@naughtbot/e2ee-payloads 0.3.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/index.d.ts +30 -0
  2. package/dist/index.d.ts.map +1 -1
  3. package/dist/schema.d.ts +717 -1
  4. package/dist/schema.d.ts.map +1 -1
  5. package/package.json +1 -1
  6. package/src/index.test.ts +273 -0
  7. package/src/index.ts +30 -0
  8. package/src/schema.ts +717 -1
package/dist/schema.d.ts CHANGED
@@ -42,7 +42,7 @@ export interface components {
42
42
  * @example ssh_sign
43
43
  * @enum {string}
44
44
  */
45
- MailboxEnvelopeType: "link_request" | "link_approval" | "link_rejection" | "captcha_request" | "captcha_response" | "ssh_auth" | "ssh_sign" | "gpg_sign" | "gpg_decrypt" | "age_unwrap" | "pkcs11_sign" | "pkcs11_derive" | "enroll" | "browser_approval_request" | "browser_approval_response";
45
+ MailboxEnvelopeType: "link_request" | "link_approval" | "link_rejection" | "captcha_request" | "captcha_response" | "ssh_auth" | "ssh_sign" | "gpg_sign" | "gpg_decrypt" | "age_unwrap" | "pkcs11_sign" | "pkcs11_derive" | "enroll" | "browser_approval_request" | "browser_approval_response" | "first_party_request" | "first_party_response" | "signing_request" | "signing_response";
46
46
  /**
47
47
  * ApprovalChallenge
48
48
  * @description Canonical Longfellow / attested-key-zk approval challenge. Producer sends this inside the request payload; the approver binds it into the approval proof returned in the response payload.
@@ -180,6 +180,7 @@ export interface components {
180
180
  /**
181
181
  * DisplayField
182
182
  * @description A single label/value row rendered on the approval surface.
183
+ * Superseded by the declarative `ApprovalUiV1` schema in `approval_ui.yaml` (`ApprovalUiKeyValueRow` is the direct replacement). Retained only for producers that have not yet migrated to the `ui` field; scheduled for removal in a follow-up once every producer and approver sends and renders `ApprovalUiV1`.
183
184
  */
184
185
  DisplayField: {
185
186
  /**
@@ -218,6 +219,7 @@ export interface components {
218
219
  /**
219
220
  * DisplaySchema
220
221
  * @description Optional approval-UI metadata. Producers populate this on a best-effort basis; approvers MUST render the wire payload regardless of presence.
222
+ * Superseded by the declarative `ApprovalUiV1` schema in `approval_ui.yaml`, exposed as the `ui` field on every request payload. Retained only for producers that have not yet migrated; scheduled for removal in a follow-up once every producer and approver sends and renders `ApprovalUiV1`.
221
223
  */
222
224
  DisplaySchema: {
223
225
  /**
@@ -264,6 +266,264 @@ export interface components {
264
266
  /** @description Full process tree from the current process up to init. */
265
267
  process_chain?: components["schemas"]["ProcessEntry"][];
266
268
  };
269
+ /**
270
+ * ApprovalUiV1
271
+ * @description Declarative approval-UI container. `blocks` is a flat, ordered list rendered top to bottom. The approver renders this content above its own mandatory security chrome and signing controls; nothing here can suppress, reorder, or replace that chrome. Renderers MUST skip (not reject) any block whose `type` is not recognised so that newer producers stay forward-compatible with older approvers. Producers populate this on a best-effort basis; approvers MUST still render a safe default screen when it is absent or empty.
272
+ */
273
+ ApprovalUiV1: {
274
+ /**
275
+ * @description Canonical declarative approval-UI format version. Renderers reject unknown values.
276
+ * @enum {string}
277
+ */
278
+ schema: "approval-ui/v1";
279
+ /** @description Ordered list of content blocks. An empty list is valid and renders as no requester-supplied content. */
280
+ blocks: components["schemas"]["ApprovalUiBlock"][];
281
+ };
282
+ /**
283
+ * ApprovalUiBlock
284
+ * @description One content block in an `ApprovalUiV1.blocks` list. Discriminated on `type`. Renderers MUST skip blocks whose `type` is not recognised rather than rejecting the whole payload.
285
+ */
286
+ ApprovalUiBlock: components["schemas"]["ApprovalUiHeadingBlock"] | components["schemas"]["ApprovalUiTextBlock"] | components["schemas"]["ApprovalUiKeyValuesBlock"] | components["schemas"]["ApprovalUiCalloutBlock"] | components["schemas"]["ApprovalUiBadgeBlock"] | components["schemas"]["ApprovalUiDividerBlock"] | components["schemas"]["ApprovalUiImageBlock"] | components["schemas"]["ApprovalUiSignedDataBlock"];
287
+ /**
288
+ * ApprovalUiProvenance
289
+ * @description Trust origin of a block's content. Renderers MAY group or badge blocks by provenance so the approver can tell requester-asserted content from device-derived content. `requester` is content the relying party / CLI asserted, `relay` is content the relay added, `device` is content the approving device derived locally, and `backend` is content a first-party NaughtBot backend asserted.
290
+ * @example requester
291
+ * @enum {string}
292
+ */
293
+ ApprovalUiProvenance: "requester" | "relay" | "device" | "backend";
294
+ /**
295
+ * ApprovalUiHeadingBlock
296
+ * @description A short heading rendered as a section title. `level` is visual weight only and carries no document-outline semantics.
297
+ */
298
+ ApprovalUiHeadingBlock: {
299
+ /**
300
+ * @description Block discriminator (`heading`). (enum property replaced by openapi-typescript)
301
+ * @enum {string}
302
+ */
303
+ type: "heading";
304
+ provenance: components["schemas"]["ApprovalUiProvenance"];
305
+ /**
306
+ * @description Heading text.
307
+ * @example Sign Git Commit
308
+ */
309
+ text: string;
310
+ /**
311
+ * @description Visual weight of the heading (`1` strongest). Not a document outline level; renderers map it to a font size only.
312
+ * @default 1
313
+ * @enum {integer}
314
+ */
315
+ level?: 1 | 2;
316
+ };
317
+ /**
318
+ * ApprovalUiTextBlock
319
+ * @description A paragraph of plain, non-interactive body text.
320
+ */
321
+ ApprovalUiTextBlock: {
322
+ /**
323
+ * @description Block discriminator (`text`). (enum property replaced by openapi-typescript)
324
+ * @enum {string}
325
+ */
326
+ type: "text";
327
+ provenance: components["schemas"]["ApprovalUiProvenance"];
328
+ /**
329
+ * @description Body text. Rendered as plain text; no markup is interpreted.
330
+ * @example This will create a signed commit on the main branch.
331
+ */
332
+ text: string;
333
+ /**
334
+ * @description Visual emphasis. `secondary` renders as de-emphasised supporting text.
335
+ * @default normal
336
+ * @enum {string}
337
+ */
338
+ style?: "normal" | "secondary";
339
+ };
340
+ /**
341
+ * ApprovalUiKeyValuesBlock
342
+ * @description A labelled table of label/value rows, e.g. request metadata the approver should review before approving.
343
+ */
344
+ ApprovalUiKeyValuesBlock: {
345
+ /**
346
+ * @description Block discriminator (`key_values`). (enum property replaced by openapi-typescript)
347
+ * @enum {string}
348
+ */
349
+ type: "key_values";
350
+ provenance: components["schemas"]["ApprovalUiProvenance"];
351
+ /**
352
+ * @description Optional title rendered above the rows.
353
+ * @example Request details
354
+ */
355
+ title?: string;
356
+ /** @description Ordered label/value rows. */
357
+ rows: components["schemas"]["ApprovalUiKeyValueRow"][];
358
+ };
359
+ /**
360
+ * ApprovalUiKeyValueRow
361
+ * @description A single label/value row inside an `ApprovalUiKeyValuesBlock`.
362
+ */
363
+ ApprovalUiKeyValueRow: {
364
+ /**
365
+ * @description Short row label.
366
+ * @example Repository
367
+ */
368
+ label: string;
369
+ /**
370
+ * @description Row value. Rendered as plain text; no markup is interpreted.
371
+ * @example github.com/user/repo
372
+ */
373
+ value: string;
374
+ /**
375
+ * @description Render the value in a monospace font.
376
+ * @default false
377
+ */
378
+ monospace?: boolean;
379
+ /**
380
+ * @description Value may be collapsed by default and expanded on demand.
381
+ * @default false
382
+ */
383
+ expandable?: boolean;
384
+ /**
385
+ * @description Render the value across multiple lines.
386
+ * @default false
387
+ */
388
+ multiline?: boolean;
389
+ /**
390
+ * @description Value is sensitive; the renderer MAY mask it until revealed.
391
+ * @default false
392
+ */
393
+ sensitive?: boolean;
394
+ /**
395
+ * @description Optional lookup name into the approver's curated icon set. MUST NOT be a URL or file path; renderers ignore unknown names.
396
+ * @example lock
397
+ */
398
+ icon?: string;
399
+ };
400
+ /**
401
+ * ApprovalUiCalloutBlock
402
+ * @description A highlighted callout box used to draw attention to a single message, e.g. a warning about the request.
403
+ */
404
+ ApprovalUiCalloutBlock: {
405
+ /**
406
+ * @description Block discriminator (`callout`). (enum property replaced by openapi-typescript)
407
+ * @enum {string}
408
+ */
409
+ type: "callout";
410
+ provenance: components["schemas"]["ApprovalUiProvenance"];
411
+ /**
412
+ * @description Visual severity of the callout. The renderer maps this to a fixed colour treatment; it carries no executable meaning.
413
+ * @enum {string}
414
+ */
415
+ severity: "info" | "success" | "warning" | "danger";
416
+ /**
417
+ * @description Optional callout title.
418
+ * @example Unrecognised host
419
+ */
420
+ title?: string;
421
+ /**
422
+ * @description Callout body text. Rendered as plain text.
423
+ * @example This request came from a host you have not approved before.
424
+ */
425
+ text: string;
426
+ };
427
+ /**
428
+ * ApprovalUiBadgeBlock
429
+ * @description A small inline pill / tag used to label a status or category.
430
+ */
431
+ ApprovalUiBadgeBlock: {
432
+ /**
433
+ * @description Block discriminator (`badge`). (enum property replaced by openapi-typescript)
434
+ * @enum {string}
435
+ */
436
+ type: "badge";
437
+ provenance: components["schemas"]["ApprovalUiProvenance"];
438
+ /**
439
+ * @description Badge label.
440
+ * @example Production
441
+ */
442
+ text: string;
443
+ /**
444
+ * @description Visual tone of the badge. The renderer maps this to a fixed colour treatment.
445
+ * @default neutral
446
+ * @enum {string}
447
+ */
448
+ tone?: "neutral" | "info" | "success" | "warning" | "danger";
449
+ };
450
+ /**
451
+ * ApprovalUiDividerBlock
452
+ * @description A horizontal rule used to visually separate groups of blocks.
453
+ */
454
+ ApprovalUiDividerBlock: {
455
+ /**
456
+ * @description Block discriminator (`divider`). (enum property replaced by openapi-typescript)
457
+ * @enum {string}
458
+ */
459
+ type: "divider";
460
+ provenance: components["schemas"]["ApprovalUiProvenance"];
461
+ };
462
+ /**
463
+ * ApprovalUiImageBlock
464
+ * @description An embedded raster image rendered inline. The image bytes are carried in `data`; the schema never references an external URL or file path so the approver never makes a network request to render the screen. Deferred: the schema is published now, but the mobile renderer adds image support in a later phase. Renderers that do not yet support images MUST skip this block per the `ApprovalUiBlock` skip-unknown rule.
465
+ */
466
+ ApprovalUiImageBlock: {
467
+ /**
468
+ * @description Block discriminator (`image`). (enum property replaced by openapi-typescript)
469
+ * @enum {string}
470
+ */
471
+ type: "image";
472
+ provenance: components["schemas"]["ApprovalUiProvenance"];
473
+ /**
474
+ * @description Pixel format of the embedded image bytes.
475
+ * @enum {string}
476
+ */
477
+ format: "png";
478
+ /**
479
+ * Format: byte
480
+ * @description RFC 4648 standard base64 with `=` padding for the raw image bytes. Embedded inline only; never a URL or file path.
481
+ */
482
+ data: string;
483
+ /**
484
+ * @description Optional accessibility description of the image.
485
+ * @example Repository avatar
486
+ */
487
+ alt_text?: string;
488
+ /**
489
+ * @description Maximum rendered height in layout points. The renderer scales the image down to fit and never scales it up past its native size.
490
+ * @default 120
491
+ */
492
+ max_height_points?: number;
493
+ };
494
+ /**
495
+ * ApprovalUiSignedDataBlock
496
+ * @description A read-only presentation of the exact bytes the approver is about to sign. This block carries NO content field of its own: the renderer derives the displayed bytes from the request payload's own preimage field (e.g. `signed_payload` / `raw_data`) and renders them in the selected `encoding`. This keeps the signed bytes single-sourced — a requester cannot show the approver one thing here and sign another. Because the content is device-derived, `provenance` MUST be `device`.
497
+ */
498
+ ApprovalUiSignedDataBlock: {
499
+ /**
500
+ * @description Block discriminator (`signed_data`). (enum property replaced by openapi-typescript)
501
+ * @enum {string}
502
+ */
503
+ type: "signed_data";
504
+ /**
505
+ * @description Always `device`: the displayed bytes are derived locally from the request preimage, never asserted by the requester. Constrained to the single `device` value in-schema (rather than the shared `ApprovalUiProvenance` enum) so a requester cannot mislabel the trust origin of signed bytes.
506
+ * @enum {string}
507
+ */
508
+ provenance: "device";
509
+ encoding: components["schemas"]["ApprovalUiSignedDataEncoding"];
510
+ /**
511
+ * @description Label rendered above the signed-data presentation.
512
+ * @default To be signed
513
+ */
514
+ label?: string;
515
+ /** @description Encodings the renderer MAY offer the approver to switch between. When present it SHOULD include `encoding`. */
516
+ available_encodings?: components["schemas"]["ApprovalUiSignedDataEncoding"][];
517
+ /** @description Optional caption rendered below the signed-data presentation. */
518
+ caption?: string;
519
+ };
520
+ /**
521
+ * ApprovalUiSignedDataEncoding
522
+ * @description How the signed bytes are rendered for review. `hex` and `base64` render the raw bytes, `utf8` decodes them as text, and `sha256` renders the lowercase hex SHA-256 digest of the bytes.
523
+ * @example hex
524
+ * @enum {string}
525
+ */
526
+ ApprovalUiSignedDataEncoding: "hex" | "base64" | "utf8" | "sha256";
267
527
  /**
268
528
  * MailboxSshAuthRequestPayloadV1
269
529
  * @description Request payload for the `ssh_auth` envelope type. The approver signs an SSH user-authentication challenge constructed from `raw_data`, using the on-device key selected by `device_key_id`.
@@ -296,6 +556,7 @@ export interface components {
296
556
  device_key_id: string;
297
557
  approval_challenge?: components["schemas"]["ApprovalChallenge"];
298
558
  display?: components["schemas"]["DisplaySchema"];
559
+ ui?: components["schemas"]["ApprovalUiV1"];
299
560
  source_info?: components["schemas"]["SourceInfo"];
300
561
  };
301
562
  /**
@@ -370,6 +631,7 @@ export interface components {
370
631
  device_key_id: string;
371
632
  approval_challenge?: components["schemas"]["ApprovalChallenge"];
372
633
  display?: components["schemas"]["DisplaySchema"];
634
+ ui?: components["schemas"]["ApprovalUiV1"];
373
635
  source_info?: components["schemas"]["SourceInfo"];
374
636
  };
375
637
  /**
@@ -430,6 +692,7 @@ export interface components {
430
692
  device_key_id: string;
431
693
  approval_challenge?: components["schemas"]["ApprovalChallenge"];
432
694
  display?: components["schemas"]["DisplaySchema"];
695
+ ui?: components["schemas"]["ApprovalUiV1"];
433
696
  source_info?: components["schemas"]["SourceInfo"];
434
697
  };
435
698
  /**
@@ -480,6 +743,7 @@ export interface components {
480
743
  device_key_id: string;
481
744
  approval_challenge?: components["schemas"]["ApprovalChallenge"];
482
745
  display?: components["schemas"]["DisplaySchema"];
746
+ ui?: components["schemas"]["ApprovalUiV1"];
483
747
  source_info?: components["schemas"]["SourceInfo"];
484
748
  };
485
749
  /**
@@ -577,6 +841,7 @@ export interface components {
577
841
  recipient_public_hex: string;
578
842
  approval_challenge?: components["schemas"]["ApprovalChallenge"];
579
843
  display?: components["schemas"]["DisplaySchema"];
844
+ ui?: components["schemas"]["ApprovalUiV1"];
580
845
  source_info?: components["schemas"]["SourceInfo"];
581
846
  };
582
847
  /**
@@ -623,6 +888,7 @@ export interface components {
623
888
  /** @description Hex-encoded public key selecting which on-device key the approver should use for signing. */
624
889
  device_key_id: string;
625
890
  display?: components["schemas"]["DisplaySchema"];
891
+ ui?: components["schemas"]["ApprovalUiV1"];
626
892
  approval_challenge?: components["schemas"]["ApprovalChallenge"];
627
893
  source_info?: components["schemas"]["SourceInfo"];
628
894
  };
@@ -670,6 +936,7 @@ export interface components {
670
936
  kdf?: components["schemas"]["Pkcs11DeriveKdfParams"];
671
937
  approval_challenge?: components["schemas"]["ApprovalChallenge"];
672
938
  display?: components["schemas"]["DisplaySchema"];
939
+ ui?: components["schemas"]["ApprovalUiV1"];
673
940
  source_info?: components["schemas"]["SourceInfo"];
674
941
  };
675
942
  /**
@@ -747,6 +1014,7 @@ export interface components {
747
1014
  include_certification?: boolean;
748
1015
  approval_challenge?: components["schemas"]["ApprovalChallenge"];
749
1016
  display?: components["schemas"]["DisplaySchema"];
1017
+ ui?: components["schemas"]["ApprovalUiV1"];
750
1018
  source_info?: components["schemas"]["SourceInfo"];
751
1019
  };
752
1020
  /**
@@ -825,6 +1093,86 @@ export interface components {
825
1093
  */
826
1094
  error_message?: string;
827
1095
  };
1096
+ /**
1097
+ * MailboxSigningRequestPayloadV1
1098
+ * @description Request payload for the `signing_request` envelope type. The approver signs `signed_payload` exactly as supplied with the on-device key selected by `device_key_id`; there is no protocol-specific preimage wrapping. When `approval_challenge` is present its `plaintext_hash` MUST equal `sha256:<lowercase hex of signed_payload after base64 decoding>` so the approval proof is bound to the exact signed bytes.
1099
+ */
1100
+ MailboxSigningRequestPayloadV1: {
1101
+ /**
1102
+ * Format: byte
1103
+ * @description RFC 4648 standard base64 with `=` padding for the exact preimage bytes the approver signs. The decoded payload is capped at 1 MiB (1048576 bytes); `maxLength` is the matching base64-string ceiling.
1104
+ * @example ZGF0YSB0byBzaWdu
1105
+ */
1106
+ signed_payload: string;
1107
+ /**
1108
+ * @description Signature algorithm the approver MUST use. `ecdsa-p256-sha256` signs the SHA-256 digest of `signed_payload`; `ed25519` signs the payload bytes directly.
1109
+ * @example ed25519
1110
+ * @enum {string}
1111
+ */
1112
+ signing_algorithm: "ed25519" | "ecdsa-p256-sha256";
1113
+ /** @description Device-side key identifier (e.g. iOS Secure Enclave handle) used to select among enrolled signing keys on the approver. */
1114
+ device_key_id: string;
1115
+ /**
1116
+ * @description When true, `signed_payload` is already the digest to sign and the approver MUST NOT hash it again. Only meaningful for algorithms that sign a digest (e.g. `ecdsa-p256-sha256`); ignored for `ed25519`.
1117
+ * @default false
1118
+ */
1119
+ digest_prehashed?: boolean;
1120
+ /**
1121
+ * @description Optional short human-readable label describing what the signature is for. Display only; not bound into the signature.
1122
+ * @example Release manifest
1123
+ */
1124
+ purpose_label?: string;
1125
+ ui?: components["schemas"]["ApprovalUiV1"];
1126
+ approval_challenge?: components["schemas"]["ApprovalChallenge"];
1127
+ source_info?: components["schemas"]["SourceInfo"];
1128
+ };
1129
+ /**
1130
+ * MailboxSigningResponsePayloadV1
1131
+ * @description Response payload for the `signing_response` envelope type. Discriminated on `result`: `signed` carries the signature; `failed` carries a signing error code.
1132
+ */
1133
+ MailboxSigningResponsePayloadV1: components["schemas"]["MailboxSigningResponseSignedV1"] | components["schemas"]["MailboxSigningResponseFailedV1"];
1134
+ /**
1135
+ * MailboxSigningResponseSignedV1
1136
+ * @description Signed branch of `MailboxSigningResponsePayloadV1`. Carries the raw signature over the request `signed_payload` and echoes the algorithm the approver actually used.
1137
+ */
1138
+ MailboxSigningResponseSignedV1: {
1139
+ /**
1140
+ * @description Signing outcome discriminator (`signed`). (enum property replaced by openapi-typescript)
1141
+ * @enum {string}
1142
+ */
1143
+ result: "signed";
1144
+ /**
1145
+ * Format: byte
1146
+ * @description RFC 4648 standard base64 with `=` padding for the raw signature bytes (no protocol framing).
1147
+ */
1148
+ signature: string;
1149
+ /**
1150
+ * @description Signature algorithm the approver used. Echoes the request `signing_algorithm`.
1151
+ * @example ed25519
1152
+ * @enum {string}
1153
+ */
1154
+ signing_algorithm: "ed25519" | "ecdsa-p256-sha256";
1155
+ /** @description Optional lowercase hex-encoded public key the signature verifies against (64 hex chars for an Ed25519 32-byte key, or 66 hex chars for a P-256 33-byte compressed key). */
1156
+ public_key_hex?: string;
1157
+ approval_proof?: components["schemas"]["ApprovalAttestedKeyProof"];
1158
+ };
1159
+ /**
1160
+ * MailboxSigningResponseFailedV1
1161
+ * @description Failed branch of `MailboxSigningResponsePayloadV1`. Carries the signing error code and an optional human-readable message.
1162
+ */
1163
+ MailboxSigningResponseFailedV1: {
1164
+ /**
1165
+ * @description Signing outcome discriminator (`failed`). (enum property replaced by openapi-typescript)
1166
+ * @enum {string}
1167
+ */
1168
+ result: "failed";
1169
+ error_code: components["schemas"]["SigningErrorCode"];
1170
+ /**
1171
+ * @description Human-readable error message.
1172
+ * @example User rejected the request
1173
+ */
1174
+ error_message?: string;
1175
+ };
828
1176
  /**
829
1177
  * MailboxBrowserApprovalDecision
830
1178
  * @description Mobile user's signed approval decision.
@@ -1030,6 +1378,374 @@ export interface components {
1030
1378
  request_envelope_id: string;
1031
1379
  status: components["schemas"]["MailboxBrowserApprovalResponseStatus"];
1032
1380
  };
1381
+ /**
1382
+ * MailboxFirstPartyRequestKind
1383
+ * @description First-party request category delivered to a user's devices.
1384
+ * @example privileged_action_approval
1385
+ * @enum {string}
1386
+ */
1387
+ MailboxFirstPartyRequestKind: "privileged_action_approval";
1388
+ /**
1389
+ * MailboxFirstPartyPrivilegedActionType
1390
+ * @description Privileged server-side action that requires mobile approval.
1391
+ * @example relying_party.register
1392
+ * @enum {string}
1393
+ */
1394
+ MailboxFirstPartyPrivilegedActionType: "relying_party.register" | "relying_party.rotate_secret" | "device.revoke_other";
1395
+ /**
1396
+ * MailboxFirstPartyApprovalDecision
1397
+ * @description Mobile user's signed decision for a first-party request.
1398
+ * @example approved
1399
+ * @enum {string}
1400
+ */
1401
+ MailboxFirstPartyApprovalDecision: "approved" | "denied";
1402
+ /**
1403
+ * MailboxFirstPartyResponseStatus
1404
+ * @description Response lifecycle status. The signed `decision` carries the approval outcome.
1405
+ * @example decided
1406
+ * @enum {string}
1407
+ */
1408
+ MailboxFirstPartyResponseStatus: "decided";
1409
+ /**
1410
+ * MailboxFirstPartyApprovalBindingFormat
1411
+ * @description Canonical byte format signed by the approving device key.
1412
+ * @example first-party-privileged-action-decision-binding/v1+json
1413
+ * @enum {string}
1414
+ */
1415
+ MailboxFirstPartyApprovalBindingFormat: "first-party-privileged-action-decision-binding/v1+json";
1416
+ /**
1417
+ * MailboxFirstPartyRelyingPartyRegisterActionV1
1418
+ * @description Canonical action details for `relying_party.register`. Mobile displays these exact fields before approving creation of the relying party and its paired public/confidential clients.
1419
+ */
1420
+ MailboxFirstPartyRelyingPartyRegisterActionV1: {
1421
+ /**
1422
+ * @description Discriminator for this privileged action payload.
1423
+ * @enum {string}
1424
+ */
1425
+ action_type: "relying_party.register";
1426
+ /**
1427
+ * @description Whether approval returns a one-time plaintext client secret to the initiating console flow.
1428
+ * @example true
1429
+ */
1430
+ client_secret_returned_once: boolean;
1431
+ /**
1432
+ * @description OAuth resource audience requested for confidential client credentials.
1433
+ * @example verify.api
1434
+ */
1435
+ confidential_client_audience: string;
1436
+ /**
1437
+ * @description Requested scopes for the confidential backend client.
1438
+ * @example [
1439
+ * "verify:proof"
1440
+ * ]
1441
+ */
1442
+ confidential_client_scopes: string[];
1443
+ /**
1444
+ * @description Human-readable relying-party label shown to the user.
1445
+ * @example Customer Portal
1446
+ */
1447
+ display_name: string;
1448
+ /**
1449
+ * Format: uri
1450
+ * @description Browser origin that will host the public relying-party client.
1451
+ * @example https://customer.example
1452
+ */
1453
+ origin: string;
1454
+ /**
1455
+ * @description Requested scopes for the public browser Sign in client.
1456
+ * @example [
1457
+ * "openid",
1458
+ * "offline_access",
1459
+ * "mailbox:pairing:start"
1460
+ * ]
1461
+ */
1462
+ public_client_scopes: string[];
1463
+ /**
1464
+ * @description Exact browser callback URIs for the public authorization-code client.
1465
+ * @example [
1466
+ * "https://customer.example/oauth/callback"
1467
+ * ]
1468
+ */
1469
+ redirect_uris: string[];
1470
+ };
1471
+ /**
1472
+ * MailboxFirstPartyRelyingPartyRotateSecretActionV1
1473
+ * @description Canonical action details for `relying_party.rotate_secret`. Approval authorizes replacing the confidential client's stored secret hash and returning the new secret once to the initiating console flow.
1474
+ */
1475
+ MailboxFirstPartyRelyingPartyRotateSecretActionV1: {
1476
+ /**
1477
+ * @description Discriminator for this privileged action payload.
1478
+ * @enum {string}
1479
+ */
1480
+ action_type: "relying_party.rotate_secret";
1481
+ /**
1482
+ * @description Whether approval returns a one-time plaintext client secret to the initiating console flow.
1483
+ * @example true
1484
+ */
1485
+ client_secret_returned_once: boolean;
1486
+ /**
1487
+ * @description Confidential backend client id whose secret will rotate.
1488
+ * @example rp_conf_9d58fb4c6ff84f46
1489
+ */
1490
+ confidential_client_id: string;
1491
+ /**
1492
+ * @description Human-readable relying-party label shown to the user.
1493
+ * @example Customer Portal
1494
+ */
1495
+ display_name: string;
1496
+ /**
1497
+ * Format: uri
1498
+ * @description Browser origin attached to the relying party.
1499
+ * @example https://customer.example
1500
+ */
1501
+ origin: string;
1502
+ /**
1503
+ * @description Relying-party record id whose confidential secret will rotate.
1504
+ * @example rp_2af7b1fb2b5b4b5b8
1505
+ */
1506
+ relying_party_id: string;
1507
+ };
1508
+ /**
1509
+ * MailboxFirstPartyDeviceRevokeOtherActionV1
1510
+ * @description Canonical action details for `device.revoke_other`. Approval authorizes revoking another active device on the same user account.
1511
+ */
1512
+ MailboxFirstPartyDeviceRevokeOtherActionV1: {
1513
+ /**
1514
+ * @description Discriminator for this privileged action payload.
1515
+ * @enum {string}
1516
+ */
1517
+ action_type: "device.revoke_other";
1518
+ /**
1519
+ * @description Whether approval cascades revocation to pairings involving the target device.
1520
+ * @example true
1521
+ */
1522
+ revoke_pairings: boolean;
1523
+ /**
1524
+ * @description Whether approval revokes refresh-token families bound to the target device.
1525
+ * @example true
1526
+ */
1527
+ revoke_refresh_tokens: boolean;
1528
+ /**
1529
+ * @description RFC 3339 UTC creation timestamp for the target device.
1530
+ * @example 2026-05-01T12:00:00Z
1531
+ */
1532
+ target_device_created_at: string;
1533
+ /**
1534
+ * Format: uuid
1535
+ * @description Device id that will be revoked.
1536
+ * @example 22222222-3333-4444-8555-666666666666
1537
+ */
1538
+ target_device_id: string;
1539
+ /**
1540
+ * @description Optional human-readable device name shown to the user.
1541
+ * @example Taylor's iPhone
1542
+ */
1543
+ target_device_name?: string | null;
1544
+ /**
1545
+ * @description Registered platform type for the target device.
1546
+ * @example ios
1547
+ * @enum {string}
1548
+ */
1549
+ target_device_type: "ios" | "android";
1550
+ };
1551
+ /**
1552
+ * MailboxFirstPartyPrivilegedAction
1553
+ * @description Typed canonical privileged action details shown on mobile.
1554
+ */
1555
+ MailboxFirstPartyPrivilegedAction: components["schemas"]["MailboxFirstPartyRelyingPartyRegisterActionV1"] | components["schemas"]["MailboxFirstPartyRelyingPartyRotateSecretActionV1"] | components["schemas"]["MailboxFirstPartyDeviceRevokeOtherActionV1"];
1556
+ /**
1557
+ * MailboxFirstPartyPrivilegedActionRequestV1
1558
+ * @description Privileged console action approval request. `canonical_action_bytes` are the UTF-8 JSON bytes of the typed `action` object encoded with lexicographic property order and no insignificant whitespace; the hash pins the exact action details auth will execute after approval.
1559
+ */
1560
+ MailboxFirstPartyPrivilegedActionRequestV1: {
1561
+ action: components["schemas"]["MailboxFirstPartyPrivilegedAction"];
1562
+ action_type: components["schemas"]["MailboxFirstPartyPrivilegedActionType"];
1563
+ /**
1564
+ * Format: byte
1565
+ * @description RFC 4648 standard base64 with `=` padding for the canonical privileged action JSON bytes.
1566
+ */
1567
+ canonical_action_bytes: string;
1568
+ /**
1569
+ * @description SHA-256 hash of `canonical_action_bytes` after base64 decoding.
1570
+ * @example sha256:70f1e52bd01429bc2f405b182a3abc72751bda213dba41684a12db5116698c3c
1571
+ */
1572
+ canonical_action_hash: string;
1573
+ /**
1574
+ * @description RFC 3339 UTC timestamp when auth created the privileged-action intent.
1575
+ * @example 2026-05-16T20:40:00Z
1576
+ */
1577
+ created_at: string;
1578
+ /**
1579
+ * @description OAuth client id for the console flow that initiated the intent.
1580
+ * @example naughtbot-console
1581
+ */
1582
+ initiating_client_id: string;
1583
+ /**
1584
+ * @description Base64url SHA-256 thumbprint of the initiating browser DPoP key.
1585
+ * @example 2oNQXcW2Upi5b1xHZQW1Yf3N0aYVnX_Jf7mRiS7Jm8A
1586
+ */
1587
+ initiating_dpop_jkt: string;
1588
+ /**
1589
+ * @description Opaque privileged-action intent id.
1590
+ * @example pai_2af7b1fb2b5b4b5b8
1591
+ */
1592
+ intent_id: string;
1593
+ };
1594
+ /**
1595
+ * MailboxFirstPartyRequestPayloadV1
1596
+ * @description Request payload for the `first_party_request` envelope type.
1597
+ */
1598
+ MailboxFirstPartyRequestPayloadV1: {
1599
+ /**
1600
+ * @description RFC 3339 UTC timestamp after which the request is invalid.
1601
+ * @example 2026-05-16T20:45:00Z
1602
+ */
1603
+ expires_at: string;
1604
+ /**
1605
+ * @description RFC 3339 UTC timestamp with canonical `Z` suffix.
1606
+ * @example 2026-05-16T20:40:00Z
1607
+ */
1608
+ issued_at: string;
1609
+ /**
1610
+ * @description Opaque nonce bound into the mobile-signed decision.
1611
+ * @example first-party-nonce-fixture
1612
+ */
1613
+ nonce: string;
1614
+ privileged_action: components["schemas"]["MailboxFirstPartyPrivilegedActionRequestV1"];
1615
+ /**
1616
+ * @description Opaque auth/mailbox-scoped first-party request id.
1617
+ * @example fpr_2af7b1fb2b5b4b5b8
1618
+ */
1619
+ request_id: string;
1620
+ request_kind: components["schemas"]["MailboxFirstPartyRequestKind"];
1621
+ };
1622
+ /**
1623
+ * MailboxFirstPartyPrivilegedActionDecisionBindingV1
1624
+ * @description Canonical JSON object whose UTF-8 bytes are signed by the approving device key. Producers encode these fields in lexicographic property order with no insignificant whitespace and place the resulting bytes in `MailboxFirstPartyResponsePayloadV1.approval_binding_bytes`.
1625
+ */
1626
+ MailboxFirstPartyPrivilegedActionDecisionBindingV1: {
1627
+ action_type: components["schemas"]["MailboxFirstPartyPrivilegedActionType"];
1628
+ /**
1629
+ * Format: uuid
1630
+ * @description Device id whose signing key created `approval_signature`.
1631
+ * @example 33333333-4444-4555-8666-777777777777
1632
+ */
1633
+ approving_device_id: string;
1634
+ /**
1635
+ * @description Base64url SHA-256 thumbprint of the approving device signing key.
1636
+ * @example uJx87scLEhI5vT1YdtXx5ERw2IW0aP2mMNJ1lUu1Dx4
1637
+ */
1638
+ approving_device_signing_key_jkt: string;
1639
+ /**
1640
+ * @description Hash copied from the request payload.
1641
+ * @example sha256:70f1e52bd01429bc2f405b182a3abc72751bda213dba41684a12db5116698c3c
1642
+ */
1643
+ canonical_action_hash: string;
1644
+ /**
1645
+ * @description RFC 3339 UTC timestamp of the mobile decision.
1646
+ * @example 2026-05-16T20:41:00Z
1647
+ */
1648
+ decided_at: string;
1649
+ decision: components["schemas"]["MailboxFirstPartyApprovalDecision"];
1650
+ /**
1651
+ * @description Request expiry copied from the request payload.
1652
+ * @example 2026-05-16T20:45:00Z
1653
+ */
1654
+ expires_at: string;
1655
+ /**
1656
+ * @description Privileged-action intent id copied from the request payload.
1657
+ * @example pai_2af7b1fb2b5b4b5b8
1658
+ */
1659
+ intent_id: string;
1660
+ /**
1661
+ * @description Nonce copied from the request payload.
1662
+ * @example first-party-nonce-fixture
1663
+ */
1664
+ nonce: string;
1665
+ /**
1666
+ * Format: uuid
1667
+ * @description Envelope id of the first-party request being answered.
1668
+ * @example 11111111-2222-4333-8444-555555555555
1669
+ */
1670
+ request_envelope_id: string;
1671
+ /**
1672
+ * @description Envelope `issued_at` timestamp of the request being answered.
1673
+ * @example 2026-05-16T20:40:00Z
1674
+ */
1675
+ request_envelope_issued_at: string;
1676
+ /**
1677
+ * @description Envelope type of the request being answered.
1678
+ * @example first_party_request
1679
+ * @enum {string}
1680
+ */
1681
+ request_envelope_type: "first_party_request";
1682
+ /**
1683
+ * @description First-party request id copied from the request payload.
1684
+ * @example fpr_2af7b1fb2b5b4b5b8
1685
+ */
1686
+ request_id: string;
1687
+ /**
1688
+ * @description Canonical decision binding schema version.
1689
+ * @enum {string}
1690
+ */
1691
+ version: "first-party-privileged-action-decision-binding/v1";
1692
+ };
1693
+ /**
1694
+ * MailboxFirstPartyResponsePayloadV1
1695
+ * @description Response payload for the `first_party_response` envelope type. The response carries the mobile decision, the exact canonical bytes signed by the approving device, and the raw device signature over those bytes.
1696
+ */
1697
+ MailboxFirstPartyResponsePayloadV1: {
1698
+ /**
1699
+ * Format: byte
1700
+ * @description RFC 4648 standard base64 with `=` padding for the canonical `MailboxFirstPartyPrivilegedActionDecisionBindingV1` UTF-8 JSON bytes.
1701
+ */
1702
+ approval_binding_bytes: string;
1703
+ approval_binding_format: components["schemas"]["MailboxFirstPartyApprovalBindingFormat"];
1704
+ /**
1705
+ * Format: byte
1706
+ * @description RFC 4648 standard base64 with `=` padding for the raw signature over `approval_binding_bytes` after base64 decoding.
1707
+ */
1708
+ approval_signature: string;
1709
+ /**
1710
+ * @description Device signing-key algorithm identifier.
1711
+ * @example ES256
1712
+ */
1713
+ approval_signature_algorithm: string;
1714
+ /**
1715
+ * Format: uuid
1716
+ * @description Device id whose signing key created `approval_signature`.
1717
+ * @example 33333333-4444-4555-8666-777777777777
1718
+ */
1719
+ approving_device_id: string;
1720
+ /**
1721
+ * @description Base64url SHA-256 thumbprint of the approving device signing key.
1722
+ * @example uJx87scLEhI5vT1YdtXx5ERw2IW0aP2mMNJ1lUu1Dx4
1723
+ */
1724
+ approving_device_signing_key_jkt: string;
1725
+ /**
1726
+ * @description RFC 3339 UTC timestamp of the mobile decision.
1727
+ * @example 2026-05-16T20:41:00Z
1728
+ */
1729
+ decided_at: string;
1730
+ decision: components["schemas"]["MailboxFirstPartyApprovalDecision"];
1731
+ /**
1732
+ * @description Privileged-action intent id copied from the request payload.
1733
+ * @example pai_2af7b1fb2b5b4b5b8
1734
+ */
1735
+ intent_id: string;
1736
+ /**
1737
+ * Format: uuid
1738
+ * @description Envelope id of the first-party request being answered.
1739
+ * @example 11111111-2222-4333-8444-555555555555
1740
+ */
1741
+ request_envelope_id: string;
1742
+ /**
1743
+ * @description First-party request id copied from the request payload.
1744
+ * @example fpr_2af7b1fb2b5b4b5b8
1745
+ */
1746
+ request_id: string;
1747
+ status: components["schemas"]["MailboxFirstPartyResponseStatus"];
1748
+ };
1033
1749
  };
1034
1750
  responses: never;
1035
1751
  parameters: never;