@opentdf/sdk 0.17.0 → 0.19.0-beta.167

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (117) hide show
  1. package/dist/cjs/src/platform/authorization/authorization_pb.js +2 -3
  2. package/dist/cjs/src/platform/authorization/v2/authorization_pb.js +2 -2
  3. package/dist/cjs/src/platform/buf/validate/validate_pb.js +17 -11
  4. package/dist/cjs/src/platform/entityresolution/entity_resolution_pb.js +2 -3
  5. package/dist/cjs/src/platform/entityresolution/v2/entity_resolution_pb.js +15 -9
  6. package/dist/cjs/src/platform/kas/kas_pb.js +2 -4
  7. package/dist/cjs/src/platform/policy/actions/actions_pb.js +2 -2
  8. package/dist/cjs/src/platform/policy/attributes/attributes_pb.js +79 -43
  9. package/dist/cjs/src/platform/policy/kasregistry/key_access_server_registry_pb.js +121 -56
  10. package/dist/cjs/src/platform/policy/namespaces/namespaces_pb.js +54 -44
  11. package/dist/cjs/src/platform/policy/objects_pb.js +58 -39
  12. package/dist/cjs/src/platform/policy/obligations/obligations_pb.js +85 -30
  13. package/dist/cjs/src/platform/policy/registeredresources/registered_resources_pb.js +53 -22
  14. package/dist/cjs/src/platform/policy/resourcemapping/resource_mapping_pb.js +2 -2
  15. package/dist/cjs/src/platform/policy/selectors_pb.js +38 -5
  16. package/dist/cjs/src/platform/policy/subjectmapping/subject_mapping_pb.js +78 -24
  17. package/dist/cjs/src/platform/policy/unsafe/unsafe_pb.js +3 -2
  18. package/dist/cjs/src/platform/wellknownconfiguration/wellknown_configuration_pb.js +2 -3
  19. package/dist/cjs/src/policy/api.js +1 -30
  20. package/dist/cjs/src/version.js +1 -1
  21. package/dist/types/src/platform/authorization/authorization_pb.d.ts.map +1 -1
  22. package/dist/types/src/platform/authorization/v2/authorization_pb.d.ts +3 -3
  23. package/dist/types/src/platform/authorization/v2/authorization_pb.d.ts.map +1 -1
  24. package/dist/types/src/platform/buf/validate/validate_pb.d.ts +392 -155
  25. package/dist/types/src/platform/buf/validate/validate_pb.d.ts.map +1 -1
  26. package/dist/types/src/platform/entityresolution/entity_resolution_pb.d.ts.map +1 -1
  27. package/dist/types/src/platform/entityresolution/v2/entity_resolution_pb.d.ts +33 -0
  28. package/dist/types/src/platform/entityresolution/v2/entity_resolution_pb.d.ts.map +1 -1
  29. package/dist/types/src/platform/kas/kas_pb.d.ts +173 -7
  30. package/dist/types/src/platform/kas/kas_pb.d.ts.map +1 -1
  31. package/dist/types/src/platform/policy/actions/actions_pb.d.ts +40 -0
  32. package/dist/types/src/platform/policy/actions/actions_pb.d.ts.map +1 -1
  33. package/dist/types/src/platform/policy/attributes/attributes_pb.d.ts +119 -4
  34. package/dist/types/src/platform/policy/attributes/attributes_pb.d.ts.map +1 -1
  35. package/dist/types/src/platform/policy/kasregistry/key_access_server_registry_pb.d.ts +124 -2
  36. package/dist/types/src/platform/policy/kasregistry/key_access_server_registry_pb.d.ts.map +1 -1
  37. package/dist/types/src/platform/policy/namespaces/namespaces_pb.d.ts +53 -114
  38. package/dist/types/src/platform/policy/namespaces/namespaces_pb.d.ts.map +1 -1
  39. package/dist/types/src/platform/policy/objects_pb.d.ts +85 -38
  40. package/dist/types/src/platform/policy/objects_pb.d.ts.map +1 -1
  41. package/dist/types/src/platform/policy/obligations/obligations_pb.d.ts +157 -4
  42. package/dist/types/src/platform/policy/obligations/obligations_pb.d.ts.map +1 -1
  43. package/dist/types/src/platform/policy/registeredresources/registered_resources_pb.d.ts +85 -2
  44. package/dist/types/src/platform/policy/registeredresources/registered_resources_pb.d.ts.map +1 -1
  45. package/dist/types/src/platform/policy/resourcemapping/resource_mapping_pb.d.ts +60 -2
  46. package/dist/types/src/platform/policy/resourcemapping/resource_mapping_pb.d.ts.map +1 -1
  47. package/dist/types/src/platform/policy/selectors_pb.d.ts +41 -1
  48. package/dist/types/src/platform/policy/selectors_pb.d.ts.map +1 -1
  49. package/dist/types/src/platform/policy/subjectmapping/subject_mapping_pb.d.ts +147 -2
  50. package/dist/types/src/platform/policy/subjectmapping/subject_mapping_pb.d.ts.map +1 -1
  51. package/dist/types/src/platform/policy/unsafe/unsafe_pb.d.ts +10 -0
  52. package/dist/types/src/platform/policy/unsafe/unsafe_pb.d.ts.map +1 -1
  53. package/dist/types/src/platform/wellknownconfiguration/wellknown_configuration_pb.d.ts.map +1 -1
  54. package/dist/types/src/policy/api.d.ts +0 -2
  55. package/dist/types/src/policy/api.d.ts.map +1 -1
  56. package/dist/types/src/version.d.ts +1 -1
  57. package/dist/web/src/platform/authorization/authorization_pb.js +2 -3
  58. package/dist/web/src/platform/authorization/v2/authorization_pb.js +2 -2
  59. package/dist/web/src/platform/buf/validate/validate_pb.js +17 -11
  60. package/dist/web/src/platform/entityresolution/entity_resolution_pb.js +2 -3
  61. package/dist/web/src/platform/entityresolution/v2/entity_resolution_pb.js +14 -8
  62. package/dist/web/src/platform/kas/kas_pb.js +2 -4
  63. package/dist/web/src/platform/policy/actions/actions_pb.js +2 -2
  64. package/dist/web/src/platform/policy/attributes/attributes_pb.js +79 -43
  65. package/dist/web/src/platform/policy/kasregistry/key_access_server_registry_pb.js +120 -55
  66. package/dist/web/src/platform/policy/namespaces/namespaces_pb.js +54 -44
  67. package/dist/web/src/platform/policy/objects_pb.js +56 -37
  68. package/dist/web/src/platform/policy/obligations/obligations_pb.js +85 -30
  69. package/dist/web/src/platform/policy/registeredresources/registered_resources_pb.js +53 -22
  70. package/dist/web/src/platform/policy/resourcemapping/resource_mapping_pb.js +2 -2
  71. package/dist/web/src/platform/policy/selectors_pb.js +38 -5
  72. package/dist/web/src/platform/policy/subjectmapping/subject_mapping_pb.js +78 -24
  73. package/dist/web/src/platform/policy/unsafe/unsafe_pb.js +3 -2
  74. package/dist/web/src/platform/wellknownconfiguration/wellknown_configuration_pb.js +2 -3
  75. package/dist/web/src/policy/api.js +1 -29
  76. package/dist/web/src/version.js +1 -1
  77. package/package.json +1 -1
  78. package/src/platform/authorization/authorization_pb.ts +1 -2
  79. package/src/platform/authorization/v2/authorization_pb.ts +4 -4
  80. package/src/platform/buf/validate/validate_pb.ts +437 -163
  81. package/src/platform/entityresolution/entity_resolution_pb.ts +1 -2
  82. package/src/platform/entityresolution/v2/entity_resolution_pb.ts +47 -7
  83. package/src/platform/kas/kas_pb.ts +174 -10
  84. package/src/platform/policy/actions/actions_pb.ts +47 -1
  85. package/src/platform/policy/attributes/attributes_pb.ts +181 -46
  86. package/src/platform/policy/kasregistry/key_access_server_registry_pb.ts +202 -56
  87. package/src/platform/policy/namespaces/namespaces_pb.ts +77 -144
  88. package/src/platform/policy/objects_pb.ts +129 -73
  89. package/src/platform/policy/obligations/obligations_pb.ts +214 -33
  90. package/src/platform/policy/registeredresources/registered_resources_pb.ts +125 -24
  91. package/src/platform/policy/resourcemapping/resource_mapping_pb.ts +70 -3
  92. package/src/platform/policy/selectors_pb.ts +54 -5
  93. package/src/platform/policy/subjectmapping/subject_mapping_pb.ts +200 -25
  94. package/src/platform/policy/unsafe/unsafe_pb.ts +13 -1
  95. package/src/platform/wellknownconfiguration/wellknown_configuration_pb.ts +1 -2
  96. package/src/policy/api.ts +0 -40
  97. package/src/version.ts +1 -1
  98. package/dist/cjs/src/platform/google/api/annotations_pb.js +0 -30
  99. package/dist/cjs/src/platform/google/api/http_pb.js +0 -37
  100. package/dist/cjs/src/platform/protoc-gen-openapiv2/options/annotations_pb.js +0 -68
  101. package/dist/cjs/src/platform/protoc-gen-openapiv2/options/openapiv2_pb.js +0 -307
  102. package/dist/types/src/platform/google/api/annotations_pb.d.ts +0 -14
  103. package/dist/types/src/platform/google/api/annotations_pb.d.ts.map +0 -1
  104. package/dist/types/src/platform/google/api/http_pb.d.ts +0 -441
  105. package/dist/types/src/platform/google/api/http_pb.d.ts.map +0 -1
  106. package/dist/types/src/platform/protoc-gen-openapiv2/options/annotations_pb.d.ts +0 -62
  107. package/dist/types/src/platform/protoc-gen-openapiv2/options/annotations_pb.d.ts.map +0 -1
  108. package/dist/types/src/platform/protoc-gen-openapiv2/options/openapiv2_pb.d.ts +0 -1441
  109. package/dist/types/src/platform/protoc-gen-openapiv2/options/openapiv2_pb.d.ts.map +0 -1
  110. package/dist/web/src/platform/google/api/annotations_pb.js +0 -27
  111. package/dist/web/src/platform/google/api/http_pb.js +0 -34
  112. package/dist/web/src/platform/protoc-gen-openapiv2/options/annotations_pb.js +0 -65
  113. package/dist/web/src/platform/protoc-gen-openapiv2/options/openapiv2_pb.js +0 -304
  114. package/src/platform/google/api/annotations_pb.ts +0 -39
  115. package/src/platform/google/api/http_pb.ts +0 -474
  116. package/src/platform/protoc-gen-openapiv2/options/annotations_pb.ts +0 -83
  117. package/src/platform/protoc-gen-openapiv2/options/openapiv2_pb.ts +0 -1615
@@ -8,14 +8,13 @@ import type { Entity, EntityChain, Token } from "../authorization/authorization_
8
8
  import { file_authorization_authorization } from "../authorization/authorization_pb.js";
9
9
  import type { Any } from "@bufbuild/protobuf/wkt";
10
10
  import { file_google_protobuf_any, file_google_protobuf_struct } from "@bufbuild/protobuf/wkt";
11
- import { file_google_api_annotations } from "../google/api/annotations_pb.js";
12
11
  import type { JsonObject, Message } from "@bufbuild/protobuf";
13
12
 
14
13
  /**
15
14
  * Describes the file entityresolution/entity_resolution.proto.
16
15
  */
17
16
  export const file_entityresolution_entity_resolution: GenFile = /*@__PURE__*/
18
- fileDesc("CihlbnRpdHlyZXNvbHV0aW9uL2VudGl0eV9yZXNvbHV0aW9uLnByb3RvEhBlbnRpdHlyZXNvbHV0aW9uIkEKFlJlc29sdmVFbnRpdGllc1JlcXVlc3QSJwoIZW50aXRpZXMYASADKAsyFS5hdXRob3JpemF0aW9uLkVudGl0eSJeChRFbnRpdHlSZXByZXNlbnRhdGlvbhIxChBhZGRpdGlvbmFsX3Byb3BzGAEgAygLMhcuZ29vZ2xlLnByb3RvYnVmLlN0cnVjdBITCgtvcmlnaW5hbF9pZBgCIAEoCSJhChdSZXNvbHZlRW50aXRpZXNSZXNwb25zZRJGChZlbnRpdHlfcmVwcmVzZW50YXRpb25zGAEgAygLMiYuZW50aXR5cmVzb2x1dGlvbi5FbnRpdHlSZXByZXNlbnRhdGlvbiJrChNFbnRpdHlOb3RGb3VuZEVycm9yEgwKBGNvZGUYASABKAUSDwoHbWVzc2FnZRgCIAEoCRIlCgdkZXRhaWxzGAMgAygLMhQuZ29vZ2xlLnByb3RvYnVmLkFueRIOCgZlbnRpdHkYBCABKAkiRwofQ3JlYXRlRW50aXR5Q2hhaW5Gcm9tSnd0UmVxdWVzdBIkCgZ0b2tlbnMYASADKAsyFC5hdXRob3JpemF0aW9uLlRva2VuIlUKIENyZWF0ZUVudGl0eUNoYWluRnJvbUp3dFJlc3BvbnNlEjEKDWVudGl0eV9jaGFpbnMYASADKAsyGi5hdXRob3JpemF0aW9uLkVudGl0eUNoYWluMtYCChdFbnRpdHlSZXNvbHV0aW9uU2VydmljZRKMAQoPUmVzb2x2ZUVudGl0aWVzEiguZW50aXR5cmVzb2x1dGlvbi5SZXNvbHZlRW50aXRpZXNSZXF1ZXN0GikuZW50aXR5cmVzb2x1dGlvbi5SZXNvbHZlRW50aXRpZXNSZXNwb25zZSIkgtPkkwIeOgEqIhkvZW50aXR5cmVzb2x1dGlvbi9yZXNvbHZlEqsBChhDcmVhdGVFbnRpdHlDaGFpbkZyb21Kd3QSMS5lbnRpdHlyZXNvbHV0aW9uLkNyZWF0ZUVudGl0eUNoYWluRnJvbUp3dFJlcXVlc3QaMi5lbnRpdHlyZXNvbHV0aW9uLkNyZWF0ZUVudGl0eUNoYWluRnJvbUp3dFJlc3BvbnNlIiiC0+STAiI6ASoiHS9lbnRpdHlyZXNvbHV0aW9uL2VudGl0eWNoYWluYgZwcm90bzM", [file_authorization_authorization, file_google_protobuf_struct, file_google_protobuf_any, file_google_api_annotations]);
17
+ fileDesc("CihlbnRpdHlyZXNvbHV0aW9uL2VudGl0eV9yZXNvbHV0aW9uLnByb3RvEhBlbnRpdHlyZXNvbHV0aW9uIkEKFlJlc29sdmVFbnRpdGllc1JlcXVlc3QSJwoIZW50aXRpZXMYASADKAsyFS5hdXRob3JpemF0aW9uLkVudGl0eSJeChRFbnRpdHlSZXByZXNlbnRhdGlvbhIxChBhZGRpdGlvbmFsX3Byb3BzGAEgAygLMhcuZ29vZ2xlLnByb3RvYnVmLlN0cnVjdBITCgtvcmlnaW5hbF9pZBgCIAEoCSJhChdSZXNvbHZlRW50aXRpZXNSZXNwb25zZRJGChZlbnRpdHlfcmVwcmVzZW50YXRpb25zGAEgAygLMiYuZW50aXR5cmVzb2x1dGlvbi5FbnRpdHlSZXByZXNlbnRhdGlvbiJrChNFbnRpdHlOb3RGb3VuZEVycm9yEgwKBGNvZGUYASABKAUSDwoHbWVzc2FnZRgCIAEoCRIlCgdkZXRhaWxzGAMgAygLMhQuZ29vZ2xlLnByb3RvYnVmLkFueRIOCgZlbnRpdHkYBCABKAkiRwofQ3JlYXRlRW50aXR5Q2hhaW5Gcm9tSnd0UmVxdWVzdBIkCgZ0b2tlbnMYASADKAsyFC5hdXRob3JpemF0aW9uLlRva2VuIlUKIENyZWF0ZUVudGl0eUNoYWluRnJvbUp3dFJlc3BvbnNlEjEKDWVudGl0eV9jaGFpbnMYASADKAsyGi5hdXRob3JpemF0aW9uLkVudGl0eUNoYWluMokCChdFbnRpdHlSZXNvbHV0aW9uU2VydmljZRJoCg9SZXNvbHZlRW50aXRpZXMSKC5lbnRpdHlyZXNvbHV0aW9uLlJlc29sdmVFbnRpdGllc1JlcXVlc3QaKS5lbnRpdHlyZXNvbHV0aW9uLlJlc29sdmVFbnRpdGllc1Jlc3BvbnNlIgASgwEKGENyZWF0ZUVudGl0eUNoYWluRnJvbUp3dBIxLmVudGl0eXJlc29sdXRpb24uQ3JlYXRlRW50aXR5Q2hhaW5Gcm9tSnd0UmVxdWVzdBoyLmVudGl0eXJlc29sdXRpb24uQ3JlYXRlRW50aXR5Q2hhaW5Gcm9tSnd0UmVzcG9uc2UiAGIGcHJvdG8z", [file_authorization_authorization, file_google_protobuf_any, file_google_protobuf_struct]);
19
18
 
20
19
  /**
21
20
  *
@@ -9,13 +9,39 @@ import type { Entity, EntityChain, Token } from "../../entity/entity_pb.js";
9
9
  import { file_entity_entity } from "../../entity/entity_pb.js";
10
10
  import type { Any } from "@bufbuild/protobuf/wkt";
11
11
  import { file_google_protobuf_any, file_google_protobuf_struct } from "@bufbuild/protobuf/wkt";
12
+ import type { Resource } from "../../authorization/v2/authorization_pb.js";
13
+ import { file_authorization_v2_authorization } from "../../authorization/v2/authorization_pb.js";
12
14
  import type { JsonObject, Message } from "@bufbuild/protobuf";
13
15
 
14
16
  /**
15
17
  * Describes the file entityresolution/v2/entity_resolution.proto.
16
18
  */
17
19
  export const file_entityresolution_v2_entity_resolution: GenFile = /*@__PURE__*/
18
- fileDesc("CitlbnRpdHlyZXNvbHV0aW9uL3YyL2VudGl0eV9yZXNvbHV0aW9uLnByb3RvEhNlbnRpdHlyZXNvbHV0aW9uLnYyIl4KFEVudGl0eVJlcHJlc2VudGF0aW9uEhMKC29yaWdpbmFsX2lkGAEgASgJEjEKEGFkZGl0aW9uYWxfcHJvcHMYAiADKAsyFy5nb29nbGUucHJvdG9idWYuU3RydWN0IkcKFlJlc29sdmVFbnRpdGllc1JlcXVlc3QSLQoIZW50aXRpZXMYASADKAsyDi5lbnRpdHkuRW50aXR5Qgu6SAjIAQGSAQIIASJkChdSZXNvbHZlRW50aXRpZXNSZXNwb25zZRJJChZlbnRpdHlfcmVwcmVzZW50YXRpb25zGAEgAygLMikuZW50aXR5cmVzb2x1dGlvbi52Mi5FbnRpdHlSZXByZXNlbnRhdGlvbiJrChNFbnRpdHlOb3RGb3VuZEVycm9yEgwKBGNvZGUYASABKAUSDwoHbWVzc2FnZRgCIAEoCRIlCgdkZXRhaWxzGAMgAygLMhQuZ29vZ2xlLnByb3RvYnVmLkFueRIOCgZlbnRpdHkYBCABKAkiRAojQ3JlYXRlRW50aXR5Q2hhaW5zRnJvbVRva2Vuc1JlcXVlc3QSHQoGdG9rZW5zGAEgAygLMg0uZW50aXR5LlRva2VuIlIKJENyZWF0ZUVudGl0eUNoYWluc0Zyb21Ub2tlbnNSZXNwb25zZRIqCg1lbnRpdHlfY2hhaW5zGAEgAygLMhMuZW50aXR5LkVudGl0eUNoYWluMqECChdFbnRpdHlSZXNvbHV0aW9uU2VydmljZRJuCg9SZXNvbHZlRW50aXRpZXMSKy5lbnRpdHlyZXNvbHV0aW9uLnYyLlJlc29sdmVFbnRpdGllc1JlcXVlc3QaLC5lbnRpdHlyZXNvbHV0aW9uLnYyLlJlc29sdmVFbnRpdGllc1Jlc3BvbnNlIgASlQEKHENyZWF0ZUVudGl0eUNoYWluc0Zyb21Ub2tlbnMSOC5lbnRpdHlyZXNvbHV0aW9uLnYyLkNyZWF0ZUVudGl0eUNoYWluc0Zyb21Ub2tlbnNSZXF1ZXN0GjkuZW50aXR5cmVzb2x1dGlvbi52Mi5DcmVhdGVFbnRpdHlDaGFpbnNGcm9tVG9rZW5zUmVzcG9uc2UiAGIGcHJvdG8z", [file_buf_validate_validate, file_entity_entity, file_google_protobuf_any, file_google_protobuf_struct]);
20
+ fileDesc("CitlbnRpdHlyZXNvbHV0aW9uL3YyL2VudGl0eV9yZXNvbHV0aW9uLnByb3RvEhNlbnRpdHlyZXNvbHV0aW9uLnYyIkEKEURpcmVjdEVudGl0bGVtZW50EhsKE2F0dHJpYnV0ZV92YWx1ZV9mcW4YASABKAkSDwoHYWN0aW9ucxgCIAMoCSKjAQoURW50aXR5UmVwcmVzZW50YXRpb24SEwoLb3JpZ2luYWxfaWQYASABKAkSMQoQYWRkaXRpb25hbF9wcm9wcxgCIAMoCzIXLmdvb2dsZS5wcm90b2J1Zi5TdHJ1Y3QSQwoTZGlyZWN0X2VudGl0bGVtZW50cxgDIAMoCzImLmVudGl0eXJlc29sdXRpb24udjIuRGlyZWN0RW50aXRsZW1lbnQiRwoWUmVzb2x2ZUVudGl0aWVzUmVxdWVzdBItCghlbnRpdGllcxgBIAMoCzIOLmVudGl0eS5FbnRpdHlCC7pICMgBAZIBAggBImQKF1Jlc29sdmVFbnRpdGllc1Jlc3BvbnNlEkkKFmVudGl0eV9yZXByZXNlbnRhdGlvbnMYASADKAsyKS5lbnRpdHlyZXNvbHV0aW9uLnYyLkVudGl0eVJlcHJlc2VudGF0aW9uImsKE0VudGl0eU5vdEZvdW5kRXJyb3ISDAoEY29kZRgBIAEoBRIPCgdtZXNzYWdlGAIgASgJEiUKB2RldGFpbHMYAyADKAsyFC5nb29nbGUucHJvdG9idWYuQW55Eg4KBmVudGl0eRgEIAEoCSJzCiNDcmVhdGVFbnRpdHlDaGFpbnNGcm9tVG9rZW5zUmVxdWVzdBIdCgZ0b2tlbnMYASADKAsyDS5lbnRpdHkuVG9rZW4SLQoJcmVzb3VyY2VzGAIgAygLMhouYXV0aG9yaXphdGlvbi52Mi5SZXNvdXJjZSJSCiRDcmVhdGVFbnRpdHlDaGFpbnNGcm9tVG9rZW5zUmVzcG9uc2USKgoNZW50aXR5X2NoYWlucxgBIAMoCzITLmVudGl0eS5FbnRpdHlDaGFpbjKhAgoXRW50aXR5UmVzb2x1dGlvblNlcnZpY2USbgoPUmVzb2x2ZUVudGl0aWVzEisuZW50aXR5cmVzb2x1dGlvbi52Mi5SZXNvbHZlRW50aXRpZXNSZXF1ZXN0GiwuZW50aXR5cmVzb2x1dGlvbi52Mi5SZXNvbHZlRW50aXRpZXNSZXNwb25zZSIAEpUBChxDcmVhdGVFbnRpdHlDaGFpbnNGcm9tVG9rZW5zEjguZW50aXR5cmVzb2x1dGlvbi52Mi5DcmVhdGVFbnRpdHlDaGFpbnNGcm9tVG9rZW5zUmVxdWVzdBo5LmVudGl0eXJlc29sdXRpb24udjIuQ3JlYXRlRW50aXR5Q2hhaW5zRnJvbVRva2Vuc1Jlc3BvbnNlIgBiBnByb3RvMw", [file_buf_validate_validate, file_entity_entity, file_google_protobuf_any, file_google_protobuf_struct, file_authorization_v2_authorization]);
21
+
22
+ /**
23
+ * Entity Entitlements that do not require subject mappings (experimental)
24
+ *
25
+ * @generated from message entityresolution.v2.DirectEntitlement
26
+ */
27
+ export type DirectEntitlement = Message<"entityresolution.v2.DirectEntitlement"> & {
28
+ /**
29
+ * @generated from field: string attribute_value_fqn = 1;
30
+ */
31
+ attributeValueFqn: string;
32
+
33
+ /**
34
+ * @generated from field: repeated string actions = 2;
35
+ */
36
+ actions: string[];
37
+ };
38
+
39
+ /**
40
+ * Describes the message entityresolution.v2.DirectEntitlement.
41
+ * Use `create(DirectEntitlementSchema)` to create a new message.
42
+ */
43
+ export const DirectEntitlementSchema: GenMessage<DirectEntitlement> = /*@__PURE__*/
44
+ messageDesc(file_entityresolution_v2_entity_resolution, 0);
19
45
 
20
46
  /**
21
47
  * @generated from message entityresolution.v2.EntityRepresentation
@@ -32,6 +58,13 @@ export type EntityRepresentation = Message<"entityresolution.v2.EntityRepresenta
32
58
  * @generated from field: repeated google.protobuf.Struct additional_props = 2;
33
59
  */
34
60
  additionalProps: JsonObject[];
61
+
62
+ /**
63
+ * direct entitlements applied to Entity (experimental)
64
+ *
65
+ * @generated from field: repeated entityresolution.v2.DirectEntitlement direct_entitlements = 3;
66
+ */
67
+ directEntitlements: DirectEntitlement[];
35
68
  };
36
69
 
37
70
  /**
@@ -39,7 +72,7 @@ export type EntityRepresentation = Message<"entityresolution.v2.EntityRepresenta
39
72
  * Use `create(EntityRepresentationSchema)` to create a new message.
40
73
  */
41
74
  export const EntityRepresentationSchema: GenMessage<EntityRepresentation> = /*@__PURE__*/
42
- messageDesc(file_entityresolution_v2_entity_resolution, 0);
75
+ messageDesc(file_entityresolution_v2_entity_resolution, 1);
43
76
 
44
77
  /**
45
78
  * Resolve a set of entities to their representations.
@@ -58,7 +91,7 @@ export type ResolveEntitiesRequest = Message<"entityresolution.v2.ResolveEntitie
58
91
  * Use `create(ResolveEntitiesRequestSchema)` to create a new message.
59
92
  */
60
93
  export const ResolveEntitiesRequestSchema: GenMessage<ResolveEntitiesRequest> = /*@__PURE__*/
61
- messageDesc(file_entityresolution_v2_entity_resolution, 1);
94
+ messageDesc(file_entityresolution_v2_entity_resolution, 2);
62
95
 
63
96
  /**
64
97
  * @generated from message entityresolution.v2.ResolveEntitiesResponse
@@ -75,7 +108,7 @@ export type ResolveEntitiesResponse = Message<"entityresolution.v2.ResolveEntiti
75
108
  * Use `create(ResolveEntitiesResponseSchema)` to create a new message.
76
109
  */
77
110
  export const ResolveEntitiesResponseSchema: GenMessage<ResolveEntitiesResponse> = /*@__PURE__*/
78
- messageDesc(file_entityresolution_v2_entity_resolution, 2);
111
+ messageDesc(file_entityresolution_v2_entity_resolution, 3);
79
112
 
80
113
  /**
81
114
  * @generated from message entityresolution.v2.EntityNotFoundError
@@ -107,7 +140,7 @@ export type EntityNotFoundError = Message<"entityresolution.v2.EntityNotFoundErr
107
140
  * Use `create(EntityNotFoundErrorSchema)` to create a new message.
108
141
  */
109
142
  export const EntityNotFoundErrorSchema: GenMessage<EntityNotFoundError> = /*@__PURE__*/
110
- messageDesc(file_entityresolution_v2_entity_resolution, 3);
143
+ messageDesc(file_entityresolution_v2_entity_resolution, 4);
111
144
 
112
145
  /**
113
146
  * Create an entity chain for each token (JWT) in the request.
@@ -119,6 +152,13 @@ export type CreateEntityChainsFromTokensRequest = Message<"entityresolution.v2.C
119
152
  * @generated from field: repeated entity.Token tokens = 1;
120
153
  */
121
154
  tokens: Token[];
155
+
156
+ /**
157
+ * resources to consider for direct entitlements (experimental)
158
+ *
159
+ * @generated from field: repeated authorization.v2.Resource resources = 2;
160
+ */
161
+ resources: Resource[];
122
162
  };
123
163
 
124
164
  /**
@@ -126,7 +166,7 @@ export type CreateEntityChainsFromTokensRequest = Message<"entityresolution.v2.C
126
166
  * Use `create(CreateEntityChainsFromTokensRequestSchema)` to create a new message.
127
167
  */
128
168
  export const CreateEntityChainsFromTokensRequestSchema: GenMessage<CreateEntityChainsFromTokensRequest> = /*@__PURE__*/
129
- messageDesc(file_entityresolution_v2_entity_resolution, 4);
169
+ messageDesc(file_entityresolution_v2_entity_resolution, 5);
130
170
 
131
171
  /**
132
172
  * @generated from message entityresolution.v2.CreateEntityChainsFromTokensResponse
@@ -143,7 +183,7 @@ export type CreateEntityChainsFromTokensResponse = Message<"entityresolution.v2.
143
183
  * Use `create(CreateEntityChainsFromTokensResponseSchema)` to create a new message.
144
184
  */
145
185
  export const CreateEntityChainsFromTokensResponseSchema: GenMessage<CreateEntityChainsFromTokensResponse> = /*@__PURE__*/
146
- messageDesc(file_entityresolution_v2_entity_resolution, 5);
186
+ messageDesc(file_entityresolution_v2_entity_resolution, 6);
147
187
 
148
188
  /**
149
189
  * @generated from service entityresolution.v2.EntityResolutionService
@@ -4,17 +4,15 @@
4
4
 
5
5
  import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1";
6
6
  import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
7
- import { file_google_api_annotations } from "../google/api/annotations_pb.js";
8
7
  import type { StringValueSchema, Value } from "@bufbuild/protobuf/wkt";
9
8
  import { file_google_protobuf_struct, file_google_protobuf_wrappers } from "@bufbuild/protobuf/wkt";
10
- import { file_protoc_gen_openapiv2_options_annotations } from "../protoc-gen-openapiv2/options/annotations_pb.js";
11
9
  import type { Message } from "@bufbuild/protobuf";
12
10
 
13
11
  /**
14
12
  * Describes the file kas/kas.proto.
15
13
  */
16
14
  export const file_kas_kas: GenFile = /*@__PURE__*/
17
- fileDesc("Cg1rYXMva2FzLnByb3RvEgNrYXMiDQoLSW5mb1JlcXVlc3QiHwoMSW5mb1Jlc3BvbnNlEg8KB3ZlcnNpb24YASABKAkiKwoWTGVnYWN5UHVibGljS2V5UmVxdWVzdBIRCglhbGdvcml0aG0YASABKAkiNQoNUG9saWN5QmluZGluZxIWCglhbGdvcml0aG0YASABKAlSA2FsZxIMCgRoYXNoGAIgASgJIvoBCglLZXlBY2Nlc3MSGgoSZW5jcnlwdGVkX21ldGFkYXRhGAEgASgJEioKDnBvbGljeV9iaW5kaW5nGAIgASgLMhIua2FzLlBvbGljeUJpbmRpbmcSEAoIcHJvdG9jb2wYAyABKAkSFgoIa2V5X3R5cGUYBCABKAlSBHR5cGUSFAoHa2FzX3VybBgFIAEoCVIDdXJsEgsKA2tpZBgGIAEoCRIVCghzcGxpdF9pZBgHIAEoCVIDc2lkEhMKC3dyYXBwZWRfa2V5GAggASgMEg4KBmhlYWRlchgJIAEoDBIcChRlcGhlbWVyYWxfcHVibGljX2tleRgKIAEoCSL5AwoVVW5zaWduZWRSZXdyYXBSZXF1ZXN0EhkKEWNsaWVudF9wdWJsaWNfa2V5GAEgASgJEj4KCHJlcXVlc3RzGAIgAygLMiwua2FzLlVuc2lnbmVkUmV3cmFwUmVxdWVzdC5XaXRoUG9saWN5UmVxdWVzdBImCgprZXlfYWNjZXNzGAMgASgLMg4ua2FzLktleUFjY2Vzc0ICGAESEgoGcG9saWN5GAQgASgJQgIYARIVCglhbGdvcml0aG0YBSABKAlCAhgBGiYKCldpdGhQb2xpY3kSCgoCaWQYASABKAkSDAoEYm9keRgCIAEoCRpeChNXaXRoS2V5QWNjZXNzT2JqZWN0EhwKFGtleV9hY2Nlc3Nfb2JqZWN0X2lkGAEgASgJEikKEWtleV9hY2Nlc3Nfb2JqZWN0GAIgASgLMg4ua2FzLktleUFjY2VzcxqpAQoRV2l0aFBvbGljeVJlcXVlc3QSSgoSa2V5X2FjY2Vzc19vYmplY3RzGAEgAygLMi4ua2FzLlVuc2lnbmVkUmV3cmFwUmVxdWVzdC5XaXRoS2V5QWNjZXNzT2JqZWN0EjUKBnBvbGljeRgCIAEoCzIlLmthcy5VbnNpZ25lZFJld3JhcFJlcXVlc3QuV2l0aFBvbGljeRIRCglhbGdvcml0aG0YAyABKAkingEKEFB1YmxpY0tleVJlcXVlc3QSRgoJYWxnb3JpdGhtGAEgASgJQjOSQTAyLmFsZ29yaXRobSB0eXBlIHJzYTo8a2V5c2l6ZT4gb3IgZWM6PGN1cnZlbmFtZT4SIQoDZm10GAIgASgJQhSSQREyD3Jlc3BvbnNlIGZvcm1hdBIfCgF2GAMgASgJQhSSQREyD3JlcXVlc3QgdmVyc2lvbiI0ChFQdWJsaWNLZXlSZXNwb25zZRISCgpwdWJsaWNfa2V5GAEgASgJEgsKA2tpZBgCIAEoCSI7Cg1SZXdyYXBSZXF1ZXN0EhwKFHNpZ25lZF9yZXF1ZXN0X3Rva2VuGAEgASgJSgQIAhADUgZiZWFyZXIigAIKFUtleUFjY2Vzc1Jld3JhcFJlc3VsdBI6CghtZXRhZGF0YRgBIAMoCzIoLmthcy5LZXlBY2Nlc3NSZXdyYXBSZXN1bHQuTWV0YWRhdGFFbnRyeRIcChRrZXlfYWNjZXNzX29iamVjdF9pZBgCIAEoCRIOCgZzdGF0dXMYAyABKAkSGQoPa2FzX3dyYXBwZWRfa2V5GAQgASgMSAASDwoFZXJyb3IYBSABKAlIABpHCg1NZXRhZGF0YUVudHJ5EgsKA2tleRgBIAEoCRIlCgV2YWx1ZRgCIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi5WYWx1ZToCOAFCCAoGcmVzdWx0IlQKElBvbGljeVJld3JhcFJlc3VsdBIRCglwb2xpY3lfaWQYASABKAkSKwoHcmVzdWx0cxgCIAMoCzIaLmthcy5LZXlBY2Nlc3NSZXdyYXBSZXN1bHQilgIKDlJld3JhcFJlc3BvbnNlEjcKCG1ldGFkYXRhGAEgAygLMiEua2FzLlJld3JhcFJlc3BvbnNlLk1ldGFkYXRhRW50cnlCAhgBEh4KEmVudGl0eV93cmFwcGVkX2tleRgCIAEoDEICGAESGgoSc2Vzc2lvbl9wdWJsaWNfa2V5GAMgASgJEhoKDnNjaGVtYV92ZXJzaW9uGAQgASgJQgIYARIqCglyZXNwb25zZXMYBSADKAsyFy5rYXMuUG9saWN5UmV3cmFwUmVzdWx0GkcKDU1ldGFkYXRhRW50cnkSCwoDa2V5GAEgASgJEiUKBXZhbHVlGAIgASgLMhYuZ29vZ2xlLnByb3RvYnVmLlZhbHVlOgI4ATLRAgoNQWNjZXNzU2VydmljZRJpCglQdWJsaWNLZXkSFS5rYXMuUHVibGljS2V5UmVxdWVzdBoWLmthcy5QdWJsaWNLZXlSZXNwb25zZSItkAIBkkEJSgcKAzIwMBIAgtPkkwIYEhYva2FzL3YyL2thc19wdWJsaWNfa2V5EnsKD0xlZ2FjeVB1YmxpY0tleRIbLmthcy5MZWdhY3lQdWJsaWNLZXlSZXF1ZXN0GhwuZ29vZ2xlLnByb3RvYnVmLlN0cmluZ1ZhbHVlIi2IAgGQAgGSQQlKBwoDMjAwEgCC0+STAhUSEy9rYXMva2FzX3B1YmxpY19rZXkSWAoGUmV3cmFwEhIua2FzLlJld3JhcFJlcXVlc3QaEy5rYXMuUmV3cmFwUmVzcG9uc2UiJZJBCUoHCgMyMDASAILT5JMCEzoBKiIOL2thcy92Mi9yZXdyYXBCdpJBcxJxChpPcGVuVERGIEtleSBBY2Nlc3MgU2VydmljZSpMChJCU0QgMy1DbGF1c2UgQ2xlYXISNmh0dHBzOi8vZ2l0aHViLmNvbS9vcGVudGRmL2JhY2tlbmQvYmxvYi9tYXN0ZXIvTElDRU5TRTIFMS41LjBiBnByb3RvMw", [file_google_api_annotations, file_google_protobuf_struct, file_google_protobuf_wrappers, file_protoc_gen_openapiv2_options_annotations]);
15
+ fileDesc("Cg1rYXMva2FzLnByb3RvEgNrYXMiDQoLSW5mb1JlcXVlc3QiHwoMSW5mb1Jlc3BvbnNlEg8KB3ZlcnNpb24YASABKAkiKwoWTGVnYWN5UHVibGljS2V5UmVxdWVzdBIRCglhbGdvcml0aG0YASABKAkiNQoNUG9saWN5QmluZGluZxIWCglhbGdvcml0aG0YASABKAlSA2FsZxIMCgRoYXNoGAIgASgJIvoBCglLZXlBY2Nlc3MSGgoSZW5jcnlwdGVkX21ldGFkYXRhGAEgASgJEioKDnBvbGljeV9iaW5kaW5nGAIgASgLMhIua2FzLlBvbGljeUJpbmRpbmcSEAoIcHJvdG9jb2wYAyABKAkSFgoIa2V5X3R5cGUYBCABKAlSBHR5cGUSFAoHa2FzX3VybBgFIAEoCVIDdXJsEgsKA2tpZBgGIAEoCRIVCghzcGxpdF9pZBgHIAEoCVIDc2lkEhMKC3dyYXBwZWRfa2V5GAggASgMEg4KBmhlYWRlchgJIAEoDBIcChRlcGhlbWVyYWxfcHVibGljX2tleRgKIAEoCSL5AwoVVW5zaWduZWRSZXdyYXBSZXF1ZXN0EhkKEWNsaWVudF9wdWJsaWNfa2V5GAEgASgJEj4KCHJlcXVlc3RzGAIgAygLMiwua2FzLlVuc2lnbmVkUmV3cmFwUmVxdWVzdC5XaXRoUG9saWN5UmVxdWVzdBImCgprZXlfYWNjZXNzGAMgASgLMg4ua2FzLktleUFjY2Vzc0ICGAESEgoGcG9saWN5GAQgASgJQgIYARIVCglhbGdvcml0aG0YBSABKAlCAhgBGiYKCldpdGhQb2xpY3kSCgoCaWQYASABKAkSDAoEYm9keRgCIAEoCRpeChNXaXRoS2V5QWNjZXNzT2JqZWN0EhwKFGtleV9hY2Nlc3Nfb2JqZWN0X2lkGAEgASgJEikKEWtleV9hY2Nlc3Nfb2JqZWN0GAIgASgLMg4ua2FzLktleUFjY2VzcxqpAQoRV2l0aFBvbGljeVJlcXVlc3QSSgoSa2V5X2FjY2Vzc19vYmplY3RzGAEgAygLMi4ua2FzLlVuc2lnbmVkUmV3cmFwUmVxdWVzdC5XaXRoS2V5QWNjZXNzT2JqZWN0EjUKBnBvbGljeRgCIAEoCzIlLmthcy5VbnNpZ25lZFJld3JhcFJlcXVlc3QuV2l0aFBvbGljeRIRCglhbGdvcml0aG0YAyABKAkiPQoQUHVibGljS2V5UmVxdWVzdBIRCglhbGdvcml0aG0YASABKAkSCwoDZm10GAIgASgJEgkKAXYYAyABKAkiNAoRUHVibGljS2V5UmVzcG9uc2USEgoKcHVibGljX2tleRgBIAEoCRILCgNraWQYAiABKAkiOwoNUmV3cmFwUmVxdWVzdBIcChRzaWduZWRfcmVxdWVzdF90b2tlbhgBIAEoCUoECAIQA1IGYmVhcmVyIoACChVLZXlBY2Nlc3NSZXdyYXBSZXN1bHQSOgoIbWV0YWRhdGEYASADKAsyKC5rYXMuS2V5QWNjZXNzUmV3cmFwUmVzdWx0Lk1ldGFkYXRhRW50cnkSHAoUa2V5X2FjY2Vzc19vYmplY3RfaWQYAiABKAkSDgoGc3RhdHVzGAMgASgJEhkKD2thc193cmFwcGVkX2tleRgEIAEoDEgAEg8KBWVycm9yGAUgASgJSAAaRwoNTWV0YWRhdGFFbnRyeRILCgNrZXkYASABKAkSJQoFdmFsdWUYAiABKAsyFi5nb29nbGUucHJvdG9idWYuVmFsdWU6AjgBQggKBnJlc3VsdCJUChJQb2xpY3lSZXdyYXBSZXN1bHQSEQoJcG9saWN5X2lkGAEgASgJEisKB3Jlc3VsdHMYAiADKAsyGi5rYXMuS2V5QWNjZXNzUmV3cmFwUmVzdWx0IpYCCg5SZXdyYXBSZXNwb25zZRI3CghtZXRhZGF0YRgBIAMoCzIhLmthcy5SZXdyYXBSZXNwb25zZS5NZXRhZGF0YUVudHJ5QgIYARIeChJlbnRpdHlfd3JhcHBlZF9rZXkYAiABKAxCAhgBEhoKEnNlc3Npb25fcHVibGljX2tleRgDIAEoCRIaCg5zY2hlbWFfdmVyc2lvbhgEIAEoCUICGAESKgoJcmVzcG9uc2VzGAUgAygLMhcua2FzLlBvbGljeVJld3JhcFJlc3VsdBpHCg1NZXRhZGF0YUVudHJ5EgsKA2tleRgBIAEoCRIlCgV2YWx1ZRgCIAEoCzIWLmdvb2dsZS5wcm90b2J1Zi5WYWx1ZToCOAEy2wEKDUFjY2Vzc1NlcnZpY2USPwoJUHVibGljS2V5EhUua2FzLlB1YmxpY0tleVJlcXVlc3QaFi5rYXMuUHVibGljS2V5UmVzcG9uc2UiA5ACARJUCg9MZWdhY3lQdWJsaWNLZXkSGy5rYXMuTGVnYWN5UHVibGljS2V5UmVxdWVzdBocLmdvb2dsZS5wcm90b2J1Zi5TdHJpbmdWYWx1ZSIGiAIBkAIBEjMKBlJld3JhcBISLmthcy5SZXdyYXBSZXF1ZXN0GhMua2FzLlJld3JhcFJlc3BvbnNlIgBiBnByb3RvMw", [file_google_protobuf_struct, file_google_protobuf_wrappers]);
18
16
 
19
17
  /**
20
18
  * Intentionally empty. May include features later.
@@ -68,15 +66,29 @@ export const LegacyPublicKeyRequestSchema: GenMessage<LegacyPublicKeyRequest> =
68
66
  messageDesc(file_kas_kas, 2);
69
67
 
70
68
  /**
69
+ * Policy binding ensures cryptographic integrity between policy and wrapped key
70
+ * Prevents policy tampering by binding the policy hash to the encrypted key
71
+ *
71
72
  * @generated from message kas.PolicyBinding
72
73
  */
73
74
  export type PolicyBinding = Message<"kas.PolicyBinding"> & {
74
75
  /**
76
+ * Cryptographic hashing algorithm used for policy binding
77
+ * Optional: ZTDF (when policy_binding is an object)
78
+ * Value: Always "HS256" (HMAC-SHA256) - other algorithms not supported
79
+ * Example: "HS256"
80
+ *
75
81
  * @generated from field: string algorithm = 1 [json_name = "alg"];
76
82
  */
77
83
  algorithm: string;
78
84
 
79
85
  /**
86
+ * HMAC-SHA256 hash of the base64-encoded policy using the DEK as the secret key
87
+ * 4.2.2 TDFs are hex and base64 encoded before HMAC computation
88
+ * Required: ZTDF (when policy_binding is an object)
89
+ * Links the policy content to the wrapped DEK cryptographically via HMAC
90
+ * Computed as HMAC-SHA256(DEK, base64_policy) then hex-encoded and base64-encoded
91
+ *
80
92
  * @generated from field: string hash = 2;
81
93
  */
82
94
  hash: string;
@@ -90,59 +102,102 @@ export const PolicyBindingSchema: GenMessage<PolicyBinding> = /*@__PURE__*/
90
102
  messageDesc(file_kas_kas, 3);
91
103
 
92
104
  /**
105
+ * Key Access Object containing cryptographic material and metadata for TDF decryption
106
+ *
93
107
  * @generated from message kas.KeyAccess
94
108
  */
95
109
  export type KeyAccess = Message<"kas.KeyAccess"> & {
96
110
  /**
111
+ * Base64-encoded encrypted metadata containing additional key information
112
+ * Optional: Not used during KAS rewrap operations (client-side only)
113
+ * KAS service passes this through without processing or validation
114
+ *
97
115
  * @generated from field: string encrypted_metadata = 1;
98
116
  */
99
117
  encryptedMetadata: string;
100
118
 
101
119
  /**
120
+ * Policy binding ensuring cryptographic integrity between policy and wrapped key
121
+ * Required: ZTDF (contains hash and algorithm)
122
+ * Links the policy to the wrapped key cryptographically
123
+ *
102
124
  * @generated from field: kas.PolicyBinding policy_binding = 2;
103
125
  */
104
126
  policyBinding?: PolicyBinding;
105
127
 
106
128
  /**
129
+ * Protocol identifier for the key access mechanism
130
+ * Optional: Defaults to 'kas'
131
+ * Typically: 'kas' for standard Key Access Service protocol
132
+ * Example: "kas"
133
+ *
107
134
  * @generated from field: string protocol = 3;
108
135
  */
109
136
  protocol: string;
110
137
 
111
138
  /**
139
+ * Type of key wrapping used for the data encryption key
140
+ * Required: Always
141
+ * Values: 'wrapped' (RSA-wrapped for ZTDF), 'ec-wrapped' (experimental ECDH-wrapped), 'hybrid-wrapped' (experimental X-Wing-wrapped)
142
+ *
112
143
  * @generated from field: string key_type = 4 [json_name = "type"];
113
144
  */
114
145
  keyType: string;
115
146
 
116
147
  /**
148
+ * URL of the Key Access Server that can unwrap this key
149
+ * Optional: May be omitted if KAS URL is known from context
150
+ * Used to route rewrap requests to the correct KAS instance
151
+ * Example: "https://kas.example.com"
152
+ *
117
153
  * @generated from field: string kas_url = 5 [json_name = "url"];
118
154
  */
119
155
  kasUrl: string;
120
156
 
121
157
  /**
158
+ * Key identifier for the KAS public key used for wrapping
159
+ * Optional: ZTDF (may specify which KAS key to use, required if present in the TDF)
160
+ * References a specific public key in the KAS key storage (either local keyring or KAS Registry service)
161
+ * Example: "k1", "ec-key-2024"
162
+ *
122
163
  * @generated from field: string kid = 6;
123
164
  */
124
165
  kid: string;
125
166
 
126
167
  /**
168
+ * Split identifier for key splitting scenarios
169
+ * Optional: ZTDF (used in advanced key splitting configurations)
170
+ * Used when keys are split across multiple parties for enhanced security
171
+ *
127
172
  * @generated from field: string split_id = 7 [json_name = "sid"];
128
173
  */
129
174
  splitId: string;
130
175
 
131
176
  /**
177
+ * Client-generated data encryption key wrapped by KAS
178
+ * Required: Always
179
+ * Contains the actual DEK encrypted with KAS's public key
180
+ * This is the core cryptographic material needed for TDF decryption
181
+ *
132
182
  * @generated from field: bytes wrapped_key = 8;
133
183
  */
134
184
  wrappedKey: Uint8Array;
135
185
 
136
186
  /**
137
- * header is only used for NanoTDFs
187
+ * Complete header containing all metadata and policy information (for formats that embed it)
188
+ * Optional: Not used by ZTDF (policy and metadata are separate)
189
+ * Contains magic bytes, version, algorithm, policy, and ephemeral key information
138
190
  *
139
191
  * @generated from field: bytes header = 9;
140
192
  */
141
193
  header: Uint8Array;
142
194
 
143
195
  /**
144
- * For wrapping with an ECDH derived key, when type=ec-wrapped.
145
- * Should be a PEM-encoded PKCS#8 (asn.1) value.
196
+ * Ephemeral public key for ECDH key derivation (ec-wrapped type only)
197
+ * Required: When key_type="ec-wrapped" (experimental ECDH-based ZTDF)
198
+ * Omitted: When key_type="wrapped" or key_type="hybrid-wrapped"
199
+ * Should be a PEM-encoded PKCS#8 (ASN.1) formatted public key
200
+ * Used to derive the symmetric key for unwrapping the DEK
146
201
  *
147
202
  * @generated from field: string ephemeral_public_key = 10;
148
203
  */
@@ -157,21 +212,35 @@ export const KeyAccessSchema: GenMessage<KeyAccess> = /*@__PURE__*/
157
212
  messageDesc(file_kas_kas, 4);
158
213
 
159
214
  /**
215
+ * Bulk-style Rewrap request structure that is serialized into JSON and signed
216
+ * within a Rewrap flow. This message represents the unsigned payload that gets
217
+ * embedded in a JWT as the 'requestBody' claim and signed with a DPoP key.
218
+ *
160
219
  * @generated from message kas.UnsignedRewrapRequest
161
220
  */
162
221
  export type UnsignedRewrapRequest = Message<"kas.UnsignedRewrapRequest"> & {
163
222
  /**
223
+ * Client's public key in PEM format for establishing a session key
224
+ * Required: Always
225
+ * Used by KAS to generate an ephemeral session key for secure key exchange
226
+ *
164
227
  * @generated from field: string client_public_key = 1;
165
228
  */
166
229
  clientPublicKey: string;
167
230
 
168
231
  /**
232
+ * List of policy requests to be processed
233
+ * Required: Always (at least one)
234
+ * Each request represents a policy with its associated key access objects
235
+ *
169
236
  * @generated from field: repeated kas.UnsignedRewrapRequest.WithPolicyRequest requests = 2;
170
237
  */
171
238
  requests: UnsignedRewrapRequest_WithPolicyRequest[];
172
239
 
173
240
  /**
174
- * Used for legacy non-bulk requests
241
+ * Deprecated: Legacy single Key Access Object
242
+ * Used for legacy non-bulk requests (v1 API)
243
+ * Modern clients should use the 'requests' field instead
175
244
  *
176
245
  * @generated from field: kas.KeyAccess key_access = 3 [deprecated = true];
177
246
  * @deprecated
@@ -179,7 +248,9 @@ export type UnsignedRewrapRequest = Message<"kas.UnsignedRewrapRequest"> & {
179
248
  keyAccess?: KeyAccess;
180
249
 
181
250
  /**
182
- * Used for legacy non-bulk requests
251
+ * Deprecated: Legacy single policy
252
+ * Used for legacy non-bulk requests (v1 API)
253
+ * Modern clients should use the 'requests' field instead
183
254
  *
184
255
  * @generated from field: string policy = 4 [deprecated = true];
185
256
  * @deprecated
@@ -187,7 +258,9 @@ export type UnsignedRewrapRequest = Message<"kas.UnsignedRewrapRequest"> & {
187
258
  policy: string;
188
259
 
189
260
  /**
190
- * Used for legacy non-bulk requests
261
+ * Deprecated: Legacy algorithm specification
262
+ * Used for legacy non-bulk requests (v1 API)
263
+ * Modern clients should use the 'requests' field instead
191
264
  *
192
265
  * @generated from field: string algorithm = 5 [deprecated = true];
193
266
  * @deprecated
@@ -203,15 +276,26 @@ export const UnsignedRewrapRequestSchema: GenMessage<UnsignedRewrapRequest> = /*
203
276
  messageDesc(file_kas_kas, 5);
204
277
 
205
278
  /**
279
+ * Policy metadata and content for a group of KeyAccessObjects
280
+ *
206
281
  * @generated from message kas.UnsignedRewrapRequest.WithPolicy
207
282
  */
208
283
  export type UnsignedRewrapRequest_WithPolicy = Message<"kas.UnsignedRewrapRequest.WithPolicy"> & {
209
284
  /**
285
+ * An identifier unique within the scope of the rewrap request
286
+ * Used for mapping between request and response items.
287
+ * Required: Always
288
+ * Example: "policy", "policy-0", "policy-1"
289
+ *
210
290
  * @generated from field: string id = 1;
211
291
  */
212
292
  id: string;
213
293
 
214
294
  /**
295
+ * Policy content - format varies by TDF type:
296
+ * ZTDF: Base64-encoded JSON policy object containing attributes and other policy data
297
+ * Required: ZTDF (base64-encoded policy JSON)
298
+ *
215
299
  * @generated from field: string body = 2;
216
300
  */
217
301
  body: string;
@@ -225,15 +309,24 @@ export const UnsignedRewrapRequest_WithPolicySchema: GenMessage<UnsignedRewrapRe
225
309
  messageDesc(file_kas_kas, 5, 0);
226
310
 
227
311
  /**
312
+ * Key Access Object wrapper with identifier
313
+ *
228
314
  * @generated from message kas.UnsignedRewrapRequest.WithKeyAccessObject
229
315
  */
230
316
  export type UnsignedRewrapRequest_WithKeyAccessObject = Message<"kas.UnsignedRewrapRequest.WithKeyAccessObject"> & {
231
317
  /**
318
+ * Ephemeral, unique identifier for this KAO within the request
319
+ * Required: Always
320
+ * Example: "kao-0", "kao-1", "key-access-object-uuid"
321
+ *
232
322
  * @generated from field: string key_access_object_id = 1;
233
323
  */
234
324
  keyAccessObjectId: string;
235
325
 
236
326
  /**
327
+ * The actual Key Access Object containing cryptographic material and metadata
328
+ * Required: Always
329
+ *
237
330
  * @generated from field: kas.KeyAccess key_access_object = 2;
238
331
  */
239
332
  keyAccessObject?: KeyAccess;
@@ -247,20 +340,34 @@ export const UnsignedRewrapRequest_WithKeyAccessObjectSchema: GenMessage<Unsigne
247
340
  messageDesc(file_kas_kas, 5, 1);
248
341
 
249
342
  /**
343
+ * Request grouping policy with associated key access objects
344
+ *
250
345
  * @generated from message kas.UnsignedRewrapRequest.WithPolicyRequest
251
346
  */
252
347
  export type UnsignedRewrapRequest_WithPolicyRequest = Message<"kas.UnsignedRewrapRequest.WithPolicyRequest"> & {
253
348
  /**
349
+ * List of Key Access Objects associated with this policy
350
+ * Required: Always (at least one)
351
+ * Some formats require exactly one KAO per policy
352
+ *
254
353
  * @generated from field: repeated kas.UnsignedRewrapRequest.WithKeyAccessObject key_access_objects = 1;
255
354
  */
256
355
  keyAccessObjects: UnsignedRewrapRequest_WithKeyAccessObject[];
257
356
 
258
357
  /**
358
+ * Policy information for this group of KAOs
359
+ * Required: Always
360
+ *
259
361
  * @generated from field: kas.UnsignedRewrapRequest.WithPolicy policy = 2;
260
362
  */
261
363
  policy?: UnsignedRewrapRequest_WithPolicy;
262
364
 
263
365
  /**
366
+ * Cryptographic algorithm identifier for the TDF type
367
+ * Optional: Defaults to rsa:2048 if omitted
368
+ * Values: "ec:secp256r1" (EC-based), "rsa:2048" (RSA-based), "" (defaults to rsa:2048)
369
+ * Example: "ec:secp256r1"
370
+ *
264
371
  * @generated from field: string algorithm = 3;
265
372
  */
266
373
  algorithm: string;
@@ -323,10 +430,18 @@ export const PublicKeyResponseSchema: GenMessage<PublicKeyResponse> = /*@__PURE_
323
430
  messageDesc(file_kas_kas, 7);
324
431
 
325
432
  /**
433
+ * Request to rewrap (decrypt and re-encrypt) TDF keys for client access
434
+ *
326
435
  * @generated from message kas.RewrapRequest
327
436
  */
328
437
  export type RewrapRequest = Message<"kas.RewrapRequest"> & {
329
438
  /**
439
+ * A JWT signed by the DPoP (Demonstration of Proof of Possession) private key
440
+ * Required: Always
441
+ * Version differences:
442
+ * - v1 (legacy): Uses existing TDF spec schema in requestBody
443
+ * - v2 (bulk): Uses UnsignedRewrapRequest proto serialized as JSON in requestBody
444
+ *
330
445
  * @generated from field: string signed_request_token = 1;
331
446
  */
332
447
  signedRequestToken: string;
@@ -340,35 +455,58 @@ export const RewrapRequestSchema: GenMessage<RewrapRequest> = /*@__PURE__*/
340
455
  messageDesc(file_kas_kas, 8);
341
456
 
342
457
  /**
458
+ * Result of a key access object rewrap operation
459
+ *
343
460
  * @generated from message kas.KeyAccessRewrapResult
344
461
  */
345
462
  export type KeyAccessRewrapResult = Message<"kas.KeyAccessRewrapResult"> & {
346
463
  /**
464
+ * Metadata associated with this KAO result (e.g., required obligations)
465
+ * Optional: May contain obligation requirements or other policy metadata
466
+ * Common keys: "X-Required-Obligations" with array of obligation FQNs
467
+ *
347
468
  * @generated from field: map<string, google.protobuf.Value> metadata = 1;
348
469
  */
349
470
  metadata: { [key: string]: Value };
350
471
 
351
472
  /**
473
+ * Identifier matching the key_access_object_id from the request
474
+ * Required: Always matches the ID from UnsignedRewrapRequest_WithKeyAccessObject
475
+ *
352
476
  * @generated from field: string key_access_object_id = 2;
353
477
  */
354
478
  keyAccessObjectId: string;
355
479
 
356
480
  /**
481
+ * Status of the rewrap operation for this KAO
482
+ * Required: Always
483
+ * Values: "permit" (success), "fail" (failure)
484
+ *
357
485
  * @generated from field: string status = 3;
358
486
  */
359
487
  status: string;
360
488
 
361
489
  /**
490
+ * Result of the rewrap operation - either success or error
491
+ *
362
492
  * @generated from oneof kas.KeyAccessRewrapResult.result
363
493
  */
364
494
  result: {
365
495
  /**
496
+ * Successfully rewrapped key encrypted with the session key
497
+ * Present when status="permit"
498
+ * Contains the DEK encrypted with the ephemeral session key
499
+ *
366
500
  * @generated from field: bytes kas_wrapped_key = 4;
367
501
  */
368
502
  value: Uint8Array;
369
503
  case: "kasWrappedKey";
370
504
  } | {
371
505
  /**
506
+ * Error message when rewrap failed
507
+ * Present when status="fail"
508
+ * Human-readable description of the failure reason
509
+ *
372
510
  * @generated from field: string error = 5;
373
511
  */
374
512
  value: string;
@@ -384,15 +522,23 @@ export const KeyAccessRewrapResultSchema: GenMessage<KeyAccessRewrapResult> = /*
384
522
  messageDesc(file_kas_kas, 9);
385
523
 
386
524
  /**
525
+ * Result for all KAOs associated with a single policy
526
+ *
387
527
  * @generated from message kas.PolicyRewrapResult
388
528
  */
389
529
  export type PolicyRewrapResult = Message<"kas.PolicyRewrapResult"> & {
390
530
  /**
531
+ * Policy identifier matching the policy.id from the request
532
+ * Required: Always matches the ID from UnsignedRewrapRequest_WithPolicy
533
+ *
391
534
  * @generated from field: string policy_id = 1;
392
535
  */
393
536
  policyId: string;
394
537
 
395
538
  /**
539
+ * Results for each KAO under this policy
540
+ * Required: One result per KAO in the original request
541
+ *
396
542
  * @generated from field: repeated kas.KeyAccessRewrapResult results = 2;
397
543
  */
398
544
  results: KeyAccessRewrapResult[];
@@ -406,34 +552,52 @@ export const PolicyRewrapResultSchema: GenMessage<PolicyRewrapResult> = /*@__PUR
406
552
  messageDesc(file_kas_kas, 10);
407
553
 
408
554
  /**
555
+ * Response containing rewrapped keys and session information
556
+ *
409
557
  * @generated from message kas.RewrapResponse
410
558
  */
411
559
  export type RewrapResponse = Message<"kas.RewrapResponse"> & {
412
560
  /**
561
+ * Deprecated: Legacy metadata field
562
+ * Modern responses use metadata in individual KeyAccessRewrapResult
563
+ *
413
564
  * @generated from field: map<string, google.protobuf.Value> metadata = 1 [deprecated = true];
414
565
  * @deprecated
415
566
  */
416
567
  metadata: { [key: string]: Value };
417
568
 
418
569
  /**
570
+ * Deprecated: Legacy single entity wrapped key
571
+ * Modern responses use kas_wrapped_key in KeyAccessRewrapResult
572
+ *
419
573
  * @generated from field: bytes entity_wrapped_key = 2 [deprecated = true];
420
574
  * @deprecated
421
575
  */
422
576
  entityWrappedKey: Uint8Array;
423
577
 
424
578
  /**
579
+ * KAS's ephemeral session public key in PEM format
580
+ * Required: For EC-based operations (key_type="ec-wrapped")
581
+ * Optional: Empty for RSA-based or X-Wing-based ZTDF (key_type="wrapped" or key_type="hybrid-wrapped")
582
+ * Used by client to perform ECDH key agreement and decrypt the kas_wrapped_key values
583
+ *
425
584
  * @generated from field: string session_public_key = 3;
426
585
  */
427
586
  sessionPublicKey: string;
428
587
 
429
588
  /**
589
+ * Deprecated: Legacy schema version identifier
590
+ * Modern responses use implicit versioning
591
+ *
430
592
  * @generated from field: string schema_version = 4 [deprecated = true];
431
593
  * @deprecated
432
594
  */
433
595
  schemaVersion: string;
434
596
 
435
597
  /**
436
- * New Rewrap API changes
598
+ * Policy-grouped rewrap results for the bulk API
599
+ * Required: Modern v2 API responses
600
+ * Each PolicyRewrapResult contains results for all KAOs under that policy
437
601
  *
438
602
  * @generated from field: repeated kas.PolicyRewrapResult responses = 5;
439
603
  */