@cubist-labs/cubesigner-sdk 0.4.259 → 0.4.260

package/src/schema.ts

@@ -884,6 +884,12 @@ export interface paths {
      * but extends the output with an `id_token`.
      *
      * This `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.
+     * Callers must request *at least* scopes `tweet.read` and `users.read` during auth with twitter.
+     *
+     * By default, the id token does not contain a confirmed email;
+     * callers can request this field be populated by requesting the `users.email` scope
+     * and adding `fetch_email` as a URL parameter to this route.
+     *
      *
      * > [!IMPORTANT]
      * > This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.
@@ -947,6 +953,33 @@ export interface paths {
      */
     patch: operations["siweComplete"];
   };
+  "/v0/org/{org_id}/oidc/siws": {
+    /**
+     * Initiate login via Sign-in With Solana (SIWS).
+     * @description Initiate login via Sign-in With Solana (SIWS).
+     *
+     * This endpoint generates a challenge which can be answered (via the corresponding PATCH endpoint)
+     * to obtain an OIDC token. The OIDC token can then be exchanged for a user session via the standard
+     * OIDC auth route.
+     *
+     * > [!IMPORTANT]
+     * > For this endpoint to succeed, the org must be configured to:
+     * > Allow the issuer `https://shim.oauth2.cubist.dev/siws` with the Org ID as the client ID
+     */
+    post: operations["siwsInit"];
+    /**
+     * Complete login via Sign-in With Solana (SIWS)
+     * @description Complete login via Sign-in With Solana (SIWS)
+     *
+     * If the challenge (issued by the corresponding POST endpoint) is answered correctly, this endpoint
+     * generates an OIDC token that can then be exchanged for a user session via the standard OIDC auth route.
+     *
+     * > [!IMPORTANT]
+     * > For this endpoint to succeed, the org must be configured to:
+     * > Allow the issuer `https://shim.oauth2.cubist.dev/siws` with the Org ID as the client ID
+     */
+    patch: operations["siwsComplete"];
+  };
   "/v0/org/{org_id}/oidc/telegram": {
     /**
      * Allows a user to authenticate with the telegram API using the tgWebAppData value
@@ -1310,6 +1343,13 @@ export interface paths {
      *
      * If a `role` query parameter is provided, **ALL** session for **THAT ROLE** are revoked
      * (if the current user has permissions to revoke sessions for the role).
+     *
+     * If a `role_created_by` query parameter is provided, **ROLE** sessions created by **THAT USER**
+     * are revoked (gated by the same permissions as revoking that user's own sessions: the current
+     * user must be that user or an org owner). User sessions are not affected. Unless the current
+     * user is an org owner, only sessions for roles the current user is **still a member of** are
+     * revoked (so a user cannot revoke sessions for a role they have since been removed from); org
+     * owners revoke across all roles.
      */
     delete: operations["revokeSessions"];
   };
@@ -2870,6 +2910,8 @@ export interface components {
       | "KeyNotFound"
       | "SiweChallengeNotFound"
       | "SiweInvalidRequest"
+      | "SiwsChallengeNotFound"
+      | "SiwsInvalidRequest"
       | "UserExportDerivedKey"
       | "UserExportPublicKeyInvalid"
       | "NistP256PublicKeyInvalid"
@@ -2930,6 +2972,7 @@ export interface components {
       | "LimitWindowTooLong"
       | "Erc20ContractDisallowed"
       | "EmptyRuleError"
+      | "PolicyFieldValidationError"
       | "OptionalListEmpty"
       | "MultipleExclusiveFieldsProvided"
       | "DuplicateFieldEntry"
@@ -3014,6 +3057,7 @@ export interface components {
       | "InvalidPolicyReference"
       | "PolicyEngineDisabled"
       | "InvalidWasmPolicy"
+      | "CelProgramTooLarge"
       | "InvalidPolicy"
       | "RedundantDerivationPath"
       | "ImportKeyMissing"
@@ -3192,6 +3236,8 @@ export interface components {
       | "EmailOtpAuth"
       | "SiweInit"
       | "SiweComplete"
+      | "SiwsInit"
+      | "SiwsComplete"
       | "TelegramAuth"
       | "CreateOidcUser"
       | "DeleteOidcUser"
@@ -3212,6 +3258,7 @@ export interface components {
       | "RpcGetTransaction"
       | "RpcListTransactions"
       | "RpcRetryTransaction"
+      | "RpcCancelTransaction"
       | "RpcBinance"
       | "RpcBybit"
       | "RpcCoinbase"
@@ -3273,6 +3320,18 @@ export interface components {
       recvWindow?: number | null;
     };
     /** @description Parameters envelope for all Binance RPC methods. */
+    BinanceDepositHistoryParams: components["schemas"]["DepositHistoryRequest"] & {
+      dryRun?: components["schemas"]["BinanceDryRunMode"] | null;
+      keyId: components["schemas"]["Id"];
+      /**
+       * Format: float
+       * @description Optional "receive window", i.e., for how long the request stays valid.
+       * May only be specified in milliseconds, with up to three decimal places of precision.
+       * If omitted, defaults to 10000. Must not be greater than 60000.
+       */
+      recvWindow?: number | null;
+    };
+    /** @description Parameters envelope for all Binance RPC methods. */
     BinanceDepositParams: components["schemas"]["DepositRequest"] & {
       dryRun?: components["schemas"]["BinanceDryRunMode"] | null;
       keyId: components["schemas"]["Id"];
@@ -3362,6 +3421,11 @@ export interface components {
           method: "cs_binanceDeposit";
           params: components["schemas"]["BinanceDepositParams"];
         }
+      | {
+          /** @enum {string} */
+          method: "cs_binanceDepositHistory";
+          params: components["schemas"]["BinanceDepositHistoryParams"];
+        }
       | {
           /** @enum {string} */
           method: "cs_binanceListSubAccounts";
@@ -4250,6 +4314,11 @@ export interface components {
     CancelInvitationRequest: {
       email: components["schemas"]["Email"];
     };
+    /** @description Parameters for the [`cs_cancelTransaction`](RpcMethod::CancelTransaction) method. */
+    CancelTransactionRequest: {
+      /** @description The transaction id. */
+      id: string;
+    };
     /**
      * @description Supported Canton environments.
      * @enum {string}
@@ -4400,6 +4469,8 @@ export interface components {
       withdrawFee?: string | null;
       /** @description Step size for withdrawal amounts, as a decimal string. */
       withdrawIntegerMultiple?: string | null;
+      /** @description Minimum internal transfer amount */
+      withdrawInternalMin?: string | null;
       /** @description Maximum withdrawal amount, as a decimal string. */
       withdrawMax?: string | null;
       /** @description Minimum withdrawal amount, as a decimal string. */
@@ -4990,6 +5061,11 @@ export interface components {
           method: "cs_retryTransaction";
           params: components["schemas"]["RetryTransactionRequest"];
         },
+        {
+          /** @enum {string} */
+          method: "cs_cancelTransaction";
+          params: components["schemas"]["CancelTransactionRequest"];
+        },
         {
           /** @enum {string} */
           method: "cs_getTransaction";
@@ -5034,6 +5110,121 @@ export interface components {
       /** @description Custom EVM chains. */
       evm: components["schemas"]["EvmCustomChain"][];
     };
+    /** @description One deposit entry in [`DepositHistoryResponse`]. */
+    DepositHistoryEntry: {
+      /** @description Destination address the deposit was sent to. */
+      address: string;
+      /**
+       * @description Secondary address identifier (e.g. memo for XRP, tag for XLM). Empty
+       * string when the asset does not use one.
+       */
+      addressTag?: string | null;
+      /** @description Deposit amount, as a decimal string. */
+      amount: string;
+      /** @description Asset symbol (e.g. `"USDT"`, `"BTC"`). */
+      coin: string;
+      /**
+       * Format: int64
+       * @description Represents deposit completion datetime, available for deposits after 6-Mar-2025.
+       */
+      completeTime?: number | null;
+      /** @description On-chain confirmation progress (e.g. `"1/1"`). */
+      confirmTimes?: string | null;
+      /** @description Binance-assigned deposit id. */
+      id?: string | null;
+      /**
+       * Format: int64
+       * @description Time the deposit record was created (ms since epoch).
+       */
+      insertTime: number;
+      /** @description Blockchain network identifier (e.g. `"BSC"`, `"ETH"`). */
+      network: string;
+      /** @description Returned when 'includeSource' in the request is set to true */
+      sourceAddress?: string | null;
+      /**
+       * Format: int32
+       * @description Deposit status. Binance values: `0` = pending, `6` = credited but
+       * cannot withdraw, `7` = wrong deposit, `8` = waiting user confirm,
+       * `1` = success. Left as `u8` for forward compatibility.
+       */
+      status: number;
+      /**
+       * Format: int32
+       * @description `0` = external transfer, `1` = internal (Binance↔Binance) transfer.
+       */
+      transferType: number;
+      /**
+       * Format: int32
+       * @description 0: travel rule not required OR info already provided and funds ready to use;
+       * 1: travel rule required to provide deposit info
+       */
+      travelRuleStatus: number;
+      /** @description On-chain transaction hash of the deposit. */
+      txId: string;
+      /**
+       * Format: int32
+       * @description Confirmations after which the deposit is unlocked for trading.
+       */
+      unlockConfirm?: number | null;
+      /**
+       * Format: int32
+       * @description Destination wallet: `0` = spot wallet, `1` = funding wallet.
+       */
+      walletType: number;
+    };
+    /**
+     * @description Parameters for `GET /sapi/v1/capital/deposit/hisrec`.
+     *
+     * Returns the calling account's deposit history. All filters are optional;
+     * if `start_time`/`end_time` are omitted, Binance returns the most recent 90
+     * days. Use `tx_id` to look up a specific deposit by its on-chain
+     * transaction hash, or `coin`/`status` to narrow the result set.
+     */
+    DepositHistoryRequest: {
+      /** @description Filter to a specific asset (e.g. `"USDT"`, `"BTC"`). */
+      coin?: string | null;
+      /**
+       * Format: int64
+       * @description Window end (ms since epoch, Binance default: present timestamp).
+       */
+      endTime?: number | null;
+      /**
+       * @description If `true`, include the deposit's source address in each entry. Binance
+       * defaults to `false`.
+       */
+      includeSource?: boolean | null;
+      /**
+       * Format: int32
+       * @description Page size (Binance default and max: 1000).
+       */
+      limit?: number | null;
+      /**
+       * Format: int32
+       * @description Pagination offset (Binance default: 0).
+       */
+      offset?: number | null;
+      /**
+       * Format: int64
+       * @description Window start (ms since epoch, Binance default: 90 days from current timestamp).
+       */
+      startTime?: number | null;
+      /**
+       * Format: int32
+       * @description Filter by deposit status. Binance values: `0` = pending, `6` = credited
+       * but cannot withdraw, `7` = wrong deposit, `8` = waiting user confirm,
+       * `1` = success, `2` = rejected. Left as `u8` for forward compatibility.
+       */
+      status?: number | null;
+      /** @description Look up a specific deposit by its on-chain transaction hash. */
+      txId?: string | null;
+    };
+    /**
+     * @description Response returned by `cs_binanceDepositHistory`.
+     *
+     * Binance returns a top-level JSON array; this newtype preserves that wire
+     * format while giving the response a named type in the OpenAPI schema.
+     */
+    DepositHistoryResponse: components["schemas"]["DepositHistoryEntry"][];
     /**
      * @description Parameters for `GET /sapi/v1/capital/deposit/address`.
      *
@@ -5917,6 +6108,7 @@ export interface components {
       | "sign:binance:withdraw"
       | "sign:binance:withdrawHistory"
       | "sign:binance:deposit"
+      | "sign:binance:depositHistory"
       | "sign:binance:listSubAccounts"
       | "sign:binance:coinInfo"
       | "sign:bybit:*"
@@ -6161,6 +6353,7 @@ export interface components {
       | "rpc:createTransaction:*"
       | "rpc:createTransaction:evm"
       | "rpc:retryTransaction"
+      | "rpc:cancelTransaction"
       | "rpc:getTransaction"
       | "rpc:listTransactions"
       | "rpc:binance"
@@ -6313,6 +6506,8 @@ export interface components {
       | "SiweChallengeExpired"
       | "SiweMessageNotValid"
       | "SiweMessageInvalidSignature"
+      | "SiwsChallengeExpired"
+      | "SiwsMessageInvalid"
       | "Acl";
     /**
      * @description Specifies a fork of the `BeaconChain`, to prevent replay attacks.
@@ -6861,6 +7056,7 @@ export interface components {
       | components["schemas"]["WithdrawResponse"]
       | components["schemas"]["WithdrawHistoryResponse"]
       | components["schemas"]["DepositResponse"]
+      | components["schemas"]["DepositHistoryResponse"]
       | components["schemas"]["ListSubAccountsResponse"]
       | components["schemas"]["CoinInfoResponse"]
       | components["schemas"]["BybitQueryUserResponse"]
@@ -7590,6 +7786,7 @@ export interface components {
       | "BinanceWithdraw"
       | "BinanceWithdrawHistory"
       | "BinanceDeposit"
+      | "BinanceDepositHistory"
       | "BinanceListSubAccounts"
       | "BinanceCoinInfo"
       | "BlobSign"
@@ -8629,6 +8826,7 @@ export interface components {
       | "PsbtSigningDisallowed"
       | "BabylonStakingDisallowed"
       | "TimeLocked"
+      | "CelPolicyDenied"
       | "BabylonStakingNetwork"
       | "BabylonStakingParamsVersion"
       | "BabylonStakingExplicitParams"
@@ -8648,7 +8846,8 @@ export interface components {
       | "WasmPolicyDenied"
       | "WasmPolicyFailed"
       | "WebhookPoliciesDisabled"
-      | "DeniedByWebhook";
+      | "DeniedByWebhook"
+      | "ExplicitlyDenied";
     /** @description A struct containing all the information about a specific version of a policy. */
     PolicyInfo: {
       /** @description The access-control entries for the policy. */
@@ -9401,13 +9600,9 @@ export interface components {
       | components["schemas"]["SignerClientErrorCode"]
       | components["schemas"]["RpcEvmErrorCode"];
     /** @enum {string} */
-    RpcApiErrorOwnCodes: "MfaRequired" | "ConcurrentTransactionFailed";
+    RpcApiErrorOwnCodes: "MfaRequired" | "ConcurrentTransactionFailed" | "InvalidTxStatus";
     /** @enum {string} */
-    RpcEvmErrorCode:
-      | "SubmissionFailed"
-      | "FailedToReserveNonce"
-      | "InvalidTxStatus"
-      | "MissingTxFrom";
+    RpcEvmErrorCode: "SubmissionFailed" | "FailedToReserveNonce" | "MissingTxField" | "Signer";
     /**
      * @description The RPC API method and matching parameters.
      *
@@ -9578,6 +9773,37 @@ export interface components {
       /** @description Optional policy evaluation tree, if requested */
       policy_eval_tree?: unknown;
     };
+    /**
+     * @description The structured input to a Sign-In With Solana request (`SolanaSignInInput` in the spec).
+     *
+     * The relying party fills in `domain`/`address`/`uri`/... and the wallet renders it into the
+     * human-readable message (see [SignInInput::to_message_text]) that it signs.
+     */
+    SignInInput: {
+      /** @description The base58-encoded Solana (ed25519) public key performing the sign-in. */
+      address: string;
+      chainId?: components["schemas"]["SolanaNetwork"] | null;
+      /** @description The RFC 3986 authority that is requesting the sign-in. */
+      domain: string;
+      /** @description The ISO 8601 datetime string after which the signed message is no longer valid. */
+      expirationTime?: string | null;
+      /** @description The ISO 8601 datetime string of the time the message was issued. */
+      issuedAt?: string | null;
+      /** @description A randomized token used to prevent replay attacks; at least 8 alphanumeric characters. */
+      nonce?: string | null;
+      /** @description The ISO 8601 datetime string before which the signed message is not yet valid. */
+      notBefore?: string | null;
+      /** @description A system-specific identifier that may be used to uniquely refer to the sign-in request. */
+      requestId?: string | null;
+      /** @description A list of RFC 3986 URIs the user wishes to have resolved as part of the authentication. */
+      resources?: string[] | null;
+      /** @description A human-readable ASCII assertion that the user will sign; must not contain a newline. */
+      statement?: string | null;
+      /** @description An RFC 3986 URI referring to the resource that is the subject of the sign-in. */
+      uri?: string | null;
+      /** @description The version of the message (currently always `1`). */
+      version?: string | null;
+    };
     SignResponse: {
       /** @description Optional policy evaluation tree. */
       policy_eval_tree?: unknown;
@@ -9686,6 +9912,56 @@ export interface components {
       /** @description The message to sign following the EIP-191 standard. */
       message: string;
     };
+    /** @description Answer to a Sign-in with Solana challenge. */
+    SiwsCompleteRequest: {
+      challenge_id: components["schemas"]["Id"];
+      /** @description The base58-encoded ed25519 signature of `signed_message`. */
+      signature: string;
+      /** @description The base58-encoded UTF-8 bytes of the message that was signed (the rendered `SignInInput`). */
+      signed_message: string;
+    };
+    /** @description Returned upon a successful SIWS authentication. */
+    SiwsCompleteResponse: {
+      /** @description The OIDC token corresponding to the user with the requested SIWS identity. */
+      id_token: string;
+    };
+    /**
+     * @description Initialize the request to sign in with Solana. The response will contain a structured
+     * `SignInInput` that the client must render to text, sign, and submit via the corresponding PATCH
+     * endpoint within 5 minutes.
+     */
+    SiwsInitRequest: {
+      /** @description The base58-encoded Solana (ed25519) public key performing the signing. */
+      address: string;
+      chain_id?: components["schemas"]["SolanaNetwork"] | null;
+      /** @description The RFC 3986 authority that is requesting the signing. */
+      domain: string;
+      /** @description The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid. */
+      expiration_time?: string | null;
+      /** @description The ISO 8601 datetime string that, if present, indicates when the signed authentication message will become valid. */
+      not_before?: string | null;
+      /** @description A system-specific identifier that may be used to uniquely refer to the sign-in request. */
+      request_id?: string | null;
+      /** @description A list of RFC 3986 URIs the user wishes to have resolved as part of authentication by the relying party. */
+      resources?: string[];
+      /** @description A human-readable ASCII assertion that the user will sign, and it must not contain '\n' (the byte 0x0a). */
+      statement?: string | null;
+      /** @description An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). */
+      uri?: string | null;
+    };
+    /**
+     * @description A challenge returned in response to a Sign-In with Solana request.
+     *
+     * Contains a structured [SignInInput] that the client must render to its canonical text and sign
+     * (ed25519) with the requested key in order to complete authentication.
+     *
+     * The client has until the message expires (but no more than 5 minutes) to complete the challenge.
+     */
+    SiwsInitResponse: {
+      /** @description The ID of the challenge (to include in the request when calling the PATCH ('complete') endpoint) */
+      challenge_id: string;
+      sign_in_input: components["schemas"]["SignInInput"];
+    };
     /** @description A Solana address and the cluster it is on. */
     SolanaAddressInfo: {
       /**
@@ -9700,6 +9976,19 @@ export interface components {
      * @enum {string}
      */
     SolanaCluster: "mainnet" | "devnet";
+    /**
+     * @description The Solana network a SIWS message is bound to (the `Chain ID` field).
+     * @enum {string}
+     */
+    SolanaNetwork:
+      | "mainnet"
+      | "testnet"
+      | "devnet"
+      | "localnet"
+      | "solana:mainnet"
+      | "solana:testnet"
+      | "solana:devnet"
+      | "solana:localnet";
     /**
      * @description Solana signing request
      * @example {
@@ -12996,6 +13285,32 @@ export interface components {
         };
       };
     };
+    /** @description Returned upon a successful SIWS authentication. */
+    SiwsCompleteResponse: {
+      content: {
+        "application/json": {
+          /** @description The OIDC token corresponding to the user with the requested SIWS identity. */
+          id_token: string;
+        };
+      };
+    };
+    /**
+     * @description A challenge returned in response to a Sign-In with Solana request.
+     *
+     * Contains a structured [SignInInput] that the client must render to its canonical text and sign
+     * (ed25519) with the requested key in order to complete authentication.
+     *
+     * The client has until the message expires (but no more than 5 minutes) to complete the challenge.
+     */
+    SiwsInitResponse: {
+      content: {
+        "application/json": {
+          /** @description The ID of the challenge (to include in the request when calling the PATCH ('complete') endpoint) */
+          challenge_id: string;
+          sign_in_input: components["schemas"]["SignInInput"];
+        };
+      };
+    };
     StakeResponse: {
       content: {
         "application/json": ({
@@ -16155,12 +16470,21 @@ export interface operations {
    * but extends the output with an `id_token`.
    *
    * This `id_token` can then be used with any CubeSigner endpoint that requires an OIDC token.
+   * Callers must request *at least* scopes `tweet.read` and `users.read` during auth with twitter.
+   *
+   * By default, the id token does not contain a confirmed email;
+   * callers can request this field be populated by requesting the `users.email` scope
+   * and adding `fetch_email` as a URL parameter to this route.
+   *
    *
    * > [!IMPORTANT]
    * > This endpoint will fail unless the org is configured to allow the issuer `https://shim.oauth2.cubist.dev/twitter` and client ID being used for Twitter.
    */
   oauth2Twitter: {
     parameters: {
+      query?: {
+        fetch_email?: boolean | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -16333,6 +16657,77 @@ export interface operations {
       };
     };
   };
+  /**
+   * Initiate login via Sign-in With Solana (SIWS).
+   * @description Initiate login via Sign-in With Solana (SIWS).
+   *
+   * This endpoint generates a challenge which can be answered (via the corresponding PATCH endpoint)
+   * to obtain an OIDC token. The OIDC token can then be exchanged for a user session via the standard
+   * OIDC auth route.
+   *
+   * > [!IMPORTANT]
+   * > For this endpoint to succeed, the org must be configured to:
+   * > Allow the issuer `https://shim.oauth2.cubist.dev/siws` with the Org ID as the client ID
+   */
+  siwsInit: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["SiwsInitRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["SiwsInitResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
+  /**
+   * Complete login via Sign-in With Solana (SIWS)
+   * @description Complete login via Sign-in With Solana (SIWS)
+   *
+   * If the challenge (issued by the corresponding POST endpoint) is answered correctly, this endpoint
+   * generates an OIDC token that can then be exchanged for a user session via the standard OIDC auth route.
+   *
+   * > [!IMPORTANT]
+   * > For this endpoint to succeed, the org must be configured to:
+   * > Allow the issuer `https://shim.oauth2.cubist.dev/siws` with the Org ID as the client ID
+   */
+  siwsComplete: {
+    parameters: {
+      path: {
+        /**
+         * @description Name or ID of the desired Org
+         * @example Org#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        org_id: string;
+      };
+    };
+    requestBody: {
+      content: {
+        "application/json": components["schemas"]["SiwsCompleteRequest"];
+      };
+    };
+    responses: {
+      200: components["responses"]["SiwsCompleteResponse"];
+      default: {
+        content: {
+          "application/json": components["schemas"]["ErrorResponse"];
+        };
+      };
+    };
+  };
   /**
    * Allows a user to authenticate with the telegram API using the tgWebAppData value
    * @description Allows a user to authenticate with the telegram API using the tgWebAppData value
@@ -17677,16 +18072,23 @@ export interface operations {
         "page.start"?: string | null;
         /**
          * @description If provided, the name or ID of a role to operate on.
-         * Cannot be specified together with `user`.
+         * Cannot be specified together with other selectors.
          * @example my-role
          */
         role?: string | null;
         /**
          * @description If provided, the ID of a user to operate on.
-         * Cannot be specified together with `role`.
+         * Cannot be specified together with other selectors.
          * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         user?: string | null;
+        /**
+         * @description If provided, the ID of the user whose created role sessions to operate on.
+         * Selects all *role* sessions created by that user (user sessions are not affected).
+         * Cannot be specified together with other selectors.
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_created_by?: string | null;
       };
       path: {
         /**
@@ -17749,22 +18151,36 @@ export interface operations {
    *
    * If a `role` query parameter is provided, **ALL** session for **THAT ROLE** are revoked
    * (if the current user has permissions to revoke sessions for the role).
+   *
+   * If a `role_created_by` query parameter is provided, **ROLE** sessions created by **THAT USER**
+   * are revoked (gated by the same permissions as revoking that user's own sessions: the current
+   * user must be that user or an org owner). User sessions are not affected. Unless the current
+   * user is an org owner, only sessions for roles the current user is **still a member of** are
+   * revoked (so a user cannot revoke sessions for a role they have since been removed from); org
+   * owners revoke across all roles.
    */
   revokeSessions: {
     parameters: {
       query?: {
         /**
          * @description If provided, the name or ID of a role to operate on.
-         * Cannot be specified together with `user`.
+         * Cannot be specified together with other selectors.
          * @example my-role
          */
         role?: string | null;
         /**
          * @description If provided, the ID of a user to operate on.
-         * Cannot be specified together with `role`.
+         * Cannot be specified together with other selectors.
          * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         user?: string | null;
+        /**
+         * @description If provided, the ID of the user whose created role sessions to operate on.
+         * Selects all *role* sessions created by that user (user sessions are not affected).
+         * Cannot be specified together with other selectors.
+         * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
+         */
+        role_created_by?: string | null;
       };
       path: {
         /**
@@ -18604,6 +19020,9 @@ export interface operations {
    */
   deleteOidcUser: {
     parameters: {
+      query?: {
+        revoke_role_sessions_they_created?: boolean | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org
@@ -18745,6 +19164,9 @@ export interface operations {
    */
   deleteUser: {
     parameters: {
+      query?: {
+        revoke_role_sessions_they_created?: boolean | null;
+      };
       path: {
         /**
          * @description Name or ID of the desired Org