@cubist-labs/cubesigner-sdk 0.4.259 → 0.4.262

package/src/client/api_client.ts

@@ -1,5 +1,6 @@
 import type {
   CreateOidcUserOptions,
+  DeleteUserOptions,
   IdentityProof,
   KeyInRoleInfo,
   KeyInfo,
@@ -202,6 +203,14 @@ export type SessionSelector =
   | {
       /** Selects all sessions tied to a user with this ID. */
       user: string;
+    }
+  | {
+      /**
+       * Selects all *role* sessions created by the user with this ID (user sessions are not
+       * affected). Org owners select sessions across all roles; other users only across roles
+       * they are still a member of.
+       */
+      role_created_by: string;
     };
 
 /**
@@ -736,9 +745,11 @@ export class ApiClient extends BaseClient {
    * Remove the user from the org.
    *
    * @param userId The ID of the user to remove.
+   * @param opts Options for user deletion.
+   * @param opts.revoke_role_sessions_they_created Whether to revoke role sessions created by the removed user.
    * @returns An empty response
    */
-  async orgUserDelete(userId: string): Promise<Empty> {
+  async orgUserDelete(userId: string, opts?: DeleteUserOptions): Promise<Empty> {
     const o = op("/v0/org/{org_id}/users/{user_id}", "delete");
 
     return this.exec(o, {
@@ -746,6 +757,7 @@ export class ApiClient extends BaseClient {
         path: {
           user_id: userId,
         },
+        query: opts,
       },
     });
   }
@@ -860,13 +872,18 @@ export class ApiClient extends BaseClient {
    * Delete an existing OIDC user.
    *
    * @param identity The identity of the OIDC user
+   * @param opts Options for user deletion.
+   * @param opts.revoke_role_sessions_they_created Whether to revoke role sessions created by the removed user.
    * @returns An empty response
    */
-  async orgUserDeleteOidc(identity: OidcIdentity): Promise<Empty> {
+  async orgUserDeleteOidc(identity: OidcIdentity, opts?: DeleteUserOptions): Promise<Empty> {
     const o = op("/v0/org/{org_id}/users/oidc", "delete");
 
     return this.exec(o, {
       body: identity,
+      params: {
+        query: opts,
+      },
     });
   }
 
@@ -3198,6 +3215,65 @@ export class ApiClient extends BaseClient {
     ).then(assertOk);
   }
 
+  /**
+   * Initiate login via Sign-in With Solana (SIWS).
+   *
+   * The response contains a challenge which must be answered (via {@link siwsLoginComplete})
+   * to obtain an OIDC token.
+   *
+   * @param env The environment to use
+   * @param orgId The org to login to
+   * @param body The request body
+   * @param headers Optional headers to set
+   * @returns The challenge that needs to be answered via {@link siwsLoginComplete}
+   */
+  static async siwsLoginInit(
+    env: EnvInterface,
+    orgId: string,
+    body: schemas["SiwsInitRequest"],
+    headers?: HeadersInit,
+  ): Promise<schemas["SiwsInitResponse"]> {
+    const o = op("/v0/org/{org_id}/oidc/siws", "post");
+    return await retryOn5XX(() =>
+      o({
+        baseUrl: env.SignerApiRoot,
+        params: { path: { org_id: orgId } },
+        body,
+        headers,
+      }),
+    ).then(assertOk);
+  }
+
+  /**
+   * Complete login via Sign-in With Solana (SIWS).
+   *
+   * The challenge returned by {@link siwsLoginInit} should be signed
+   * and submitted via this API call to obtain an OIDC token, which can
+   * then be used to log in via {@link oidcSessionCreate}.
+   *
+   * @param env The environment to use
+   * @param orgId The org to login to
+   * @param body The request body
+   * @param headers Optional headers to set
+   * @returns An OIDC token which can be used to log in via OIDC (see {@link oidcSessionCreate})
+   */
+  static async siwsLoginComplete(
+    env: EnvInterface,
+    orgId: string,
+    body: schemas["SiwsCompleteRequest"],
+    headers?: HeadersInit,
+  ): Promise<schemas["SiwsCompleteResponse"]> {
+    const o = op("/v0/org/{org_id}/oidc/siws", "patch");
+    return await retryOn5XX(() =>
+      o({
+        baseUrl: env.SignerApiRoot,
+        params: { path: { org_id: orgId } },
+        body,
+        headers,
+      }),
+    ).then(assertOk);
+  }
+
   /**
    * Initiate the login with passkey flow.
    *

package/src/role.ts

@@ -484,8 +484,30 @@ export type NamedPolicyReference = {
   Reference: PolicyReference;
 };
 
+/** Explicit "permit" vs "deny" policy outcome, with or without a descriptive message. */
+export type Const = ConstOutcome | { outcome: ConstOutcome; message: string };
+
+/** Explicit "permit" vs "deny" policy outcome. */
+export type ConstOutcome = "Permit" | "Deny";
+
+/**
+ * A {@link https://github.com/google/cel-spec Common Expression Language}
+ * policy to evaluate against the following context:
+ *
+ * ```json
+ * {
+ *   "operation": OperationKind,
+ *   "identity": <UserOrRoleId>,
+ *   "body": <RequestBodyJson>
+ * }
+ * ```
+ */
+export type Cel = { Cel: string };
+
 /** Key policies that restrict the requests that the signing endpoints accept */
 export type KeyDenyPolicy =
+  | Const
+  | Cel
   | OperationAllowlist
   | TxReceiver
   | TxDeposit
@@ -508,6 +530,7 @@ export type KeyDenyPolicy =
   | PolicyAnd
   | PolicyOr
   | PolicyNot
+  | PolicyIte
   | NamedPolicyReference;
 
 /**
@@ -545,6 +568,30 @@ export type RolePolicy = RolePolicyRule[];
 
 export type RolePolicyRule = KeyDenyPolicy | PolicyReference;
 
+/** Conditional policy */
+export type Conditional = {
+  /** The condition to evaluate first. */
+  if: KeyDenyPolicy;
+
+  /** The policy to apply when the condition evaluates to 'Permit'. */
+  then: KeyDenyPolicy;
+};
+
+/** One or more conditional policies */
+export type Conditionals =
+  | Conditional
+  | {
+      conditionals: Conditional[];
+    };
+
+/** If-then-else policy */
+export type PolicyIte = {
+  IfThenElse: Conditionals & {
+    /** The policy to apply when none of the conditionals apply. */
+    else: KeyDenyPolicy;
+  };
+};
+
 export type PolicyAnd = {
   And: KeyDenyPolicy[];
 };