot be specified together with `role`.
+         * Cannot be specified together with other selectors.
          * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         user?: string | null;
+        /**
+         * @description If provided, the ID of the user whose created role sessions to operate on.
+         * Selects all *role* sessions created by that user (user sessions are not affected).
+         * Cannot be specified together with other selectors.
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_created_by?: string | null;
       };
       path: {
         /**
@@ -17177,22 +18151,36 @@ export interface operations {
    *
    * If a `role` query parameter is provided, **ALL** session for **THAT ROLE** are revoked
    * (if the current user has permissions to revoke sessions for the role).
+   *
+   * If a `role_created_by` query parameter is provided, **ROLE** sessions created by **THAT USER**
+   * are revoked (gated by the same permissions as revoking that user's own sessions: the current
+   * user must be that user or an org owner). User sessions are not affected. Unless the current
+   * user is an org owner, only sessions for roles the current user is **still a member of** are
+   * revoked (so a user cannot revoke sessions for a role they have since been removed from); org
+   * owners revoke across all roles.
    */
   revokeSessions: {
     parameters: {
       query?: {
         /**
          * @description If provided, the name or ID of a role to operate on.
-         * Cannot be specified together with `user`.
+         * Cannot be specified together with other selectors.
          * @example my-role
          */
         role?: string | null;
         /**
          * @description If provided, the ID of a user to operate on.
-         * Cannot be specified together with `role`.
+         * Cannot be specified together with other selectors.
          * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         user?: string | null;
+        /**
+         * @description If provided, the ID of the user whose created role sessions to operate on.
+         * Selects all *role* sessions created by that user (user sessions are not affected).
+         * Cannot be specified together with other selectors.
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_created_by?: string | null;
       };
       path: {
         /**
@@ -18032,6 +19020,9 @@ export interface operations {
    */
   deleteOidcUser: {
     parameters: {
+      query?: {
+        revoke_role_sessions_they_created?: boolean | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -18173,6 +19164,9 @@ export interface operations {
    */
   deleteUser: {
     parameters: {
+      query?: {
+        revoke_role_sessions_they_created?: boolean | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org