@naughtbot/e2ee-payloads 0.1.0 → 0.3.0

package/dist/index.d.ts

@@ -34,4 +34,10 @@ export type MailboxEnrollRequestPayloadV1 = components["schemas"]["MailboxEnroll
 export type MailboxEnrollResponsePayloadV1 = components["schemas"]["MailboxEnrollResponsePayloadV1"];
 export type MailboxEnrollResponseApprovedV1 = components["schemas"]["MailboxEnrollResponseApprovedV1"];
 export type MailboxEnrollResponseRejectedV1 = components["schemas"]["MailboxEnrollResponseRejectedV1"];
+export type MailboxBrowserApprovalDecision = components["schemas"]["MailboxBrowserApprovalDecision"];
+export type MailboxBrowserApprovalResponseStatus = components["schemas"]["MailboxBrowserApprovalResponseStatus"];
+export type MailboxBrowserApprovalBindingFormat = components["schemas"]["MailboxBrowserApprovalBindingFormat"];
+export type MailboxBrowserApprovalRequestPayloadV1 = components["schemas"]["MailboxBrowserApprovalRequestPayloadV1"];
+export type MailboxBrowserApprovalDecisionBindingV1 = components["schemas"]["MailboxBrowserApprovalDecisionBindingV1"];
+export type MailboxBrowserApprovalResponsePayloadV1 = components["schemas"]["MailboxBrowserApprovalResponsePayloadV1"];
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,YAAY,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE/D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,MAAM,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;AAC3E,MAAM,MAAM,mBAAmB,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,CAAC;AAC/E,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,gCAAgC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,kCAAkC,CAAC,CAAC;AACzG,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,mCAAmC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,qCAAqC,CAAC,CAAC;AAC/G,MAAM,MAAM,oCAAoC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;AACjH,MAAM,MAAM,oCAAoC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;AACjH,MAAM,MAAM,oCAAoC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;AACjH,MAAM,MAAM,6BAA6B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,+BAA+B,CAAC,CAAC;AACnG,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,YAAY,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE/D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,MAAM,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;AAC3E,MAAM,MAAM,mBAAmB,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,qBAAqB,CAAC,CAAC;AAC/E,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,gCAAgC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,kCAAkC,CAAC,CAAC;AACzG,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,iCAAiC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;AAC3G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,kCAAkC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;AAC7G,MAAM,MAAM,mCAAmC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,qCAAqC,CAAC,CAAC;AAC/G,MAAM,MAAM,oCAAoC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;AACjH,MAAM,MAAM,oCAAoC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;AACjH,MAAM,MAAM,oCAAoC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;AACjH,MAAM,MAAM,6BAA6B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,+BAA+B,CAAC,CAAC;AACnG,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,+BAA+B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;AACvG,MAAM,MAAM,8BAA8B,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;AACrG,MAAM,MAAM,oCAAoC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;AACjH,MAAM,MAAM,mCAAmC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,qCAAqC,CAAC,CAAC;AAC/G,MAAM,MAAM,sCAAsC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,wCAAwC,CAAC,CAAC;AACrH,MAAM,MAAM,uCAAuC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,yCAAyC,CAAC,CAAC;AACvH,MAAM,MAAM,uCAAuC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,yCAAyC,CAAC,CAAC"}

package/dist/schema.d.ts

@@ -42,7 +42,7 @@ export interface components {
          * @example ssh_sign
          * @enum {string}
          */
-        MailboxEnvelopeType: "link_request" | "link_approval" | "link_rejection" | "captcha_request" | "captcha_response" | "ssh_auth" | "ssh_sign" | "gpg_sign" | "gpg_decrypt" | "age_unwrap" | "pkcs11_sign" | "pkcs11_derive" | "enroll";
+        MailboxEnvelopeType: "link_request" | "link_approval" | "link_rejection" | "captcha_request" | "captcha_response" | "ssh_auth" | "ssh_sign" | "gpg_sign" | "gpg_decrypt" | "age_unwrap" | "pkcs11_sign" | "pkcs11_derive" | "enroll" | "browser_approval_request" | "browser_approval_response";
         /**
          * ApprovalChallenge
          * @description Canonical Longfellow / attested-key-zk approval challenge. Producer sends this inside the request payload; the approver binds it into the approval proof returned in the response payload.
@@ -305,7 +305,7 @@ export interface components {
         MailboxSshAuthResponsePayloadV1: components["schemas"]["MailboxSshAuthResponseSuccessV1"] | components["schemas"]["MailboxSshAuthResponseFailureV1"];
         /**
          * MailboxSshAuthResponseSuccessV1
-         * @description Success branch of `MailboxSshAuthResponsePayloadV1`.
+         * @description Success branch of `MailboxSshAuthResponsePayloadV1`. Carries the raw SSH signature plus the per-signature SK assertion flags byte and monotonic counter the signer's secure element returned for this signing operation; all three are required so the requester can rebuild the OpenSSH SK signature preimage (`SHA256(application) || flags || counter || SHA256(data)`) and verify against the enrolled credential public key.
          */
         MailboxSshAuthResponseSuccessV1: {
             /**
@@ -313,6 +313,17 @@ export interface components {
              * @description RFC 4648 standard base64 with `=` padding for the raw SSH signature blob (no SSH-wire framing).
              */
             signature: string;
+            /**
+             * @description Per-signature SK assertion flags byte the signer's secure element actually asserted with. Approvers MUST either (a) assert with at least the bits the request `flags` byte asked for (UP=0x01, UV=0x04) and return the resulting byte here, or (b) return a `MailboxSshAuthResponseFailureV1` / `MailboxSshSignResponseFailureV1` with the appropriate signing error code. Approvers MUST NOT return a success response whose asserted flags byte clears bits the requester set; that would silently downgrade the security posture (e.g. UV-required → UP-only) below what the request agreed to. Receivers MUST embed this asserted byte at the `flags` position of the OpenSSH SK signature preimage; verification fails if the request `flags` byte is used instead. Receivers SHOULD additionally verify that every bit set in the request `flags` byte is also set here as belt-and-suspenders defence against a misbehaving approver.
+             * @example 1
+             */
+            flags: number;
+            /**
+             * Format: int64
+             * @description Monotonic counter (u32) the signer's secure element returned for this SK signing operation. Receivers MUST embed this in the OpenSSH SK signature preimage at the position between `flags` and `SHA256(data)` as a 4-byte big-endian unsigned integer. Successive signatures from the same key handle MUST have strictly increasing counter values. The schema declares `format: int64` so 32-bit Go targets can still represent the full u32 range without overflow.
+             * @example 1
+             */
+            counter: number;
             approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
         };
         /**
@@ -368,7 +379,7 @@ export interface components {
         MailboxSshSignResponsePayloadV1: components["schemas"]["MailboxSshSignResponseSuccessV1"] | components["schemas"]["MailboxSshSignResponseFailureV1"];
         /**
          * MailboxSshSignResponseSuccessV1
-         * @description Success branch of `MailboxSshSignResponsePayloadV1`.
+         * @description Success branch of `MailboxSshSignResponsePayloadV1`. Carries the raw SSH signature plus the per-signature SK assertion flags byte and monotonic counter the signer's secure element returned for this signing operation; all three are required so the requester can rebuild the OpenSSH SK signature preimage (`SHA256(application) || flags || counter || SHA256(data)`) and verify against the enrolled credential public key.
          */
         MailboxSshSignResponseSuccessV1: {
             /**
@@ -376,6 +387,17 @@ export interface components {
              * @description RFC 4648 standard base64 with `=` padding for the raw SSH signature blob (no SSH-wire framing).
              */
             signature: string;
+            /**
+             * @description Per-signature SK assertion flags byte the signer's secure element actually asserted with. Approvers MUST either (a) assert with at least the bits the request `flags` byte asked for (UP=0x01, UV=0x04) and return the resulting byte here, or (b) return a `MailboxSshAuthResponseFailureV1` / `MailboxSshSignResponseFailureV1` with the appropriate signing error code. Approvers MUST NOT return a success response whose asserted flags byte clears bits the requester set; that would silently downgrade the security posture (e.g. UV-required → UP-only) below what the request agreed to. Receivers MUST embed this asserted byte at the `flags` position of the OpenSSH SK signature preimage; verification fails if the request `flags` byte is used instead. Receivers SHOULD additionally verify that every bit set in the request `flags` byte is also set here as belt-and-suspenders defence against a misbehaving approver.
+             * @example 1
+             */
+            flags: number;
+            /**
+             * Format: int64
+             * @description Monotonic counter (u32) the signer's secure element returned for this SK signing operation. Receivers MUST embed this in the OpenSSH SK signature preimage at the position between `flags` and `SHA256(data)` as a 4-byte big-endian unsigned integer. Successive signatures from the same key handle MUST have strictly increasing counter values. The schema declares `format: int64` so 32-bit Go targets can still represent the full u32 range without overflow.
+             * @example 1
+             */
+            counter: number;
             approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
         };
         /**
@@ -778,6 +800,11 @@ export interface components {
             encryption_public_key_hex?: string;
             /** @description 40-character hex fingerprint of the ECDH encryption subkey. */
             encryption_fingerprint?: string;
+            /**
+             * @description Per-credential SSH-SK flags byte the approver baked into a newly enrolled SSH security-key credential. **MUST be present when `purpose` is the SSH signing purpose; absent for all other key purposes.** (The schema cannot express that conditional requirement directly because `MailboxEnrollResponseApprovedV1` is a single monolithic shape with per-type-optional fields like `fingerprint` / `encryption_public_key_hex`; requesters MUST reject SSH-purpose approved responses that omit this field.) The requester MUST persist this byte alongside the credential public key and use it as the request `flags` input on every subsequent `ssh_auth` / `ssh_sign` call. The approver echoes the actual per-signature assertion flags byte back in the success response (see `MailboxSshAuthResponseSuccessV1.flags`); that asserted byte (which MAY differ from this enrollment flags byte when, e.g., the SK could not deliver user verification) is what the requester MUST embed into the OpenSSH SK signature preimage `SHA256(application) || flags || counter || SHA256(data)`. Bit `0x01` is "user presence required" and `0x04` is "user verification required" per the OpenSSH SK protocol.
+             * @example 1
+             */
+            ssh_sk_flags?: number;
             attestation?: components["schemas"]["KeyMetadataAttestation"];
             approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
         };
@@ -798,6 +825,219 @@ export interface components {
              */
             error_message?: string;
         };
+        /**
+         * MailboxBrowserApprovalDecision
+         * @description Mobile user's signed approval decision.
+         * @example approved
+         * @enum {string}
+         */
+        MailboxBrowserApprovalDecision: "approved" | "denied";
+        /**
+         * MailboxBrowserApprovalResponseStatus
+         * @description Response lifecycle status. The signed `decision` carries the approval outcome.
+         * @example decided
+         * @enum {string}
+         */
+        MailboxBrowserApprovalResponseStatus: "decided";
+        /**
+         * MailboxBrowserApprovalBindingFormat
+         * @description Canonical byte format signed by the mobile approval key.
+         * @example browser-approval-decision-binding/v1+json
+         * @enum {string}
+         */
+        MailboxBrowserApprovalBindingFormat: "browser-approval-decision-binding/v1+json";
+        /**
+         * MailboxBrowserApprovalRequestPayloadV1
+         * @description Request payload for the `browser_approval_request` envelope type. A service requester sends this to the paired mobile device when a browser key needs approval for a generic capability.
+         */
+        MailboxBrowserApprovalRequestPayloadV1: {
+            /**
+             * @description Opaque service-scoped approval id.
+             * @example appr_2af7b1fb2b5b4b5b8c7e9a0d
+             */
+            approval_id: string;
+            /**
+             * @description Human-readable browser/device label shown to the mobile user.
+             * @example Chrome on MacBook Pro
+             */
+            browser_display_name: string;
+            /**
+             * @description Best-effort browser platform hint shown to the mobile user.
+             * @example macOS
+             */
+            browser_platform: string;
+            /** @description Optional user-agent hint for display and diagnostics. */
+            browser_user_agent?: string;
+            /**
+             * @description Browser public key algorithm identifier, e.g. `ES256` or `Ed25519`.
+             * @example ES256
+             */
+            browser_public_key_algorithm: string;
+            /**
+             * @description Thumbprint of the browser public key being approved. Producers SHOULD use `sha256:<base64url-no-padding>` for JWK thumbprints.
+             * @example sha256:8uLz73VtBwmU5O_Jr3r2StpLrNxW41Oq9p6FwR2C7xA
+             */
+            browser_public_key_thumbprint: string;
+            /**
+             * @description Generic capability requested by the service.
+             * @example captcha.browser_credential
+             */
+            requested_capability: string;
+            /**
+             * @description Service/requester client id that created the approval request.
+             * @example captcha-service
+             */
+            requester_client_id: string;
+            /**
+             * @description Human-readable requester name shown to the mobile user.
+             * @example NaughtBot Captcha
+             */
+            requester_display_name: string;
+            /**
+             * @description Origin of the requester that will receive/use the browser credential.
+             * @example https://captcha.naughtbot.com
+             */
+            requester_origin: string;
+            /**
+             * @description Opaque nonce bound into the mobile-signed decision.
+             * @example m4H2YxTjueEXAMPLE
+             */
+            nonce: string;
+            /**
+             * @description RFC 3339 UTC timestamp with canonical `Z` suffix.
+             * @example 2026-05-14T19:30:00Z
+             */
+            issued_at: string;
+            /**
+             * @description RFC 3339 UTC timestamp after which the request is invalid.
+             * @example 2026-05-14T19:35:00Z
+             */
+            expires_at: string;
+        };
+        /**
+         * MailboxBrowserApprovalDecisionBindingV1
+         * @description Canonical JSON object whose UTF-8 bytes are signed by the mobile approval key. Producers encode these fields in lexicographic property order with no insignificant whitespace and place the resulting bytes in `MailboxBrowserApprovalResponsePayloadV1.approval_binding_bytes`.
+         */
+        MailboxBrowserApprovalDecisionBindingV1: {
+            /**
+             * @description Approval id copied from the request payload.
+             * @example appr_2af7b1fb2b5b4b5b8c7e9a0d
+             */
+            approval_id: string;
+            /**
+             * @description Browser public key algorithm copied from the request payload.
+             * @example ES256
+             */
+            browser_public_key_algorithm: string;
+            /**
+             * @description Browser public key thumbprint copied from the request payload.
+             * @example sha256:8uLz73VtBwmU5O_Jr3r2StpLrNxW41Oq9p6FwR2C7xA
+             */
+            browser_public_key_thumbprint: string;
+            /**
+             * @description RFC 3339 UTC timestamp of the mobile decision.
+             * @example 2026-05-14T19:31:00Z
+             */
+            decided_at: string;
+            decision: components["schemas"]["MailboxBrowserApprovalDecision"];
+            /**
+             * @description Request expiry copied from the request payload.
+             * @example 2026-05-14T19:35:00Z
+             */
+            expires_at: string;
+            /**
+             * @description Nonce copied from the request payload.
+             * @example m4H2YxTjueEXAMPLE
+             */
+            nonce: string;
+            /**
+             * @description SHA-256 hash of the service-mobile pairing transcript.
+             * @example sha256:6f5902ac237024bdd0c176cb93063dc4f1e01e1191450b5f8f457c56f48e1f4f
+             */
+            pairing_transcript_hash: string;
+            /**
+             * Format: uuid
+             * @description Envelope id of the browser approval request being answered.
+             * @example 11111111-2222-4333-8444-555555555555
+             */
+            request_envelope_id: string;
+            /**
+             * @description Envelope `issued_at` timestamp of the request being answered.
+             * @example 2026-05-14T19:30:00Z
+             */
+            request_envelope_issued_at: string;
+            /**
+             * @description Envelope type of the request being answered.
+             * @example browser_approval_request
+             * @enum {string}
+             */
+            request_envelope_type: "browser_approval_request";
+            /**
+             * @description Requested capability copied from the request payload.
+             * @example captcha.browser_credential
+             */
+            requested_capability: string;
+            /**
+             * @description Requester client id copied from the request payload.
+             * @example captcha-service
+             */
+            requester_client_id: string;
+            /**
+             * @description Requester origin copied from the request payload.
+             * @example https://captcha.naughtbot.com
+             */
+            requester_origin: string;
+            /**
+             * @description Stable id for the service-mobile E2EE mailbox pairing.
+             * @example pair_9d58fb4c6ff84f46
+             */
+            service_mobile_pairing_id: string;
+            /**
+             * @description Canonical decision binding schema version.
+             * @enum {string}
+             */
+            version: "browser-approval-decision-binding/v1";
+        };
+        /**
+         * MailboxBrowserApprovalResponsePayloadV1
+         * @description Response payload for the `browser_approval_response` envelope type. The response carries the mobile decision plus the exact canonical bytes and signature over `MailboxBrowserApprovalDecisionBindingV1`.
+         */
+        MailboxBrowserApprovalResponsePayloadV1: {
+            /**
+             * Format: byte
+             * @description RFC 4648 standard base64 with `=` padding for the canonical `MailboxBrowserApprovalDecisionBindingV1` UTF-8 JSON bytes.
+             */
+            approval_binding_bytes: string;
+            approval_binding_format: components["schemas"]["MailboxBrowserApprovalBindingFormat"];
+            /**
+             * @description Approval id copied from the request payload.
+             * @example appr_2af7b1fb2b5b4b5b8c7e9a0d
+             */
+            approval_id: string;
+            /**
+             * Format: byte
+             * @description RFC 4648 standard base64 with `=` padding for the signature over `approval_binding_bytes`.
+             */
+            approval_signature: string;
+            /**
+             * @description RFC 3339 UTC timestamp of the mobile decision.
+             * @example 2026-05-14T19:31:00Z
+             */
+            decided_at: string;
+            decision: components["schemas"]["MailboxBrowserApprovalDecision"];
+            /**
+             * Format: uuid
+             * @description Envelope id of the browser approval request being answered.
+             * @example 11111111-2222-4333-8444-555555555555
+             */
+            request_envelope_id: string;
+            /**
+             * @description Mobile signing key id that produced `approval_signature`.
+             * @example mobile-key-browser-approval-1
+             */
+            signing_key_id: string;
+            status: components["schemas"]["MailboxBrowserApprovalResponseStatus"];
+        };
     };
     responses: never;
     parameters: never;

package/dist/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC1C,MAAM,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC7C,MAAM,WAAW,UAAU;IACvB,OAAO,EAAE;QACL;;;WAGG;QACH,iBAAiB,EAAE;YACf;;;eAGG;YACH,CAAC,EAAE,CAAC,CAAC;YACL;;;eAGG;YACH,IAAI,EAAE,MAAM,CAAC;YACb;;;eAGG;YACH,EAAE,EAAE,MAAM,CAAC;YACX;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,mPAAmP;YACnP,OAAO,EAAE;gBACL,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;aAC1B,CAAC;SACL,CAAC;QACF;;;;;WAKG;QACH,mBAAmB,EAAE,cAAc,GAAG,eAAe,GAAG,gBAAgB,GAAG,iBAAiB,GAAG,kBAAkB,GAAG,UAAU,GAAG,UAAU,GAAG,UAAU,GAAG,aAAa,GAAG,YAAY,GAAG,aAAa,GAAG,eAAe,GAAG,QAAQ,CAAC;QACrO;;;WAGG;QACH,iBAAiB,EAAE;YACf;;;eAGG;YACH,OAAO,EAAE,uBAAuB,CAAC;YACjC,uFAAuF;YACvF,KAAK,EAAE,MAAM,CAAC;YACd,oEAAoE;YACpE,UAAU,EAAE,MAAM,CAAC;YACnB,0FAA0F;YAC1F,cAAc,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,sBAAsB,EAAE;YACpB,0HAA0H;YAC1H,qBAAqB,EAAE,MAAM,CAAC;YAC9B,oFAAoF;YACpF,eAAe,EAAE,MAAM,CAAC;YACxB;;;eAGG;YACH,cAAc,EAAE,MAAM,CAAC;YACvB;;;eAGG;YACH,GAAG,EAAE,MAAM,CAAC;YACZ,oFAAoF;YACpF,mBAAmB,EAAE,MAAM,CAAC;YAC5B,uFAAuF;YACvF,iBAAiB,EAAE,MAAM,CAAC;YAC1B,gGAAgG;YAChG,iBAAiB,EAAE,MAAM,CAAC;SAC7B,CAAC;QACF;;;WAGG;QACH,qBAAqB,EAAE;YACnB;;;eAGG;YACH,OAAO,EAAE,yBAAyB,CAAC;YACnC;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;SACrB,CAAC;QACF;;;WAGG;QACH,wBAAwB,EAAE;YACtB;;;eAGG;YACH,OAAO,EAAE,gCAAgC,CAAC;YAC1C,SAAS,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YACtD,SAAS,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,wBAAwB,CAAC,CAAC;YAC3D,WAAW,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,uBAAuB,CAAC,CAAC;YAC5D;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;SACjB,CAAC;QACF;;;;WAIG;QACH,uBAAuB,EAAE,oBAAoB,GAAG,aAAa,GAAG,mBAAmB,GAAG,UAAU,GAAG,gBAAgB,CAAC;QACpH;;;WAGG;QACH,sBAAsB,EAAE;YACpB,6JAA6J;YAC7J,cAAc,EAAE,MAAM,CAAC;YACvB;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,gBAAgB,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,yBAAyB,CAAC,CAAC;YACnE;;;eAGG;YACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;YAC5B;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;eAGG;YACH,qBAAqB,EAAE,MAAM,CAAC;YAC9B,qHAAqH;YACrH,0BAA0B,CAAC,EAAE,MAAM,CAAC;SACvC,CAAC;QACF;;;;;WAKG;QACH,gBAAgB,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxC;;;;;WAKG;QACH,UAAU,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;QAClC;;;WAGG;QACH,YAAY,EAAE;YACV;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;eAGG;YACH,SAAS,CAAC,EAAE,OAAO,CAAC;YACpB;;;eAGG;YACH,UAAU,CAAC,EAAE,OAAO,CAAC;YACrB;;;eAGG;YACH,SAAS,CAAC,EAAE,OAAO,CAAC;YACpB;;;eAGG;YACH,SAAS,CAAC,EAAE,OAAO,CAAC;YACpB,6DAA6D;YAC7D,IAAI,CAAC,EAAE,MAAM,CAAC;SACjB,CAAC;QACF;;;WAGG;QACH,aAAa,EAAE;YACX;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd,4DAA4D;YAC5D,aAAa,CAAC,EAAE,MAAM,CAAC;YACvB,qDAAqD;YACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,uCAAuC;YACvC,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC;SACnD,CAAC;QACF;;;WAGG;QACH,YAAY,EAAE;YACV;;;eAGG;YACH,GAAG,EAAE,MAAM,CAAC;YACZ,iDAAiD;YACjD,QAAQ,EAAE,MAAM,CAAC;YACjB,gDAAgD;YAChD,OAAO,EAAE,MAAM,CAAC;SACnB,CAAC;QACF;;;WAGG;QACH,UAAU,EAAE;YACR,4CAA4C;YAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,6CAA6C;YAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,wDAAwD;YACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,wDAAwD;YACxD,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,0EAA0E;YAC1E,aAAa,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC;SAC3D,CAAC;QACF;;;WAGG;QACH,8BAA8B,EAAE;YAC5B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB;;;eAGG;YACH,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB;;;eAGG;YACH,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB;;;;;eAKG;YACH,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,2IAA2I;YAC3I,aAAa,EAAE,MAAM,CAAC;YACtB,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;QACrJ;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE;YAC7B,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,8BAA8B,EAAE;YAC5B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB;;;eAGG;YACH,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB;;;eAGG;YACH,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB;;;;;eAKG;YACH,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,2IAA2I;YAC3I,aAAa,EAAE,MAAM,CAAC;YACtB,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;QACrJ;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE;YAC7B,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,8BAA8B,EAAE;YAC5B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB;;;eAGG;YACH,aAAa,EAAE,MAAM,CAAC;YACtB,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;QACrJ;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,iBAAiB,EAAE,MAAM,CAAC;YAC1B,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE;YAC7B,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,iCAAiC,EAAE;YAC/B;;;;eAIG;YACH,cAAc,EAAE,MAAM,CAAC;YACvB,KAAK,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,CAAC;YAC1C;;;eAGG;YACH,aAAa,EAAE,MAAM,CAAC;YACtB,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,kCAAkC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;QAC9J;;;WAGG;QACH,kCAAkC,EAAE;YAChC;;;;eAIG;YACH,WAAW,EAAE,MAAM,CAAC;YACpB;;;;eAIG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,kCAAkC,EAAE;YAChC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,SAAS,EAAE;YACP;;;;eAIG;YACH,OAAO,EAAE,MAAM,CAAC;YAChB;;;;eAIG;YACH,MAAM,EAAE,MAAM,CAAC;YACf;;;;eAIG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;;eAIG;YACH,eAAe,EAAE,MAAM,CAAC;YACxB;;;;eAIG;YACH,WAAW,EAAE,MAAM,CAAC;SACvB,CAAC;QACF;;;WAGG;QACH,gCAAgC,EAAE;YAC9B;;;eAGG;YACH,oBAAoB,EAAE,MAAM,CAAC;YAC7B;;;;eAIG;YACH,gBAAgB,EAAE,MAAM,CAAC;YACzB;;;eAGG;YACH,oBAAoB,EAAE,MAAM,CAAC;YAC7B,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,iCAAiC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;QAC3J;;;WAGG;QACH,iCAAiC,EAAE;YAC/B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,iCAAiC,EAAE;YAC/B,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,iCAAiC,EAAE;YAC/B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB,6GAA6G;YAC7G,aAAa,EAAE,MAAM,CAAC;YACtB,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,kCAAkC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;QAC9J;;;WAGG;QACH,kCAAkC,EAAE;YAChC;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,kCAAkC,EAAE;YAChC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,mCAAmC,EAAE;YACjC;;;eAGG;YACH,eAAe,EAAE,MAAM,CAAC;YACxB,0GAA0G;YAC1G,aAAa,EAAE,MAAM,CAAC;YACtB,GAAG,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,uBAAuB,CAAC,CAAC;YACrD,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,oCAAoC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;QACpK;;;WAGG;QACH,oCAAoC,EAAE;YAClC;;;;eAIG;YACH,aAAa,EAAE,MAAM,CAAC;YACtB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,oCAAoC,EAAE;YAClC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,qBAAqB,EAAE;YACnB;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;;eAIG;YACH,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB;;;eAGG;YACH,IAAI,CAAC,EAAE,MAAM,CAAC;SACjB,CAAC;QACF;;;WAGG;QACH,6BAA6B,EAAE;YAC3B,OAAO,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;YAC7C;;;eAGG;YACH,KAAK,CAAC,EAAE,MAAM,CAAC;YACf;;;eAGG;YACH,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB;;;eAGG;YACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;YAChC,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,8BAA8B,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;QACpJ;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,MAAM,EAAE,UAAU,CAAC;YACnB;;;eAGG;YACH,EAAE,EAAE,MAAM,CAAC;YACX,6IAA6I;YAC7I,cAAc,EAAE,MAAM,CAAC;YACvB,qJAAqJ;YACrJ,aAAa,EAAE,MAAM,CAAC;YACtB;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,gEAAgE;YAChE,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB;;;;eAIG;YACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;YAChC;;;eAGG;YACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;YAC3B;;;eAGG;YACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;YAC1B,4HAA4H;YAC5H,yBAAyB,CAAC,EAAE,MAAM,CAAC;YACnC,+EAA+E;YAC/E,sBAAsB,CAAC,EAAE,MAAM,CAAC;YAChC,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,wBAAwB,CAAC,CAAC;YAC9D,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,MAAM,EAAE,UAAU,CAAC;YACnB,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;KACL,CAAC;IACF,SAAS,EAAE,KAAK,CAAC;IACjB,UAAU,EAAE,KAAK,CAAC;IAClB,aAAa,EAAE,KAAK,CAAC;IACrB,OAAO,EAAE,KAAK,CAAC;IACf,SAAS,EAAE,KAAK,CAAC;CACpB;AACD,MAAM,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC1C,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC"}
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC1C,MAAM,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC7C,MAAM,WAAW,UAAU;IACvB,OAAO,EAAE;QACL;;;WAGG;QACH,iBAAiB,EAAE;YACf;;;eAGG;YACH,CAAC,EAAE,CAAC,CAAC;YACL;;;eAGG;YACH,IAAI,EAAE,MAAM,CAAC;YACb;;;eAGG;YACH,EAAE,EAAE,MAAM,CAAC;YACX;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,mPAAmP;YACnP,OAAO,EAAE;gBACL,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;aAC1B,CAAC;SACL,CAAC;QACF;;;;;WAKG;QACH,mBAAmB,EAAE,cAAc,GAAG,eAAe,GAAG,gBAAgB,GAAG,iBAAiB,GAAG,kBAAkB,GAAG,UAAU,GAAG,UAAU,GAAG,UAAU,GAAG,aAAa,GAAG,YAAY,GAAG,aAAa,GAAG,eAAe,GAAG,QAAQ,GAAG,0BAA0B,GAAG,2BAA2B,CAAC;QAChS;;;WAGG;QACH,iBAAiB,EAAE;YACf;;;eAGG;YACH,OAAO,EAAE,uBAAuB,CAAC;YACjC,uFAAuF;YACvF,KAAK,EAAE,MAAM,CAAC;YACd,oEAAoE;YACpE,UAAU,EAAE,MAAM,CAAC;YACnB,0FAA0F;YAC1F,cAAc,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,sBAAsB,EAAE;YACpB,0HAA0H;YAC1H,qBAAqB,EAAE,MAAM,CAAC;YAC9B,oFAAoF;YACpF,eAAe,EAAE,MAAM,CAAC;YACxB;;;eAGG;YACH,cAAc,EAAE,MAAM,CAAC;YACvB;;;eAGG;YACH,GAAG,EAAE,MAAM,CAAC;YACZ,oFAAoF;YACpF,mBAAmB,EAAE,MAAM,CAAC;YAC5B,uFAAuF;YACvF,iBAAiB,EAAE,MAAM,CAAC;YAC1B,gGAAgG;YAChG,iBAAiB,EAAE,MAAM,CAAC;SAC7B,CAAC;QACF;;;WAGG;QACH,qBAAqB,EAAE;YACnB;;;eAGG;YACH,OAAO,EAAE,yBAAyB,CAAC;YACnC;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;SACrB,CAAC;QACF;;;WAGG;QACH,wBAAwB,EAAE;YACtB;;;eAGG;YACH,OAAO,EAAE,gCAAgC,CAAC;YAC1C,SAAS,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YACtD,SAAS,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,wBAAwB,CAAC,CAAC;YAC3D,WAAW,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,uBAAuB,CAAC,CAAC;YAC5D;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;SACjB,CAAC;QACF;;;;WAIG;QACH,uBAAuB,EAAE,oBAAoB,GAAG,aAAa,GAAG,mBAAmB,GAAG,UAAU,GAAG,gBAAgB,CAAC;QACpH;;;WAGG;QACH,sBAAsB,EAAE;YACpB,6JAA6J;YAC7J,cAAc,EAAE,MAAM,CAAC;YACvB;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,gBAAgB,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,yBAAyB,CAAC,CAAC;YACnE;;;eAGG;YACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;YAC5B;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;eAGG;YACH,qBAAqB,EAAE,MAAM,CAAC;YAC9B,qHAAqH;YACrH,0BAA0B,CAAC,EAAE,MAAM,CAAC;SACvC,CAAC;QACF;;;;;WAKG;QACH,gBAAgB,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxC;;;;;WAKG;QACH,UAAU,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;QAClC;;;WAGG;QACH,YAAY,EAAE;YACV;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;eAGG;YACH,SAAS,CAAC,EAAE,OAAO,CAAC;YACpB;;;eAGG;YACH,UAAU,CAAC,EAAE,OAAO,CAAC;YACrB;;;eAGG;YACH,SAAS,CAAC,EAAE,OAAO,CAAC;YACpB;;;eAGG;YACH,SAAS,CAAC,EAAE,OAAO,CAAC;YACpB,6DAA6D;YAC7D,IAAI,CAAC,EAAE,MAAM,CAAC;SACjB,CAAC;QACF;;;WAGG;QACH,aAAa,EAAE;YACX;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd,4DAA4D;YAC5D,aAAa,CAAC,EAAE,MAAM,CAAC;YACvB,qDAAqD;YACrD,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,uCAAuC;YACvC,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC;SACnD,CAAC;QACF;;;WAGG;QACH,YAAY,EAAE;YACV;;;eAGG;YACH,GAAG,EAAE,MAAM,CAAC;YACZ,iDAAiD;YACjD,QAAQ,EAAE,MAAM,CAAC;YACjB,gDAAgD;YAChD,OAAO,EAAE,MAAM,CAAC;SACnB,CAAC;QACF;;;WAGG;QACH,UAAU,EAAE;YACR,4CAA4C;YAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,6CAA6C;YAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,wDAAwD;YACxD,QAAQ,CAAC,EAAE,MAAM,CAAC;YAClB,wDAAwD;YACxD,OAAO,CAAC,EAAE,MAAM,CAAC;YACjB,0EAA0E;YAC1E,aAAa,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC;SAC3D,CAAC;QACF;;;WAGG;QACH,8BAA8B,EAAE;YAC5B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB;;;eAGG;YACH,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB;;;eAGG;YACH,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB;;;;;eAKG;YACH,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,2IAA2I;YAC3I,aAAa,EAAE,MAAM,CAAC;YACtB,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;QACrJ;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;;eAIG;YACH,OAAO,EAAE,MAAM,CAAC;YAChB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE;YAC7B,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,8BAA8B,EAAE;YAC5B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB;;;eAGG;YACH,MAAM,CAAC,EAAE,MAAM,CAAC;YAChB;;;eAGG;YACH,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB;;;;;eAKG;YACH,KAAK,CAAC,EAAE,MAAM,CAAC;YACf,2IAA2I;YAC3I,aAAa,EAAE,MAAM,CAAC;YACtB,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;QACrJ;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;;eAIG;YACH,OAAO,EAAE,MAAM,CAAC;YAChB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE;YAC7B,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,8BAA8B,EAAE;YAC5B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB;;;eAGG;YACH,aAAa,EAAE,MAAM,CAAC;YACtB,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;QACrJ;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,iBAAiB,EAAE,MAAM,CAAC;YAC1B,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE;YAC7B,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,iCAAiC,EAAE;YAC/B;;;;eAIG;YACH,cAAc,EAAE,MAAM,CAAC;YACvB,KAAK,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,WAAW,CAAC,CAAC;YAC1C;;;eAGG;YACH,aAAa,EAAE,MAAM,CAAC;YACtB,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,kCAAkC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;QAC9J;;;WAGG;QACH,kCAAkC,EAAE;YAChC;;;;eAIG;YACH,WAAW,EAAE,MAAM,CAAC;YACpB;;;;eAIG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,kCAAkC,EAAE;YAChC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,SAAS,EAAE;YACP;;;;eAIG;YACH,OAAO,EAAE,MAAM,CAAC;YAChB;;;;eAIG;YACH,MAAM,EAAE,MAAM,CAAC;YACf;;;;eAIG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;;eAIG;YACH,eAAe,EAAE,MAAM,CAAC;YACxB;;;;eAIG;YACH,WAAW,EAAE,MAAM,CAAC;SACvB,CAAC;QACF;;;WAGG;QACH,gCAAgC,EAAE;YAC9B;;;eAGG;YACH,oBAAoB,EAAE,MAAM,CAAC;YAC7B;;;;eAIG;YACH,gBAAgB,EAAE,MAAM,CAAC;YACzB;;;eAGG;YACH,oBAAoB,EAAE,MAAM,CAAC;YAC7B,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,iCAAiC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,mCAAmC,CAAC,CAAC;QAC3J;;;WAGG;QACH,iCAAiC,EAAE;YAC/B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,iCAAiC,EAAE;YAC/B,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,iCAAiC,EAAE;YAC/B;;;;eAIG;YACH,QAAQ,EAAE,MAAM,CAAC;YACjB,6GAA6G;YAC7G,aAAa,EAAE,MAAM,CAAC;YACtB,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,kCAAkC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,oCAAoC,CAAC,CAAC;QAC9J;;;WAGG;QACH,kCAAkC,EAAE;YAChC;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,kCAAkC,EAAE;YAChC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,mCAAmC,EAAE;YACjC;;;eAGG;YACH,eAAe,EAAE,MAAM,CAAC;YACxB,0GAA0G;YAC1G,aAAa,EAAE,MAAM,CAAC;YACtB,GAAG,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,uBAAuB,CAAC,CAAC;YACrD,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,oCAAoC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;QACpK;;;WAGG;QACH,oCAAoC,EAAE;YAClC;;;;eAIG;YACH,aAAa,EAAE,MAAM,CAAC;YACtB,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,oCAAoC,EAAE;YAClC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;WAGG;QACH,qBAAqB,EAAE;YACnB;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;;eAIG;YACH,UAAU,CAAC,EAAE,MAAM,CAAC;YACpB;;;eAGG;YACH,IAAI,CAAC,EAAE,MAAM,CAAC;SACjB,CAAC;QACF;;;WAGG;QACH,6BAA6B,EAAE;YAC3B,OAAO,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;YAC7C;;;eAGG;YACH,KAAK,CAAC,EAAE,MAAM,CAAC;YACf;;;eAGG;YACH,SAAS,CAAC,EAAE,MAAM,CAAC;YACnB;;;eAGG;YACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;YAChC,kBAAkB,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,mBAAmB,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,eAAe,CAAC,CAAC;YACjD,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,YAAY,CAAC,CAAC;SACrD,CAAC;QACF;;;WAGG;QACH,8BAA8B,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,iCAAiC,CAAC,CAAC;QACpJ;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,MAAM,EAAE,UAAU,CAAC;YACnB;;;eAGG;YACH,EAAE,EAAE,MAAM,CAAC;YACX,6IAA6I;YAC7I,cAAc,EAAE,MAAM,CAAC;YACvB,qJAAqJ;YACrJ,aAAa,EAAE,MAAM,CAAC;YACtB;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB,gEAAgE;YAChE,WAAW,CAAC,EAAE,MAAM,CAAC;YACrB;;;;eAIG;YACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;YAChC;;;eAGG;YACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;YAC3B;;;eAGG;YACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;YAC1B,4HAA4H;YAC5H,yBAAyB,CAAC,EAAE,MAAM,CAAC;YACnC,+EAA+E;YAC/E,sBAAsB,CAAC,EAAE,MAAM,CAAC;YAChC;;;eAGG;YACH,YAAY,CAAC,EAAE,MAAM,CAAC;YACtB,WAAW,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,wBAAwB,CAAC,CAAC;YAC9D,cAAc,CAAC,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,0BAA0B,CAAC,CAAC;SACtE,CAAC;QACF;;;WAGG;QACH,+BAA+B,EAAE;YAC7B;;;eAGG;YACH,MAAM,EAAE,UAAU,CAAC;YACnB,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,kBAAkB,CAAC,CAAC;YACtD;;;eAGG;YACH,aAAa,CAAC,EAAE,MAAM,CAAC;SAC1B,CAAC;QACF;;;;;WAKG;QACH,8BAA8B,EAAE,UAAU,GAAG,QAAQ,CAAC;QACtD;;;;;WAKG;QACH,oCAAoC,EAAE,SAAS,CAAC;QAChD;;;;;WAKG;QACH,mCAAmC,EAAE,2CAA2C,CAAC;QACjF;;;WAGG;QACH,sCAAsC,EAAE;YACpC;;;eAGG;YACH,WAAW,EAAE,MAAM,CAAC;YACpB;;;eAGG;YACH,oBAAoB,EAAE,MAAM,CAAC;YAC7B;;;eAGG;YACH,gBAAgB,EAAE,MAAM,CAAC;YACzB,yEAAyE;YACzE,kBAAkB,CAAC,EAAE,MAAM,CAAC;YAC5B;;;eAGG;YACH,4BAA4B,EAAE,MAAM,CAAC;YACrC;;;eAGG;YACH,6BAA6B,EAAE,MAAM,CAAC;YACtC;;;eAGG;YACH,oBAAoB,EAAE,MAAM,CAAC;YAC7B;;;eAGG;YACH,mBAAmB,EAAE,MAAM,CAAC;YAC5B;;;eAGG;YACH,sBAAsB,EAAE,MAAM,CAAC;YAC/B;;;eAGG;YACH,gBAAgB,EAAE,MAAM,CAAC;YACzB;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;eAGG;YACH,SAAS,EAAE,MAAM,CAAC;YAClB;;;eAGG;YACH,UAAU,EAAE,MAAM,CAAC;SACtB,CAAC;QACF;;;WAGG;QACH,uCAAuC,EAAE;YACrC;;;eAGG;YACH,WAAW,EAAE,MAAM,CAAC;YACpB;;;eAGG;YACH,4BAA4B,EAAE,MAAM,CAAC;YACrC;;;eAGG;YACH,6BAA6B,EAAE,MAAM,CAAC;YACtC;;;eAGG;YACH,UAAU,EAAE,MAAM,CAAC;YACnB,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;YAClE;;;eAGG;YACH,UAAU,EAAE,MAAM,CAAC;YACnB;;;eAGG;YACH,KAAK,EAAE,MAAM,CAAC;YACd;;;eAGG;YACH,uBAAuB,EAAE,MAAM,CAAC;YAChC;;;;eAIG;YACH,mBAAmB,EAAE,MAAM,CAAC;YAC5B;;;eAGG;YACH,0BAA0B,EAAE,MAAM,CAAC;YACnC;;;;eAIG;YACH,qBAAqB,EAAE,0BAA0B,CAAC;YAClD;;;eAGG;YACH,oBAAoB,EAAE,MAAM,CAAC;YAC7B;;;eAGG;YACH,mBAAmB,EAAE,MAAM,CAAC;YAC5B;;;eAGG;YACH,gBAAgB,EAAE,MAAM,CAAC;YACzB;;;eAGG;YACH,yBAAyB,EAAE,MAAM,CAAC;YAClC;;;eAGG;YACH,OAAO,EAAE,sCAAsC,CAAC;SACnD,CAAC;QACF;;;WAGG;QACH,uCAAuC,EAAE;YACrC;;;eAGG;YACH,sBAAsB,EAAE,MAAM,CAAC;YAC/B,uBAAuB,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,qCAAqC,CAAC,CAAC;YACtF;;;eAGG;YACH,WAAW,EAAE,MAAM,CAAC;YACpB;;;eAGG;YACH,kBAAkB,EAAE,MAAM,CAAC;YAC3B;;;eAGG;YACH,UAAU,EAAE,MAAM,CAAC;YACnB,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,gCAAgC,CAAC,CAAC;YAClE;;;;eAIG;YACH,mBAAmB,EAAE,MAAM,CAAC;YAC5B;;;eAGG;YACH,cAAc,EAAE,MAAM,CAAC;YACvB,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,sCAAsC,CAAC,CAAC;SACzE,CAAC;KACL,CAAC;IACF,SAAS,EAAE,KAAK,CAAC;IACjB,UAAU,EAAE,KAAK,CAAC;IAClB,aAAa,EAAE,KAAK,CAAC;IACrB,OAAO,EAAE,KAAK,CAAC;IACf,SAAS,EAAE,KAAK,CAAC;CACpB;AACD,MAAM,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AAC1C,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naughtbot/e2ee-payloads",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "Generated TypeScript types for the NaughtBot mailbox envelope and per-type payload schemas.",
   "type": "module",
   "license": "MIT",

package/src/index.test.ts

@@ -6,13 +6,21 @@ import { describe, it } from "node:test";
 
 import type {
   MailboxAgeUnwrapRequestPayloadV1,
+  MailboxBrowserApprovalDecisionBindingV1,
+  MailboxBrowserApprovalResponsePayloadV1,
+  MailboxEnrollResponseApprovedV1,
   MailboxEnrollResponsePayloadV1,
   MailboxEnvelopeV1,
   MailboxGpgDecryptResponseSuccessV1,
+  MailboxSshAuthResponseSuccessV1,
   MailboxSshSignRequestPayloadV1,
   MailboxSshSignResponsePayloadV1,
+  MailboxSshSignResponseSuccessV1,
 } from "./index.ts";
 
+const browserApprovalDecisionBindingFixtureJSON =
+  '{"approval_id":"appr_browser_approval_fixture","browser_public_key_algorithm":"ES256","browser_public_key_thumbprint":"sha256:8uLz73VtBwmU5O_Jr3r2StpLrNxW41Oq9p6FwR2C7xA","decided_at":"2026-05-14T19:31:00Z","decision":"approved","expires_at":"2026-05-14T19:35:00Z","nonce":"m4H2YxTjueEXAMPLE","pairing_transcript_hash":"sha256:6f5902ac237024bdd0c176cb93063dc4f1e01e1191450b5f8f457c56f48e1f4f","request_envelope_id":"11111111-2222-4333-8444-555555555555","request_envelope_issued_at":"2026-05-14T19:30:00Z","request_envelope_type":"browser_approval_request","requested_capability":"captcha.browser_credential","requester_client_id":"captcha-service","requester_origin":"https://captcha.naughtbot.com","service_mobile_pairing_id":"pair_9d58fb4c6ff84f46","version":"browser-approval-decision-binding/v1"}';
+
 describe("MailboxEnvelopeV1", () => {
   it("round-trips the literal RFC 3339 issued_at string", () => {
     const envelope: MailboxEnvelopeV1 = {
@@ -62,9 +70,11 @@ describe("MailboxSshSignRequestPayloadV1", () => {
 
 describe("MailboxSshSignResponsePayloadV1", () => {
   it("decodes success branch by structural narrowing", () => {
-    const json = '{"signature":"YWJj"}';
+    const json = '{"signature":"YWJj","flags":1,"counter":7}';
     const resp = JSON.parse(json) as MailboxSshSignResponsePayloadV1;
     assert.ok("signature" in resp && resp.signature !== undefined);
+    assert.ok("flags" in resp && resp.flags === 1);
+    assert.ok("counter" in resp && resp.counter === 7);
     assert.ok(!("error_code" in resp) || resp.error_code === undefined);
   });
 
@@ -75,6 +85,103 @@ describe("MailboxSshSignResponsePayloadV1", () => {
   });
 });
 
+// Regression test for NaughtBot/e2ee-payloads#17. The SK monotonic counter
+// and per-signature flags byte are now required on both `ssh_auth` and
+// `ssh_sign` success branches. The compile-time bindings below also pin
+// that `counter` and `flags` are required (a regression that makes either
+// optional turns this file into a `tsc` error).
+describe("SSH-SK counter + flags (issue #17)", () => {
+  it("requires counter + flags on MailboxSshAuthResponseSuccessV1", () => {
+    const success: MailboxSshAuthResponseSuccessV1 = {
+      signature: "YWJj",
+      flags: 1,
+      counter: 7,
+    };
+    const parsed = JSON.parse(
+      JSON.stringify(success),
+    ) as MailboxSshAuthResponseSuccessV1;
+    assert.equal(parsed.counter, 7);
+    assert.equal(parsed.flags, 1);
+    assert.equal(parsed.signature, "YWJj");
+
+    // u32 max counter + u8 max flags round-trip without overflow.
+    const maxBoundary: MailboxSshAuthResponseSuccessV1 = {
+      signature: "YWJj",
+      flags: 255,
+      counter: 4294967295,
+    };
+    const parsedMax = JSON.parse(
+      JSON.stringify(maxBoundary),
+    ) as MailboxSshAuthResponseSuccessV1;
+    assert.equal(parsedMax.counter, 4294967295);
+    assert.equal(parsedMax.flags, 255);
+  });
+
+  it("requires counter + flags on MailboxSshSignResponseSuccessV1", () => {
+    const success: MailboxSshSignResponseSuccessV1 = {
+      signature: "YWJj",
+      flags: 1,
+      counter: 42,
+    };
+    const parsed = JSON.parse(
+      JSON.stringify(success),
+    ) as MailboxSshSignResponseSuccessV1;
+    assert.equal(parsed.counter, 42);
+    assert.equal(parsed.flags, 1);
+  });
+});
+
+describe("MailboxBrowserApprovalDecisionBindingV1", () => {
+  it("matches the cross-language canonical JSON fixture", () => {
+    const binding: MailboxBrowserApprovalDecisionBindingV1 = {
+      approval_id: "appr_browser_approval_fixture",
+      browser_public_key_algorithm: "ES256",
+      browser_public_key_thumbprint:
+        "sha256:8uLz73VtBwmU5O_Jr3r2StpLrNxW41Oq9p6FwR2C7xA",
+      decided_at: "2026-05-14T19:31:00Z",
+      decision: "approved",
+      expires_at: "2026-05-14T19:35:00Z",
+      nonce: "m4H2YxTjueEXAMPLE",
+      pairing_transcript_hash:
+        "sha256:6f5902ac237024bdd0c176cb93063dc4f1e01e1191450b5f8f457c56f48e1f4f",
+      request_envelope_id: "11111111-2222-4333-8444-555555555555",
+      request_envelope_issued_at: "2026-05-14T19:30:00Z",
+      request_envelope_type: "browser_approval_request",
+      requested_capability: "captcha.browser_credential",
+      requester_client_id: "captcha-service",
+      requester_origin: "https://captcha.naughtbot.com",
+      service_mobile_pairing_id: "pair_9d58fb4c6ff84f46",
+      version: "browser-approval-decision-binding/v1",
+    };
+    const json = JSON.stringify(binding);
+    assert.equal(json, browserApprovalDecisionBindingFixtureJSON);
+
+    const response: MailboxBrowserApprovalResponsePayloadV1 = {
+      approval_binding_bytes: Buffer.from(json, "utf8").toString("base64"),
+      approval_binding_format: "browser-approval-decision-binding/v1+json",
+      approval_id: binding.approval_id,
+      approval_signature: Buffer.from(
+        "approval-signature-fixture",
+        "utf8",
+      ).toString("base64"),
+      decided_at: binding.decided_at,
+      decision: binding.decision,
+      request_envelope_id: binding.request_envelope_id,
+      signing_key_id: "mobile-key-browser-approval-1",
+      status: "decided",
+    };
+    const parsed = JSON.parse(
+      JSON.stringify(response),
+    ) as MailboxBrowserApprovalResponsePayloadV1;
+    assert.equal(
+      Buffer.from(parsed.approval_binding_bytes, "base64").toString("utf8"),
+      browserApprovalDecisionBindingFixtureJSON,
+    );
+    assert.equal(parsed.decision, "approved");
+    assert.equal(parsed.status, "decided");
+  });
+});
+
 describe("MailboxGpgDecryptResponseSuccessV1", () => {
   it("requires both session_key and algorithm on success", () => {
     // Bind to the success branch directly so the compile-time check is
@@ -133,4 +240,37 @@ describe("MailboxEnrollResponsePayloadV1", () => {
       assert.equal(rejected.error_code, 1);
     }
   });
+
+  // Regression test for NaughtBot/e2ee-payloads#17. The per-credential
+  // SSH-SK flags byte must be carried back to the requester on approved
+  // SSH-SK enrollments so the requester can rebuild the OpenSSH SK
+  // signature preimage on every subsequent `ssh_auth` / `ssh_sign` call.
+  it("round-trips per-credential ssh_sk_flags on SSH-SK enrollments", () => {
+    const approved: MailboxEnrollResponseApprovedV1 = {
+      status: "approved",
+      id: "550e8400-e29b-41d4-a716-446655440000",
+      public_key_hex:
+        "02a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+      device_key_id: "dev-1",
+      algorithm: "ed25519",
+      ssh_sk_flags: 5, // 0x05 = user presence + user verification
+    };
+    const json = JSON.stringify(approved);
+    assert.ok(json.includes('"ssh_sk_flags":5'));
+    const parsed = JSON.parse(json) as MailboxEnrollResponseApprovedV1;
+    assert.equal(parsed.ssh_sk_flags, 5);
+
+    // Non-SSH enrollments omit the field; verify the surface stays
+    // optional (a regression that makes it required turns this into a
+    // `tsc` error rather than a silent on-the-wire change).
+    const noFlags: MailboxEnrollResponseApprovedV1 = {
+      status: "approved",
+      id: "550e8400-e29b-41d4-a716-446655440000",
+      public_key_hex:
+        "02a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+      device_key_id: "dev-1",
+      algorithm: "ed25519",
+    };
+    assert.ok(!JSON.stringify(noFlags).includes("ssh_sk_flags"));
+  });
 });

package/src/index.ts

@@ -38,3 +38,9 @@ export type MailboxEnrollRequestPayloadV1 = components["schemas"]["MailboxEnroll
 export type MailboxEnrollResponsePayloadV1 = components["schemas"]["MailboxEnrollResponsePayloadV1"];
 export type MailboxEnrollResponseApprovedV1 = components["schemas"]["MailboxEnrollResponseApprovedV1"];
 export type MailboxEnrollResponseRejectedV1 = components["schemas"]["MailboxEnrollResponseRejectedV1"];
+export type MailboxBrowserApprovalDecision = components["schemas"]["MailboxBrowserApprovalDecision"];
+export type MailboxBrowserApprovalResponseStatus = components["schemas"]["MailboxBrowserApprovalResponseStatus"];
+export type MailboxBrowserApprovalBindingFormat = components["schemas"]["MailboxBrowserApprovalBindingFormat"];
+export type MailboxBrowserApprovalRequestPayloadV1 = components["schemas"]["MailboxBrowserApprovalRequestPayloadV1"];
+export type MailboxBrowserApprovalDecisionBindingV1 = components["schemas"]["MailboxBrowserApprovalDecisionBindingV1"];
+export type MailboxBrowserApprovalResponsePayloadV1 = components["schemas"]["MailboxBrowserApprovalResponsePayloadV1"];

package/src/schema.ts

@@ -43,7 +43,7 @@ export interface components {
          * @example ssh_sign
          * @enum {string}
          */
-        MailboxEnvelopeType: "link_request" | "link_approval" | "link_rejection" | "captcha_request" | "captcha_response" | "ssh_auth" | "ssh_sign" | "gpg_sign" | "gpg_decrypt" | "age_unwrap" | "pkcs11_sign" | "pkcs11_derive" | "enroll";
+        MailboxEnvelopeType: "link_request" | "link_approval" | "link_rejection" | "captcha_request" | "captcha_response" | "ssh_auth" | "ssh_sign" | "gpg_sign" | "gpg_decrypt" | "age_unwrap" | "pkcs11_sign" | "pkcs11_derive" | "enroll" | "browser_approval_request" | "browser_approval_response";
         /**
          * ApprovalChallenge
          * @description Canonical Longfellow / attested-key-zk approval challenge. Producer sends this inside the request payload; the approver binds it into the approval proof returned in the response payload.
@@ -306,7 +306,7 @@ export interface components {
         MailboxSshAuthResponsePayloadV1: components["schemas"]["MailboxSshAuthResponseSuccessV1"] | components["schemas"]["MailboxSshAuthResponseFailureV1"];
         /**
          * MailboxSshAuthResponseSuccessV1
-         * @description Success branch of `MailboxSshAuthResponsePayloadV1`.
+         * @description Success branch of `MailboxSshAuthResponsePayloadV1`. Carries the raw SSH signature plus the per-signature SK assertion flags byte and monotonic counter the signer's secure element returned for this signing operation; all three are required so the requester can rebuild the OpenSSH SK signature preimage (`SHA256(application) || flags || counter || SHA256(data)`) and verify against the enrolled credential public key.
          */
         MailboxSshAuthResponseSuccessV1: {
             /**
@@ -314,6 +314,17 @@ export interface components {
              * @description RFC 4648 standard base64 with `=` padding for the raw SSH signature blob (no SSH-wire framing).
              */
             signature: string;
+            /**
+             * @description Per-signature SK assertion flags byte the signer's secure element actually asserted with. Approvers MUST either (a) assert with at least the bits the request `flags` byte asked for (UP=0x01, UV=0x04) and return the resulting byte here, or (b) return a `MailboxSshAuthResponseFailureV1` / `MailboxSshSignResponseFailureV1` with the appropriate signing error code. Approvers MUST NOT return a success response whose asserted flags byte clears bits the requester set; that would silently downgrade the security posture (e.g. UV-required → UP-only) below what the request agreed to. Receivers MUST embed this asserted byte at the `flags` position of the OpenSSH SK signature preimage; verification fails if the request `flags` byte is used instead. Receivers SHOULD additionally verify that every bit set in the request `flags` byte is also set here as belt-and-suspenders defence against a misbehaving approver.
+             * @example 1
+             */
+            flags: number;
+            /**
+             * Format: int64
+             * @description Monotonic counter (u32) the signer's secure element returned for this SK signing operation. Receivers MUST embed this in the OpenSSH SK signature preimage at the position between `flags` and `SHA256(data)` as a 4-byte big-endian unsigned integer. Successive signatures from the same key handle MUST have strictly increasing counter values. The schema declares `format: int64` so 32-bit Go targets can still represent the full u32 range without overflow.
+             * @example 1
+             */
+            counter: number;
             approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
         };
         /**
@@ -369,7 +380,7 @@ export interface components {
         MailboxSshSignResponsePayloadV1: components["schemas"]["MailboxSshSignResponseSuccessV1"] | components["schemas"]["MailboxSshSignResponseFailureV1"];
         /**
          * MailboxSshSignResponseSuccessV1
-         * @description Success branch of `MailboxSshSignResponsePayloadV1`.
+         * @description Success branch of `MailboxSshSignResponsePayloadV1`. Carries the raw SSH signature plus the per-signature SK assertion flags byte and monotonic counter the signer's secure element returned for this signing operation; all three are required so the requester can rebuild the OpenSSH SK signature preimage (`SHA256(application) || flags || counter || SHA256(data)`) and verify against the enrolled credential public key.
          */
         MailboxSshSignResponseSuccessV1: {
             /**
@@ -377,6 +388,17 @@ export interface components {
              * @description RFC 4648 standard base64 with `=` padding for the raw SSH signature blob (no SSH-wire framing).
              */
             signature: string;
+            /**
+             * @description Per-signature SK assertion flags byte the signer's secure element actually asserted with. Approvers MUST either (a) assert with at least the bits the request `flags` byte asked for (UP=0x01, UV=0x04) and return the resulting byte here, or (b) return a `MailboxSshAuthResponseFailureV1` / `MailboxSshSignResponseFailureV1` with the appropriate signing error code. Approvers MUST NOT return a success response whose asserted flags byte clears bits the requester set; that would silently downgrade the security posture (e.g. UV-required → UP-only) below what the request agreed to. Receivers MUST embed this asserted byte at the `flags` position of the OpenSSH SK signature preimage; verification fails if the request `flags` byte is used instead. Receivers SHOULD additionally verify that every bit set in the request `flags` byte is also set here as belt-and-suspenders defence against a misbehaving approver.
+             * @example 1
+             */
+            flags: number;
+            /**
+             * Format: int64
+             * @description Monotonic counter (u32) the signer's secure element returned for this SK signing operation. Receivers MUST embed this in the OpenSSH SK signature preimage at the position between `flags` and `SHA256(data)` as a 4-byte big-endian unsigned integer. Successive signatures from the same key handle MUST have strictly increasing counter values. The schema declares `format: int64` so 32-bit Go targets can still represent the full u32 range without overflow.
+             * @example 1
+             */
+            counter: number;
             approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
         };
         /**
@@ -779,6 +801,11 @@ export interface components {
             encryption_public_key_hex?: string;
             /** @description 40-character hex fingerprint of the ECDH encryption subkey. */
             encryption_fingerprint?: string;
+            /**
+             * @description Per-credential SSH-SK flags byte the approver baked into a newly enrolled SSH security-key credential. **MUST be present when `purpose` is the SSH signing purpose; absent for all other key purposes.** (The schema cannot express that conditional requirement directly because `MailboxEnrollResponseApprovedV1` is a single monolithic shape with per-type-optional fields like `fingerprint` / `encryption_public_key_hex`; requesters MUST reject SSH-purpose approved responses that omit this field.) The requester MUST persist this byte alongside the credential public key and use it as the request `flags` input on every subsequent `ssh_auth` / `ssh_sign` call. The approver echoes the actual per-signature assertion flags byte back in the success response (see `MailboxSshAuthResponseSuccessV1.flags`); that asserted byte (which MAY differ from this enrollment flags byte when, e.g., the SK could not deliver user verification) is what the requester MUST embed into the OpenSSH SK signature preimage `SHA256(application) || flags || counter || SHA256(data)`. Bit `0x01` is "user presence required" and `0x04` is "user verification required" per the OpenSSH SK protocol.
+             * @example 1
+             */
+            ssh_sk_flags?: number;
             attestation?: components["schemas"]["KeyMetadataAttestation"];
             approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
         };
@@ -799,6 +826,219 @@ export interface components {
              */
             error_message?: string;
         };
+        /**
+         * MailboxBrowserApprovalDecision
+         * @description Mobile user's signed approval decision.
+         * @example approved
+         * @enum {string}
+         */
+        MailboxBrowserApprovalDecision: "approved" | "denied";
+        /**
+         * MailboxBrowserApprovalResponseStatus
+         * @description Response lifecycle status. The signed `decision` carries the approval outcome.
+         * @example decided
+         * @enum {string}
+         */
+        MailboxBrowserApprovalResponseStatus: "decided";
+        /**
+         * MailboxBrowserApprovalBindingFormat
+         * @description Canonical byte format signed by the mobile approval key.
+         * @example browser-approval-decision-binding/v1+json
+         * @enum {string}
+         */
+        MailboxBrowserApprovalBindingFormat: "browser-approval-decision-binding/v1+json";
+        /**
+         * MailboxBrowserApprovalRequestPayloadV1
+         * @description Request payload for the `browser_approval_request` envelope type. A service requester sends this to the paired mobile device when a browser key needs approval for a generic capability.
+         */
+        MailboxBrowserApprovalRequestPayloadV1: {
+            /**
+             * @description Opaque service-scoped approval id.
+             * @example appr_2af7b1fb2b5b4b5b8c7e9a0d
+             */
+            approval_id: string;
+            /**
+             * @description Human-readable browser/device label shown to the mobile user.
+             * @example Chrome on MacBook Pro
+             */
+            browser_display_name: string;
+            /**
+             * @description Best-effort browser platform hint shown to the mobile user.
+             * @example macOS
+             */
+            browser_platform: string;
+            /** @description Optional user-agent hint for display and diagnostics. */
+            browser_user_agent?: string;
+            /**
+             * @description Browser public key algorithm identifier, e.g. `ES256` or `Ed25519`.
+             * @example ES256
+             */
+            browser_public_key_algorithm: string;
+            /**
+             * @description Thumbprint of the browser public key being approved. Producers SHOULD use `sha256:<base64url-no-padding>` for JWK thumbprints.
+             * @example sha256:8uLz73VtBwmU5O_Jr3r2StpLrNxW41Oq9p6FwR2C7xA
+             */
+            browser_public_key_thumbprint: string;
+            /**
+             * @description Generic capability requested by the service.
+             * @example captcha.browser_credential
+             */
+            requested_capability: string;
+            /**
+             * @description Service/requester client id that created the approval request.
+             * @example captcha-service
+             */
+            requester_client_id: string;
+            /**
+             * @description Human-readable requester name shown to the mobile user.
+             * @example NaughtBot Captcha
+             */
+            requester_display_name: string;
+            /**
+             * @description Origin of the requester that will receive/use the browser credential.
+             * @example https://captcha.naughtbot.com
+             */
+            requester_origin: string;
+            /**
+             * @description Opaque nonce bound into the mobile-signed decision.
+             * @example m4H2YxTjueEXAMPLE
+             */
+            nonce: string;
+            /**
+             * @description RFC 3339 UTC timestamp with canonical `Z` suffix.
+             * @example 2026-05-14T19:30:00Z
+             */
+            issued_at: string;
+            /**
+             * @description RFC 3339 UTC timestamp after which the request is invalid.
+             * @example 2026-05-14T19:35:00Z
+             */
+            expires_at: string;
+        };
+        /**
+         * MailboxBrowserApprovalDecisionBindingV1
+         * @description Canonical JSON object whose UTF-8 bytes are signed by the mobile approval key. Producers encode these fields in lexicographic property order with no insignificant whitespace and place the resulting bytes in `MailboxBrowserApprovalResponsePayloadV1.approval_binding_bytes`.
+         */
+        MailboxBrowserApprovalDecisionBindingV1: {
+            /**
+             * @description Approval id copied from the request payload.
+             * @example appr_2af7b1fb2b5b4b5b8c7e9a0d
+             */
+            approval_id: string;
+            /**
+             * @description Browser public key algorithm copied from the request payload.
+             * @example ES256
+             */
+            browser_public_key_algorithm: string;
+            /**
+             * @description Browser public key thumbprint copied from the request payload.
+             * @example sha256:8uLz73VtBwmU5O_Jr3r2StpLrNxW41Oq9p6FwR2C7xA
+             */
+            browser_public_key_thumbprint: string;
+            /**
+             * @description RFC 3339 UTC timestamp of the mobile decision.
+             * @example 2026-05-14T19:31:00Z
+             */
+            decided_at: string;
+            decision: components["schemas"]["MailboxBrowserApprovalDecision"];
+            /**
+             * @description Request expiry copied from the request payload.
+             * @example 2026-05-14T19:35:00Z
+             */
+            expires_at: string;
+            /**
+             * @description Nonce copied from the request payload.
+             * @example m4H2YxTjueEXAMPLE
+             */
+            nonce: string;
+            /**
+             * @description SHA-256 hash of the service-mobile pairing transcript.
+             * @example sha256:6f5902ac237024bdd0c176cb93063dc4f1e01e1191450b5f8f457c56f48e1f4f
+             */
+            pairing_transcript_hash: string;
+            /**
+             * Format: uuid
+             * @description Envelope id of the browser approval request being answered.
+             * @example 11111111-2222-4333-8444-555555555555
+             */
+            request_envelope_id: string;
+            /**
+             * @description Envelope `issued_at` timestamp of the request being answered.
+             * @example 2026-05-14T19:30:00Z
+             */
+            request_envelope_issued_at: string;
+            /**
+             * @description Envelope type of the request being answered.
+             * @example browser_approval_request
+             * @enum {string}
+             */
+            request_envelope_type: "browser_approval_request";
+            /**
+             * @description Requested capability copied from the request payload.
+             * @example captcha.browser_credential
+             */
+            requested_capability: string;
+            /**
+             * @description Requester client id copied from the request payload.
+             * @example captcha-service
+             */
+            requester_client_id: string;
+            /**
+             * @description Requester origin copied from the request payload.
+             * @example https://captcha.naughtbot.com
+             */
+            requester_origin: string;
+            /**
+             * @description Stable id for the service-mobile E2EE mailbox pairing.
+             * @example pair_9d58fb4c6ff84f46
+             */
+            service_mobile_pairing_id: string;
+            /**
+             * @description Canonical decision binding schema version.
+             * @enum {string}
+             */
+            version: "browser-approval-decision-binding/v1";
+        };
+        /**
+         * MailboxBrowserApprovalResponsePayloadV1
+         * @description Response payload for the `browser_approval_response` envelope type. The response carries the mobile decision plus the exact canonical bytes and signature over `MailboxBrowserApprovalDecisionBindingV1`.
+         */
+        MailboxBrowserApprovalResponsePayloadV1: {
+            /**
+             * Format: byte
+             * @description RFC 4648 standard base64 with `=` padding for the canonical `MailboxBrowserApprovalDecisionBindingV1` UTF-8 JSON bytes.
+             */
+            approval_binding_bytes: string;
+            approval_binding_format: components["schemas"]["MailboxBrowserApprovalBindingFormat"];
+            /**
+             * @description Approval id copied from the request payload.
+             * @example appr_2af7b1fb2b5b4b5b8c7e9a0d
+             */
+            approval_id: string;
+            /**
+             * Format: byte
+             * @description RFC 4648 standard base64 with `=` padding for the signature over `approval_binding_bytes`.
+             */
+            approval_signature: string;
+            /**
+             * @description RFC 3339 UTC timestamp of the mobile decision.
+             * @example 2026-05-14T19:31:00Z
+             */
+            decided_at: string;
+            decision: components["schemas"]["MailboxBrowserApprovalDecision"];
+            /**
+             * Format: uuid
+             * @description Envelope id of the browser approval request being answered.
+             * @example 11111111-2222-4333-8444-555555555555
+             */
+            request_envelope_id: string;
+            /**
+             * @description Mobile signing key id that produced `approval_signature`.
+             * @example mobile-key-browser-approval-1
+             */
+            signing_key_id: string;
+            status: components["schemas"]["MailboxBrowserApprovalResponseStatus"];
+        };
     };
     responses: never;
     parameters: never;