@openvtc/trust-tasks 0.1.0 → 0.2.0

package/src/device/list/0.2/payload.ts

@@ -0,0 +1,48 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/list/0.2/payload.schema.json
+ */
+
+/**
+ * Fine-grained capability flag scoped to the device's allowed contexts. See SPEC.md for the full semantics of each.
+ */
+export type Capability =
+  | "vaultRead"
+  | "vaultWrite"
+  | "proxyLogin"
+  | "fillRelease"
+  | "policyAdmin"
+  | "deviceAdmin"
+  | "sign"
+  | "keyMint";
+
+/**
+ * List DeviceBindings known to the maintainer, optionally filtered by consumer kind, capability, status, and last-seen time.
+ */
+export interface DeviceListPayload {
+  consumerKindFilter?: "companion" | "service";
+  formFactorFilter?: "browser" | "mobile" | "desktop";
+  serviceKindFilter?: "mediator" | "aiAgent" | "daemon";
+  capabilityFilter?: Capability;
+  /**
+   * When true, include devices with `disabledAt` set. Default omits disabled.
+   */
+  includeDisabled?: boolean;
+  includeWiped?: boolean;
+  lastSeenSince?: string;
+  pageSize?: number;
+  cursor?: string;
+  ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/list/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/list/0.2#response" as const;

package/src/device/register/0.1/payload.ts

@@ -26,6 +26,7 @@ export interface DeviceRegisterPayload {
   displayName: string;
   platform?: string;
   attestation?: DeviceAttestation;
+  keyCustody?: KeyCustody;
   /**
    * X25519 public key (did:key form) the maintainer will use to HPKE-seal sensitive payloads to this device (sealed secrets, session blobs, sync events). REQUIRED — every Companion/Service needs a recipient key.
    */
@@ -74,6 +75,23 @@ export interface NitroEnclave {
 export interface NoAttestation {
   kind: "none";
 }
+/**
+ * OPTIONAL. How the device custodies its private keys (tier + algorithms). RECOMMENDED for mobile Companions. Maintainer policy input — see docs/design-notes/mobile-key-custody-profile.md.
+ */
+export interface KeyCustody {
+  /**
+   * `hardware`: the key is non-exportable in the secure keystore (iOS Secure Enclave / Android StrongBox) and every signing / key-agreement operation runs in-chip — achievable only with P-256. `software`: the key is held in app memory during use, stored hardware-wrapped at rest. Maintainers MAY apply stricter policy (shorter sessions, more frequent step-up) to `software`-tier devices.
+   */
+  tier: "hardware" | "software";
+  /**
+   * JOSE `alg` of the holder's signing key, e.g. `ES256` (hardware-custodiable on mobile) or `EdDSA` (not).
+   */
+  signingAlg?: string;
+  /**
+   * Curve of the holder's keyAgreement key, e.g. `P-256` (hardware-custodiable on mobile) or `X25519` (not).
+   */
+  keyAgreementCurve?: string;
+}
 /**
  * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
  */

package/src/device/register/0.2/payload.ts

@@ -0,0 +1,106 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/register/0.2/payload.schema.json
+ */
+
+/**
+ * Discriminator: is this consumer a user-driven Companion or a headless Service?
+ */
+export type ConsumerKind = Companion | Service;
+/**
+ * Producer-supplied attestation at registration time, verifiable by the maintainer against the platform's attestation infrastructure. Tagged union over the discriminator `kind`.
+ */
+export type DeviceAttestation =
+  | WebAuthnAttestation
+  | AppleAppAttest
+  | PlayIntegrity
+  | Tpm
+  | NitroEnclave
+  | NoAttestation;
+
+/**
+ * Public discovery surface that wraps the maintainer's existing two-phase enrolment (provision-integration → acl/swap-key). A new Companion or Service hands the maintainer its long-term VTA-derived key, its consumer kind, display name, and an optional device attestation; the maintainer creates the DeviceBinding and returns it. Phase 1 (provision-integration) is assumed to have already happened — this task is the post-bootstrap claim step.
+ */
+export interface DeviceRegisterPayload {
+  consumerKind: ConsumerKind;
+  displayName: string;
+  platform?: string;
+  attestation?: DeviceAttestation;
+  keyCustody?: KeyCustody;
+  /**
+   * X25519 public key (did:key form) the maintainer will use to HPKE-seal sensitive payloads to this device (sealed secrets, session blobs, sync events). REQUIRED — every Companion/Service needs a recipient key.
+   */
+  hpkePublicKey?: string;
+  ext?: Ext;
+}
+export interface Companion {
+  kind: "companion";
+  formFactor: "browser" | "mobile" | "desktop";
+}
+export interface Service {
+  kind: "service";
+  serviceKind: "mediator" | "aiAgent" | "daemon";
+}
+export interface WebAuthnAttestation {
+  kind: "webauthn";
+  /**
+   * WebAuthn Authenticator AAGUID (UUID).
+   */
+  aaguid: string;
+  /**
+   * Base64url-encoded WebAuthn attestation statement, when supplied by the platform.
+   */
+  attestationStatement?: string;
+}
+export interface AppleAppAttest {
+  kind: "appleAppAttest";
+  keyId: string;
+  attestation: string;
+}
+export interface PlayIntegrity {
+  kind: "playIntegrity";
+  token: string;
+}
+export interface Tpm {
+  kind: "tpm";
+  quote: string;
+}
+export interface NitroEnclave {
+  kind: "nitroEnclave";
+  quote: string;
+}
+/**
+ * No device-level attestation is available. Maintainers MAY still register the device but SHOULD apply stricter policy (shorter session TTL, more frequent step-up).
+ */
+export interface NoAttestation {
+  kind: "none";
+}
+/**
+ * OPTIONAL. How the device custodies its private keys (tier + algorithms). RECOMMENDED for mobile Companions. Maintainer policy input — see docs/design-notes/mobile-key-custody-profile.md.
+ */
+export interface KeyCustody {
+  /**
+   * `hardware`: the key is non-exportable in the secure keystore (iOS Secure Enclave / Android StrongBox) and every signing / key-agreement operation runs in-chip — achievable only with P-256. `software`: the key is held in app memory during use, stored hardware-wrapped at rest. Maintainers MAY apply stricter policy (shorter sessions, more frequent step-up) to `software`-tier devices.
+   */
+  tier: "hardware" | "software";
+  /**
+   * JOSE `alg` of the holder's signing key, e.g. `ES256` (hardware-custodiable on mobile) or `EdDSA` (not).
+   */
+  signingAlg?: string;
+  /**
+   * Curve of the holder's keyAgreement key, e.g. `P-256` (hardware-custodiable on mobile) or `X25519` (not).
+   */
+  keyAgreementCurve?: string;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/register/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/register/0.2#response" as const;

package/src/device/set-wake/0.1/payload.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/set-wake/0.1/payload.schema.json
+ */
+
+/**
+ * A device conveys to its VTA the opaque WakeHandle it obtained from a push gateway, so the VTA can own the trigger allowlist and provision the gateway. Carries no platform push token — only the handle. Present `wakeHandle` sets/replaces the wake channel; absent clears it (device becomes non-wakeable). Idempotent; re-issued on token rotation. See the push wake-up binding (https://trusttasks.org/binding/push/0.1).
+ */
+export interface DeviceSetWakePayload {
+  wakeHandle?: WakeHandle;
+  /**
+   * OPTIONAL, advisory. The abstract platform behind the handle, for device/list visibility only. The VTA never sees the token; this is a non-authoritative hint.
+   */
+  pushPlatform?: "apns" | "fcm" | "webpush";
+  /**
+   * OPTIONAL, advisory. DIDs the device suggests as wake triggers (e.g. its mediator). The VTA owns the allowlist and MAY ignore this entirely — it is a hint, not an instruction.
+   */
+  suggestedTriggers?: string[];
+  ext?: Ext;
+}
+/**
+ * OPTIONAL. The opaque gateway-issued handle for this device's push channel. Omit to clear the wake channel (the VTA empties the gateway allowlist; the device becomes non-wakeable).
+ */
+export interface WakeHandle {
+  /**
+   * The push gateway that issued this handle and acts on it — a DID (DIDComm-reachable gateway) or an https URL (REST gateway). A trigger sends its contentless wake request here.
+   */
+  gateway: string;
+  /**
+   * Opaque gateway-issued identifier for the device's push channel. Reveals no platform token. Rotates whenever the device re-registers a new platform token with the gateway; the device then re-conveys the fresh handle via device/set-wake.
+   */
+  handle: string;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/set-wake/0.1" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/set-wake/0.1#response" as const;

package/src/device/set-wake/0.2/payload.ts

@@ -0,0 +1,45 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/set-wake/0.2/payload.schema.json
+ */
+
+/**
+ * A device conveys to its VTA the opaque WakeHandle it obtained from a push gateway, so the VTA can own the trigger allowlist and provision the gateway. Carries no platform push token — only the handle. Present `wakeHandle` sets/replaces the wake channel; absent clears it (device becomes non-wakeable). Idempotent; re-issued on token rotation. See the push wake-up binding (https://trusttasks.org/binding/push/0.1).
+ */
+export interface DeviceSetWakePayload {
+  wakeHandle?: WakeHandle;
+  /**
+   * OPTIONAL, advisory. The abstract platform behind the handle, for device/list visibility only. The VTA never sees the token; this is a non-authoritative hint.
+   */
+  pushPlatform?: "apns" | "fcm" | "webpush";
+  /**
+   * OPTIONAL, advisory. DIDs the device suggests as wake triggers (e.g. its mediator). The VTA owns the allowlist and MAY ignore this entirely — it is a hint, not an instruction.
+   */
+  suggestedTriggers?: string[];
+  ext?: Ext;
+}
+/**
+ * OPTIONAL. The opaque gateway-issued handle for this device's push channel. Omit to clear the wake channel (the VTA empties the gateway allowlist; the device becomes non-wakeable).
+ */
+export interface WakeHandle {
+  /**
+   * The push gateway that issued this handle and acts on it — a DID (DIDComm-reachable gateway) or an https URL (REST gateway). A trigger sends its contentless wake request here.
+   */
+  gateway: string;
+  /**
+   * Opaque gateway-issued identifier for the device's push channel. Reveals no platform token. Rotates whenever the device re-registers a new platform token with the gateway; the device then re-conveys the fresh handle via device/set-wake.
+   */
+  handle: string;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/set-wake/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/set-wake/0.2#response" as const;

package/src/device/wipe/0.2/payload.ts

@@ -0,0 +1,39 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/device/wipe/0.2/payload.schema.json
+ */
+
+/**
+ * The maintainer issues a wipe to a Companion or Service. The target is expected to destroy its local cache and (depending on scope) its device-local key material. The action is best-effort — a compromised device may silently drop the wipe — so the maintainer additionally revokes ACL access and rotates the device's cache-key derivation root, so that defence in depth means a non-compliant device is still neutralised.
+ */
+export interface DeviceWipePayload {
+  deviceId: string;
+  /**
+   * How aggressively the target should wipe:
+   * - `cache` — discard the encrypted vault cache; consumer can re-sync with valid creds.
+   * - `cacheAndKeys` — discard cache + device-local key material; consumer must re-onboard.
+   * - `full` — `cacheAndKeys` + clear all extension/app storage + revoke OS credential-provider registration where APIs permit.
+   */
+  scope: "cache" | "cacheAndKeys" | "full";
+  /**
+   * Human-readable reason. Required (not optional) because every wipe is consequential and the audit log must capture intent.
+   */
+  reason: string;
+  /**
+   * Wipe-issuance timestamp; identical to the document's `issuedAt`, repeated here so the body is self-contained for offline-queued delivery.
+   */
+  issuedAt?: string;
+  ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/device/wipe/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/device/wipe/0.2#response" as const;

package/src/did-management/did/check-name/0.1/payload.ts

@@ -4,9 +4,12 @@
  */
 
 export interface DIDManagementCheckNamePayload {
-  path: string;
   /**
-   * When true and the path is available, atomically reserve it under the caller and return the resulting DidRecord.
+   * Local path to test. REQUIRED for an availability probe (`reserve: false`). OPTIONAL when `reserve: true`: omit it to ask the host to auto-assign a fresh, server-generated mnemonic for the reservation.
+   */
+  path?: string;
+  /**
+   * When true and the path is available — or, when `path` is omitted, always — atomically reserve a slot under the caller and return the resulting DidRecord. When `path` is omitted the host generates a fresh unused mnemonic (auto-assign).
    */
   reserve?: boolean;
   /**

package/src/index.ts

@@ -1,6 +1,7 @@
 /** Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND. */
 
 export * as FrameworkShared from "./_framework/0.1/framework";
+export * as FrameworkShared from "./_framework/0.2/framework";
 export * as AclEntryShared from "./acl/_shared/0.1/acl-entry";
 export * as AclChangeRole_v0_1 from "./acl/change-role/0.1/payload";
 export * as AclGrant_v0_1 from "./acl/grant/0.1/payload";
@@ -17,21 +18,34 @@ export * as AuthPasskeyEnrollFinish_v0_1 from "./auth/passkey/enroll/finish/0.1/
 export * as AuthPasskeyEnrollInvite_v0_1 from "./auth/passkey/enroll/invite/0.1/payload";
 export * as AuthPasskeyEnrollStart_v0_1 from "./auth/passkey/enroll/start/0.1/payload";
 export * as AuthPasskeyLoginFinish_v0_1 from "./auth/passkey/login/finish/0.1/payload";
+export * as AuthPasskeyLoginFinish_v0_2 from "./auth/passkey/login/finish/0.2/payload";
 export * as AuthPasskeyLoginStart_v0_1 from "./auth/passkey/login/start/0.1/payload";
+export * as AuthPasskeyLoginStart_v0_2 from "./auth/passkey/login/start/0.2/payload";
 export * as AuthRefresh_v0_1 from "./auth/refresh/0.1/payload";
 export * as AuthRevokeSession_v0_1 from "./auth/revoke-session/0.1/payload";
 export * as AuthSessionsList_v0_1 from "./auth/sessions/list/0.1/payload";
 export * as AuthStepUpApproveRequest_v0_1 from "./auth/step-up/approve-request/0.1/payload";
+export * as AuthStepUpApproveRequest_v0_2 from "./auth/step-up/approve-request/0.2/payload";
 export * as AuthStepUpApproveResponse_v0_1 from "./auth/step-up/approve-response/0.1/payload";
+export * as AuthStepUpApproveResponse_v0_2 from "./auth/step-up/approve-response/0.2/payload";
+export * as AuthStepUpPolicy_v0_1 from "./auth/step-up/policy/0.1/payload";
+export * as AuthStepUpPolicy_v0_2 from "./auth/step-up/policy/0.2/payload";
 export * as AuthWhoami_v0_1 from "./auth/whoami/0.1/payload";
 export * as ConfirmRequest_v0_1 from "./confirm/request/0.1/payload";
 export * as ConfirmResponse_v0_1 from "./confirm/response/0.1/payload";
 export * as DeviceBindingShared from "./device/_shared/0.1/device-binding";
+export * as DeviceBindingShared from "./device/_shared/0.2/device-binding";
 export * as DeviceDisable_v0_1 from "./device/disable/0.1/payload";
 export * as DeviceHeartbeat_v0_1 from "./device/heartbeat/0.1/payload";
+export * as DeviceHeartbeat_v0_2 from "./device/heartbeat/0.2/payload";
 export * as DeviceList_v0_1 from "./device/list/0.1/payload";
+export * as DeviceList_v0_2 from "./device/list/0.2/payload";
 export * as DeviceRegister_v0_1 from "./device/register/0.1/payload";
+export * as DeviceRegister_v0_2 from "./device/register/0.2/payload";
+export * as DeviceSetWake_v0_1 from "./device/set-wake/0.1/payload";
+export * as DeviceSetWake_v0_2 from "./device/set-wake/0.2/payload";
 export * as DeviceWipe_v0_1 from "./device/wipe/0.1/payload";
+export * as DeviceWipe_v0_2 from "./device/wipe/0.2/payload";
 export * as WebvhShared from "./did-management/_shared/0.1/did-method-extensions/webvh";
 export * as DidRecordShared from "./did-management/_shared/0.1/did-record";
 export * as DomainEntryShared from "./did-management/_shared/0.1/domain-entry";
@@ -62,29 +76,56 @@ export * as DidManagementServerHealth_v0_1 from "./did-management/server/health/
 export * as DidManagementServerRegister_v0_1 from "./did-management/server/register/0.1/payload";
 export * as DidManagementServerStatsSync_v0_1 from "./did-management/server/stats-sync/0.1/payload";
 export * as PolicyShared from "./policy/_shared/0.1/policy";
+export * as PolicyShared from "./policy/_shared/0.2/policy";
 export * as PolicyDelete_v0_1 from "./policy/delete/0.1/payload";
 export * as PolicyEvaluate_v0_1 from "./policy/evaluate/0.1/payload";
+export * as PolicyEvaluate_v0_2 from "./policy/evaluate/0.2/payload";
 export * as PolicyList_v0_1 from "./policy/list/0.1/payload";
+export * as PolicyList_v0_2 from "./policy/list/0.2/payload";
 export * as PolicyUpsert_v0_1 from "./policy/upsert/0.1/payload";
+export * as PolicyUpsert_v0_2 from "./policy/upsert/0.2/payload";
 export * as ProvisionIntegration_v0_1 from "./provision/integration/0.1/payload";
+export * as ProvisionIntegration_v0_2 from "./provision/integration/0.2/payload";
+export * as PushProvision_v0_1 from "./push/provision/0.1/payload";
+export * as PushProvision_v0_2 from "./push/provision/0.2/payload";
+export * as PushRegister_v0_1 from "./push/register/0.1/payload";
+export * as PushRegister_v0_2 from "./push/register/0.2/payload";
+export * as PushWake_v0_1 from "./push/wake/0.1/payload";
+export * as PushWake_v0_2 from "./push/wake/0.2/payload";
 export * as SyncEventShared from "./sync/_shared/0.1/sync-event";
+export * as SyncEventShared from "./sync/_shared/0.2/sync-event";
 export * as SyncEvent_v0_1 from "./sync/event/0.1/payload";
+export * as SyncEvent_v0_2 from "./sync/event/0.2/payload";
 export * as TrustTaskDiscovery_v0_1 from "./trust-task-discovery/0.1/payload";
 export * as TrustTaskError_v0_1 from "./trust-task-error/0.1/payload";
+export * as TrustTaskError_v0_2 from "./trust-task-error/0.2/payload";
 export * as ConsumerContextShared from "./vault/_shared/0.1/consumer-context";
 export * as SealedEnvelopeShared from "./vault/_shared/0.1/sealed-envelope";
 export * as SessionBlobShared from "./vault/_shared/0.1/session-blob";
 export * as VaultEntryShared from "./vault/_shared/0.1/vault-entry";
 export * as VaultSecretShared from "./vault/_shared/0.1/vault-secret";
+export * as ConsumerContextShared from "./vault/_shared/0.2/consumer-context";
+export * as SealedEnvelopeShared from "./vault/_shared/0.2/sealed-envelope";
+export * as SessionBlobShared from "./vault/_shared/0.2/session-blob";
+export * as VaultEntryShared from "./vault/_shared/0.2/vault-entry";
+export * as VaultSecretShared from "./vault/_shared/0.2/vault-secret";
 export * as VaultDelete_v0_1 from "./vault/delete/0.1/payload";
 export * as VaultGet_v0_1 from "./vault/get/0.1/payload";
+export * as VaultGet_v0_2 from "./vault/get/0.2/payload";
 export * as VaultList_v0_1 from "./vault/list/0.1/payload";
+export * as VaultList_v0_2 from "./vault/list/0.2/payload";
 export * as VaultProxyLogin_v0_1 from "./vault/proxy-login/0.1/payload";
+export * as VaultProxyLogin_v0_2 from "./vault/proxy-login/0.2/payload";
 export * as VaultRelease_v0_1 from "./vault/release/0.1/payload";
+export * as VaultRelease_v0_2 from "./vault/release/0.2/payload";
 export * as VaultSignTrustTask_v0_1 from "./vault/sign-trust-task/0.1/payload";
+export * as VaultSignTrustTask_v0_2 from "./vault/sign-trust-task/0.2/payload";
 export * as VaultSync_v0_1 from "./vault/sync/0.1/payload";
+export * as VaultSync_v0_2 from "./vault/sync/0.2/payload";
 export * as VaultUpsert_v0_1 from "./vault/upsert/0.1/payload";
+export * as VaultUpsert_v0_2 from "./vault/upsert/0.2/payload";
 export * as VaultUsage_v0_1 from "./vault/usage/0.1/payload";
+export * as VaultUsage_v0_2 from "./vault/usage/0.2/payload";
 export * as WebvhSyncDelete_v0_1 from "./webvh/sync/delete/0.1/payload";
 export * as WebvhSyncUpdate_v0_1 from "./webvh/sync/update/0.1/payload";
 export * as WebvhWitnessPublish_v0_1 from "./webvh/witness/publish/0.1/payload";

package/src/policy/_shared/0.2/policy.ts

@@ -0,0 +1,11 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/policy/_shared/0.2/policy.schema.json
+ */
+
+/**
+ * Shared Rego policy types referenced by the policy/* spec family. The maintainer evaluates these against PolicyInput (the request context) to decide proxy_login vs fill, release vs deny, and step-up demands. Engine: embedded Rego via `regorus` (pure-Rust evaluator) in the canonical maintainer implementation; other implementations MAY use a different engine if they accept the same Rego syntax.
+ */
+export interface PolicySharedDefinitions {
+  [k: string]: unknown | undefined;
+}

package/src/policy/evaluate/0.2/payload.ts

@@ -0,0 +1,102 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/policy/evaluate/0.2/payload.schema.json
+ */
+
+/**
+ * A single binding target for a vault entry. Tagged union over the discriminator `kind`. A VaultEntry's `targets` array MAY mix any number of these.
+ */
+export type SiteTarget = WebOrigin | Did | IosApp | AndroidApp;
+/**
+ * Discriminator: is this consumer a user-driven Companion or a headless Service?
+ */
+export type ConsumerKind = Companion | Service;
+
+/**
+ * Dry-run a policy decision against a synthetic PolicyInput. Returns the policy decision plus a trace of which policy modules matched and which rules fired. Used by the policy-editor UI to verify changes before save and by admins to diagnose unexpected deny/allow outcomes.
+ */
+export interface PolicyEvaluatePayload {
+  input: PolicyInput;
+  /**
+   * Optional — when supplied, evaluate as if this Rego source were active (e.g. preview a pending upsert). The candidate is layered into the evaluator at the priority specified by `candidatePriority` (default 1000) for this call only.
+   */
+  candidateModule?: string;
+  candidatePriority?: number;
+  includeTrace?: boolean;
+  ext?: Ext;
+}
+/**
+ * The structured input fed to a policy evaluator on every vault/proxy-login, vault/release, and policy/evaluate call.
+ */
+export interface PolicyInput {
+  request: {
+    kind: "proxyLogin" | "release" | "stepUpResponse";
+  };
+  site: SiteTarget;
+  contextId: string;
+  consumer: {
+    did: string;
+    kind?: ConsumerKind;
+    deviceId?: string;
+    lastUserVerificationAt?: string;
+    networkClass?: "unknown" | "home" | "corp" | "public" | "vpn";
+  };
+}
+export interface WebOrigin {
+  kind: "webOrigin";
+  /**
+   * Web origin per RFC 6454 (scheme + host + optional port), e.g. "https://github.com". Compared by exact string equality after canonicalisation (lowercase host, default port elided). Consumers wanting subdomain coverage SHOULD add multiple targets, not encode a wildcard.
+   */
+  origin: string;
+}
+export interface Did {
+  kind: "did";
+  /**
+   * DID identifying the relying party (e.g. did:web:rp.example). The vault maintainer is responsible for any DID resolution required to act on this entry.
+   */
+  did: string;
+}
+export interface IosApp {
+  kind: "iosApp";
+  /**
+   * iOS bundle identifier in reverse-DNS form (e.g. "com.github.stwalkerster.codehub"). Compared by exact string equality. Matches when an iOS Companion identifies the requesting app via its bundle id (typically via the OS Credential Manager integration).
+   */
+  bundleId: string;
+  /**
+   * Optional Apple Developer Team identifier (10-character alphanumeric). When supplied, the maintainer SHOULD also verify the team id of the requesting app before matching — defense in depth against bundle-id squatting on jailbroken devices.
+   */
+  teamId?: string;
+}
+export interface AndroidApp {
+  kind: "androidApp";
+  /**
+   * Android package name in reverse-DNS form (e.g. "com.github.android").
+   */
+  packageName: string;
+  /**
+   * SHA-256 fingerprints of the app's signing certificates, in colon-separated hex (the format `apksigner` and the Play Console emit). At least one fingerprint MUST be present. The maintainer matches when ANY of the provided fingerprints matches the requesting app's signature — this supports apps signed by multiple keys (e.g. during certificate rotation via Play App Signing).
+   *
+   * @minItems 1
+   */
+  sha256CertFingerprints: [string, ...string[]];
+}
+export interface Companion {
+  kind: "companion";
+  formFactor: "browser" | "mobile" | "desktop";
+}
+export interface Service {
+  kind: "service";
+  serviceKind: "mediator" | "aiAgent" | "daemon";
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/policy/evaluate/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/policy/evaluate/0.2#response" as const;

package/src/policy/list/0.2/payload.ts

@@ -0,0 +1,24 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/policy/list/0.2/payload.schema.json
+ */
+
+export interface PolicyListPayload {
+  contextId?: string;
+  enabledOnly?: boolean;
+  pageSize?: number;
+  cursor?: string;
+  ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/policy/list/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/policy/list/0.2#response" as const;

package/src/policy/upsert/0.2/payload.ts

@@ -0,0 +1,31 @@
+/**
+ * Generated by scripts/build-ts-bindings.mjs — DO NOT EDIT BY HAND.
+ * Source: specs/policy/upsert/0.2/payload.schema.json
+ */
+
+export interface PolicyUpsertPayload {
+  id?: string;
+  expectedVersion?: number;
+  name: string;
+  description?: string;
+  /**
+   * Rego source. The maintainer parses and validates against its evaluator before persisting; a syntactically invalid module is rejected.
+   */
+  module: string;
+  appliesTo?: string[];
+  priority?: number;
+  enabled?: boolean;
+  ext?: Ext;
+}
+/**
+ * Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
+ */
+export interface Ext {
+  [k: string]: unknown | undefined;
+}
+
+/** Trust Task type URI. */
+export const TYPE_URI = "https://trusttasks.org/spec/policy/upsert/0.2" as const;
+
+/** Trust Task response type URI (request type URI + "#response"). */
+export const RESPONSE_TYPE_URI = "https://trusttasks.org/spec/policy/upsert/0.2#response" as const;