@naughtbot/e2ee-payloads 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/dist/index.d.ts +37 -0
  2. package/dist/index.d.ts.map +1 -0
  3. package/dist/index.js +2 -0
  4. package/dist/index.js.map +1 -0
  5. package/dist/schema.d.ts +810 -0
  6. package/dist/schema.d.ts.map +1 -0
  7. package/dist/schema.js +6 -0
  8. package/dist/schema.js.map +1 -0
  9. package/package.json +36 -0
  10. package/src/index.test.ts +136 -0
  11. package/src/index.ts +40 -0
  12. package/src/schema.ts +810 -0
package/src/schema.ts ADDED
@@ -0,0 +1,810 @@
1
+ /**
2
+ * This file was auto-generated by openapi-typescript.
3
+ * Do not make direct changes to the file.
4
+ */
5
+
6
+ export type paths = Record<string, never>;
7
+ export type webhooks = Record<string, never>;
8
+ export interface components {
9
+ schemas: {
10
+ /**
11
+ * MailboxEnvelopeV1
12
+ * @description Typed plaintext envelope for NaughtBot mailbox payloads. Receivers dispatch on `type`. The schema is documentary — the auth/mailbox backend never sees the envelope (it is inside HPKE plaintext) and no endpoint accepts it directly. See `core/memories/mailbox-envelope.md` for the canonical decode rules until that memory migrates here with the rest of the schema-relocation follow-up.
13
+ */
14
+ MailboxEnvelopeV1: {
15
+ /**
16
+ * @description Envelope version. Receivers reject unknown versions.
17
+ * @enum {integer}
18
+ */
19
+ v: 1;
20
+ /**
21
+ * @description Registered type discriminator. Receivers SHOULD validate against the `MailboxEnvelopeType` registry enum at runtime; unknown values MUST be logged and dropped without rejecting the envelope.
22
+ * @example ssh_sign
23
+ */
24
+ type: string;
25
+ /**
26
+ * Format: uuid
27
+ * @description Canonical lower-case RFC 4122 UUID string for idempotency / dedup on the receiver.
28
+ */
29
+ id: string;
30
+ /**
31
+ * @description RFC 3339 UTC timestamp with the canonical `Z` suffix. Senders SHOULD emit fractional seconds (`2026-05-03T05:00:00.123Z`); receivers MUST also accept the plain second-precision form (`2026-05-03T05:00:00Z`). Times outside UTC and timestamps lacking the `T` delimiter are rejected.
32
+ * @example 2026-05-03T05:00:00.123Z
33
+ */
34
+ issued_at: string;
35
+ /** @description Type-specific payload, MUST be a JSON object (`{...}`); scalar / array / string roots are not valid envelopes. The internal schema is validated by the per-`type` handler defined under `payloads/`, not by the envelope codec. */
36
+ payload: {
37
+ [key: string]: unknown;
38
+ };
39
+ };
40
+ /**
41
+ * MailboxEnvelopeType
42
+ * @description Registered set of envelope `type` discriminators. Receivers may decode the envelope successfully but log+drop on unknown values. Adding a new type requires adding it here and shipping the matching payload schema under `payloads/<surface>.yaml`.
43
+ * @example ssh_sign
44
+ * @enum {string}
45
+ */
46
+ MailboxEnvelopeType: "link_request" | "link_approval" | "link_rejection" | "captcha_request" | "captcha_response" | "ssh_auth" | "ssh_sign" | "gpg_sign" | "gpg_decrypt" | "age_unwrap" | "pkcs11_sign" | "pkcs11_derive" | "enroll";
47
+ /**
48
+ * ApprovalChallenge
49
+ * @description Canonical Longfellow / attested-key-zk approval challenge. Producer sends this inside the request payload; the approver binds it into the approval proof returned in the response payload.
50
+ */
51
+ ApprovalChallenge: {
52
+ /**
53
+ * @description Canonical approval challenge format version.
54
+ * @enum {string}
55
+ */
56
+ version: "approval-challenge/v1";
57
+ /** @description Opaque nonce bound into the approval challenge and proof statement. */
58
+ nonce: string;
59
+ /** @description Relay request id that scopes the approval proof. */
60
+ request_id: string;
61
+ /** @description SHA-256 digest of the approved plaintext, formatted as `sha256:<hex>`. */
62
+ plaintext_hash: string;
63
+ };
64
+ /**
65
+ * ApprovalProofStatement
66
+ * @description Public Longfellow statement bound into the zero-knowledge proof.
67
+ */
68
+ ApprovalProofStatement: {
69
+ /** @description Lowercase hex-encoded compressed P-256 issuer public key (66 hex chars, 33 bytes: `0x02`/`0x03` || X). */
70
+ issuer_public_key_hex: string;
71
+ /** @description Lowercase hex-encoded SHA-256 hash of the mobile app identifier. */
72
+ app_id_hash_hex: string;
73
+ /**
74
+ * Format: int32
75
+ * @description Policy version embedded into the approval proof statement.
76
+ */
77
+ policy_version: number;
78
+ /**
79
+ * Format: int64
80
+ * @description Unix timestamp in seconds embedded into the approval proof statement.
81
+ */
82
+ now: number;
83
+ /** @description Lowercase hex-encoded SHA-256 hash of `ApprovalChallenge.nonce`. */
84
+ challenge_nonce_hex: string;
85
+ /** @description Lowercase hex-encoded SHA-256 hash of the verifier audience string. */
86
+ audience_hash_hex: string;
87
+ /** @description Lowercase hex-encoded SHA-256 hash of the canonical approval challenge JSON. */
88
+ approval_hash_hex: string;
89
+ };
90
+ /**
91
+ * ApprovalAttestationV1
92
+ * @description Service-issued approval attestation embedded into the Longfellow proof witness.
93
+ */
94
+ ApprovalAttestationV1: {
95
+ /**
96
+ * @description Canonical approval attestation format version.
97
+ * @enum {string}
98
+ */
99
+ version: "approval-attestation/v1";
100
+ /**
101
+ * Format: byte
102
+ * @description RFC 4648 standard base64 with `=` padding for the `approval-attestation/v1` bytes embedded into the Longfellow proof witness.
103
+ */
104
+ bytes: string;
105
+ /**
106
+ * Format: byte
107
+ * @description RFC 4648 standard base64 with `=` padding for the raw 64-byte P-256 `r || s` signature over `SHA256(bytes)`.
108
+ */
109
+ signature: string;
110
+ };
111
+ /**
112
+ * ApprovalAttestedKeyProof
113
+ * @description Canonical Longfellow approval proof carried inside encrypted approval responses.
114
+ */
115
+ ApprovalAttestedKeyProof: {
116
+ /**
117
+ * @description Canonical approval proof format version.
118
+ * @enum {string}
119
+ */
120
+ version: "approval-attested-key-proof/v1";
121
+ challenge: components["schemas"]["ApprovalChallenge"];
122
+ statement: components["schemas"]["ApprovalProofStatement"];
123
+ attestation: components["schemas"]["ApprovalAttestationV1"];
124
+ /**
125
+ * Format: byte
126
+ * @description RFC 4648 standard base64 with `=` padding for the Longfellow approval proof bytes.
127
+ */
128
+ proof: string;
129
+ };
130
+ /**
131
+ * AttestationSecurityType
132
+ * @description Combined platform and security level for attestation.
133
+ * @enum {string}
134
+ */
135
+ AttestationSecurityType: "ios_secure_enclave" | "android_tee" | "android_strongbox" | "software" | "play_integrity";
136
+ /**
137
+ * KeyMetadataAttestation
138
+ * @description Attestation proof that a key was created on attested device hardware.
139
+ */
140
+ KeyMetadataAttestation: {
141
+ /** @description Lowercase hex-encoded public key being attested (66 hex chars for P-256 33-byte compressed key, or 64 hex chars for Ed25519 32-byte key). */
142
+ public_key_hex: string;
143
+ /**
144
+ * Format: byte
145
+ * @description RFC 4648 standard base64 with `=` padding for the App Attest assertion or software signature.
146
+ */
147
+ assertion: string;
148
+ attestation_type: components["schemas"]["AttestationSecurityType"];
149
+ /**
150
+ * Format: byte
151
+ * @description RFC 4648 standard base64 with `=` padding for the Apple CBOR attestation object used by hardware attestation.
152
+ */
153
+ attestation_object?: string;
154
+ /**
155
+ * Format: byte
156
+ * @description RFC 4648 standard base64 with `=` padding for `SHA256(id || public_key || created_at || device_auth_public_key)`.
157
+ */
158
+ challenge: string;
159
+ /**
160
+ * Format: int64
161
+ * @description Unix timestamp in milliseconds.
162
+ */
163
+ attestation_timestamp: number;
164
+ /** @description Lowercase hex-encoded attestation key public key (66 hex chars for P-256 33-byte compressed key). */
165
+ attestation_public_key_hex?: string;
166
+ };
167
+ /**
168
+ * SigningErrorCode
169
+ * @description Numeric error code returned in `*ResponsePayloadV1.error_code` when an approval flow fails. `1=rejected`, `2=timeout`, `3=key_not_found`, `4=invalid_payload`, `5=attestation_failed`, `6=internal_error`.
170
+ * @example 1
171
+ * @enum {integer}
172
+ */
173
+ SigningErrorCode: 1 | 2 | 3 | 4 | 5 | 6;
174
+ /**
175
+ * KeyPurpose
176
+ * @description Purpose of an enrolled key.
177
+ * @example ssh
178
+ * @enum {string}
179
+ */
180
+ KeyPurpose: "ssh" | "gpg" | "age";
181
+ /**
182
+ * DisplayField
183
+ * @description A single label/value row rendered on the approval surface.
184
+ */
185
+ DisplayField: {
186
+ /**
187
+ * @description Short label for the field.
188
+ * @example Repository
189
+ */
190
+ label: string;
191
+ /**
192
+ * @description Value to display.
193
+ * @example github.com/user/repo
194
+ */
195
+ value: string;
196
+ /**
197
+ * @description Render the value in a monospace font.
198
+ * @default false
199
+ */
200
+ monospace?: boolean;
201
+ /**
202
+ * @description Field can be expanded to show additional content.
203
+ * @default false
204
+ */
205
+ expandable?: boolean;
206
+ /**
207
+ * @description Render the value across multiple lines.
208
+ * @default false
209
+ */
210
+ multiline?: boolean;
211
+ /**
212
+ * @description Value contains sensitive information; UI may mask it.
213
+ * @default false
214
+ */
215
+ sensitive?: boolean;
216
+ /** @description Optional SF Symbol or Material icon name. */
217
+ icon?: string;
218
+ };
219
+ /**
220
+ * DisplaySchema
221
+ * @description Optional approval-UI metadata. Producers populate this on a best-effort basis; approvers MUST render the wire payload regardless of presence.
222
+ */
223
+ DisplaySchema: {
224
+ /**
225
+ * @description Main title for the approval screen.
226
+ * @example Sign Git Commit
227
+ */
228
+ title: string;
229
+ /** @description Shorter title for the history list view. */
230
+ history_title?: string;
231
+ /** @description Subtitle with additional context. */
232
+ subtitle?: string;
233
+ /** @description Optional icon name. */
234
+ icon?: string;
235
+ fields: components["schemas"]["DisplayField"][];
236
+ };
237
+ /**
238
+ * ProcessEntry
239
+ * @description Entry in a process ancestry chain.
240
+ */
241
+ ProcessEntry: {
242
+ /**
243
+ * Format: int32
244
+ * @description Process id.
245
+ */
246
+ pid: number;
247
+ /** @description Username running the process. */
248
+ username: string;
249
+ /** @description Command line of the process. */
250
+ command: string;
251
+ };
252
+ /**
253
+ * SourceInfo
254
+ * @description Optional context about the requesting system. Producers populate this on a best-effort basis; approvers MUST NOT make security decisions on unauthenticated source metadata.
255
+ */
256
+ SourceInfo: {
257
+ /** @description Source machine hostname. */
258
+ hostname?: string;
259
+ /** @description Local/private IP address. */
260
+ local_ip?: string;
261
+ /** @description User running the requesting process. */
262
+ username?: string;
263
+ /** @description Command line of the current process. */
264
+ command?: string;
265
+ /** @description Full process tree from the current process up to init. */
266
+ process_chain?: components["schemas"]["ProcessEntry"][];
267
+ };
268
+ /**
269
+ * MailboxSshAuthRequestPayloadV1
270
+ * @description Request payload for the `ssh_auth` envelope type. The approver signs an SSH user-authentication challenge constructed from `raw_data`, using the on-device key selected by `device_key_id`.
271
+ */
272
+ MailboxSshAuthRequestPayloadV1: {
273
+ /**
274
+ * Format: byte
275
+ * @description RFC 4648 standard base64 with `=` padding for the raw SSH challenge preimage. The approver builds the canonical SSH signature input from this preimage.
276
+ * @example c3NoIGNoYWxsZW5nZQ==
277
+ */
278
+ raw_data: string;
279
+ /**
280
+ * @description Identifier of the key to sign with.
281
+ * @example key_abc123
282
+ */
283
+ key_id?: string;
284
+ /**
285
+ * @description SSH application identifier (e.g. `ssh:`).
286
+ * @example ssh:
287
+ */
288
+ application?: string;
289
+ /**
290
+ * Format: int32
291
+ * @description SSH SK flags bitmask. Default `0x01` requires user presence.
292
+ * @default 1
293
+ * @example 1
294
+ */
295
+ flags?: number;
296
+ /** @description Device-side key identifier (e.g. iOS Secure Enclave handle) used to select among enrolled signing keys on the approver. */
297
+ device_key_id: string;
298
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
299
+ display?: components["schemas"]["DisplaySchema"];
300
+ source_info?: components["schemas"]["SourceInfo"];
301
+ };
302
+ /**
303
+ * MailboxSshAuthResponsePayloadV1
304
+ * @description Response payload for the `ssh_auth` envelope type. Discriminated as a success / failure pair. Decoders pick `MailboxSshAuthResponseSuccessV1` if `signature` is present and `MailboxSshAuthResponseFailureV1` if `error_code` is present.
305
+ */
306
+ MailboxSshAuthResponsePayloadV1: components["schemas"]["MailboxSshAuthResponseSuccessV1"] | components["schemas"]["MailboxSshAuthResponseFailureV1"];
307
+ /**
308
+ * MailboxSshAuthResponseSuccessV1
309
+ * @description Success branch of `MailboxSshAuthResponsePayloadV1`.
310
+ */
311
+ MailboxSshAuthResponseSuccessV1: {
312
+ /**
313
+ * Format: byte
314
+ * @description RFC 4648 standard base64 with `=` padding for the raw SSH signature blob (no SSH-wire framing).
315
+ */
316
+ signature: string;
317
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
318
+ };
319
+ /**
320
+ * MailboxSshAuthResponseFailureV1
321
+ * @description Failure branch of `MailboxSshAuthResponsePayloadV1`.
322
+ */
323
+ MailboxSshAuthResponseFailureV1: {
324
+ error_code: components["schemas"]["SigningErrorCode"];
325
+ /**
326
+ * @description Human-readable error message.
327
+ * @example User rejected the request
328
+ */
329
+ error_message?: string;
330
+ };
331
+ /**
332
+ * MailboxSshSignRequestPayloadV1
333
+ * @description Request payload for the `ssh_sign` envelope type. The approver signs an SSH signature input derived from `raw_data` (e.g. `git commit -S` SSH signing), using the on-device key selected by `device_key_id`.
334
+ */
335
+ MailboxSshSignRequestPayloadV1: {
336
+ /**
337
+ * Format: byte
338
+ * @description RFC 4648 standard base64 with `=` padding for the raw data to sign (preimage). The approver builds the canonical SSH signature input from this preimage.
339
+ * @example ZGF0YSB0byBzaWdu
340
+ */
341
+ raw_data: string;
342
+ /**
343
+ * @description Identifier of the key to sign with.
344
+ * @example key_abc123
345
+ */
346
+ key_id?: string;
347
+ /**
348
+ * @description SSH application identifier (e.g. `ssh:`).
349
+ * @example ssh:
350
+ */
351
+ application?: string;
352
+ /**
353
+ * Format: int32
354
+ * @description SSH SK flags bitmask. Default `0x01` requires user presence.
355
+ * @default 1
356
+ * @example 1
357
+ */
358
+ flags?: number;
359
+ /** @description Device-side key identifier (e.g. iOS Secure Enclave handle) used to select among enrolled signing keys on the approver. */
360
+ device_key_id: string;
361
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
362
+ display?: components["schemas"]["DisplaySchema"];
363
+ source_info?: components["schemas"]["SourceInfo"];
364
+ };
365
+ /**
366
+ * MailboxSshSignResponsePayloadV1
367
+ * @description Response payload for the `ssh_sign` envelope type. Discriminated as a success / failure pair.
368
+ */
369
+ MailboxSshSignResponsePayloadV1: components["schemas"]["MailboxSshSignResponseSuccessV1"] | components["schemas"]["MailboxSshSignResponseFailureV1"];
370
+ /**
371
+ * MailboxSshSignResponseSuccessV1
372
+ * @description Success branch of `MailboxSshSignResponsePayloadV1`.
373
+ */
374
+ MailboxSshSignResponseSuccessV1: {
375
+ /**
376
+ * Format: byte
377
+ * @description RFC 4648 standard base64 with `=` padding for the raw SSH signature blob (no SSH-wire framing).
378
+ */
379
+ signature: string;
380
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
381
+ };
382
+ /**
383
+ * MailboxSshSignResponseFailureV1
384
+ * @description Failure branch of `MailboxSshSignResponsePayloadV1`.
385
+ */
386
+ MailboxSshSignResponseFailureV1: {
387
+ error_code: components["schemas"]["SigningErrorCode"];
388
+ /**
389
+ * @description Human-readable error message.
390
+ * @example User rejected the request
391
+ */
392
+ error_message?: string;
393
+ };
394
+ /**
395
+ * MailboxGpgSignRequestPayloadV1
396
+ * @description Request payload for the `gpg_sign` envelope type. The approver builds the OpenPGP hash input from `raw_data` and signs the resulting digest with the primary GPG signing key selected by `device_key_id`.
397
+ */
398
+ MailboxGpgSignRequestPayloadV1: {
399
+ /**
400
+ * Format: byte
401
+ * @description RFC 4648 standard base64 with `=` padding for the raw data to sign (preimage). The approver builds the OpenPGP hash input from this preimage and signs the resulting digest.
402
+ * @example cmF3IGRhdGE=
403
+ */
404
+ raw_data: string;
405
+ /**
406
+ * @description Hex-encoded public key selecting which on-device GPG primary key the approver should use for signing. The mailbox/poll path requires this because the envelope does not otherwise carry a key identifier.
407
+ * @example 034dc708f0fda9462584485537d588657e68c808dae0edb8cc556459a7975229e8
408
+ */
409
+ device_key_id: string;
410
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
411
+ display?: components["schemas"]["DisplaySchema"];
412
+ source_info?: components["schemas"]["SourceInfo"];
413
+ };
414
+ /**
415
+ * MailboxGpgSignResponsePayloadV1
416
+ * @description Response payload for the `gpg_sign` envelope type. Discriminated as a success / failure pair.
417
+ */
418
+ MailboxGpgSignResponsePayloadV1: components["schemas"]["MailboxGpgSignResponseSuccessV1"] | components["schemas"]["MailboxGpgSignResponseFailureV1"];
419
+ /**
420
+ * MailboxGpgSignResponseSuccessV1
421
+ * @description Success branch of `MailboxGpgSignResponsePayloadV1`.
422
+ */
423
+ MailboxGpgSignResponseSuccessV1: {
424
+ /**
425
+ * @description ASCII-armored OpenPGP signature.
426
+ * @example -----BEGIN PGP SIGNATURE-----...
427
+ */
428
+ armored_signature: string;
429
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
430
+ };
431
+ /**
432
+ * MailboxGpgSignResponseFailureV1
433
+ * @description Failure branch of `MailboxGpgSignResponsePayloadV1`.
434
+ */
435
+ MailboxGpgSignResponseFailureV1: {
436
+ error_code: components["schemas"]["SigningErrorCode"];
437
+ /**
438
+ * @description Human-readable error message.
439
+ * @example User rejected the request
440
+ */
441
+ error_message?: string;
442
+ };
443
+ /**
444
+ * MailboxGpgDecryptRequestPayloadV1
445
+ * @description Request payload for the `gpg_decrypt` envelope type. The approver unwraps the OpenPGP Public Key Encrypted Session Key packet using the encryption subkey selected by `device_key_id`.
446
+ */
447
+ MailboxGpgDecryptRequestPayloadV1: {
448
+ /**
449
+ * Format: byte
450
+ * @description RFC 4648 standard base64 with `=` padding for the encrypted data to decrypt.
451
+ * @example ZW5jcnlwdGVkIGRhdGE=
452
+ */
453
+ encrypted_data: string;
454
+ pkesk: components["schemas"]["PkeskData"];
455
+ /**
456
+ * @description Hex-encoded public key selecting which on-device GPG encryption subkey the approver should use for ECDH. The mailbox/poll path requires this because the envelope does not otherwise carry a key identifier.
457
+ * @example 034dc708f0fda9462584485537d588657e68c808dae0edb8cc556459a7975229e8
458
+ */
459
+ device_key_id: string;
460
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
461
+ display?: components["schemas"]["DisplaySchema"];
462
+ source_info?: components["schemas"]["SourceInfo"];
463
+ };
464
+ /**
465
+ * MailboxGpgDecryptResponsePayloadV1
466
+ * @description Response payload for the `gpg_decrypt` envelope type. Discriminated as a success / failure pair. The success branch carries both `session_key` and `algorithm`; the failure branch carries `error_code`.
467
+ */
468
+ MailboxGpgDecryptResponsePayloadV1: components["schemas"]["MailboxGpgDecryptResponseSuccessV1"] | components["schemas"]["MailboxGpgDecryptResponseFailureV1"];
469
+ /**
470
+ * MailboxGpgDecryptResponseSuccessV1
471
+ * @description Success branch of `MailboxGpgDecryptResponsePayloadV1`.
472
+ */
473
+ MailboxGpgDecryptResponseSuccessV1: {
474
+ /**
475
+ * Format: byte
476
+ * @description RFC 4648 standard base64 with `=` padding for the unwrapped session key.
477
+ * @example c2Vzc2lvbiBrZXk=
478
+ */
479
+ session_key: string;
480
+ /**
481
+ * Format: int32
482
+ * @description OpenPGP symmetric algorithm id (RFC 4880 §9.2).
483
+ * @example 9
484
+ */
485
+ algorithm: number;
486
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
487
+ };
488
+ /**
489
+ * MailboxGpgDecryptResponseFailureV1
490
+ * @description Failure branch of `MailboxGpgDecryptResponsePayloadV1`.
491
+ */
492
+ MailboxGpgDecryptResponseFailureV1: {
493
+ error_code: components["schemas"]["SigningErrorCode"];
494
+ /**
495
+ * @description Human-readable error message.
496
+ * @example User rejected the request
497
+ */
498
+ error_message?: string;
499
+ };
500
+ /**
501
+ * PkeskData
502
+ * @description OpenPGP Public Key Encrypted Session Key packet data.
503
+ */
504
+ PkeskData: {
505
+ /**
506
+ * Format: int32
507
+ * @description PKESK packet version (typically 3).
508
+ * @example 3
509
+ */
510
+ version: number;
511
+ /**
512
+ * Format: byte
513
+ * @description RFC 4648 standard base64 with `=` padding for the 8-byte recipient key id.
514
+ * @example a2V5X2lkMTIz
515
+ */
516
+ key_id: string;
517
+ /**
518
+ * Format: int32
519
+ * @description OpenPGP public key algorithm (RFC 4880 §9.1). `18` is ECDH.
520
+ * @example 18
521
+ */
522
+ algorithm: number;
523
+ /**
524
+ * Format: byte
525
+ * @description RFC 4648 standard base64 with `=` padding for the ephemeral ECDH public point (33 bytes compressed).
526
+ * @example ZXBoZW1lcmFsX3BvaW50
527
+ */
528
+ ephemeral_point: string;
529
+ /**
530
+ * Format: byte
531
+ * @description RFC 4648 standard base64 with `=` padding for the AES-wrapped session key.
532
+ * @example d3JhcHBlZF9rZXk=
533
+ */
534
+ wrapped_key: string;
535
+ };
536
+ /**
537
+ * MailboxAgeUnwrapRequestPayloadV1
538
+ * @description Request payload for the `age_unwrap` envelope type. The approver unwraps an age `X25519` recipient stanza using the on-device X25519 key matching `recipient_public_hex`.
539
+ */
540
+ MailboxAgeUnwrapRequestPayloadV1: {
541
+ /**
542
+ * @description Lowercase hex-encoded sender's ephemeral X25519 public key (64 hex chars for the 32-byte key).
543
+ * @example a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
544
+ */
545
+ ephemeral_public_hex: string;
546
+ /**
547
+ * Format: byte
548
+ * @description RFC 4648 standard base64 with `=` padding for the wrapped file key for decryption.
549
+ * @example d3JhcHBlZCBmaWxlIGtleQ==
550
+ */
551
+ wrapped_file_key: string;
552
+ /**
553
+ * @description Lowercase hex-encoded recipient's X25519 public key (64 hex chars for the 32-byte key).
554
+ * @example b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3
555
+ */
556
+ recipient_public_hex: string;
557
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
558
+ display?: components["schemas"]["DisplaySchema"];
559
+ source_info?: components["schemas"]["SourceInfo"];
560
+ };
561
+ /**
562
+ * MailboxAgeUnwrapResponsePayloadV1
563
+ * @description Response payload for the `age_unwrap` envelope type. Discriminated as a success / failure pair.
564
+ */
565
+ MailboxAgeUnwrapResponsePayloadV1: components["schemas"]["MailboxAgeUnwrapResponseSuccessV1"] | components["schemas"]["MailboxAgeUnwrapResponseFailureV1"];
566
+ /**
567
+ * MailboxAgeUnwrapResponseSuccessV1
568
+ * @description Success branch of `MailboxAgeUnwrapResponsePayloadV1`.
569
+ */
570
+ MailboxAgeUnwrapResponseSuccessV1: {
571
+ /**
572
+ * Format: byte
573
+ * @description RFC 4648 standard base64 with `=` padding for the unwrapped age file key.
574
+ * @example ZmlsZSBrZXk=
575
+ */
576
+ file_key: string;
577
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
578
+ };
579
+ /**
580
+ * MailboxAgeUnwrapResponseFailureV1
581
+ * @description Failure branch of `MailboxAgeUnwrapResponsePayloadV1`.
582
+ */
583
+ MailboxAgeUnwrapResponseFailureV1: {
584
+ error_code: components["schemas"]["SigningErrorCode"];
585
+ /**
586
+ * @description Human-readable error message.
587
+ * @example User rejected the request
588
+ */
589
+ error_message?: string;
590
+ };
591
+ /**
592
+ * MailboxPkcs11SignRequestPayloadV1
593
+ * @description Request payload for the `pkcs11_sign` envelope type. The approver computes the SHA-256 digest of `raw_data` and signs it with the on-device key selected by `device_key_id`.
594
+ */
595
+ MailboxPkcs11SignRequestPayloadV1: {
596
+ /**
597
+ * Format: byte
598
+ * @description RFC 4648 standard base64 with `=` padding for the raw data to sign (preimage). The approver computes the SHA-256 digest and signs it.
599
+ * @example cGtjczExIGRhdGE=
600
+ */
601
+ raw_data: string;
602
+ /** @description Hex-encoded public key selecting which on-device key the approver should use for signing. */
603
+ device_key_id: string;
604
+ display?: components["schemas"]["DisplaySchema"];
605
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
606
+ source_info?: components["schemas"]["SourceInfo"];
607
+ };
608
+ /**
609
+ * MailboxPkcs11SignResponsePayloadV1
610
+ * @description Response payload for the `pkcs11_sign` envelope type. Discriminated as a success / failure pair.
611
+ */
612
+ MailboxPkcs11SignResponsePayloadV1: components["schemas"]["MailboxPkcs11SignResponseSuccessV1"] | components["schemas"]["MailboxPkcs11SignResponseFailureV1"];
613
+ /**
614
+ * MailboxPkcs11SignResponseSuccessV1
615
+ * @description Success branch of `MailboxPkcs11SignResponsePayloadV1`.
616
+ */
617
+ MailboxPkcs11SignResponseSuccessV1: {
618
+ /**
619
+ * Format: byte
620
+ * @description RFC 4648 standard base64 with `=` padding for the raw signature bytes (no PKCS#1 framing).
621
+ */
622
+ signature: string;
623
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
624
+ };
625
+ /**
626
+ * MailboxPkcs11SignResponseFailureV1
627
+ * @description Failure branch of `MailboxPkcs11SignResponsePayloadV1`.
628
+ */
629
+ MailboxPkcs11SignResponseFailureV1: {
630
+ error_code: components["schemas"]["SigningErrorCode"];
631
+ /**
632
+ * @description Human-readable error message.
633
+ * @example User rejected the request
634
+ */
635
+ error_message?: string;
636
+ };
637
+ /**
638
+ * MailboxPkcs11DeriveRequestPayloadV1
639
+ * @description Request payload for the `pkcs11_derive` envelope type. The approver runs ECDH between the on-device private key selected by `device_key_id` and the peer public key, optionally feeding the shared secret through a KDF.
640
+ */
641
+ MailboxPkcs11DeriveRequestPayloadV1: {
642
+ /**
643
+ * @description Lowercase hex-encoded peer public key for ECDH (66 hex chars for P-256 33-byte compressed key).
644
+ * @example 02a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
645
+ */
646
+ peer_public_hex: string;
647
+ /** @description Hex-encoded public key selecting which on-device key the approver should use for ECDH. */
648
+ device_key_id: string;
649
+ kdf?: components["schemas"]["Pkcs11DeriveKdfParams"];
650
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
651
+ display?: components["schemas"]["DisplaySchema"];
652
+ source_info?: components["schemas"]["SourceInfo"];
653
+ };
654
+ /**
655
+ * MailboxPkcs11DeriveResponsePayloadV1
656
+ * @description Response payload for the `pkcs11_derive` envelope type. Discriminated as a success / failure pair.
657
+ */
658
+ MailboxPkcs11DeriveResponsePayloadV1: components["schemas"]["MailboxPkcs11DeriveResponseSuccessV1"] | components["schemas"]["MailboxPkcs11DeriveResponseFailureV1"];
659
+ /**
660
+ * MailboxPkcs11DeriveResponseSuccessV1
661
+ * @description Success branch of `MailboxPkcs11DeriveResponsePayloadV1`.
662
+ */
663
+ MailboxPkcs11DeriveResponseSuccessV1: {
664
+ /**
665
+ * Format: byte
666
+ * @description RFC 4648 standard base64 with `=` padding for the derived shared secret (post-KDF if `kdf` was supplied, otherwise raw ECDH X output).
667
+ * @example c2hhcmVkIHNlY3JldA==
668
+ */
669
+ shared_secret: string;
670
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
671
+ };
672
+ /**
673
+ * MailboxPkcs11DeriveResponseFailureV1
674
+ * @description Failure branch of `MailboxPkcs11DeriveResponsePayloadV1`.
675
+ */
676
+ MailboxPkcs11DeriveResponseFailureV1: {
677
+ error_code: components["schemas"]["SigningErrorCode"];
678
+ /**
679
+ * @description Human-readable error message.
680
+ * @example User rejected the request
681
+ */
682
+ error_message?: string;
683
+ };
684
+ /**
685
+ * Pkcs11DeriveKdfParams
686
+ * @description Optional key derivation parameters applied to the ECDH shared secret.
687
+ */
688
+ Pkcs11DeriveKdfParams: {
689
+ /**
690
+ * @description KDF algorithm name. Approvers MUST reject unknown algorithms.
691
+ * @example HKDF-SHA256
692
+ */
693
+ algorithm: string;
694
+ /**
695
+ * Format: int32
696
+ * @description Desired output key length in bytes.
697
+ * @example 32
698
+ */
699
+ key_length?: number;
700
+ /**
701
+ * Format: byte
702
+ * @description RFC 4648 standard base64 with `=` padding for the optional KDF `info` parameter.
703
+ */
704
+ info?: string;
705
+ };
706
+ /**
707
+ * MailboxEnrollRequestPayloadV1
708
+ * @description Request payload for the `enroll` envelope type. The approver creates a new key for the requested `purpose` and returns its public material.
709
+ */
710
+ MailboxEnrollRequestPayloadV1: {
711
+ purpose: components["schemas"]["KeyPurpose"];
712
+ /**
713
+ * @description Human-readable label for the new key.
714
+ * @example Work Laptop SSH Key
715
+ */
716
+ label?: string;
717
+ /**
718
+ * @description Key algorithm to use. Approver MUST reject unknown algorithms.
719
+ * @example ed25519
720
+ */
721
+ algorithm?: string;
722
+ /**
723
+ * @description Include a self-certification signature for GPG export. Ignored for non-GPG purposes.
724
+ * @default false
725
+ */
726
+ include_certification?: boolean;
727
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
728
+ display?: components["schemas"]["DisplaySchema"];
729
+ source_info?: components["schemas"]["SourceInfo"];
730
+ };
731
+ /**
732
+ * MailboxEnrollResponsePayloadV1
733
+ * @description Response payload for the `enroll` envelope type. Discriminated on `status`: `approved` requires the full key material set; `rejected` requires `error_code`.
734
+ */
735
+ MailboxEnrollResponsePayloadV1: components["schemas"]["MailboxEnrollResponseApprovedV1"] | components["schemas"]["MailboxEnrollResponseRejectedV1"];
736
+ /**
737
+ * MailboxEnrollResponseApprovedV1
738
+ * @description Approved branch of `MailboxEnrollResponsePayloadV1`. Carries the freshly minted public key material so the requester can refer to the new key in subsequent signing / decryption requests.
739
+ */
740
+ MailboxEnrollResponseApprovedV1: {
741
+ /**
742
+ * @description Enrollment outcome discriminator (`approved`). (enum property replaced by openapi-typescript)
743
+ * @enum {string}
744
+ */
745
+ status: "approved";
746
+ /**
747
+ * @description New key identifier. UUID for GPG keys; format defined by the algorithm for other purposes.
748
+ * @example 550e8400-e29b-41d4-a716-446655440000
749
+ */
750
+ id: string;
751
+ /** @description Lowercase hex-encoded public key. 66 hex chars for P-256 33-byte compressed key, or 64 hex chars for Ed25519 32-byte key. */
752
+ public_key_hex: string;
753
+ /** @description Device-side key identifier (e.g. iOS Secure Enclave handle) the requester can use to refer to the new key in subsequent requests. */
754
+ device_key_id: string;
755
+ /**
756
+ * @description Key algorithm used.
757
+ * @example ed25519
758
+ */
759
+ algorithm: string;
760
+ /** @description GPG fingerprint for GPG keys (40 hex chars). */
761
+ fingerprint?: string;
762
+ /**
763
+ * Format: int64
764
+ * @description Unix timestamp (seconds) when the key was created.
765
+ * @example 1705320000
766
+ */
767
+ key_creation_timestamp?: number;
768
+ /**
769
+ * Format: byte
770
+ * @description RFC 4648 standard base64 with `=` padding for the GPG self-certification signature.
771
+ */
772
+ user_id_signature?: string;
773
+ /**
774
+ * Format: byte
775
+ * @description RFC 4648 standard base64 with `=` padding for the GPG subkey binding signature.
776
+ */
777
+ subkey_signature?: string;
778
+ /** @description Lowercase hex-encoded ECDH encryption subkey public key (66 hex chars for P-256 33-byte compressed key). */
779
+ encryption_public_key_hex?: string;
780
+ /** @description 40-character hex fingerprint of the ECDH encryption subkey. */
781
+ encryption_fingerprint?: string;
782
+ attestation?: components["schemas"]["KeyMetadataAttestation"];
783
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
784
+ };
785
+ /**
786
+ * MailboxEnrollResponseRejectedV1
787
+ * @description Rejected branch of `MailboxEnrollResponsePayloadV1`. Carries the signing error code (and optional human-readable message).
788
+ */
789
+ MailboxEnrollResponseRejectedV1: {
790
+ /**
791
+ * @description Enrollment outcome discriminator (`rejected`). (enum property replaced by openapi-typescript)
792
+ * @enum {string}
793
+ */
794
+ status: "rejected";
795
+ error_code: components["schemas"]["SigningErrorCode"];
796
+ /**
797
+ * @description Human-readable error message.
798
+ * @example User rejected the enrollment
799
+ */
800
+ error_message?: string;
801
+ };
802
+ };
803
+ responses: never;
804
+ parameters: never;
805
+ requestBodies: never;
806
+ headers: never;
807
+ pathItems: never;
808
+ }
809
+ export type $defs = Record<string, never>;
810
+ export type operations = Record<string, never>;