@openvtc/trust-tasks 0.1.0 → 0.2.0

package/dist/auth/step-up/approve-request/0.1/payload.d.ts

@@ -26,12 +26,40 @@ export interface AuthStepUpApproveRequest {
      * The acr the relying party expects on the elevated session. Approvers MAY refuse if they cannot deliver this level.
      */
     targetAcr?: string;
+    /**
+     * Which approve-response evidence kinds the relying party will accept (see auth/step-up/approve-response `evidence`). When omitted, the approver MAY use any kind it supports. An approver that cannot satisfy any listed kind SHOULD refuse with `method_unsupported`.
+     *
+     * @minItems 1
+     */
+    acceptableEvidence?: ["did-signed" | "webauthn", ...("did-signed" | "webauthn")[]];
+    webauthn?: PublicKeyCredentialRequestOptions;
     /**
      * Seconds within which the relying party expects the approve-response. Approvers SHOULD treat as advisory — the relying party's own expiry policy is authoritative.
      */
     ttl?: number;
     ext?: Ext;
 }
+/**
+ * Optional WebAuthn `PublicKeyCredentialRequestOptions` the approver passes to the platform passkey API when producing `webauthn` evidence. When present, its `challenge` MUST equal `payload.challenge` so the resulting assertion binds the same nonce the relying party bound server-side. `rpId`/`allowCredentials` identify which credential the approver should assert with.
+ */
+export interface PublicKeyCredentialRequestOptions {
+    /**
+     * base64url-encoded one-time nonce.
+     */
+    challenge: string;
+    timeout?: number;
+    rpId?: string;
+    allowCredentials?: PublicKeyCredentialDescriptor[];
+    userVerification?: "discouraged" | "preferred" | "required";
+}
+export interface PublicKeyCredentialDescriptor {
+    type: "public-key";
+    /**
+     * base64url-encoded credential id.
+     */
+    id: string;
+    transports?: ("usb" | "nfc" | "ble" | "internal" | "hybrid")[];
+}
 /**
  * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
  */

package/dist/auth/step-up/approve-request/0.1/payload.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../../src/auth/step-up/approve-request/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,8DAAuE,CAAC;AAEhG,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,uEAAgF,CAAC"}
+{"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../../src/auth/step-up/approve-request/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,CAAC,YAAY,GAAG,UAAU,EAAE,GAAG,CAAC,YAAY,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;IACnF,QAAQ,CAAC,EAAE,iCAAiC,CAAC;IAC7C;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,iCAAiC;IAChD;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,gBAAgB,CAAC,EAAE,6BAA6B,EAAE,CAAC;IACnD,gBAAgB,CAAC,EAAE,aAAa,GAAG,WAAW,GAAG,UAAU,CAAC;CAC7D;AACD,MAAM,WAAW,6BAA6B;IAC5C,IAAI,EAAE,YAAY,CAAC;IACnB;;OAEG;IACH,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,CAAC,EAAE,CAAC,KAAK,GAAG,KAAK,GAAG,KAAK,GAAG,UAAU,GAAG,QAAQ,CAAC,EAAE,CAAC;CAChE;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,8DAAuE,CAAC;AAEhG,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,uEAAgF,CAAC"}

package/dist/auth/step-up/approve-request/0.1/payload.js.map

@@ -1 +1 @@
-{"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../../src/auth/step-up/approve-request/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAuCH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,8DAAuE,CAAC;AAEhG,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,uEAAgF,CAAC"}
+{"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../../src/auth/step-up/approve-request/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAmEH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,8DAAuE,CAAC;AAEhG,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,uEAAgF,CAAC"}

package/dist/auth/step-up/approve-response/0.1/payload.d.ts

@@ -2,6 +2,10 @@
  * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
  * Source: specs/auth/step-up/approve-response/0.1/payload.schema.json
  */
+/**
+ * How the approver demonstrated the factor backing this elevation. A tagged union on `kind`. When `evidence` is absent the elevation is gated solely by the document's framework `proof` (equivalent to `kind: did-signed`). When `kind: webauthn` is supplied, the carried WebAuthn assertion over `challenge` is the gate and the framework `proof` MAY be omitted.
+ */
+export type StepUpEvidence = DidSigned | WebAuthn;
 /**
  * The approver's signed ratification of a step-up: subject + sessionId + challenge are echoed inside a proof-bearing document so the relying party can elevate the session.
  */
@@ -30,8 +34,35 @@ export interface AuthStepUpApproveResponse {
      * The acr the approver believes it has cryptographically demonstrated. The relying party MAY accept this, MAY upgrade to a lower value, but MUST NOT exceed it.
      */
     grantedAcr?: string;
+    evidence?: StepUpEvidence;
     ext?: Ext;
 }
+/**
+ * The elevation is gated by the document's framework `proof` — a Data Integrity signature from a key the subject controls (SPEC §4.7). This is the default when `evidence` is omitted. `amr` reflects "vta"/"did".
+ */
+export interface DidSigned {
+    kind: "did-signed";
+}
+export interface WebAuthn {
+    kind: "webauthn";
+    assertion: AuthenticatorAssertionResponseLogin;
+}
+/**
+ * The unmodified AuthenticatorAssertionResponse from the platform WebAuthn API (`navigator.credentials.get` / ASAuthorization / Credential Manager). Its `clientDataJSON` challenge MUST equal the step-up `challenge`. The relying party verifies it per WebAuthn Level 2 §7.2 exactly as auth/passkey/login/finish does; the assertion is the gate and `amr` reflects "passkey".
+ */
+export interface AuthenticatorAssertionResponseLogin {
+    id: string;
+    rawId: string;
+    type: "public-key";
+    response: {
+        clientDataJSON: string;
+        authenticatorData: string;
+        signature: string;
+        userHandle?: string | null;
+    };
+    authenticatorAttachment?: "platform" | "cross-platform";
+    clientExtensionResults?: {};
+}
 /**
  * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
  */

package/dist/auth/step-up/approve-response/0.1/payload.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../../src/auth/step-up/approve-response/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,QAAQ,EAAE,UAAU,GAAG,QAAQ,CAAC;IAChC;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,+DAAwE,CAAC;AAEjG,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,wEAAiF,CAAC"}
+{"version":3,"file":"payload.d.ts","sourceRoot":"","sources":["../../../../../src/auth/step-up/approve-response/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,QAAQ,CAAC;AAElD;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,QAAQ,EAAE,UAAU,GAAG,QAAQ,CAAC;IAChC;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,GAAG,CAAC,EAAE,GAAG,CAAC;CACX;AACD;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,YAAY,CAAC;CACpB;AACD,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,UAAU,CAAC;IACjB,SAAS,EAAE,mCAAmC,CAAC;CAChD;AACD;;GAEG;AACH,MAAM,WAAW,mCAAmC;IAClD,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,YAAY,CAAC;IACnB,QAAQ,EAAE;QACR,cAAc,EAAE,MAAM,CAAC;QACvB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5B,CAAC;IACF,uBAAuB,CAAC,EAAE,UAAU,GAAG,gBAAgB,CAAC;IACxD,sBAAsB,CAAC,EAAE,EAAE,CAAC;CAC7B;AACD;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC;CAClC;AAED,2BAA2B;AAC3B,eAAO,MAAM,QAAQ,EAAG,+DAAwE,CAAC;AAEjG,qEAAqE;AACrE,eAAO,MAAM,iBAAiB,EAAG,wEAAiF,CAAC"}

package/dist/auth/step-up/approve-response/0.1/payload.js.map

@@ -1 +1 @@
-{"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../../src/auth/step-up/approve-response/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAuCH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,+DAAwE,CAAC;AAEjG,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,wEAAiF,CAAC"}
+{"version":3,"file":"payload.js","sourceRoot":"","sources":["../../../../../src/auth/step-up/approve-response/0.1/payload.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAuEH,2BAA2B;AAC3B,MAAM,CAAC,MAAM,QAAQ,GAAG,+DAAwE,CAAC;AAEjG,qEAAqE;AACrE,MAAM,CAAC,MAAM,iBAAiB,GAAG,wEAAiF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openvtc/trust-tasks",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Generated TypeScript bindings for the Trust Tasks framework registry.",
   "type": "module",
   "main": "./dist/index.js",
@@ -25,7 +25,7 @@
     "clean": "rm -rf dist"
   },
   "devDependencies": {
-    "typescript": "^5.6.0"
+    "typescript": "^6.0.0"
   },
   "license": "Apache-2.0",
   "repository": {

package/src/_framework/0.2/framework.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/_framework/0.2/framework.schema.json
+ */
+
+/**
+ * Reusable $defs cross-referenced by individual Trust Task specifications. Not itself a Trust Task specification — the `_framework` directory is skipped by the registry build (folders starting with `_` are not discovered) and by the codegen (which only triggers on payload.schema.json). See SPEC.md §4.5.1 for the normative description of `ext`.
+ */
+export interface TrustTasksFrameworkReusableJSONSchemaDefinitions {
+  [k: string]: unknown | undefined;
+}

package/src/acl/grant/0.1/payload.ts

@@ -45,6 +45,19 @@ export interface AclEntry {
    * Optional time after which the entry is no longer effective.
    */
   expiresAt?: string;
+  /**
+   * Per-entry authentication step-up configuration, consumed by the ACL maintainer when it gates an operation behind a step-up (see auth/step-up/policy/0.1). ADDITIVE-ONLY: a per-entry setting MAY raise the assurance required of this subject above the maintainer's system-wide floor, but MUST NOT lower it. The maintainer resolves the effective requirement as the strictest of (system floor, this entry).
+   */
+  stepUp?: {
+    /**
+     * VID authorized to ratify step-up for this subject — the `recipient` the maintainer addresses an auth/step-up/approve-request to (e.g. the holder's mobile authenticator or browser companion). Absent → the subject is its own approver (mode `self`) when it holds a usable authenticator; if neither an `approver` nor a self authenticator exists, no step-up method is available for this subject and the maintainer's fail-closed rule applies.
+     */
+    approver?: string;
+    /**
+     * Minimum step-up mode this subject MUST satisfy for gated operations, raising the system floor. `self` = the subject re-authenticates its own session; `delegated` = a separate `approver` MUST ratify. Omitted → the system floor applies unchanged. A value weaker than the resolved floor is ignored (additive-only).
+     */
+    require?: "self" | "delegated";
+  };
   ext?: Ext;
 }
 /**

package/src/auth/passkey/login/finish/0.2/payload.ts

@@ -0,0 +1,44 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/passkey/login/finish/0.2/payload.schema.json
+ */
+
+/**
+ * Submit the WebAuthn assertion that completes a passkey login or step-up ceremony. On success the auth service issues a session (login) or elevates an existing session's acr (step-up).
+ */
+export interface AuthPasskeyLoginFinish {
+  /**
+   * The authId issued by the matching login/start response. Echoed verbatim.
+   */
+  authId: string;
+  credential: AuthenticatorAssertionResponseLogin;
+  ext?: Ext;
+}
+/**
+ * AuthenticatorAssertionResponse as returned by `navigator.credentials.get`. Binary fields base64url-encoded.
+ */
+export interface AuthenticatorAssertionResponseLogin {
+  id: string;
+  rawId: string;
+  type: "public-key";
+  response: {
+    clientDataJSON: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle?: string | null;
+  };
+  authenticatorAttachment?: "platform" | "cross-platform";
+  clientExtensionResults?: {};
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/passkey/login/finish/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/passkey/login/finish/0.2#response" as const;

package/src/auth/passkey/login/start/0.2/payload.ts

@@ -0,0 +1,31 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/passkey/login/start/0.2/payload.schema.json
+ */
+
+/**
+ * Ask the auth service to begin a WebAuthn authentication ceremony. The response carries PublicKeyCredentialRequestOptions for `navigator.credentials.get`.
+ */
+export interface AuthPasskeyLoginStart {
+  /**
+   * The VID the producer intends to authenticate as. Optional — omit for usernameless / discoverable-credential flows where any registered passkey may answer.
+   */
+  subject?: string;
+  /**
+   * Producer-declared intent. `login` issues a new session; `stepUp` elevates an existing session's `acr`. The consumer's behaviour on the matching finish differs accordingly.
+   */
+  purpose?: "login" | "stepUp";
+  ext?: Ext;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/passkey/login/start/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/passkey/login/start/0.2#response" as const;

package/src/auth/step-up/approve-request/0.1/payload.ts

@@ -27,12 +27,40 @@ export interface AuthStepUpApproveRequest {
    * The acr the relying party expects on the elevated session. Approvers MAY refuse if they cannot deliver this level.
    */
   targetAcr?: string;
+  /**
+   * Which approve-response evidence kinds the relying party will accept (see auth/step-up/approve-response `evidence`). When omitted, the approver MAY use any kind it supports. An approver that cannot satisfy any listed kind SHOULD refuse with `method_unsupported`.
+   *
+   * @minItems 1
+   */
+  acceptableEvidence?: ["did-signed" | "webauthn", ...("did-signed" | "webauthn")[]];
+  webauthn?: PublicKeyCredentialRequestOptions;
   /**
    * Seconds within which the relying party expects the approve-response. Approvers SHOULD treat as advisory — the relying party's own expiry policy is authoritative.
    */
   ttl?: number;
   ext?: Ext;
 }
+/**
+ * Optional WebAuthn `PublicKeyCredentialRequestOptions` the approver passes to the platform passkey API when producing `webauthn` evidence. When present, its `challenge` MUST equal `payload.challenge` so the resulting assertion binds the same nonce the relying party bound server-side. `rpId`/`allowCredentials` identify which credential the approver should assert with.
+ */
+export interface PublicKeyCredentialRequestOptions {
+  /**
+   * base64url-encoded one-time nonce.
+   */
+  challenge: string;
+  timeout?: number;
+  rpId?: string;
+  allowCredentials?: PublicKeyCredentialDescriptor[];
+  userVerification?: "discouraged" | "preferred" | "required";
+}
+export interface PublicKeyCredentialDescriptor {
+  type: "public-key";
+  /**
+   * base64url-encoded credential id.
+   */
+  id: string;
+  transports?: ("usb" | "nfc" | "ble" | "internal" | "hybrid")[];
+}
 /**
  * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
  */

package/src/auth/step-up/approve-request/0.2/payload.ts

@@ -0,0 +1,75 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/step-up/approve-request/0.2/payload.schema.json
+ */
+
+/**
+ * A relying party asks an approver (typically a wallet or a VTA) to ratify an AAL elevation for a subject's session.
+ */
+export interface AuthStepUpApproveRequest {
+  /**
+   * The VID whose session is being elevated. The approver MUST verify this is a VID it can speak for.
+   */
+  subject: string;
+  /**
+   * The session the relying party wants elevated. Opaque to the approver.
+   */
+  sessionId: string;
+  /**
+   * base64url-encoded nonce the approver will include in the approve-response signature. ≥128 bits entropy.
+   */
+  challenge: string;
+  /**
+   * Human-readable explanation of WHY the relying party is asking (e.g. "confirm transfer of 1000 USD to bob.example"). Surfaced to the user by the approver for consent. SHOULD be specific enough that a user can refuse intelligently.
+   */
+  reason: string;
+  /**
+   * The acr the relying party expects on the elevated session. Approvers MAY refuse if they cannot deliver this level.
+   */
+  targetAcr?: string;
+  /**
+   * Which approve-response evidence kinds the relying party will accept (see auth/step-up/approve-response `evidence`). When omitted, the approver MAY use any kind it supports. An approver that cannot satisfy any listed kind SHOULD refuse with `method_unsupported`.
+   *
+   * @minItems 1
+   */
+  acceptableEvidence?: ["didSigned" | "webauthn", ...("didSigned" | "webauthn")[]];
+  webauthn?: PublicKeyCredentialRequestOptions;
+  /**
+   * Seconds within which the relying party expects the approve-response. Approvers SHOULD treat as advisory — the relying party's own expiry policy is authoritative.
+   */
+  ttl?: number;
+  ext?: Ext;
+}
+/**
+ * Optional WebAuthn `PublicKeyCredentialRequestOptions` the approver passes to the platform passkey API when producing `webauthn` evidence. When present, its `challenge` MUST equal `payload.challenge` so the resulting assertion binds the same nonce the relying party bound server-side. `rpId`/`allowCredentials` identify which credential the approver should assert with.
+ */
+export interface PublicKeyCredentialRequestOptions {
+  /**
+   * base64url-encoded one-time nonce.
+   */
+  challenge: string;
+  timeout?: number;
+  rpId?: string;
+  allowCredentials?: PublicKeyCredentialDescriptor[];
+  userVerification?: "discouraged" | "preferred" | "required";
+}
+export interface PublicKeyCredentialDescriptor {
+  type: "public-key";
+  /**
+   * base64url-encoded credential id.
+   */
+  id: string;
+  transports?: ("usb" | "nfc" | "ble" | "internal" | "hybrid")[];
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/step-up/approve-request/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/step-up/approve-request/0.2#response" as const;

package/src/auth/step-up/approve-response/0.1/payload.ts

@@ -3,6 +3,11 @@
  * Source: specs/auth/step-up/approve-response/0.1/payload.schema.json
  */
 
+/**
+ * How the approver demonstrated the factor backing this elevation. A tagged union on `kind`. When `evidence` is absent the elevation is gated solely by the document's framework `proof` (equivalent to `kind: did-signed`). When `kind: webauthn` is supplied, the carried WebAuthn assertion over `challenge` is the gate and the framework `proof` MAY be omitted.
+ */
+export type StepUpEvidence = DidSigned | WebAuthn;
+
 /**
  * The approver's signed ratification of a step-up: subject + sessionId + challenge are echoed inside a proof-bearing document so the relying party can elevate the session.
  */
@@ -31,8 +36,35 @@ export interface AuthStepUpApproveResponse {
    * The acr the approver believes it has cryptographically demonstrated. The relying party MAY accept this, MAY upgrade to a lower value, but MUST NOT exceed it.
    */
   grantedAcr?: string;
+  evidence?: StepUpEvidence;
   ext?: Ext;
 }
+/**
+ * The elevation is gated by the document's framework `proof` — a Data Integrity signature from a key the subject controls (SPEC §4.7). This is the default when `evidence` is omitted. `amr` reflects "vta"/"did".
+ */
+export interface DidSigned {
+  kind: "did-signed";
+}
+export interface WebAuthn {
+  kind: "webauthn";
+  assertion: AuthenticatorAssertionResponseLogin;
+}
+/**
+ * The unmodified AuthenticatorAssertionResponse from the platform WebAuthn API (`navigator.credentials.get` / ASAuthorization / Credential Manager). Its `clientDataJSON` challenge MUST equal the step-up `challenge`. The relying party verifies it per WebAuthn Level 2 §7.2 exactly as auth/passkey/login/finish does; the assertion is the gate and `amr` reflects "passkey".
+ */
+export interface AuthenticatorAssertionResponseLogin {
+  id: string;
+  rawId: string;
+  type: "public-key";
+  response: {
+    clientDataJSON: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle?: string | null;
+  };
+  authenticatorAttachment?: "platform" | "cross-platform";
+  clientExtensionResults?: {};
+}
 /**
  * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
  */

package/src/auth/step-up/approve-response/0.2/payload.ts

@@ -0,0 +1,79 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/step-up/approve-response/0.2/payload.schema.json
+ */
+
+/**
+ * How the approver demonstrated the factor backing this elevation. A tagged union on `kind`. When `evidence` is absent the elevation is gated solely by the document's framework `proof` (equivalent to `kind: did-signed`). When `kind: webauthn` is supplied, the carried WebAuthn assertion over `challenge` is the gate and the framework `proof` MAY be omitted.
+ */
+export type StepUpEvidence = DidSigned | WebAuthn;
+
+/**
+ * The approver's signed ratification of a step-up: subject + sessionId + challenge are echoed inside a proof-bearing document so the relying party can elevate the session.
+ */
+export interface AuthStepUpApproveResponse {
+  /**
+   * Echoed from the matching approve-request. The relying party verifies it equals the session's subject.
+   */
+  subject: string;
+  /**
+   * Echoed from the matching approve-request. The relying party uses it to locate the session to elevate.
+   */
+  sessionId: string;
+  /**
+   * Echoed from the matching approve-request. The relying party verifies it equals the bound challenge.
+   */
+  challenge: string;
+  /**
+   * `approved` elevates the session per the relying party's policy. `denied` is a signed refusal — useful for audit even though it elevates nothing.
+   */
+  decision: "approved" | "denied";
+  /**
+   * Required when decision is `denied`. Human-readable rationale the user provided (or which the approver inferred).
+   */
+  deniedReason?: string;
+  /**
+   * The acr the approver believes it has cryptographically demonstrated. The relying party MAY accept this, MAY upgrade to a lower value, but MUST NOT exceed it.
+   */
+  grantedAcr?: string;
+  evidence?: StepUpEvidence;
+  ext?: Ext;
+}
+/**
+ * The elevation is gated by the document's framework `proof` — a Data Integrity signature from a key the subject controls (SPEC §4.7). This is the default when `evidence` is omitted. `amr` reflects "vta"/"did".
+ */
+export interface DidSigned {
+  kind: "didSigned";
+}
+export interface WebAuthn {
+  kind: "webauthn";
+  assertion: AuthenticatorAssertionResponseLogin;
+}
+/**
+ * The unmodified AuthenticatorAssertionResponse from the platform WebAuthn API (`navigator.credentials.get` / ASAuthorization / Credential Manager). Its `clientDataJSON` challenge MUST equal the step-up `challenge`. The relying party verifies it per WebAuthn Level 2 §7.2 exactly as auth/passkey/login/finish does; the assertion is the gate and `amr` reflects "passkey".
+ */
+export interface AuthenticatorAssertionResponseLogin {
+  id: string;
+  rawId: string;
+  type: "public-key";
+  response: {
+    clientDataJSON: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle?: string | null;
+  };
+  authenticatorAttachment?: "platform" | "cross-platform";
+  clientExtensionResults?: {};
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/step-up/approve-response/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/step-up/approve-response/0.2#response" as const;

package/src/auth/step-up/policy/0.1/payload.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/step-up/policy/0.1/payload.schema.json
+ */
+
+/**
+ * The relying party's (ACL maintainer's) system-wide step-up policy: the per-operation-class floor that decides whether — and how — a step-up to a higher assurance level is required before a gated operation proceeds. Set by an administrator; resolved per request against per-entry overrides (see acl/_shared AclEntry.stepUp).
+ */
+export interface AuthStepUpPolicyPayload {
+  /**
+   * Master switch. `false` (the shipping default) ⇒ step-up is NOT enforced anywhere; every operation proceeds at AAL1 regardless of `floors`, because a freshly-provisioned maintainer has no registered approver and could not otherwise be administered (chicken-and-egg). The maintainer SHOULD surface this 'not enforced' state prominently. `true` ⇒ the `floors` are enforced.
+   */
+  enabled: boolean;
+  /**
+   * The system-wide minimum step-up requirement per operation-class — the maintainer-owned floor. Per-entry `stepUp` settings on an AclEntry MAY raise the requirement for a given subject but MUST NOT lower it (additive-only). The effective requirement for a request is the strictest of (matching floor, caller's per-entry setting).
+   */
+  floors: StepUpFloor[];
+  ext?: Ext;
+}
+export interface StepUpFloor {
+  /**
+   * The operation-class this floor governs: a Trust Task type URI or slug (e.g. `acl/grant`, `acl/swap-key`, `context/delete`, `key/revoke`, `vault/release`), or `*` for the catch-all default applied when no more-specific floor matches.
+   */
+  operation: string;
+  /**
+   * Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegated-any` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.
+   */
+  mode: "none" | "self" | "delegated" | "delegated-any";
+  /**
+   * Carve-out for non-escalating self-service operations (notably acl/swap-key key-rotation and method-enrolment). When `true` and the maintainer verifies the request does not escalate (its resulting AclEntry's role and scopes are a subset of the caller's existing entry, and the caller acts on its own entry), the operation is admitted at AAL1 even though `mode` requires AAL2 — so a holder with no authenticator yet can still bootstrap/rotate. Omitted is equivalent to `false` (the correct default for escalating operations such as acl/grant, change-role, revoke, context/delete, key/revoke): a caller lacking a usable step-up method is denied (fail-closed) rather than silently downgraded to AAL1.
+   */
+  allowAal1IfNonEscalating?: boolean;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/step-up/policy/0.1" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/step-up/policy/0.1#response" as const;

package/src/auth/step-up/policy/0.2/payload.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/auth/step-up/policy/0.2/payload.schema.json
+ */
+
+/**
+ * The relying party's (ACL maintainer's) system-wide step-up policy: the per-operation-class floor that decides whether — and how — a step-up to a higher assurance level is required before a gated operation proceeds. Set by an administrator; resolved per request against per-entry overrides (see acl/_shared AclEntry.stepUp).
+ */
+export interface AuthStepUpPolicyPayload {
+  /**
+   * Master switch. `false` (the shipping default) ⇒ step-up is NOT enforced anywhere; every operation proceeds at AAL1 regardless of `floors`, because a freshly-provisioned maintainer has no registered approver and could not otherwise be administered (chicken-and-egg). The maintainer SHOULD surface this 'not enforced' state prominently. `true` ⇒ the `floors` are enforced.
+   */
+  enabled: boolean;
+  /**
+   * The system-wide minimum step-up requirement per operation-class — the maintainer-owned floor. Per-entry `stepUp` settings on an AclEntry MAY raise the requirement for a given subject but MUST NOT lower it (additive-only). The effective requirement for a request is the strictest of (matching floor, caller's per-entry setting).
+   */
+  floors: StepUpFloor[];
+  ext?: Ext;
+}
+export interface StepUpFloor {
+  /**
+   * The operation-class this floor governs: a Trust Task type URI or slug (e.g. `acl/grant`, `acl/swap-key`, `context/delete`, `key/revoke`, `vault/release`), or `*` for the catch-all default applied when no more-specific floor matches.
+   */
+  operation: string;
+  /**
+   * Minimum mode required to perform the operation. `none` = AAL1 permitted (no step-up). `self` = the caller must elevate its own session (AAL2 via its own authenticator). `delegated` = a separate approver named on the caller's AclEntry (`stepUp.approver`) MUST ratify (AAL2 via auth/step-up/approve-request). `delegatedAny` = any VID satisfying the maintainer's approver criterion MAY ratify. Strictness order for floor/override resolution: none < self < delegated-any < delegated.
+   */
+  mode: "none" | "self" | "delegated" | "delegatedAny";
+  /**
+   * Carve-out for non-escalating self-service operations (notably acl/swap-key key-rotation and method-enrolment). When `true` and the maintainer verifies the request does not escalate (its resulting AclEntry's role and scopes are a subset of the caller's existing entry, and the caller acts on its own entry), the operation is admitted at AAL1 even though `mode` requires AAL2 — so a holder with no authenticator yet can still bootstrap/rotate. Omitted is equivalent to `false` (the correct default for escalating operations such as acl/grant, change-role, revoke, context/delete, key/revoke): a caller lacking a usable step-up method is denied (fail-closed) rather than silently downgraded to AAL1.
+   */
+  allowAal1IfNonEscalating?: boolean;
+}
+/**
+ * Ecosystem-defined extension members per SPEC.md §4.5.1.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/auth/step-up/policy/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/auth/step-up/policy/0.2#response" as const;

package/src/device/_shared/0.2/device-binding.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/_shared/0.2/device-binding.schema.json
+ */
+
+/**
+ * Canonical metadata view of a registered consumer device — a Companion (browser plugin, mobile app, desktop app) or a Service (mediator, AI agent, daemon) enrolled to a VTA. Referenced by every device/* specification. Pairs with the ACL: a DeviceBinding is the device-facing half of an AclEntry. Most fields are maintainer-side observations (device id, attestation, timestamps); a few are consumer-supplied at registration time (form factor, display name).
+ */
+export interface DeviceBindingSharedDefinitionForTheDeviceSpecFamily {
+  [k: string]: unknown | undefined;
+}

package/src/device/heartbeat/0.2/payload.ts

@@ -0,0 +1,31 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/heartbeat/0.2/payload.schema.json
+ */
+
+/**
+ * Periodic check-in from a Companion or Service. Refreshes `lastSeenAt`, carries optional state digests, and gives the maintainer a chance to deliver queued operations (notably queued wipes for targets that were offline at issuance).
+ */
+export interface DeviceHeartbeatPayload {
+  /**
+   * Updated platform descriptor if it changed since registration (e.g. browser updated).
+   */
+  platform?: string;
+  /**
+   * Optional — consumer's current sync baseline. If the maintainer notices a gap (consumer is behind), the response can hint that a vault/sync is due.
+   */
+  vaultSeq?: number;
+  ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/heartbeat/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/heartbeat/0.2#response" as const;