@giveitsmaller/contracts 0.5.0 → 0.7.0

package/openapi/api.yaml

@@ -75,7 +75,7 @@ info:
     of truth instead of hardcoding magic numbers. A runtime
     `GET /api/uploads/limits` endpoint for dynamic discovery
     (per-tier / per-environment overrides) is a deferred follow-up.
-  version: 2.15.3
+  version: 2.17.0
   contact:
     name: API Support
 
@@ -103,6 +103,14 @@ tags:
   - name: AudioWatermark
     description: Steganographic audio watermark embed and decode
 
+# Spec-root default per ADR-0016 D2: anonymous-OK unless overridden
+# per-operation. Every inbound operation declares an explicit `security:`
+# block (one of `[]`, `[{bearerAuth: []}, {sessionAuth: []}]`, or
+# `[{}, {bearerAuth: []}, {sessionAuth: []}]`) so the contract is
+# self-documenting — `[]` here protects against future endpoints that
+# accidentally inherit a stricter default.
+security: []
+
 paths:
   # ============================================
   # UPLOAD ENDPOINTS
@@ -122,6 +130,7 @@ paths:
         (10 MB). Files above this size MUST use the multipart upload flow
         instead (`POST /api/uploads/multipart/initiate`).
       operationId: uploadFile
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-OK; auth attribution if present)
       tags:
         - Upload
       requestBody:
@@ -321,6 +330,7 @@ paths:
 
         After all parts are uploaded to S3, call the complete endpoint to finalise.
       operationId: multipartInitiate
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-tolerant; manifest.userId pinned to caller if authed)
       tags:
         - Upload
       requestBody:
@@ -455,6 +465,8 @@ paths:
         rule and additionally refuse anonymous-initiated sessions
         outright (returning 403 `MULTIPART_SESSION_AUTH_REQUIRED`).
       operationId: multipartComplete
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-tolerant; ownership-scoped per HxUmVr3Y when manifest.userId set)
+      x-identity-scoped: true  # session/ownership-scoped per ADR-0016 D3
       tags:
         - Upload
       requestBody:
@@ -550,6 +562,8 @@ paths:
         Completion-readiness is client-derived (walk all pages, compare
         the count of returned parts to `total_parts`).
       operationId: multipartStatus
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (anon-initiated sessions rejected with MULTIPART_SESSION_AUTH_REQUIRED — see ErrorCode.authentication_required prose)
+      x-identity-scoped: true  # session/ownership-scoped per ADR-0016 D3
       tags:
         - Upload
       parameters:
@@ -674,6 +688,8 @@ paths:
         **Authentication required.** Same `MULTIPART_SESSION_*` codes
         apply as on `/status`.
       operationId: multipartPresign
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (anon-initiated sessions rejected; resume-only endpoint)
+      x-identity-scoped: true  # session/ownership-scoped per ADR-0016 D3
       tags:
         - Upload
       parameters:
@@ -793,6 +809,8 @@ paths:
         **Authentication required.** Same `MULTIPART_SESSION_*` codes
         apply as on `/status` and `/presign`.
       operationId: multipartKeepalive
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (anon-initiated sessions rejected; resume-only endpoint)
+      x-identity-scoped: true  # session/ownership-scoped per ADR-0016 D3
       tags:
         - Upload
       parameters:
@@ -868,6 +886,8 @@ paths:
         - **Audio:** duration, bitrate, channels, sample_rate, codec
         - **Documents:** page_count, dimensions (for PDF)
       operationId: getUploadMetadata
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-OK; identity-scoped to caller's session/identity)
+      x-identity-scoped: true  # ownership-scoped per ADR-0016 D3
       tags:
         - Upload
       parameters:
@@ -955,6 +975,8 @@ paths:
         same `probed_at` timestamp + result (cached server-side per
         upload).
       operationId: probeUpload
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (explicit 401 in response set; ownership-scoped)
+      x-identity-scoped: true  # ownership-scoped per ADR-0016 D3
       tags:
         - Upload
       x-availability: planned
@@ -1173,6 +1195,8 @@ paths:
         idempotency-key wire shape for retried reservation attempts
         is deferred per ADR-0001 §1.7 row 5.
       operationId: createWorkflow
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-OK on free-tier baseline; auth required for tier-gated operations)
+      x-identity-scoped: true  # request body dereferences upload file_ids — cross-identity references return 403 per ADR-0016 D3 (NOTE: §D4 ADR sample showed identity_scoped: false; B3 audit flipped to true per §D3 principle — SDK-acked 2026-05-28)
       tags:
         - Workflow
       requestBody:
@@ -1656,6 +1680,8 @@ paths:
         Each operation includes its current progress and, when completed, its result
         (download URL, size, metrics).
       operationId: getWorkflowStatus
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-OK; identity-scoped to workflow owner)
+      x-identity-scoped: true  # workflow-ownership-scoped per ADR-0016 D3
       tags:
         - Workflow
       parameters:
@@ -1737,6 +1763,8 @@ paths:
         Each job's operations are listed with their output files and pre-signed
         download URLs.
       operationId: getWorkflowDownloads
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-OK; identity-scoped to workflow owner)
+      x-identity-scoped: true  # workflow-ownership-scoped per ADR-0016 D3
       tags:
         - Workflow
       parameters:
@@ -1839,6 +1867,8 @@ paths:
         (the `id:` and `event:` lines) is transport-level and intentionally
         **not** schema-described.
       operationId: streamWorkflowEvents
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-OK; identity-scoped to workflow owner)
+      x-identity-scoped: true  # workflow-ownership-scoped per ADR-0016 D3
       tags:
         - Workflow
       parameters:
@@ -1902,6 +1932,8 @@ paths:
         cancel response is the binding "no further reservations
         will be made" signal.
       operationId: cancelWorkflow
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (explicit 401 in response set)
+      x-identity-scoped: true  # workflow-ownership-scoped per ADR-0016 D3
       tags:
         - Workflow
       parameters:
@@ -2004,6 +2036,8 @@ paths:
         a 409 (no-op — the workflow is already running, terminal,
         or cancelled).
       operationId: resumeWorkflow
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (explicit 401 in response set)
+      x-identity-scoped: true  # workflow-ownership-scoped per ADR-0016 D3
       tags:
         - Workflow
       parameters:
@@ -2125,6 +2159,7 @@ paths:
         on `OptionSchema` (ticket I17). Clients should use these to build
         dynamic forms with availability-aware UX.
       operationId: getOperationsSchema
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-OK returns free-tier baseline; auth tier-scopes the response)
       tags:
         - Operations
       parameters:
@@ -2287,6 +2322,8 @@ paths:
         The original failed operation is marked as `retried` and a new operation with
         a new ID is created in `pending` state.
       operationId: retryOperation
+      security: [{}, {bearerAuth: []}, {sessionAuth: []}]  # optional (anon-OK; identity-scoped to operation owner)
+      x-identity-scoped: true  # operation-ownership-scoped per ADR-0016 D3
       tags:
         - Operations
       parameters:
@@ -2340,6 +2377,7 @@ paths:
       summary: Liveness probe
       description: Kubernetes liveness probe endpoint
       operationId: liveness
+      security: []  # anonymous (k8s probe — auth irrelevant)
       tags:
         - Health
       responses:
@@ -2357,6 +2395,7 @@ paths:
       summary: Readiness probe
       description: Kubernetes readiness probe endpoint - checks database and cache connectivity
       operationId: readiness
+      security: []  # anonymous (k8s probe — auth irrelevant)
       tags:
         - Health
       responses:
@@ -2393,6 +2432,7 @@ paths:
           - `429` — infrastructure rate-limit (too many attempts in the current
             window). Distinct from `account_locked`, which is persisted state.
       operationId: loginUser
+      security: []  # anonymous (entry point — you're logging in, no creds yet)
       tags:
         - Auth
       requestBody:
@@ -2580,6 +2620,8 @@ paths:
         endpoint since `AuthController.php:19-22`; this declaration
         catches the contract up).
       operationId: logoutUser
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (logout requires an authenticated principal to invalidate)
+      x-identity-scoped: true  # identity-bound (caller's own session) per ADR-0016 D3 — by symmetry with credits/balance per §D4 sample
       tags:
         - Auth
       responses:
@@ -2674,6 +2716,14 @@ paths:
         per ADR-0001 §1.3); the runtime endpoint returns `404` until
         cross-repo wiring lands.
       operationId: createExternalImport
+      # Auth: REQUIRED defensively. Endpoint is availability:planned (no
+      # controller yet); but the endpoint stores encrypted server-side
+      # secrets (bearer URLs, passwords) and anon-callable secret
+      # storage is almost certainly wrong. Locking the contract here
+      # while we still own the source of truth; runtime tightens to
+      # match when the controller lands. Per ADR-0016 / karen review
+      # on yN309QVb-B2.
+      security: [{bearerAuth: []}, {sessionAuth: []}]
       x-availability: planned
       tags:
         - Upload
@@ -2780,6 +2830,7 @@ paths:
         `feature_not_available` (422) until the Lambda lands. Per
         Tension 1 (ADR-0001 §1.3).
       operationId: decodeAudioWatermark
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (explicit 401 in response set; tier-gated runtime call)
       tags:
         - AudioWatermark
       x-availability: planned
@@ -2877,6 +2928,8 @@ paths:
         SDKs gate UI on `available_credits` for the spend-now affordance
         and on `tier` for tier-upgrade prompts.
       operationId: getCreditsBalance
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (identity-scoped to caller's wallet)
+      x-identity-scoped: true  # caller's wallet — per ADR-0016 §D4 sample
       tags:
         - Billing
       responses:
@@ -2956,6 +3009,8 @@ paths:
 
         Default page is 20 transactions, ordered most-recent-first.
       operationId: getCreditsUsage
+      security: [{bearerAuth: []}, {sessionAuth: []}]  # required (identity-scoped to caller's usage history)
+      x-identity-scoped: true  # caller's usage history — per ADR-0016 D3
       tags:
         - Billing
       parameters:
@@ -3139,6 +3194,7 @@ paths:
         On success, returns 204 with no body. The API sends the message via its
         configured delivery channel (e.g. email, queue).
       operationId: submitContact
+      security: []  # anonymous (public contact form)
       tags:
         - Contact
       requestBody:
@@ -3225,6 +3281,38 @@ webhooks:
           description: Callback acknowledged (no body)
 
 components:
+  # Per ADR-0016: auth presence is modeled with OpenAPI-native
+  # `security` / `securitySchemes` (NOT a custom `auth:` field) so codegen,
+  # spectral, and oasdiff understand it natively. Two schemes — the same
+  # Symfony `api` firewall accepts BOTH a bearer API-key and a login-session
+  # cookie. Per-operation `security:` blocks OR the two schemes for the
+  # three idioms (anonymous / required / optional). Spec root carries
+  # `security: []` default (anonymous-OK); per-operation overrides flip
+  # the requirement.
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      description: |
+        API-key bearer authentication. The `ApiKeyAuthenticator`
+        (Symfony `api` firewall) validates
+        `Authorization: Bearer <api-key>` per the prose under
+        `ErrorCode.authentication_required`.
+    sessionAuth:
+      type: apiKey
+      in: cookie
+      name: PHPSESSID
+      description: |
+        Login-session cookie authentication. The `ApiEntryPoint`
+        (Symfony `api` firewall) recognises an authenticated session
+        when the cookie is present and the session has a valid
+        principal. Set by `POST /api/auth/login`; cleared by
+        `POST /api/auth/logout`. Cookie name `PHPSESSID` follows the
+        Symfony / PHP default — no `framework.session.name` override
+        in `compression/config/packages/framework.yaml` as of v2.16.6
+        verification. Update this declaration if the API repo ever
+        adds a `session.name` override.
+
   schemas:
     # ============================================
     # SHARED PRIMITIVES
@@ -7752,6 +7840,63 @@ components:
         discriminator-based dispatch reads the snake_case wire key directly
         (`switch (json['result_kind'])`), avoiding the case-mismatch bug
         entirely.
+
+        **v2.16.1 attempted PHP-template fix (superseded by v2.16.5).**
+        The v2.16.1 cut introduced the shared `SseCompletionBase`
+        schema declaring `result_kind: { enum: [single, multi] }` (both
+        literal values together) and had the branch wrappers
+        allOf-merge it. The intent was to fix the v2.15.3 design where
+        `result_kind` was declared only as `enum: [single]` /
+        `enum: [multi]` inside each branch's inline `allOf` block —
+        which made the openapi-generator PHP template flatten only one
+        branch's enum into `getResultKindAllowableValues()`. The
+        v2.16.1 verification at the time confirmed PHP emitted both
+        values, but against the v2.15.3-generated tree, not against a
+        fresh v2.16.1 regen. SDKs later caught (via codex on the
+        v2.16.3 regen, surfaced by ChSmslxj) that v2.16.1's shared-base
+        fix did NOT actually propagate through the PHP template — the
+        template visits each oneOf branch's allOf and only flattens the
+        per-branch single-value enum, NOT the shared base's full-union
+        enum. PHP root model still emitted `RESULT_KIND_MULTI` only
+        (the second branch's value). SseCompletionBase is RETAINED in
+        v2.16.5 for documentation + JSON Schema branch identification
+        + consumers that traverse the allOf chain, but on its own it
+        is NOT load-bearing for PHP correctness.
+
+        **v2.16.5 ChSmslxj PHP-template fix (load-bearing).**
+        Declares `result_kind` with the full `enum: [single, multi]`
+        directly on the ROOT `SseOperationCompletionResult` schema as
+        a sibling of `oneOf` and `discriminator` (with `type: object`
+        + `required: [result_kind]`). The openapi-generator PHP
+        template flattens this root enum cleanly into
+        `getResultKindAllowableValues()`, emitting both
+        `RESULT_KIND_SINGLE` and `RESULT_KIND_MULTI`. The triple
+        declaration (root + SseCompletionBase + per-branch wrappers)
+        is harmless redundancy: the root carries the full union for
+        the PHP template; SseCompletionBase carries the full union
+        for allOf-chain consumers; per-branch wrappers pin to a
+        single literal value for OpenAPI discriminator semantics +
+        JSON Schema branch identification. TypeScript dispatch is
+        unchanged (`switch (json['result_kind'])` reads the
+        snake_case wire key directly — verified on openapi-generator-
+        cli v7.21.0).
+      type: object
+      required:
+        - result_kind
+      properties:
+        result_kind:
+          type: string
+          enum: [single, multi]
+          description: |
+            Discriminator field. The full `[single, multi]` enum is
+            declared directly on the root (this object) so the
+            openapi-generator PHP template flattens both literal
+            values into `getResultKindAllowableValues()` per
+            ChSmslxj. Also declared on the shared `SseCompletionBase`
+            (retained for consumers that traverse the allOf chain)
+            and on each per-branch wrapper (single-value enum pinning
+            the branch). The triple declaration is harmless redundancy
+            necessary for PHP template flattening.
       oneOf:
         - $ref: '#/components/schemas/SseSingleOutputCompletion'
         - $ref: '#/components/schemas/SseMultiOutputCompletionWithKind'
@@ -7761,46 +7906,71 @@ components:
           single: '#/components/schemas/SseSingleOutputCompletion'
           multi: '#/components/schemas/SseMultiOutputCompletionWithKind'
 
+    SseCompletionBase:
+      type: object
+      description: |
+        Shared base schema for the two `SseOperationCompletionResult`
+        branches. Declares the `result_kind` discriminator field as a
+        `[single, multi]` enum with both literal values, then each branch
+        wrapper allOf-merges this base + its body schema.
+
+        **Rationale (v2.16.1):** the v2.15.3 design declared `result_kind`
+        as a single-value `enum [single]` / `enum [multi]` inside each
+        branch's inline `allOf` block. The openapi-generator PHP template
+        for this shape flattens only the FIRST branch's discriminator enum
+        into the root `getResultKindAllowableValues()` list, so PHP
+        deserialisation rejects the other branch's wire value as invalid.
+        Promoting `result_kind` to a shared base with the full union
+        `enum [single, multi]` makes PHP accept both values; the
+        per-branch `enum [single]` / `enum [multi]` (kept on the wrappers
+        for JSON Schema-level branch identification + OpenAPI
+        discriminator semantics) does not regress. TypeScript dispatch
+        continues to use `switch (json['result_kind'])` — confirmed by
+        codegen verification on openapi-generator-cli v7.21.0.
+      required:
+        - result_kind
+      properties:
+        result_kind:
+          type: string
+          enum: [single, multi]
+          description: |
+            Discriminator field on `SseOperationCompletionResult`. The
+            API SSE serializer emits `"single"` for single-output
+            completion payloads and `"multi"` for multi-output payloads;
+            generated SDK dispatch routes on this value to pick the
+            correct branch deserializer.
+
     SseSingleOutputCompletion:
       description: |
         Single-output branch of `SseOperationCompletionResult` — wraps
-        `OperationResult` with a `result_kind: "single"` discriminator field
-        so the openapi-generator dispatch can route by wire-format key
-        (`result_kind`) rather than by structural property presence.
-        See `SseOperationCompletionResult` description for the rationale.
+        `OperationResult` + the shared `SseCompletionBase` + pins
+        `result_kind` to the literal `"single"`. See
+        `SseOperationCompletionResult` description for the rationale +
+        codegen-quirk context.
       allOf:
         - $ref: '#/components/schemas/OperationResult'
+        - $ref: '#/components/schemas/SseCompletionBase'
         - type: object
-          required:
-            - result_kind
           properties:
             result_kind:
               type: string
               enum: [single]
-              description: |
-                Discriminator. Always the literal `"single"` for this branch.
-                Emitted by the API SSE serializer; consumed by
-                `SseOperationCompletionResult` dispatch.
 
     SseMultiOutputCompletionWithKind:
       description: |
         Multi-output branch of `SseOperationCompletionResult` — wraps
-        `SseMultiOutputCompletion` with a `result_kind: "multi"` discriminator
-        field. See `SseOperationCompletionResult` description for the
-        rationale.
+        `SseMultiOutputCompletion` + the shared `SseCompletionBase` +
+        pins `result_kind` to the literal `"multi"`. See
+        `SseOperationCompletionResult` description for the rationale +
+        codegen-quirk context.
       allOf:
         - $ref: '#/components/schemas/SseMultiOutputCompletion'
+        - $ref: '#/components/schemas/SseCompletionBase'
         - type: object
-          required:
-            - result_kind
           properties:
             result_kind:
               type: string
               enum: [multi]
-              description: |
-                Discriminator. Always the literal `"multi"` for this branch.
-                Emitted by the API SSE serializer; consumed by
-                `SseOperationCompletionResult` dispatch.
 
     SseMultiOutputCompletion:
       type: object
@@ -8115,6 +8285,84 @@ components:
             availability metadata per I1 / I17).
           additionalProperties:
             $ref: '#/components/schemas/OperationSchemaDefinition'
+        endpoints:
+          type: object
+          description: |
+            Flat per-endpoint auth/identity projection per
+            [ADR-0016](../docs/decisions/0016-per-endpoint-auth-identity-modeling.md)
+            §D4. Keys are `<METHOD> <PATH>` literals (e.g.
+            `"POST /api/workflows"`); values declare the auth axis +
+            identity-scoping + reserved tier/availability slots +
+            operation_id for SDK ergonomic-layer consumption.
+
+            Webhook operations are EXCLUDED per ADR-0016 §D5 — outbound
+            HMAC-signed callbacks use a separate auth model.
+
+            **Optional in the wire envelope** to keep the runtime
+            endpoint's mirroring obligation incremental: the
+            committed sidecar (yN309QVb-B3 / v2.17.0+) emits this
+            block authoritatively; the runtime `GET /api/operations/
+            schema` MAY mirror it once the API team's runtime
+            generator catches up. Consumers MUST tolerate absent
+            `endpoints` from the runtime endpoint (read the sidecar
+            instead) and MUST tolerate present `endpoints` from
+            either source.
+          additionalProperties:
+            $ref: '#/components/schemas/EndpointProjection'
+
+    EndpointProjection:
+      type: object
+      description: |
+        Per-endpoint projection entry per ADR-0016 §D4. Five fields;
+        `required_tier` and `availability` at endpoint level are
+        reserved/null today (operation-level `required_tier` continues
+        to flow via `operations.*.required_tier`; every shipped
+        endpoint is currently `availability: stable`).
+      required:
+        - auth
+        - identity_scoped
+        - required_tier
+        - availability
+        - operation_id
+      properties:
+        auth:
+          type: string
+          enum: [anonymous, optional, required]
+          description: |
+            3-value projection of the operation's `security:` block:
+            `anonymous` (`security: []`), `optional` (`security`
+            contains the empty requirement `{}`), `required`
+            (otherwise).
+        identity_scoped:
+          type: boolean
+          description: |
+            Value of the `x-identity-scoped` vendor extension on the
+            operation (default `false`). True iff the operation
+            targets an identity-bound resource and cross-identity
+            access returns 403 — OR acts on the caller's implicit
+            identity-scoped data (credits balance, own session).
+        required_tier:
+          description: |
+            Endpoint-level entitlement gate. Reserved/null today —
+            operation-level `required_tier` flows via
+            `operations.*.required_tier` and is NOT duplicated here.
+          oneOf:
+            - $ref: '#/components/schemas/UserTier'
+            - type: 'null'
+        availability:
+          type: string
+          enum: [stable, beta, experimental, planned, deprecated]
+          description: |
+            Endpoint-level availability tag. Currently always
+            `"stable"` for shipped endpoints. Reserved for future
+            `planned` / `deprecated` endpoint-level annotation.
+        operation_id:
+          type: string
+          description: |
+            OpenAPI `operationId` for the operation. SDK code
+            generators anchor on this for method naming; including
+            it in the sidecar saves a round-trip to `openapi/api.yaml`.
+            Per the SDK ask at ADR-0016 B1 sign-off.
 
     OperationSchemaDefinition:
       type: object
@@ -8291,6 +8539,7 @@ components:
             - boolean
             - enum
             - string
+            - array
         description:
           type: string
           description: Human-readable description

package/operations/schemas/compress.yaml

@@ -15,10 +15,7 @@ operation:
         - image/webp
         - image/svg+xml
         - image/tiff
-        - image/bmp
-        - image/vnd.microsoft.icon
         - image/avif
-        - image/heic
       options:
         mode:
           type: enum

package/operations/schemas/convert.yaml

@@ -117,7 +117,20 @@ operation:
         pages:
           type: string
           default: "1"
-          description: "Page selection (e.g. '1-5,8'). Each page produces a separate output file."
+          description: |
+            Page selection (e.g. '1-5,8'). Each resolved page produces a
+            separate output file. **Maximum 200 resolved entries per
+            request** — aligns with the `OperationResult.outputs[]`
+            `maxItems: 200` cap per ADR-0009 §D5
+            (`docs/decisions/0009-multi-output-result-envelope.md`).
+            Expressions resolving to more than 200 entries (e.g.
+            `'1-201'`, `'1-100,102-205'`) are out of contract.
+            Duplicate or overlapping entries (e.g. `'1,1'`,
+            `'1-100,50-150'`) are counted toward the cap as parsed;
+            deduplication, if any, is a runtime concern and is NOT part
+            of this contract. Enforcement at the API edge validator and
+            the Lambda runtime is tracked under WgCqnMRa follow-ups
+            (cross-repo: API + Lambdas `bFlEXizR`).
         dpi:
           type: integer
           min: 72

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@giveitsmaller/contracts",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "description": "Generated contract types for GISL (Give It Smaller)",
   "license": "MIT",
   "type": "module",