@cubist-labs/cubesigner-sdk 0.4.263 → 0.4.266

package/src/response.ts

@@ -1,7 +1,21 @@
-import type { MfaVote, EnvInterface, MfaReceipts, MfaRequired } from ".";
-import { CubeSignerClient, MultiRegionEnv, isManyMfaReceipts } from ".";
-import { encodeToBase64Url } from "./util";
-import type { AcceptedResponse, AcceptedValue, BinanceDryRun, SignDryRun } from "./schema_types";
+import type { MfaVote, EnvInterface, MfaReceipts, MfaRequired } from "./index.ts";
+import {
+  ALL_ACCEPTED_CODES,
+  CubeSignerClient,
+  ErrResponse,
+  MultiRegionEnv,
+  isManyMfaReceipts,
+} from "./index.ts";
+import { encodeToBase64Url } from "./util.ts";
+import type {
+  AcceptedResponse,
+  AcceptedValue,
+  SignDryRun,
+  JsonRpcResponse,
+  JsonRpcResult,
+  ErrorResponse,
+  AcceptedValueCode,
+} from "./schema_types.ts";
 
 /**
  * Response type, which can be either a value of type {@link U}
@@ -42,7 +56,7 @@ export function mapResponse<U, V>(resp: Response<U>, mapFn: MapFn<U, V>): Respon
  */
 function asAccepted<U>(resp: Response<U>): AcceptedValue | undefined {
   const acceptedResp = resp as AcceptedResponse;
-  return acceptedResp.error_code === "SignDryRun" || acceptedResp.error_code === "MfaRequired"
+  return ALL_ACCEPTED_CODES.includes(acceptedResp.error_code as AcceptedValueCode)
     ? (acceptedResp.accepted ?? undefined)
     : undefined;
 }
@@ -76,13 +90,6 @@ export class CubeSignerResponse<U> {
     return this.asAccepted()?.SignDryRun ?? undefined;
   }
 
-  /**
-   * @returns The associated {@link BinanceDryRun} value, if the response status code is 202 and the response is a dry run of a sign operation.
-   */
-  asBinanceDryRun(): BinanceDryRun | undefined {
-    return this.asAccepted()?.BinanceDryRun ?? undefined;
-  }
-
   /**
    * @returns Whether this response is a "200 Success" (in which case it is safe to call {@link data})
    */
@@ -285,6 +292,44 @@ export class CubeSignerResponse<U> {
     return new CubeSignerResponse(MultiRegionEnv.create(env), requestFn, seed);
   }
 
+  /**
+   * Similar to {@link create} except that unwraps the {@link JsonRpcResponse}
+   * to throw an {@link ErrResponse} on error
+   *
+   * @param env The environment where the response comes from
+   * @param reqFn
+   *    The request function that this response is from.
+   *    This argument is used to resend requests with different headers if needed.
+   * @param mfaReceipt Optional MFA receipt(s)
+   * @returns New instance of this class.
+   * @internal
+   */
+  static async createForJsonRpc(
+    env: EnvInterface | MultiRegionEnv,
+    reqFn: RequestFn<JsonRpcResponse>,
+    mfaReceipt?: MfaReceipts,
+  ): Promise<CubeSignerResponse<JsonRpcResult>> {
+    const requestFn: RequestFn<JsonRpcResult> = async (headers) => {
+      const resp = await reqFn(headers);
+      if (resp.result) return resp.result;
+      const errResp = resp.error?.data as ErrorResponse | undefined;
+
+      // return AcceptedResponse if accepted
+      if (errResp?.accepted) {
+        return errResp;
+      }
+
+      // otherwise it's an error
+      throw new ErrResponse({
+        message: errResp?.message ?? resp.error?.message ?? "JSON-RPC error",
+        errorCode: errResp?.error_code,
+        requestId: errResp?.request_id,
+      });
+    };
+    const seed = await requestFn(this.getMfaHeaders(mfaReceipt));
+    return new CubeSignerResponse(MultiRegionEnv.create(env), requestFn, seed);
+  }
+
   /**
    * Return HTTP headers containing a given MFA receipt.
    *

package/src/role.ts

@@ -20,12 +20,12 @@ import type {
   EditPolicy,
   MfaPolicy,
   RoleInfoJwt,
-} from ".";
-import { Key, SignerSessionInfo } from ".";
+} from "./index.ts";
+import { Key, SignerSessionInfo } from "./index.ts";
 
 // these types are used in doc comments only
 // eslint-disable-next-line @typescript-eslint/no-unused-vars
-import type { RoleAttestationClaims, RoleAttestationQuery } from "./schema_types";
+import type { RoleAttestationClaims, RoleAttestationQuery } from "./schema_types.ts";
 
 type NameOrAddressOrNull = string | null;
 

package/src/schema.ts

@@ -1320,6 +1320,12 @@ export interface paths {
      *
      * If a `role` query parameter is provided, all active sessions for the selected role are returned
      * (asserting first that the current user has permissions to read sessions for that role).
+     *
+     * If a `role_created_by` query parameter is provided, all active **role** sessions created by that
+     * user are returned (gated by the same permissions as listing that user's own sessions: the
+     * current user must be that user or an org owner). When combined with `role`, the result is
+     * further restricted to the sessions created by that user for the given role; the permission model
+     * is unchanged. The `user` selector cannot be combined with `role` or `role_created_by`.
      */
     get: operations["listSessions"];
     /**
@@ -1350,6 +1356,14 @@ export interface paths {
      * user is an org owner, only sessions for roles the current user is **still a member of** are
      * revoked (so a user cannot revoke sessions for a role they have since been removed from); org
      * owners revoke across all roles.
+     *
+     * If **both** a `role` and a `role_created_by` query parameter are provided, the selection above
+     * is narrowed to only the sessions created by **THAT USER** for **THAT ROLE**. The permission
+     * model is unchanged from the `role_created_by`-only case (the current user must be that user or
+     * an org owner, and non-owners are still limited to roles they are a member of); `role` is purely
+     * an additional filter.
+     *
+     * The `user` selector cannot be combined with `role` or `role_created_by`.
      */
     delete: operations["revokeSessions"];
   };
@@ -2949,6 +2963,7 @@ export interface components {
       | "InvalidSolanaSignRequest"
       | "InvalidEip712SignRequest"
       | "OnlySpecifyOne"
+      | "IncompatibleParams"
       | "NoOidcDataInProof"
       | "InvalidEvmSignRequest"
       | "InvalidEth2SignRequest"
@@ -3257,6 +3272,7 @@ export interface components {
       | "RpcCreateTransaction"
       | "RpcGetTransaction"
       | "RpcListTransactions"
+      | "RpcBtcListUtxos"
       | "RpcRetryTransaction"
       | "RpcCancelTransaction"
       | "RpcBinance"
@@ -3646,6 +3662,27 @@ export interface components {
       /** @description Taproot-tagged hash with tag "TapLeaf". */
       leaf_hash: string;
     };
+    /** @description Parameters for the [`cs_btcListUtxos`](CsRpc::BtcListUtxos) method. */
+    BtcListUtxosRequest: {
+      /** @description The Bitcoin address whose unspent outputs (UTXOs) are being queried. */
+      address: string;
+      /**
+       * Format: int32
+       * @description The maximum number of UTXOs to return (1-250).
+       * @default 100
+       */
+      max_results?: number;
+      network: components["schemas"]["BtcNetwork"];
+      /** @description Pagination token returned by a previous call. */
+      next_token?: string | null;
+    };
+    /** @description The response to [`cs_btcListUtxos`](super::request::CsRpc::BtcListUtxos). */
+    BtcListUtxosResponse: {
+      /** @description Pagination token to pass to the next call, if more results remain. */
+      next_token?: string | null;
+      /** @description The unspent transaction outputs for the queried address. */
+      utxos: components["schemas"]["BtcUtxo"][];
+    };
     /** @description Data to sign */
     BtcMessageSignRequest: {
       /** @description Do not produce a valid signature, just evaluate attached policies. */
@@ -3683,6 +3720,11 @@ export interface components {
       /** @description The base64-encoded signature in BIP137 format. */
       sig: string;
     };
+    /**
+     * @description The Bitcoin network to query for UTXOs.
+     * @enum {string}
+     */
+    BtcNetwork: "mainnet" | "testnet";
     /** @enum {string} */
     BtcSighashType:
       | "All"
@@ -3779,6 +3821,27 @@ export interface components {
        */
       value: number;
     };
+    /** @description A single Bitcoin unspent transaction output (UTXO). */
+    BtcUtxo: {
+      /** @description The address that controls this output. */
+      address?: string | null;
+      /** @description Whether the output has reached finality (is confirmed). */
+      confirmed: boolean;
+      /**
+       * Format: int64
+       * @description The block time of the output, in seconds since the Unix epoch.
+       */
+      time?: number | null;
+      /** @description The hash of the transaction that created this output. */
+      transaction_hash: string;
+      /** @description The output value, in satoshis, as a decimal string. */
+      value?: string | null;
+      /**
+       * Format: int32
+       * @description The index of this output within its transaction.
+       */
+      vout_index?: number | null;
+    };
     /**
      * @description The access-controlled actions that can be performed on a bucket
      * @enum {string}
@@ -4028,7 +4091,7 @@ export interface components {
     };
     /**
      * @description Bybit-family RPC methods. Each variant authenticates as the
-     * [`KeyType::HmacSha256`] key in its `params.key_id` (which must carry
+     * [`KeyType::HmacSha256Bybit`] key in its `params.key_id` (which must carry
      * [`KeyProperties::BybitApi`]).
      */
     BybitRpc:
@@ -5049,35 +5112,37 @@ export interface components {
       options: components["schemas"]["PublicKeyCredentialCreationOptions"];
     };
     /** @description Core RPC methods (transaction CRUD). */
-    CsRpc: OneOf<
-      [
-        {
+    CsRpc:
+      | {
           /** @enum {string} */
           method: "cs_createTransaction";
           params: components["schemas"]["CreateTransactionRequest"];
-        },
-        {
+        }
+      | {
           /** @enum {string} */
           method: "cs_retryTransaction";
           params: components["schemas"]["RetryTransactionRequest"];
-        },
-        {
+        }
+      | {
           /** @enum {string} */
           method: "cs_cancelTransaction";
           params: components["schemas"]["CancelTransactionRequest"];
-        },
-        {
+        }
+      | {
           /** @enum {string} */
           method: "cs_getTransaction";
           params: components["schemas"]["GetTransactionRequest"];
-        },
-        {
+        }
+      | {
           /** @enum {string} */
           method: "cs_listTransactions";
           params: components["schemas"]["ListTransactionsRequest"];
-        },
-      ]
-    >;
+        }
+      | {
+          /** @enum {string} */
+          method: "cs_btcListUtxos";
+          params: components["schemas"]["BtcListUtxosRequest"];
+        };
     CubeSignerUserInfo: {
       /** @description All multi-factor authentication methods configured for this user */
       configured_mfa: components["schemas"]["ConfiguredMfa"][];
@@ -6356,6 +6421,7 @@ export interface components {
       | "rpc:cancelTransaction"
       | "rpc:getTransaction"
       | "rpc:listTransactions"
+      | "rpc:btcListUtxos"
       | "rpc:binance"
       | "rpc:bybit"
       | "rpc:coinbase";
@@ -6507,6 +6573,7 @@ export interface components {
       | "SiweMessageNotValid"
       | "SiweMessageInvalidSignature"
       | "SiwsChallengeExpired"
+      | "SiwsDomain"
       | "SiwsMessageInvalid"
       | "Acl";
     /**
@@ -7068,7 +7135,8 @@ export interface components {
       | components["schemas"]["BybitWithdrawalsResponse"]
       | components["schemas"]["CoinbaseListAccountsResponse"]
       | components["schemas"]["CoinbaseListPortfoliosResponse"]
-      | components["schemas"]["CoinbaseMoveFundsResponse"];
+      | components["schemas"]["CoinbaseMoveFundsResponse"]
+      | components["schemas"]["BtcListUtxosResponse"];
     JwkSetResponse: {
       /** @description The keys included in this set */
       keys: Record<string, never>[];
@@ -7268,7 +7336,8 @@ export interface components {
       | "SecpXrpAddr"
       | "Ed25519XrpAddr"
       | "BabyJubjub"
-      | "HmacSha256";
+      | "HmacSha256"
+      | "HmacSha256Bybit";
     KeyTypeAndDerivationPath: {
       /**
        * @description List of derivation paths for which to derive.
@@ -7634,7 +7703,7 @@ export interface components {
        * @example 1701879640
        */
       expiration?: number;
-      org_id?: components["schemas"]["Id"] | null;
+      org_id: components["schemas"]["Id"];
       /** @description Token that can be used to refresh this session. */
       refresh_token: string;
       session_info: components["schemas"]["ClientSessionInfo"];
@@ -12502,7 +12571,7 @@ export interface components {
            * @example 1701879640
            */
           expiration?: number;
-          org_id?: components["schemas"]["Id"] | null;
+          org_id: components["schemas"]["Id"];
           /** @description Token that can be used to refresh this session. */
           refresh_token: string;
           session_info: components["schemas"]["ClientSessionInfo"];
@@ -18053,6 +18122,12 @@ export interface operations {
    *
    * If a `role` query parameter is provided, all active sessions for the selected role are returned
    * (asserting first that the current user has permissions to read sessions for that role).
+   *
+   * If a `role_created_by` query parameter is provided, all active **role** sessions created by that
+   * user are returned (gated by the same permissions as listing that user's own sessions: the
+   * current user must be that user or an org owner). When combined with `role`, the result is
+   * further restricted to the sessions created by that user for the given role; the permission model
+   * is unchanged. The `user` selector cannot be combined with `role` or `role_created_by`.
    */
   listSessions: {
     parameters: {
@@ -18072,7 +18147,8 @@ export interface operations {
         "page.start"?: string | null;
         /**
          * @description If provided, the name or ID of a role to operate on.
-         * Cannot be specified together with other selectors.
+         * Cannot be specified together with `user`, but may be combined with `role_created_by`
+         * to operate on the role sessions created by a given user for this specific role.
          * @example my-role
          */
         role?: string | null;
@@ -18085,7 +18161,8 @@ export interface operations {
         /**
          * @description If provided, the ID of the user whose created role sessions to operate on.
          * Selects all *role* sessions created by that user (user sessions are not affected).
-         * Cannot be specified together with other selectors.
+         * Cannot be specified together with `user`. When combined with `role`, the selection is
+         * further restricted to the sessions created by that user for the given role.
          * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         role_created_by?: string | null;
@@ -18158,13 +18235,22 @@ export interface operations {
    * user is an org owner, only sessions for roles the current user is **still a member of** are
    * revoked (so a user cannot revoke sessions for a role they have since been removed from); org
    * owners revoke across all roles.
+   *
+   * If **both** a `role` and a `role_created_by` query parameter are provided, the selection above
+   * is narrowed to only the sessions created by **THAT USER** for **THAT ROLE**. The permission
+   * model is unchanged from the `role_created_by`-only case (the current user must be that user or
+   * an org owner, and non-owners are still limited to roles they are a member of); `role` is purely
+   * an additional filter.
+   *
+   * The `user` selector cannot be combined with `role` or `role_created_by`.
    */
   revokeSessions: {
     parameters: {
       query?: {
         /**
          * @description If provided, the name or ID of a role to operate on.
-         * Cannot be specified together with other selectors.
+         * Cannot be specified together with `user`, but may be combined with `role_created_by`
+         * to operate on the role sessions created by a given user for this specific role.
          * @example my-role
          */
         role?: string | null;
@@ -18177,7 +18263,8 @@ export interface operations {
         /**
          * @description If provided, the ID of the user whose created role sessions to operate on.
          * Selects all *role* sessions created by that user (user sessions are not affected).
-         * Cannot be specified together with other selectors.
+         * Cannot be specified together with `user`. When combined with `role`, the selection is
+         * further restricted to the sessions created by that user for the given role.
          * @example User#124dfe3e-3bbd-487d-80c0-53c55e8ab87a
          */
         role_created_by?: string | null;

package/src/schema_types.ts

@@ -1,5 +1,5 @@
-import type { components, operations, paths } from "./schema";
-import type { JsonMap, JsonValue } from "./util";
+import type { components, operations, paths } from "./schema.ts";
+import type { JsonMap, JsonValue } from "./util.ts";
 
 export type schemas = components["schemas"];
 
@@ -90,6 +90,16 @@ const AllOperationKinds: Record<OperationKind, true> = {
 };
 export const ALL_OPERATION_KINDS = Object.keys(AllOperationKinds) as readonly OperationKind[];
 
+export type AcceptedValueCode = schemas["AcceptedValueCode"];
+const AllAcceptedCodes: Record<AcceptedValueCode, true> = {
+  BinanceDryRun: true,
+  BybitDryRun: true,
+  CoinbaseDryRun: true,
+  MfaRequired: true,
+  SignDryRun: true,
+};
+export const ALL_ACCEPTED_CODES = Object.keys(AllAcceptedCodes) as readonly AcceptedValueCode[];
+
 export type OrgData = schemas["OrgData"];
 export type UserOrgsResponse = schemas["UserOrgsResponse"];
 
@@ -253,7 +263,7 @@ export type QueryMetricsRequest = schemas["QueryMetricsRequest"];
 export type QueryMetricsResponse = schemas["QueryMetricsResponse"];
 export type AuditLogRequest = schemas["AuditLogRequest"];
 export type AuditLogResponse = schemas["PaginatedAuditLogResponse"];
-export type { AuditLogEntry } from "./audit_log";
+export type { AuditLogEntry } from "./audit_log.ts";
 
 export type DiffieHellmanRequest = schemas["DiffieHellmanRequest"];
 export type DiffieHellmanResponse = schemas["DiffieHellmanResponse"];
@@ -265,6 +275,7 @@ export type UserExportCompleteResponse = schemas["UserExportCompleteResponse"];
 export type UserExportListResponse = schemas["PaginatedUserExportListResponse"];
 export type UserExportKeyMaterial = schemas["JsonKeyPackage"];
 export type JsonRpcResponse = schemas["JsonRpcResponse"];
+export type JsonRpcResult = NonNullable<schemas["JsonRpcResponse"]["result"]>;
 export type JsonRpcRequest = schemas["RpcMethod"] & {
   /** @description Request ID */
   id?: string;

package/src/scopes.ts

@@ -1,6 +1,6 @@
 // eslint-disable spaced-comment
 
-import { type ExplicitScope } from ".";
+import { type ExplicitScope } from "./index.ts";
 
 export type ScopesDictionary = Record<string, { label: string; scopes: ScopeItem[] }>;
 
@@ -273,6 +273,7 @@ export const AllScopes: Record<ExplicitScope, string> =
   "rpc:createTransaction:*"                     : "Allows access to the RPC API endpoint, but only for the 'cs_createTransaction' function.",
   "rpc:createTransaction:evm"                   : "Allows access to the RPC API endpoint, but only for the 'cs_createTransaction' function with an EVM transaction request.",
   "rpc:getTransaction"                          : "Allows access to the RPC API endpoint, but only for the 'cs_getTransaction' function.",
+  "rpc:btcListUtxos"                            : "Allows access to the RPC API endpoint, but only for the 'cs_btcListUtxos' function.",
   "rpc:listTransactions"                        : "Allows access to the RPC API endpoint, but only for the 'cs_listTransactions' function.",
   "rpc:retryTransaction"                        : "Allows access to the RPC API endpoint, but only for the 'cs_retryTransaction' function",
   "rpc:binance"                                 : "Allows access to the RPC API endpoint, but only for the 'cs_binance*' functions",

package/src/signer_session.ts

@@ -1,4 +1,4 @@
-import type { ApiClient } from ".";
+import type { ApiClient } from "./index.ts";
 
 /** Signer session info. Can only be used to revoke a token, but not for authentication. */
 export class SignerSessionInfo {

package/src/user_export.ts

@@ -1,5 +1,5 @@
-import type { UserExportCompleteResponse, UserExportKeyMaterial } from "./schema_types";
-import { decodeBase64 } from "./util";
+import type { UserExportCompleteResponse, UserExportKeyMaterial } from "./schema_types.ts";
+import { decodeBase64 } from "./util.ts";
 import type { CipherSuite } from "@hpke/core";
 
 /**

package/tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "extends": "../../tsconfig.build.json",
+  "compilerOptions": {
+    "outDir": "./dist"
+  },
+  "typedocOptions": {
+    "out": "./docs",
+    "entryPoints": ["src/index.ts"]
+  },
+  "exclude": ["spec", "node_modules", "dist"],
+  "include": ["src/**/*.ts"]
+}